wiredmikey (1824622) writes "Sony Pictures Entertainment has acquired the rights to the new book by journalist Glenn Greenwald about fugitive US intelligence leaker Edward Snowden, the studio said Wednesday. James Bond franchise producers Michael Wilson and Barbara Broccoli will make the movie version of 'No Place to Hide,' described as 'a political film that will resonate with today's moviegoers.' The book, subtitled 'Edward Snowden, the NSA and the US Surveillance State,' was just recently published in Britain by Hamish Hamilton and in the United States by Metropolitan Books."
An anonymous reader writes "BlackPhone was designed by Phil Zimmermann (inventor of PGP). The 4.7" display phone features a 2 GHz NVIDIA Tegra 4i ARM Cortex-A9 quad-core processor with 60 GPU cores, 1GB RAM and 16GB storage [more specs]. The OS is a customized version of Android called PrivatOS which offers encrypted calls, texts and emails that can't be unscrambled even by spy agencies. It also offers built-in resistance against malicious software which will be most welcomed for users worried about free Apps that are becoming increasingly invasive, if not pure data collection spyware for unknown 3rd parties. It's coming out this June, and many Fortune 50 companies have already ordered the phone to protect against industrial espionage."
Daniel_Stuckey (2647775) writes with news that we may soon learn which countries were sold the FinFisher malware package to spy on their own citizens. "The UK's High Court ruled yesterday that HM Revenue and Customs acted 'unlawfully' when it declined to detail how it was investigating the export of digital spy tools created by a British company. Human rights group Privacy International is celebrating the decision of Mr. Justice Green, which means HMRC now has to reconsider releasing information on its investigation into controls surrounding the export of malware known as FinFisher, created by British supplier Gamma International. The widespread FinFisher malware family, also known as FinSpy, can carry out a range of surveillance operations, from snooping on Skype and Facebook conversations to siphoning off emails or files sitting on a device. It is supposed to benefit law enforcement in their investigations, but has allegedly been found in various nations with poor human rights records, including Bahrain and Ethiopia."
wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'" The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."
chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."
Lucas123 writes: "The USB SuperSpeed+ spec (a.k.a. v3.1) offers up to 10Gbps throughput. Combine that with USB's new C-Type Connector, the specification for which is expected out in July, and users will have a symmetrical cable and plug just like Thunderbolt but that will enable up to 100 watts of power depending on the cable version. So where does that leave Thunderbolt, Intel's other hardware interconnect? According to some analysts, Thunderbolt withers or remains a niche technology supported almost exclusively by Apple. Even as Thunderbolt 2 offers twice the throughput (on paper) as USB 3.1, or up to 20Gbps, USB SuperSpeed+ is expected to scale past 40Gbps in coming years. 'USB's installed base is in the billions. Thunderbolt's biggest problem is a relatively small installed base, in the tens of millions. Adding a higher data throughput, and a more expensive option, is unlikely to change that,' said Brian O'Rourke, a principal analyst covering wired interfaces at IHS."
rastos1 sends in a report about a significant bug fix for the Linux kernel (CVE-2014-0196). "The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device. 'This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31),' Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. 'A bug this serious only comes out once every couple years.' ... While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said."
New submitter Drunkulus writes "Journalist Ira Winkler has an article about his personal run-in with the Syrian Electronic Army. While admitting that the SEA has succeeded in hijacking the Wall Street Journal's Twitter accounts and defacing the RSA conference website, he calls them immature, inept script kiddies in this Computerworld column. Quoting: 'These people purport to be servants of the genocidal dictator of Syria and came together to support him, but they wasted their hack on what amounted to cyberbullying. This is not behavior that the SEA's Syrian intelligence handlers would condone. The SEA wasted an opportunity to promote its message, while divulging previously unknown attack vectors. ... I don't think that sort of immaturity will go over well with the SEA's Syrian intelligence bosses. And that could have implications for the influence of the group in the future.'"
First time accepted submitter Dimetrodon (2714071) writes "It is an unspoken rule of military procurement that any IT or communications technology will invariably be years behind what is commercially available or technically hobbled to ensure security. One case in point is the uncomfortably backronymed NeRD, or Navy e-Reader Device, an electronic book so secure the 300 titles it holds can never be updated. Ever."
An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."
mask.of.sanity (1228908) writes "Criminals could potentially cause black-outs and mess with power grid configurations by exploiting flaws in a popular solar panel management system used by thousands of homes and businesses. The threat is substantial because, as the company boasts, its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out 566TWh of electrical energy."
First time accepted submitter stef2dotoh (3646393) writes "I've got about a year of computer science classes under my belt along with countless hours of independent online and tech book learning. I can put together a secure login-driven Web site using PHP and MySQL. (I have a personal project on GitHub and a personal Web site.) I really enjoyed my Web development class, so I've spent a lot of time honing those skills and trying to learn new technologies. I still have a ways to go, though. I've been designing Web sites for more than 10 years, writing basic PHP forms for about 5 or 6 years and only gotten seriously into PHP/MySQL the last 1 or 2 years on and off. I'm fluent with HTML and CSS, but I really like back-end development. I was hoping I might be able to get a job as a junior Web developer, but even those require 2+ years of experience and a list of technologies as long as my arm. Internships usually require students to be in their junior or senior year, so that doesn't seem to be an option for me. Recruiters are responding to my resume on various sites, but it's always for someone more experienced. Should I forget about trying to find a junior Web developer position after only one year of computer science classes?"
ClownP (1315157) writes in with this story about a hacker who did some of his work while aboard a nuclear aircraft carrier. "A former sailor assigned to a US nuclear aircraft carrier and another man have been charged with hacking the computer systems of 30 public and private organizations, including the US Navy, the Department of Homeland Security, AT&T, and Harvard University. Nicholas Paul Knight, 27, of Chantilly, VA, and Daniel Trenton Krueger, 20, of Salem, IL, were members of a crew that hacked protected computers as part of a scheme to steal personal identities and obstruct justice, according to a criminal complaint unsealed earlier this week in a US District Court in Tulsa, Oklahoma. The gang, which went by the name Team Digi7al, allegedly took to Twitter to boast of the intrusions and publicly disclose sensitive data that was taken. The hacking spree lasted from April 2012 to June 2013, prosecutors said."
An anonymous reader writes "An article on The Register talks about a demo that was given in London last month by NCC Group where they turned a modern TV into an audio bug. 'The devices contain microphones and cameras that can be utilized by applications — Skype and similar apps being good examples. The TV has a fairly large amount of storage, so would be able to hold more than 30 seconds of audio – we only captured short snippets for demonstration purposes. A more sophisticated attack could store more audio locally and only upload it at certain times, or could even stream it directly to a server, bypassing the need to use any of the device’s storage.' Given the Snowden revelations and what we've seen previously about older tech being deprecated, how can we protect ourselves with the modern devices (other than not connecting them to the Internet)?"
An anonymous reader writes "The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation. The agency reasons that criminal operations involving computers are becoming more complicated, and argues that its own capabilities need to scale up to match them. An ACLU attorney said, 'By expanding federal law enforcement's power to secretly exploit "zero-day" vulnerabilities in software and Internet platforms, the proposal threatens to weaken Internet security for all of us.' This is particularly relevant in the wake of Heartbleed — it's been unclear whether the U.S. government knew about it before everyone else did. This request suggests that the DOJ, at least, did not abuse it — but it sure looks like they would've wanted to. You can read their request starting on page 499 of this committee meeting schedule."
angry tapir (1463043) writes "The Australian government is eyeing the introduction of a government-wide content-management system, with the preferred choice almost certain to be Drupal. Government documents indicate that part of the appeal is that Drupal modules can be easily shared between government agencies and with the public."
First time accepted submitter ChelleChelle2 (2908449) writes "Edward Snowden's release of classified material exposing the existence of numerous global surveillance programs (obtained while working as an NSA contractor at Booz Allen Hamilton) has been referred to as 'the most damaging breach of secrets in U.S. history.' Regardless of whether one chooses to champion or condemn Snowden's actions, it is apparent that the NSA needs to dramatically rework its security measures. In this article Bob Toxen, renowned author of several books and articles on Linux Security, discusses the security practices that could have stopped Snowden. Equally interesting, he weighs in on the constitutionality and morality of the NSA's spying on all Americans."
An anonymous reader writes "Every month we submit status reports to upper management. On the infrastructure side, these reports tend to be 'Hey, we met our service level agreements ... again.' IT infrastructure is now a lot like the electric company. Nobody thanks the electric company when the lights come on, but they have plenty of colorful adjectives to describe them when the power is off.
What is the best way to construct a compelling story for upper management so they'll appreciate the hard work that an IT department does? They don't seem particularly impressed with functioning systems, because they expect functioning systems. The extensive effort to design and implement reliable systems has also made IT boring and dull. What types of summaries can you provide upper management to help them appreciate IT infrastructure and the money they spend on the services it provides?"
KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of-principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."
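The extraction step the summary glosses over, as an added example that is not the researchers' code: photon counts are Poisson distributed, not uniform, so the raw pixel values have to go through a randomness extractor that credits only their min-entropy. The block simulates the counts with a seeded Poisson sampler (constructed data, with an assumed mean of 10 photons per pixel) and uses SHA-256 as the extractor in place of the Toeplitz-hash construction such designs normally use; the 64-bit security margin is likewise an assumption.

```python
import hashlib
import math
import random

# Added example (not the team's code): turning Poisson photon-count noise into
# uniformly random bytes. Pixel values are CONSTRUCTED with a seeded Poisson
# simulator so the script runs offline; on a real device they come from the sensor.

SECURITY_MARGIN_BITS = 64   # extra min-entropy demanded per hash block (assumption)
HASH_OUTPUT_BITS = 256      # SHA-256 output size


def simulate_photon_counts(mean: float, pixels: int, seed: int) -> list:
    """Knuth's Poisson sampler: one simulated photon count per pixel."""
    rng = random.Random(seed)
    threshold = math.exp(-mean)
    counts = []
    for _ in range(pixels):
        k, p = 0, 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            k += 1
        counts.append(k)
    return counts


def poisson_min_entropy(mean: float) -> float:
    """Min-entropy in bits of a Poisson(mean) count: -log2 of the most likely
    count. Extractors may credit min-entropy, not the larger Shannon entropy."""
    mode = math.floor(mean)
    p_mode = math.exp(-mean) * mean ** mode / math.factorial(mode)
    return -math.log2(p_mode)


def pixels_per_block(mean: float) -> int:
    """Pixels per block so that each block carries output size + margin of min-entropy."""
    return math.ceil((HASH_OUTPUT_BITS + SECURITY_MARGIN_BITS) / poisson_min_entropy(mean))


def extract_random_bytes(counts: list, mean: float) -> bytes:
    """Hash fixed-size blocks of raw counts down to 32 bytes each. Trailing
    counts that do not fill a block are discarded, never emitted under-entropied."""
    block = pixels_per_block(mean)
    out = bytearray()
    for start in range(0, len(counts) - block + 1, block):
        raw = b"".join(c.to_bytes(2, "big") for c in counts[start:start + block])
        out += hashlib.sha256(raw).digest()
    return bytes(out)


if __name__ == "__main__":
    mean = 10.0
    counts = simulate_photon_counts(mean, pixels=1070, seed=7)
    print(f"min-entropy per pixel: {poisson_min_entropy(mean):.3f} bits")
    print(f"pixels per 256-bit output block: {pixels_per_block(mean)}")
    print(extract_random_bytes(counts, mean).hex())
```

On a real sensor the mean, and therefore the min-entropy, is estimated from the captured frame itself after discarding saturated pixels and subtracting dark noise, and any change in illumination has to re-trigger that estimate: over-crediting entropy is the failure mode of every extractor-based generator, and it is silent.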
DavidGilbert99 writes: "The Heartbleed Bug caused widespread panic from internet users around the world worried their sensitive information was being targeted. While system administrators were warned to patch their systems, a security researcher notes that 300,000 servers remain vulnerable to the heartbleed flaw a full month later. He said, 'Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.' A developer at Vivaldi Technologies AS also pointed out that a significant number of server administrators botched their response, going from safe to vulnerable."
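Why disabling heartbeats was only a stopgap and what the patch actually changed, as an added example that models rather than reproduces OpenSSL's code: the vulnerable handler trusts the payload length the peer claims, the patched one checks it against the record that really arrived. Process memory is a constructed byte string here, with a made-up secret placed after the record to stand in for neighbouring heap data.

```python
import struct

# Added example, not OpenSSL's code: the TLS heartbeat handler before and after
# the Heartbleed fix. "Process memory" is a CONSTRUCTED byte string in which
# the incoming record is followed by unrelated secret data.

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LENGTH = 16   # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """Client-side encoder. An honest client sets claimed_length == len(payload);
    the attack sets it far larger than the payload it actually sends."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LENGTH


def vulnerable_handler(memory: bytes, record_length: int):
    """Pre-patch logic: record_length is available but never consulted; the
    handler echoes back claimed_length bytes from wherever the message sits."""
    hbtype, claimed_length = struct.unpack_from("!BH", memory, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    # In C the memcpy runs past the record into neighbouring heap memory;
    # here the slice simply continues into the constructed memory image.
    payload = memory[3:3 + claimed_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_length) + payload + b"\x00" * PADDING_LENGTH


def patched_handler(memory: bytes, record_length: int):
    """Post-patch logic (OpenSSL 1.0.1g): bounds-check the claimed length
    against the real record length before touching the payload."""
    if record_length < 1 + 2 + PADDING_LENGTH:
        return None                      # too short to be a valid heartbeat
    hbtype, claimed_length = struct.unpack_from("!BH", memory, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed_length + PADDING_LENGTH > record_length:
        return None                      # the Heartbleed fix: drop silently
    payload = memory[3:3 + claimed_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_length) + payload + b"\x00" * PADDING_LENGTH


SECRET = b"session-cookie=deadbeef; private-key-fragment"   # constructed neighbouring data


def demo() -> dict:
    """Run both handlers on a benign and on a malicious request; returns
    {name: (unpatched_response, patched_response)}."""
    benign = build_heartbeat_request(b"hello", 5)
    malicious = build_heartbeat_request(b"x", 0xFFFF)     # claims 65535 bytes, sends 1
    results = {}
    for name, record in (("benign", benign), ("malicious", malicious)):
        memory = record + SECRET
        results[name] = (vulnerable_handler(memory, len(record)),
                         patched_handler(memory, len(record)))
    return results


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(name, "| unpatched leaks secret:", SECRET in (before or b""),
              "| patched response:", after)
```

Turning the extension off removes the handler from the attack surface entirely, which is why it was the fastest mitigation; turning it back on is only safe once the bounds check is in the binary actually running, which is the check the researcher's scan is really probing for.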
An anonymous reader writes "It's one of the biggest migrations in the history of Linux, and it made Steve Ballmer very angry: Munich, in southwest Germany, has completed its transition of 15,000 PCs from Windows to Linux. It has saved money, fueled the local economy, and improved security. Linux Voice talked to the man behind the migration: 'One of the biggest aims of LiMux was to make the city more independent. Germany’s major center-left political party is the SPD, and its local Munich politicians backed the idea of the city council switching to Linux. They wanted to promote small and medium-sized companies in the area, giving them funding to improve the city’s IT infrastructure, instead of sending the money overseas to a large American corporation. The SPD argued that moving to Linux would foster the local IT market, as the city would pay local companies to do the work.' (Linux Voice is making the PDF article free [CC-BY-SA] so that everyone can send it to their local councilors and encourage them to investigate Linux)."
mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."
First time accepted submitter sumakor (3571543) writes "The House Judiciary Committee has advanced a weakened version of the USA Freedom Act (HR3361). The amended compromise version allows collection of phone call records up to two hops away from a target, potentially including millions of customer records, and allows for collection without a judge's order in emergency cases. The amended bill also drops the requirement for a privacy advocate who can appeal the rulings of the Foreign Intelligence Surveillance Court and extends the controversial Section 215 of the Patriot Act from 2015 through 2017.
Despite these significant changes the amended bill has been endorsed by the ACLU and the EFF as a first step and the most promising path towards reining in government surveillance. The two organizations called for further Congressional measures to tighten control of surveillance authorities including an explicit definition of the term 'selector,' a reduction in the number of hops from 2 to 1 under most circumstances and closing the loophole that allows searches of Americans' data inadvertently collected through Section 702.
The bill now proceeds to the House Intelligence Committee, which has advanced its competing bill, the FISA Transparency and Modernization Act (HR 4291). The committee will mark up both bills on the same day, beginning at 10am Thursday, behind closed doors."
An anonymous reader writes "The op-co.de blog has a post about the incredibly poor job Samsung did securing its new NX300 'smart camera.' One of the camera's primary features is that it can join Wi-Fi networks — this lets it upload photos, but it also lets you use your smartphone to access the photos on the camera directly. You can also connect with NFC. Unfortunately, the way they set it up is extremely insecure. First, there's an NFC tag that tells the camera where to download the app, and also the name of the access point set up by the camera. 'The tag is writable, so a malicious user can easily 'hack' your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, merely by touching it with an NFC-enabled smartphone.' Things aren't much better with Wi-Fi — a simple port scan reveals that the camera is running an unprotected X server (running Enlightenment). When the camera checks for new firmware, it helpfully reports your physical location. Its software also sets up unencrypted access points."
An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, offers animated educational GIFs and tips and tricks for upgrading your passwords."
An anonymous reader writes "Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that. Andrew Lewman, executive director of the project, 'thinks of the digital abuse epidemic like a doctor might consider a biological outbreak. "Step one, do not infect yourself. Step two, do not infect others, especially your co-workers. Step three, help others," he said. In the case of digital infections, like any other, skipping those first two steps can quickly turn caretakers into infected liabilities. For domestic violence prevention organizations that means ensuring their communication lines stay uncompromised. And that means establishing a base level of technology education for staff with generally little to no tech chops who might not understand the gravity of clean communication lines until faced with a situation where their own phone or email gets hacked.'"
msm1267 (2804139) writes with a bit of news from last week that seems to have slipped under the radar. The IETF TLS working group has reached consensus on dropping static RSA cipher suites from TLS 1.3, instead requiring the use of Diffie-Hellman key exchange (or the faster elliptic curve variant). With static RSA key exchange the client encrypts the premaster secret to the server's long-term RSA key, so anyone who records traffic and later obtains that key can decrypt the recorded sessions. Static DH and not just ephemeral DH key exchange will be supported, so not all connections will have forward secrecy. The consensus is subject to change before the final TLS 1.3 specification is released, and there are still details to be worked out. The changes to the draft are pending as a git pull request.
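The difference the working group is acting on, as an added example that is not code from the IETF draft or any TLS implementation: a toy TLS 1.2-style handshake in both flavours, followed by what an attacker who recorded the handshake and later steals the server's long-term key can do with each. Every parameter is far too small to be secure; the toy primes, the SHA-256 stand-in for the key schedule and the attacker model are assumptions made for the demonstration.

```python
import hashlib
import random

# Added example (not from the IETF draft or any TLS implementation): static RSA
# key transport beside ephemeral Diffie-Hellman, with the attacker holding a
# recorded transcript plus the server's long-term private key. Toy sizes only.

# Server's long-term RSA key pair from two Mersenne primes (toy sizes).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Toy Diffie-Hellman group: the largest prime below 2^64, generator 2.
DH_P = 2**64 - 59
DH_G = 2


def derive_session_key(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the (pre)master secret."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def _hash_to_int(value: int) -> int:
    # 88 hash bits keep the signed value below the toy modulus N (about 2^92).
    return int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest()[:11], "big")


def rsa_sign(value: int, private_d: int = D) -> int:
    """Toy unpadded RSA signature over the hash of a DH public value."""
    return pow(_hash_to_int(value), private_d, N)


def rsa_verify(value: int, sig: int) -> bool:
    return pow(sig, E, N) == _hash_to_int(value)


def static_rsa_handshake(rng: random.Random):
    """TLS_RSA_*: the client encrypts a random premaster secret to the server's
    long-term key. Returns the eavesdropper's transcript and both session keys."""
    premaster = rng.randrange(2, N)
    transcript = {"kx": "RSA", "encrypted_premaster": pow(premaster, E, N)}
    server_premaster = pow(transcript["encrypted_premaster"], D, N)
    return transcript, derive_session_key(premaster), derive_session_key(server_premaster)


def dhe_handshake(rng: random.Random):
    """TLS_DHE_RSA_*: fresh exponents x and y per session; the server signs g^x
    with its long-term key. x and y die with this call: that is what 'ephemeral' means."""
    x = rng.randrange(2, DH_P - 1)
    y = rng.randrange(2, DH_P - 1)
    server_pub = pow(DH_G, x, DH_P)
    client_pub = pow(DH_G, y, DH_P)
    transcript = {"kx": "DHE", "server_pub": server_pub,
                  "sig": rsa_sign(server_pub), "client_pub": client_pub}
    assert rsa_verify(server_pub, transcript["sig"])   # client authenticates the server
    server_key = derive_session_key(pow(client_pub, x, DH_P))
    client_key = derive_session_key(pow(server_pub, y, DH_P))
    return transcript, client_key, server_key


def decrypt_recorded_rsa_session(transcript: dict, stolen_d: int) -> bytes:
    """Static RSA: the stolen key unwraps the recorded premaster secret,
    hence the session key of a connection that ended long ago."""
    return derive_session_key(pow(transcript["encrypted_premaster"], stolen_d, N))


def forge_dhe_server_key_exchange(stolen_d: int, rng: random.Random):
    """DHE: the stolen key lets the attacker impersonate the server in NEW
    handshakes (sign its own g^x'), but the recorded transcript holds only g^x
    and g^y, never x or y, so past sessions stay sealed short of a discrete log
    (easy in this toy group, infeasible in a real one)."""
    x_forged = rng.randrange(2, DH_P - 1)
    pub = pow(DH_G, x_forged, DH_P)
    return pub, rsa_sign(pub, stolen_d)


if __name__ == "__main__":
    rng = random.Random(2014)
    rsa_t, _, rsa_sk = static_rsa_handshake(rng)
    print("static RSA: recorded session decrypted with stolen key:",
          decrypt_recorded_rsa_session(rsa_t, D) == rsa_sk)
    dhe_t, _, _ = dhe_handshake(rng)
    pub, sig = forge_dhe_server_key_exchange(D, rng)
    print("DHE: ephemeral exponents present in transcript:", "x" in dhe_t or "y" in dhe_t,
          "| forged ServerKeyExchange verifies:", rsa_verify(pub, sig))
```

The asymmetry is the whole argument: with RSA key transport a single key theft retroactively opens every recorded session, while with ephemeral DH it only buys impersonation from that moment on. Static DH, which the draft still allows, reintroduces the first problem for the server's DH key, which is why the summary's caveat about forward secrecy matters.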
mask.of.sanity (1228908) writes "4chan's founder Moot has launched a bug bounty for the site after it was hacked, but is offering a meager $20 in 'self-serve ad spend' for all bugs. The bounty program was launched after the website and Moot's Amazon accounts were hacked. The intrusion spelled the end for DrawQuest which was closed after Moot decided it was not worth spending money to ensure the unprofitable but popular drawing platform was secure."
judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google Adwords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links." Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue.
judgecorp (778838) writes "Symantec says anti-virus is dead but the company — the world's largest IT security firm — still makes 40 percent of its revenue there. AV now lets through around 55 percent of attacks, the company's senior vice president of information security told the Wall Street Journal. Meanwhile, other security firms including FireEye, RedSocks and Imperva are casting doubt on AV, suggesting a focus on data loss prevention might be better."
arglebargle_xiv (2212710) writes "As most people will have heard, Microsoft will end support for anyone who hasn't upgraded to Win8.1 Update 1 on May 8. What fewer people have heard is that large numbers of users can't install the 8.1 Update, with over a thousand messages in this one thread alone, and that's for tech geeks rather than home users who won't find out about this until their PC becomes orphaned on May 8. Check your Windows Update log, if you've got a "Failed" entry next to KB2919355 then your PC will also become orphaned after May 8."
crookedvulture (1866146) writes "AMD just revealed that it has two all-new CPU cores in the works. One will be compatible with the 64-bit ARMv8 instruction set, while the other is meant as an x86 replacement for the Bulldozer architecture and its descendants. Both cores have been designed from the ground up by a team led by Jim Keller, the lead architect behind AMD's K8 architecture. Keller worked at Apple on the A4 and A4 before returning to AMD in 2012. The first chips based on the new AMD cores are due in 2016."
An anonymous reader writes "Valve Software has sponsored some interesting improvements developed by LunarG for the Mesa OpenGL library on Linux for deferred and threaded GLSL shader compilation. What these changes mean for users of the open-source Linux graphics drivers when running their favorite games is that OpenGL games now load a lot faster. As an example, the time from starting Dota 2 until the time actually being within the game is reduced by about 20 seconds on an Intel system. While Direct3D has offered similar functionality for a while, OpenGL has not, which has given it a bad reputation with regard to game load times until all shaders are compiled and cached — fortunately it's now addressed for OpenGL if using the Mesa Linux graphics drivers on a supported game."
Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt: "For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
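A policy engine in the spirit of the proposal, as an added example that is not Lance James's or Deloitte's code: derive a maximum password age from an estimate of the offline cracking time. The cracking rate and the two-thirds safety fraction are assumptions, and the estimate is plain brute force over the character classes present, which is an upper bound on the attacker's work; a real estimator also models dictionary and rule-based attacks, which is why the article's own figure for the longer password (three months) sits far below what brute force alone would suggest.

```python
import string

# Added example (not the article's or Deloitte's code): maximum password age
# derived from a brute-force cracking-time estimate. The rate and the fraction
# are ASSUMPTIONS; characters outside the four classes are ignored in this toy.

GUESSES_PER_SECOND = 4e10      # assumed offline rate, GPU-rig scale
CHANGE_FRACTION = 2 / 3        # force the change well before the estimated crack time
MIN_AGE_DAYS, MAX_AGE_DAYS = 1, 365

CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def charset_size(password: str) -> int:
    """Alphabet an attacker must assume once they know which character
    classes appear (the usual mask-attack assumption)."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    return max(size, 1)


def expected_crack_days(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Average brute-force effort: half the keyspace at `rate` guesses per second."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / rate / 86400


def max_password_age_days(password: str, rate: float = GUESSES_PER_SECOND) -> int:
    """Days the password may be kept: a fraction of its estimated crack time,
    clamped so that a throwaway password still gets one day and a strong one
    is not kept forever."""
    age = round(expected_crack_days(password, rate) * CHANGE_FRACTION)
    return max(MIN_AGE_DAYS, min(MAX_AGE_DAYS, age))


def rotation_due(password: str, age_days: float, rate: float = GUESSES_PER_SECOND) -> bool:
    """True when a password set `age_days` ago has outlived its computed budget."""
    return age_days >= max_password_age_days(password, rate)


if __name__ == "__main__":
    for pw in ("password", "test123@#", "t3st123@##$x"):
        print(f"{pw!r}: charset {charset_size(pw)}, "
              f"~{expected_crack_days(pw):.3g} days to crack, "
              f"max age {max_password_age_days(pw)} days")
```

At the assumed rate the nine-character example lands close to the article's 4.5 days and therefore on a three-day budget, while the twelve-character one hits the yearly cap. The useful property is the incentive: a password that buys its owner only a day of use is its own argument for picking a longer one.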
wiredmikey (1824622) writes "As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond. Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking. Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments. Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place. One industry insider said the view in Brussels is that EU cybersecurity was "like teenage sex: everyone says they are doing it but not that many actually are.""
GottaBeMobile offers a better explanation than many other reports of a recent Google upgrade (some users would say more of a lateral move) that makes offline document creation and editing a first-class option for users of Google's office apps, but removes editing capabilities from Google Drive per se. Instead of creating or editing documents directly through Drive, users will instead be able to do this (including offline) with a dedicated app called Docs and Sheets. The article explains a few ways in which the new configuration is confusing, including this one: "Splitting out the editing functionality from Google Drive into the new Apps certainly seems odd given that fundamentally there are no new or different editing features offered in the new Google Docs and Google Sheets standalone Apps. Some users won’t appreciate having to download the new stand alone Apps to replace previous functionality, especially limited functionality."
Iddo Genuth (903542) writes "Photographer and videographer Alec Weinstein was in the market for a new smartphone. He realized that the new Samsung Galaxy S5 and the Note 3 both have 4K video recording capabilities and decided to compare those to his 1080p 5D MKIII pro DSLR camera – the results are extremely interesting — Can you tell the difference between a Canon 5D MKIII shooting 1080p video and a Samsung Galaxy Note III smartphone shooting 4K video?"
jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too much donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."
Lucas123 (935744) writes "SanDisk has announced what it's calling the world's highest capacity 2.5-in SAS SSD, the 4TB Optimus MAX line. The flash drive uses eMLC (enterprise multi-level cell) NAND built with 19nm process technology. The company said it plans on doubling the capacity of its SAS SSDs every one to two years and expects to release an 8TB model next year, dwarfing anything hard disk drives can ever offer over the same amount of time. The Optimus MAX SAS SSD is capable of up to 400 MBps sequential reads and writes and up to 75,000 random I/Os per second (IOPS) for both reads and writes, the company said."
An anonymous reader writes "Apple has removed encrypted email attachments from iOS 7. Apple said back in June 2010 in regards to iOS 4.0: 'Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages, attachments, and third-party applications.' Not anymore."
Hugh Pickens DOT Com writes: "Sebastian Anthony argues that Microsoft is setting an awful precedent by caving and issuing a fix for Windows XP. 'Yes, tardy governments and IT administrators can breathe a little easier for a little bit longer,' writes Anthony, 'and yes, your mom and dad are yet again safe to use their old Windows XP beige box. But to what end? It's just delaying the inevitable.' Lance Ulanoff argues that Microsoft can't turn a blind eye to the security of XP users, even though the company ended support for the 12-year-old operating system on April 8, a fact that Microsoft has been warning about for, literally, years. But this won't be the only vulnerability found in XP, says Dwight Silverman. 'If Microsoft makes an exception now, what about the flaw found after this one? And the next? And the one after that, ad infinitum?' Even though Microsoft has released a patch for the IE flaw, and Windows XP is included, it's time to move on, really. 'I don't want to hear that tired "if it ain't broke, don't fix it" line. Hey, XP IS broke, and it will just get more so over time. Upgrade to a newer version of Windows, or switch to another modern operating system, such as OS X or Linux.'"
jones_supa writes: "A notable security vulnerability has been discovered which impacts both OAuth and OpenID, which are software packages that provide a secure delegated access to websites. Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the 'Covert Redirect' flaw can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter. For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication. If a user chooses to authorize the login, personal data will be released to the attacker instead of to the legitimate website. Wang did already warn a handful of tech giants about the vulnerability, but they mostly dodged the issue. In all honesty, it is not trivial to fix, and any effective remedies would negatively impact the user experience. Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask them to log in to Facebook or Google, and be aware of this redirection attack."
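The weakness described in the post comes down to where an authorization server is willing to send the user and the resulting tokens. As an added example (not code from the post, the researcher, or any of the providers named), the Python below contrasts a loose host-only redirect URI check with the exact-match comparison that RFC 6749 section 3.1.2.3 requires when a full redirect URI was registered. The client ID and URIs are constructed placeholders.

```python
"""Redirect URI validation for an OAuth 2.0 authorization server.

Added example, not from the Slashdot post or any named vendor. Contrasts a
loose host-only check with exact-match comparison (RFC 6749 section 3.1.2.3).
All client IDs and URIs below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed client registry: each client pre-registers complete redirect URIs.
REGISTERED_REDIRECTS = {
    "client-abc": {
        "https://app.example/oauth/callback",
        "https://app.example/oauth/callback-mobile",
    },
}


def loose_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any HTTPS URI whose host matches a registered one.

    Trusting the host alone means every path and query string on that host is
    an acceptable destination for the authorization response, including pages
    that forward visitors elsewhere. This is the kind of check that lets a real
    site address carry the response somewhere the user never intended.
    """
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in hosts


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: the presented URI must equal a registered one.

    RFC 6749 section 3.1.2.3: when the full redirection URI was registered, the
    server MUST compare using simple string comparison. No prefix, host-only or
    wildcard matching, so extra query parameters or a different path fail.
    """
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, check=strict_redirect_ok):
    """Return the URI the authorization response may go to, or None on mismatch.

    On a mismatch the server must not redirect at all (RFC 6749 section
    4.1.2.1); it should show the user an error page instead, since redirecting
    to an unverified URI is exactly the behaviour being prevented.
    """
    if not check(client_id, redirect_uri):
        return None
    return redirect_uri


if __name__ == "__main__":
    # Constructed request: same registered host, but an unregistered query string.
    candidate = "https://app.example/oauth/callback?next=https://other.example/"
    print("loose :", authorize("client-abc", candidate, loose_redirect_ok))
    print("strict:", authorize("client-abc", candidate, strict_redirect_ok))
```

Exact matching is the reason the post calls the fix user-unfriendly: every legitimate callback, including per-environment or per-locale variants, has to be registered individually rather than covered by a domain rule.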
Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"
First time accepted submitter ElyKahn (3637855) writes "The diaspora of startups with an NSA pedigree is rapidly growing. These startups, such as Sqrrl, Virtru, and Synack, are typically security-focused and often are commercializing technology projects from the NSA. However, coming from the NSA is a dual-edged sword... the technology is world-class and cutting-edge, but they must also fight the viewpoint of some that the startups are merely a front for the NSA."
msm1267 (2804139) writes "Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update. At the same time, researchers said they are now seeing attacks specifically targeting XP users.
Microsoft no longer supports XP as of April 8, and that includes the development and availability of security updates. But the about-face today speaks to the seriousness of the vulnerability, which is being exploited in limited targeted attacks, Microsoft said. Researchers at FireEye, meanwhile, said multiple attackers are now using the exploit against XP machines, prompting the inclusion of XP systems in the patch."
ConstantineM (965345) writes "Just as per the schedule, OpenBSD 5.5 was released today, May 1, 2014. The theme of the 5.5 release is Wrap in Time, which represents a significant achievement of changing time_t to int64_t on all platforms, as well as ensuring that all of the 8k+ OpenBSD ports still continue to build and work properly, thus doing all the heavy lifting and paving the way for all other operating systems to make the transition to 64-bit time an easier task down the line. Signed releases and packages and the new signify utility are another big selling point of 5.5, as well as OpenSSH 6.6, which includes lots of DJB crypto like chacha20-poly1305, plus lots of other goodies."
Trailrunner7 (1100399) writes "It has been a running joke in the tech industry for years that the hacking scenes in movies are, well, a joke. Hackers in hoodies pushing a few keys and taking down the power grid or causing massive traffic pileups by turning all the stoplights green at once. While those scenes provide endless entertainment for security folks, it turns out some of those attacks aren't so far-fetched. Cesar Cerrudo, a researcher and CTO at IOActive, decided to take a look at the security of some of the devices that control traffic lights and electronic signs in many cities around the world, and found that not only were the devices vulnerable to a number of attacks, but they could be exploited quite easily and perhaps could be used to spread malware from device to device. Cerrudo said that the vulnerabilities he identified can be exploited from up to a mile or two away with the right equipment."
MojoKid writes: "Google's open source Android platform has the distinction of being the most popular mobile operating system in the world. That's great in terms of dominating the market and reaping the rewards that come with it, but it's also for that very reason that Android finds itself the target of virtually every new mobile malware threat that emerges. According to data published in F-Secure's latest Mobile Threat Report (PDF), over 99 percent of the new mobile threats it discovered in the first quarter of 2014 targeted Android users. To be fair, we're not talking about hundreds of thousands, tens of thousands, or thousands of malware threats: F-Secure detected 277 new threat families, of which 275 homed in on Android."