×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Anonymous' Airchat Aim: Communication Without Need For Phone Or Internet

timothy posted 10 hours ago | from the turn-down-your-volume-before-clicking dept.

147

concertina226 (2447056) writes "Online hacktivist collective Anonymous has announced that it is working on a new tool called Airchat which could allow people to communicate without the need for a phone or an internet connection — using radio waves instead. Anonymous, the amorphous group best known for attacking high profile targets like Sony and the CIA in recent years, said on the project's Github page: 'Airchat is a free communication tool [that] doesn't need internet infrastructure [or] a cell phone network. Instead it relies on any available radio link or device capable of transmitting audio.' Despite the Airchat system being highly involved and too complex for most people in its current form, Anonymous says it has so far used it to play interactive chess games with people at 180 miles away; share pictures and even established encrypted low bandwidth digital voice chats. In order to get Airchat to work, you will need to have a handheld radio transceiver, a laptop running either Windows, Mac OS X or Linux, and be able to install and run several pieces of complex software." And to cleanse yourself of the ads with autoplaying sound, you can visit the GitHub page itself.

OpenSSL: the New Face of Technology Monoculture

Soulskill posted yesterday | from the relied-upon-to-a-fault dept.

112

chicksdaddy writes: "In a now-famous 2003 essay, 'Cyberinsecurity: The Cost of Monopoly,' Dr. Dan Geer argued, persuasively, that Microsoft's operating system monopoly constituted a grave risk to the security of the United States and international security, as well. It was in the interest of the U.S. government and others to break Redmond's monopoly, or at least to lessen Microsoft's ability to 'lock in' customers and limit choice. The essay cost Geer his job at the security consulting firm AtStake, which then counted Microsoft as a major customer. These days Geer is the Chief Security Officer at In-Q-Tel, the CIA's venture capital arm. But he's no less vigilant of the dangers of software monocultures. In a post at the Lawfare blog, Geer is again warning about the dangers that come from an over-reliance on common platforms and code. His concern this time isn't proprietary software managed by Redmond, however, it's common, oft-reused hardware and software packages like the OpenSSL software at the heart (pun intended) of Heartbleed. 'The critical infrastructure's monoculture question was once centered on Microsoft Windows,' he writes. 'No more. The critical infrastructure's monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them.'"

Google Opens Up Street View Archives From 2007 To Today

Unknown Lamer posted yesterday | from the just-look-at-that-urban-decay dept.

24

mpicpp (3454017) writes with news that Google is publishing all Street View imagery back to 2007. Quoting Ars: "The feature hasn't rolled out to many accounts yet, but it looks like a small, draggable window will be added to the Street View interface. Just move the time slider around and you'll be able to jump through past images. Granted, Street View has only been around for a few years, so the archives only go back to 2007. A few of the events Google suggests browsing through are the building of One World Trade Center and the destruction and rebuilding of Onagawa, Japan after the 2011 earthquake. Besides being really cool, the move will save Google from having to choose a canonical Street View image for every location. If the current image is blacked-out or wrong in some way, you can just click back to the previous one."

How Silk Road Bounced Back From Its Multimillion-Dollar Hack

Soulskill posted 2 days ago | from the easy-come-easy-go dept.

48

Daniel_Stuckey writes: "Silk Road, the online marketplace notable for selling drugs and attempting to operate over Tor, was shut down last October. Its successor, Silk Road 2.0 survived for a few months before suffering a security breach. In total, an estimated $2.7 million worth of Bitcoin belonging to users and staff of the site was stolen. Some in the Silk Road community suspected that the hack might have involved staff members of the site itself, echoing scams on other sites. Project Black Flag closed down after its owner scampered with all of their customers' Bitcoin, and after that users of Sheep Marketplace had their funds stolen, in an incident that has never been conclusively proven as an inside job or otherwise. Many site owners would probably have given up at this point, and perhaps attempted to join another site, or start up a new one under a different alias. Why would you bother to pay back millions of dollars when you could just disappear into the digital ether? But Silk Road appears to be trying to rebuild, and to repay users' lost Bitcoins."

Apple Fixes Major SSL Bug In OS X, iOS

Soulskill posted 2 days ago | from the more-broken-security-stuff dept.

96

Trailrunner7 writes: "Apple has fixed a serious security flaw present in many versions of both iOS and OS X and could allow an attacker to intercept data on SSL connections. The bug is one of many the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OSX Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user's network, he might be able to intercept supposedly secure traffic or change the connection's properties."

NIST Removes Dual_EC_DRBG From Random Number Generator Recommendations

Soulskill posted 2 days ago | from the cryptic-announcement dept.

86

hypnosec writes: "National Institute of Standards and Technology (NIST) has removed the much-criticized Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) from its draft guidance on random number generators following a period of public comment and review. The revised document retains three of the four previously available options for generating pseudorandom bits required to create secure cryptographic keys for encrypting data. NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible."

Ask Slashdot: How Can We Create a Culture of Secure Behavior?

Soulskill posted 2 days ago | from the start-giving-$50-citations-for-bad-passwords dept.

168

An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"

Tech People Making $100k a Year On the Rise, Again

timothy posted 2 days ago | from the it-is-all-about-the-wilson dept.

191

Nerval's Lobster (2598977) writes "Last month, a report suggested that Austin has the highest salaries for tech workers (after factoring in the cost of living), followed by Atlanta, Denver, Boston, and Silicon Valley. Now, a new report (yes, from Dice, because it gathers this sort of data from tech workers) suggests that more tech people are earning six figures a year than ever. Some 32 percent of full-time tech pros took home more than $100,000 in 2013, according to the findings, up from 30 percent in 2012 and 26 percent in 2011. For contractors, the data is even better: In 2013, a staggering 54 percent of them earned more than $100,000 a year, up from 51 percent the previous year and 50 percent in 2011. How far that money goes depends on where you live, of course, but it does seem like a growing number of the world's tech workers are earning a significant amount of cash."

Not Just a Cleanup Any More: LibreSSL Project Announced

timothy posted 2 days ago | from the they'd-like-some-beer-money dept.

349

An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."

Our Education System Is Failing IT

Unknown Lamer posted 2 days ago | from the take-your-money-and-leave-you-dumb dept.

301

Nemo the Magnificent (2786867) writes "In this guy's opinion most IT workers can't think critically. They are incapable of diagnosing a problem, developing a possible solution, and implementing it. They also have little fundamental understanding of the businesses their employers are in, which is starting to get limiting as silos are collapsing within some corporations and IT workers are being called upon to participate in broader aspects of the business. Is that what you see where you are?"

Intentional Backdoor In Consumer Routers Found

Unknown Lamer posted 3 days ago | from the insecurity-through-idiocy dept.

234

New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..." Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."

Administration Ordered To Divulge Legal Basis For Killing Americans With Drones

samzenpus posted 3 days ago | from the reason-time dept.

309

An anonymous reader writes "In a claim brought by The New York Times and the ACLU, the Second US Circuit Court of Appeals has ruled that the administration must disclose the legal basis for targeting Americans with drones. From the article: 'Government officials from Obama on down have publicly commented on the program, but they claimed the Office of Legal Counsel's memo outlining the legal rationale about it was a national security secret. The appeals court, however, said on Monday that officials' comments about overseas drone attacks means the government has waived its secrecy argument. "After senior Government officials have assured the public that targeted killings are 'lawful' and that OLC advice 'establishes the legal boundaries within which we can operate,'" the appeals court said, "waiver of secrecy and privilege as to the legal analysis in the Memorandum has occurred" (PDF).'"

OpenSSL Cleanup: Hundreds of Commits In a Week

timothy posted 4 days ago | from the the-good-kind-of-competition dept.

374

New submitter CrAlt (3208) writes with this news snipped from BSD news stalwart undeadly.org: "After the news of heartbleed broke early last week, the OpenBSD team dove in and started axing it up into shape. Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls. ... All combined, there've been over 250 commits cleaning up OpenSSL. In one week.'" You can check out the stats, in progress.

Preventative Treatment For Heartbleed On Healthcare.gov

timothy posted 4 days ago | from the welcome-to-centralized-medicine-dot-gov dept.

80

As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though; the article goes on to immediately point out this does not mean that the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page." Also at The Verge

Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

timothy posted 5 days ago | from the bleeding-from-the-ears dept.

59

wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

"Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

California Utility May Replace IT Workers with H-1B Workers

Soulskill posted about a week ago | from the if-california-falls-into-the-ocean-would-that-count-as-offshoring dept.

220

dcblogs writes: "Southern California Edison is preparing to offshore IT jobs, the second major U.S. utility in the last year to do so. It will be cutting its staff, but it hasn't said by how much. The utility is using at least two offshore outsourcing firms, according to government records. SCE's management culture may be particularly primed for firing its IT workers. Following a workplace shooting in SCE's IT offices in 2011, the utility conducted an independent audit of its organizational and management culture. One observation in this report, which was completed a year later, was that 'employees perceive managers to be more concerned about how they 'look' from above, and less concerned about how they are viewed by their subordinates. This fosters an unhealthy culture and climate by sending a message to employees that it is more important to focus on how things look from the top than how they actually are down below.'"

Bug Bounties Don't Help If Bugs Never Run Out

Soulskill posted about a week ago | from the trying-to-bail-the-ocean dept.

235

Bennett Haselton writes: "I was an early advocate of companies offering cash prizes to researchers who found security holes in their products, so that the vulnerabilities can be fixed before the bad guys exploited them. I still believe that prize programs can make a product safer under certain conditions. But I had naively overlooked that under an alternate set of assumptions, you might find that not only do cash prizes not make the product any safer, but that nothing makes the product any safer — you might as well not bother fixing certain security holes at all, whether they were found through a prize program or not." Read on for the rest of Bennett's thoughts.

Heartbleed Sparks 'Responsible' Disclosure Debate

Soulskill posted about a week ago | from the arguing-about-ethics dept.

188

bennyboy64 writes: "IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed 'responsibly.' A number of selective leaks to Facebook, Akamai, and CloudFlare occurred prior to disclosure on April 7. A separate, informal pre-notification program run by Red Hat on behalf OpenSSL to Linux and Unix operating system distributions also occurred. But router manufacturers and VPN appliance makers Cisco and Juniper had no heads up. Nor did large web entities such as Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy, just to name a few. The Sydney Morning Herald has spoken to many people who think Google should've told OpenSSL as soon as it uncovered the critical OpenSSL bug in March, and not as late as it did on April 1. The National Cyber Security Centre Finland (NCSC-FI), which reported the bug to OpenSSL after Google, on April 7, which spurred the rushed public disclosure by OpenSSL, also thinks it was handled incorrectly. Jussi Eronen, of NCSC-FI, said Heartbleed should have continued to remain a secret and be shared only in security circles when OpenSSL received a second bug report from the Finnish cyber security center that it was passing on from security testing firm Codenomicon. 'This would have minimized the exposure to the vulnerability for end users,' Mr. Eronen said, adding that 'many websites would already have patched' by the time it was made public if this procedure was followed."

Ubuntu Linux 14.04 LTS Trusty Tahr Released

timothy posted about a week ago | from the what-in-tahr-nation dept.

177

An anonymous reader writes with this announcement: "Ubuntu Linux version 14.04 LTS (code named "Trusty Tahr") has been released and available for download. This updated version includes the Linux kernel v3.13.0-24.46, Python 3.4, Xen 4.4, Libreoffice 4.2.3, MySQL 5.6/MariaDB 5.5, Apache 2.4, PHP 5.5, improvements to AppArmor allow more fine-grained control over application, and more. The latest release of Ubuntu Server is heavily focused on supporting cloud and scale-out computing platforms such as OpenStack, Docker, and more. As part of the wider Ubuntu 14.04 release efforts the Ubuntu Touch team is proud to make the latest and greatest touch experience available to our enthusiast users and developers. You can install Ubuntu on Nexus 4 Phone (mako), Nexus 7 (2013) Tablet (flo), and Nexus 10 Tablet (manta) by following these instructions. On a hardware front, ARM multiplatform support has been added, enabling you to build a single ARM kernel image that can boot across multiple hardware platforms. Additionally, the ARM64 and Power architectures are now fully supported. See detailed release notes for more information. A quick upgrade to a newer version of Ubuntu is possible over the network."

Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...