Crime

Stolen Car Recovered With 11,000 More Miles -- and Lyft Stickers (sfgate.com) 71

The San Francisco Bay Area has more car thefts than any region in America, according to SFGate.com. A National Insurance Crime Bureau report found that between 2012 and 2014, there were an average of 30,000 car thefts a year just in the cities of San Francisco, Oakland and Hayward. But one theft took a strange turn. An anonymous reader quotes their report: Cierra and Josh Barton purchased a new Honda HR-V at the beginning of summer. It was stolen while parked in front of their Livermore apartment complex at the end of August. Four months later, Hayward police called the Bartons to say they had recovered the vehicle... What they found, to their surprise, was a car in relatively good shape -- a few dents, a rattling hood. But in the back and front windows were Lyft stickers, Cierra Barton said.

The odometer had spiked from 2,000 miles to more than 13,000. And in the back seat, Cierra said she found a pillow, a jacket and a stuffed animal. "It wasn't burned out, it wasn't gutted, but it appeared to be have been used as a Lyft," she said. That, Cierra added, was even worse than she imagined. "Not only did someone steal our car, they made money off it!"

Lyft says that "Given the information provided, we are unable to match this vehicle to any Lyft accounts in the area," adding they "stand ready to assist law enforcement in any investigation."
Microsoft

Microsoft Releases a Preview of OpenSSH Client and Server For Windows 10 (servethehome.com) 121

kriston (Slashdot user #7,886) writes: Microsoft released a preview of the OpenSSH server and client for Windows 10. Go to Settings, Apps & Features, and click "Manage optional features" to install them. The software only supports AES-CTR and chacha20 ciphers and supports a tiny subset of keys and KEXs, but, on the other hand, a decent set of MACs.

It also says that it doesn't use the OpenSSL library. That's the really big news, here. I understand leaving out arcfour/RC4 and IDEA, but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES? At least they chose the CTR versions of these ciphers. (Blowfish isn't compromised in any practical way, by the way). I prefer faster and less memory- and CPU-intensive ciphers.

Still, it's a good start. The SSH server is compelling enough to check out especially since I just started using X2GO for remote desktop access which requires an SSH server for its file sharing feature.

Microsoft

Windows 10 Bundled a Password Manager with a Security Flaw (bleepingcomputer.com) 46

An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to a same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.

Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.

The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.
Microsoft

Do More People Use Firefox Than Edge and IE Combined? (computerworld.com) 127

A funny thing happened when Net Applications' statistics began excluding fake traffic from ad-defrauding bots. Computerworld reports: Microsoft's Edge browser is less popular with Windows 10 users than earlier thought, if revised data from a U.S. analytics vendor can be believed. According to Net Applications of Aliso Viejo, Calif., Edge has been designated the primary browser by fewer than one in six Windows 10 users for more than a year and a half. That's a significant downgrading of Edge's user share statistics from the browser's portrayal before this month...

By comparing Edge's old and new shares, it was evident that as much as half of the earlier Edge traffic had been faked by bots. The portion of Edge's share credited to bots fluctuated month to month, but fell below 30% in only 4 of the 19 months for which Net Applications provided data... Microsoft's legacy browser, Internet Explorer (IE) also was revealed as a Potemkin village. Under the old data regime, which included bots, IE's user share was overblown, at times more than double the no-bots reality. Take May 2016 as an example. With bots, Net Applications pegged IE at 33.7%; without bots, IE's user share dwindled to just 14.9%. Together, IE and Edge - in other words, Microsoft's browsers - accounted for only 16.3% of the global user share last month using Net Applications' new calculations... In fact, the combined IE and Edge now face a once unthinkable fate: falling beneath Mozilla's Firefox.

StatCounter's stats on browser usage already show more people have already been using Firefox than both of Microsoft's browsers combined -- in 12 of the last 13 months.
Chrome

Chrome 64 Beta Adds Sitewide Audio Muting, Pop-Up Blocker, Windows 10 HDR Video (9to5google.com) 43

Chrome 64 is now in beta and it has several new features over version 63. In addition to a stronger pop-up blocker and support for HDR video playback when Windows 10 is in HDR mode, Chrome 64 features sitewide audio muting to block sound when navigating to other pages within a site. 9to5Google reports: An improved pop-up blocker in Chrome 64 prevents sites with abusive experiences -- like disguising links as play buttons and site controls, or transparent overlays -- from opening new tabs or windows. Meanwhile, as announced in November, other security measures in Chrome will prevent malicious auto-redirects. Beginning in version 64, the browser will counter surprise redirects from third-party content embedded into pages. The browser now blocks third-party iframes unless a user has directly interacted with it. When a redirect attempt occurs, users will remain on their current page with an infobar popping up to detail the block. This version also adds a new sitewide audio muting setting. It will be accessible from the permissions dropdown by tapping the info icon or green lock in the URL bar. This version also brings support for HDR video playback when Windows 10 is in HDR mode. It requires the Windows 10 Fall Creator Update, HDR-compatible graphics card, and display. Meanwhile, on Windows, Google is currently prototyping support for an operating system's native notification center. Other features include a new "Split view" feature available on Chrome OS. Developers will also be able to take advantage of the Resize Observer API to build responsive sites with "finger control to observe changes to sizes of elements on a page."
Microsoft

Microsoft Considers Adding Python As an Official Scripting Language in Excel (bleepingcomputer.com) 171

An anonymous reader writes: Microsoft is considering adding Python as one of the official Excel scripting languages, according to a topic on Excel's feedback hub opened last month. Since it was opened, the topic has become the most voted feature request, double the votes of the second-ranked proposition. "Let us do scripting with Python! Yay! Not only as an alternative to VBA, but also as an alternative to field functions (=SUM(A1:A2))," the feature request reads, as opened by one of Microsoft's users.

The OS maker responded yesterday by putting up a survey to gather more information and how users would like to use Python inside Excel. If approved, Excel users would be able to use Python scripts to interact with Excel documents, their data, and some of Excel's core functions, similar to how Excel currently supports VBA scripts. Python is one of the most versatile programming languages available today. It is also insanely popular with developers. It ranks second on the PYPL programming languages ranking, third in the RedMonk Programming Language Rankings, and fourth in the TIOBE index.

Networking

Ask Slashdot: What's the Best Way to Retrain Old IT Workers? 343

A medium-sized company just hired a new IT manager who wants advice from the Slashdot community about their two remaining IT "gofers": These people have literally been here their entire "careers" and are now near retirement. Quite honestly, they do not have any experience other than reinstalling Windows, binding something to the domain and the occasional driver installation -- and are more than willing to admit this. Given many people are now using Macs and most servers/workstations are running Linux, they have literally lost complete control over the company, with most of these machines sitting around completely unmanaged.

Firing these people is nearly impossible. (They have a lot of goodwill within other departments, and they have quite literally worked there for more than 60 years combined.) So I've been tasked with attempting to retrain these people in the next six months. Given they still have to do work (imaging computers and fixing basic issues), what are the best ways of retraining them into basic network, Windows, Mac, Linux, and "cloud" first-level help desk support?

Monster_user had some suggestions -- for example, "Don't overtrain. Select and target areas where they will be able to provide a strong impact." Any other good advice?

Leave your best answers in the comments. What's the best way to retrain old IT workers?
Debian

Does Systemd Makes Linux Complex, Error-Prone, and Unstable? (ungleich.ch) 746

"Systemd developers split the community over a tiny detail that decreases stability significantly and increases complexity for not much real value." So argues Nico Schottelius, talking about his experiences as the CEO of a Swiss company providing VM hosting, datacenters, and high-speed fiber internet. Long-time Slashdot reader walterbyrd quotes Nico's essay: While I am writing here in flowery words, the reason to use Devuan is hard calculated costs. We are a small team at ungleich and we simply don't have the time to fix problems caused by systemd on a daily basis. This is even without calculating the security risks that come with systemd. Our objective is to create a great, easy-to-use platform for VM hosting, not to walk a tightrope...

[W]hat the Devuan developers are doing is creating stability. Think about it not in a few repeating systemd bugs or about the insecurity caused by a huge, monolithic piece of software running with root privileges. Why do people favor Linux on servers over Windows? It is very easy: people don't use Windows, because it is too complex, too error prone and not suitable as a stable basis. Read it again. This is exactly what systemd introduces into Linux: error prone complexity and instability. With systemd the main advantage to using Linux is obsolete.

The essay argues that while Devuan foisted another choice into the community, "it is not their fault. Creating Devuan is simply a counteraction to ensure Linux stays stable. which is of high importance for a lot of people."
Bug

Microsoft's 'Malware Protection Engine' Had A Remote Code Execution Flaw (theregister.co.uk) 54

Slashdot reader Trax3001BBS shares an article from The Register: Microsoft posted an out-of-band security update Thursday to address a remote code execution flaw in its Malware Protection Engine. Redmond says the flaw, dubbed CVE-2017-11937, has not yet been exploited in the wild. Because it is an out-of-band critical fix, however, it should be installed as soon as possible. For most users, this will happen automatically.

The security hole is present in Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016... According to Microsoft, the vulnerability can be triggered when the Malware Protection Engine scans a downloaded file to check for threats. In many systems this is set to happen automatically for all new files. By exploiting a memory corruption error in the malware scanning tool, the attack file would be able to execute code on the target machine with LocalSystem privileges.

Businesses

Reporter Regrets Letting Amazon's Delivery People Into His House (washingtonpost.com) 114

An anonymous reader writes: Washington Post reporter Geoffrey A. Fowler describes his short-lived experience with "Amazon Key", a $250 smart lock system with a security camera that grants Amazon's delivery people access to your home. The lock sounds "like R2-D2 with constipation," and at one point it actually jammed (though his persistent delivery person eventually got it working properly). The unlocking of the door triggers a live video feed of the delivery -- which is also stored in a private archive online -- plus an alert to your phone -- and the Post's reporter writes that "The biggest downsides to the experience haven't been the strangers -- it's been Amazon."

They missed their delivery windows four out of eight times, and though the packages all arrived eventually, all four were late by a least a day. But his larger issue is that Amazon "wants to draw you further into an all-Amazon world... Now Amazon wants to literally own your door, so it can push not just packages but also services that come through it, like handymen, dog-walkers, groceries, you name it." His ultimate question? "Who's really being locked in?"

The Post's reporter notes that Amazon CEO Jeff Bezos owns the Washington Post, "but I review all tech the same." He did identify some advantages to the $250 smart lock system -- the door can now also be unlocked with the Amazon Key app, and he can even share that access with his friends by giving them a special access code.

But he also notes that security researchers discovered a way to freeze Amazon's security camera, potentially allowing a rogue delivery person to lurk in your house. And all things considered, it was apparently all too creepy. "After two weeks, my family voted to remove the Amazon Key smart lock and take down the camera."
Security

'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com) 126

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.
Operating Systems

ReactOS 0.4.7 Released (reactos.org) 94

jeditobe writes: OSNews reports that the latest version of ReactOS has been released: "ReactOS 0.4.7 has been released, and it contains a ton of fixes, improvements, and new features. Judging by the screenshots, ReactOS 0.4.7 can run Opera, Firefox, and Mozilla all at once, which is good news for those among us who want to use ReactOS on a more daily basis. There's also a new application manager which, as the name implies, makes it easier to install and uninstall applications, similar to how package managers on Linux work. On a lower level, ReactOS can now deal with Ext2, Ext3, Ext4, BtrFS, ReiserFS, FFS, and NFS partitions." General notes, tests, and changelog for the release can be found at their respective links. A less technical community changelog for ReactOS 0.4.7 is also available. ISO images are ready at the ReactOS Download page.
Chrome

Google Wants Progressive Web Apps To Replace Chrome Apps (androidpolice.com) 154

An anonymous reader quotes a report from Android Police: The Chrome Web Store originally launched in 2010, and serves a hub for installing apps, extensions, and themes packaged for Chrome. Over a year ago, Google announced that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. Today, the company sent out an email to developers with additional information, as well as news about future Progressive Web App support. The existing schedule is mostly still in place -- Chrome apps on the Web Store will no longer be discoverable for Mac, Windows, and Linux users. In fact, if you visit the store right now on anything but a Chromebook, the Apps page is gone. Google originally planned to remove app support on all platforms (except Chrome OS) entirely by Q1 2018, but Google has decided to transition to Progressive Web Apps:

"The Chrome team is now working to enable Progressive Web Apps (PWAs) to be installed on the desktop. Once this functionality ships (roughly targeting mid-2018), users will be able to install web apps to the desktop and launch them via icons and shortcuts; similar to the way that Chrome Apps can be installed today. In order to enable a more seamless transition from Chrome Apps to the web, Chrome will not fully remove support for Chrome Apps on Windows, Mac or Linux until after Desktop PWA installability becomes available in 2018. Timelines are still rough, but this will be a number of months later than the originally planned deprecation timeline of 'early 2018.' We also recognize that Desktop PWAs will not replace all Chrome App capabilities. We have been investigating ways to simplify the transition for developers that depend on exclusive Chrome App APIs, and will continue to focus on this -- in particular the Sockets, HID and Serial APIs."

Android

Qualcomm Announces Latest Snapdragon 845 Processor (9to5google.com) 38

The processor to power the next generation of Android flagship smartphones has been announced today. Qualcomm unveiled the new Snapdragon 845 processor at the 2017 Snapdragon Tech Summit, where Microsoft announced it was working with its PC partners to bring Windows 10 to Qualcomm's ARM processors. While more technical details of the chip will be announced tomorrow, we do know that the Snapdragon 845 processor is based on a 10nm processor and will feature the latest X20 LTE modem for gigabit connectivity speeds. Generally speaking, the new processor will bring improved performance, better power efficiency, and improved image processing.
Microsoft

Microsoft Debuts Windows 10 on ARM; Asus and HP Unveil Laptops With 20-Hour Battery Life, Gigabit LTE (zdnet.com) 139

Mary Jo Zoley, writing for ZDNet: A year ago, Microsoft announced it was working with its PC partners to bring Windows 10 to Qualcomm's ARM processors. The resulting machines, part of the "Always Connected PC" ecosystem, would start rolling out before the end of calendar 2017, officials said. Today, December 5, Microsoft provided a progress report on Windows on ARM at Qualcomm's Snapdragon Tech Summit. Microsoft and PC makers Asus and HP showed off new PCs running Windows 10 on Snapdragon 835 at the event. Asus' NovoGo will begin shipping at least in quantities before year-end, I've heard. Models with 4 GB of RAM and 16 GB of storage will be available starting at $599, and 8GB/256 GB storage model at $799, Asus officials said today. Asus is claiming 22 hours of continuous video playback and 30 days of standby. HP's Envy x2 -- like most of the ARM-based Always Connected Windows 10 devices -- won't be available until Spring of 2018. Users can get up to 20 hours of active use and 700 hours of "Connected Modern Standby." Pricing is not yet available.
Windows

Lead Developer of Popular Windows Application Classic Shell Is Quitting 97

WheezyJoe writes: Classic Shell is a free Windows application that for years has replaced Microsoft's Start Screen or Start Menu with a highly configurable, more familiar non-tile Start menu. Yesterday, the lead developer released what he said would be the last version of Classic Shell. Citing other interests and the frequency at which Microsoft releases updates to Windows 10, as well as lagging support for the Win32 programming model, the developer says that he won't work on the program anymore. The application's source code is available on SourceForge, so there is a chance others may come and fork the code to continue development. There are several alternatives available, some pay and some free (like Start10 and Start Is Back++), but Classic Shell has an exceptionally broad range of tweaks and customizability.
Microsoft

Microsoft's Edge Browser Now Generally Available For iOS, Android (zdnet.com) 140

An anonymous reader shares a report: Microsoft announced in October previews of new Edge browser apps for iOS and Android. On November 30, Microsoft officials are announcing that these apps are no longer in preview and are generally available for users in select markets. By making Edge apps available on non-Windows operating systems, Microsoft is hoping to do more than give Windows 10 users who use Edge a more convenient way to sync their bookmarks, tabs, etc., across devices. Microsoft also is doing this to improve its "Continue on PC" feature that it's been touting for Windows 10. With "Continue on PC," users will be able to share a web site, app, photo, and other information from their phones to their Windows 10 PCs in a faster and more seamless way. Microsoft is looking to Continue on PC to help keep Windows PCs relevant in a world where more and more computing is done on mobile devices.
Windows

Windows 10 Now on 600 Million Active Devices (geekwire.com) 142

Windows 10 has found its way onto 600 million active devices, says CEO Satya Nadella. From a report: CEO Satya Nadella referenced the new number for the first time moments ago at the company's annual shareholders meeting. The number is up from the 500 million devices touted by Microsoft earlier this year, but it's still well short of the company's original goal of 1 billion Windows 10 devices within two to three years of its 2015 release.
Technology

'You Had to Be There': As Technologies Change Ever Faster, the Knowledge of Obsolete Things Becomes Ever Sweeter (theatlantic.com) 546

Alexis C. Madrigal, writing for The Atlantic: There's a question going around on Twitter, courtesy of the writer Matt Whitlock: "Without revealing your actual age, what's something you remember that if you told a younger person they wouldn't understand?" This simple query has received, at this date, 18,000 responses. Here is just a tiny selection: A/S/L, pagers, manual car windows, "be kind, please rewind", "Waiting by the radio for my song to come on so I could record it on a cassette tape", floppy disks, the smell of purple mimeograph ink, WordPerfect, busy signals, paper maps, Winamp, smoking in the hospital, the card catalogue. Our favorite response, "The remote to change the channel on the TV was attached to a box that was attached to the TV", which elicited a response, "What about the remote that was really a clicker... In that it clicked like a frog toy",
Microsoft

Microsoft Sees the Future of Windows 10 as Sets, Ditching Windows For a Tabbed App Interface (pcworld.com) 302

Microsoft said Tuesday that it plans to overhaul Windows 10, with a browser-like, tabbed application view dubbed "Sets" that groups apps and files by project. From a report: Think of Sets as a mashup of existing and emerging Windows 10 technologies. Take Windows Explorer and the little-used Task View within Windows 10, mix in the newer "Pick up where you left off" and "Timeline" features, and wrap it all into a single-window experience. The idea is that every task requires a set of apps -- Mail, a browser, PowerPoint, even Win32 apps like Photoshop -- and those apps will be optionally organized as tabs along a single window. But that's not all. Microsoft knows that one of the most difficult things to remember isn't what you were working on a week or so ago -- browser histories help with that. It's remembering all of the associated apps and documents that went with it: a particular PowerPoint document, that budget spreadsheet, the context an Edge tab provided. The idea is that the delayed Timeline feature will eventually group and associate all of these into a Set, so that when you open one, Windows will suggest the others, too.

Slashdot Top Deals