We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!
stephendavion sends news that Christopher Wilson, a 22-year-old computer science student, has been sent to jail for six months for refusing to hand over his computer encryption passwords. Wilson has been accused of "phoning in a fake warning of an impending cyber attack against Northumbria Police that was convincing enough for the force to temporarily suspend its site as a precaution once a small attack started." He's also accused of trolling on Facebook. Wilson only came to the attention of police in October 2012 after he allegedly emailed warnings about an online threat against one of the staff at Newcastle University. ... The threatening emails came from computer servers linked to Wilson. Police obtained a warrant on this basis and raided his home in Washington, where they seized various items of computer equipment. ... Investigators wanted to examine his encrypted computer but the passwords supplied by Wilson turned out to be incorrect. None of the 50 passwords he provided worked. Frustration with his lack of co-operation prompted police to obtained a order from a judge compelling him to turn over the correct passphrase last year. A judge ordered him to turn over these passwords on the grounds of national security but Wilson still failed to comply, earning him six months behind bars.
redletterdave writes: The Tor Project has been sued in the state of Texas over a revenge porn website that used its free encrypted communications service. The plaintiff in the case — Shelby Conklin, a criminal justice major at the University of North Texas — alleges a revenge porn site called Pinkmeth "gained unauthorized access to nude photographs" she owned and posted them to the internet. She also said Tor, which The Economist once called "a dark corner of the web," was involved in an active "civil conspiracy" with Pinkmeth because the revenge porn website used the anonymous communications service to prevent others from tracking its location.
wiredmikey (1824622) writes The Operation Aurora attack was publicized in 2010 and impacted Google and a number of other high-profile companies. However, DHS responded to the request by releasing more than 800 pages of documents related to the 'Aurora' experiment conducted several years ago at the Idaho National Laboratory, where researchers demonstrated a way to damage a generator via a cyber-attack. Of the documents released by the DHS, none were related to the Operation Aurora cyber attack as requested. Many of the 840 pages are comprised of old weekly reports from the DHS' Control System Security Program (CSSP) from 2007. Other pages that were released included information about possible examples of facilities that could be vulnerable to attack, such as water plants and gas pipelines.
An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more.. personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."
ShaunC writes: Is there a glut of qualified American tech workers, or isn't there? Some companies like Facebook and Airbnb are now actively courting and recruiting high school students as young as 13 with promises of huge stipends and salaries. As one student put it, "It's kind of insane that you can make more than the U.S. average income in a summer." Another who attended a Facebook-sponsored trip said he'd "forego college for a full-time job" if it were offered. Is Silicon Valley taking advantage of naive young workers?
chicksdaddy writes: When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP. The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston, she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.
An anonymous reader writes "Today, CentOS project unveiled CentOS Linux 7 for 64 bit x86 compatible machines. CentOS conforms fully with Red Hat's redistribution policy and aims to have full functional compatibility with the upstream product released in last month. The new version includes systemd, firewalld, GRUB2, LXC, docker, xfs instead of ext4 filesystem by default. The Linux kernel updated to 3.10.0, support for Linux Containers, 3d graphics drivers out of the box, OpenJDK 7, support for 40G Ethernet cards, installations in UEFI secure Boot mode on compatible hardware and more. See the complete list of features here and here. You can grab this release by visiting the official mirror site or via torrents. On a related note there is also a CentOS Linux 7 installation screencast here."
mpicpp writes with a story about researchers who have developed a way to steal passwords using video-capturing devices.Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google's face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn't even need to be able to read the screen — meaning glare is not an antidote. The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode. They tested the algorithm on passwords entered on an Apple iPad, Google's Nexus 7 tablet, and an iPhone 5.
benrothke writes There is a not so fine line between data dashboards and other information displays that provide pretty but otherwise useless and unactionable information; and those that provide effective answers to key questions. Data-Driven Security: Analysis, Visualization and Dashboards is all about the later. In this extremely valuable book, authors Jay Jacobs and Bob Rudis show you how to find security patterns in your data logs and extract enough information from it to create effective information security countermeasures. By using data correctly and truly understanding what that data means, the authors show how you can achieve much greater levels of security. Keep reading for the rest of Ben's review.
Trachman writes The US Transport Security Administration revealed on Sunday that enhanced security procedures on flights coming to the US now include not allowing uncharged cell phones and other devices onto planes. “During the security examination, officers may also ask that owners power up some devices, including cell phones. Powerless devices will not be permitted on board the aircraft. The traveler may also undergo additional screening,” TSA said in a statement.
An anonymous reader writes in with the latest news about NSA spying from documents leaked by Edward Snowden. Ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from U.S. digital networks, according to a four-month investigation by The Washington Post. Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else. Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or "minimized," more than 65,000 such references to protect Americans' privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents."
chicksdaddy (814965) writes Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.
The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS's ICS CERT said it was alerted to compromises of the vendors' by researchers at the security firms Symantec and F-Secure. DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed "Havex" was being spread by way of so-called "watering hole" attacks that involved compromises of vendors web sites. According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
An anonymous reader writes "We all know somebody who changes jobs like changing clothes. In software development and IT, it's getting increasingly hard to find people who have been at their job for more than a few years. That's partly because of tech companies' bias for a young work force, and partly because talented people can write their own ticket in this industry. Thus, I put the question to you: how often should you be switching jobs? Obviously, if you find the perfect company (full of good people, doing interesting things, paying you well), your best bet is to stay. But that's not the reality for most of the workforce. Should you always be keeping an eye out for new jobs? Is there a length of time you should stick around so you don't look like a serial job-hopper? Does there come a point in life when it's best to settle down and stick with a job long term?"
As reported by the Sydney Morning Herald, NASA has given a green light to the production of a new motor, dubbed the Space Launch System, intended to enable deep space exploration. Boeing, prime contractor on the rocket, announced on Wednesday that it had completed a critical design review and finalized a $US2.8-billion contract with NASA. The last time the space agency made such an assessment of a deep-space rocket was the mighty Saturn V, which took astronauts to the moon. ... Space Launch System's design called for the integration of existing hardware, spurring criticism that it's a "Frankenstein rocket," with much of it assembled from already developed technology. For instance, its two rocket boosters are advanced versions of the Space Shuttle boosters, and a cryogenic propulsion stage is based on the motor of a rocket often used by the Air Force. The Space Frontier Foundation, an advocacy group and frequent NASA critic, said Space Launch System was "built from rotting remnants of left over congressional pork. And its budgetary footprints will stamp out all the missions it is supposed to carry, kill our astronaut program and destroy science and technology projects throughout NASA."
An anonymous reader writes We've been calling it for years — connect everything in your house to the internet, and people will find a way to attack it. This post provides a technical walkthrough of how internet-connected lighting systems are vulnerable to outside attacks. Quoting: "With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads. ... Monitoring packets captured from the mesh network whilst adding new bulbs, we were able to identify the specific packets in which the WiFi network credentials were shared among the bulbs. The on-boarding process consists of the master bulb broadcasting for new bulbs on the network. A new bulb responds to the master and then requests the WiFi details to be transferred. The master bulb then broadcasts the WiFi details, encrypted, across the mesh network. The new bulb is then added to the list of available bulbs in the LIFX smart phone application."
M-Saunders writes: Perl 6 has been in development since 2000. So why, 14 years later, hasn't it been released yet? Linux Voice caught up with Damian Conway, one of the architects of Perl 6, to find out what's happening. "Perl 6 has all of the same features [as Perl 5] but with the rough edges knocked off of them", he says. Conway also talks about the UK's Year of Code project, and how to get more people interested in programming.
mask.of.sanity writes Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids. Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with, but experts weren't sure if the technology could be used to locate individuals.
realized (2472730) writes "In nine cases in 2013, state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the U.S. court system on Wednesday. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases—and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero."
wiredmikey (1824622) writes "Security researchers have found a way to disable the protection systems provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a software tool designed to prevent vulnerabilities from being exploited by using various mitigation technologies. Others have managed to bypass EMET in the past, but researchers from Offensive Security have focused on disarming EMET, rather than on bypassing mitigations, as this method gives an attacker the ability use generic shellcodes such as the ones generated by Metasploit. The researchers managed to disarm EMET and get a shell after finding a global variable in the .data section of the EMET.dll file. Initially, they only managed to get a shell by executing the exploit with a debugger attached, due to EMET's EAF checks. However, they've succeeded in getting a shell outside the debugger after disarming EAF with a method described by security researcher Piotr Bania in January 2012. The researchers tested their findings on Windows 7, Internet Explorer 8 and EMET 4.1 update 1."
New submitter marxmarv writes If you search the web for communications security information, or read online tech publications like Linux Journal or BoingBoing, you might be a terrorist. The German publication Das Erste disclosed a crumb of alleged XKeyScore configuration, with the vague suggestion of more source code to come, showing that Tor directory servers and their users, and as usual the interested and their neighbor's dogs due to overcapture, were flagged for closer monitoring. Linux Journal, whose domain is part of a listed selector, has a few choice words on their coveted award. Would it be irresponsible not to speculate further?
An anonymous reader writes with this excerpt from TechDirt: Three years ago we wrote about how Austrian police had seized computers from someone running a Tor exit node. This kind of thing happens from time to time, but it appears that folks in Austria have taken it up a notch by... effectively now making it illegal to run a Tor exit node. According to the report, which was confirmed by the accused, the court found that running the node violated 12 of the Austrian penal code, which effectively says:"Not only the immediate perpetrator commits a criminal action, but also anyone who appoints someone to carry it out, or anyone who otherwise contributes to the completion of said criminal action." In other words, it's a form of accomplice liability for criminality. It's pretty standard to name criminal accomplices liable for "aiding and abetting" the activities of others, but it's a massive and incredibly dangerous stretch to argue that merely running a Tor exit node makes you an accomplice that "contributes to the completion" of a crime. Under this sort of thinking, Volkswagen would be liable if someone drove a VW as the getaway car in a bank robbery. It's a very, very broad interpretation of accomplice liability, in a situation where it clearly does not make sense.
wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."
the simurgh writes: As many who follow the Kim Dotcom saga know, New Zealand police seized his encrypted computer drives in 2012, copies of which were illegally passed to the FBI. Fast-forward to 2014: Dotcom wants access to the seized but encrypted content. A New Zealand judge has now ruled that even if the Megaupload founder supplies the passwords, the encryption keys cannot be forwarded to the FBI.
jfruh (300774) writes Tech writer Tyler Hayes had never come close to hitting the 250 GB monthly bandwidth cap imposed by Cox Cable — until suddenly he was blowing right through it, eating up almost 80 GB a day. Using the Mac network utility little snitch, he eventually tracked down the culprit: a screensaver on his new Kindle Fire TV. A bug in the mosaic screensaver caused downloaded images to remain uncached.
New submitter Aryeh Goretsky writes: The IEEE Standards Assocation has launched an Anti-Malware Support Service to help the computer security industry respond more quickly to malware. The first two services available are a Clean file Metadata Exchange (PDF), to help prevent false positives in anti-malware software, and a Taggant System (PDF) to help prevent software packers from being abused. Official announcement is available at the offical website."
MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products: As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (gnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.
An anonymous reader writes In a post published Monday, Symantec writes that western countries including the U.S., Spain, France, Italy, Germany, Turkey, and Poland are currently the victims of an ongoing cyberespionage campaign. The group behind the operation, called Dragonfly by Symantec, originally targeted aviation and defense companies as early as 2011, but in early 2013, they shifted their focus to energy firms. They use a variety of malware tools, including remote access trojans (RATs) and operate during Eastern European business hours. Symantec compares them to Stuxnet except that "Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."
Vigile (99919) writes "As SSD controllers continue to evolve, so does the world of flash memory. With the release of the Samsung 850 Pro SSD announced today, Samsung is the first company to introduce 3D NAND technology to the consumer. By using 30nm process technology that might seem dated in some applications, Samsung has been reliably able to stack lithography and essentially "tunnel holes" in the silicon while coating the inside with the material necessary to hold a charge. The VNAND being used with the Samsung 850 Pro is now 32 layers deep, and though it lowers the total capacity per die, it allows Samsung to lower manufacturer costs with more usable die per wafer. This results in more sustainable and reliable performance as well as a longer life span, allowing Samsung to offer a 10 year warranty on the new drives. PC Perspective has a full review with performance results and usage over time that shows Samsung's innovation is leading the pack."
An anonymous reader writes For some reason that escapes me, a Judge has granted Microsoft permission to hijack NoIP's DNS. This is necessary according to Microsoft to thwart a "global cybercrime epidemic" being perpetrated by infected machines running Microsoft software. No-IP is a provider of dynamic DNS services (among other things). Many legitimate users were affected by the takedown: "This morning, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives. ... We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening."
tsu doh nimh writes In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. Some anti-spam experts who worked very closely on Canada's Anti-Spam Law (CASL) say they are baffled by Microsoft's response to a law which has been almost a decade in the making. Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide "warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased." Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.
Ars Technica has spent some time with pre-production (but very nearly final) samples of the Blackphone, from Geeksphone and Silent Circle. They give it generally high marks; the hardware is mostly solid but not cutting edge, but the software it comes with distinguishes it from run-of-the-mill Android phones. Though it's based on Android, the PrivOS system in these phone offers fine grained permissions, and other software included with the phone makes it more secure both if someone has physical access to the phone (by encrypting files, among other things) and if communications between this phone and another are being eavesdropped on. A small taste: At first start up, Blackphone’s configuration wizard walks through getting the phone configured and secured. After picking a language and setting a password or PIN to unlock the phone itself, the wizard presents the option of encrypting the phone’s stored data with another password. If you decline to encrypt the phone’s mini-SD storage during setup, you’ll get the opportunity later (and in the release candidate version of the PrivOS we used, the phone continued to remind me about that opportunity each time I logged into it until I did). PrivOS’ main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app’s access to the camera hardware and turn off the Browser app’s access to networks.
New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)
MojoKid (1002251) writes LG is probably getting a little tired of scraping for brand recognition versus big names like Samsung, Apple and Google. However, the company is also taking solace in the fact that their smartphone sales figures are heading for an all-time high in 2014, with an estimated 60 million units projected to be sold this year. LG's third iteration of their popular "G" line of flagship smartphones, simply dubbed the LG G3, is the culmination of all of the innovation the company has developed in previous devices to date, including its signature rear button layout, and a cutting-edge 5.5-inch QHD display that drives a resolution of 2560X1440 with a pixel density of 538 PPI. Not satisified with pixel overload, LG decide to equip their new smartphone with 'frickin' laser beams' to assist its 13MP camera in targeting subjects for auto-focus. The G3 performs well in the benchmarks with a Snapdragon 801 on board and no doubt its camera takes some great shots quickly and easily. However, it's questionable how much of that super high res 2560 display you can make use of on a 5.5-inch device.
mpicpp (3454017) writes Apple told news website The Loop that it has decided to abandon Aperture, its professional photo-editing software application. "With the introduction of the new Photos app and iCloud Photo Library, enabling you to safely store all of your photos in iCloud and access them from anywhere, there will be no new development of Aperture," Apple said in a statement to The Loop. "When Photos for OS X ships next year, users will be able to migrate their existing Aperture libraries to Photos for OS." The new Photos app, which will debut with OS X Yosemite when it launches this fall, will also replace iPhoto. It promises to be more intuitive and user friendly, but as such, likely not as full featured as what Aperture currently offers.
NotInHere (3654617) writes In 1996, Markus F. X. J. Oberhumer wrote an implementation of the Lempel–Ziv compression, which is used in various places like the Linux kernel, libav, openVPN, and the Curiosity rover. As security researchers have found out, the code contained integer overflow and buffer overrun vulnerabilities, in the part of the code that was responsible for processing uncompressed parts of the data. Those vulnerabilities are, however, very hard to exploit, and their scope is dependent on the actual implementation. According to Oberhumer, the problem only affects 32-bit systems. "I personally do not know about any client program that actually is affected", Oberhumer sais, calling the news about the possible security issue a media hype.
jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."
McGruber (1417641) writes In December 2013, Slashdot reported the arrest of seven metro Atlanta residents for allegedly selling counterfeit MARTA Breeze cards, stored-value smart cards that passengers use as part of an automated fare collection system on Atlanta's subway. Now, six months later (June 2014), the seven suspects have finally been indicted. According to the indictment, the co-conspirators purchased legitimate Breeze cards for $1, then fraudulently placed unlimited or monthly rides on the cards. They then sold the fraudulent cards to MARTA riders for a discounted cash price. Distributors of the fraudulent cards were stationed at several subway stations. The indictment claims that the ring called their organization the "Underground Railroad."
An anonymous reader writes As the support for the Microsoft (MS) Windows XP service is terminated this year, the government will try to invigorate open source software in order to solve the problem of dependency on certain software. By 2020 when the support of the Windows 7 service is terminated, it is planning to switch to open OS and minimize damages. Industry insiders pointed out that the standard e-document format must be established and shared as an open source before open source software is invigorated. A similar suggestion that Korea might embrace more open source (but couched more cautiously, with more "should" and "may") is reported on the news page of the EU's program on Interoperability Solutions for European Public Administrations, based on a workshop presentation earlier this month by Korea's Ministry of Science, ICT, and Future Planning. (And at a smaller but still huge scale, the capitol city of Seoul appears to be going in for open source software in a big way, too.)
New submitter outofluck70 (1734164) writes Got an email today from Microsoft, text is below. [Note: text here edited for formatting and brevity; see the full text at seclists.org.] They are no longer going to send out emails regarding patches, you have to use RSS or keep visiting their security sites. They blame "governmental policies" as the reason. What could the real reason be? Anybody in the know? From the email: "Notice to IT professionals: As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following: Security bulletin advance notifications; Security bulletin summaries; New security advisories and bulletins; Major and minor revisions to security advisories and bulletins. In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website." WindowsIT Pro blames Canada's new anti-spam law.
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
Trailrunner7 (1100399) writes ... Security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones, and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops. The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so. The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt's Fifth Amendment rights. The ruling.
Last fall, Newegg lost a case against patent troll TQP for using SSL with RC4, despite arguments from Diffie of Diffie-Hellman key exchange. Intuit was also targeted by a lawsuit for infringing the same patent, and they were found not to be infringing. mpicpp (3454017) sends this excerpt from Ars: U.S. Circuit Judge William Bryson, sitting "by designation" in the Eastern District of Texas, has found in a summary judgment ruling (PDF) that the patent, owned by TQP Development, is not infringed by the two defendants remaining in the case, Intuit Corp. and Hertz Corp. In a separate ruling (PDF), Bryson rejected Intuit's arguments that the patent was invalid. Not a complete victory (a clearly bogus patent is still not invalidated), but it's a start.
angry tapir writes The Australian government has indicated it intends to seek a boost to the powers of Australia's spy agencies, particularly ASIO (the Australian Security Intelligence Organization). The attorney-general told the Senate today that the government would introduce legislation based on recommendations of a parliamentary committee that last year canvassed "reforms" including boosting ASIO's power to penetrate third party computer systems to intercept communications to and from a target. That report also covered other issues such as the possibility of introducing a mandatory data retention scheme for ISPs and telcos.
cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.
itwbennett writes: A group of researchers from Google, the Hong Kong University of Science and Technology and the University of Nebraska undertook a study of over 26 million builds by 18,000 Google engineers from November 2012 through July 2013 to better understand what causes software builds to fail and, by extension, to improve developer productivity. And, while Google isn't representative of every developer everywhere, there are a few findings that stand out: Build frequency and developer (in)experience don't affect failure rates, most build errors are dependency-related, and C++ generates more build errors than Java (but they're easier to fix).
chicksdaddy (814965) writes "According to DUO, PayPal's mobile app doesn't yet support Security Key and displays an error message to users with the feature enabled when they try to log in to their PayPal account from a mobile device, terminating their session automatically. However, researchers at DUO noticed that the PayPal iOS application would briefly display a user's account information and transaction history prior to displaying that error message and logging them out. ... The DUO researchers investigated: intercepting and analyzing the Web transaction between the PayPal mobile application and PayPal's back end servers and scrutinizing how sessions for two-factor-enabled accounts versus non-two-factor-enabled accounts were handled. They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client — not on the server." The attack worked simply by intercepting a server response and toggling a flag (2fa_enabled) from true to false. After being alerted, PayPal added a workaround to limit the scope of the hole. Update: 06/26 00:42 GMT by T : (Get the story straight from the source: Here's the original report from DUO.)
Google I/O, the company's annual developer tracking^wdevelopers conference, has opened today in San Francisco. This year the company has reduced the number of conference sessions to 80, but also promised a broader approach than in previous years -- in other words, there may be a shift in focus a bit from Google's best known platforms (Chrome/Chrome OS and Android). Given its wide-ranging acquisitions and projects (like the recent purchase of Nest, which itself promptly bought Dropcam, the ever smarter fleet of self-driving cars, the growing number of Glass devices in the wild, and the announcement of a 3D scanning high end tablet quite unlike the Nexus line of tablets and phones), there's no shortage of edges to focus on. Judging from the booths set up in advance of the opening (like one with a sign announcing "The Physical Web," expect some of the stuff that gets lumped into "the Internet of Things." Watch this space -- updates will appear below -- for notes from the opening keynote, or follow along yourself with the live stream, and add your own commentary in the comments. In the days to come, watch for some video highlights of projects on display at I/O, too. Update: 06/25 17:41 GMT by T : Updates rolling in below on Android, wearables, Android in cars, Chromecast, smart watches, etc.Keep checking back! (Every few minutes, I get another chunk in there.)
An anonymous reader writes The experts at Kaspersky Lab have discovered evidence of a targeted attack against the clients of a large European bank. According to the logs found in the server used by the attackers, apparently in the space of just one week cybercriminals stole more than half a million euros from accounts in the bank. The experts also detected transaction logs on the server, containing information about which sums of money were taken from which accounts. All in all, more than 190 victims could be identified, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged between 1,700 to 39,000 euros.
An anonymous reader writes Work/life balance is a constant problem in the tech industry. Even though experienced and mature engineers have been vocal in fighting it, every new generation buys into the American cultural identity of excessive work being a virtue. Each generation suffers for it, and the economy does, too. This article backs up that wisdom with hard numbers: "The 40-hour workweek is mostly a thing of the past. Ninety-four percent of professional workers put in 50 or more hours, and nearly half work 65 or above. All workers have managed to cut down on our time on the job by 112 hours over the last 40 years, but we're far behind other countries: The French cut down by 491 hours, the Dutch by 425, and Canadians by 215 in the same time period. ... This overwork shows up in our sleep. Out of five developed peers, four other countries sleep more than us. That has again worsened over the years. In 1942, more than 80 percent of Americans slept seven hours a night or more. Today, 40 percent sleep six hours or less. A lack of sleep makes us poorer workers: People who sleep less than seven hours a night have a much harder time concentrating and getting work done."