Friday May 27, 2016

Slashdot: Millennials Value Speed Over Security, Says Survey

(posted on Friday May 27, 2016 at 05:35 AWST)

An anonymous reader quotes a report from The Daily Dot: Millennials stand apart from other Americans in preferring faster Internet access to safer Internet access, according to a new survey. When digital-authentication firm SecureAuth asked people from all age groups whether they would rather be safer online or browse faster online, 57 percent of Americans chose security and 43 percent chose speed. But among millennials, the results were almost reversed: 54 percent chose speed over security. Young people are also more willing than the overall population to share sensitive information over public Wi-Fi connections, which are notoriously insecure as they allow anyone on the network to analyze and intercept passing traffic. While a clear majority (57 percent) of Americans told SecureAuth that they transmitted such information over public Wi-Fi, nearly eight in 10 (78 percent) of millennials said they did so. A surprising 44 percent of millennials believe their data is generally safe from hackers, and millennials are more likely than members of other age groups to share account passwords with friends. Americans overall are paying more attention to some aspects of digital security. An October 2015 study by the wireless industry's trade group found that 61 percent of Americans use passwords on their smartphones and 58 percent use them on their tablets, compared to 50 percent and 48 percent, respectively, in 2012. The recent study lines up with a report published on May 24 that found that the elderly use more secure passwords than millennials.

Read more of this story at Slashdot.

Slashdot: Android Is 'Fair Use' As Google Beats Oracle In $9 Billion Lawsuit

(posted on Friday May 27, 2016 at 04:50 AWST)

infernalC writes: Ars Technica is reporting that the verdict is in, and that the jury decided that Google's duplication of several Java interfaces is fair use. Ars Technica writes that Google's Android OS does not infringe upon Oracle-owned copyrights because its re-implementation of 37 Java APIs is protected by "fair use." The jury unanimously answered "yes" in response to whether or not Google's use of Java APIs was a "fair use" under copyright law. The trial is now over, since Google won. "Google's win somewhat softens the blow to software developers who previously thought programming language APIs were free to use," Ars Technica writes. "It's still the case that APIs can be protected by copyright under the law of at least one appeals court. However, the first high-profile attempt to control APIs with copyright law has now been stymied by a "fair use" defense." The amount Oracle may have asked for in damages could have been as much as $9 billion.

Read more of this story at Slashdot.

Slashdot: Consumer Campaigners Read T&C Of Their Mobile Phone Apps To Prove a Point

(posted on Friday May 27, 2016 at 04:05 AWST)

From a BBC report: Norwegians have spent more than 30 hours reading out terms and conditions from smartphone apps in a campaign by the country's consumer agency. The average Norwegian has 33 apps, the Norwegian Consumer Council says, whose terms and conditions together run longer than the New Testament. To prove the "absurd" length, the council got Norwegians to read each of them out in real time on their website. The reading finished on Wednesday, clocking in at 31:49:11. Some of the world's most popular apps were chosen, including Netflix, YouTube, Facebook, Skype, Instagram and Angry Birds. Finn Myrstad from the Norwegian Consumer Council, said: "The current state of terms and conditions for digital services is bordering on the absurd."

Read more of this story at Slashdot.

Slashdot: A Third Of New Cellular Customers Last Quarter Were Cars

(posted on Friday May 27, 2016 at 03:25 AWST)

Ina Fried, reporting for Recode: With the U.S. smartphone market saturated, most of the growth in the cellular industry is actually coming from other kinds of devices including tablets, machine-to-machine connections and lots and lots of cars. In the first quarter, for example, the major carriers actually added more connected cars (Editor's note: amounting to a 32 percent capture) as new accounts than they did phones.

Read more of this story at Slashdot.

Slashdot: Slashdot Asks: Should It Be Legal To Resell E-Books, Software, and Other Digital Goods?

(posted on Friday May 27, 2016 at 02:45 AWST)

There's no one stopping you from selling the CDs and DVDs that you buy, so why can't you do the same with e-books, music albums, movies, and other things you've downloaded? Ars Technica reports about a Dutch second-hand e-book platform called Tom Kabinet which has been "at a war" with Dutch Publishers Association (NUV) over this issue. This is seen as a threat to the entire book industry. German courts have suggested that the practice of reselling e-books should be stopped, whereas Dutch courts don't necessarily see it as an issue. What's your view on this?

Read more of this story at Slashdot.

Slashdot: Microsoft and Facebook Building Underwater Transatlantic 'MAREA' Data Cable

(posted on Friday May 27, 2016 at 02:05 AWST)

An anonymous reader writes: On Thursday, Microsoft and Facebook announced a partnership to build a transatlantic subsea data cable. Called 'MAREA' (Editor's note: it is Spanish for "tide"), it will connect the United States to Europe. More specifically, it will connect the State of Virginia to the country of Spain. The project will begin this August, with a targeted completion date of October 2017. Microsoft says: "MAREA will be the highest-capacity subsea cable to ever cross the Atlantic -- featuring eight fiber pairs and an initial estimated design capacity of 160Tbps. The new 6,600 km submarine cable system, to be operated and managed by Telxius, will also be the first to connect the United States to southern Europe: from Virginia Beach, Virginia to Bilbao, Spain and then beyond to network hubs in Europe, Africa, the Middle East and Asia. This route is south of existing transatlantic cable systems that primarily land in the New York/New Jersey region. Being physically separate from these other cables helps ensure more resilient and reliable connections for our customers in the United States, Europe, and beyond." The fact that these two giants felt the need to have their own cables indicates how much data they intend to move. Wired has an in-depth piece on it (though the publication blocks users with adblockers).

Read more of this story at Slashdot.

Slashdot: E-Cigs Are Exploding In Vapers' Faces At An Alarming Rate

(posted on Friday May 27, 2016 at 01:25 AWST)

E-cigs are becoming increasingly popular, but are they safe enough? BuzzFeed News is reporting about accidents where e-cigs have exploded in vapers' faces. The report claims that these incidents are occurring at an alarming rate. From the report (condensed): Across the country, defective e-cigarettes -- the nicotine delivery machines that have taken over every strip mall and sidewalk, seemingly overnight -- are creating hundreds of victims like Cavins (a 63-year-old Orange, California-based family therapist who lost an eye after an e-cig device exploded in his face), people whose lives are suddenly and horrifyingly changed when their devices blow up. They are people like Thomas Boes, whose vape exploded while he was driving outside San Diego and struck him with such force that two of the three teeth he lost lodged in his upper palate; Kenneth Barbero, whose exploding device ripped a hole in his tongue; and Marcus Forzani, a 17-year-old whose left leg was charred from his calf to his thigh after a vape battery exploded in his pocket. An unpublished FDA analysis found 66 reports of e-cigarette overheating, fires, and explosions in 2015 and the first month of 2016, a number the agency calls "an underestimate of actual events."

Read more of this story at Slashdot.

Slashdot: Virtual Assistants Such As Amazon's Echo Break US Child Privacy Law, Experts Say

(posted on Friday May 27, 2016 at 00:45 AWST)

Mark Harris, reporting for The Guardian: An investigation by the Guardian has found that despite Amazon marketing the Echo to families with young children, the device is likely to contravene the US Children's Online Privacy Protection Act (COPPA), set up to regulate the collection and use of personal information from anyone younger than 13. Along with Google, Apple and others promoting voice-activated artificial intelligence systems to young children, the company could now face multimillion-dollar fines. "This is part of the initial wave of marketing to children using the internet of things," says Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group that helped write the law. "It is exactly why the law was enacted in the first place, to protect young people from pervasive data collection."

Read more of this story at Slashdot.

Slashdot: Lenovo: Motorola Acquisition 'Did Not Meet Expectations'

(posted on Friday May 27, 2016 at 00:05 AWST)

Lenovo acquired Motorola from Google in 2014. Since then, the Chinese technology conglomerate has been trying to merge Motorola's offering into its large portfolio. But things aren't going as planned. Lenovo on Thursday announced that the "integration efforts did not meet expectations". The company, however, insists that it has drawn many lessons from the experience since the close of the Motorola acquisition, and that it is acting on them quickly. It's not the best time in the market if you're an Android smartphone maker. Competition is growing, especially from companies such as Xiaomi, Meizu, Micromax, Yu and others that are making premium smartphones on razor-thin margins. Any unique feature a smartphone maker introduces is replicated in others' offerings within weeks.

Read more of this story at Slashdot.

Thursday May 26, 2016

Slashdot: Comcast Users Must Now Pay $50 Per Month Extra To Avoid Caps

(posted on Thursday May 26, 2016 at 23:25 AWST)

Karl Bode, reporting for DSLReports: In a letter being sent to Comcast customers in usage capped markets, the company says that with the recent announcement of usage caps being bumped to 1 terabyte, the company is also capping the amount of additional charges capped users can incur -- to $200 in a single month. As it stands, customers that cross the 1 terabyte limit face overage fees of $10 for each additional 50 GB consumed. But under the revised plans, customers have to pay $50 extra per month (up from $30 to $35, depending on market) to avoid usage caps entirely. "Because you are an unlimited data customer, we will maintain your current rate of $35 until the end of 2016," the letter reads. Comcast's recent decision to bump its caps to 1 terabyte wasn't driven by altruism. With the FCC preventing Charter from imposing caps for seven years as a merger condition, the agency has signaled that it may start getting more serious about cracking down on usage caps in the broadband market.

Read more of this story at Slashdot.

Slashdot: Get Ready To Be Bombarded With Ads When Using Google Maps

(posted on Thursday May 26, 2016 at 22:45 AWST)

An anonymous reader writes: The chance to squeeze some extra advertising dollars is something rarely missed by Google. This week the company quietly announced changes to two of its most widely used services, offering businesses the chance to pay for featured advertisements in Google.com and Google Maps. In a blog post, Google senior ads vice president Sridhar Ramaswamy outlined the likely changes to Google Maps that will see users met with pop-up ads for local businesses when they use the GPS-based app. The announcement has been facetiously described online as "the Ad-pocalypse" but Google has shown more tact in their use of language, referring to the ads as "promoted pins".

Read more of this story at Slashdot.

Slashdot: Adidas To Sell Robot-Made Shoes In Germany

(posted on Thursday May 26, 2016 at 22:05 AWST)

Adidas, the German sportswear and equipment maker, has announced that it will start marketing the first series of sports shoes manufactured by robots in Germany from 2017. Deutsche Welle reports: The announcement came as Adidas unveiled its prototype "Speedfactory", a state-of-the-art, 4,600 square-meter facility meant to automate shoe production, which is largely done manually in Asian factories at the moment. The company has struggled with steadily rising wages across the continent, where it employs around a million people. Still, Adidas insisted that the aim was not to immediately replace their workers, saying the goal was not "full automatization".

Read more of this story at Slashdot.

Slashdot: American Schools Teaching Kids To Code All Wrong

(posted on Thursday May 26, 2016 at 21:00 AWST)

theodp writes: Over at Quartz, Globaloria CEO Idit Harel argues that American schools are teaching our kids how to code all wrong. She writes, "The light and fluffy version of computer science -- which is proliferating as a superficial response to the increased need for coders in the workplace -- is a phenomenon I refer to as 'pop computing.' While calling all policy makers and education leaders to consider 'computer science education for all' is a good thing, the coding culture promoted by Code.org and its library of movie-branded coding apps provide quick experiences of drag-and-drop code entertainment. This accessible attraction can be catchy, but it may not lead to harder projects that deepen understanding." You mean the "first President to write a line of computer code" may not have progressed much beyond moving Disney Princess Elsa forward? Harel says there must be a distinction drawn between "coding tutorials" and learning "computer science." Building an app, for example, can't be done in a couple of hours; it "requires multi-dimensional learning contexts, pathways and projects." "Just as would-be musicians become proficient by listening, improvising and composing, and not just by playing other people's compositions, so would-be programmers become proficient by designing prototypes and models that work for solving real problems, doing critical thinking and analysis, and creative collaboration -- none of which can be accomplished in one hour of coding," she writes.

Read more of this story at Slashdot.

Netcraft: May 2016 Web Server Survey

(posted on Thursday May 26, 2016 at 20:52 AWST)

In the May 2016 survey we received responses from 1,033,790,346 sites and 5,946,961 web-facing computers. This reflects a gain of 147,000 computers, coupled with a loss of 49 million sites.

While last month's survey recorded the largest number of sites ever, many of the Chinese sites running Microsoft IIS that appeared last month have since disappeared. Combined with other departures, Microsoft suffered a net loss of 75 million sites this month, which has played a major part in its market share falling by more than 5 percentage points to less than 36%. Nevertheless, it is still the most common server vendor by number of sites, with a total of nearly 370 million hosted on IIS servers.

Despite Microsoft's loss of 75 million sites, the number of active sites using IIS actually grew by 450,000, which is indicative of the low quality of the sites it lost. Most of the lost sites were engaged in link farming activity, with large numbers of these sites being served from relatively few computers. The loss of these sites therefore had little impact on the number of web-facing computers using Microsoft IIS, which grew by 14,000.

Microsoft's closest competitor, Apache, gained 8.4 million sites, with its increased market share of 29.1% putting it within 6.4 percentage points of Microsoft's leading share.

Although it has yet to reach the same level as Microsoft and Apache, nginx made the largest gains, growing by 21 million sites and increasing its market share by 2.6 points to 15.9%.

nginx also showed the strongest growth in the survey's other metrics: it gained nearly 7.5 million active sites, 74,100 web-facing computers, and increased its presence within the top million sites by 16,000. The most significant of these gains was nginx's active site count increasing by a whopping 27%, largely as a result of Tumblr sites now exhibiting the Server: nginx header (in previous months, most Tumblr sites did not reveal which server software they were using).

While Microsoft has shaken off many of its low-quality sites, Alibaba's nginx fork, Tengine, gained around 10 million. Most of the new sites served by Tengine this month make use of domains under the .science gTLD, which has proved popular with many Chinese link farms and webspam sites – most likely due to the sub-dollar registration costs. Tengine suffered a small net loss in active sites this month, which corroborates the low quality of the 10 million new sites.

Only 2.4% of the sites served by Tengine now qualify as active sites, which highlights just how many of them are used for displaying automatically generated content. Microsoft is still also fairly popular with link farm operators (particularly in China), with only 4.6% of its sites showing active content. In contrast, more than 26% of Apache sites, and nearly 22% of nginx sites feature active content.
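The survey's vendor breakdown rests on the self-reported Server response header, which is why Tumblr's change to sending "Server: nginx" moved millions of sites into nginx's column in one month. The Python script below is an added example, not Netcraft's code: it parses constructed raw HTTP response heads, maps the product token to a vendor bucket (the product-to-vendor mapping is an assumption for illustration, since the survey's own rules are not given here), and flags responses that disclose a version string. The caveat the Tumblr case demonstrates is that the header is whatever the operator chooses to send, so it can be blank, rewritten or spoofed; treat header fingerprints as inventory hints rather than proof of what is running.

```python
"""Classify web servers from the HTTP Server header, survey-style (added example)."""
import re

# Constructed sample responses (not survey data): the raw response head each
# hypothetical host returned, as a client would receive it.
SAMPLE_RESPONSES = {
    "blog.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "shop.example": "HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "farm.science": "HTTP/1.1 200 OK\r\nServer: Tengine/2.1.2\r\n\r\n",
    "www.example": "HTTP/1.1 301 Moved Permanently\r\nServer: Apache/2.4.7 (Ubuntu)\r\n"
                   "Location: https://www.example/\r\n\r\n",
    "sites.example": "HTTP/1.1 200 OK\r\nServer: GSE\r\n\r\n",
    "quiet.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Product-token to vendor mapping. This table is an assumption for the example;
# Tengine is matched before nginx because it is an nginx fork with its own token.
VENDOR_PATTERNS = [
    (re.compile(r"^Microsoft-IIS", re.I), "Microsoft"),
    (re.compile(r"^Tengine", re.I), "Tengine"),
    (re.compile(r"^nginx", re.I), "nginx"),
    (re.compile(r"^Apache", re.I), "Apache"),
    (re.compile(r"^(GSE|GFE|gws|Google Frontend)", re.I), "Google"),
]


def parse_headers(raw):
    """Parse a raw response head into a dict keyed by lower-cased header name.
    The status line is skipped; header names are case-insensitive per RFC 7230."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw):
    """Return (vendor, server_header). Vendor is 'Unknown' when the header is
    absent (the pre-change Tumblr case) and 'Other' when it is unrecognised."""
    server = parse_headers(raw).get("server")
    if not server:
        return ("Unknown", None)
    for pattern, vendor in VENDOR_PATTERNS:
        if pattern.search(server):
            return (vendor, server)
    return ("Other", server)


def version_disclosed(raw):
    """True when the Server header carries a version number (e.g. 'Apache/2.4.7'),
    which is the piece an operator usually wants suppressed on a public host."""
    server = parse_headers(raw).get("server") or ""
    return re.search(r"/\d", server) is not None


def tally(responses):
    """Count hosts per vendor bucket, the way a survey table is built."""
    counts = {}
    for raw in responses.values():
        vendor, _ = classify(raw)
        counts[vendor] = counts.get(vendor, 0) + 1
    return counts


if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        flag = " (version disclosed)" if version_disclosed(raw) else ""
        print(f"{host:15} {classify(raw)}{flag}")
    print(tally(SAMPLE_RESPONSES))
```

Running the block prints one classification per sample host and the per-vendor tally; the host with no Server header lands in the Unknown bucket exactly as the undisclosed Tumblr sites did in earlier surveys.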

Total number of websites (chart)

Web server market share (Change is in percentage points)

Developer    April 2016     Percent    May 2016       Percent    Change
Microsoft    441,470,894    40.75%     366,964,009    35.50%     -5.26
Apache       292,043,548    26.96%     300,447,470    29.06%      2.10
nginx        143,349,439    13.23%     163,902,971    15.85%      2.62
Google        20,597,605     1.90%      21,567,252     2.09%      0.18

Web server market share for active sites (Change is in percentage points)

Developer    April 2016     Percent    May 2016       Percent    Change
Apache        82,446,619    49.15%      81,000,024    47.59%     -1.56
nginx         28,196,262    16.81%      35,670,653    20.96%      4.15
Microsoft     16,887,242    10.07%      17,332,452    10.18%      0.12
Google        12,968,162     7.73%      14,086,046     8.28%      0.55

For more information see Active Sites

Web server market share for top million busiest sites (Change is in percentage points)

Developer    April 2016     Percent    May 2016       Percent    Change
Apache           451,872    45.19%         441,366    44.14%     -1.05
nginx            256,361    25.64%         272,394    27.24%      1.60
Microsoft        112,604    11.26%         111,691    11.17%     -0.09
Google            20,413     2.04%          20,911     2.09%      0.05

Web server market share for computers (Change is in percentage points)

Developer    April 2016     Percent    May 2016       Percent    Change
Apache         2,780,859    47.94%       2,827,763    47.55%     -0.39
Microsoft      1,526,227    26.31%       1,540,481    25.90%     -0.41
nginx            843,926    14.55%         918,032    15.44%      0.89

Slashdot: Xiaomi Unveils Budget-Friendly Mi Drone, $460 For 4K Or $380 For 1080p

(posted on Thursday May 26, 2016 at 18:00 AWST)

An anonymous reader writes: Chinese consumer electronics company Xiaomi has officially journeyed into the drones product category. The Xiaomi Mi Drone is a quadcopter with a three-axis gimbal, 4K camera, and a remote control that uses your Mi smartphone as a viewfinder. The 4K version retails for about $460 while the 1080p model retails for about $380. When compared to drones from DJI or Yuneec, the Mi Drone seriously undercuts them as they typically retail for more than $1,000. Some other features of the Mi Drone center around modularity and serviceability -- the camera module and rotors are detachable. The 5,100 mAh battery that Xiaomi claims can last 27 minutes of continuous flight time on a single charge is also replaceable. It uses GPS and GLONASS for positioning. It even features a visual positioning system on the rear that allows it to remain stable when flying at low altitudes in environments where a satellite signal cannot be reached. Some of the autonomous flight modes include: takeoff, landing, return to home, waypoint navigation and orbit, with the ability to create a geofence to limit its movement. The 1080p Mi Drone "will be crowdfunded on the Mi Hope app starting May 26, 2016," while the 4K Mi Drone "will be available for testing via an open beta program at the end of July." With such an affordable price tag relative to the competition, the Xiaomi Mi Drone may help increase revenues for the company whose sales barely grew last year.

Read more of this story at Slashdot.

Slashdot: Tor To Use Distributed RNG To Generate Truly Random Numbers

(posted on Thursday May 26, 2016 at 15:00 AWST)

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and which entropy each one used. Last week, two University of Texas academics made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.
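The "blending" described above is, in its general form, a commit-and-reveal protocol: each participant first publishes a hash of a secret, and only after every commitment is in are the secrets revealed and hashed together. The commitment step is what stops the last participant from choosing its contribution after seeing everyone else's; its only options are to reveal the value it committed to or to be excluded. The Python below is an added illustration of that general design and is not the Tor Project's implementation (the report does not give Tor's message formats or hash inputs, and this example does not reproduce them); the party names, fixed secrets and domain-separation label are constructed for the example.

```python
"""Commit-and-reveal shared randomness: an illustrative protocol, not Tor's code."""
import hashlib
import hmac
import os

# Domain-separation label for this example (constructed; not a Tor constant).
LABEL = b"example-shared-random-v1"


def commit(secret):
    """Commitment published in phase 1: SHA-256 of the 32-byte secret.
    A different secret revealed later will not hash to this value."""
    return hashlib.sha256(secret).digest()


def combine(reveals, previous=b""):
    """Derive the shared value from the accepted reveals. The previous round's value,
    the reveal count and the reveals in canonical (sorted) order all go into one
    hash, so every accepted input influences the result and arrival order does not."""
    h = hashlib.sha256()
    h.update(LABEL)
    h.update(previous)
    h.update(len(reveals).to_bytes(4, "big"))
    for r in sorted(reveals):
        h.update(r)
    return h.digest()


class Party:
    """One participating node (hypothetical name; secret is random unless supplied)."""

    def __init__(self, name, secret=None):
        self.name = name
        self.secret = secret if secret is not None else os.urandom(32)

    def commitment(self):
        return commit(self.secret)

    def reveal(self):
        return self.secret


def run_round(parties, reveals_by_name, previous=b""):
    """Run one round: collect every commitment first, then check each reveal against
    its commitment. A missing reveal, or one that does not hash to the commitment,
    is rejected rather than trusted. Returns (shared_value, accepted, rejected)."""
    commitments = {p.name: p.commitment() for p in parties}
    accepted, rejected = [], []
    for name in sorted(commitments):
        r = reveals_by_name.get(name)
        if r is None or not hmac.compare_digest(commit(r), commitments[name]):
            rejected.append(name)
        else:
            accepted.append(r)
    return combine(accepted, previous), accepted, rejected


def last_revealer_outcomes(others_reveals, own_secret, previous=b""):
    """The only two results the final revealer can pick between after seeing all
    other secrets: reveal what it committed to, or withhold and be excluded.
    Neither choice lets it steer the value to something of its own choosing."""
    return {
        "reveal": combine(list(others_reveals) + [own_secret], previous),
        "withhold": combine(list(others_reveals), previous),
    }


if __name__ == "__main__":
    nodes = [Party("alpha"), Party("beta"), Party("gamma")]
    honest = {p.name: p.reveal() for p in nodes}
    value, _, rejected = run_round(nodes, honest)
    print("honest round:  ", value.hex(), "rejected:", rejected)

    cheating = dict(honest)
    cheating["gamma"] = os.urandom(32)  # reveals something other than what it committed to
    value2, _, rejected2 = run_round(nodes, cheating)
    print("cheating round:", value2.hex(), "rejected:", rejected2)
```

The design choice worth noting is that a rejected party changes the result only by being absent; a single honest contributor whose secret is unknown to the others is enough to make the output unpredictable, which is the property the report describes as needing to know "which computers contributed" and "which entropy each one used" to predict it.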

Read more of this story at Slashdot.

SC Magazine: The $3 billion IT security problem

(posted on Thursday May 26, 2016 at 13:35 AWST)

Why business email compromise is the new malware.

SC Magazine: Microsoft to cut 1850 jobs

(posted on Thursday May 26, 2016 at 10:08 AWST)

Struggling smartphone unit takes the axe again.

SC Magazine: What needs to happen before Australia has digital passports?

(posted on Thursday May 26, 2016 at 10:06 AWST)

DFAT says your face can be your only credential.

SC Magazine: Telstra wins deal to run $180m national cancer register

(posted on Thursday May 26, 2016 at 09:24 AWST)

Five-year contract with federal government.

SC Magazine: US govt spending billions on ancient systems

(posted on Thursday May 26, 2016 at 08:30 AWST)

Nuclear weapons system uses 8in floppy disks.

pfSense: pfSense 2.3.1 Update 1 Available

(posted on Thursday May 26, 2016 at 07:10 AWST)

2.3.1 Update 1 (2.3.1_1) is now available. This includes one security fix to the web GUI, and 7 other bug fixes. The 2.3.1-RELEASE change list has been updated with an Update 1 section specifying the changes.

This update will reboot the system after installing.

Comments

SC Magazine: Watchdog slaps Clinton over private email server

(posted on Thursday May 26, 2016 at 04:57 AWST)

Hacking attempts never reported.

SC Magazine: YourDC opens $30m tier-three Adelaide data centre

(posted on Thursday May 26, 2016 at 04:35 AWST)

Facility has capacity of 8MW and 800 racks.

SC Magazine: TransGrid CIO retires

(posted on Thursday May 26, 2016 at 04:24 AWST)

High-level change ahead of strategic review.

SC Magazine: CBA banks on Apache, Docker in DevOps push

(posted on Thursday May 26, 2016 at 04:16 AWST)

Kafka, Cassandra, Mesos on radar.

SC Magazine: WA hopes to slice 10 percent off IT spend

(posted on Thursday May 26, 2016 at 04:12 AWST)

State government gets ready to lift its game.

Wednesday May 25, 2016

Drupal Contrib Security: XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030

(posted on Wednesday May 25, 2016 at 23:50 AWST)

Description

The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently filter the URL when it is displayed in the sitemap.

This vulnerability is mitigated if the setting for "Include a stylesheet in the sitemaps for humans." on the module's administration settings page is not enabled (the default is enabled).

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • XML Sitemap 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed XML Sitemap module, there is nothing you need to do.

Solution

Install the latest version:

Also see the XML Sitemap project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


OpenBSD Journal: Privilege Separation and Pledge (video)

OpenBSD Journal (posted on Wednesday May 25, 2016 at 21:34 AWST)

This year's dotSecurity conference featured a presentation from OpenBSD founder Theo de Raadt, titled "Privilege Separation and Pledge."

The video is now available here, in addition to the slides.

SC Magazine: Hackers build alternative to 'flawed' CVE bug ID system

(posted on Wednesday May 25, 2016 at 13:43 AWST)

New identifier platform needed to address MITRE problems.

SC Magazine: Chips can be built with undetectable malware: researchers

(posted on Wednesday May 25, 2016 at 12:22 AWST)

Near-impossible to spot, defend against hardware Trojan.

SC Magazine: When a CIO ditches IT for politics

(posted on Wednesday May 25, 2016 at 10:45 AWST)

Are the skills transferable?

SC Magazine: NT sinks $186m into ‘largest ever’ clinical systems replacement

(posted on Wednesday May 25, 2016 at 10:12 AWST)

Outdated hospital IT to get the boot.

SC Magazine: CBA adds 1000 racks in data centre modernisation

(posted on Wednesday May 25, 2016 at 10:07 AWST)

New cooling technology handles dense workloads.

SC Magazine: Photos: Inside CBA's modernised Sydney data centre

(posted on Wednesday May 25, 2016 at 09:25 AWST)

Milestone reached as two new data halls begin service.

SC Magazine: Google Paris office raided in tax probe

(posted on Wednesday May 25, 2016 at 07:07 AWST)

Faces millions in fines if found guilty.

SC Magazine: HP Enterprise in $12.5bn IT services spinoff with CSC

(posted on Wednesday May 25, 2016 at 04:57 AWST)

Combined entity will have revenues of US$26 billion.

SC Magazine: British govt hackers report vulnerabilities to Apple

(posted on Wednesday May 25, 2016 at 04:50 AWST)

Were they no longer needed by GCHQ?

SC Magazine: How to build an effective IT security function

(posted on Wednesday May 25, 2016 at 04:30 AWST)

[Blog post] Don't become the next hack victim.

Tuesday May 24, 2016

EEV Blog: EEVblog #883 – Orange Pi One vs Raspberry Pi 2

EEV Blog (posted on Tuesday May 24, 2016 at 09:13 AWST)

Dave takes a look at the Orange Pi One, a $10 single-board computer with a quad-core ARM Cortex-A7 processor, and compares it to the Raspberry Pi 2.
Covering the install of the ARMbian flavour of Debian.
Beware the security bug!
And how does performance per watt compare between the two?

Schematic HERE
Allwinner H3 datasheet
Open source Allwinner H3 community
Forum HERE

Comments

nginx News: nginx-1.11.0 mainline version has been released.

(posted on Tuesday May 24, 2016 at 05:00 AWST)

2016-05-24

nginx-1.11.0 mainline version has been released.

Sunday May 22, 2016

Roundcube: Roundcube Webmail 1.2.0 released

(posted on Sunday May 22, 2016 at 08:00 AWST)

We proudly announce the stable version 1.2.0 of Roundcube Webmail which is now available for download. It introduces new features since version 1.1 covering security and PGP encryption topics:

  • PHP7 compatibility
  • PGP encryption
  • Drag-n-drop attachments from mail preview to compose window
  • Mail messages searching with predefined date interval
  • Improved security measures to protect from brute-force attacks

And of course plenty of small improvements and bug fixes.

As already announced with the 1.2-beta release, PGP encryption comes in two flavours: client-side using the Mailvelope browser extension and server-side with the Enigma plugin using GnuPG on the server.

Support with the Mailvelope browser plugin comes out of the box and is automatically enabled if the Mailvelope API is detected in a user’s browser. The Mailvelope documentation explains how to enable it for your site.

The features of the Enigma plugin, which comes with the release package and simply needs to be activated for your Roundcube installation are explained in this blog post.

IMPORTANT: with this version, we finally deprecate some old Roundcube library functions. Please test your plugins thoroughly and look for deprecation warnings in the logs.

With the release of Roundcube 1.2.0, the previous stable release branches 1.0.x and 1.1.x will switch into LTS low-maintenance mode, which means they will only receive important security updates and no longer any regular improvement updates.

See the complete Changelog in our wiki and download the new packages from roundcube.net/download.

Friday May 20, 2016

EEV Blog: EEVblog #882 – Dumpster Dive Apple Xserve Computers

EEV Blog (posted on Friday May 20, 2016 at 22:28 AWST)

Dumpster diving time!
Dave fishes out some Apple Xserve rack mount server computers and tears them down.
Forum HERE

Comments

DFES Media Releases: Western Australians urged to get ready for dangerous weather

DFES Media Releases (posted on Friday May 20, 2016 at 10:58 AWST)


The Department of Fire and Emergency Services (DFES) is urging people across the State to get ready for the wild weather expected from this evening and into the weekend.

The Bureau of Meteorology has warned that the first significant storm of the season will affect south west parts of the State, bringing widespread damaging winds, locally dangerous gusts and abnormally high tides.

DFES Duty Chief Superintendent Rick Curtis said people often underestimate the damage that storms and severe weather can cause to homes and property.

"People are often shocked by the path of destruction left behind after an intense storm hits," Chief Superintendent Curtis said.

"I can't stress enough the benefits of doing a few things around your home to prepare for the dangerous weather heading our way.

"Before the weather hits, clean your gutters, tie down or remove loose items around your property and remove any overhanging tree branches.

"Ensure your emergency kit is complete including a battery operated radio, torch, spare batteries and first aid kit.

"Move vehicles under cover and ensure animals are in a safe area with protection from strong winds."

Chief Superintendent Curtis warned people to stay out of the water due to high tides and dangerous surf across a large section of coastline including Perth and Geographe Bay.

"Don't risk your safety by going boating, fishing or surfing, as conditions will be dangerous.

"Boat owners should make sure their boats are securely moored."

State Emergency Service (SES) volunteers and other emergency services personnel work tirelessly during and after severe weather events to clear fallen trees and make temporary repairs in areas affected by storms.

During last year's storm season, SES volunteers attended 480 calls for help and invested over 1950 hours helping the community with repairs.

If your home is badly damaged and you can't safely fix it yourself, call the SES on 132 500.

For tips on how to prepare your home and family for storms, visit www.dfes.wa.gov.au/WinterSAFE

END

Media Contact: DFES Media and Corporate Communications 9225 5955  

Publication Time: 20/05/2016 11:00 AM

Thursday May 19, 2016

OpenBSD Journal: p2k16 Hackathon Report: pirofti@ on octeon and TPM

OpenBSD Journal (posted on Thursday May 19, 2016 at 19:27 AWST)

The next hackathon report comes from Paul Irofti, who writes:

This was probably the shortest hackathon I attended. The 4 days flew by and I realised we have to pack and go with nothing to show for it.

My usual hackathon workflow is: waste 3-4 days trying to figure out how some device works, and then polish the driver(s) for the remaining days while congratulating myself with coffee, Günther and beer.

Read more...

DFES Media Releases: Revised Map of Bush Fire Prone Areas to be released tomorrow

DFES Media Releases (posted on Thursday May 19, 2016 at 09:06 AWST)

People developing or building properties could be affected by the next edition of the Map of Bush Fire Prone Areas, to be released tomorrow.

The map is aimed at limiting the impact of bushfires by informing future building and development.
 
Office of Bushfire Risk Management Executive Manager Tim McNaught said the revised map incorporates updates from local governments following the Map’s first release last year.
 
“The map has been refined in partnership with local governments as part of a continuous process to ensure it closely reflects local circumstances,” he said.
 
“The map will be reviewed annually, so if you believe your property has been incorrectly listed on the map, your local government can work with the Office of Bushfire Risk Management to ensure your property is added or removed as part of the review process.
 
“Your local government can also advise you on what to do during the interim until the map is updated.”
 
The map is part of a suite of planning and building requirements for new developments in bushfire prone areas, launched by the State Government through the Department of Planning in December last year.
 
It addresses key recommendations from the Keelty Report into the 2011 Perth Hills bushfire.
 
Please refer to the Department of Planning website www.planning.wa.gov.au/bushfire for further information about the planning requirements for properties in bushfire prone areas on the map.
 
The next edition of the map will be released in May 2017.
 
The Map of Bush Fire Prone Areas 2016 will be available from noon tomorrow, via: www.dfes.wa.gov.au/bushfireproneareas
 
Fact file:
 
  • The Map shows areas that have been designated as bushfire prone by order of the Fire and Emergency Services Commissioner under section 18P of the Fire and Emergency Services Act 1998.
  • Designated bushfire prone areas are coloured pink on the Map.
  • The 2016 edition of the Map will show both 'new' bushfire prone areas and those 'continuing' from the first edition of the Map released in December 2015. The newly designated areas are identified on the Map by a blue cross-hatched overlay.
  • A four-month transitional period may apply for properties in newly designated areas.
  • Contact your local government for further information about the planning and building requirements in your area.
  • Frequently Asked Questions and other resources are available on the DFES website: www.dfes.wa.gov.au/bushfireproneareas
 
END
 
Media Contact: DFES Media and Corporate Communications 9225 5955
 
Publication Time: 19/05/2016 9:00 AM

pfSense: pfSense 2.3.1-RELEASE Now Available!

(posted on Thursday May 19, 2016 at 05:23 AWST)

We are happy to announce the release of pfSense® software version 2.3.1!

This is a maintenance release in the 2.3.x series, bringing a number of bug fixes, two security fixes in the GUI, as well as security fixes for OpenSSL, OpenVPN and FreeBSD atkbd and sendmsg. The full list of changes is on the 2.3.1 New Features and Changes page.

This release includes a total of 103 bug fixes. 79 regressions in 2.3 have been fixed, mostly minor issues in the new GUI. Several of these are significant issues, and have resolved nearly all the post-upgrade problems encountered in 2.3-RELEASE. 24 issues affecting 2.2.x and prior versions have also been fixed.

If you haven’t yet caught up on the changes in 2.3.x, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.

Upgrade Considerations

As always, you can upgrade from any prior version directly to 2.3.1. The Upgrade Guide covers everything you'll need to know for upgrading in general. There are a few areas where additional caution should be exercised with this upgrade if upgrading from 2.2.x or an earlier release, all noted in the 2.3 Upgrade Guide.

For those upgrading from a 2.3 beta or RC version who have not yet upgraded to 2.3-RELEASE, please see this post.

Known Regressions

While nearly all of the common regressions in 2.3-RELEASE have been fixed in 2.3.1, the following still exist:

  • IPsec IPComp does not work. It is disabled by default, and in 2.3.1 it is automatically left disabled to avoid encountering this problem. Bug 6167
  • IGMP Proxy does not work with VLAN interfaces. Bug 6099. This is a little-used component; if you're not sure what it is, you're not using it.
  • Those using IPsec and OpenBGPD may have non-functional IPsec unless OpenBGPD is removed. Bug 6223

Packages

The list of available packages in pfSense 2.3.x has been significantly trimmed. We have removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable. A few have yet to be converted for Bootstrap and may return if converted. See the 2.3 Removed Packages list for details.

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on Github. 2.3.1-RELEASE is built from the RELENG_2_3_1 branch of each repository.

Main repository – the web GUI, back end configuration code, and build tools.
FreeBSD source – the source code, with patches of the FreeBSD 10.3 base.
FreeBSD ports – the FreeBSD ports used.

Download

Downloads are available on the mirrors as usual.

Downloads for New Installs

Downloads to Upgrade Existing Systems – note it’s usually easier to just use the auto-update functionality, in which case you don’t need to download anything from here. Check the Firmware Updates page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • pfSense Store – official hardware, apparel and pre-loaded USB sticks direct from the source. Our pre-installed appliances are the fast, easy way to get up and running with a fully-optimized system. All are now shipping with the 2.3 release installed.
  • Gold subscription – Immediate access to past hang out recordings as well as the latest version of the book after logging in to the members area.
  • Commercial Support – Purchasing support from us provides you with direct access to the pfSense team.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.


Drupal Contrib Security: Views Megarow - Critical - Access Bypass - SA-CONTRIB-2016-029

(posted on Thursday May 19, 2016 at 01:54 AWST)

Description

This module enables you to display content from any path within a list of content inside a view or form. The content is displayed in a modal-like format when the user clicks on the "view link" or any custom links created.

The module doesn't sufficiently check access permissions when the user clicks on a views megarow link.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Views megarow 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Views Megarow module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views Megarow project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal Contrib Security: Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028

(posted on Thursday May 19, 2016 at 01:54 AWST)

Description

This module enables you to allow users to enter a special registration code in order to sign up for the site.

The module doesn't sufficiently validate the entered registration code.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Registration Codes 7.x-2.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Registration codes project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Drupal Contrib Security: Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027

(posted on Thursday May 19, 2016 at 01:29 AWST)

Description

This module enables you to view dropbox files in your Drupal site.

The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to upload files to the dropbox folder that the victim later views through the Drupal site.

Additionally, the module shipped with hardcoded and exposed OAuth credentials, exposing known users of the module to phishing and/or access bypass.

The app secret has been made invalid, making the exposed secrets unusable for the attacker. This also makes the module unusable without upgrading and taking necessary steps to register a new Dropbox app.
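The two defects the advisory describes, shown as an added Drupal 7 example (not code from the dropbox_client module): a listing helper that emits a Dropbox-supplied filename raw beside one that escapes it, and credentials read from site configuration instead of being shipped in the module. The function names, the shape of the `$files` array and the variable names are assumptions.

```php
<?php
// Added example, not the dropbox_client module's own code.
// Assumed shape of the file list returned by the Dropbox API wrapper.
// The second entry is a constructed filename chosen by whoever can write
// to the shared Dropbox folder, which is exactly what the advisory warns about.
$files = array(
  array('path' => '/report.pdf', 'bytes' => 1024),
  array('path' => '/<script>alert(1)</script>.txt', 'bytes' => 0),
);

// Vulnerable pattern: the untrusted filename goes straight into markup.
// theme('item_list') in Drupal 7 does not escape item strings, so the
// script tag in the second filename reaches the browser intact.
function dropbox_client_example_list_unsafe(array $files) {
  $items = array();
  foreach ($files as $file) {
    $items[] = basename($file['path']);
  }
  return theme('item_list', array('items' => $items));
}

// Hardened pattern: every externally supplied string is escaped with
// check_plain() before it becomes HTML, so the same filename renders as
// literal text.
function dropbox_client_example_list_safe(array $files) {
  $items = array();
  foreach ($files as $file) {
    $items[] = check_plain(basename($file['path']));
  }
  return theme('item_list', array('items' => $items));
}

// Credentials: never embed an app key and secret in the module. Read the
// values the site administrator stored after registering their own Dropbox
// app (variable names assumed), and refuse to run without them.
function dropbox_client_example_credentials() {
  $key = variable_get('dropbox_client_app_key', '');
  $secret = variable_get('dropbox_client_app_secret', '');
  if ($key === '' || $secret === '') {
    throw new Exception('Dropbox app key/secret are not configured.');
  }
  return array('key' => $key, 'secret' => $secret);
}
```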

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All dropbox_client 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Dropbox Client module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the dropbox_client module for Drupal 7.x, upgrade to dropbox_client 7.x-4.0
  • Version 7.x-3.x is no longer supported.

Also see the Dropbox Client project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
