MattSparkes (950531) writes "Law enforcement around the world has teamed up to arrest 97 for buying/using Blackshades malware, which can remotely seize control of a victim's computer, access documents, record keystrokes and even activate their webcam to take surreptitious pictures and video. It is also able to encrypt files in order to extract a ransom for their release. Blackshades RAT is a commercial product costing less than $200 which was marketed as a tool to test network security. However, it is widely used by hackers and was even said by the Electronic Frontier Foundation to have been used against Syrian activists by the government in 2012."
jfruh (300774) writes "The U.S. federal government will announce today indictments charging several employees of the Chinese military with hacking into computers to steal industrial secrets. The indictments will be the first of their kind against employees of a foreign government. Among the trade secrets allegedly stolen by the accused are information about a nuclear power plant design and a solar panel company's cost and pricing data."
pdclarry (175918) writes "Glenn Greenwald's book No Place to Hide reveals that the NSA intercepts shipments of networking gear destined for overseas and adds spyware. Cisco has responded by asking the President to intervene and stop this practice, as it has severely hurt their non-U.S. business, with shipments to other countries falling from 7% for emerging countries to over 25% for Brazil and Russia."
An anonymous reader writes "Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users' computers via 'drive by downloads,' which occur when a user innocently visits a web site, with no interaction or clicking required."
First time accepted submitter NotInHere (3654617) writes "Mozilla has introduced a new program called MWoS, or 'Mozilla Winter of Security,' to involve university students in security projects. The attending students will write code for a Mozilla security tool during (northern hemisphere) winter. Unlike GSoC, attending it involves no monetary payment, but the students' universities are expected to actively cooperate and to give the students credit for their work. From the article: 'MWoS is a win for all. Students get a chance to work on real-world security projects, under the guidance of an experienced security engineer. Professors get to implement cutting-edge security projects into their programs. Mozilla and the community get better security tools, which we would not have the resources to build or improve ourselves.'"
ConstantineM writes: "Bob Beck — OpenBSD, OpenSSH and LibreSSL developer and the director of Alberta-based non-profit OpenBSD Foundation — gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing for a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.
Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that nobody at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL. It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL — RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.
To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment. The Linux Foundation has not yet committed support, but discussions are ongoing. Funding can be directed to the OpenBSD Foundation." Update: 05/18 14:28 GMT by S : Changed last paragraph to better reflect the Linux Foundation's involvement.
acidradio writes: "Somehow the SCCM application and image deployment server at Emory University in Atlanta accidentally started to repartition, reformat then install a new image of Windows 7 onto all university-managed computers. By the time this was discovered the SCCM server had managed to repartition and reformat itself. This was likely an accident. But what if it weren't? Could this have shed light on a possibly huge vulnerability in large enterprise organizations that rely heavily on automated software deployment packages like SCCM?"
An anonymous reader points out this Science Daily report: "Researchers ... have solved one aspect of the discrete logarithm problem. This is considered to be one of the 'holy grails' of algorithmic number theory, on which the security of many cryptographic systems used today is based. They have devised a new algorithm that calls into question the security of one variant of this problem, which has been closely studied since 1976. The result ... discredits several cryptographic systems that until now were assumed to provide sufficient security safeguards. Although this work is still theoretical, it is likely to have repercussions especially on the cryptographic applications of smart cards, RFID chips, etc."
msm1267 writes: "Researchers have discovered previously unreported problems in SNMP on embedded devices where devices such as secondary-market home routers and a popular enterprise-grade load balancer are leaking authentication details in plain text. The data could be extracted by gaining access to the read-only public SNMP community string, which enables outside access to device information. While only vulnerabilities in three brands were disclosed today, a Shodan search turns up potentially hundreds of thousands of devices that are exposing SNMP to the Internet that could be equally vulnerable."
First time accepted submitter Dufflepod (3656815) writes "After yet another hardware purchase last week, I realized with some alarm just how drastically an enterprising burglar could increase the crapulence quotient of my life if they ever made off with my hardware. The house is alarmed, but much to my annoyance it isn't always set when people go out for any length of time. Ideally I want to 'alarm' the expensive items among my various PCs, UPS, NAS box, test equipment, and some of the sundry other gadgets & gizmos I require to stroke my inner geek. Over the past few days I have spent hours Googling for every combination of 'anti-theft perimeter alarm radius motion detector vibration wireless' etc. I have found various possible solutions, though the cost of some of them does make my eyes water (eg SonicShock @ €150/box). Has anyone out there decided to bite the bullet and protect their kit with decent alarms, and do you have any suggested 'do's & don'ts'?" So how would you secure valuable items, as opposed to securing the entire place?
davecb (6526) writes "At Guido van Rossum's urging, Mike Bland has a look at detecting and fixing the 'goto fail' bug at ACM Queue. He finds the same underlying problem in both the Apple and Heartbleed bugs, and explains how to not suffer it again." An excerpt: "WHY DIDN'T A TEST CATCH IT? Several articles have attempted to explain why the Apple SSL vulnerability made it past whatever tests, tools, and processes Apple may have had in place, but these explanations are not sound, especially given the above demonstration to the contrary in working code. The ultimate responsibility for the failure to detect this vulnerability prior to release lies not with any individual programmer but with the culture in which the code was produced. Let's review a sample of the most prominent explanations and specify why they fall short. Adam Langley's oft-quoted blog post discusses the exact technical ramifications of the bug but pulls back on asserting that automated testing would have caught it: 'A test case could have caught this, but it's difficult because it's so deep into the handshake. One needs to write a completely separate TLS stack, with lots of options for sending invalid handshakes.'"
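As an added illustration of the control-flow bug the ACM Queue piece discusses (example code written for this page, not Apple's code or Mike Bland's; the hash and signature steps are hypothetical stand-ins for the real TLS routines), here is the duplicated goto beside a corrected version, with the kind of isolated unit test that tells them apart without a separate TLS stack:

```c
/* Added example: a cut-down model of the "goto fail" bug and the unit test
 * that catches it. hash_update/hash_final/verify_signature are constructed
 * stand-ins, not the real Security framework functions. */
#include <stddef.h>
#include <stdint.h>

typedef int OSStatus;
#define noErr 0
#define errSSLCrypto (-9)

/* Hypothetical stand-ins: each step returns noErr on success. */
static OSStatus hash_update(const uint8_t *data, size_t len, uint32_t *acc) {
    for (size_t i = 0; i < len; i++) *acc = *acc * 31 + data[i];
    return noErr;
}

static OSStatus hash_final(uint32_t acc, uint32_t *out) {
    *out = acc;
    return noErr;
}

/* The "signature" is simply the expected digest; verification compares them. */
static OSStatus verify_signature(uint32_t digest, uint32_t signature) {
    return digest == signature ? noErr : errSSLCrypto;
}

/* Buggy shape: the duplicated "goto fail" is unconditional, so hash_final and
 * verify_signature are never reached and err (still noErr) is returned. */
OSStatus verify_buggy(const uint8_t *params, size_t len, uint32_t signature) {
    OSStatus err;
    uint32_t acc = 0, digest = 0;
    if ((err = hash_update(params, len, &acc)) != 0)
        goto fail;
        goto fail;                       /* the stray duplicated line */
    if ((err = hash_final(acc, &digest)) != 0)
        goto fail;
    err = verify_signature(digest, signature);
fail:
    return err;
}

/* Fixed shape: one goto per check, braced so a repeated line cannot silently
 * change the control flow. */
OSStatus verify_fixed(const uint8_t *params, size_t len, uint32_t signature) {
    OSStatus err;
    uint32_t acc = 0, digest = 0;
    if ((err = hash_update(params, len, &acc)) != 0) {
        goto fail;
    }
    if ((err = hash_final(acc, &digest)) != 0) {
        goto fail;
    }
    err = verify_signature(digest, signature);
fail:
    return err;
}

/* The test: with verification isolated from the handshake, checking that a
 * forged signature is rejected is a few lines. Returns 1 if the implementation
 * under test accepts the valid signature AND rejects the forged one. */
int signature_check_is_sound(OSStatus (*verify)(const uint8_t *, size_t, uint32_t)) {
    static const uint8_t params[] = "constructed-key-exchange-params";
    size_t len = sizeof params - 1;
    uint32_t acc = 0, good_sig = 0;
    hash_update(params, len, &acc);
    hash_final(acc, &good_sig);
    uint32_t forged_sig = good_sig ^ 0xdeadbeefu;   /* any value != good_sig */
    int accepts_valid  = verify(params, len, good_sig) == noErr;
    int rejects_forged = verify(params, len, forged_sig) != noErr;
    return accepts_valid && rejects_forged;
}
```

Run against both functions, the test passes for verify_fixed and fails for verify_buggy, which is exactly the regression check the article argues should have existed.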
As reported by TheNextWeb, the extended outage of the authentication mechanism of Adobe's Creative Cloud service has been resolved. From the story: "According to a series of tweets: 'Adobe ID issue is resolved. We are bringing services back online. We will share more details once we confirm everything is working.' Adobe said further, 'We have restored Adobe login services and all services are now online. We will be sharing a complete update on the outage soon.' and 'We know we let you down. We apologize and are working to ensure it doesn't happen again.'" A good time to revisit this prediction from last year about how going to an all-cloud, all-subscription model might hurt customers.
redletterdave (2493036) writes "When my best friend upgraded from an iPhone 4S to a Galaxy S4, I texted her hello. Unfortunately, she didn't get that text, nor any of the five I sent in the following three days. My iPhone didn't realize she was now an Android user and sent all my texts via iMessage. It wasn't until she called me about going to brunch that I realized she wasn't getting my text messages. What I thought was just a minor bug is actually a much larger problem. One that, apparently, Apple has no idea how to fix. Apple said the company is aware of the situation, but it's not sure how to solve it. One Apple support person said: 'This is a problem a lot of people are facing. The engineering team is working on it but is apparently clueless as to how to fix it. There are no reliable solutions right now — for some people the standard fixes work immediately; many others are in my boat.'"
MojoKid (1002251) writes "OCZ was recently acquired by Toshiba and has been going through its product stack, revamping its SSD portfolio with fresh re-designs based on Toshiba NAND Flash memory for not only increased performance but better cost structure as well. OCZ has now replaced their RevoDrive family of PCIe SSD cards with an almost complete redesign of the product. The RevoDrive 350 is based on the same OCZ VCA 2.0 (Virtualized Controller Architecture) technology as the previous generation but is now enabled with a PCI Express x8 card interface and up to 4 LSI SandForce SF-2282 SSD processors, along with 19nm Toshiba NAND Flash. The good news is, not only is the new RevoDrive 350 faster at 1.8GB/sec claimed bandwidth for sequential reads and 1.7GB/sec for sequential writes, but it's also significantly more affordable, at literally half the price of the previous gen RevoDrive 3 when it first launched. In the benchmarks, the new PCIe card excels at read throughput, regularly hitting its 1.8GB/sec claimed bandwidth, especially with sequential workloads. Write performance is solid as well and the drive competes with the likes of some higher-end and more expensive SLC NAND-based PCIe cards like LSI's WarpDrive and Intel's SSD 910."
coop0030 (263345) writes "Becky Stern at Adafruit has created a guide on how to create an open source NFC ring or other wearable to mod and unlock your Android phone. From the tutorial: 'Unlock your phone by just picking it up! No more pesky password or gesture PIN, just scan an NFC tag! This guide covers creating an NFC ring, putting an NFC tag in your nail polish, modding your Android installation to read tags from the lockscreen, and creating an automation toolchain to unlock the phone when the desired tag is scanned.' There is also a video that demonstrates how it works."
New submitter jvp (27996) writes "Adobe's authentication system for its Creative Cloud as well as its website services is down, and has been since Wednesday (14 May) afternoon. What this means: If you're a Creative Cloud subscriber, you can't log into your account via the desktop application. Online services such as the fonts are not available. Applications (eg: Photoshop, Premiere, etc) will continue to work. Softpedia has a nice article on it, but their time frames are off quite a bit." As of this writing, a message on the Adobe Creative Cloud page says "Creative Cloud is currently undergoing maintenance. Please check back later. Thank you for your patience." Even though I've come to like some remote-hosted software, like gmail, I don't think I'd want tools for manipulating local media tied even loosely to the uptime of a remote computer (or network connection).
wiredmikey (1824622) writes "Sony Pictures Entertainment has acquired the rights to the new book by journalist Glenn Greenwald about fugitive US intelligence leaker Edward Snowden, the studio said Wednesday. James Bond franchise producers Michael Wilson and Barbara Broccoli will make the movie version of 'No Place to Hide,' described as 'a political film that will resonate with today's moviegoers.' The book, subtitled 'Edward Snowden, the NSA and the US Surveillance State,' was just recently published in Britain by Hamish Hamilton and in the United States by Metropolitan Books."
An anonymous reader writes "BlackPhone was designed by Phil Zimmermann (inventor of PGP). The 4.7" display phone features a 2 GHz NVIDIA Tegra 4i ARM Cortex-A9 quad-core processor with 60 GPU cores, 1GB RAM and 16GB storage [more specs]. The OS is a customized version of Android called PrivatOS which offers encrypted calls, texts and emails that can't be unscrambled even by spy agencies. It also offers built-in resistance against malicious software which will be most welcomed for users worried about free Apps that are becoming increasingly invasive, if not pure data collection spyware for unknown 3rd parties. It's coming out this June, and many Fortune 50 companies have already ordered the phone to protect against industrial espionage."
Daniel_Stuckey (2647775) writes with news that we may soon learn which countries were sold the FinFisher malware package to spy on their own citizens. "The UK's High Court ruled yesterday that HM Revenue and Customs acted 'unlawfully' when it declined to detail how it was investigating the export of digital spy tools created by a British company. Human rights group Privacy International is celebrating the decision of Mr. Justice Green, which means HMRC now has to reconsider releasing information on its investigation into controls surrounding the export of malware known as FinFisher, created by British supplier Gamma International. The widespread FinFisher malware family, also known as FinSpy, can carry out a range of surveillance operations, from snooping on Skype and Facebook conversations to siphoning off emails or files sitting on a device. It is supposed to benefit law enforcement in their investigations, but has allegedly been found in various nations with poor human rights records, including Bahrain and Ethiopia."
wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'" The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."
chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."
Lucas123 writes: "The USB SuperSpeed+ spec (a.k.a. v3.1) offers up to 10Gbps throughput. Combine that with USB's new C-Type Connector, the specification for which is expected out in July, and users will have a symmetrical cable and plug just like Thunderbolt but that will enable up to 100 watts of power depending on the cable version. So where does that leave Thunderbolt, Intel's other hardware interconnect? According to some analysts, Thunderbolt withers or remains a niche technology supported almost exclusively by Apple. Even as Thunderbolt 2 offers twice the throughput (on paper) as USB 3.1, or up to 20Gbps, USB SuperSpeed+ is expected to scale past 40Gbps in coming years. 'USB's installed base is in the billions. Thunderbolt's biggest problem is a relatively small installed base, in the tens of millions. Adding a higher data throughput, and a more expensive option, is unlikely to change that,' said Brian O'Rourke, a principal analyst covering wired interfaces at IHS."
rastos1 sends in a report about a significant bug fix for the Linux kernel (CVE-2014-0196). "The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device. 'This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31),' Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. 'A bug this serious only comes out once every couple years.' ... While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said."
New submitter Drunkulus writes "Journalist Ira Winkler has an article about his personal run-in with the Syrian Electronic Army. While admitting that the SEA has succeeded in hijacking the Wall Street Journal's Twitter accounts and defacing the RSA conference website, he calls them immature, inept script kiddies in this Computerworld column. Quoting: 'These people purport to be servants of the genocidal dictator of Syria and came together to support him, but they wasted their hack on what amounted to cyberbullying. This is not behavior that the SEA's Syrian intelligence handlers would condone. The SEA wasted an opportunity to promote its message, while divulging previously unknown attack vectors. ... I don't think that sort of immaturity will go over well with the SEA's Syrian intelligence bosses. And that could have implications for the influence of the group in the future.'"
First time accepted submitter Dimetrodon (2714071) writes "It is an unspoken rule of military procurement that any IT or communications technology will invariably be years behind what is commercially available or technically hobbled to ensure security. One case in point is the uncomfortably backronymed NeRD, or Navy e-Reader Device, an electronic book so secure the 300 titles it holds can never be updated. Ever."
An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."
mask.of.sanity (1228908) writes "Criminals could potentially cause black-outs and mess with power grid configurations by exploiting flaws in a popular solar panel management system used by thousands of homes and businesses. The threat is substantial because, as the company boasts, its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out 566TWh of electrical energy."
First time accepted submitter stef2dotoh (3646393) writes "I've got about a year of computer science classes under my belt along with countless hours of independent online and tech book learning. I can put together a secure login-driven Web site using PHP and MySQL. (I have a personal project on GitHub and a personal Web site.) I really enjoyed my Web development class, so I've spent a lot of time honing those skills and trying to learn new technologies. I still have a ways to go, though. I've been designing Web sites for more than 10 years, writing basic PHP forms for about 5 or 6 years and only gotten seriously into PHP/MySQL the last 1 or 2 years on and off. I'm fluent with HTML and CSS, but I really like back-end development. I was hoping I might be able to get a job as a junior Web developer, but even those require 2+ years of experience and a list of technologies as long as my arm. Internships usually require students to be in their junior or senior year, so that doesn't seem to be an option for me. Recruiters are responding to my resume on various sites, but it's always for someone more experienced. Should I forget about trying to find a junior Web developer position after only one year of computer science classes?"
ClownP (1315157) writes in with this story about a hacker who did some of his work while aboard a nuclear aircraft carrier. "A former sailor assigned to a US nuclear aircraft carrier and another man have been charged with hacking the computer systems of 30 public and private organizations, including the US Navy, the Department of Homeland Security, AT&T, and Harvard University. Nicholas Paul Knight, 27, of Chantilly, VA, and Daniel Trenton Krueger, 20, of Salem, IL, were members of a crew that hacked protected computers as part of a scheme to steal personal identities and obstruct justice, according to a criminal complaint unsealed earlier this week in a US District Court in Tulsa, Oklahoma. The gang, which went by the name Team Digi7al, allegedly took to Twitter to boast of the intrusions and publicly disclose sensitive data that was taken. The hacking spree lasted from April 2012 to June 2013, prosecutors said."
An anonymous reader writes "An article on The Register titled talks about a demo that was given in London last month by NCC Group where they turned a modern TV into an audio bug. 'The devices contain microphones and cameras that can be utilized by applications — Skype and similar apps being good examples. The TV has a fairly large amount of storage, so would be able to hold more than 30 seconds of audio – we only captured short snippets for demonstration purposes. A more sophisticated attack could store more audio locally and only upload it at certain times, or could even stream it directly to a server, bypassing the need to use any of the device's storage.' Given the Snowden revelations and what we've seen previously about older tech being deprecated, how can we protect ourselves with the modern devices (other than not connecting them to the Internet)?"
An anonymous reader writes "The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation. The agency reasons that criminal operations involving computers are becoming more complicated, and argues that its own capabilities need to scale up to match them. An ACLU attorney said, 'By expanding federal law enforcement's power to secretly exploit "zero-day" vulnerabilities in software and Internet platforms, the proposal threatens to weaken Internet security for all of us.' This is particularly relevant in the wake of Heartbleed — it's been unclear whether the U.S. government knew about it before everyone else did. This request suggests that the DOJ, at least, did not abuse it — but it sure looks like they would've wanted to. You can read their request starting on page 499 of this committee meeting schedule."
angry tapir (1463043) writes "The Australian government is eyeing the introduction of a government-wide content-management system, with the preferred choice almost certain to be Drupal. Government documents indicate that part of the appeal is that Drupal modules can be easily shared between government agencies and with the public."
First time accepted submitter ChelleChelle2 (2908449) writes "Edward Snowden's release of classified material exposing the existence of numerous global surveillance programs (obtained while working as an NSA contractor at Booz Allen Hamilton) has been referred to as 'the most damaging breach of secrets in U.S. history.' Regardless of whether one chooses to champion or condemn Snowden's actions, it is apparent that the NSA needs to dramatically rework its security measures. In this article Bob Toxen, renowned author of several books and articles on Linux Security, discusses the security practices that could have stopped Snowden. Equally interesting, he weighs in on the constitutionality and morality of the NSA's spying on all Americans."
An anonymous reader writes "Every month we submit status reports to upper management. On the infrastructure side, these reports tend to be 'Hey, we met our service level agreements ... again.' IT infrastructure is now a lot like the electric company. Nobody thanks the electric company when the lights come on, but they have plenty of colorful adjectives to describe them when the power is off.
What is the best way to construct a compelling story for upper management so they'll appreciate the hard work that an IT department does? They don't seem particularly impressed with functioning systems, because they expect functioning systems. The extensive effort to design and implement reliable systems has also made IT boring and dull. What types of summaries can you provide upper management to help them appreciate IT infrastructure and the money they spend on the services it provides?"
KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of-principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."
DavidGilbert99 writes: "The Heartbleed Bug caused widespread panic among internet users around the world worried their sensitive information was being targeted. While system administrators were warned to patch their systems, a security researcher notes that 300,000 servers remain vulnerable to the Heartbleed flaw a full month later. He said, 'Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.' A developer at Vivaldi Technologies AS also pointed out that a significant number of server administrators botched their response, going from safe to vulnerable."
An anonymous reader writes "It's one of the biggest migrations in the history of Linux, and it made Steve Ballmer very angry: Munich, in southwest Germany, has completed its transition of 15,000 PCs from Windows to Linux. It has saved money, fueled the local economy, and improved security. Linux Voice talked to the man behind the migration: 'One of the biggest aims of LiMux was to make the city more independent. Germany's major center-left political party is the SPD, and its local Munich politicians backed the idea of the city council switching to Linux. They wanted to promote small and medium-sized companies in the area, giving them funding to improve the city's IT infrastructure, instead of sending the money overseas to a large American corporation. The SPD argued that moving to Linux would foster the local IT market, as the city would pay local companies to do the work.' (Linux Voice is making the PDF article free [CC-BY-SA] so that everyone can send it to their local councilors and encourage them to investigate Linux)."
mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention of the site's policies, and did not require the data to be subsequently disseminated."
First time accepted submitter sumakor (3571543) writes "The House Judiciary Committee has advanced a weakened version of the USA Freedom Act (HR3361). The amended compromise version allows collection of phone call records up to two hops away from a target, potentially including millions of customer records, and allows for collection without a judge's order in emergency cases. The amended bill also drops the requirement for a privacy advocate who can appeal the rulings of the Foreign Intelligence Surveillance Court and extends the controversial Section 215 of the Patriot Act from 2015 through 2017.
Despite these significant changes the amended bill has been endorsed by the ACLU and the EFF as a first step and the most promising path towards reining in government surveillance. The two organizations called for further Congressional measures to tighten control of surveillance authorities including an explicit definition of the term 'selector,' a reduction in the number of hops from 2 to 1 under most circumstances and closing the loophole that allows searches of Americans' data inadvertently collected through Section 702.
The bill now proceeds to the House Intelligence Committee, which has advanced its competing bill, the FISA Transparency and Modernization Act (HR 4291). The committee will mark up both bills on the same day, beginning at 10am Thursday, behind closed doors."
An anonymous reader writes "The op-co.de blog has a post about the incredibly poor job Samsung did securing its new NX300 'smart camera.' One of the camera's primary features is that it can join Wi-Fi networks — this lets it upload photos, but it also lets you use your smartphone to access the photos on the camera directly. You can also connect with NFC. Unfortunately, the way they set it up is extremely insecure. First, there's an NFC tag that tells the camera where to download the app, and also the name of the access point set up by the camera. 'The tag is writable, so a malicious user can easily 'hack' your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, merely by touching it with an NFC-enabled smartphone.' Things aren't much better with Wi-Fi — a simple port scan reveals that the camera is running an unprotected X server (running Enlightenment). When the camera checks for new firmware, it helpfully reports your physical location. Its software also sets up unencrypted access points."
An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, offers animated educational GIFs and tips and tricks for upgrading your passwords."
An anonymous reader writes "Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that. Andrew Lewman, executive director of the project, 'thinks of the digital abuse epidemic like a doctor might consider a biological outbreak. "Step one, do not infect yourself. Step two, do not infect others, especially your co-workers. Step three, help others," he said. In the case of digital infections, like any other, skipping those first two steps can quickly turn caretakers into infected liabilities. For domestic violence prevention organizations that means ensuring their communication lines stay uncompromised. And that means establishing a base level of technology education for staff with generally little to no tech chops who might not understand the gravity of clean communication lines until faced with a situation where their own phone or email gets hacked.'"
msm1267 (2804139) writes with a bit of news from last week that seems to have slipped under the radar. The IETF TLS working group has reached consensus on dropping static RSA cipher suites from TLS 1.3, instead requiring the use of Diffie-Hellman key exchange (or the faster elliptic curve variant). Static DH and not just ephemeral DH key exchange will be supported, so not all connections will have forward secrecy. The consensus is subject to change before the final TLS 1.3 specification is released, and there are still details to be worked out. The changes to the draft are pending as a git pull request.
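The caveat in that item, that static DH still lacks forward secrecy, is easy to state and worth seeing concretely. The following is an added example, not code from the IETF draft or from any TLS implementation: a toy Diffie-Hellman exchange run two ways, with the server reusing one long-term DH key (static DH) and with a fresh key per session (DHE), followed by an attacker who recorded the public values on the wire and later obtains the server's long-term private key. Static RSA key exchange behaves like the static-DH column here, since the recorded encrypted premaster secret decrypts with the leaked key. The group parameters, the SHA-256 stand-in for the key schedule and the omission of the signature on the ephemeral share are assumptions made to keep the example small.

```python
"""
Added example, not code from the IETF draft or any TLS library: a toy Diffie-Hellman
exchange run with a static server key and with a fresh (ephemeral) key per session,
to show what forward secrecy means for a recorded session once the server's
long-term key leaks. The group is a toy (assumption); never use it for real traffic.
"""
import hashlib
import secrets

P = 2 ** 127 - 1        # toy prime modulus (assumption); real TLS uses 2048-bit+ groups or curves
G = 3                   # toy generator (assumption)
KEY_BYTES = (P.bit_length() + 7) // 8


def keypair():
    """Random private exponent and the matching public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(shared_secret):
    """Stand-in for the TLS key schedule: hash the shared secret into a session key."""
    return hashlib.sha256(shared_secret.to_bytes(KEY_BYTES, "big")).hexdigest()


def run_session(server_priv, server_pub):
    """
    One handshake as a passive eavesdropper sees it: the client sends g^b, the server
    contributes g^a, both sides derive the same key. Returns the agreed key and the
    transcript (public values only) that was visible on the wire.
    """
    client_priv, client_pub = keypair()
    client_key = derive_key(pow(server_pub, client_priv, P))
    server_key = derive_key(pow(client_pub, server_priv, P))
    assert client_key == server_key
    return client_key, {"client_pub": client_pub, "server_pub": server_pub}


def static_dh_sessions(n, long_term_priv, long_term_pub):
    """Static DH: the server's long-term DH key is its key-exchange key in every session."""
    return [run_session(long_term_priv, long_term_pub) for _ in range(n)]


def ephemeral_dh_sessions(n):
    """DHE: a fresh DH key per session; the long-term key would only sign it (signature omitted)."""
    return [run_session(*keypair()) for _ in range(n)]


def attacker_decrypts(transcript, leaked_priv):
    """Later compromise: the attacker has the recording plus the server's long-term private key."""
    return derive_key(pow(transcript["client_pub"], leaked_priv, P))


def forward_secrecy_demo(n=3):
    """Return (static_recovered, ephemeral_recovered): recorded sessions the attacker can now open."""
    lt_priv, lt_pub = keypair()
    static = static_dh_sessions(n, lt_priv, lt_pub)
    ephemeral = ephemeral_dh_sessions(n)
    static_recovered = sum(attacker_decrypts(t, lt_priv) == k for k, t in static)
    ephemeral_recovered = sum(attacker_decrypts(t, lt_priv) == k for k, t in ephemeral)
    return static_recovered, ephemeral_recovered


if __name__ == "__main__":
    print("recovered sessions (static DH, DHE):", forward_secrecy_demo())
```

With static DH every recorded session falls to the leaked key; with DHE the leaked key signs shares but never derives them, so the attacker recovers nothing. That is the property TLS 1.3 gets only when ephemeral exchange is actually negotiated, which is why the "static DH still allowed" detail matters in practice.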
mask.of.sanity (1228908) writes "4chan's founder Moot has launched a bug bounty for the site after it was hacked, but is offering a meager $20 in 'self-serve ad spend' for all bugs. The bounty program was launched after the website and Moot's Amazon accounts were hacked. The intrusion spelled the end for DrawQuest which was closed after Moot decided it was not worth spending money to ensure the unprofitable but popular drawing platform was secure."
judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google AdWords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links." Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue.
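Two items above describe behaviour that shows up in ordinary web-server logs: the OSVDB scrape (one client pulling records fast while rotating its User-Agent) and the share-link leak (a file-sharing URL arriving in the Referer header when someone clicks a link inside a shared document). The following is an added example, not code from The Register, OSVDB, Intralinks, Dropbox or Graham Cluley: one parser for combined-format access logs and two detectors run over constructed sample lines. The log lines, the share-link URL patterns and the scraping thresholds are assumptions.

```python
"""
Added example (not code from The Register, OSVDB, Intralinks or Dropbox): a parser
for combined-format access logs plus two detectors over constructed sample lines.
find_scrapers() flags a client that rotates its User-Agent while pulling records at
high rate; find_leaked_share_links() reports Referer values that carry cloud-storage
share links, which is how such URLs surface in a third party's analytics.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Share-link shapes (assumption): Dropbox /s/ /sh/ /l/, Box /s/, Google Drive file links.
SHARE_LINK_RE = re.compile(
    r"https?://(?:www\.)?(?:dropbox\.com/(?:s|sh|l)/|app\.box\.com/s/|box\.com/s/|"
    r"drive\.google\.com/(?:file/d/|open\?id=))\S+", re.I
)

# Constructed sample lines (not real traffic): one rotating-UA scraper, one normal
# reader, and three hits on a public page, two of them referred from share links.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2014:10:00:01 +0000] "GET /vuln/1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [12/May/2014:10:00:01 +0000] "GET /vuln/1002 HTTP/1.1" 200 498 "-" "curl/7.35"
203.0.113.7 - - [12/May/2014:10:00:02 +0000] "GET /vuln/1003 HTTP/1.1" 200 530 "-" "Wget/1.15"
203.0.113.7 - - [12/May/2014:10:00:02 +0000] "GET /vuln/1004 HTTP/1.1" 200 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [12/May/2014:10:00:03 +0000] "GET /vuln/1005 HTTP/1.1" 200 477 "-" "python-requests/2.2"
198.51.100.9 - - [12/May/2014:10:01:10 +0000] "GET /vuln/2001 HTTP/1.1" 200 620 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [12/May/2014:10:07:30 +0000] "GET /vuln/2002 HTTP/1.1" 200 611 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.44 - - [12/May/2014:10:09:00 +0000] "GET /rates HTTP/1.1" 200 3120 "https://www.dropbox.com/s/abc123xyz/mortgage-application.pdf" "Mozilla/5.0 (Macintosh)"
192.0.2.45 - - [12/May/2014:10:09:30 +0000] "GET /rates HTTP/1.1" 200 3120 "https://app.box.com/s/q1w2e3r4t5" "Mozilla/5.0 (Windows NT 6.3)"
192.0.2.46 - - [12/May/2014:10:10:00 +0000] "GET /rates HTTP/1.1" 200 3120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux)"
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["time"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rows.append(row)
    return rows


def find_scrapers(rows, min_requests=5, max_span_seconds=60, min_agents=3):
    """
    Flag client IPs that issue at least `min_requests` within `max_span_seconds`
    while presenting at least `min_agents` distinct User-Agent strings. Rotating the
    agent defeats naive per-UA rate limits but is itself a strong per-IP signal.
    """
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["time"])
        span = (reqs[-1]["time"] - reqs[0]["time"]).total_seconds()
        agents = {r["ua"] for r in reqs}
        if len(reqs) >= min_requests and span <= max_span_seconds and len(agents) >= min_agents:
            hits[ip] = {"requests": len(reqs), "agents": len(agents), "span_seconds": span}
    return hits


def find_leaked_share_links(rows):
    """Return (client ip, share URL) pairs where the Referer is a cloud-storage share link."""
    leaks = []
    for r in rows:
        m = SHARE_LINK_RE.match(r["referer"])
        if m:
            leaks.append((r["ip"], m.group(0)))
    return leaks
```

The thresholds in `find_scrapers()` are deliberately loose; on a real site, key on the record-ID paths being enumerated rather than on any path. For the Referer side, the site receiving these hits is not the one leaking, but every referred URL in its analytics is a live share link someone else published, which is what Intralinks stumbled across; the fix belongs with the sharing provider (expiring or access-controlled links) and with users who should not click external links from inside a sensitive shared document.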
judgecorp (778838) writes "Symantec says anti-virus is dead but the company — the world's largest IT security firm — still makes 40 percent of its revenue there. AV now lets through around 55 percent of attacks, the company's senior vice president of information security told the Wall Street Journal. Meanwhile, other security firms including FireEye, RedSocks and Imperva are casting doubt on AV, suggesting a focus on data loss prevention might be better."
arglebargle_xiv (2212710) writes "As most people will have heard, Microsoft will end support for anyone who hasn't upgraded to Win8.1 Update 1 on May 8. What fewer people have heard is that large numbers of users can't install the 8.1 Update, with over a thousand messages in this one thread alone, and that's for tech geeks rather than home users who won't find out about this until their PC becomes orphaned on May 8. Check your Windows Update log, if you've got a "Failed" entry next to KB2919355 then your PC will also become orphaned after May 8."
crookedvulture (1866146) writes "AMD just revealed that it has two all-new CPU cores in the works. One will be compatible with the 64-bit ARMv8 instruction set, while the other is meant as an x86 replacement for the Bulldozer architecture and its descendants. Both cores have been designed from the ground up by a team led by Jim Keller, the lead architect behind AMD's K8 architecture. Keller worked at Apple on the A4 and A5 before returning to AMD in 2012. The first chips based on the new AMD cores are due in 2016."
An anonymous reader writes "Valve Software has sponsored some interesting improvements developed by LunarG for the Mesa OpenGL library on Linux for deferred and threaded GLSL shader compilation. What these changes mean for users of the open-source Linux graphics drivers when running their favorite games is that OpenGL games now load a lot faster. As an example, the time from starting Dota 2 until the time actually being within the game is reduced by about 20 seconds on an Intel system. While Direct3D has offered similar functionality for a while, OpenGL has not, which has given it a bad reputation with regard to game load times until all shaders are compiled and cached — fortunately it's now addressed for OpenGL if using the Mesa Linux graphics drivers on a supported game."
Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt: "For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
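The policy in that excerpt ties the change interval to an estimated offline cracking time. The following is an added example, not the Deloitte system described by Ars Technica: a small estimator that turns a password's character classes and length into a brute-force time at an assumed guess rate and derives a rotation interval from it, together with the check a practitioner would insist on, that a rule-based cracker (lower-case, undo leet substitutions, look for a common word) finds both of the article's sample passwords long before the brute-force figure suggests. The guess rate, safety margin, leet map and word list are assumptions, so the day counts will not match the article's.

```python
"""
Added example, not the Deloitte system from the Ars Technica piece: estimate
brute-force time from character classes and length at an assumed guess rate,
derive a rotation interval from it, and short-circuit to "change now" when a
simple mangling rule exposes a dictionary word. Rate, margin and word list are
assumptions.
"""
import math
import re
import string

GUESSES_PER_SECOND = 1e10      # assumption: one GPU rig against a fast unsalted hash
SAFETY_MARGIN = 2 / 3          # assumption: rotate well before the expected crack time
MAX_ROTATION_DAYS = 365

CLASSES = [                    # (name, membership test, class size)
    ("lower", str.islower, 26),
    ("upper", str.isupper, 26),
    ("digit", str.isdigit, 10),
    ("symbol", lambda c: c in string.punctuation, len(string.punctuation)),
]
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
COMMON_WORDS = {"test", "password", "welcome", "letmein", "admin", "qwerty", "dragon", "monkey"}  # constructed


def charset_size(pw):
    """Sum of the sizes of the character classes the password actually uses."""
    return sum(size for _, member, size in CLASSES if any(member(c) for c in pw))


def brute_force_days(pw, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password by exhaustive search: half the keyspace at `rate`."""
    size = charset_size(pw)
    if size == 0:
        return 0.0
    expected_guesses = size ** len(pw) / 2
    return expected_guesses / rate / 86400


def dictionary_core(pw):
    """
    Mimic a cracker's first mangling rules: lower-case, undo leet substitutions,
    then look for a common word as a whole letter run or as a prefix of >= 4 letters.
    Returns the word found, or None.
    """
    candidates = [pw.lower(), "".join(LEET.get(c, c) for c in pw.lower())]
    for text in candidates:
        for token in re.findall(r"[a-z]+", text):
            for n in range(len(token), 3, -1):
                if token[:n] in COMMON_WORDS:
                    return token[:n]
    return None


def rotation_policy(pw):
    """Days until the password must change: 0 if dictionary-derived, else margin * brute-force time."""
    core = dictionary_core(pw)
    days = brute_force_days(pw)
    if core is not None:
        rotate = 0
    else:
        rotate = int(min(MAX_ROTATION_DAYS, max(1, math.floor(days * SAFETY_MARGIN))))
    return {"brute_force_days": days, "dictionary_core": core, "rotate_after_days": rotate}


if __name__ == "__main__":
    for pw in ("test123@#", "t3st123@##$x", "Xq7#vL2p!zR9"):
        print(pw, rotation_policy(pw))
```

The brute-force column does what the article's system does: the longer example is a few hundred thousand times harder to exhaust than the short one, so it earns a much longer interval. The dictionary column is the caveat: both examples reduce to "test" plus appended digits and symbols, a transformation every mainstream cracking rule set tries first, so a policy built on keyspace alone rates them far too generously. In a real deployment the estimator should run only after a wordlist-with-rules check has passed.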