New VORACLE Attack Can Recover HTTP Data From Some VPN Connections (Slashdot, by EditorDavid on security; cached at August 18, 2018, 11:05 pm)

"A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions," reports Bleeping Computer, citing research presented last week at the Black Hat and DEF CON security conferences. An anonymous reader writes: The conditions are that the VPN service/client uses the OpenVPN protocol and that the VPN app compresses the HTTP traffic before it encrypts it using TLS. To make matters worse, the OpenVPN protocol compresses all data by default before sending it via the VPN tunnel. At least one VPN provider, TunnelBear, has now updated its client to turn off the compression. [UPDATE: ExpressVPN has since also disabled compression to prevent VORACLE attacks.] HTTPS traffic is safe, and only HTTP data sent via the VPN under these conditions can be recovered. Users can also stay safe by switching to another VPN protocol if their VPN client supports multiple tunneling technologies. In response to the security researcher's report, the OpenVPN project "has decided to add a more explicit warning in its documentation regarding the dangers of using pre-encryption compression."
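The mitigation the story describes is to make sure compression is switched off in the OpenVPN configuration. As an added illustration (this is not code from the Bleeping Computer story, TunnelBear, ExpressVPN or the OpenVPN project), the following Python script scans an OpenVPN server or client configuration for the directives that enable compression before encryption, and also unwraps server-side `push "..."` lines, since a pushed directive turns compression on for every connecting client. The directive semantics it assumes are those documented in the OpenVPN 2.x manual: `comp-lzo [yes|no|adaptive]` (a bare `comp-lzo` means adaptive) and `compress [lzo|lz4|lz4-v2|stub|stub-v2]` (a bare `compress`, `stub` or `stub-v2` adds framing only). The two sample configurations are constructed for the example.

```python
"""Flag OpenVPN directives that enable compression before encryption,
the precondition VORACLE relies on.

Added example; assumes the OpenVPN 2.x directive syntax:
  comp-lzo [yes|no|adaptive]   (bare comp-lzo == adaptive)
  compress [lzo|lz4|lz4-v2|stub|stub-v2]   (bare/stub/stub-v2 == no compression)
Server `push "..."` lines are unwrapped because a pushed directive
enables compression on every client that connects."""

import re
from typing import List, Tuple

# Algorithms that actually compress payload bytes; everything else
# (no argument, stub, stub-v2) only adds framing and leaves data uncompressed.
COMPRESSING_ALGOS = {"lzo", "lz4", "lz4-v2"}

PUSH_RE = re.compile(r'^push\s+"([^"]*)"\s*$')


def _unwrap_push(line: str) -> Tuple[str, bool]:
    """Return (directive, pushed); pushed marks a server `push "..."` line."""
    m = PUSH_RE.match(line)
    if m:
        return m.group(1).strip(), True
    return line, False


def compression_enabled(directive: str) -> bool:
    """Decide whether a single (already unwrapped) directive enables compression."""
    parts = directive.split()
    if not parts:
        return False
    name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
    if name == "comp-lzo":
        # bare comp-lzo is adaptive; only `comp-lzo no` keeps data uncompressed
        return (args[0] if args else "adaptive") != "no"
    if name == "compress":
        # bare `compress`, `stub` and `stub-v2` are framing only
        return bool(args) and args[0] in COMPRESSING_ALGOS
    return False


def find_compression_directives(config_text: str) -> List[Tuple[int, str, bool]]:
    """Scan a config and return (line_no, directive, pushed) for every directive
    that enables compression. Blank lines and # / ; comment lines are skipped."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        directive, pushed = _unwrap_push(line)
        if compression_enabled(directive):
            findings.append((lineno, directive, pushed))
    return findings


def is_safe(config_text: str) -> bool:
    """True when no directive in the config enables pre-encryption compression."""
    return not find_compression_directives(config_text)


# Constructed sample configs (not taken from any real provider or guide).
VULNERABLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
# legacy setting many old guides still copy:
comp-lzo
push "compress lz4-v2"
"""

HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
# framing only, no compression, locally and for pushed clients
comp-lzo no
push "compress"
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_SERVER_CONF),
                        ("hardened", HARDENED_SERVER_CONF)):
        hits = find_compression_directives(conf)
        print(f"{label}: {'OK' if not hits else 'compression enabled'}")
        for lineno, directive, pushed in hits:
            where = "pushed to clients" if pushed else "local"
            print(f"  line {lineno}: {directive!r} ({where})")
```

Run it against a real `server.conf` or `client.ovpn` by reading the file into `find_compression_directives`; any finding means the tunnel still compresses plaintext before TLS, which is the condition the story says VORACLE needs.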

[no title] (Scripting News; cached at August 18, 2018, 10:33 pm)

Poll: How often do you use Twitter's block command?
Putin and Merkel discuss Nord Stream 2, Syrian reconstruction (Al Jazeera English, AJE; cached at August 18, 2018, 10:30 pm)

The Russian and German leaders meet for bilateral talks outside of Berlin.
Linux Study Argues Monolithic OS Design Leads To Critical Exploits (Slashdot, by EditorDavid on security; cached at August 18, 2018, 10:05 pm)

Long-time Slashdot reader Mike Bouma shares a paper (via OS News) making the case for "a small microkernel as the core of the trusted computing base, with OS services separated into mutually-protected components (servers) -- in contrast to 'monolithic' designs such as Linux, Windows or MacOS." While intuitive, the benefits of the small trusted computing base have not been quantified to date. We address this by a study of critical Linux CVEs [PDF] where we examine whether they would be prevented or mitigated by a microkernel-based design. We find that almost all exploits are at least mitigated to less than critical severity, and 40% completely eliminated by an OS design based on a verified microkernel, such as seL4.... Our results provide very strong evidence that operating system structure has a strong effect on security. 96% of critical Linux exploits would not reach critical severity in a microkernel-based system, 57% would be reduced to low severity, the majority of which would be eliminated altogether if the system was based on a verified microkernel. Even without verification, a microkernel-based design alone would completely prevent 29% of exploits... The conclusion is inevitable: From the security point of view, the monolithic OS design is flawed and a root cause of the majority of compromises. It is time for the world to move to an OS structure appropriate for 21st century security requirements.

Twitter Is 'Rethinking' Its Service, and Suspending 1M Accounts Each Day (Slashdot, by EditorDavid on social; cached at August 18, 2018, 9:04 pm)

Twitter's CEO told the Washington Post he's "rethinking" core parts of Twitter: Dorsey said he was experimenting with features that would promote alternative viewpoints in Twitter's timeline to address misinformation and reduce "echo chambers." He also expressed openness to labeling bots -- automated accounts that sometimes pose as human users -- and redesigning key elements of the social network, including the "like" button and the way Twitter displays users' follower counts. "The most important thing that we can do is we look at the incentives that we're building into our product," Dorsey said. "Because they do express a point of view of what we want people to do -- and I don't think they are correct anymore." Dorsey's openness to broad changes shows how Silicon Valley leaders are increasingly reexamining the most fundamental aspects of the technologies that have made these companies so powerful and profitable. At Facebook, for example, CEO Mark Zuckerberg has commissioned a full review of his company's products to emphasize safety and trust, from mobile payments to event listings.... In recent months, Twitter has made several changes to promote safety and trust. It has introduced new machine learning software to monitor account behavior and is suspending over a million problematic accounts a day.... Dorsey said Twitter hasn't changed its incentives, which were originally designed to nudge people to interact and keep them engaged, in the 12 years since Twitter was founded.

What may unfold in Syria's Idlib and why is a 'bloodbath' likely? (Al Jazeera English, AJE; cached at August 18, 2018, 9:00 pm)

Idlib is the Syrian government's next target, experts say, but other scenarios may unfold with regional players at hand.
Wifi Could Be Used To Detect Guns and Bombs, Researchers Say (Slashdot, by EditorDavid on security; cached at August 18, 2018, 8:05 pm)

An anonymous reader quotes the BBC: Ordinary wi-fi could be used to detect weapons and explosives in public places, according to a study led by the Rutgers University in New Jersey. Wireless signals can penetrate bags to measure the dimensions of metal objects or estimate the volume of liquids, researchers claim. Initial tests appeared to show that the system was at least 95% accurate. It could provide a low-cost alternative to airport-style security, researchers said. The system works by analysing what happens when wireless signals penetrate and bounce off objects and materials.

[no title] (Scripting News; cached at August 18, 2018, 7:33 pm)

Everyone's experience with Twitter is different. As is every person's experience with podcasting; and everything else in life. To say Twitter is boring or abusive or whatever is like making an equivalent statement about movies or the telephone or travel.
[no title] (Scripting News; cached at August 18, 2018, 7:33 pm)

I'm in season 3 of Deadwood now. Very different experience from the first time through when I watched the episodes as they came out. One thing that's clear is that it's a comedy. And they sometimes had a blast in the writer's room, with puns and characters finishing each other's speeches. I know in advance some characters are doomed, which is disturbing. And I had forgotten how evil some characters are. Not Swearengen though. He's a poet and hippie. Has limited ambition. That isn't clear in the first season, but by the third he's matured, as has Bullock, to become peacemakers, even civil rights advocates.
Egypt's Sisi signs new law tightening government control online (Al Jazeera English, AJE; cached at August 18, 2018, 7:30 pm)

Law imposes hefty fines, up to five years in prison for those who administer websites deemed to harm national interests.
The 'unknown migrants' buried in southern Spain (Al Jazeera English, AJE; cached at August 18, 2018, 7:30 pm)

Along the Mediterranean coast, some Spanish locals try to provide respect and care for the bodies of unidentified migrants who did not survive the perilous crossing.
H-1B Visa Use Soared Last Year At Major Tech Firms (Slashdot, by EditorDavid on government; cached at August 18, 2018, 7:04 pm)

"Even as the White House began cracking down on U.S. work visas, major Silicon Valley technology firms last year dramatically ramped up hiring of workers under the controversial H-1B visa program," reports the Mercury News. Menlo Park-based Facebook in 2017 received 720 H-1B approvals, a 53 percent increase over 2016, according to the National Foundation for American Policy, which obtained federal government data. Mountain View's Google received 1,213 H-1B approvals, a 31 percent increase. The number of H-1B approvals at Intel in Santa Clara rose 19 percent and Cupertino-based Apple received 673, a 7 percent increase.... [E]xperts say the data doesn't show how many additional H-1B contractors tech companies may get from staffing agencies or outsourcing companies. In response to this news organization's inquiries, Facebook said it does not publicly discuss its use of H-1B workers or contractors. Google, Apple and Intel did not respond to requests for information about their use of H-1B workers or contractors.... Amazon chalked up the largest increase in H-1B approvals, with 2,515 in 2017, a 78 percent leap. Microsoft received 1,479 approvals, an increase of 29 percent. Neither company responded to a request for comment. A distinguished fellow at Carnegie Mellon's School of Engineering at Silicon Valley believes that the threat of a U.S. crackdown on H-1B visas may simply have prompted companies to secure as many visas as possible while they could.

Abandoned tobacco factory to turn into an arts center in Iraq (Al Jazeera English, AJE; cached at August 18, 2018, 6:30 pm)

Sulayminyah has, since its founding 200 years ago, been dedicated to the arts and now the Kurdistan Regional Government has dedicated six million dollars to create a cultural arts centre in the city.
Encrypt NFSv4 with TLS Encryption Using Stunnel (Slashdot, by EditorDavid on encryption; cached at August 18, 2018, 6:05 pm)

The systems and database administrator for a Fortune 500 company notes that while NFS is "decades old and predating Linux...the most obvious feature missing from NFSv4 is native, standalone encryption." emil (Slashdot reader #695) summarizes this article from Linux Journal: NFS is the most popular remote file system in the Linux, UNIX, and greater POSIX community. The NFS protocol pushes file traffic over cleartext connections in the default configuration, which is poison to sensitive information. TLS can wrap this traffic, finally bringing wire security to files vulnerable to compromise in transit. Before using a cloud provider's toolset, review NFS usage and encrypt where necessary. The article's author complains that Google Cloud "makes no mention of data security in its documented procedures," though "the performance penalty for tunneling NFS over stunnel is surprisingly small...." "While the crusade against telnet may have been largely won, Linux and the greater UNIX community still have areas of willful blindness. NFS should have been secured long ago, and it is objectionable that a workaround with stunnel is even necessary."

Women activists in Nepal call for equality on citizenship bill (Al Jazeera English, AJE; cached at August 18, 2018, 5:30 pm)

The proposed bill would require women to have a Nepalese husband in order to pass on their citizenship to their children.