DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Bug

LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com) 28

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.
DRM

W3C Erects DRM As Web Standard (theregister.co.uk) 50

The World Wide Web Consortium (W3C) has formally put forward highly controversial digital rights management as a new web standard. "Dubbed Encrypted Media Extensions (EME), this anti-piracy mechanism was crafted by engineers from Google, Microsoft, and Netflix, and has been in development for some time," reports The Register. "The DRM is supposed to thwart copyright infringement by stopping people from ripping video and other content from encrypted high-quality streams." From the report: The latest draft was published last week and formally put forward as a proposed standard soon after. Under W3C rules, a decision over whether to officially adopt EME will depend on a poll of its members. That survey was sent out yesterday and member organizations, who pay an annual fee that varies from $2,250 for the smallest non-profits to $77,000 for larger corporations, will have until April 19 to register their opinions. If EME gets the consortium's rubber stamp of approval, it will lock down the standard for web browsers and video streamers to implement and roll out. The proposed standard is expected to succeed, especially after web founder and W3C director Sir Tim Berners-Lee personally endorsed the measure, arguing that the standard simply reflects modern realities and would allow for greater interoperability and improve online privacy. But EME still faces considerable opposition. One of its most persistent vocal opponents, Cory Doctorow of the Electronic Frontier Foundation, argues that EME "would give corporations the new right to sue people who engaged in legal activity." He is referring to the most recent controversy where the W3C has tried to strike a balance between legitimate security researchers investigating vulnerabilities in digital rights management software, and hackers trying to circumvent content protection. The W3C notes that the EME specification includes sections on security and privacy, but concedes "the lack of consensus to protect security researchers remains an issue." Its proposed solution remains "establishing best practices for responsible vulnerability disclosure." It also notes that issues of accessibility were ruled to be outside the scope of the EME, although there is an entire webpage dedicated to those issues and finding solutions to them.
The Internet

'Dig Once' Bill Could Bring Fiber Internet To Much of the US (arstechnica.com) 71

An anonymous reader quotes a report from Ars Technica: If the U.S. adopts a "dig once" policy, construction workers would install conduits just about any time they build new roads and sidewalks or upgrade existing ones. These conduits are plastic pipes that can house fiber cables. The conduits might be empty when installed, but their presence makes it a lot cheaper and easier to install fiber later, after the road construction is finished. The idea is an old one. U.S. Rep. Anna Eshoo (D-Calif.) has been proposing dig once legislation since 2009, and it has widespread support from broadband-focused consumer advocacy groups. It has never made it all the way through Congress, but it has bipartisan backing from lawmakers who often disagree on the most controversial broadband policy questions, such as net neutrality and municipal broadband. It even got a boost from Rep. Marsha Blackburn (R-Tenn.), who has frequently clashed with Democrats and consumer advocacy groups over broadband -- her "Internet Freedom Act" would wipe out the Federal Communications Commission's net neutrality rules, and she supports state laws that restrict growth of municipal broadband. Blackburn, chair of the House Communications and Technology Subcommittee, put Eshoo's dig once legislation on the agenda for a hearing she held yesterday on broadband deployment and infrastructure. Blackburn's opening statement (PDF) said that dig once is among the policies she's considering to "facilitate the deployment of communications infrastructure." But her statement did not specifically endorse Eshoo's dig once proposal, which was presented only as a discussion draft with no vote scheduled. The subcommittee also considered a discussion draft that would "creat[e] an inventory of federal assets that can be used to attach or install broadband infrastructure." Dig once legislation received specific support from Commerce Committee Chairman Greg Walden (R-Ore.), who said that he is "glad to see Ms. Eshoo's 'Dig Once' bill has made a return this Congress. I think that this is smart policy and will help spur broadband deployment across the country."
Privacy

Hackers Claim Access To 300 Million iCloud Accounts, Demand $75,000 From Apple To Delete the Cache of Data (vice.com) 57

A hacker or group of hackers calling themselves the "Turkish Crime Family" claim they have access to at least 300 million iCloud accounts, and will delete the alleged cache of data if Apple pays a ransom by early next month. Motherboard is reporting that the hackers are demanding "$75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data." From the report: The hackers provided screenshots of alleged emails between the group and members of Apple's security team. One also gave Motherboard access to an email account allegedly used to communicate with Apple. "Are you willing to share a sample of the data set?" an unnamed member of Apple's security team wrote to the hackers a week ago, according to one of the emails stored in the account. (According to the email headers, the return-path of the email is to an address with the @apple.com domain). The hackers also uploaded a YouTube video of them allegedly logging into some of the stolen accounts. The hacker appears to access an elderly woman's iCloud account, which includes backed-up photos, and the ability to remotely wipe the device. Now, the hackers are threatening to reset a number of the iCloud accounts and remotely wipe victim's Apple devices on April 7, unless Apple pays the requested amount. According to one of the emails in the accessed account, the hackers claim to have access to over 300 million Apple email accounts, including those use @icloud and @me domains. However, the hackers appear to be inconsistent in their story; one of the hackers then claimed they had 559 million accounts in all. The hackers did not provide Motherboard with any of the supposedly stolen iCloud accounts to verify this claim, except those shown in the video.
GNOME

GNOME 3.24 Released (softpedia.com) 58

prisoninmate quotes a report from Softpedia: GNOME 3.24 just finished its six-month development cycle, and it's now the most advanced stable version of the modern and popular desktop environment used by default in numerous GNU/Linux distributions. It was developed since October 2016 under the GNOME 3.23.x umbrella, during which it received numerous improvements. Prominent new features of the GNOME 3.24 desktop environment include a Night Light functionality that promises to automatically shift the colors of your display to the warmer end of the spectrum after sunset, and a brand-new GNOME Control Center with redesigned Users, Keyboard and Mouse, Online Accounts, Bluetooth, and Printer panels. As for the GNOME apps, we can mention that the Nautilus file manager now lets users browse files as root (system administrator), GNOME Photos imitates Darktable's exposure and blacks adjustment tool, GNOME Music comes with ownCloud integration and lets you edit tags, and GNOME Calendar finally brings the Week view. New apps like GNOME Recipes are also part of this release. The full release notes can be viewed here. Softpedia notes in conclusion: "As mentioned before, it will take at least a couple of weeks for the new GNOME 3.24 packages to land on the stable repositories of your favorite distro, which means that you'll most probably be able to upgrade from GNOME 3.22 when the first point release, GNOME 3.24.1, is out on April 12, 2017."
AT&T

17,000 AT&T Workers Go On Strike In California and Nevada (fortune.com) 75

An anonymous reader quotes a report from Fortune: Approximately 17,000 workers in AT&T's traditional wired telephone business in California and Nevada walked out on strike on Wednesday, marking the most serious labor action against the carrier in years. The walkout -- formally known as a grievance strike -- occurred after AT&T changed the work assignments of some of the technicians and call center employees in the group, the Communications Workers of America union said. The union would not say how long the strike might last. A contract covering the group expired last year and there has been little progress in negotiations over sticking points like the outsourcing of call center jobs overseas, stagnant pay, and rising health care costs. The union said it planned to file an unfair labor charge with the National Labor Relations Board over the work assignment changes. "A walkout is not in anybody's best interest and it's unfortunate that the union chose to do that," an AT&T spokesman told Fortune. "We're engaged in discussion with the union to get these employees back to work as soon as possible."
Nintendo

Nintendo Is Repairing Left Joy-Cons With ... a Piece of Foam? (polygon.com) 57

While Nintendo remains silent on the issue of some left Joy-Con controllers becoming desynced from the Switch console, it appears it has a solution for those affected. No, it's not avoidance of aquariums or all other wireless devices; instead, it's apparently as simple as a foam sticker placed in the right spot. From a report: Early reviews and, later, actual retail units of the Nintendo Switch highlighted an apparent hardware flaw in the design of the left Joy-Con controller. In certain scenarios -- like when played some distance from the console using the Joy-Con Grip -- some left Joy-Cons could lose sync and players would find themselves unable to accurately control what's happening on the screen. While a day one console update fixed this issue for some, it's remained for others and Nintendo has done little to assuage would-be consumers that it's solved the issue for good. But, a Joy-Con sent in for repair by CNET's Sean Hollister was returned with one small enhancement a week later and -- lo and behold -- it works. That enhancement: A small piece of conductive foam.
Transportation

Plans For London-Paris Electric Flight in 'Next Decade' Unveiled (telegraph.co.uk) 64

A start-up has unveiled ambitious plans to offer an electric-powered commercial flight between London and Paris in the next ten years. From a report: Wright Electric believes the proposed low-emission electric plane would offer a cheaper alternative to jet fuel for airlines and consumers. However, the start-up's bid to revolutionize short-haul flights relies on the continued advancement of battery technology. The company, who pitched to investors this week, would be forced to switch to a hybrid of aviation fuel and electricity if the advances in battery technology fail to materialise.
Security

Ebay Asks Users To Downgrade Security (krebsonsecurity.com) 51

Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," say security reporter Brian Kerbs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.
Television

Cord-Cutting Isn't Nearly as Significant as Cable Providers Make It Out To Be (cnbc.com) 122

From a report on CNBC: Despite legacy media's anxieties about cord-cutting, data suggest that the phenomenon isn't nearly as significant as cable providers make it out to be. In its 11th annual "Digital Democracy Survey," Deloitte found that the percentage of American households that subscribe to paid television services has remained relatively stable since 2012, even as adoption of streaming services has accelerated. In its survey of 2,131 consumers, Deloitte said two-thirds of respondents reported they have kept their TV subscriptions because they're bundled with their internet plan. Kevin Westcott, vice chairman and U.S. media and entertainment leader at Deloitte, told CNBC that bundling seems to be a huge deterrent for cord cutting.
Chrome

Google Contemplating Removing Chrome 'Close Other Tabs' and 'Close Tabs to the Right' Options (bleepingcomputer.com) 202

An anonymous reader shares a report: Chrome engineers are planning to remove two options from Chrome that allow users to quickly close a large number of tabs with just a few clicks. The options, named "Close other tabs" and "Close tabs to the right" reside in the menu that appears when a user right-clicks on a Chrome tab. According to an issue on the Chromium project spotted yesterday by a Reddit user, Google engineers planned to remove to menu options for many years even before opening the Chromium issue, dated itself to July 31, 2015. After several years of inactivity and no decision, things started to move again in September 2016, when usage statistics confirmed that Chrome users rarely used the two options they initially wanted to remove. Seeing no new discussions past this point, Chromium engineers assigned the issue in February, meaning engineers are getting ready to remove the two menu options it in future Chromium builds.
Programming

Performance Bugs, 'the Dark Matter of Programming Bugs', Are Out There Lurking and Unseen (forwardscattering.org) 230

Several Slashdot readers have shared an article by programmer Nicholas Chapman, who talks about a class of bugs that he calls "performance bugs". From the article: A performance bug is when the code computes the correct result, but runs slower than it should due to a programming mistake. The nefarious thing about performance bugs is that the user may never know they are there -- the program appears to work correctly, carrying out the correct operations, showing the right thing on the screen or printing the right text. It just does it a bit more slowly than it should have. It takes an experienced programmer, with a reasonably accurate mental model of the problem and the correct solution, to know how fast the operation should have been performed, and hence if the program is running slower than it should be. I started documenting a few of the performance bugs I came across a few months ago, for example (on some platforms) the insert method of std::map is roughly 7 times slower than it should be, std::map::count() is about twice as slow as it should be, std::map::find() is 15% slower than it should be, aligned malloc is a lot slower than it should be in VS2015.
Social Networks

Reddit To Transform Into a Social Network With New Profile Pages (digitaljournal.com) 124

An anonymous reader quotes a report from Digital Journal: Reddit has announced it has begun trialling a radical new profile page design that's reminiscent of Facebook and Twitter. It will evolve the discussion board site towards being a social network by enabling users to post directly to their new profile page. At present, posts on Reddit have to be directed into a specific sub-Reddit community. You can't simply write a post and have it appear across the network which can make it difficult to get your voice heard. Unless you've got some reputation in a relevant sub-Reddit, your posts may end up going unnoticed. That could soon change. Last night, Reddit announced it's working on a drastic revision of its user profile page experience. The site has commenced testing of an early version of the design. According to a report from Reuters, just three "high-profile" users currently have access to the feature. When the new pages are eventually opened up to all, they'll showcase the user's profile picture and description. Below the header, posts from the user will be publicly displayed. The user will be able to add new posts to their page, without submitting to a sub-Reddit. Users will be able to follow each other to stay informed of new posts, effectively creating a social network atmosphere above the discussion boards.
Software

Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware (vice.com) 443

Tractor owners across the country are reportedly hacking their John Deere tractors using firmware that's cracked in Easter Europe and traded on invite-only, paid online forums. The reason is because John Deere and other manufacturers have "made it impossible to perform 'unauthorized' repair on farm equipment," which has obviously upset many farmers who see it "as an attack on their sovereignty and quite possibly an existential threat to their livelihood if their tractor breaks at an inopportune time," reports Jason Koebler via Motherboard. As is the case with most modern-day engineering vehicles, the mechanical problems experienced with the newer farming tractors are often remedied via software. From the report: The nightmare scenario, and a fear I heard expressed over and over again in talking with farmers, is that John Deere could remotely shut down a tractor and there wouldn't be anything a farmer could do about it. A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for "crop loss, lost profits, loss of goodwill, loss of use of equipment [...] arising from the performance or non-performance of any aspect of the software." The agreement applies to anyone who turns the key or otherwise uses a John Deere tractor with embedded software. It means that only John Deere dealerships and "authorized" repair shops can work on newer tractors. "If a farmer bought the tractor, he should be able to do whatever he wants with it," Kevin Kenney, a farmer and right-to-repair advocate in Nebraska, told me. "You want to replace a transmission and you take it to an independent mechanic -- he can put in the new transmission but the tractor can't drive out of the shop. Deere charges $230, plus $130 an hour for a technician to drive out and plug a connector into their USB port to authorize the part." "What you've got is technicians running around here with cracked Ukrainian John Deere software that they bought off the black market," he added.
Medicine

Satellite Navigation 'Switches Off' Parts of Brain Used For Navigation, Study Finds (scientificamerican.com) 154

A new study published today in the journal Nature Communications reveals some of the drawbacks of using satellite navigation (SatNav) technology. After scanning the brains of 24 volunteers as they explored a simulation through the streets of London's Soho district, researchers from the University of London found that listening to a satellite navigation's instructions "switches off" activity in parts of the brain used for navigation. Scientific American reports: The researchers found that a brain structure called the hippocampus, which is involved in both memory and spatial navigation, appears to encode two different maps of the environment: One tracks the distance to the final destination as the crow flies and is encoded by the frontal region of the hippocampus, the other tracks the "true path" to the goal and is encoded by its rear region. During the navigation tasks, the hippocampus acts like a flexible guidance system, flipping between these two maps according to changing demands. Activity in the hippocampal rear region acts like a homing signal, increasing as the goal gets closer. Analysis of the brain-scanning data revealed activity in the rear right of the hippocampus increased whenever the participants entered a new street while navigating. It also varied with the number of new path options available. The more alternatives there were, the greater the brain activity. The researchers also found that activity in the front of the hippocampus was associated with a property called centrality, defined by the proximity of each new street to the center of the network. Further, they observed activity in the participants' prefrontal cortices when they were forced to make a detour and had to replan their route -- and this, too, increased in relation to the number of options available. Intriguingly, when participants followed SatNav instructions, however, brain activity in these regions "switched off." Together, the new findings suggest the rear portion of the hippocampus reactivates spatial memories of possible navigation paths, with more available paths evoking more activity, and that the prefrontal cortex may contribute to path-planning by searching though different route options and selecting the best one.
Medicine

Spider Venom Might Protect Us From Deadly Strokes (arstechnica.com) 41

New submitter evolutionary writes: Apparently the Australian funnel-web spider's venom has amazing properties, if you can use it within 4.5 hours. From a report via Ars Technica: "Venom from the Australian funnel-web spider (Hadronyche infensa) contains a chemical that shuts down an ion channel known to malfunction in brain cells after strokes, researchers report Monday in PNAS. In cell experiments, the harmless chemical protected brain cells from a toxic flood of ions unleashed after a stroke strikes. In rats, the venom component markedly protected the rats' brains from extensive damage -- even when it was given hours after a stroke occurred. Researchers have years, if not decades, of work to figure out if their particular venom is safe and effective in humans. And very few potential therapies make the cut. But, this early study gives us reason to be somewhat optimistic: it follows years of research and hypotheses that such venom components and their ion channel-targets could be key to new stroke treatments -- which are desperately needed. The vast majority of strokes involve a blockage that stops or slows the flow of blood into an area of the brain (other strokes can be caused by hemorrhages.) This leaves brain cells without fresh blood and oxygen. To cope, the cells can switch to metabolic pathways that don't rely on oxygen. But this creates acidic conditions, and the pH outside of brain cells starts dropping fast -- a scenario called acidosis. In the acidic, oxygen-starved brain regions, brain cells become damaged and start dying off, causing irreparable damage. The only drug approved by the Food and Drug Administration to treat these types of strokes tries to restore blood flow by breaking up clots. But this drug is only used in about three to four percent of stroke victims because it has to be used within 4.5 hours of the stroke. It also comes with the risk of causing hemorrhages."
Microsoft

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com) 136

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
Businesses

Walmart Unveils 'Store No. 8' Tech Incubator In Silicon Valley (bloomberg.com) 62

An anonymous reader quotes a report from Bloomberg: Wal-Mart Stores Inc. is creating a technology-startup incubator in Silicon Valley to identify changes that will reshape the retail experience, including virtual reality, autonomous vehicle and drone delivery and personalized shopping. The incubator will be called Store No. 8, a reference to a Wal-Mart location where the company experimented with new store layouts. Marc Lore, chief executive officer of Wal-Mart's e-commerce operations, announced the incubator Monday at the ShopTalk conference in Las Vegas. The world's biggest retailer has been overhauling its online team to better challenge Amazon.com Inc. with greater selection and lower prices. Lore founded Jet.com, which Wal-Mart purchased in September for about $3.3 billion in pursuit of Amazon in the e-commerce race. Lore said Wal-Mart has an advantage over "pure play" e-commerce companies because of its large network of stores that attract shoppers for such items as fresh food. The incubator will partner with startups, venture capitalists and academics to promote innovation in robotics, virtual and augmented reality, machine learning and artificial intelligence, according to Wal-Mart. The goal is to have a fast-moving, separate entity to identify emerging technologies that can be developed and used across Wal-Mart.
Advertising

Google Wants To Create Promotions That Aren't Ads For Its Voice-Controlled Assistant (businessinsider.in) 49

Earlier this month, some Google Home users noticed what appeared to be audio ads for Disney's "Beauty and the Beast" movie. After some intense backlash, the company released a statement claiming that the ad was not an ad, but that it was simply "timely content" that Disney didn't pay for. Google's UK director of agencies, Matt Bush, has since spoken out about the company's plans with advertising via the voice-controlled Assistant. Business Insider reports: Bush explained Google isn't looking to offer brand integrations in voice for the time being, since it didn't have enough data to come up with an ad product that adds value for consumers. "We want businesses to have a phenomenal mobile experience and then building on that have a phenomenal voice experience," Bush told Business Insider at Advertising Week Europe. "That might not be, in the early instances, anything that has to do with commercials at all. It might just be something something that adds value to the consumer without needing to be commercialized." Bush explained that the consumer experience with voice is very different from that of text search because the use cases for voice navigation differ depending on the device the function is used on and the context the user finds themselves in. "We don't want to start putting in commercial opportunities that we think users don't want to interact with," Bush said "We don't want anything to come in-between the user and their access to the information they're actually looking for. If a brand can add value in that space, fantastic." Bush cited mobile search ads as successful executions of using context and personal user insights, but voice promotions are unlikely to take the same form. "It's unlikely to be what you see from search as it currently stands, where you might have three or four ads as the top results of a search," he said.
Google

Burglars Can Easily Make Google Nest Security Cameras Stop Recording (helpnetsecurity.com) 66

Orome1 quotes a report from Help Net Security: Google Nest's Dropcam, Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor security cameras can be easily disabled by an attacker that's in their Bluetooth range. The vulnerabilities are present in the latest firmware version running on the devices (v5.2.1). They were discovered by researcher Jason Doyle last fall, and their existence responsibly disclosed to Google, but have still not been patched. The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends to the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter, respectively. Triggering one of these flaws will make the devices crash and reboot. The third flaw is a bit more serious, as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and return to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won't be recording. Nest has apparently already prepared a patch but hasn't pushed it out yet. (It should be rolling out "in the coming days.")

Slashdot Top Deals