We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!
An anonymous reader writes with this announcement: "Ubuntu Linux version 14.04 LTS (code named "Trusty Tahr") has been released and available for download. This updated version includes the Linux kernel v3.13.0-24.46, Python 3.4, Xen 4.4, Libreoffice 4.2.3, MySQL 5.6/MariaDB 5.5, Apache 2.4, PHP 5.5, improvements to AppArmor allow more fine-grained control over application, and more. The latest release of Ubuntu Server is heavily focused on supporting cloud and scale-out computing platforms such as OpenStack, Docker, and more. As part of the wider Ubuntu 14.04 release efforts the Ubuntu Touch team is proud to make the latest and greatest touch experience available to our enthusiast users and developers. You can install Ubuntu on Nexus 4 Phone (mako), Nexus 7 (2013) Tablet (flo), and Nexus 10 Tablet (manta) by following these instructions. On a hardware front, ARM multiplatform support has been added, enabling you to build a single ARM kernel image that can boot across multiple hardware platforms. Additionally, the ARM64 and Power architectures are now fully supported. See detailed release notes for more information. A quick upgrade to a newer version of Ubuntu is possible over the network."
msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear."
An anonymous reader writes "Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals does not include only design flaws but also features in the devices themselves that could be of use to attackers. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."
According to PC Mag, a "19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data." That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.
Hugh Pickens DOT Com (2995471) writes "Chris Bowlby reports at BBC that medical research has been building up for a while now, suggesting constant sitting is harming our health — potentially causing cardiovascular problems or vulnerability to diabetes. Advocates of sit-stand desks say more standing would benefit not only health, but also workers' energy and creativity. Some big organizations and companies are beginning to look seriously at reducing 'prolonged sitting' among office workers. 'It's becoming more well known that long periods of sedentary behavior has an adverse effect on health,' says GE engineer Jonathan McGregor, 'so we're looking at bringing in standing desks.' The whole concept of sitting as the norm in workplaces is a recent innovation, points out Jeremy Myerson, professor of design at the Royal College of Art. 'If you look at the late 19th Century,' he says, Victorian clerks could stand at their desks and 'moved around a lot more'. 'It's possible to look back at the industrial office of the past 100 years or so as some kind of weird aberration in a 1,000-year continuum of work where we've always moved around.' What changed things in the 20th Century was 'Taylorism' — time and motion studies applied to office work. 'It's much easier to supervise and control people when they're sitting down,' says Myerson. What might finally change things is if the evidence becomes overwhelming, the health costs rise, and stopping employees from sitting too much becomes part of an employer's legal duty of care. 'If what we are creating are environments where people are not going to be terribly healthy and are suffering from diseases like cardiovascular disease and diabetes,' says Prof Alexi Marmot, a specialist on workplace design, 'it's highly unlikely the organization benefits in any way.'"
thundergeek (808819) writes "I am the sole sysadmin for nearly 50 servers (win/linux) across several contracts. Now a Change Advisory Board (CAB) is wanting to manage every patch that will be installed on the OS and approve/disapprove for testing on the development network. Once tested and verified, all changes will then need to be approved for production. Windows servers aren't always the best for informing admin exactly what is being 'patched' on the OS, and the frequency of updates will make my efficiency take a nose dive. Now I'll have to track each KB, RHSA, directives and any other 3rd party updates, submit a lengthy report outlining each patch being applied, and then sit back and wait for approval. What should I use/do to track what I will be installing? Is there already a product out there that will make my life a little less stressful on the admin side? Does anyone else have to go toe-to-toe with a CAB? How do you handle your patch approval process?"
An anonymous reader writes "Python guru Jeff Knupp writes about his frustration with the so-called 'DevOps' movement, an effort to blend development jobs with operations positions. It's an artifact of startup culture, and while it might make sense when you only have a few employees and a focus on simply getting it running rather than getting it running right, Knupp feels it has no place in bigger, more established companies. He says, 'Somewhere along the way, however, we tricked ourselves into thinking that because, at any one time, a start-up developer had to take on different roles he or she should actually be all those things at once. If such people even existed, "full-stack" developers still wouldn't be used as they should. Rather than temporarily taking on a single role for a short period of time, then transitioning into the next role, they are meant to be performing all the roles, all the time. And here's what really sucks: most good developers can almost pull this off.' Knupp adds, 'The effect of all of this is to destroy the role of "developer" and replace it with a sort of "technology utility-player". Every developer I know got into programming because they actually enjoyed doing it (at one point). You do a disservice to everyone involved when you force your brightest people to take on additional roles.'"
jammag writes: "Heartbleed has dealt a blow to the image of free and open source software. In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily. As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.' Many users of proprietary software, tired of FOSS's continual claims of superior security, welcome the idea that Heartbleed has punctured FOSS's pretensions. But is that what has happened?"
Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."
Hugh Pickens DOT Com writes: "When Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. Now Klint Finley reports that Snowden also used The Amnesic Incognito Live System (Tails) to keep his communications out of the NSA's prying eyes. Tails is a kind of computer-in-a-box using a version of the Linux operating system optimized for anonymity that you install on a DVD or USB drive, boot your computer from and you're pretty close to anonymous on the internet. 'Snowden, Greenwald and their collaborator, documentary film maker Laura Poitras, used it because, by design, Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'
The developers of Tails are, appropriately, anonymous. They're protecting their identities, in part, to help protect the code from government interference. 'The NSA has been pressuring free software projects and developers in various ways,' the group says. But since we don't know who wrote Tails, how do we know it isn't some government plot designed to snare activists or criminals? A couple of ways, actually. One of the Snowden leaks show the NSA complaining about Tails in a Power Point Slide; if it's bad for the NSA, it's safe to say it's good for privacy. And all of the Tails code is open source, so it can be inspected by anyone worried about foul play. 'With Tails,' say the distro developers, 'we provide a tongue and a pen protected by state-of-the-art cryptography to guarantee basic human rights and allow journalists worldwide to work and communicate freely and without fear of reprisal.'"
An anonymous reader writes "Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done. How secure the language might be is simply an afterthought, which is usually too late. A new WhiteHat Security report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications."
First time accepted submitter Iarwain Ben-adar (2393286) writes "The OpenBSD has started a cleanup of their in-tree OpenSSL library. Improvements include removing "exploit mitigation countermeasures", fixing bugs, removal of questionable entropy additions, and many more. If you support the effort of these guys who are responsible for the venerable OpenSSH library, consider a donation to the OpenBSD Foundation. Maybe someday we'll see a 'portable' version of this new OpenSSL fork. Or not."
snydeq (1272828) writes "Microsoft TechNet blog makes clear that Windows 8.1 will not be patched, and that users must get Windows 8.1 Update if they want security patches, InfoWorld's Woody Leonhard reports. 'In what is surely the most customer-antagonistic move of the new Windows regime, Steve Thomas at Microsoft posted a TechNet article on Saturday stating categorically that Microsoft will no longer issue security patches for Windows 8.1, starting in May,' Leonhard writes. 'Never mind that Windows 8.1 customers are still having multiple problems with errors when trying to install the Update. At this point, there are 300 posts on the Microsoft Answers forum thread 'Windows 8.1 Update 1 Failing to Install with errors 0x80070020, 80073712 and 800F081F.' The Answers forum is peppered with similar complaints and a wide range of errors, from 800F0092 to 80070003, for which there are no solutions from Microsoft. Never mind that Microsoft itself yanked Windows 8.1 Update from the corporate WSUS update server chute almost a week ago and still hasn't offered a replacement.'"
msm1267 (2804139) writes "A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released today (PDF) by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.
The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly."
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."
dcblogs (1096431) writes "A study of New York City's tech workforce found that 44% of jobs in the city's 'tech ecosystem,' or 128,000 jobs, 'are accessible' to people without a Bachelor's degree. This eco-system includes both tech specific jobs and those jobs supported by tech. For instance, a technology specific job that doesn't require a Bachelor's degree might be a computer user support specialist, earning $28.80 an hour, according to this study. Tech industry jobs that do not require a four-year degree and may only need on-the-job training include customer services representatives, at $18.50 an hour, telecom line installer, $37.60 an hour, and sales representatives, $33.60 an hour. The study did not look at 'who is actually sitting in those jobs and whether people are under-employed,' said Kate Wittels, a director at HR&A Advisors, a real-estate and economic-development consulting firm, and report author.. Many people in the 'accessible' non-degree jobs may indeed have degrees. For instance. About 75% of the 25 employees who work at New York Computer Help in Manhattan have a Bachelor's degree. Of those with Bachelor's degrees, about half have IT-related degrees."
SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."
Billly Gates (198444) writes "It was reported when heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudfare launched the heartbleed challenge on a new server with the openSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CA's revoke all the old keys and certificates."
coondoggie (973519) writes "The US Department of Justice charged nine members of a group that used Zeus malware to infect thousands of business computers and illegally siphon-off millions of dollars into over-seas bank accounts. The DoJ said an indictment was unsealed in connection with the arraignment this week at the federal courthouse in Lincoln, Neb., of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36. Konovalenko and Kulibaba were recently extradited from the United Kingdom."
An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.
An anonymous reader writes "The Linux 3.15 kernel now in its early life will be able to suspend and resume much faster than previous versions of the Linux kernel. A few days ago we saw ACPI and Power Management updates that enable asynchronous threads for more suspend and resume callbacks. Carrying out more async operations leads to reduced time for the system suspend and then resuming. According to one developer, it was about an 80% time savings within one of the phases. On Friday, work was merged that ensured the kernel is no longer blocked by waiting for ATA devices to resume. Multiple ATA devices can be woken up simultaneously, and any ATA commands for the device(s) will be queued until they have powered up. According to an 01.org blog post on the ATA/SCSI resume optimization patches, when tested on three Intel Linux systems the resume time was between 7x and 12x faster (not including the latest ACPI/PM S&R optimizations)."
alphadogg (971356) writes "There's a new sign on the door to Courtroom 5 at the federal courthouse in San Jose, the home to the Apple v. Samsung battle that's playing out this month: 'Please turn off all cell phones.' For a trial that centers on smartphones and the technology they use, it's more than a little ironic. The entire case might not even be taking place if the market wasn't so big and important, but the constant need for connectivity of everyone is causing problems in the court, hence the new sign. The problems have centered on the system that displays the court reporter's real-time transcription onto monitors on the desks of Judge Lucy Koh, the presiding judge in the case, and the lawyers of Apple and Samsung. The system, it seems, is connected via Wi-Fi and that connection keeps failing."
cartechboy (2660665) writes "GM said it has placed two engineers on paid leave in connection with its massive recall probe of 2 million vehicles. Now, GM is asking NASA to advise on whether those cars are safe to drive even with the ignition key alone. Significantly, individual engineers now have their names in print and face a raft of inquiries what they did or didn't know, did or didn't do, and when. A vulnerability for GM: One engineer may have tried to re-engineer the faulty ignition switch without changing the part number—an unheard-of practice in the industry. Is it a good thing that people who engineer for a living can now get their names on national news for parts designed 10 years ago? The next time your mail goes down, should we know the name of the guy whose code flaw may have caused that?"
squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.
An anonymous reader writes "The Associated Press reports that Pacific Gas & Electric Co. has put up a $250,000 reward for 'information leading to an arrest and conviction in a startling attack mounted nearly a year ago on telephone lines and the power grid in Silicon Valley.' Besides cutting power lines, the attackers also cut AT&T fiber-optic phone lines, thereby denying some people access to 911, and fired shots into a PB&E substation, knocking out 17 transformers in Silicon Valley and causing $15 million in damage. As of this post, the perpetrators are still unidentified and continue to elude the FBI. Meanwhile, the Federal Energy Regulatory Commission (FERC) on Thursday was brought before the Senate Energy Committee to explain why the FERC disseminated via insecure media a sensitive document describing where all the nation's power grids are particularly sensitive to a physical attack. FERC responded with assurances that databases are currently being scrubbed and procedures being implemented to safeguard critical data."
An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"
jfruh writes: "Being a Unix or Linux admin tends to be an odd kind of job: you often spend much of your workday on your own, with lots of time when you don't have a specific pressing task, punctuated by moments of panic where you need to do something very important right away. Sandra Henry-Stocker, a veteran sysadmin, offers suggestions on how to structure your professional life if you're in this job. Her advice includes setting priorities, knowing your tools, and providing explanations to the co-workers whom you help." What habits have you found effective for system administration?
nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."
First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."
An anonymous reader writes "Recently my boss has asked me about the advantages of Linux as a desktop operating system and if it would be a good idea to install it instead of upgrading to Windows 7 or 8. About ten boxes here are still running Windows XP and would be too old to upgrade to any newer version of Windows. He knows that i am using Linux at work on quite outdated hardware (would have gotten a new PC but never requested new hardware — Linux Mint x64 runs quite well on it) and i always managed to get my stuff done with it. I explained to him that there are no licensing issues with Linux, there is no anti-virus software to deal with and that Linux is generally a bit more efficient on old hardware than operating systems from Microsoft. The boss seems interested." But that's not quite the end; read on for this reader's question.
itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
New submitter raides (881987) writes "Theo De Raadt has been on a better roll as of late. Since his rant about FreeBSD playing catch up, he has something to say about OpenSSL. It is worth the 5 second read because it is how a few thousand of us feel about the whole thing and the stupidity that caused this panic." Update: 04/10 15:20 GMT by U L : Reader badger.foo pointed out Ted Unangst (the Ted in the mailing list post) wrote two posts on the issue: "heartbleed vs malloc.conf and "analysis of openssl freelist reuse" for those seeking more detail.
alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on tax payer information, it said."
mpicpp (3454017) writes in with news about accusations from Cuban officials about a spamming campaign against the country by the U.S.. "Cuban officials have accused the U.S. government of bizarre plots over the years, such as trying to kill Fidel Castro with exploding cigars. On Wednesday, they said Washington is using a new weapon against the island: spam. 'It's overloading the networks, which creates bad service and affects our customers,' said Daniel Ramos Fernandez, chief of security operations at the Cuban government-run telecommunications company ETECSA. At a news conference Wednesday, Cuban officials said text messaging platforms run by the U.S. government threatened to overwhelm Cuba's creaky communications system and violated international conventions against junk messages. The spam, officials claim, comes in the form of a barrage of unwanted text messages, some political in nature. Ramos said that during a 2009 concert in Havana performed by the Colombian pop-star Juanes, a U.S. government program blanketed Cuban cell phone networks with around 300,000 text messages over about five hours."
itwbennett (1594911) writes "Intel and SGI have built a proof-of-concept supercomputer that's kept cool using a fluid developed by 3M called Novec that is already used in fire suppression systems. The technology, which could replace fans and eliminate the need to use tons of municipal water to cool data centers, has the potential to slash data-center energy bills by more than 90 percent, said Michael Patterson, senior power and thermal architect at Intel. But there are several challenges, including the need to design new motherboards and servers."
An anonymous reader writes "Since the announcement malicious actors have been leaking software library data and using one of the several provided PoC codes to attack the massive amount of services available on the internet. One of the more complicated issues is that the OpenSSL patches were not in-line with the upstream of large Linux flavors. We have had a opportunity to review the behavior of the exploit and have come up with the following IDS signatures to be deployed for detection."
Hugh Pickens DOT Com writes: "The Guardian reports that according to Edward Snowden, the NSA has spied on the staff of prominent human rights organizations like Amnesty International and Human Rights Watch. 'The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organizations including domestically within the borders of the United States.' Snowden, addressing the Council of Europe in Strasbourg, said he did not believe the NSA was engaged in 'nightmare scenarios,' such as the active compilation of a list of homosexuals 'to round them up and send them into camps.' But he did say that the infrastructure allowing this to happen had been built.
Snowden made clear that he believed in legitimate intelligence operations but said the NSA should abandon its electronic surveillance of entire civilian populations. Instead, Snowden said, it should go back to the traditional model of eavesdropping against specific targets, such as 'North Korea, terrorists, cyber-actors, or anyone else.' Snowden also urged members of the Council of Europe to encrypt their personal communications and said that encryption, used properly, could still withstand 'brute force attacks' from powerful spy agencies and others. 'Properly implemented algorithms backed up by truly random keys of significant length all require more energy to decrypt than exists in the universe.'"
DroidJason1 (3589319) writes "Microsoft has released the highly anticipated Windows 8.1 Update, adding numerous improvements for non-touch consumers based on feedback. It is also a required update for Windows 8.1, otherwise consumers will no get any future security updates after May 2014. Most of the changes in the update are designed to appease non-touch users, with options to show apps on the desktop taskbar, the ability to see show the taskbar above apps, and a new title bar at the top of apps with options to minimize, close, or snap apps."
wesbascas (2475022) writes "This morning, AMD unveiled its latest flagship graphics board: the $1,500, liquid-cooled, dual-GPU Radeon R9 295X2. With a pair of Hawaii GPUs that power the company's top-end single-GPU Radeon R9 290X, the new board is sure to make waves at price points that Nvidia currently dominates. In gaming benchmarks, the R9 295X2 performs pretty much in line with a pair of R9 290X cards in CrossFire. However, the R9 295X2 uses specially-binned GPUs which enable the card to run with less power than a duo of the single-GPU cards. Plus, thanks to the closed-loop liquid cooler, the R9 295X doesn't succumb to the nasty throttling issues present on the R9 290X, nor its noisy solution."
Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012." Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.
First time accepted submitter ControlsGeek (156589) writes "The Raspberry Pi Foundation has developed a new product. It is basically a Raspberry Pi model A processor, memory, and flash memory on a DDR2-style SODIMM connector. Also available will be a development board that breaks out all the internal connections. The board design will be open sourced so you can develop your own devices using the BCM2835 processor. No network, but support for 2 HDMI displays and 2 cameras, so 3D TV is a possibility.
An anonymous reader writes "Despite whispers of growing dissatisfaction among consumers, there are still very few ISP start-ups popping up in communities all over the U.S. There are two main reasons for this: up-front costs and legal obstacles. The first reason discourages anyone who doesn't have Google's investors or the local government financially supporting them from even getting a toe in the business. 'Financial analysts last year estimated that Google had to spend $84 million to build a fiber network that passed 149,000 homes in Kansas City, with the cost per home at $500 to $674.' The second reason will keep any new start-up defending itself in court against frivolous lawsuits incumbent ISP providers have been known to file to bleed the newcomers dry in legal fees. There are also ISP lobbyists working to pass laws that prevent local governments from either entering the ISP market themselves or partnering with private companies to provide ISP alternatives. Given these set-backs and growing dissatisfaction with the status quo, one has to wonder how long before the U.S. recognizes the internet as a utility and passes laws and regulations accordingly."
jaa101 (627731) writes "The owner of a drone which fell and reportedly hit an athlete competing in a triathlon in Western Australia's Mid West has said he believes the device was 'hacked' into." From the article: "Mr Abrams said an initial investigation had indicted that someone nearby "channel hopped" the device, taking control away from the operator. ... Mr Abrams said it was a deliberate act and it would be difficult to determine who was responsible as something as common as a mobile phone could be used to perform a channel hop. The videographer added that there had been a similar incident when the drone was flown earlier in the day."
NicknamesAreStupid (1040118) writes "As Whoever57 pointed out, there are some who will still get support for Microsoft Windows XP — the 'haves'. However, most will be the 'have nots.' Anytime you have such market imbalance, there is opportunity. Since Microsoft clearly intends to create a disparity, there will certainly be those who defy it. What will Microsoft do to prevent bootleg patches of XP from being sold to the unwashed masses? How will they stop China from supporting 100 million bootleg XP users? And how easily will it be to crack Microsoft's controls? How big will the Windows XP patch market be?" There are a lot of businesses still on Windows XP; if you work for one of them, will the official end of life spur actually cause you to upgrade? (And if so, to what?)
rjmarvin (3001897) writes "Researchers at the U.K.'s Lancaster University have reimagined the fundamental logic behind encryption, stumbling across a radically new way to encrypt data while creating software models to simulate how the human heart and lungs coordinate rhythms. The encryption method published in the American Physical Society journal and filed as a patent entitled 'Encoding Data Using Dynamic System Coupling,' transmits and receive multiple encrypted signals simultaneously, creating an unlimited number of possibilities for the shared encryption key and making it virtually impossible to decrypt using traditional methods. One of the researchers, Peter McClintock, called the encryption scheme 'nearly unbreakable.'
According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.
An anonymous reader writes "Linux kernel developers are currently evaluating the possibility of using QR codes to display kernel oops/panic messages. Right now a lot of text is dumped to the screen when a kernel oops occurs, most of which isn't easily archivable by normal Linux end-users. With QR codes as Linux oops messages, a smart-phone could capture the display and either report the error string or redirect them to an error page on Kernel.org. The idea of using QR codes within the Linux kernel is still being discussed by upstream developers."
An anonymous reader writes "I am a new Linux user; I'm on 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user friendly firewall that I can set up that lets me do these things:1) set up a default deny rule 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt. 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things:1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I weren't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make firestarter or GUFW do what I need?"
An anonymous reader writes "Since Edward Snowden started making NSA files public last year, GSMK has seen a jump in sales. There are more than 100,000 CryptoPhones in use today. How secure they really are will be determined in the future. But I'm sure that some government agencies, not just in the U.S., are very interested in getting a list of users." For the price the company's charging for a modified Galaxy S3, it had better be as secure as they claim; otherwise, the free and open source RedPhone from Moxie Marlinspike's Whisper Systems seems like something to think about first.
An anonymous reader writes "Microsoft [Thursday] announced a change to how it handles adware, a form of malware that pushes unwanted advertisements to the user. As of July 1, the company's security products will immediately stop any adware they detect and notify the user, who can then restore the program if they wish. Currently, when any of Microsoft's security products (including Microsoft Security Essentials and Microsoft Forefront) detects a program as adware, it will alert the user and offer them a recommended action. If the user doesn't do anything, the security product will let the program continue to run until the user makes a decision." If adware is malware, why wait until July?