
Submission + - "Most serious" Linux privilege-escalation bug ever is under active exploit (arstechnica.com)

operator_error writes: Lurking in the kernel for nine years, flaw gives untrusted users unfettered root access.

By Dan Goodin — 10/20/2016

A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."

The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

Submission + - ICANN recommends TLDs like .txt -- and .exe (icann.org) 1

fyngyrz writes: ICANN says, in part:

Given preliminary feedback that there is not a technical need to prevent file extensions as TLDs, as well as the lack of an authoritative source of common file extensions to draw from, staff determined that it is not workable to prevent common file extensions from being used as TLDs.

To summarize, it is the recommendation of the ICANN technical staff to allow applications for TLD strings that may also be commonly used for file extensions.

But will ICANN approve such applications? If so, we can all look forward to opportunities to click on...


Comment This isn't very new for TP-Link (Score 5, Informative) 157

The last few routers I've bought for family and friends have been TP-Link, and of course I immediately flash them all with OpenWRT. The last two routers I bought had firmware from October that was locked down, just like TFA makes note of. I wasn't pleased with the Google effort and time required to get to where I wanted to go.

As I recall, first I had to find a sort of neutral flashing dd-wrt firmware from early last year that could be flashed from TP-Link's firmware. Then, since TP-Link's October firmware was useless, I had to flash the router with a much older version of their firmware, making the unit an April TP-Link router. Once I got that far, I was able to flash to OpenWRT as planned.

I'm happy with the unit's price and performance under OpenWRT; however, I will look to other vendors from now on. Of course I must also blame the FCC, which sort of hurts because lately the FCC has been making a lot of good calls for its actual constituents (while ignoring its paid-for lobbyists).

Submission + - Radioactive material stolen in Iraq raises security fears (reuters.com)

mdsolar writes: Iraq is searching for "highly dangerous" radioactive material stolen last year, according to an environment ministry document and seven security, environmental and provincial officials who fear it could be used as a weapon if acquired by Islamic State.

The material, stored in a protective case the size of a laptop computer, went missing in November from a storage facility near the southern city of Basra belonging to U.S. oilfield services company Weatherford WFT.N, the document seen by Reuters showed and officials confirmed.

A spokesman for Iraq's environment ministry said he could not discuss the issue, citing national security concerns.

Submission + - Internet Explorer 8, 9, and 10 Reach End-of-Life Next Week (thenextweb.com)

An anonymous reader writes: On Tuesday, January 12, Microsoft Internet Explorer 8, 9, and 10 will officially reach their end of life. A new patch going live soon will add a notification that nags users to upgrade. "What’s even bigger about the end of life for these versions is that this means Internet Explorer 11 is the last version of Microsoft’s old browser that’s left supported, as the company continues to transition customers to Edge on Windows 10."

Submission + - Drupal Update Process Flawed by Multiple Bugs, Attackers Can Take Over Sites

An anonymous reader writes: The Drupal CMS, a favorite with large enterprises, has a few bugs in its update process, affecting both the Drupal core update and its modules. The biggest flaw of the three discovered by IOActive researchers allows an attacker to take over the sites via poisoned updates. What's worse is that Drupal's team had known of this issue since 2012, but only recently reopened discussions on fixing the problem.

Submission + - IBM union calls it quits (computerworld.com)

dcblogs writes: A 16-year effort by the Communication Workers of America to organize IBM employees into a union is ending. The union's local, the Alliance@IBM, is suspending "organizing" efforts, and says its membership has been worn down by IBM's ongoing decline of its U.S. work force as it grows overseas. The union never got many dues-paying members, but its Website, a source of reports from employees on layoffs, benefit changes and restructuring, was popular with employees, a source of information for the news media, and a continuing thorn in the side of IBM.

Submission + - DaaS play brings Oracle into a cloud leadership role

Amanda Parker writes: Oracle has made its 96th acquisition, this time focusing on expanding its offerings in cloud marketing technology. AddThis offers sharing features that you will no doubt have seen on many sites; they allow you to share stories to sites such as Facebook and Twitter. The real benefit of this to Oracle is that AddThis has activity data for 1.9 billion monthly unique visitors and over 15 million mobile and desktop web domains. With Oracle saying that it will continue to serve AddThis customers, it means that Big Red will have access to a very large data source. This plays to the company's Data-as-a-Service business, selling anonymised data to help them run their marketing campaigns.

Submission + - Verizon launches auction to sell data centers (reuters.com)

operator_error writes: Verizon has now chosen to reverse "its strategy to expand in hosting and colocation services after it acquired data center operator Terremark Worldwide Inc in 2011 for $1.4 billion", and has "started a process to sell its data center assets".

The so-called 'colocation' portfolio up for sale includes 48 data centers, and generates annual earnings before interest, tax, depreciation and amortization of around $275 million.

The enterprise telecommunications industry has had to adapt in recent years to corporate customers seeking more sophisticated and cheaper offerings to manage their data. Verizon joins a host of its rivals in telecommunications who are shedding their data centers.

The article doesn't mention alternative, scalable, virtual machine technologies or companies with such a focus, like Amazon, Xen, KVM, or VMware, but Slashdot readers might be able to draw such conclusions for themselves.

Submission + - New HTTPS Bicycle Attack Reveals Details About Passwords From Encrypted Traffic (softpedia.com)

campuscodi writes: Dutch security researcher Guido Vranken has published a paper [PDF] in which he details a new attack on TLS/SSL-encrypted traffic, one that can potentially allow attackers to extract some information from HTTPS data streams. Attackers could extract the length of a password from TLS packets, and then use this information to simplify brute-force attacks. The new HTTPS Bicycle Attack can also be used retroactively on HTTPS traffic logged several years ago. Hello NSA!

Submission + - How Outsourcing Companies Are Gaming the Visa System (nytimes.com)

shakah writes: Pretty straightforward summary of how the H-1B Visa system is working in the United States. Particularly interesting for me was this clarification on the argument that "VISA holders have to make prevailing wages, so they won't depress wages":

Under federal rules, employers like TCS, Infosys and Wipro that have large numbers of H-1B workers in the United States are required to declare that they will not displace American workers. But the companies are exempt from that requirement if the H-1B workers are paid at least $60,000 a year. H-1B workers at outsourcing firms often receive wages at or slightly above $60,000, below what skilled American technology professionals tend to earn, so those firms can offer services to American companies at a lower cost, undercutting American workers.
