Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

NSA Director Says Agency Is Still Trying To Figure Out Cyber Operations

Soulskill posted 11 hours ago | from the i-don't-think-the-mr-magoo-routine-is-going-to-work dept.

Government 74

Trailrunner7 writes: In a keynote speech at a security conference in Washington on Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war. "We're still trying to work our way through distinguishing the difference between criminal hacking and an act of war," said Rogers. "If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what's an act of defense." Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we can not assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.

Why Is It Taking So Long To Secure Internet Routing?

Soulskill posted 13 hours ago | from the adoption-is-driven-by-fear dept.

Networking 67

CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attacks. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"

Tim Cook Says Apple Can't Read Users' Emails, That iCloud Wasn't Hacked

timothy posted yesterday | from the our-cooperation-was-strictly-reluctant dept.

Cloud 175

Apple CEO Tim Cook insists that Apple doesn't read -- in fact, says Cook, cannot read -- user's emails, and that the company's iCloud service wasn't hacked. ZDNet presents highlights from Cook's lengthy, two-part interview with Charlie Rose. One selection of particular interest: Apple previously said that even it can't access iMessage and FaceTime communications, stating that such messages and calls are not held in an "identifiable form." [Cook] claimed if the government "laid a subpoena," then Apple "can't provide it." He said, bluntly: "We don't have a key... the door is closed." He reiterated previous comments, whereby Apple has said it is not in the business of collecting people's data. He said: "When we design a new service, we try not to collect data. We're not reading your email." Cook went on to talk about PRISM in more detail, following the lead from every other technology company implicated by those now-infamous PowerPoint slides.

New Release of MINIX 3 For x86 and ARM Is NetBSD Compatible

timothy posted yesterday | from the big-and-fancy dept.

Open Source 89

An anonymous reader writes MINIX 3 is a small POSIX-compliant operating system aimed at high reliability (embedded) applications. A major new version of MINIX 3 (3.3.0) is now available for download at www.minix3.org. In addition to the x86, the ARM Cortex A8 is now supported, with ports to the BeagleBoard and BeagleBones available. Finally, the entire userland has been redone in 3.3.0 to make it NetBSD compatible, with thousands of NetBSD packages available out of the box. MINIX 3 is based on a tiny (13 KLoC) microkernel with the operating system running as a set of protected user-mode processes. Each device driver is also a separate process. If a driver fails, it is automatically and transparently restarted without rebooting and without applications even noticing, making the system self-healing. The full announcement, with links to the release notes and notes on installation, can be found at the Minix Google Groups page.

Canon Printer Hacked To Run Doom Video Game

samzenpus posted 2 days ago | from the print-or-play dept.

Security 86

wiredog writes Security researcher Michael Jordon has hacked a Canon's Pixma printer to run Doom. He did so by reverse engineering the firmware encryption and uploading via the update interface. From the BBC: "Like many modern printers, Canon's Pixma range can be accessed via the net, so owners can check the device's status. However, Mr Jordon, who works for Context Information Security, found Canon had done a poor job of securing this method of interrogating the device. 'The web interface has no user name or password on it,' he said. That meant anyone could look at the status of any device once they found it, he said. A check via the Shodan search engine suggests there are thousands of potentially vulnerable Pixma printers already discoverable online. There is no evidence that anyone is attacking printers via the route Mr Jordon found."

New Details About NSA's Exhaustive Search of Edward Snowden's Emails

samzenpus posted 2 days ago | from the taking-a-good-look dept.

Government 193

An anonymous reader points out this Vice story with new information about the NSA's search of Edward Snowden's emails. Last year, the National Security Agency (NSA) reviewed all of Edward Snowden's available emails in addition to interviewing NSA employees and contractors in order to determine if he had ever raised concerns internally about the agency's vast surveillance programs. According to court documents the government filed in federal court September 12, NSA officials were unable to find any evidence Snowden ever had.

In a sworn declaration, David Sherman, the NSA's associate director for policy and records, said the agency launched a "comprehensive" investigation after journalists began to write about top-secret NSA spy programs upon obtaining documents Snowden leaked to them. The investigation included searches of any records where emails Snowden sent raising concerns about NSA programs "would be expected to be found within the agency." Sherman, who has worked for the NSA since 1985, is a "original classification authority," which means he can classify documents as "top-secret" and process, review, and redact records the agency releases in response to Freedom of Information Act (FOIA) requests.

In his declaration, Sherman detailed steps he said agency officials took to track down any emails Snowden wrote that contained evidence he'd raised concerns inside the agency. Sherman said the NSA searched sent, received, deleted emails from Snowden's account and emails "obtained by restoring back-up tapes." He noted that NSA officials reviewed written reports and notes from interviews with "NSA affiliates" with whom the agency spoke during its investigation.

Malware Distributed Through Twitch Chat Is Hijacking Steam Accounts

samzenpus posted 2 days ago | from the protect-ya-neck dept.

Security 53

An anonymous reader writes If you use Twitch don't click on any suspicious links in the video streaming platform's chat feature. Twitch Support's official Twitter account issued a security warning telling users not to click the "csgoprize" link in chat. According to f-secure, the link leads to a Java program that asks for your name and email. If you provide the info it will install a file on your computer that's able to take out any money you have in your Steam wallet, as well as sell or trade items in your inventory. "This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry," says F-Secure. "It even dumps your items for a discount in the Steam Community Market. Previous variants were selling items with a 12 percent discount, but a recent sample showed that they changed it to 35 percent discount. Perhaps to be able to sell the items faster."

Chrome For Mac Drops 32-bit Build

samzenpus posted 2 days ago | from the more-bits dept.

Google 129

jones_supa writes Google has revealed that it's launching the finished 64-bit version of Chrome 39 for OS X this November, which already brought benefits in speed, security and stability on Windows. However at this point the 32-bit build for Mac will cease to exist. Just to make it clear, this decision does not apply to Windows and Linux builds, at least for now. As a side effect, 32-bit NPAPI plugins will not work on Chrome on Mac version 39 onwards. The affected hardware are only the very first x86-based Macs with Intel Core Duo processors. An interesting question remains, whether the open source version of Chrome, which is of course Chromium, could still be compiled for x86-32 on OS X.

Sapphire Glass Didn't Pass iPhone Drop Test According to Reports

samzenpus posted 2 days ago | from the trying-something-different dept.

Iphone 202

SternisheFan notes reports about why Apple didn't use sapphire glass screens in the latest iPhones as many expected. Sapphire screens were part of the iPhone 6 design until the glass repeatedly cracked during standard drop tests conducted by Apple suppliers. So Apple abandoned its sapphire plans before the iPhone 6 product launch September 9. VentureBeat has learned that recent supplier channel checks by an IDC analyst yielded several reports of the sapphire failures and Apple's decision against using the glass material. As we heard on Tuesday in Cupertino, both the iPhone 6 and the larger iPhone 6 Plus will ship with screens made of "ion-strengthened" glass. This was apparently Apple's second choice. IDC analyst Danielle Levitas says it isn't clear when exactly the drop-test failures took place, or when Apple abandoned plans for sapphire-screened iPhones. She says the poor drop-test results, combined with the relative high cost of sapphire glass, could have made plans to ship sapphire glass phones too risky. One researcher who covers GT Advanced Technologies, the company that was to produce the glass for the iPhone 6, wrote in a research note earlier this week that plans for the sapphire screens were cancelled in August, just weeks before the September 9 launch. The new Apple Watches (except the "Sport" version) do use sapphire for their screens. Levitas believes that the glass for the smaller 1.5-inch and 1.7-inch watch screens was less likely to break in drop tests.

High School Student Builds Gun That Unlocks With Your Fingerprint

Soulskill posted 3 days ago | from the amazed-he-hasn't-been-expelled dept.

Security 582

An anonymous reader writes: Kai Kloepfer is a 17-year-old high school student from Colorado who just won the Smart Tech for Firearms Challenge. Kloepfer designed and built a smart gun that will only unlock and fire for users who supply the proper fingerprints. "The gun works by creating a user ID and locking in the fingerprint of each user allowed to use the gun. The gun will only unlock with the unique fingerprint of those who have already permission to access the gun. ... According to him, all user data is kept right on the gun and nothing is uploaded anywhere else so it would be pretty hard to hack." The gun can have up to 999 authorized users, and its accuracy at detecting fingerprints is 99.99%. For winning the challenge, he won $50,000 in funding to continue developing the smart gun. Some of the fund have already gone toward 3-D printing portions of the prototype.

Early iPhone 6 Benchmark Results Show Only Modest Gains For A8

Soulskill posted 4 days ago | from the find-a-way-to-make-this-fit-your-narrative dept.

Cellphones 207

MojoKid writes: Historically speaking, we typically see impressive performance gains each time Apple releases a new custom processor for its mobile products. Certainly that was true of the A7 SoC, the world's first 64-bit smartphone processor. So, can we expect the same kind of performance bump from the iPhone 6 and iPhone 6 Plus, both of which sport the new custom A8 SoC? Maybe not. The iPhone 6 recently surfaced in results for the Basemark X benchmark and armed with a dual-core 1.4GHz Cyclone CPU and A8 GPU, the iPhone 6 scored 21,204.26 and a earned a place at the top of the chart, though not by much. By comparison, the iPhone 5s scored 20,253.80 in the same benchmark. In other words, the iPhone 6 is currently less than 5 percent faster than the iPhone 5s, at least as far as the Basemark X benchmark is concerned.

City of Turin To Switch From Windows To Linux and Save 6M Euros

Soulskill posted 4 days ago | from the frugal-tux dept.

Government 245

jrepin writes: The municipality of Turin in Italy hopes to save 6 million Euro over five years by switching from Windows XP to Ubuntu Linux in all of its offices. The move will mean installing the open source operating system on 8,300 PCs, which will generate an immediate saving of roughly €300 per machine (almost €2.5m altogether, made up from the cost of Windows and Office licences) — a sum that will grow over the years as the need for the renewal of proprietary software licences vanishes, and the employees get used to the new machines.

Ask Slashdot: Advice On Building a Firewall With VPN Capabilities?

timothy posted 4 days ago | from the thick-pipes-and-sturdy-valves dept.

Networking 237

An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PC's, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head: 1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution? 2. Software- versus hardware-based encryption — pros and cons? 3. What are minimum requirements to run a VPN? 4. Which OS to go for? 5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."

L.A. TV Stations Free Up Some Spectrum For Wireless Broadband

timothy posted 5 days ago | from the slightly-less-waste dept.

Wireless Networking 79

alphadogg (971356) writes An effort to free up some of the airwaves used by TV broadcasts and make them available for wireless broadband took a big step forward this week in the U.S. Two TV stations in Los Angeles, KLCS and KCET, have agreed to share a single frequency to deliver their programming freeing up a channel that can be auctioned off to wireless carriers next year. The change, which the Federal Communications Commission calls "repackaging," is possible because digital TV broadcasts don't need the full 6MHz of broadcast spectrum that was used for analog TV.

Turning the Tables On "Phone Tech Support" Scammers

timothy posted 5 days ago | from the mouthwatering-shadenfreude dept.

Crime 208

mask.of.sanity writes A security pro has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers. The hack detailed in Matthew Weeks' technical post works from the end-user, meaning victims can send scammers the hijacking exploit when they request access to their machines. Victims should provide scammers with their external IP addresses rather than their Ammyy identity numbers as the exploit was not yet built to run over the Ammyy cloud, according to the exploit readme. This is much more efficient than just playing along but "accidentally" being unable to follow their instructions.

Mining iPhones and iCloud For Data With Forensic Tools

Soulskill posted 5 days ago | from the security-through-panic-and-news-articles dept.

Iphone 85

SternisheFan points out an article that walks us through the process of using forensic tools to grab data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak. There are a number of ways to break into these devices and services depending on what kind of weakness an attacker has found. For example, if the attacked has possession of a target's iPhone, a simple command-line toolkit from Elcomsoft uses a jailbreak to bypass the iPhone's security. A different tool can extract iCloud data with access to a computer that has a local backup of a phone's data, or access to a computer that simply has stored credentials.

The discusses also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."

5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

samzenpus posted about a week ago | from the big-list dept.

Google 203

kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — are circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.

Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure

Soulskill posted about a week ago | from the everyone-was-equally-ignorant dept.

Security 20

Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations – perhaps the NSA – that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

"For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods." That result also doesn't rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.

Satoshi Nakamoto's Email Address Compromised

Soulskill posted about a week ago | from the or-as-he-likes-to-be-called,-bitcoin-batman dept.

Bitcoin 65

ASDFnz writes: Satoshi Nakamoto, the respected (and currently missing) inventor of Bitcoin, seems to have had his email address compromised by an unknown agent. Satoshi exclusively used one email address when he was active in the Bitcoin community: satoshin@gmx.com. If you have a look at the original Bitcoin whitepaper (PDF), you will find it there at the top just under the title. He also usually signed his correspondence with his PGP signature. Earlier today, the head administrator of Bitcointalk, Theymos, received an email from Satoshi's email address that appeared to originate from GMX's servers. Theymos made a post on the Bitcointalk forums saying he had received an email from the address without Satoshi's PGP signature. Later, the unknown agent posted to other Satoshi accounts.

Home Depot Confirms Breach of Its Payment Systems

Soulskill posted about a week ago | from the hackers-can-do-it.-we-can-help. dept.

Security 111

itwbennett writes: Home Depot confirmed Monday that its payment systems had been breached, potentially affecting any customers who shopped at its stores in the U.S. and Canada since April. There's no evidence yet that debit card PINs had been compromised, the company said, though it is still figuring out the scope and scale of the attacks. Home Depot is offering a free year of identity protection services for anyone who used a payment card in one of their stores since the beginning of April.

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>