Ubuntu 12.10 Alpha 3 unifies user menus

The Ubuntu developers have released the third alpha of Ubuntu 12.10 “Quantal Quetzal”, the final release of which is scheduled for 18 October. This development release includes several changes over Alpha 2, which was released a month ago. These changes include a reworked session menu, improvements to the update manager and removal of the third party driver installation tool. Upstream changes to the Nautilus file manager have caused theming issues with the default Ubuntu theme, but the developers expect to have these fixed by the time the first beta release of 12.10 arrives at the beginning of September.

Ubuntu’s session and the “Me” menu have been combined in this release, and several listings and options, such as the devices section, have been taken out. User testing had apparently revealed that many users were confused by which option was present in which of the two menus, so the developers decided to combine and simplify them. Ubuntu’s update manager has now been renamed to “software updater” and has been streamlined to show less information, concentrating on what the developers deem the most important bits of information. The third party driver tool that allowed Ubuntu users to install proprietary drivers for their hardware, such as drivers for NVIDIA graphics cards, has been moved to a tab in the Software Sources dialog.

Changes to Nautilus from the upstream GNOME project have led to a somewhat unfavourable look for Ubuntu’s file manager in this release. This is due to the GNOME developers streamlining its look and Ubuntu’s default theme not yet being compatible with these changes. The developers are planning to address these problems in the upcoming weeks, however. Other changes in Nautilus include more evocative icons and the ability to reorder items in the side bar, the ability to choose between “copy to” and “move to” actions, the removal of the “Go” menu and more.

Ubuntu 12.10 Alpha 3 includes version 3.5.0 of the Linux kernel, Python 3 (Python 2 is available from the repositories but will not be installed by default), version 3.5.4 of the GNOME components, LibreOffice 3.6.2 RC2 and the latest beta release of Firefox 15. More details on the changes in this release as well as known issues with it are available from the distribution’s wiki.

ISO images of Ubuntu 12.10 Alpha 3 are available from the Ubuntu web site for testing on 32- and 64-bit systems. The developers point out that this release is intended for testing purposes only and should under no circumstances be used on production systems.

Password leak at meetOne

A data leak at the meetOne dating site allowed anyone to access private data including the plaintext passwords, email addresses and real names of the site’s approximately 900,000 members. To obtain the data, an attacker simply needed to increment a URL parameter. After they were informed by The H’s associates at heise Security, the operators soon closed the hole.

When news of a data leak in one of the dating portal’s custom APIs was disclosed to heise Security, the editors managed to reproduce the problem and access the data of a specially created test profile. The API disclosed information including the email address and password of the test user, which allowed access to the user’s profile.

Once logged in, the editors could have accessed any data, private messages and photos stored with the user profile. However, logging in wasn’t actually required to retrieve sensitive information – most of the data was already available through the API. Labels such as “sexuality”, “childrenNumber”, “schooling”, “yearlyIncome”, “relationshipTyp” or “searchOneNightStand” provide some idea of the havoc a malicious data thief could have wreaked with this information.
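An added example, not meetOne's code: a minimal sketch of the server-side controls whose absence the report describes, namely an ownership check tied to the session rather than the URL parameter, a field allowlist for API responses, and salted password hashes instead of plaintext. The user store, function names and sample records are constructed assumptions; only the labels "yearlyIncome" and "schooling" come from the article.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Salted, slow hash: the stored value cannot be replayed as a login
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(uid, email, password, **private):
    salt = os.urandom(16)
    return {"id": uid, "email": email, "salt": salt,
            "pw_hash": _hash(password, salt), **private}

# Constructed sample records (hypothetical users)
USERS = {u["id"]: u for u in (
    make_user(1001, "alice@example.test", "correct horse",
              yearlyIncome="50k", schooling="university"),
    make_user(1002, "bob@example.test", "battery staple",
              yearlyIncome="30k", schooling="college"),
)}

# Fields the API may return to the profile owner; credentials are never listed
OWNER_FIELDS = {"id", "email", "yearlyIncome", "schooling"}

class Forbidden(Exception):
    pass

def get_profile(session_user_id, requested_id):
    """Serve a profile only to its authenticated owner."""
    if session_user_id is None:
        raise Forbidden("authentication required")
    record = USERS.get(requested_id)
    # Same error for "no such id" and "not yours", so incrementing the
    # parameter reveals neither data nor which ids exist
    if record is None or session_user_id != requested_id:
        raise Forbidden("not found or not permitted")
    return {k: v for k, v in record.items() if k in OWNER_FIELDS}

def verify_password(uid, candidate):
    rec = USERS[uid]
    return hmac.compare_digest(rec["pw_hash"], _hash(candidate, rec["salt"]))
```
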

After heise Security informed meetOne co-founder Nils Henning, the vulnerability was closed within hours. Henning said that the “scope of the hole is limited” because “no sensitive data such as billing information was retrievable at any time”. The executive didn’t clarify why the company thought that information such as plaintext user passwords was not considered to be “sensitive data”.

The operators cannot guarantee that the hole has not been exploited in the past and say that they have “reset all passwords”. However, on checking at 7.30 pm on Wednesday evening, all passwords that were tested by heise Security were still functional. To be safe, users who have previously created a profile with this site should change their password – and, importantly, they should also change passwords on any other services where they may have used the same password.

Founded in Germany, the dating portal is now operated by US company meetOne International LLC. Nils Henning continues to work for Hamburg-based meetOne GmbH, a company that now regards itself as a service provider to the LLC and “mainly handles support tasks”.

Google making spaces interactive

Google has announced an open source software framework for tracking objects and people in a space and providing virtual interactions between them. The toolset is called Interactive Spaces, is written in Java and can theoretically run on any operating system with Java – currently, Linux and Mac OS X are supported, and Windows support is coming soon.

To explain the project, Google provides the example of a room with a display built into the floor and cameras in the ceiling that track people in the space. The software creates circles under the feet of people entering the room, and these circles then follow them around. The framework accomplishes these interactions between tracked objects in the space and virtual objects on displays by providing an architecture to build activities and connect them to “producers” and “consumers” of events. Producers are peripherals like the cameras in Google’s example, whereas the consumers would be the displays in the floor.

Besides Java, Interactive Spaces also supports JavaScript and Python for scripting purposes. Native applications can also be incorporated, including OpenFrameworks which uses C++. Google plans to add support for the Processing language as well since it is often used in interactive art installations.

Interactive Spaces is licensed under the Apache 2.0 licence and the source code for the project is available from Google Code.

Intel updates its open source Linux drivers

Intel’s developers have released version 12.07 of the open source Intel graphics package for Linux systems. The package includes the new X Server drivers for Intel cards as well as several other components that have been tested with these drivers.

The most important new feature of the release is version 2.20.0 of the xf86-video-intel driver for the X Server. This includes a new 2D acceleration method, called SNA, that can be selected at runtime by specifying Option "AccelMethod" "sna" in the xorg.conf file. The SNA architecture is designed to make better use of new features in modern Intel graphics cards and aims to be faster and consume less CPU than the older UXA method. Alternatively, users can also activate the Glamor method which accelerates 2D graphics by using OpenGL. Both of these methods are currently considered experimental. The established UXA architecture and other portions of the driver have also received several bug fixes. Alongside version 2.20.0, the developers have also separately released version 2.10.1 of the X Server driver to fix problems they found while preparing the rest of the driver package.

Intel’s graphics driver package is aimed at developers looking for a pre-tested bundle of components rather than Linux end users. Aside from the actual drivers, the collection also includes other software components that have been tested in conjunction with them. This encompasses the stable 3.4.x version of the Linux kernel which was released in May and which uses the RC6 power saving mode by default. It also supports the GT2 server chipset based on the Ivy Bridge architecture. The included 3D driver is version 8.0.4 of Mesa 3D which fixes several problems of older 8.0.x releases but includes almost no new features.

The source code for Intel’s driver package is licensed under a combination of the MIT and GPLv2 licences and can be downloaded from the company’s Linux driver web site.

Safari 6 addresses numerous security vulnerabilities


Alongside the release of OS X 10.8 Mountain Lion earlier today, Apple has published version 6.0 of its Safari web browser for OS X 10.7 Lion, adding a number of new features and closing numerous security holes. According to the company, the major update addresses more than 120 vulnerabilities found in the previous 5.x branch. Among the holes closed are problems in the handling of feed:// URLs that could have led to cross-site scripting (XSS) attacks or users’ files being sent to a remote server. A bug in the autocomplete system used by Safari, which may have resulted in passwords being automatically inserted even when a site specifies that it shouldn’t be, has been fixed, as has an XSS issue caused by opening maliciously crafted files on certain pages.

As usual, the majority of the problems fixed in the update were found in the WebKit browser engine used by Safari. These include cross-site information disclosure bugs, site URL spoofing problems, cross-origin issues, problems related to iFrames and over 100 memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution. For an attack to be successful, a victim must first visit a specially crafted web site. Other WebKit-related bugs include the disclosure of memory contents, escapes from the browser’s sandbox, history session handling problems, and an HTTP header injection issue.

Non-security related changes include the addition of a single “Smart Search Field” used for both searching and inputting site addresses, a new Password pane for managing saved site logins, and an Offline Reading List, which allows users to save web pages to a Reading List for when an internet connection isn’t available. Support for the “Do Not Track” (DNT) header has also been added; DNT is a developing standard for telling web sites that the browser user wishes to opt out of online behavioural tracking.

A full list of security fixes can be found in Apple’s security advisory. Users running Mac OS X 10.7.4 can upgrade to Safari 6 using the built-in Software update function. All users are advised to upgrade as soon as possible.

Safari 6 is included by default with Apple’s OS X 10.8 Mountain Lion operating system, which arrived earlier today as a paid update from the Mac App Store. At the time of writing, the Apple security updates and Support Downloads pages do not yet list Safari 6. Additionally, it’s worth noting that a Windows version of Safari 6 is not available and that all references to Safari for Windows have been removed from Apple’s main Safari page. As it uses the same engine, the current 5.1.7 release of Safari for Windows is vulnerable to many of the same security problems.

