Security

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) 52

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code in the icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.
Android

Netflix Says No To Unlocked Android Smartphones (androidpolice.com) 255

An anonymous reader writes: Last week the Netflix app started showing up as "incompatible" on the Play Store for rooted and unlocked Android devices. However, the app itself continued to work fine, leading some to think it could have been an accident. However, Netflix has now confirmed to the blog AndroidPolice that blocking modified devices from downloading the app was intentional. This is the full statement: "With our latest 5.0 release, we now fully rely on the Widevine DRM provided by Google; therefore, many devices that are not Google-certified or have been altered will no longer work with our latest app and those users will no longer see the Netflix app in the Play Store."
Electronic Frontier Foundation

EFF Warns Most Of Intel's Chipsets Contain 'A Security Hazard' (eff.org) 158

The EFF is issuing a warning about the "tiny homunculus computer" in most of Intel's chipsets -- the largely-undocumented "Management Engine" which houses more than just the AMT module. An anonymous reader quotes their report: While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one... vulnerabilities in any of the other modules could be as bad, if not worse, for security. Some of the other modules include hardware-based authentication code and a system for location tracking and remote wiping of laptops for anti-theft purposes... It should be up to hardware owners to decide if this code will be installed in their computers or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user's interests, and should never be installed in a Management Engine by default...

While Intel may put a lot of effort into hunting for security bugs, vulnerabilities will inevitably exist, and having them lurking in a highly privileged, low-level component with no OS visibility or reliable logging is a nightmare for defensive cybersecurity. The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility... EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

TLDR: "We have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure."
DRM

FSF Supports Today's Boston March Against DRM In HTML5 (defectivebydesign.org) 89

Atticus Rex writes: A small artist-led group called Ethics in Tech is joining the long-simmering struggle between streaming video giants and Internet freedom activists over whether the Web should include Digital Rights Management in its technical standards. This Saturday, Ethics in Tech will lead a march on the W3C, the body -- led by Web inventor Tim Berners-Lee -- that decides on Web standards.
The Free Software Foundation is promoting the march, and their "Defective By Design" site is sharing this quote from the march's organizers: "Dear W3C: we demand you comply with UNESCO and international civil and political rights. Halt EME -- ensure the protection of a secure, accessible, and open web. Make ethical standards or stand on the wrong side of history."
DRM

DRM Will Be Gone By 2025, Predicts Cory Doctorow (theregister.co.uk) 191

An anonymous reader writes: It's been two years since Cory Doctorow joined the EFF's campaign to eliminate DRM within 8 years -- and he still believes it'll happen. "Farmers and the Digital Right To Repair Coalition have done brilliantly and have a message which is extremely resonant with the political right as well as the political left." And now even the entertainment industry seems to oppose extending the DMCA to tractors. "The entertainment industry feels very proprietary towards laws that protect DRM. They really feel that they lobbied for and bought these laws in order to protect the business model they envisioned. For these latecomer upstarts to turn up and stretch and distort these laws out of proportion has really exposed one of the natural cracks in copyright altogether."
Doctorow also says that "If there's anything good that might come of Brexit, it's that the UK will renegotiate and reevaluate its relationship to the Organisation for Economic Co-operation and Development and other directives. The UK enjoys a really interesting market position if it wants to be the only nation in the region that makes, exports, and supports DRM-breaking tools."
DRM

An Open Letter on DRM To the Inventor of the Web, From the Inventor of Net Neutrality (boingboing.net) 46

Tim Wu, a law professor at Columbia University, and best known for coining the term "net neutrality," has published an open letter to Tim Berners-Lee, the creator of the web and director of the World Wide Web Consortium (W3C). In the letter, Wu has asked Berners-Lee to "seriously consider extending a protective covenant to legitimate circumventers who have cause to bypass EME, should it emerge as a W3C standard." Cory Doctorow writes for BoingBoing: But Wu goes on to draw a connection between the problems of DRM and the problems of network discrimination: DRM is wrapped up in a layer of legal entanglements (notably section 1201 of America's Digital Millennium Copyright Act), which allow similar kinds of anticompetitive and ugly practices that make net neutrality so important. This is a live issue, too, because the W3C just held the most contentious vote in its decades-long history, on whether to publish a DRM standard for the web without any of the proposed legal protections for companies that create the kinds of competing products and services that the law permits, except when DRM is involved. As Wu points out, this sets up a situation where the incumbents get to create monopolies that produce the same problems for the open web that network neutrality advocates -- like Berners-Lee -- worry about.
Bitcoin

Backdoor Could Allow Company To Shut Down 70% of All Bitcoin Mining Operations (bleepingcomputer.com) 102

An anonymous reader writes: "An anonymous security researcher has published details on a vulnerability named "Antbleed," which the author claims is a remote backdoor affecting Bitcoin mining equipment sold by Bitmain, the largest vendor of crypto-currency mining hardware on the market," reports Bleeping Computer. The backdoor code works by reporting mining equipment details to Bitmain servers, who can reply by instructing the customer's equipment to shut down. Supposedly introduced as a crude DRM to control illegal equipment, the company forgot to tell anyone about it, and even ignored a user who reported it last fall. One of the Bitcoin Core developers claims that if such a command were ever sent, it could potentially brick the customer's device for good. Bitmain is today's most popular seller of Bitcoin mining hardware, and its products account for 70% of the entire Bitcoin mining market. If someone hijacks the domain where this backdoor reports, he could be in the position to shut down Bitcoin mining operations all over the world, which are nothing more than the computations that verify Bitcoin transactions, effectively shutting down the entire Bitcoin ecosystem. Fortunately, there's a way to mitigate the backdoor's actions using local hosts files.
GNU is Not Unix

Richard Stallman Interviewed By Bryan Lunduke (youtube.com) 172

Many Slashdot readers know Bryan Lunduke as the creator of the humorous "Linux Sucks" presentations at the annual Southern California Linux Exposition. He's now also a member of the OpenSUSE project board and an all-around open source guy. (In September, he released every one of his books, videos and comics under a Creative Commons license, while his Patreon page offers a tip jar and premiums for monthly patrons). But now he's also got a new "daily computing/nerd show" on YouTube, and last week -- using nothing but free software -- he interviewed the 64-year-old founder of the Free Software Foundation, Richard Stallman. "We talk about everything from the W3C's stance on DRM to opinions on the movie Galaxy Quest," Lunduke explains in the show's notes.
DRM

The Kodi Development Team Wants To Be Legitimate and Bring DRM To the Platform. (torrentfreak.com) 156

New submitter pecosdave writes: The XBMC/Kodi development team has taken a lot of heat over the years, mostly due to third-party developers introducing piracy plugins to the platform. In many cases, cheap Android computers are often sold with these plugins pre-installed with the Kodi or XBMC name attached to them -- something that caused Amazon to ban sales of such devices. The Kodi team is not happy about this, and has taken the fight to the sellers. The Kodi team is now trying to work with rights holders to introduce DRM and legitimate plugins to the platform. Is this the first step towards creating a true one-stop do-it-yourself Linux entertainment system?
DRM

American Farmers Are Still Fighting Tractor Software Locks (npr.org) 316

Manufacturers lock consumers into restrictive "user agreements," and inside "there's things like you won't open the case, you won't repair," complains a U.S. advocacy group called The Repair Association. But now the issue is getting some more attention in the American press. An anonymous reader quotes NPR: Modern tractors, essentially, have two keys to make the engine work. One key starts the engine. But because today's tractors are high-tech machines that can steer themselves by GPS, you also need a software key -- to fix the programs that make a tractor run properly. And farmers don't get that key.

"You're paying for the metal but the electronic parts technically you don't own it. They do," says Kyle Schwarting, who plants and harvests fields in southeast Nebraska... "Maybe a gasket or something you can fix, but everything else is computer controlled and so if it breaks down I'm really in a bad spot," Schwarting says. He has to call the dealer. Only dealerships have the software to make those parts work, and it costs hundreds of dollars just to get a service call. Schwarting worries about being broken down in a field, waiting for a dealer to show up with a software key.

The article points out that equipment dealers are using those expensive repair calls to offset slumping tractor sales. But it also reports that eight U.S. states, including Nebraska, Illinois and New York, are still considering bills requiring manufacturers to sell repair software, adding that after Massachusetts passed a similar law, "car makers started selling repair software."
Government

Should The FBI Have Arrested 'The Hacker Who Hacked No One'? (thedailybeast.com) 227

Last week The Daily Beast ran an article about the FBI's arrest of "the hacker who hacked no one." In December they'd arrested 26-year-old Taylor Huddleston, "the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers." It's been "linked to intrusions in at least 10 countries," reported Kevin Poulsen, but "as Huddleston sees it, he's a victim himself -- hackers have been pirating his program for years and using it to commit crimes."

The article quotes Huddleston's lawyer, as well as a Cornell law professor who warns of the "chilling effect" of its implications on programmers. But it also says security experts who examined the software are "inherently skeptical" of Huddleston's claim that the software was intended for legal use, since that's "a common claim amongst RAT authors." Security researcher Brian Krebs also sees "a more complex and nuanced picture" after "a closer look at the government's side of the story -- as well as public postings left behind by the accused and his alleged accomplices."
Movies

Netflix Now Lets You Download Videos Onto Your PC (pcworld.com) 60

Netflix now offers offline streaming via its Windows 10 PC application, meaning you'll have even more options wherever you're stuck without Internet access. From a report: Netflix added the offline viewing options as part of the most recent update to the Netflix app on Windows 10. Because the Windows Store doesn't show you what version of the Netflix app you're using, just make sure you check for updates using the large blue button in the upper-right corner of the Windows Store app to receive the latest version. You won't need the Creators Update to take advantage of the new feature, either. When you open the app, Netflix will show you a large splash screen that advertises the new "download and go" capability. Unfortunately, if you click the Find me something to download button, the Netflix app doesn't currently display a list of downloadable titles; you'll have to hunt them down yourself. Netflix introduced the same capability on iOS and Android late last year. It's a bold move by Netflix to bring this feature to desktop. There is always the risk of someone finding out a way to break the DRM and easily distribute the files.
The Internet

FSF Activists Want You To Call Tim Berners-Lee About DRM (boingboing.net) 126

"The Free Software Foundation is calling on netizens to make calls to the W3C demanding they not include DRM in Web standards," an anonymous reader writes. Cory Doctorow reports: There's only two weeks left until members of the World Wide Web Consortium vote on whether the web's premier open standards organization will add DRM to the toolkit available to web developers, without effecting any protections for people who discover security vulnerabilities that affect billions of web users, let alone people who adapt web tools for those with disabilities and people who create legitimate, innovative new technologies to improve web video.
Tim Berners-Lee has final say over this change, according to the article, which directs callers to urge him to "keep the web free and open, rather than rescuing DRM from its slow collapse due to the complexity of fielding and supporting it without standards like those the W3C makes."
DRM

W3C Erects DRM As Web Standard (theregister.co.uk) 260

The World Wide Web Consortium (W3C) has formally put forward highly controversial digital rights management as a new web standard. "Dubbed Encrypted Media Extensions (EME), this anti-piracy mechanism was crafted by engineers from Google, Microsoft, and Netflix, and has been in development for some time," reports The Register. "The DRM is supposed to thwart copyright infringement by stopping people from ripping video and other content from encrypted high-quality streams." From the report: The latest draft was published last week and formally put forward as a proposed standard soon after. Under W3C rules, a decision over whether to officially adopt EME will depend on a poll of its members. That survey was sent out yesterday and member organizations, who pay an annual fee that varies from $2,250 for the smallest non-profits to $77,000 for larger corporations, will have until April 19 to register their opinions. If EME gets the consortium's rubber stamp of approval, it will lock down the standard for web browsers and video streamers to implement and roll out. The proposed standard is expected to succeed, especially after web founder and W3C director Sir Tim Berners-Lee personally endorsed the measure, arguing that the standard simply reflects modern realities and would allow for greater interoperability and improve online privacy. But EME still faces considerable opposition. One of its most persistent vocal opponents, Cory Doctorow of the Electronic Frontier Foundation, argues that EME "would give corporations the new right to sue people who engaged in legal activity." He is referring to the most recent controversy where the W3C has tried to strike a balance between legitimate security researchers investigating vulnerabilities in digital rights management software, and hackers trying to circumvent content protection.
The W3C notes that the EME specification includes sections on security and privacy, but concedes "the lack of consensus to protect security researchers remains an issue." Its proposed solution remains "establishing best practices for responsible vulnerability disclosure." It also notes that issues of accessibility were ruled to be outside the scope of the EME, although there is an entire webpage dedicated to those issues and finding solutions to them.
Software

Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware (vice.com) 500

Tractor owners across the country are reportedly hacking their John Deere tractors using firmware that's cracked in Eastern Europe and traded on invite-only, paid online forums. This is because John Deere and other manufacturers have "made it impossible to perform 'unauthorized' repair on farm equipment," which has obviously upset many farmers who see it "as an attack on their sovereignty and quite possibly an existential threat to their livelihood if their tractor breaks at an inopportune time," reports Jason Koebler via Motherboard. As is the case with most modern-day engineering vehicles, the mechanical problems experienced with the newer farming tractors are often remedied via software. From the report: The nightmare scenario, and a fear I heard expressed over and over again in talking with farmers, is that John Deere could remotely shut down a tractor and there wouldn't be anything a farmer could do about it. A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for "crop loss, lost profits, loss of goodwill, loss of use of equipment [...] arising from the performance or non-performance of any aspect of the software." The agreement applies to anyone who turns the key or otherwise uses a John Deere tractor with embedded software. It means that only John Deere dealerships and "authorized" repair shops can work on newer tractors. "If a farmer bought the tractor, he should be able to do whatever he wants with it," Kevin Kenney, a farmer and right-to-repair advocate in Nebraska, told me. "You want to replace a transmission and you take it to an independent mechanic -- he can put in the new transmission but the tractor can't drive out of the shop. Deere charges $230, plus $130 an hour for a technician to drive out and plug a connector into their USB port to authorize the part."
"What you've got is technicians running around here with cracked Ukrainian John Deere software that they bought off the black market," he added.
Operating Systems

NetBSD 7.1 Released (netbsd.org) 45

New submitter fisted writes: The NetBSD Project is pleased to announce NetBSD 7.1, the first feature update of the NetBSD 7 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements. Some highlights of the 7.1 release are:

-Support for Raspberry Pi Zero.
-Initial DRM/KMS support for NVIDIA graphics cards via nouveau (Disabled by default. Uncomment nouveau and nouveaufb in your kernel config to test).
-The addition of vioscsi, a driver for the Google Compute Engine disk.
-Linux compatibility improvements, allowing, e.g., the use of Adobe Flash Player 24.
-wm(4): C2000 KX and 2.5G support; Wake On Lan support; 82575 and newer SERDES based systems now work.
-ODROID-C1 Ethernet now works.
-Numerous bug fixes and stability improvements.

NetBSD is free. All of the code is under non-restrictive licenses, and may be used without paying royalties to anyone. Free support services are available via our mailing lists and website. Commercial support is available from a variety of sources. More extensive information on NetBSD is available from http://www.NetBSD.org.
You can download NetBSD 7.1 from one of these mirror sites.
Movies

How Seven Movie Studios Forced A Pirated Movie Site Offline (hollywoodreporter.com) 136

A major pirated movie site went offline last month after seven Hollywood studios won a preliminary court injunction. An anonymous reader quotes the Hollywood Reporter: The MPAA-member studios sued the operators of PubFilm/PidTV in February, asking the court for a temporary restraining order to shut down what it described as a ring of six interconnected large-scale piracy sites. The suit was initially sealed, but was made public on Friday. Warner Bros, 20th Century Fox, Columbia Pictures, Universal, Disney, Paramount and Viacom are named as plaintiffs in the suit for direct and secondary copyright infringement, trademark infringement and unfair competition.

They're seeking statutory damages of $150,000 per infringement plus restitution of the sites' profits. So, depending on how many instances of infringement are discovered, the damages in this case could be astronomical. The studios claim the sites had more than 8 million visitors each month, nearly half of which were linked to IP addresses in the U.S... The sites are believed to be operated in Vietnam.

The court also ordered GoDaddy, VeriSign and Enom to disable all six domain names, to prevent the domains from being transferred, and to do it without communicating or warning the sites' owners first. In response, the defendants purchased a new domain, and then began publicizing it with ads on Google AdSense.
Piracy

A Prenda Copyright Troll Finally Pleaded Guilty (popehat.com) 46

"One of the attorneys behind the Prenda Law 'copyright trolling' scheme has pleaded guilty to federal charges of fraud and money laundering," reports Ars Technica. Long-time Slashdot reader Freshly Exhumed shares this article from the law blog Popehat: The factual basis section -- which Steele admits is true (as to facts he knows) or that the government can prove (as to facts he doesn't know directly) -- is a startling 16 pages long [PDF] and lavishly documents the entire scheme, complete with many details that accusers have been pointing out for years. In short, Steele admits that he and Hansmeier used sham entities to obtain the copyright to (or in some cases film) porn, uploaded it to file-sharing websites, and then filed "false and deceptive" copyright suits against downloaders designed to conceal their role in distributing the films and their stake in the outcomes. They lied to courts themselves, sent others to court to lie, lied at depositions, lied in sworn affidavits, created sham entities as plaintiffs, created fraudulent hacking allegations to try to obtain discovery into the identity of downloaders, used "ruse defendants" (strawmen, in effect) to get courts to approve broad discovery into IP addresses.
Facing a maximum of 40 years in prison, Steele could get his sentence reduced if he testifies against Hansmeier, according to the article, and "Steele appears to have pinned all of his hopes on that option... I've seen a lot of plea agreements in a lot of federal cases, and I don't recall another one that so clearly conveyed the defendant utterly surrendering and accepting everything the government demanded, all in hopes of talking his sentence down later."
DRM

Free Software Foundation Challenges Tim Berners-Lee On DRM (defectivebydesign.org) 207

Slashdot reader Atticus Rex writes: On Monday, W3C (World Wide Web Consortium) director Tim Berners-Lee released a post defending his decision to allow Netflix, Microsoft, Apple and Google to enshrine DRM in Web standards, arguing that blocking it would be pointless. Zak Rogoff, FSF campaigns manager, writes in the response:

"As Director of the W3C (World Wide Web Consortium), Berners-Lee has the ability to block [the DRM proposal] from ratification as an official Web standard... Of course, a refusal to ratify could not immediately stop the use of DRM, but it could meaningfully weaken the position of DRM in the court of public opinion, and put EME proponents Netflix, Microsoft, Apple, and Google on notice that a very prominent figure was willing to stand up to them on behalf of users. Changes in society's technological infrastructure require political movements, not just technological arguments, and political movements benefit greatly from the support of prominent figures."

Berners-Lee takes the position that "The web has to be universal, to function at all. It has to be capable of holding crazy ideas of the moment, but also the well polished ideas of the century. It must be able to handle any language and culture. It must be able to include information of all types, and media of many genres. Included in that universality is that it must be able to support free stuff and for-pay stuff, as they are all part of this world.

"This means that it is good for the web to be able to include movies, and so for that, it is better for HTML5 to have EME than to not have it."
DRM

DRM Company Denuvo Forgets To Secure Its Server, Leaks Two Years Of Emails (torrentfreak.com) 77

Denuvo "left several private directories on its website open to the public," TorrentFreak wrote Sunday, calling it "an embarrassing blunder" for the digital rights management company. "Members of the cracking community are downloading and scrutinizing the contents," the site reports, with one of the finds being an 11-megabyte text file which apparently contains every message sent through Denuvo's web site since 2014. An anonymous reader writes: There's a message from Google's security team, one from Capcom Japan, and "dozens of emails from angry pirates, each looking to vent their anger," according to TorrentFreak. Ars Technica reports that there's also a 2015 message from Microsoft about "an upcoming initiative," as well as messages from several game studios, and even one from the producers of Mavis Beacon Teaches Typing. "Combing the log file brings up countless spam messages, along with complaints, confused 'why won't this game work' queries from apparent pirates, and even threats (an example: 'for what you did to arkham knight I will find you and I will kill you and all of your loved ones, this I promise you CEO of this SHIT drm')."

"Since Denuvo's contact page does not contain a link to a private e-mail address -- only a contact form and a phone number to the company's Austrian headquarters -- the form appears to also have been used by many game developers and publishers." And in addition, "much of Denuvo's web database content appears to be entirely unsecured, with root directories for 'fileadmin' and 'logs' sitting in the open right now."

In addition, there's also a slideshow -- which has since been uploaded to Imgur -- bragging that "With over 300 man years of development experience among us, we clearly know what we're doing."