Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.
Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and learn more about it. Thanks for reading, and for making the site better!
nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."
First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."
An anonymous reader writes "Recently my boss has asked me about the advantages of Linux as a desktop operating system and if it would be a good idea to install it instead of upgrading to Windows 7 or 8. About ten boxes here are still running Windows XP and would be too old to upgrade to any newer version of Windows. He knows that i am using Linux at work on quite outdated hardware (would have gotten a new PC but never requested new hardware — Linux Mint x64 runs quite well on it) and i always managed to get my stuff done with it. I explained to him that there are no licensing issues with Linux, there is no anti-virus software to deal with and that Linux is generally a bit more efficient on old hardware than operating systems from Microsoft. The boss seems interested." But that's not quite the end; read on for this reader's question.
itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
New submitter raides (881987) writes "Theo De Raadt has been on a better roll as of late. Since his rant about FreeBSD playing catch up, he has something to say about OpenSSL. It is worth the 5 second read because it is how a few thousand of us feel about the whole thing and the stupidity that caused this panic." Update: 04/10 15:20 GMT by U L : Reader badger.foo pointed out Ted Unangst (the Ted in the mailing list post) wrote two posts on the issue: "heartbleed vs malloc.conf and "analysis of openssl freelist reuse" for those seeking more detail.
alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on tax payer information, it said."
mpicpp (3454017) writes in with news about accusations from Cuban officials about a spamming campaign against the country by the U.S.. "Cuban officials have accused the U.S. government of bizarre plots over the years, such as trying to kill Fidel Castro with exploding cigars. On Wednesday, they said Washington is using a new weapon against the island: spam. 'It's overloading the networks, which creates bad service and affects our customers,' said Daniel Ramos Fernandez, chief of security operations at the Cuban government-run telecommunications company ETECSA. At a news conference Wednesday, Cuban officials said text messaging platforms run by the U.S. government threatened to overwhelm Cuba's creaky communications system and violated international conventions against junk messages. The spam, officials claim, comes in the form of a barrage of unwanted text messages, some political in nature. Ramos said that during a 2009 concert in Havana performed by the Colombian pop-star Juanes, a U.S. government program blanketed Cuban cell phone networks with around 300,000 text messages over about five hours."
itwbennett (1594911) writes "Intel and SGI have built a proof-of-concept supercomputer that's kept cool using a fluid developed by 3M called Novec that is already used in fire suppression systems. The technology, which could replace fans and eliminate the need to use tons of municipal water to cool data centers, has the potential to slash data-center energy bills by more than 90 percent, said Michael Patterson, senior power and thermal architect at Intel. But there are several challenges, including the need to design new motherboards and servers."
An anonymous reader writes "Since the announcement malicious actors have been leaking software library data and using one of the several provided PoC codes to attack the massive amount of services available on the internet. One of the more complicated issues is that the OpenSSL patches were not in-line with the upstream of large Linux flavors. We have had a opportunity to review the behavior of the exploit and have come up with the following IDS signatures to be deployed for detection."
Hugh Pickens DOT Com writes: "The Guardian reports that according to Edward Snowden, the NSA has spied on the staff of prominent human rights organizations like Amnesty International and Human Rights Watch. 'The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organizations including domestically within the borders of the United States.' Snowden, addressing the Council of Europe in Strasbourg, said he did not believe the NSA was engaged in 'nightmare scenarios,' such as the active compilation of a list of homosexuals 'to round them up and send them into camps.' But he did say that the infrastructure allowing this to happen had been built.
Snowden made clear that he believed in legitimate intelligence operations but said the NSA should abandon its electronic surveillance of entire civilian populations. Instead, Snowden said, it should go back to the traditional model of eavesdropping against specific targets, such as 'North Korea, terrorists, cyber-actors, or anyone else.' Snowden also urged members of the Council of Europe to encrypt their personal communications and said that encryption, used properly, could still withstand 'brute force attacks' from powerful spy agencies and others. 'Properly implemented algorithms backed up by truly random keys of significant length all require more energy to decrypt than exists in the universe.'"
DroidJason1 (3589319) writes "Microsoft has released the highly anticipated Windows 8.1 Update, adding numerous improvements for non-touch consumers based on feedback. It is also a required update for Windows 8.1, otherwise consumers will no get any future security updates after May 2014. Most of the changes in the update are designed to appease non-touch users, with options to show apps on the desktop taskbar, the ability to see show the taskbar above apps, and a new title bar at the top of apps with options to minimize, close, or snap apps."
wesbascas (2475022) writes "This morning, AMD unveiled its latest flagship graphics board: the $1,500, liquid-cooled, dual-GPU Radeon R9 295X2. With a pair of Hawaii GPUs that power the company's top-end single-GPU Radeon R9 290X, the new board is sure to make waves at price points that Nvidia currently dominates. In gaming benchmarks, the R9 295X2 performs pretty much in line with a pair of R9 290X cards in CrossFire. However, the R9 295X2 uses specially-binned GPUs which enable the card to run with less power than a duo of the single-GPU cards. Plus, thanks to the closed-loop liquid cooler, the R9 295X doesn't succumb to the nasty throttling issues present on the R9 290X, nor its noisy solution."
Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012." Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.
First time accepted submitter ControlsGeek (156589) writes "The Raspberry Pi Foundation has developed a new product. It is basically a Raspberry Pi model A processor, memory, and flash memory on a DDR2-style SODIMM connector. Also available will be a development board that breaks out all the internal connections. The board design will be open sourced so you can develop your own devices using the BCM2835 processor. No network, but support for 2 HDMI displays and 2 cameras, so 3D TV is a possibility.
An anonymous reader writes "Despite whispers of growing dissatisfaction among consumers, there are still very few ISP start-ups popping up in communities all over the U.S. There are two main reasons for this: up-front costs and legal obstacles. The first reason discourages anyone who doesn't have Google's investors or the local government financially supporting them from even getting a toe in the business. 'Financial analysts last year estimated that Google had to spend $84 million to build a fiber network that passed 149,000 homes in Kansas City, with the cost per home at $500 to $674.' The second reason will keep any new start-up defending itself in court against frivolous lawsuits incumbent ISP providers have been known to file to bleed the newcomers dry in legal fees. There are also ISP lobbyists working to pass laws that prevent local governments from either entering the ISP market themselves or partnering with private companies to provide ISP alternatives. Given these set-backs and growing dissatisfaction with the status quo, one has to wonder how long before the U.S. recognizes the internet as a utility and passes laws and regulations accordingly."
jaa101 (627731) writes "The owner of a drone which fell and reportedly hit an athlete competing in a triathlon in Western Australia's Mid West has said he believes the device was 'hacked' into." From the article: "Mr Abrams said an initial investigation had indicted that someone nearby "channel hopped" the device, taking control away from the operator. ... Mr Abrams said it was a deliberate act and it would be difficult to determine who was responsible as something as common as a mobile phone could be used to perform a channel hop. The videographer added that there had been a similar incident when the drone was flown earlier in the day."
NicknamesAreStupid (1040118) writes "As Whoever57 pointed out, there are some who will still get support for Microsoft Windows XP — the 'haves'. However, most will be the 'have nots.' Anytime you have such market imbalance, there is opportunity. Since Microsoft clearly intends to create a disparity, there will certainly be those who defy it. What will Microsoft do to prevent bootleg patches of XP from being sold to the unwashed masses? How will they stop China from supporting 100 million bootleg XP users? And how easily will it be to crack Microsoft's controls? How big will the Windows XP patch market be?" There are a lot of businesses still on Windows XP; if you work for one of them, will the official end of life spur actually cause you to upgrade? (And if so, to what?)
rjmarvin (3001897) writes "Researchers at the U.K.'s Lancaster University have reimagined the fundamental logic behind encryption, stumbling across a radically new way to encrypt data while creating software models to simulate how the human heart and lungs coordinate rhythms. The encryption method published in the American Physical Society journal and filed as a patent entitled 'Encoding Data Using Dynamic System Coupling,' transmits and receive multiple encrypted signals simultaneously, creating an unlimited number of possibilities for the shared encryption key and making it virtually impossible to decrypt using traditional methods. One of the researchers, Peter McClintock, called the encryption scheme 'nearly unbreakable.'
According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.
An anonymous reader writes "Linux kernel developers are currently evaluating the possibility of using QR codes to display kernel oops/panic messages. Right now a lot of text is dumped to the screen when a kernel oops occurs, most of which isn't easily archivable by normal Linux end-users. With QR codes as Linux oops messages, a smart-phone could capture the display and either report the error string or redirect them to an error page on Kernel.org. The idea of using QR codes within the Linux kernel is still being discussed by upstream developers."
An anonymous reader writes "I am a new Linux user; I'm on 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user friendly firewall that I can set up that lets me do these things:1) set up a default deny rule 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt. 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things:1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I weren't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make firestarter or GUFW do what I need?"
An anonymous reader writes "Since Edward Snowden started making NSA files public last year, GSMK has seen a jump in sales. There are more than 100,000 CryptoPhones in use today. How secure they really are will be determined in the future. But I'm sure that some government agencies, not just in the U.S., are very interested in getting a list of users." For the price the company's charging for a modified Galaxy S3, it had better be as secure as they claim; otherwise, the free and open source RedPhone from Moxie Marlinspike's Whisper Systems seems like something to think about first.
An anonymous reader writes "Microsoft [Thursday] announced a change to how it handles adware, a form of malware that pushes unwanted advertisements to the user. As of July 1, the company's security products will immediately stop any adware they detect and notify the user, who can then restore the program if they wish. Currently, when any of Microsoft's security products (including Microsoft Security Essentials and Microsoft Forefront) detects a program as adware, it will alert the user and offer them a recommended action. If the user doesn't do anything, the security product will let the program continue to run until the user makes a decision." If adware is malware, why wait until July?
whoever57 (658626) writes "The UK Government has signed a contract worth £5.5M (almost $9M) for extended support and security updates for Windows XP for 12 months after April 8. The deal covers XP, Exchange 2003 and Office 2003 for users in central and local government, schools and the National Health Service. The NHS is in need of this deal because it was estimated last September that 85% of the NHS's 800,000 computers were running XP."
mspohr (589790) writes with this news from the BBC: "The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software. 'We went from zero to total compromise,' said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software which was first released to run on Windows 98 to monitor and control machinery in many large industrial installations. The researchers also explored other SCADA software: 'We ended up finding over 1,000 bugs in 100 days.'" The vulnerabilities reported are in Yokogawa's Centum CS 300 industrial control software.
fructose writes: "The Nest Protect has a flaw in its software that, under the right circumstances, could disable the alarm and not notify the owners of a fire. To remedy this flaw, they are disabling the Nest Wave feature through automatic updates. Owners who don't have their Nest Protects connected to their WiFi net or don't have a Nest account are suggested to either update the device manually or return it to Nest for a full refund. While they work out the problem, all sales are being halted to prevent unsafe units from being sold. There have been no reported incidents resulting from this flaw, but they aren't taking any chances."
chicksdaddy writes: "The pervasiveness of the NSA's spying operation has turned it into a kind of bugaboo — the monster lurking behind every locked networking closet and the invisible hand behind every flawed crypto implementation. Those inclined to don the tinfoil cap won't be reassured by Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP. (Video with time code.) Researchers at the time were working on just such a lightweight cryptosystem. On Stanford's campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described the functioning of a public key cryptography system. But they didn't yet have the algorithms to make it practical. (Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977). As it turns out, however, Cerf did have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren't they used? The crypto tools were part of a classified NSA project he was working on at Stanford in the mid 1970s to build a secure, classified Internet. 'At the time I couldn't share that with my friends,' Cerf said."
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
mask.of.sanity writes: "A security researcher says he has developed a method to score free flights across Europe by generating fake boarding passes designed for Apple's Passbook app. The 18-year-old computer science undergrad didn't reveal the 'bypass' which gets the holder of the fraudulent ticket past the last scanner and onto the jetway; he's saving that for his talk at Hack in the Box in Amsterdam next month."
atrader42 (687933) writes "Microsoft announced a new .NET compiler that compiles .NET code to native code using the C++ compiler backend. It produces performance like C++ while still enabling .NET features like garbage collection, generics, and reflection. Popular apps have been measured to start up to 60% faster and use 15% less memory. The preview currently only supports Windows Store applications, but is expected to apply to more .NET applications in the long term. A preview of the compiler is available for download now. (Caveat: I both work for MS and read Slashdot.)"
An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?."
MojoKid (1002251) writes "Today, Qualcomm is announcing full support for a new wireless transmission method that could significantly boost performance on crowded networks. The new standard, MU-MIMO (Multiple User — Multiple Input and Multiple Output) has a clunky name — but could make a significant difference to home network speeds and make gigabit WiFi a practical reality. MU-MIMO is part of the 802.11ac Release 2 standard, so this isn't just a custom, Qualcomm-only feature. In SU-MIMO mode, a wireless router creates time slices for every device it detects on the network. Every active device on the network slows down the total system bandwidth — the router has to pay attention to every device, and it can only pay attention to one phone, tablet, or laptop at a time. The difference between single-user and multi-user configurations is that where SU can only serve one client at a time and can therefore only allocate a fraction of total bandwidth to any given device, MU can create groups of devices and communicate with all three simultaneously."
An anonymous reader writes "In an unprecedented total disruption of a fully operational GNSS constellation, all satellites in the Russian GLONASS broadcast corrupt information for 11 hours, from just past midnight until noon Russian time (UTC+4), on April 2 (or 5 p.m. on April 1 to 4 a.m. April 2, U.S. Eastern time). This rendered the system completely unusable to all worldwide GLONASS receivers."
Lucas123 writes: "A presentation released today by Intel revealed images of the USB 3.1 Type-C cable and connectors, which is symmetrical and will no longer require a user to correctly orient the plug. Initially, the USB 3.1 Type-C specification will support up to 10Gbps data transfer speeds. The Type-C connectors resemble those of Apple's Thunderbolt cabling in that they are much smaller than today's USB SuperSpeed connectors. The receptacle opening is 8.3mm x 2.5mm.The first iteration will have a 5 volt power transfer rate, but it is expected to deliver up to 100 watts for higher power applications in the future."
benrothke (2577567) writes "When it comes to documenting the history of cryptography, David Kahn is singularly one of the finest, if not the finest writers in that domain. For anyone with an interest in the topic, Kahn's works are read in detail and anticipated. His first book was written almost 50 years ago: The Codebreakers – The Story of Secret Writing; which was a comprehensive overview on the history of cryptography. Other titles of his include Seizing the Enigma: The Race to Break the German U-Boats Codes, 1939-1943. The Codebreakers was so good and so groundbreaking, that some in the US intelligence community wanted the book banned. They did not bear a grudge, as Kahn became an NSA scholar-in-residence in the mid 1990's. With such a pedigree, many were looking forward, including myself, to his latest book How I Discovered World War IIs Greatest Spy and Other Stories of Intelligence and Code. While the entire book is fascinating, it is somewhat disingenuous, in that there is no new material in it. Many of the articles are decades old, and some go back to the late 1970's. From the book description and cover, one would get the impression that this is an all new work. But it is not until ones reads the preface, that it is detailed that the book is simple an assemblage of collected articles." Keep reading for the rest of Ben's review.
Chester Wisniewski's nakedsecurity describes Wisniewski's specialty thus: "He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics." So he's obviously someone who might know a little about preventing future Target-style security debacles. We've also interviewed tech journalist Wayne Rash about this topic, and will probably interview another security expert or two. Many Slashdot users may find all this credit card security talk boring, but for those who handle security matters for a living, especially for retailers, it's vital information. So here's Tim Lord talking with Chet, who is a recognized security expert for Sophos, one of the big dogs in the IT security field, when Chet was in Texas for the latest iteration of Security B-Sides in Austin. (Alternate video link.)
Nemo the Magnificent (2786867) writes "A friend of mine bought a Western Digital 'MyCloud' NAS server (non-RAID) a couple of weeks ago. WD implements the cloud service through its wd2go.com site. He reports that that site is down and has been since last Wednesday. No word on when it'll be back up. The only official announcements are daily repeats of this canned posting: 'Our My Cloud and My Book Live users are experiencing intermittent issues with WD servers that enable remote access when using these products. These issues include poor transfer speeds and/or inability to connect remotely. We sincerely apologize for this inconvenience and we are working very hard to resolve these issues and resume normal service as soon as possible. We thank you for your patience and will provide updates as they are available.'"
UnderAttack (311872) writes "The SANS Internet Storm Center got an interesting story about how some of the devices scanning its honeypot turned out to be infected DVRs. These DVRs are commonly used to record footage from security cameras, and likely got infected themselves due to weak default passwords (12345). Now they are being turned into bots (but weren't they bots before that?) and are used to scan for Synology Disk Stations who are vulnerable. In addition, these DVRs now also run a copy of a bitcoin miner. Interestingly, all of this malware is compiled for ARM CPUs, so this is not a case of standard x86 exploits that happen to hit an embedded system/device."
Rambo Tribble (1273454) writes "Reuters is reporting that the U.S. National Security Agency managed to have security firm RSA adopt not just one, but two security tools, further facilitating NSA eavesdropping on Internet communications. The newly discovered software is dubbed 'Extended Random', and is intended to facilitate the use of the already known 'Dual Elliptic Curve' encryption software's back door. Researchers from several U.S. universities discovered Extended Random and assert it could help crack Dual Elliptic Curve encrypted communications 'tens of thousands of times faster'."
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.
The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
darthcamaro (735685) writes "Red Hat's open source oVirt project hit a major milestone this week with the release of version 3.4. It's got improved storage handling so users can mix and match different resource types, though the big new feature is one that seems painfully obvious. For the first time oVirt users can have the oVirt Manager and oVirt VMs on the same physical machine. 'So, typically, customers deployed the oVirt engine on a physical machine or on a virtual machine that wasn't managed or monitored,' Scott Herold, principal product manager for Red Hat Enterprise Virtualization said. 'The oVirt 3.4 release adds the ability for oVirt to self-host its engine, including monitoring and recovery of the virtual machine.'" (Wikipedia describes oVirt as "a free platform virtualization management web application community project.")
dotancohen (1015143) writes "It is commonly said that open source software is preferable because if you need something changed, you can change it yourself. Well, I am not an Xorg developer and I cannot maintain a separate Xorg fork. Xorg version 1.13.1 introduced a bug which breaks the "Sticky Keys" accessibility option. Thus, handicapped users who rely on the feature cannot use Xorg-based systems with the affected versions and are stuck on older software versions. Though all pre-bug Linux distros are soon scheduled for retirement, there seems to be no fix in sight. Should disabled users stick with outdated, vulnerable, and unsupported Linux distros or should we move to OS-X / Windows?
The prospect of changing my OS, applications, and practices due to such an ostensibly small issue is frightening. Note that we are not discussing 'I don't like change' but rather 'this unintentional change is incompatible with my physical disability.' Thus this is not a case of every change breaks someone's workflow."
An anonymous reader writes "The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process. The settlements with the FTC don't include any monetary penalties, but both companies have been ordered to submit to independent security audits every other year for the next 20 years and to put together comprehensive security programs."
An anonymous reader writes "Security engineers from Google have found that 21 out of the top 25 news organizations have been targeted by cyberattacks that are likely state-sponsored. We've heard about some high profile attacks on news sites, but Google actively tracks the countries that are launching these attacks, and even hosts email services for many of the news organizations. 'Huntley said Chinese hackers recently gained access to a major Western news organization, which he declined to identify, via a fake questionnaire emailed to staff. Most such attacks involve carefully crafted emails carrying malware or directing users to a website crafted to trick them into giving up credentials. Marquis-Boire said that while such attacks were nothing new, their research showed that the number of attacks on media organizations and journalists that went unreported was significantly higher than those made public.'"
coondoggie writes "By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement: the Secret Service and Federal Bureau of Investigation. But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance? The agencies do the one thing companies don't do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and propriety information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk."
concertina226 (2447056) writes "Chinese authorities have detained a total of 1,530 suspects in a crackdown on spam SMS text messages being sent out by illegal telecoms equipment, according to Chinese news agency ECNS. Over 2,600 fake mobile base stations were seized and 24 sites manufacturing illegal telecoms equipment shut down as part of a massive nationwide operation involving nine central government and Communist Party of China departments. A report released by Trend Micro this month looked into the telecoms equipment black market in China (PDF) and found that cybercriminals routinely use either a GSM modem, an internet short message gateway and an SMS server to send out spam messages. On the underground market, SMS servers come in 'all-in-one' packages that include a laptop, a GSM mobile phone, an SMS server, an antenna to send out the fake signal and a USB cable, all for RMB 45,000 (£4,355)."
An anonymous reader writes "As most of us working in IT may know, Microsoft will stop supporting Windows XP on April 8th, 2014. Although this fact has been known for quite some time, XP is still relatively popular in companies and also enjoys noticeable marketshare for home users. Even ATMs are running XP and will continue to do so for some time. A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions. So what is the best way to secure this remaining Windows XP systems? Installing the latest security patches, checking firewall status and user permissions etc. should be fairly obvious, as Microsoft Security Essentials may also not receive updates anymore, changing antivirus programs seems a sensible thing to do."
mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt, which should have been random, used was the combination '123456', which was reported as last year's worst password." Complete with visual aids.
An anonymous reader writes "After hiring the lead Btrfs developers and Linux kernel block maintainers last year, Facebook is beginning trial deployments of Btrfs. Facebook will start using the next-generation file-system within their web-tier and they will be among the first major public deployments of Btrfs."
wiredmikey writes: "Russian government officials have swapped their iPads for Samsung tablets to ensure tighter security, the telecoms minister told news agencies on Wednesday. Journalists spotted that ministers at a cabinet meeting were no longer using Apple tablets, and minister Nikolai Nikiforov confirmed the changeover "took place not so long ago." He said the ministers' new Samsungs were "specially protected devices that can be used to work with confidential information." This isn't the first time Russian powers have had concerns over mobile. In August 2012, Russia unveiled a prototype tablet with its own "almost Android" mobile OS that has the remarkably familiar feel of an Android but with bolstered encryption. In an even more paranoid move, this past July a Russian state service in charge of safeguarding Kremlin communications was looking to purchase an array of old-fashioned typewriters to prevent leaks from computer hardware."