redletterdave (2493036) writes: TweetDeck, Twitter's tool for real-time tracking and engagement of posts, was found to be vulnerable to cross-site scripting (XSS), a type of computer vulnerability commonly found in web applications that allows hackers to inject script into webpages to access user accounts and important security information. As a result of the hack, a tweet with an emoticon heart is being shared more than 38,000 times — automatically.
capedgirardeau writes: An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users. For example, the SMS permissions group would allow an app access to both reading and sending SMS messages. The problem is that once an app has access to the group of permissions, it can make use of any of the allowed actions at any time without ever informing the user. As Google explains: "It's a good idea to review permissions groups before downloading an app. Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted."
Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and are even used by Twitter, Google and Facebook."
angry tapir writes: All bits running over the Internet are not equal and should not be treated that way by broadband providers, despite net neutrality advocates' calls for traffic neutral regulations, Cisco Systems has said. Some Web-based applications, including rapidly growing video services, home health monitoring and public safety apps, will demand priority access to the network, while others, like most Web browsing and email, may live with slight delays, said Jeff Campbell, Cisco's vice president for government and community relations. "Different bits do matter differently. We need to ensure that we have a system that allows this to occur."
schwit1 tips a post by Brian Krebs saying that P.F. Chang's China Bistro, a nationwide restaurant chain, is the latest victim of a massive data breach. The company is currently investigating. Krebs writes: On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang's locations between the beginning of March 2014 and May 19, 2014. ... The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.
The message that TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
Reader Bruce66423 (1678196) points out skeptical-sounding coverage at the Washington Post of the NSA's claim that it can't hold onto information it collects about users' online activity long enough for it to be useful as evidence in lawsuits about the very practice of that collection. From the article: 'The agency is facing a slew of lawsuits over its surveillance programs, many launched after former NSA contractor Edward Snowden leaked information on the agency's efforts last year. One suit that pre-dates the Snowden leaks, Jewel v. NSA, challenges the constitutionality of programs that the suit alleges collect information about Americans' telephone and Internet activities. In a hearing Friday, U.S. District Judge for the Northern District of California Jeffrey S. White reversed an emergency order he had issued earlier the same week barring the government from destroying data that the Electronic Frontier Foundation had asked be preserved for that case. The data is collected under Section 702 of the Amendments Act to the Foreign Intelligence Surveillance Act. But the NSA argued that holding onto the data would be too burdensome. "A requirement to preserve all data acquired under section 702 presents significant operational problems, only one of which is that the NSA may have to shut down all systems and databases that contain Section 702 information," wrote NSA Deputy Director Richard Ledgett in a court filing submitted to the court. The complexity of the NSA systems meant preservation efforts might not work, he argued, but would have "an immediate, specific, and harmful impact on the national security of the United States."' Adds Bruce66423: "This of course implies that they have no backup system — or at least that the backups are not held for long."
jones_supa (887896) writes 'Since the release of the extremely successful Grand Theft Auto V on PlayStation 3 and Xbox 360, rumors about a PC — and later also Xbox One and PlayStation 4 — version have been floating around. Now it's official: Grand Theft Auto V will be released on Windows PC and Xbox One, in addition to PlayStation 4, this fall, publisher Rockstar Games announced today with a trailer. A post on Rockstar Newswire tells us that the ports will offer visual and technical improvements such as "increased draw distances, finer texture details, denser traffic and enhanced resolutions." All of the new GTA Online content that has been created and released since launch will also be available on the modern platforms. The PC version will exclusively include a video editor to allow players to put together their own clips of in-game action.'
hypnosec (2231454) writes 'Starting today businesses and individuals in the UK will be able to register a new national web address (".uk") and drop their existing ".co.uk" or ".com" suffix in favour of a shorter and snappier domain name. The entire process along with the transition is being overseen by private yet not-for-profit organisation Nominet, which has already started notifying existing customers with a ".co.uk" domain of their chance to adopt a ".uk" domain. Nominet will reserve all ".uk" domain names which already have ".co.uk" counterparts for the next five years, offering registrants the chance to adopt the new domain and to keep cybersquatters at bay.'
schwit1 (797399) writes 'It wasn't touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy. As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize the MAC address, effectively disguising any trace of the real device until it decides to connect to a network.'
An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operator's manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"
An anonymous reader writes "Ex-KGB Major Boris Karpichko says that spies from Russia's SVR intelligence service, posing as diplomats in Hong Kong, convinced Snowden to fly to Moscow last June. 'It was a trick and he fell for it,' Karpichko, who reached the rank of Major as a member of the KGB's prestigious Second Directorate while specializing in counter-intelligence, told Nelson. 'Now the Russians are extracting all the intelligence he possesses.'"
An anonymous reader writes "In a lull between product launches Tesla intends to keep making improvements to the Model S according to Elon Musk. Tesla will automatically push software to the Model S fleet that will help the car learn the driver's habits and the navigation system will offer directions to avoid traffic jams. 'This year, Tesla is offering only the single model, the Model S that is EPA rated at up to 265 miles on a single charge, the most of any electric car. The company's next model won't come until next year, when the delayed Model X crossover goes on sale. Musk says the holdup has centered on making sure its signature design element, gullwing doors to make it easier to get in the rear, works properly and is leak-proof. "Getting the door right is extremely difficult," he says.'"
JonZittrain (628028) writes "I'm curious whether there are good prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions — such as the passage of time — are met. Libraries and archives could offer such technology as part of accepting papers and manuscripts, especially in the wake of the 'Belfast Project' situation, where a library promised confidentiality for accounts of the Troubles in Northern Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely. Some suggested solutions are very much out of the box."
msm1267 (2804139) writes "If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies' IT organizations should be aware of: IPMI. Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.
Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore. Farmer released a paper called 'Sold Down the River,' in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit."
An anonymous reader writes "Researchers from Columbia University's Network Security Lab discovered a flaw affecting millions of Smart TVs supporting the HbbTV standard. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to interact with any website on their behalf — Academic paper available online."
An anonymous reader writes 'Earlier this month, at least three U.S. states reported that a hacker had broken into electronic road signs above major highways, with the hacker leaving messages for people to follow him on Twitter. The Multi-State Information Sharing and Analysis Center (MS-ISAC) produced an intelligence report blaming a Saudi Arabian hacker that the organization says likely got the idea from Watch Dogs, a new video game in which game play revolves around "hacking," with a focus on hacking critical infrastructure-based electronic devices in particular. "Watch Dogs allows players to hack electronic road signs, closed-circuit television cameras (CCTVs), street lights, cell phones and other systems. On May 27, 2014, the malicious actor posted an image of the game on his Twitter feed, demonstrating his interest in the game, and the compromise of road signs occurs during game play. CIS believes it is likely that a small percentage of Watch Dogs players will experiment with compromising computers and electronic systems outside of game play, and that this activity will likely affect SSLT [state, local, tribal and territorial] government systems and Department of Transportation (DOT) systems in particular." The signs allowed telnet and were secured with weak or default passwords. The report came out on the same day that the Homeland Security Department cautioned transportation operators about a security hole in some electronic freeway billboards that could let hackers display bogus warnings to drivers.'
mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]"
Vigile (99919) writes "Since the introduction of Intel's Ivy Bridge processors there was a subset of users that complained about the company's change of thermal interface material between the die and the heat spreader. With the release of the Core i7-4790K, Intel is moving to a polymer thermal interface material that claims to improve cooling on the Haswell architecture, along with the help of some added capacitors on the back of the CPU. Code named Devil's Canyon, this processor boosts stock clocks by 500 MHz over the i7-4770K all for the same price ($339) and lowers load temperatures as well. Unfortunately, in this first review at PC Perspective, overclocking doesn't appear to be improved much."
CowboyRobot writes: 'In ACM's Queue, Thomas Wadlow argues that "Whom you trust, what you trust them with, and how much you trust them are at the center of the Internet today." He gives a checklist of what to look for when evaluating any system for trustworthiness, chock full of fascinating historical examples. These include NASA opting for a simpler, but more reliable chip; the Terry Childs case; and even an 18th century "semaphore telegraph" that was a very early example of steganographic cryptography. From the article: "Detecting an anomaly is one thing, but following up on what you've detected is at least as important. In the early days of the Internet, Cliff Stoll, then a graduate student at Lawrence Berkeley Laboratories in California, noticed a 75-cent accounting error on some computer systems he was managing. Many would have ignored it, but it bothered him enough to track it down. That investigation led, step by step, to the discovery of an attacker named Markus Hess, who was arrested, tried, and convicted of espionage and selling information to the Soviet KGB."'
Daniel_Stuckey (2647775) writes 'A year after leaked files exposed the National Security Agency's efforts to spy on citizens and companies in Brazil, previously unpublished chat logs obtained by Motherboard reveal that while under the FBI's supervision, Hector Xavier Monsegur, widely known by his online persona, "Sabu," facilitated attacks that affected Brazilian websites. The operation raises questions about how the FBI uses global Internet vulnerabilities during cybercrime investigations, how it works with informants, and how it shares information with other police and intelligence agencies.
After his arrest in mid-2011, Monsegur continued to organize cyber attacks while working for the FBI. According to documents and interviews, Monsegur passed targets and exploits to hackers to disrupt government and corporate servers in Brazil and several other countries. Details about his work as a federal informant have been kept mostly secret, aired only in closed-door hearings and in redacted documents that include chat logs between Monsegur and other hackers. The chat logs remain under seal due to a protective order upheld in court, but in April, they and other court documents were obtained by journalists at Motherboard and the Daily Dot.'
Today, as the EFF notes, marks one year from Edward Snowden's first document leaks, and the group is using that as a good spur to install free software intended to make it harder for anyone (the NSA is certainly not the first, and arguably far from the worst) to spy on your electronic communications. Nowadays, that means nearly everything besides face-to-face communication, or paper shipped through the world's postal systems. Reader gnujoshua (540710) highlights one of the options: 'The FSF has published a (rather beautiful) infographic and guide to encrypting your email using GnuPG. In their blog post announcing the guide they write: "One year ago today, an NSA contractor named Edward Snowden went public with his history-changing revelations about the NSA's massive system of indiscriminate surveillance. Today the FSF is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder."' Serendipitous timing: a year and a day ago, we mentioned a UN report that made explicit the seemingly obvious truth that undue government surveillance, besides being an affront in itself, chills free speech. (Edward Snowden agrees.)
MojoKid (1002251) writes 'Microsoft confirmed a development rumor that's been swirling around its next-generation console ever since it announced Kinect would become an optional add-on rather than a mandatory boat anchor. Lifting that requirement will give game developers 10 percent additional graphics power to play with and help close the gap between the Xbox One and PS4. The story kicked off when Xbox head Phil Spencer tweeted that June's Xbox One dev kit gave devs access to more GPU bandwidth. Further, another Microsoft representative then confirmed that the performance improvement coming in the next version of the Xbox SDK was the result of making Kinect an optional accessory. No matter how Microsoft may try to spin it, cancelling Kinect isn't just a matter of giving game developers freedom, it's a tacit admission that game developers have no significant projects in play that are expected to meaningfully tap Kinect to deliver a great game experience — and they need those GPU cycles back.' Also on the Xbox capabilities front: Reader BogenDorpher (2008682) writes 'In August of last year, a Microsoft spokesman confirmed that the Xbox One controller will be compatible for PC users sometime in 2014. That time has finally come. Windows gamers can now use the Xbox One controller to play games on their computer. If a game supports a USB gamepad or the Xbox 360 controller, it will also support the Xbox One controller.'
Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'
Maddog Batty (112434) writes 'The fine people at the NASA Space Flight Forum are making good progress on restoring the corrupted landing video reported earlier. It's worth looking at the original video to see how bad it was and then at the latest restored video. It is now possible to see the legs being deployed, the sea coming closer and a big flame ball as the rocket plume hits the water. An impressive improvement so far, and it is still being actively worked on so further refinements are likely.' Like Maddog Batty, I'd suggest watching the restored version first (note: the video is lower on the page), to see just what a big improvement's been made so far.
Bismillah (993337) writes "The British government wants life in prison for hackers who cause disruption to computer networks, resulting in loss of life or threat to the country's national security. From the article: 'The UK government will seek to amend the 1990 Computer Misuse Act "to ensure sentences for attacks on computer systems fully reflect the damage they cause." Currently, the law provides for a maximum sentence of ten years' imprisonment for those who commit the offence of impairing a computer. A new, aggravated offence of unauthorised access to a computer will be introduced into the Computer Misuse Act by the government, carrying far longer sentences.'"
An anonymous reader writes "Computer security experts from academia, industry and the larger security community have organized themselves into more than 30 teams to compete in DARPA's Cyber Grand Challenge, a tournament designed to speed the development of automated security systems able to defend against cyberattacks as fast as they are launched. The Challenge plans to follow a 'capture the flag' competition format that experts have used for more than 20 years to test their cyber defense skills. The winning team from the CGC finals stands to receive a cash prize of $2 million. Second place can earn $1 million and third place $750,000."
itwbennett writes: "Three U.S. tech worker groups have launched a labor boycott of IBM, Infosys and Manpower, saying the companies have engaged in a pattern that discourages U.S. workers from applying for U.S. IT jobs by tailoring employment ads toward overseas workers. For its part, Infosys disputed the charges, saying that 'it is incorrect to allude that we exclude or discourage U.S. workers. Today, we are recruiting for over 440 active openings across 20 states in the U.S.' Representatives from IBM and Manpower didn't respond to requests for comment on the boycott."
A new flaw has been discovered in the GnuTLS cryptographic library that ships with several popular Linux distributions and hundreds of software implementations. According to the bug report, "A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code." A patch is currently available, but it will take time for all of the software maintainers to implement it. A lengthy technical analysis is available. "There don't appear to be any obvious signs that an attack is under way, making it possible to exploit the vulnerability in surreptitious 'drive-by' attacks. There are no reports that the vulnerability is actively being exploited in the wild."
Nicola Hahn (1482985) writes "Though the Review Board at DEF CON squelched Bill Blunden's presentation on Chinese cyber-espionage, and the U.S. government has considered imposing visa restrictions to keep out Chinese nationals, Bill has decided to post both the presentation's slide deck and its transcript online. The talk focuses on Mike Rogers, in all his glory, a former FBI agent who delivers a veritable litany of hyperbolic misstatements (likely to be repeated endlessly on AM radio). Rather than allow the DEFCON Review Board to pass judgement as supposed .gov 'experts,' why not allow people to peruse the material and decide for themselves who is credible and who is not?" "Squelched" seems a little harsh (only so many talks can fit, and there's no accounting for taste), but it's certainly good to see any non-accepted DEF CON presentations made public.
MojoKid (1002251) writes "Last year, Intel launched two new processor families based on the Haswell and Ivy Bridge-E based Core i7 architecture. Both chips were just incremental updates over their predecessors. Haswell may have delivered impressive gains in mobile, but it failed to impress on the desktop where it was only slightly faster than the chip it replaced. Enthusiasts weren't terribly excited about either core but Intel is hoping its new Devil's Canyon CPU, which launches today, will change that. The new chip is the Core i7-4790K and it packs several new features that should appeal to the enthusiast and overclocking markets. First, Intel has changed the thermal interface material from the paste it used in the last generation over to a new Next Generation Polymer Thermal Interface Material, or as Intel calls it, 'NGPTIM.' Moving Haswell's voltage regulator on-die proved to be a significant problem for overclockers since it caused dramatic heat buildup that was only exacerbated by higher clock speeds. Overclockers reported that removing Haswell's lid could boost clock speeds by several hundred MHz. The other tweak to the Haswell core is a great many additional capacitors, which have been integrated to smooth power delivery at higher currents. This new chip gives Haswell a nice lift. If the overclocking headroom delivers on top of that, enthusiasts might be able to hit 4.7-4.8GHz on standard cooling."
cartechboy (2660665) writes "Tesla won't reveal its production figures every quarter, but it has now likely built about 50,000 all-electric Model S luxury sport sedans. Unlike other automakers, Tesla doesn't group its changes to a model year; rather, it makes running changes to cars whenever updates are tested, validated, and ready to roll out. Which raises the question: are model year 2012 Model S sedans already outdated? The answer is it depends how you look at it. From a powertrain perspective, no. There are still two battery-size options and the shape is still the same. But under the surface of the car there are a surprising number of updates and new options. Not including software changes (of which there are dozens already pushed to the car), changes range from power folding mirrors and a new cold-weather package (which cannot be retrofitted) to a new ultra-high-fidelity sound package and three-zone, three-mode rear seat heaters. It's worth noting that none of these are mandatory changes — they are merely options that have been added to the roster of available equipment."
Daniel_Stuckey (2647775) writes "A hacker group from the Middle East known as Molerats attacked a wide range of major public sector organizations over April and May, including the BBC and a smattering of European governments, researchers revealed today. The latest attacks, which sought to establish espionage operations on targets' digital infrastructure, took place between 29 April and 27 May, according to security technology vendor FireEye. The Molerats' actions have added weight to concerns around growing cyber capability stemming from the Middle East. Yet researchers are somewhat perplexed as to the motivation of the perpetrators, whose targets included both Israel and Palestine, as well as Turkey, Slovenia, Macedonia, New Zealand and Latvia. The hackers also went after government bodies in the U.S. and the UK."
msm1267 (2804139) writes "A cryptanalysis of TrueCrypt will proceed as planned, said organizers of the Open Crypto Audit Project who announced the technical leads of the second phase of the audit and that there will be a crowdsourcing aspect to phase two. The next phase of the audit, which will include an examination of everything including the random number generators, cipher suites, crypto protocols and more, could be wrapped up by the end of the summer."
snydeq (1272828) writes "Insecure by design and trusted by default, embedded systems present security concerns that could prove crippling if not addressed by fabricators, vendors, and customers alike, InfoWorld reports. Routers, smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones — 'the trend toward systems and devices that, once deployed, stubbornly "keep on ticking" regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations. This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of — or hostile to — change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.'"
DroidJason1 (3589319) writes "Microsoft recently announced plans to reintroduce the Start Menu to Windows in an upcoming version of the operating system. While the plan was to roll out an update to Windows 8.1 and offer the Start menu later this year, it seems like this is no longer the case. Now Microsoft is reportedly looking to release the Start Menu with Windows 9, which is expected in April of 2015. Windows 8 and Windows 8.1 have faced a boatload of criticism and hatred, partly due to the removal of the Start button and Start menu. The restoration of a visible Start button on the taskbar was one of the key features of the Windows 8.1 update, released back in October of 2013."
tsu doh nimh (609154) writes "The U.S. Justice Department announced today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and that the botnet is responsible for more than $100 million in losses from online banking account takeovers. The government alleges that Gameover also was rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes. In a complaint unsealed today, the DOJ further alleges that ZeuS and Gameover are the brainchild of a Russian man named Evgeniy Mikhailovich Bogachev, a.k.a. 'Slavik.'"
wiredmikey (1824622) writes "While most organizations have patched the Heartbleed bug in their OpenSSL installations, a security expert has uncovered new vectors for exploiting the vulnerability, which can impact enterprise wireless networks, Android devices, and other connected devices. Dubbed 'Cupid,' the new attack method was recently presented by Portuguese security researcher Luis Grangeia, who debunked theories that Heartbleed could only be exploited over TCP connections, and after the TLS handshake. Unlike the initial Heartbleed attack, which took place on TLS connections over TCP, the Cupid attack happens on TLS connections over the Extensible Authentication Protocol (EAP), an authentication framework typically used in wireless networks and peer-to-peer connections.
The researcher has confirmed that default installations of wpa_supplicant, hostapd, and freeradius (a RADIUS server implementation) can be exploited on Ubuntu if a vulnerable version of OpenSSL is utilized. Mobile devices running Android 4.1.0 and 4.1.1 also use wpa_supplicant to connect to wireless networks, so they're also affected. Everything that uses OpenSSL for EAP TLS is susceptible to Cupid attacks. While he hasn't been able to confirm it, the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected."
An anonymous reader writes "Here on Slashdot we sometimes see questions about how to get IT jobs while having little experience, changing from one specialty to another, or being (gasp) middle aged. And, we see comments that bemoan various aspects of IT work and express a desire to do something entirely different. This is what I'm wondering about, and I thought I'd put my questions to Ask Slashdot. Has anyone successfully applied their years of IT experience to other lines of work? Is the field that you moved on to entirely unrelated, or is there a more substantial link to your new (but clearly not IT) role?"
X10 (186866) writes "I use TrueCrypt, but recently someone pointed me to the SourceForge page of TrueCrypt that says it's out of business. I found the message weird, but now there's an explanation: TrueCrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
First time accepted submitter Jim Efaw (3484) writes "Tired of the OpenDNS Guide surprise from website-unavailable.com when you go to an old link or a typo from some ISPs? Relief is at hand: On June 6, 2014, OpenDNS will stop redirecting dead hostnames to Guide and its ads; the OpenDNS Guide itself will shut down sometime afterwards. OpenDNS nameservers will start returning normal NXDOMAIN and SERVFAIL messages instead. Phishing protection and optional parental controls will still stay in place."
miller60 (554835) writes "Citing strong demand from cryptocurrency miners, data center and colocation providers are beginning to accept Bitcoin as payment for large chunks of data center space. It's a sign that the data center industry sees an emerging opportunity in catering to the hosting needs of crypto miners, who typically seek high-density space with cheap power. While many web hosting companies accept Bitcoin, larger data center players have been slower to embrace cryptocurrency. Utah-based C7 Data Centers says it's accepting Bitcoin because of surging demand. The Utah-based company says it now hosts about 4.5 megawatts of mining gear, just down the road from the NSA data center." On-topic: Dish Networks has recently become the biggest company to accept Bitcoins.
An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."
An anonymous reader writes "When Glenn Greenwald's book came out recently, one of the most startling revelations was that the NSA has been intercepting shipments of networking gear to add spyware. Cisco was one of the vendors whose gear was altered, and now their shipping provider has spoken up about it: 'UPS, which Cisco has used since 1997 to ship hardware to customers around the world, said on Thursday that it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law. "UPS' long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests," UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments." In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.' That sounds like carefully parsed language to me. 'Did not voluntarily,' 'unless it is required to do so by law.' Perhaps they're bound by a National Security Letter?"
First time accepted submitter wheelbarrio (1784594) writes with this news from the Economist: "Inspired by the natural resistance offered to pathogens by genetically diverse host populations, Dr Michael Franz at UCI suggests that common software be similarly hardened against attack by generating a unique executable for each install. It sounds like a cute idea, although the article doesn't provide examples of what kinds of diversity are possible whilst maintaining the program logic, nor what kind of attacks would be prevented with this approach." This might reduce the value of MD5 sums, though.
Trailrunner7 (1100399) writes "Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project. The CII is backed by a who's who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP, Huawei and Salesforce.com have joined the CII and will provide financial backing. Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites."
Several readers sent word that the website for TrueCrypt, the popular disk encryption system, says that development has ended, and Windows users should switch to BitLocker. A notice on the site reads, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. ... You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." It includes a link to a new version of TrueCrypt, 7.2, and provides instructions on how to migrate to BitLocker. Many users are skeptical, suspecting a site defacement, and there's been no corroborating post or communication from the maintainers. However, the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases. A source code diff of the two versions has been posted, and the new release appears to simply remove much of what the software was designed to do. It also warns users away from relying on it for security. (The people doing an audit of TrueCrypt had promised a 'big announcement' soon, but that was coincidental.) Security experts are warning users to avoid the new version until the situation can be verified.