Slashdot: News for Nerds

New IE 8 Zero Day Discovered

samzenpus posted about 2 months ago | from the no-shortage dept.

Microsoft 134

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

IT Pro Gets Prison Time For Sabotaging Ex-Employer's System

Soulskill posted about 2 months ago | from the fractions-of-a-penny dept.

Crime 265

itwbennett writes: "In June 2012, Ricky Joe Mitchell of Charleston, West Virginia, found out he was going to be fired from oil and gas company EnerVest and in response he decided to reset the company's servers to their original factory settings. He also disabled cooling equipment for EnerVest's systems and disabled a data-replication process. After pleading guilty in January, Mitchell has been sentenced to four years in federal prison."

Android iBanking Malware Still Fetches $5,000

Unknown Lamer posted about 2 months ago | from the malware-for-the-rich-and-famous dept.

Android 25

itwbennett (1594911) writes "Symantec and RSA published details on their blogs on Tuesday about the iBanking Android program, which is being used by two Eastern European cybercrime groups to intercept one-time SMS passcodes used for logging into bank accounts. iBanking's source code was leaked in February, which should have caused its price to drop. But its developer has continued to develop iBanking and provide support, and the malware is still commanding $5,000 per copy, one of the highest prices seen for a type of malware, according to research from Symantec."

eBay Compromised

Unknown Lamer posted about 2 months ago | from the ebay-passwords-show-up-in-ebay-auction dept.

Security 193

New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Lets hope there's more juice on this." From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."

Why Lavabit Shut Down

Soulskill posted about 2 months ago | from the read-this-if-you-want-your-day-to-get-worse dept.

Encryption 304

An anonymous reader writes "Ladar Levison, founder of the encrypted email service Lavabit that shut down last year because of friction with U.S. government data requests, has an article at The Guardian where he explains the whole story. He writes, 'My legal saga started last summer with a knock at the door, behind which stood two federal agents ready to serve me with a court order requiring the installation of surveillance equipment on my company's network. ... I had no choice but to consent to the installation of their device, which would hand the U.S. government access to all of the messages – to and from all of my customers – as they traveled between their email accounts other providers on the Internet. But that wasn't enough. The federal agents then claimed that their court order required me to surrender my company's private encryption keys, and I balked. What they said they needed were customer passwords – which were sent securely – so that they could access the plain-text versions of messages from customers using my company's encrypted storage feature. (The government would later claim they only made this demand because of my "noncompliance".) ... What ensued was a flurry of legal proceedings that would last 38 days, ending not only my startup but also destroying, bit by bit, the very principle upon which I founded it – that we all have a right to personal privacy.'"

FBI Need Potheads To Fight Cybercrime

Soulskill posted about 2 months ago | from the government-dorito-budget-not-up-to-snuff dept.

Crime 319

An anonymous reader writes "The rate of cybercrime is growing and growing, and law enforcement is struggling to keep up. The FBI is in the process of beefing up its headcount, but they're running into a problem: many of the hackers applying for these jobs have a history of marijuana use, and the agency has a zero tolerance policy. FBI Director James Comey said, 'I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview.' However, change may be on the horizon: Comey said the FBI is changing 'both our mindset and the way we do business.' He also encouraged job applications from former pot users despite the policy."

Surface Pro 3 Has 12" Screen, Intel Inside

timothy posted about 2 months ago | from the touch-it dept.

Handhelds 316

crookedvulture (1866146) writes "Microsoft unveiled its Surface Pro 3 tablet at a press event in New York this morning. The device has a larger 12" screen with a 2160x1440 display resolution and a novel 3:2 aspect ratio. Intel Core processors provide the horsepower, starting with the Core i3 in the base model and extending all the way up to Core i7 in pricier variants. The tablet is just 9.1 mm thick, which Microsoft claims is the thinnest ever for a Core-based device. Microsoft developed a new radial fan that's supposed to distribute airflow evenly inside the chassis without generating audible noise. The tablet weighs 800 g, shaving 100 g off the Surface Pro 2, and it's supposed to have longer battery life, as well. Microsoft has also rolled out new keyboard accessories, a pressure-sensitive stylus, and a docking station that supports 4K video output. The Surface Pro 3 is scheduled to be available tomorrow with prices starting at $799." Update: 05/20 17:12 GMT by T : Mary Jo Foley points out at ZDNet that one thing not announced today is an ARM-powered Mini version.

China Bans Government Purchases of Windows 8

timothy posted about 2 months ago | from the everybody's-got-priorities dept.

China 200

itwbennett (1594911) writes "Last week, China's Central Government Procurement Center posted a notice on new requirements for government tender, that included, among other things, the mysterious request that Windows 8 be excluded from the bidding process on computer purchases. The agency could not be reached Tuesday, but China's state-controlled Xinhua News Agency said that the government was forbidding the use of Windows 8 after Microsoft recently ended official support for Windows XP."

Gun Rights Groups Say They Don't Oppose Smart Guns, Just Mandates

timothy posted about 2 months ago | from the force-breeds-resistance dept.

Government 584

Lucas123 (935744) writes "When two gun stores attempted to sell the nation's first integrated smart gun, the iP1, gun advocacy groups were charged in media reports with organizing protests that led to the stores pulling the guns from their shelves or reneging on their promise to sell them in the first place. But, the National Rifle Association and the National Shooting Sports Foundation say they do not oppose smart gun technology, which they call "authorized user recognition" firearms. "We do oppose any government mandate of this technology, however. The marketplace should decide," Mike Bazinet, a spokesman for the NSSF, wrote in an email reply to Computerworld. However, the argument for others goes that if stores begin selling smart guns, then legislators will draft laws requiring the technology."

The 69 Words GM Employees Can Never Say

timothy posted about 2 months ago | from the ok-and-you-can't-say-that-number-either dept.

Bug 373

bizwriter (1064470) writes "General Motors put together its take on a George Carlin list of words you can't say. Engineering employees were shown 69 words and phrases that were not to be used in emails, presentations, or memos. They include: defect, defective, safety, safety related, dangerous, bad, and critical. You know, words that the average person, in the context of the millions of cars that GM has recalled, might understand as indicative of underlying problems at the company. Oh, terribly sorry, 'problem' was on the list as well."

XMPP Operators Begin Requiring Encryption, Google Still Not Allowing TLS

Unknown Lamer posted about 2 months ago | from the google-talk-is-the-new-internet-explorer dept.

Communications 121

Via El Reg comes news that major XMPP (formerly known as Jabber, likely the only widely used distributed instant messaging protocol other than IRC) operators have all begun requiring encryption for client-to-server and server-to-server connections. Quoting the Prosody developers: "Last year Peter Saint-Andre laid out a plan for strengthening the security of the XMPP network. The manifesto, to date signed by over 70 XMPP service operators and software developers, offered a rallying point for those interested in ensuring the security of XMPP for its users. Today is the date that the manifesto gave for the final 'flip of the switch': as of today many XMPP services will begin refusing unencrypted connections. If you run an XMPP service, we encourage you to do the same. On the xmpp.org wiki you can find instructions for all the popular XMPP server software. While XMPP is an open distributed network, obviously no single entity can 'mandate' encryption for the whole network — but as a group we are moving in the right direction." There is a handy tool to test your server. A result worth noting is Google's: they still do not support TLS for server-to-server connections, and their sudden dropping of TLS s2s connections a few years ago is likely the primary reason operators switched off mandatory TLS for s2s (I know that's why I did it). Although Google Hangouts offers no federation, GTalk still does, but it appears that the XMPP network-at-large will now cease to federate with Google voluntarily.
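A way to see for yourself what a server advertises on a cleartext stream, added here as an example (it is not the test tool linked above, nor code from Prosody or any other project): send the stream opener, read the first <stream:features> the server returns, and check whether <starttls> is present and marked <required/>, and whether SASL PLAIN is still offered before TLS. The two replies at the bottom are constructed for the test, not captured from any real server; check_server() does the live exchange against a host you name, and the s2s variant switches the namespace to jabber:server (port 5269) and sets the from attribute.

```python
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def stream_header(domain: str, s2s: bool = False, from_domain: str = "") -> bytes:
    """Stream opener; s2s=True uses the jabber:server namespace (port 5269) and should carry 'from'."""
    ns = "jabber:server" if s2s else "jabber:client"
    frm = f" from='{from_domain}'" if from_domain else ""
    return (f"<?xml version='1.0'?><stream:stream xmlns='{ns}' "
            f"xmlns:stream='{NS_STREAM}' to='{domain}'{frm} version='1.0'>").encode()


def parse_features(raw: str) -> dict:
    """Classify the server's opening <stream:stream> plus its first <stream:features>.

    Returns {"starttls": advertised?, "required": marked <required/>?,
             "plain_auth": SASL PLAIN offered on the cleartext stream?}.
    """
    start, end = raw.find("<stream:stream"), raw.find("</stream:features>")
    if start < 0 or end < 0:
        raise ValueError("no <stream:features> in reply (stream error or closed connection?)")
    # The stream root is never closed on the wire; close it so ElementTree can parse the prefix.
    root = ET.fromstring(raw[start:end + len("</stream:features>")] + "</stream:stream>")
    features = root.find(f"{{{NS_STREAM}}}features")
    starttls = features.find(f"{{{NS_TLS}}}starttls")
    mechs = features.find(f"{{{NS_SASL}}}mechanisms")
    return {
        "starttls": starttls is not None,
        "required": starttls is not None and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "plain_auth": mechs is not None and any(m.text == "PLAIN" for m in mechs),
    }


def verdict(f: dict) -> str:
    if f["required"]:
        return "encryption required"
    if f["starttls"]:
        return "STARTTLS optional" + (", SASL PLAIN offered in the clear" if f["plain_auth"] else "")
    return "no STARTTLS offered"


def check_server(host: str, domain: str, port: int = 5222, s2s: bool = False,
                 from_domain: str = "", timeout: float = 5.0) -> dict:
    """Live check: open a cleartext stream and read until the first feature set (or stream close)."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain, s2s, from_domain))
        while b"</stream:features>" not in buf and b"</stream:stream>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_features(buf.decode("utf-8", "replace"))


# CONSTRUCTED sample replies (not captured from any real server).
_OPEN = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
         f"xmlns:stream='{NS_STREAM}' id='s1' from='example.org' version='1.0'>")
HARDENED_REPLY = _OPEN + (
    f"<stream:features><starttls xmlns='{NS_TLS}'><required/></starttls></stream:features>")
WEAK_REPLY = _OPEN + (
    f"<stream:features><starttls xmlns='{NS_TLS}'/>"
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism>"
    "<mechanism>SCRAM-SHA-1</mechanism></mechanisms></stream:features>")
```

A server that has flipped the switch yields starttls=True, required=True and no SASL mechanisms on the cleartext stream; STARTTLS optional together with PLAIN before TLS is exactly the configuration the manifesto set out to remove. A server that refuses unencrypted connections outright by answering with a <stream:error> and closing produces no feature set, which parse_features reports as a ValueError rather than a verdict; for a federation check call check_server(host, domain, 5269, s2s=True, from_domain="your.domain").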

Almost 100 Arrested In Worldwide Swoop On Blackshades Malware

samzenpus posted about 2 months ago | from the shut-it-down dept.

Crime 87

MattSparkes (950531) writes "Law enforcement around the world has teamed up to arrest 97 for buying/using Blackshades malware, which can remotely seize control of a victim's computer, access documents, record keystrokes and even activate their webcam to take surreptitious pictures and video. It is also able to encrypt files in order to extract a ransom for their release. Blackshades RAT is a commercial product costing less than $200 which was marketed as a tool to test network security. However, it is widely used by hackers and was even said by the Electronic Frontier Foundation to have been used against Syrian activists by the government in 2012."

US To Charge Chinese Military Employees With Hacking

samzenpus posted about 2 months ago | from the don't-hack-me-bro dept.

United States 225

jfruh (300774) writes "The U.S. federal government will announce today indictments of several employees of the Chinese military with hacking into computers to steal industrial secrets. The indictments will be the first of their kind against employees of a foreign government. Among the trade secrets allegedly stolen by the accused are information about a nuclear power plant design and a solar panel company's cost and pricing data."

Cisco Complains To Obama About NSA Adding Spyware To Routers

samzenpus posted about 2 months ago | from the get-out-of-there dept.

Businesses 297

pdclarry (175918) writes "Glenn Greenwald's book No Place to Hide reveals that the NSA intercepts shipments of networking gear destined for overseas and adds spyware. Cisco has responded by asking the President to intervene and stop this practice, as it has severely hurt their non-U.S. business, with shipments to other countries falling from 7% for emerging countries to over 25% for Brazil and Russia."

Malvertising Up By Over 200%

samzenpus posted about 2 months ago | from the protect-ya-neck dept.

Advertising 174

An anonymous reader writes "Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users' computers via 'drive by downloads,' which occur when a user innocently visits a web site, with no interaction or clicking required."

Mozilla Launches Student Coding Program "Winter of Security"

samzenpus posted about 2 months ago | from the student-labor dept.

Mozilla 40

First time accepted submitter NotInHere (3654617) writes "Mozilla has introduced a new program called MWoS, or 'Mozilla Winter of Security,' to involve university students in security projects. The attending students will write code for a Mozilla security tool during (northern hemisphere) winter. Unlike GSoC, attending it involves no monetary payment, but the students' universities are expected to actively cooperate and to give the students a credit for their work. From the article: 'MWoS is a win for all. Students get a chance to work on real-world security projects, under the guidance of an experienced security engineer. Professors get to implement cutting-edge security projects into their programs. Mozilla and the community get better security tools, which we would not have the resources to build or improve ourselves.'"

30-Day Status Update On LibreSSL

Soulskill posted about 2 months ago | from the all-the-hyperlinks-you-can-handle dept.

Encryption 164

ConstantineM writes: "Bob Beck — OpenBSD, OpenSSH and LibreSSL developer and the director of Alberta-based non-profit OpenBSD Foundation — gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing for a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that nobody at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL. It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL — RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment. The Linux Foundation has not yet committed support, but discussions are ongoing. Funding can be directed to the OpenBSD Foundation."
Update: 05/18 14:28 GMT by S : Changed last paragraph to better reflect the Linux Foundation's involvement.

Emory University SCCM Server Accidentally Reformats All Computers Campus-wide

Soulskill posted about 2 months ago | from the that-qualifies-as-a-bad-day dept.

Security 564

acidradio writes: "Somehow the SCCM application and image deployment server at Emory University in Atlanta accidentally started to repartition, reformat then install a new image of Windows 7 onto all university-managed computers. By the time this was discovered the SCCM server had managed to repartition and reformat itself. This was likely an accident. But what if it weren't? Could this have shed light on a possibly huge vulnerability in large enterprise organizations that rely heavily on automated software deployment packages like SCCM?"

Discrete Logarithm Problem Partly Solved -- Time To Drop Some Crypto Methods?

Soulskill posted about 2 months ago | from the now-let's-be-paranoid-that-the-NSA-solved-it-years-ago dept.

Math 114

An anonymous reader points out this Science Daily report: "Researchers ... have solved one aspect of the discrete logarithm problem. This is considered to be one of the 'holy grails' of algorithmic number theory, on which the security of many cryptographic systems used today is based. They have devised a new algorithm that calls into question the security of one variant of this problem, which has been closely studied since 1976. The result ... discredits several cryptographic systems that until now were assumed to provide sufficient security safeguards. Although this work is still theoretical, it is likely to have repercussions especially on the cryptographic applications of smart cards, RFID chips, etc."

Embedded Devices Leak Authentication Data Via SNMP

Soulskill posted about 2 months ago | from the duct-tape-won't-fix-this-leak dept.

Security 58

msm1267 writes: "Researchers have discovered previously unreported problems in SNMP on embedded devices where devices such as secondary-market home routers and a popular enterprise-grade load balancer are leaking authentication details in plain text. The data could be extracted by gaining access to the read-only public SNMP community string, which enables outside access to device information. While only vulnerabilities in three brands were disclosed today, a Shodan search turns up potentially hundreds of thousands of devices that are exposing SNMP to the Internet that could be equally vulnerable."
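What a sweep like the Shodan one would run against each exposed device, added here as an example and not taken from the researchers' disclosure: an SNMPv1 GET/GETNEXT client written against raw BER with only the standard library, followed by a keyword filter over the octet-string values that come back. Only sysDescr.0 (1.3.6.1.2.1.1.1.0) and the default community string "public" are real; the enterprise OID 1.3.6.1.4.1.99999.1.3.0 and the reply in constructed_response() are made up to stand in for a leaky router. snmp_walk() talks to a live host and belongs only on devices you are authorised to test.

```python
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
GET, GET_NEXT, GET_RESPONSE = 0xA0, 0xA1, 0xA2
SECRET_HINTS = ("pass", "pwd", "secret", "key", "community", "ppp", "wpa", "psk")  # heuristic

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; replies can exceed 127 bytes, so the long-form length is handled too."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _int(n: int) -> bytes:
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base-128, continuation bit on every byte but the last
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_request(community: str, oid: str, request_id: int = 1, pdu_tag: int = GET) -> bytes:
    """SEQUENCE { version INTEGER 0, community OCTET STRING, PDU { id, error, index, varbinds } }."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + _tlv(0x05, b"")))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _parse(data: bytes, pos: int = 0):
    """One BER TLV at pos -> (tag, value, end); SEQUENCE/PDU values are lists of (tag, value)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    body, end = data[pos:pos + length], pos + length
    if tag == 0x30 or 0xA0 <= tag <= 0xAF:
        items, p = [], 0
        while p < len(body):
            t, v, p = _parse(body, p)
            items.append((t, v))
        return tag, items, end
    if tag == 0x02:
        return tag, int.from_bytes(body, "big", signed=True), end
    if tag == 0x06:
        return tag, _decode_oid(body), end
    return tag, body, end  # OCTET STRING, NULL, Counter etc. stay raw bytes

def varbinds_from_response(data: bytes):
    """[(oid, value), ...] from a GetResponse; [] if the agent reports an error-status."""
    _, msg, _ = _parse(data)
    pdu_tag, pdu = msg[2]
    if pdu_tag != GET_RESPONSE or pdu[1][1] != 0:  # v1 agents end a walk with noSuchName (2)
        return []
    return [(vb[0][1], vb[1][1]) for _, vb in pdu[3][1]]

def find_suspect_values(varbinds):
    """Octet-string values whose text hints at a credential (expect false positives)."""
    hits = []
    for oid, value in varbinds:
        if isinstance(value, bytes):
            text = value.decode("utf-8", "replace")
            if any(h in text.lower() for h in SECRET_HINTS):
                hits.append((oid, text))
    return hits

def snmp_walk(host: str, base_oid: str, community: str = "public", timeout: float = 2.0):
    """GETNEXT loop over a subtree on a live device; only run it where you are authorised."""
    results, oid = [], base_oid
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for req_id in range(1, 5001):
            sock.sendto(build_request(community, oid, req_id, GET_NEXT), (host, 161))
            vbs = varbinds_from_response(sock.recvfrom(65535)[0])
            if not vbs or not vbs[0][0].startswith(base_oid + "."):
                break  # error-status or walked past the subtree
            results.append(vbs[0])
            oid = vbs[0][0]
    return results

def constructed_response() -> bytes:
    """CONSTRUCTED GetResponse standing in for a leaky router; the vendor OID and values are made up."""
    vb1 = _tlv(0x30, _oid(SYS_DESCR) + _tlv(0x04, b"HomeRouter v1.2"))
    vb2 = _tlv(0x30, _oid("1.3.6.1.4.1.99999.1.3.0") + _tlv(0x04, b"pppoe_password=hunter2"))
    pdu = _tlv(GET_RESPONSE, _int(1) + _int(0) + _int(0) + _tlv(0x30, vb1 + vb2))
    return _tlv(0x30, _int(0) + _tlv(0x04, b"public") + pdu)
```

find_suspect_values(snmp_walk(host, "1.3.6.1")) runs the filter over a whole walk; the keyword list is a heuristic and will flag innocent values (an interface description mentioning PPP, say), so treat hits as leads to read, not as findings. Nothing here changes device state, which is the point of the story: the read-only community is enough. The fix on the device side is to bind SNMP to the management network, change the community string, and move to SNMPv3 with authentication and privacy.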

Ask Slashdot: Anti-Theft Products For the Over-Equipped Household?

timothy posted about 2 months ago | from the exploding-dye-packs dept.

Crime 408

First time accepted submitter Dufflepod (3656815) writes "After yet another hardware purchase last week, I realized with some alarm just how drastically an enterprising burglar could increase the crapulence quotient of my life if they ever made off with my hardware. The house is alarmed, but much to my annoyance it isn't always set when people go out for any length of time. Ideally I want to 'alarm' the expensive items among my various PCs, UPS, NAS box, test equipment, and some of the sundry other gadgets & gizmos I require to stroke my inner geek. Over the past few days I have spent hours Googling for every combination of "anti-theft perimeter alarm radius motion detector vibration wireless" etc etc.. I have found various possible solutions, though the cost of some of them does make my eyes water (eg SonicShock @ €150/box). Has anyone out there decided to bite-the-bullet and protect their kit with decent alarms, and do you have any suggested 'do's & don'ts'?" So how would you secure valuable items, as opposed to securing the entire place?

Finding More Than One Worm In the Apple

timothy posted about 2 months ago | from the looking-deeper dept.

Bug 116

davecb (6526) writes "At Guido van Rossum's urging, Mike Bland has a look at detecting and fixing the "goto fail" bug at ACM Queue. He finds the same underlying problem in both the Apple and Heartbleed bugs, and explains how to not suffer it again." An excerpt: "WHY DIDN'T A TEST CATCH IT? Several articles have attempted to explain why the Apple SSL vulnerability made it past whatever tests, tools, and processes Apple may have had in place, but these explanations are not sound, especially given the above demonstration to the contrary in working code. The ultimate responsibility for the failure to detect this vulnerability prior to release lies not with any individual programmer but with the culture in which the code was produced. Let's review a sample of the most prominent explanations and specify why they fall short. Adam Langley's oft-quoted blog post discusses the exact technical ramifications of the bug but pulls back on asserting that automated testing would have caught it: "A test case could have caught this, but it's difficult because it's so deep into the handshake. One needs to write a completely separate TLS stack, with lots of options for sending invalid handshakes.""

Adobe Creative Cloud Is Back

timothy posted about 2 months ago | from the won't-happen-again dept.

Bug 74

As reported by TheNextWeb, the extended outage of the authentication mechanism of Adobe's Creative Cloud service has been resolved. From the story: "According to a series of tweets: 'Adobe ID issue is resolved. We are bringing services back online. We will share more details once we confirm everything is working.' Adobe said further, 'We have restored Adobe login services and all services are now online. We will be sharing a complete update on the outage soon.' and 'We know we let you down. We apologize and are working to ensure it doesn't happen again.'" A good time to revisit this prediction from last year about how going to an all-cloud, all-subscription model might hurt customers.

Apple's Revenge: iMessage Might Eat Your Texts If You Switch To Android

timothy posted about 2 months ago | from the computer-says-no dept.

Android 415

redletterdave (2493036) writes "When my best friend upgraded from an iPhone 4S to a Galaxy S4, I texted her hello. Unfortunately, she didn't get that text, nor any of the five I sent in the following three days. My iPhone didn't realize she was now an Android user and sent all my texts via iMessage. It wasn't until she called me about going to brunch that I realized she wasn't getting my text messages. What I thought was just a minor bug is actually a much larger problem. One that, apparently, Apple has no idea how to fix. Apple said the company is aware of the situation, but it's not sure how to solve it. One Apple support person said: 'This is a problem a lot of people are facing. The engineering team is working on it but is apparently clueless as to how to fix it. There are no reliable solutions right now — for some people the standard fixes work immediately; many others are in my boat.'"

OCZ RevoDrive 350 PCIe SSD Hits 1.8GB/sec With Standard Toshiba MLC NAND

timothy posted about 2 months ago | from the and-this-time-next-year dept.

Data Storage 113

MojoKid (1002251) writes "OCZ was recently acquired by Toshiba and has been going through its product stack, revamping its SSD portfolio with fresh re-designs based on Toshiba NAND Flash memory for not only increased performance but better cost structure as well. OCZ has now replaced their RevoDrive family of PCIe SSD cards with an almost complete redesign of the product. The RevoDrive 350 is based on the same OCZ VCA 2.0 (Virtualized Controller Architecture) technology as the previous generation but is now enabled with a PCI Express X8 card interface and up to 4 LSI SandForce SD-2282 SSD processors, along with 19nm Toshiba NAND Flash. The good news is, not only is the new RevoDrive 350 faster at 1.8GB/sec claimed bandwidth for sequential reads and 1.7GB/sec for sequential writes, but it's also significantly more affordable, at literally half the price of the previous gen RevoDrive 3 when it first launched. In the benchmarks, the new PCIe card excels at read throughput, regularly hitting its 1.8GB/sec claimed bandwidth, especially with sequential workloads. Write performance is solid as well and the drive competes with the likes of some higher-end and more expensive SLC NAND-based PCIe cards like LSI's WarpDrive and Intel's SSD 910."

Unlock Your Android Phone With Open Source Wearable NFC

timothy posted about 2 months ago | from the now-attach-it-to-your-gun dept.

Hardware Hacking 81

coop0030 (263345) writes "Becky Stern at Adafruit has created a guide on how to create an open source NFC ring or other wearable to mod and unlock your Android phone. From the tutorial: 'Unlock your phone by just picking it up! No more pesky password or gesture PIN, just scan an NFC tag! This guide covers creating an NFC ring, putting an NFC tag in your nail polish, modding your Android installation to read tags from the lockscreen, and creating an automation toolchain to unlock the phone when the desired tag is scanned.' There is also a video that demonstrates how it works."

Adobe Creative Cloud Services Offline (Again?)

timothy posted about 2 months ago | from the more-moving-parts-to-fail dept.

Software 164

New submitter jvp (27996) writes "Adobe's authentication system for its Creative Cloud as well as its website services is down, and has been since Wednesday (14 May) afternoon. What this means: If you're a Creative Cloud subscriber, you can't log into your account via the desktop application. Online services such as the fonts are not available. Applications (eg: Photoshop, Premiere, etc) will continue to work. Softpedia has a nice article on it, but their time frames are off quite a bit." As of this writing, a message on the Adobe Creative Cloud page says "Creative Cloud is currently undergoing maintenance. Please check back later. Thank you for your patience." Even though I've come to like some remote-hosted software, like gmail, I don't think I'd want tools for manipulating local media tied even loosely to the uptime of a remote computer (or network connection).

Sony To Make Movie of Edward Snowden Story

samzenpus posted about 2 months ago | from the leaks-camera-action! dept.

Movies 107

wiredmikey (1824622) writes "Sony Pictures Entertainment has acquired the rights to the new book by journalist Glenn Greenwald about fugitive US intelligence leaker Edward Snowden, the studio said Wednesday. James Bond franchise producers Michael Wilson and Barbara Broccoli will make the movie version of 'No Place to Hide,' described as 'a political film that will resonate with today's moviegoers.' The book, subtitled 'Edward Snowden, the NSA and the US Surveillance State,' was just recently published in Britain by Hamish Hamilton and in the United States by Metropolitan Books."

Phil Zimmermann's 'Spy-Proof' Mobile Phone In Demand

Soulskill posted about 2 months ago | from the protecting-against-all-but-the-dumbest-users dept.

Cellphones 107

An anonymous reader writes "BlackPhone was designed by Phil Zimmermann (inventor of PGP). The 4.7" display phone features a 2 GHz NVIDIA Tegra 4i ARM Cortex-A9 quad-core processor with 60 GPU cores, 1GB RAM and 16GB storage [more specs]. The OS is a customized version of Android called PrivatOS which offers encrypted calls, texts and emails that can't be unscrambled even by spy agencies. It also offers built-in resistance against malicious software which will be most welcomed for users worried about free Apps that are becoming increasingly invasive, if not pure data collection spyware for unknown 3rd parties. It's coming out this June, and many Fortune 50 companies have already ordered the phone to protect against industrial espionage."

The Fight To Uncover Spyware Exports To Repressive Regimes

Unknown Lamer posted about 2 months ago | from the virtual-arms-deals dept.

Security 36

Daniel_Stuckey (2647775) writes with news that we may soon learn which countries were sold the FinFisher malware package to spy on their own citizens. "The UK's High Court ruled yesterday that HM Revenue and Customs acted 'unlawfully' when it declined to detail how it was investigating the export of digital spy tools created by a British company. Human rights group Privacy International is celebrating the decision of Mr. Justice Green, which means HMRC now has to reconsider releasing information on its investigation into controls surrounding the export of malware known as FinFisher, created by British supplier Gamma International. The widespread FinFisher malware family, also known as FinSpy, can carry out a range of surveillance operations, from snooping on Skype and Facebook conversations to siphoning off emails or files sitting on a device. It is supposed to benefit law enforcement in their investigations, but has allegedly been found in various nations with poor human rights records, including Bahrain and Ethiopia."

Estonia Urged To Drop Internet Voting Over Security Fears

Unknown Lamer posted about 2 months ago | from the still-better-than-a-diebold-machine dept.

Security 116

wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'" The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."

Do Embedded Systems Need a Time To Die?

Soulskill posted about 2 months ago | from the upgrade-or-perish dept.

Security 187

chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."

Can Thunderbolt Survive USB SuperSpeed+?

Soulskill posted about 2 months ago | from the apple-can-afford-life-support-for-a-while dept.

Intel 355

Lucas123 writes: "The USB SuperSpeed+ spec (a.k.a. v3.1) offers up to 10Gbps throughput. Combine that with USB's new C-Type Connector, the specification for which is expected out in July, and users will have a symmetrical cable and plug just like Thunderbolt but that will enable up to 100 watts of power depending on the cable version. So where does that leave Thunderbolt, Intel's other hardware interconnect? According to some analysts, Thunderbolt withers or remains a niche technology supported almost exclusively by Apple. Even as Thunderbolt 2 offers twice the throughput (on paper) as USB 3.1, or up to 20Gbps, USB SuperSpeed+ is expected to scale past 40Gbps in coming years. 'USB's installed base is in the billions. Thunderbolt's biggest problem is a relatively small installed base, in the tens of millions. Adding a higher data throughput, and a more expensive option, is unlikely to change that,' said Brian O'Rourke, a principal analyst covering wired interfaces at IHS."

5-Year-Old Linux Kernel Bug Fixed

Soulskill posted about 2 months ago | from the must-have-been-union dept.

Bug 127

rastos1 sends in a report about a significant bug fix for the Linux kernel (CVE-2014-0196). "The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device. 'This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31),' Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. 'A bug this serious only comes out once every couple years.' ... While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said."

Journalist vs. the Syrian Electronic Army

Soulskill posted about 2 months ago | from the place-your-wagers-now dept.

Security 43

New submitter Drunkulus writes "Journalist Ira Winkler has an article about his personal run-in with the Syrian Electronic Army. While admitting that the SEA has succeeded in hijacking the Wall Street Journal's Twitter accounts and defacing the RSA conference website, he calls them immature, inept script kiddies in this Computerworld column. Quoting: 'These people purport to be servants of the genocidal dictator of Syria and came together to support him, but they wasted their hack on what amounted to cyberbullying. This is not behavior that the SEA's Syrian intelligence handlers would condone. The SEA wasted an opportunity to promote its message, while divulging previously unknown attack vectors. ... I don't think that sort of immaturity will go over well with the SEA's Syrian intelligence bosses. And that could have implications for the influence of the group in the future.'"

US Navy Develops World's Worst E-reader

timothy posted about 2 months ago | from the I-want-one dept.

Government 249

First time accepted submitter Dimetrodon (2714071) writes "It is an unspoken rule of military procurement that any IT or communications technology will invariably be years behind what is commercially available or technically hobbled to ensure security. One case in point is the uncomfortably backronymed NeRD, or Navy e-Reader Device, an electronic book so secure the 300 titles it holds can never be updated. Ever."

Researchers Find, Analyze Forged SSL Certs In the Wild

timothy posted about 2 months ago | from the they're-out-there dept.

Security 86

An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."

Flaws In Popular Solar Power Management Platform Could Crash the Grid

samzenpus posted about 2 months ago | from the there-goes-the-sun dept.

Security 90

mask.of.sanity (1228908) writes "Criminals could potentially cause black-outs and mess with power grid configurations by exploiting flaws in a popular solar panel management system used by thousands of homes and businesses. The threat is substantial because, as the company boasts, its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out 566TWh of electrical energy."

Ask Slashdot: Computer Science Freshman, Too Soon To Job Hunt?

samzenpus posted about 2 months ago | from the get-a-job dept.

Businesses 309

First time accepted submitter stef2dotoh (3646393) writes "I've got about a year of computer science classes under my belt along with countless hours of independent online and tech book learning. I can put together a secure login-driven Web site using PHP and MySQL. (I have a personal project on GitHub and a personal Web site.) I really enjoyed my Web development class, so I've spent a lot of time honing those skills and trying to learn new technologies. I still have a ways to go, though. I've been designing Web sites for more than 10 years, writing basic PHP forms for about 5 or 6 years and only gotten seriously into PHP/MySQL the last 1 or 2 years on and off. I'm fluent with HTML and CSS, but I really like back-end development. I was hoping I might be able to get a job as a junior Web developer, but even those require 2+ years of experience and a list of technologies as long as my arm. Internships usually require students to be in their junior or senior year, so that doesn't seem to be an option for me. Recruiters are responding to my resume on various sites, but it's always for someone more experienced. Should I forget about trying to find a junior Web developer position after only one year of computer science classes?"

Feds: Sailor Hacked Navy Network While Aboard Nuclear Aircraft Carrier

samzenpus posted about 2 months ago | from the to-the-hacking-station dept.

Security 43

ClownP (1315157) writes in with this story about a hacker who did some of his work while aboard a nuclear aircraft carrier. "A former sailor assigned to a US nuclear aircraft carrier and another man have been charged with hacking the computer systems of 30 public and private organizations, including the US Navy, the Department of Homeland Security, AT&T, and Harvard University. Nicholas Paul Knight, 27, of Chantilly, VA, and Daniel Trenton Krueger, 20, of Salem, IL, were members of a crew that hacked protected computers as part of a scheme to steal personal identities and obstruct justice, according to a criminal complaint unsealed earlier this week in a US District Court in Tulsa, Oklahoma. The gang, which went by the name Team Digi7al, allegedly took to Twitter to boast of the intrusions and publicly disclose sensitive data that was taken. The hacking spree lasted from April 2012 to June 2013, prosecutors said."

Eavesdropping With a Smart TV

Soulskill posted about 2 months ago | from the i'll-stick-with-a-dumb-tv,-thanks dept.

Television 93

An anonymous reader writes "An article on The Register talks about a demo that was given in London last month by NCC Group where they turned a modern TV into an audio bug. 'The devices contain microphones and cameras that can be utilized by applications — Skype and similar apps being good examples. The TV has a fairly large amount of storage, so would be able to hold more than 30 seconds of audio – we only captured short snippets for demonstration purposes. A more sophisticated attack could store more audio locally and only upload it at certain times, or could even stream it directly to a server, bypassing the need to use any of the device's storage.' Given the Snowden revelations and what we've seen previously about older tech being deprecated, how can we protect ourselves with the modern devices (other than not connecting them to the Internet)?"

DOJ Requests More Power To Hack Remote Computers

Soulskill posted about 2 months ago | from the you-can-trust-us dept.

Government 76

An anonymous reader writes "The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation. The agency reasons that criminal operations involving computers are becoming more complicated, and argues that its own capabilities need to scale up to match them. An ACLU attorney said, 'By expanding federal law enforcement's power to secretly exploit "zero-day" vulnerabilities in software and Internet platforms, the proposal threatens to weaken Internet security for all of us.' This is particularly relevant in the wake of Heartbleed — it's been unclear whether the U.S. government knew about it before everyone else did. This request suggests that the DOJ, at least, did not abuse it — but it sure looks like they would've wanted to. You can read their request starting on page 499 of this committee meeting schedule."

The NSA and Snowden: Securing the All-Seeing Eye

timothy posted about 2 months ago | from the what-you-intend-to-practice dept.

Government 97

First time accepted submitter ChelleChelle2 (2908449) writes "Edward Snowden's release of classified material exposing the existence of numerous global surveillance programs (obtained while working as an NSA contractor at Booz Allen Hamilton) has been referred to as 'the most damaging breach of secrets in U.S. history.' Regardless of whether one chooses to champion or condemn Snowden's actions, it is apparent that the NSA needs to dramatically rework its security measures. In this article Bob Toxen, renowned author of several books and articles on Linux Security, discusses the security practices that could have stopped Snowden. Equally interesting, he weighs in on the constitutionality and morality of the NSA's spying on all Americans."

Ask Slashdot: How Do You Tell a Compelling Story About IT Infrastructure?

Soulskill posted about 2 months ago | from the name-your-servers-after-game-of-thrones-characters dept.

IT 192

An anonymous reader writes "Every month we submit status reports to upper management. On the infrastructure side, these reports tend to be 'Hey, we met our service level agreements ... again.' IT infrastructure is now a lot like the electric company. Nobody thanks the electric company when the lights come on, but they have plenty of colorful adjectives to describe them when the power is off.

What is the best way to construct a compelling story for upper management so they'll appreciate the hard work that an IT department does? They don't seem particularly impressed with functioning systems, because they expect functioning systems. The extensive effort to design and implement reliable systems has also made IT boring and dull. What types of summaries can you provide upper management to help them appreciate IT infrastructure and the money they spend on the services it provides?"

Physicists Turn 8MP Smartphone Camera Into a Quantum Random Number Generator

Soulskill posted about 2 months ago | from the more-than-one-way-to-skin-schrodinger's-cat dept.

Encryption 104

KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of-principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."

One Month Later: 300,000 Servers Remain Vulnerable To Heartbleed

Soulskill posted about 2 months ago | from the server-security-hipsters-don't-follow-the-crowd dept.

Encryption 60

DavidGilbert99 writes: "The Heartbleed Bug caused widespread panic among internet users around the world worried their sensitive information was being targeted. While system administrators were warned to patch their systems, a security researcher notes that 300,000 servers remain vulnerable to the Heartbleed flaw a full month later. He said, 'Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.' A developer at Vivaldi Technologies AS also pointed out that a significant number of server administrators botched their response, going from safe to vulnerable."

The Man Behind Munich's Migration of 15,000 PCs From Windows To Linux

Soulskill posted about 2 months ago | from the full-conversion-mod dept.

Operating Systems 264

An anonymous reader writes "It's one of the biggest migrations in the history of Linux, and it made Steve Ballmer very angry: Munich, in southwest Germany, has completed its transition of 15,000 PCs from Windows to Linux. It has saved money, fueled the local economy, and improved security. Linux Voice talked to the man behind the migration: 'One of the biggest aims of LiMux was to make the city more independent. Germany's major center-left political party is the SPD, and its local Munich politicians backed the idea of the city council switching to Linux. They wanted to promote small and medium-sized companies in the area, giving them funding to improve the city's IT infrastructure, instead of sending the money overseas to a large American corporation. The SPD argued that moving to Linux would foster the local IT market, as the city would pay local companies to do the work.' (Linux Voice is making the PDF article free [CC-BY-SA] so that everyone can send it to their local councilors and encourage them to investigate Linux)."

McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database

timothy posted about 2 months ago | from the but-don't-say-they-didn't-ask dept.

Security 139

mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention of the site's policies, and did not require the data to be subsequently disseminated."

ACLU and EFF Endorse Weaker USA Freedom Act Passed By Committee

samzenpus posted about 2 months ago | from the dialing-it-back dept.

United States 107

First time accepted submitter sumakor (3571543) writes "The House Judiciary Committee has advanced a weakened version of the USA Freedom Act (HR3361). The amended compromise version allows collection of phone call records up to two hops away from a target, potentially including millions of customer records, and allows for collection without a judge's order in emergency cases. The amended bill also drops the requirement for a privacy advocate who can appeal the rulings of the Foreign Intelligence Surveillance Court and extends the controversial Section 215 of the Patriot Act from 2015 through 2017.

Despite these significant changes the amended bill has been endorsed by the ACLU and the EFF as a first step and the most promising path towards reining in government surveillance. The two organizations called for further Congressional measures to tighten control of surveillance authorities, including an explicit definition of the term 'selector,' a reduction in the number of hops from 2 to 1 under most circumstances, and closing the loophole that allows searches of Americans' data inadvertently collected through Section 702.

The bill now proceeds to the House Intelligence Committee, which has advanced its competing bill, the FISA Transparency and Modernization Act (HR 4291). The committee will mark up both bills on the same day, beginning at 10am Thursday, behind closed doors."
