Security

Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com) 138

An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.
Bug

Malicious Video Link Can Cause Any iOS Device To Freeze (9to5mac.com) 53

A new bug in iOS has surfaced that will cause any iOS device to freeze when trying to view a certain .mp4 video in Safari. YouTube channel EverythingApplePro explains the bug in a video titled "This Video Will CRASH ANY iPhone!" 9to5Mac reports: As you'll see in the video below from EverythingApplePro, viewing a certain video in Safari will cause iOS to essentially overload and gradually become unusable. We won't link the infectious video here for obvious reasons, but you can take our word for it when we say that it really does render your device unusable. It's not apparently clear as to why this happens. The likely reason is that it's simply a corrupted video that's some sort of memory leak and when played, iOS isn't sure how to properly handle it, but there's likely more to it than that. Because of the nature of the flaw, it isn't specific to a certain iOS build. As you can see in the video below, playing the video on an iPhone running as far back as iOS 5 will cause the device to freeze and become unusable. Interestingly, with iOS 10.2 beta 3, if you let an iPhone affected by the bug sit there for long enough, it will power off and indefinitely display the spinning wheel that you normally see during the shutdown process. If someone sends you the malicious link and you fall for it, this is luckily a pretty easy problem to fix. All you have to do is hard reboot your device. For any iPhone but the iPhone 7, this can be done by long-pressing the power and Home buttons at the same time. The iPhone 7, of course, uses a new non-mechanical Home button. In order to reboot an iPhone 7, you must long-press the power button and volume down button at the same time.
Android

WhatsApp Is Rolling Out Video Calls On Its Android App (techcrunch.com) 42

WhatsApp appears to be rolling out its video calling feature for beta users of the Android app. The arrival of the feature was first spotted by Android Police, which found that an updated app interface caused some users of the beta builds of the application to be able to access video calling. TechCrunch reports: For those on a version of WhatsApp which includes video calling support, you're able to tap the call button or tap on a contact card to kick off a video call. In this case, a new dialog box will appear, offering the choice between a standard voice call and a video call. In addition, the call log will show which calls were made via video by annotating them with the camera icon, instead of the telephone icon. However, there isn't yet a way to call other WhatsApp users who don't also have video calling support. If you try to, WhatsApp defaults to a voice call. Android isn't the only platform where video calling has been switched on. Last week, some users on the WhatsApp beta for Windows Phone were also surprised to find that the feature was now functional. And in this case, it didn't require an app update -- indicating a server-side change could enable it. Some users have also reported seeing the feature on iOS.
Education

BBC Micro Bit Mini-Computer To Expand Internationally With New Hardware (bbc.com) 40

An anonymous reader quotes a report from BBC: The Micro Bit mini-computer is to be sold across the world and enthusiasts are to be offered blueprints showing how to build their own versions. The announcements were made by a new non-profit foundation that is taking over the educational project, formerly led by the BBC. About one million of the devices were given away free to UK-based schoolchildren earlier this year. Beyond the UK, Micro Bits are also in use in schools across the Netherlands and Iceland. But the foundation now intended to co-ordinate a wider rollout. "Our goal is to go out and reach 100 million people with Micro Bit, and by reach I mean affect their lives with the technology," said the foundation's new chief executive Zach Shelby. "That means [selling] tens of millions of devices... over the next five to 10 years." His organization plans to ensure Micro Bits can be bought across Europe before the end of the year and is developing Norwegian and Dutch-language versions of its coding web tools to boost demand. Next, in 2017, the foundation plans to target North America and China, which will coincide with an upgrade to the hardware. TrixX adds: The makers of the BBC micro:bit have announced that they are releasing the full specs for the device under an open license (SolderPad License, similar to Apache License but for hardware). This means that anyone can legally use the specs and build their own device, or fork the reference design GitHub repo and design their derivatives.
Open Source

The Arduino Split is Over, New Non-Profit Formed (arduino.cc) 73

"Today is one of the best days in Arduino history," announced Massimo Banzi, Co-Founder of Arduino LLC, calling it "a new beginning" for Arduino. Slashdot reader ruhri reports: Massimo Banzi and Federico Musto, co-founders of the Arduino Project, announced they have settled their differences that had resulted in the creation of Arduino LLC and Arduino SRL. A new, unified Arduino Holding and Arduino Foundation will be created.
"Massimo Banzi and Federico Musto took the stage today at the New York Maker Faire to announce the good news," reports a blog post at Arduino.cc. "At the end of 2016, the newly created 'Arduino Holding' will become the single point of contact for the wholesale distribution of all current and future products... In addition, Arduino will form a not-for-profit 'Arduino Foundation' responsible for maintaining the open source Arduino desktop IDE, and continuing to foster the open source movement by providing support for a variety of scholarships, community and developer initiatives."
HP

HP To Issue 'Optional Firmware Update' Allowing 3rd-Party Ink (arstechnica.com) 81

Soon after the Electronic Frontier Foundation (EFF) issued a letter to HP, calling for them to apologize to customers for releasing firmware that prevents the use of non-HP ink cartridges and refilled HP cartridges, the company has responded with a temporary solution. HP "will issue an optional firmware update that will remove the dynamic security feature" for certain OfficeJet printers. Ars Technica reports: HP made its announcement in a blog post titled "Dedicated to the best printing experience." "We updated a cartridge authentication procedure in select models of HP office inkjet printers to ensure the best consumer experience and protect them from counterfeit and third-party ink cartridges that do not contain an original HP security chip and that infringe on our IP," the company said. The recent firmware update for HP OfficeJet Pro, and OfficeJet Pro X printers "included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned," HP said. For customers who don't wish to be protected from the ability to buy less expensive ink cartridges, HP said it "will issue an optional firmware update that will remove the dynamic security feature. We expect the update to be ready within two weeks and will provide details here." This customer-friendly move may just be a one-time thing. HP said it will continue to use security features that "protect our IP including authentication methods that may prevent some third-party supplies from working." Without the optional firmware update, printers will only be able to use third-party ink cartridges that have an "original HP security chip," the company said.
Security

Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe (arstechnica.com) 172

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. 
As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins will also be able to control whether untrusted sites can use the clipboard or print.
Android

Google Play Starts Bringing Android Apps To Chromebooks (venturebeat.com) 14

An anonymous reader quotes a report from VentureBeat: As promised, Google has finally brought the Google Play store to Chrome OS. Android apps, Android games, and media content from the store are all now finally available on Chromebooks running the latest stable build. But that still doesn't mean all Chromebook owners can use the store. This continues to be a gradual rollout -- even on the stable channel, Google is limiting the launch in multiple ways. "A beta release of the Play store is available to users now on the Acer R11 and Asus Flip (and coming soon to Pixel 2015) and can be enabled from the Settings page," a Google spokesperson told VentureBeat. "The team is hard at work making the experience great for users before making the Play Store available by default on these Chromebooks." That's right -- even though we're still talking about just three devices, the Play store is disabled by default. Once you've updated to version 53.0.2785.129 (make sure to switch back to the stable channel if you aren't already on it), you'll have to enable the Play Store in Chrome Settings.
Hardware Hacking

Ask Slashdot: How Do You Build Your Own Vacuum Tubes? 275

Could you beat wireless headphones by creating your own DIY home audio system? Two weeks ago one Slashdot commenter argued, "to have good audio that is truly yours and something to be proud of, you need to make your own vacuum tube amplifier and then use it to power real electrostatic headphones over a wire." And now long-time Slashdot reader mallyn is stepping up to the challenge: I want to try to make my own vacuum tubes. Is there anyone here who has tried DIY vacuum tubes (or valves, to you Europeans)? I need help getting started -- how to put together the vacuum plumbing system; how to make a glass lathe; what metals to use for the elements (grid, plate, etc). If this is not the correct forum, can anyone please gently shove me into the correct direction? It needs to be online as my physical location (Bellingham, Washington) is too far away from the university labs where this type of work is likely to be done.
Slashdot's covered the "tubes vs. transistors" debate before, but has anyone actually tried to homebrew their own? Leave your best answers in the comments. How do you build your own vacuum tubes?
HP

HP Builds One Desktop PC Around a Speaker, Another Modular PC In Slices (arstechnica.com) 78

An anonymous reader writes from a report via Ars Technica: HP has announced today two new desktop PCs: HP Elite Slice and Pavilion Wave. The HP Elite Slice is a modular machine, with USB Type-C for power and I/O. The base unit contains all the core guts of the PC -- up to a 35W Core i7-6700T processor, up to 32GB of RAM, up to 512GB NVMe storage, gigabit Ethernet, 802.11ac Wi-Fi and several ports. The top cover of the main unit is modular, while the bottom of the unit contains a special connector that can allow for additional modules to be stacked. HP has an audio module that includes speakers and a microphone array, and an optical drive module. It should be available later this month, starting at $699. The Pavilion Wave on the other hand combines a PC and a speaker in a 10.3 inch tall triangular box. As for specs, it features a 35W processor, up to an i7 processor, up to 16GB RAM, with up to 1TB SSD or 2TB HDD. An AMD R9 M470 is optional. In addition to the speaker, the Wave features a microphone array for Cortana support.
Java

Slashdot Asks: What Are Your Favorite Java 8 Features? (infoworld.com) 427

New submitter liveedu shares with us a report from InfoWorld: When Java 8 was released two years ago, the community graciously accepted it, seeing it as a huge step toward making Java better. Its unique selling point is the attention paid to every aspect of the programming language, including JVM (Java Virtual Machine), the compiler, and other help-system improvements. Java is one of the most searched programming languages according to TIOBE index for July 2016, where Java ranks number one. Its popularity is also seen on LiveCoding, a social live coding platform for engineers around the world, where hundreds and thousands of Java projects are broadcasted live. InfoWorld highlights five Java 8 features for developers in their report: lambda expressions, JavaScript Nashorn, date/time APIs, Stream API and concurrent accumulators. But those features only scratch the surface. What makes Java 8 amazing in your opinion? What are your favorite Java 8 features that help you write high quality code? You can view the entire list of changes made to the programming language here.
Robotics

Intel Demos A New Robotics Controller Running Ubuntu (hackerboards.com) 21

Intel demoed their new robotics compute module this week. Scheduled for release in 2017, it's equipped with various sensors, including a depth-sensing camera, and it runs Ubuntu on a quad-core Atom. Slashdot reader DeviceGuru writes: Designed for researchers, makers, and robotics developers, the device is a self contained, candy-bar sized compute module ready to pop into a robot. It's augmented with a WiFi hotspot, Bluetooth, GPS, and IR, as well as proximity, motion, barometric pressure sensors. There's also a snap-on battery.

The device is preinstalled with Ubuntu 14.04 with Robot Operating System (ROS) Indigo, and can act as a supervisory processor to, say, an Arduino subsystem that controls a robot's low-level functions. Intel demoed a Euclid-driven robot running obstacle avoidance and follow-me tasks, including during CEO Brian Krzanich's keynote (YouTube video).

Intel says they'll also release instructions on how to create an accompanying robot with a 3D printer. This plug-and-play robotics module is a proof-of-concept device -- the article includes some nice pictures -- but it already supports programming in Node.js (and other high-level languages), and has a web UI that lets you monitor performance in real-time and watch the raw camera feeds.
Programming

The $5 Onion Omega2 Gives Raspberry Pi a Run For Its Money (dailydot.com) 124

An anonymous reader writes from a report via The Daily Dot: Onion's Omega2 computer may give the Raspberry Pi a run for its money if the success of the Kickstarter campaign is any indication. The Daily Dot reports: "With an initial goal of just $15,000, over 11,560 backers have pledged the company $446,792 in hopes of getting their hands on this little wonder board. So why are thousands of people losing their minds? Simple; the Omega2 packs a ton of power into a $5 package. Billed as the world's smallest Linux server, complete with built-in Wi-Fi, the Omega2 is perfect for building simple computers or the web connected project of your dreams. The tiny machine is roughly the size of a cherry, before expansions, and runs a full Linux operating system. For $5 you get a 580MHz CPU, 64MB memory, 16MB storage, built-in Wi-Fi and a USB 2.0 port. A $9 model is also available with 128MB of memory, 32MB of storage, and a MicroSD slot. The similarly priced Raspberry Pi Zero comes with a 1GHz Arm processor, 512MB of memory, a MicroSD slot, no onboard storage, and no built-in Wi-Fi. Omega2 supports the Ruby, C++, Python, PHP, Perl, JavaScript (Node.js), and Bash programming languages, so no matter your background in coding you should be able to figure something out." You can also add Bluetooth, GPS, and 2G/3G support via add-ons or expansions. It looks promising, though it is a Kickstarter campaign and the product may not come into fruition.
Security

Windows UAC Bypass Permits Code Execution (threatpost.com) 79

msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start PowerShell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.
Chrome

Google: Chrome 53 Will 'De-Emphasize Flash In Favor of HTML5' Next Month (venturebeat.com) 68

Google announced in a blog post today that Chrome will officially start to "de-emphasize Flash in favor of HTML5." VentureBeat reports: "In September 2016, Chrome will block Flash content that loads behind the scenes, which the company estimates accounts for more than 90 percent of the Flash on the web. In December, Chrome will make HTML5 the default experience for central content, such as games and videos, except on sites that only support Flash." Google detailed next month's plan (design doc), when Chrome 53 will be released: "In September 2015, we made 'Detect and run important plugin content' the default plugin setting in Chrome, automatically pausing any cross-origin plugin content smaller than 400px in width or 300px in height. This behavior has an exception for any plugin content that is 5x5 or smaller or is an undefined size, because there was no canonical way of detecting viewability until Intersection Observer was standardized and implemented. We would now like to remove this exception and instead not load tiny, cross-origin content. If the user has their plugin setting set to the default of 'Detect and run important plugin content,' the browser will not instantiate cross-origin plugin content that is roughly 5x5 or smaller or has an undefined size. An icon will be displayed in the URL bar indicating that plugin content is not running, allowing the user to reload the page with plugin content running or open settings to add a site-wide exception. Other choices of the plugin content setting are unaffected by this launch."
Microsoft

Microsoft To Release Two Major Windows 10 Updates Next Year (arstechnica.com) 150

An anonymous reader quotes a report from Ars Technica: With the Windows 10 Anniversary Update, aka Windows 10 version 1607, released earlier this week, it's time to look forward to what's next. Windows 10 has multiple release tracks to address the needs of its various customer types. The mainstream consumer release, the one that received the Anniversary Update on Tuesday, is dubbed the Current Branch (CB). The Current Branch for Business (CBB) trails the CB by several months, giving it greater time to bed in and receive another few rounds of bug fixing. Currently the CBB is using last year's November Update, version 1511. In about four months, Microsoft plans to bump CBB up to version 1607, putting both CB and CBB on the same major version. [The Long Term Servicing Branch, an Enterprise-only version that will receive security and critical issue support for 10 years, will also be updated.] Going forward, however, the differences between both current branch variants (CB and CBB) and LTSB will become more marked. Microsoft is not planning another major update this year. There will be no equivalent to last year's 1511 release, but Microsoft will have two next year. These are believed to be codenamed Redstone 2 (rs2) and Redstone 3 (rs3), with this week's 1607 release being Redstone 1 (rs1). Current expectation is that rs2 will have a heavy mobile focus and be shipped simultaneously with new Surface branded hardware.
Books

CP/M Creator Gary Kildall's Memoirs Released As Free Download (ieee.org) 157

An anonymous reader writes from IEEE Spectrum: The year before his death in 1994, Gary Kildall -- inventor of the early microcomputer operating system CP/M -- wrote a draft of a memoir, "Computer Connections: People, Places, and Events in the Evolution of the Personal Computer Industry." He distributed copies to family and friends, but died before realizing his plans to release it as a book. This week, the Computer History Museum in Mountain View, with the permission of Kildall's children, released the first section and it is available for a free download. The rest of it, which they say did not reflect his true self, will not be made public.
Operating Systems

LibreOffice 5.2 Officially Released (softpedia.com) 103

prisoninmate writes from a report via Softpedia: LibreOffice 5.2 is finally here, after it has been in development for the past four months, during which the development team behind one of the best free office suites have managed to implement dozens of new features and improvements to most of the application's components. Key features include more UI refinements to make it flexible for anyone, standards-based document classification, forecasting functions in Calc, the spreadsheet editor, as well as lots of Writer and Impress enhancements. A series of videos are provided to see what landed in the LibreOffice 5.2 office suite, which is now available for download for GNU/Linux, Mac OS X, and Microsoft Windows operating systems.
Microsoft

Microsoft's HoloLens Is Now On Sale To Anyone In The US Or Canada (computerworld.com) 53

Microsoft is now selling its augmented reality headset dubbed HoloLens to anyone in the United States or Canada for $3,000 a pop. Computerworld reports: Until now, HoloLens was available only to developers and companies through Microsoft sales reps, but starting Tuesday, anyone in the U.S. or Canada can buy up to five headsets online through the Microsoft Store. There was no word about availability in other countries. The HoloLens now on sale is the same developer edition that has been offered to Microsoft partners, and buyers are asked to acknowledge before completing purchase that they understand it's not a finished product intended for consumers. Microsoft also asks buyers to agree not to resell the product and acknowledge that no refunds are available. The move should expand the community of developers working to build apps and other content for the headset before a consumer version is officially available.
Hardware Hacking

FCC Requires TP-Link To Support Open Source Router Firmware 52

An anonymous reader writes: Earlier today, the FCC reached a settlement with TP-Link over Wi-Fi router interference. Most of the agreement was routine, addressing compliance with radio emission rules.

But the FCC also did something unprecedented. It required TP-Link to support open source firmware on its routers. You might recall that, last year, the FCC caused a ruckus when it mistakenly suggested it was banning open source router firmware. In fact, the FCC only required that router vendors implement protections for specific radio emission parameters. But the FCC didn't work with router vendors in advance to maintain open source compatibility, resulting in certain vendors (including TP-Link) trying to lock down their routers.

The FCC eventually issued a clarification, but the damage was done. Only recently have a couple router vendors (Linksys and Asus) affirmed that they will continue to support open source firmware.

Today's settlement is a milestone for the FCC. The agency is finally doing something, with deeds and not just words, to demonstrate its support for the open source community. It would be better if the agency hadn't created this mess, but they deserve serious credit for working so hard to fix it.
