Ode To Sound Blaster: Are Discrete Audio Cards Still Worth the Investment?

timothy posted about three weeks ago | from the won't-fit-in-my-phone dept.

Music 502

MojoKid (1002251) writes "Back in the day (which is a scientific measurement for anyone who used to walk to school during snowstorms, uphill, both ways), integrated audio solutions had trouble earning respect. Many enthusiasts considered a sound card an essential piece to the PC building puzzle. It's been 25 years since the first Sound Blaster card was introduced, a pretty remarkable feat considering the diminished reliance on discrete audio in PCs, in general. These days, the Sound Blaster ZxR is Creative's flagship audio solution for PC power users. It boasts a signal-to-noise (SNR) of 124dB that Creative claims is 89.1 times better than your motherboard's integrated audio solution. It also features a built-in headphone amplifier, beamforming microphone, a multi-core Sound Core3D audio processor, and various proprietary audio technologies. While gaming there is no significant performance impact or benefit when going from onboard audio to the Sound Blaster ZxR. However, the Sound Blaster ZxR produced higher-quality in-game sound effects and it also produces noticeably superior audio in music and movies, provided your speakers can keep up."

Today In Year-based Computer Errors: Draft Notices Sent To Men Born In the 1800s

timothy posted about three weeks ago | from the pa-dmv-never-did-me-any-favors-either dept.

Bug 205

sandbagger (654585) writes with word of a Y2K-style bug showing up in Y2K14: "The glitch originated with the Pennsylvania Department of Motor Vehicles during an automated data transfer of nearly 400,000 records. The records of males born between 1993 and 1997 were mixed with those of men born a century earlier. The federal agency didn't know it because the state uses a two-digit code to indicate birth year." I wonder where else two-digit years are causing problems; I still see lots of paper forms that haven't made the leap yet to four digits.

Hacking a Tesla Model S Could Net $10,000 Prize

timothy posted about three weeks ago | from the usb-port-under-the-gas-cap dept.

Transportation 77

cartechboy (2660665) writes "It seems there's a new hack challenge set every week, but this time, it seems different. A challenge has been thrown down to hack a Tesla Model S with a $10,000 prize. The organizers of a computer security conference have set the challenge and it's open to anyone that registers for the Syscan conference. Taking place in Beijing from July 16-17, the rules for the hack competition haven't been revealed yet but a Model S will be on display for hackers to try their luck on. It's important to note that Tesla itself isn't involved in the competition in any official capacity, nor does it support the competition. If successful, this wouldn't be the first time a Tesla Model S has been hacked. In that instance Tesla was quick to warn people that making changes in the Model S' software would immediately void the car's warranty. Given the car's high-tech nature, it's no shock Tesla's taking security seriously. With $10,000 on the line, it'll be interesting to see if anyone manages to crack the code."

India's National Informatics Centre Forged Google SSL Certificates

timothy posted about three weeks ago | from the who-can-you-trust? dept.

Security 107

NotInHere (3654617) writes "As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do man-in-the-middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA."

UK Computing Student Jailed After Failing To Hand Over Crypto Keys

Soulskill posted about three weeks ago | from the guilty-until-proven-guilty dept.

Encryption 353

stephendavion sends news that Christopher Wilson, a 22-year-old computer science student, has been sent to jail for six months for refusing to hand over his computer encryption passwords. Wilson has been accused of "phoning in a fake warning of an impending cyber attack against Northumbria Police that was convincing enough for the force to temporarily suspend its site as a precaution once a small attack started." He's also accused of trolling on Facebook. Wilson only came to the attention of police in October 2012 after he allegedly emailed warnings about an online threat against one of the staff at Newcastle University. ... The threatening emails came from computer servers linked to Wilson. Police obtained a warrant on this basis and raided his home in Washington, where they seized various items of computer equipment. ... Investigators wanted to examine his encrypted computer but the passwords supplied by Wilson turned out to be incorrect. None of the 50 passwords he provided worked. Frustration with his lack of co-operation prompted police to obtain an order from a judge compelling him to turn over the correct passphrase last year. A judge ordered him to turn over these passwords on the grounds of national security but Wilson still failed to comply, earning him six months behind bars.

Tor Project Sued Over a Revenge Porn Business That Used Its Service

Soulskill posted about three weeks ago | from the tor-is-a-series-of-eeeeevil-tubes dept.

The Courts 311

redletterdave writes: The Tor Project has been sued in the state of Texas over a revenge porn website that used its free encrypted communications service. The plaintiff in the case — Shelby Conklin, a criminal justice major at the University of North Texas — alleges a revenge porn site called Pinkmeth "gained unauthorized access to nude photographs" she owned and posted them to the internet. She also said Tor, which The Economist once called "a dark corner of the web," was involved in an active "civil conspiracy" with Pinkmeth because the revenge porn website used the anonymous communications service to prevent others from tracking its location.

DHS Mistakenly Releases 840 Pages of Critical Infrastructure Documents

Unknown Lamer posted about three weeks ago | from the someone-inverted-the-black-lines dept.

United States 50

wiredmikey (1824622) writes The Operation Aurora attack was publicized in 2010 and impacted Google and a number of other high-profile companies. However, DHS responded to the request by releasing more than 800 pages of documents related to the 'Aurora' experiment conducted several years ago at the Idaho National Laboratory, where researchers demonstrated a way to damage a generator via a cyber-attack. Of the documents released by the DHS, none were related to the Operation Aurora cyber attack as requested. Many of the 840 pages are comprised of old weekly reports from the DHS' Control System Security Program (CSSP) from 2007. Other pages that were released included information about possible examples of facilities that could be vulnerable to attack, such as water plants and gas pipelines.

Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos

Soulskill posted about three weeks ago | from the delete-then-rewrite-then-smash-into-bits dept.

Cellphones 231

An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more... personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."

'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials

Soulskill posted about three weeks ago | from the clever-exploits dept.

Security 68

New submitter newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today. It has been dubbed the "Rosetta Flash" attack. JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place. Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack. Several of these services fixed the vulnerability with a patch prior to the public release, and Tumblr patched within hours of the release.

US Tech Firms Recruiting High Schoolers (And Younger)

Soulskill posted about three weeks ago | from the there-oughta-be-a-law-enforcing-the-laws-we-already-have dept.

Businesses 253

ShaunC writes: Is there a glut of qualified American tech workers, or isn't there? Some companies like Facebook and Airbnb are now actively courting and recruiting high school students as young as 13 with promises of huge stipends and salaries. As one student put it, "It's kind of insane that you can make more than the U.S. average income in a summer." Another who attended a Facebook-sponsored trip said he'd "forego college for a full-time job" if it were offered. Is Silicon Valley taking advantage of naive young workers?

Tired of Playing Cyber Cop, Microsoft Looks For Partners In Crime Fighting

Soulskill posted about three weeks ago | from the every-batman-needs-a-robin dept.

Microsoft 113

chicksdaddy writes: When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP. The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston, she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.

CentOS Linux Version 7 Released On x86_64

Unknown Lamer posted about three weeks ago | from the keeping-costs-down dept.

Operating Systems 125

An anonymous reader writes "Today, the CentOS project unveiled CentOS Linux 7 for 64-bit x86 compatible machines. CentOS conforms fully with Red Hat's redistribution policy and aims to have full functional compatibility with the upstream product released last month. The new version includes systemd, firewalld, GRUB2, LXC, docker, and xfs instead of ext4 as the default filesystem. The Linux kernel is updated to 3.10.0, with support for Linux Containers, 3D graphics drivers out of the box, OpenJDK 7, support for 40G Ethernet cards, installation in UEFI Secure Boot mode on compatible hardware and more. See the complete list of features here and here. You can grab this release by visiting the official mirror site or via torrents. On a related note there is also a CentOS Linux 7 installation screencast here."

Researchers Develop New Way To Steal Passwords Using Google Glass

samzenpus posted about three weeks ago | from the let's-see-what-you-typed-there dept.

Google 116

mpicpp writes with a story about researchers who have developed a way to steal passwords using video-capturing devices. Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google's face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn't even need to be able to read the screen — meaning glare is not an antidote. The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode. They tested the algorithm on passwords entered on an Apple iPad, Google's Nexus 7 tablet, and an iPhone 5.

Book Review: Data-Driven Security: Analysis, Visualization and Dashboards

samzenpus posted about three weeks ago | from the read-all-about-it dept.

Books 26

benrothke writes There is a not so fine line between data dashboards and other information displays that provide pretty but otherwise useless and unactionable information, and those that provide effective answers to key questions. Data-Driven Security: Analysis, Visualization and Dashboards is all about the latter. In this extremely valuable book, authors Jay Jacobs and Bob Rudis show you how to find security patterns in your data logs and extract enough information from them to create effective information security countermeasures. By using data correctly and truly understanding what that data means, the authors show how you can achieve much greater levels of security. Keep reading for the rest of Ben's review.

TSA Prohibits Taking Discharged Electronic Devices Onto Planes

samzenpus posted about three weeks ago | from the keeping-something-safe dept.

Transportation 702

Trachman writes The US Transport Security Administration revealed on Sunday that enhanced security procedures on flights coming to the US now include not allowing uncharged cell phones and other devices onto planes. “During the security examination, officers may also ask that owners power up some devices, including cell phones. Powerless devices will not be permitted on board the aircraft. The traveler may also undergo additional screening,” TSA said in a statement.

New Snowden Leak: of 160000 Intercepted Messages, Only 10% From Official Targets

samzenpus posted about three weeks ago | from the that-old-familiar-story dept.

United States 201

An anonymous reader writes in with the latest news about NSA spying from documents leaked by Edward Snowden. "Ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from U.S. digital networks, according to a four-month investigation by The Washington Post. Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else. Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or "minimized," more than 65,000 such references to protect Americans' privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents."

Industrial Control System Firms In Dragonfly Attack Identified

Unknown Lamer posted about a month ago | from the they're-in-the-grid dept.

Security 24

chicksdaddy (814965) writes Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.

The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS's ICS-CERT said it was alerted to compromises of the vendors' by researchers at the security firms Symantec and F-Secure. DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed "Havex," was being spread by way of so-called "watering hole" attacks that involved compromises of vendors' web sites. According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

Ask Slashdot: How Often Should You Change Jobs?

Soulskill posted about a month ago | from the headhunters-can-keep-their-opinions-to-themselves dept.

IT 282

An anonymous reader writes "We all know somebody who changes jobs like changing clothes. In software development and IT, it's getting increasingly hard to find people who have been at their job for more than a few years. That's partly because of tech companies' bias for a young work force, and partly because talented people can write their own ticket in this industry. Thus, I put the question to you: how often should you be switching jobs? Obviously, if you find the perfect company (full of good people, doing interesting things, paying you well), your best bet is to stay. But that's not the reality for most of the workforce. Should you always be keeping an eye out for new jobs? Is there a length of time you should stick around so you don't look like a serial job-hopper? Does there come a point in life when it's best to settle down and stick with a job long term?"

NASA Approves Production of Most Powerful Rocket Ever

timothy posted about a month ago | from the because-rockets dept.

NASA 146

As reported by the Sydney Morning Herald, NASA has given a green light to the production of a new motor, dubbed the Space Launch System, intended to enable deep space exploration. Boeing, prime contractor on the rocket, announced on Wednesday that it had completed a critical design review and finalized a $US2.8-billion contract with NASA. The last time the space agency made such an assessment of a deep-space rocket was the mighty Saturn V, which took astronauts to the moon. ... Space Launch System's design called for the integration of existing hardware, spurring criticism that it's a "Frankenstein rocket," with much of it assembled from already developed technology. For instance, its two rocket boosters are advanced versions of the Space Shuttle boosters, and a cryogenic propulsion stage is based on the motor of a rocket often used by the Air Force. The Space Frontier Foundation, an advocacy group and frequent NASA critic, said Space Launch System was "built from rotting remnants of left over congressional pork. And its budgetary footprints will stamp out all the missions it is supposed to carry, kill our astronaut program and destroy science and technology projects throughout NASA."

Hacking Internet Connected Light Bulbs

Soulskill posted about a month ago | from the not-a-bright-idea dept.

Security 63

An anonymous reader writes We've been calling it for years — connect everything in your house to the internet, and people will find a way to attack it. This post provides a technical walkthrough of how internet-connected lighting systems are vulnerable to outside attacks. Quoting: "With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads. ... Monitoring packets captured from the mesh network whilst adding new bulbs, we were able to identify the specific packets in which the WiFi network credentials were shared among the bulbs. The on-boarding process consists of the master bulb broadcasting for new bulbs on the network. A new bulb responds to the master and then requests the WiFi details to be transferred. The master bulb then broadcasts the WiFi details, encrypted, across the mesh network. The new bulb is then added to the list of available bulbs in the LIFX smart phone application."

Damian Conway On Perl 6 and the Philosophy of Programming

Soulskill posted about a month ago | from the secretly-being-developed-by-blizzard dept.

Perl 132

M-Saunders writes: Perl 6 has been in development since 2000. So why, 14 years later, hasn't it been released yet? Linux Voice caught up with Damian Conway, one of the architects of Perl 6, to find out what's happening. "Perl 6 has all of the same features [as Perl 5] but with the rough edges knocked off of them", he says. Conway also talks about the UK's Year of Code project, and how to get more people interested in programming.

Can the NSA Really Track You Through Power Lines?

samzenpus posted about a month ago | from the follow-that-hum dept.

Privacy 109

mask.of.sanity writes Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids. Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with, but experts weren't sure if the technology could be used to locate individuals.

Use of Encryption Foiled the Cops a Record 9 Times In 2013

timothy posted about a month ago | from the achievement-unlocked dept.

Encryption 115

realized (2472730) writes "In nine cases in 2013, state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the U.S. court system on Wednesday. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases—and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero."

Researchers Disarm Microsoft's EMET

timothy posted about a month ago | from the slipping-through dept.

Microsoft 33

wiredmikey (1824622) writes "Security researchers have found a way to disable the protection systems provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a software tool designed to prevent vulnerabilities from being exploited by using various mitigation technologies. Others have managed to bypass EMET in the past, but researchers from Offensive Security have focused on disarming EMET, rather than on bypassing mitigations, as this method gives an attacker the ability to use generic shellcodes such as the ones generated by Metasploit. The researchers managed to disarm EMET and get a shell after finding a global variable in the .data section of the EMET.dll file. Initially, they only managed to get a shell by executing the exploit with a debugger attached, due to EMET's EAF checks. However, they've succeeded in getting a shell outside the debugger after disarming EAF with a method described by security researcher Piotr Bania in January 2012. The researchers tested their findings on Windows 7, Internet Explorer 8 and EMET 4.1 update 1."

NSA Considers Linux Journal Readers, Tor (And Linux?) Users "Extremists"

timothy posted about a month ago | from the where-do-we-sign-up? dept.

Encryption 361

New submitter marxmarv writes If you search the web for communications security information, or read online tech publications like Linux Journal or BoingBoing, you might be a terrorist. The German publication Das Erste disclosed a crumb of alleged XKeyScore configuration, with the vague suggestion of more source code to come, showing that Tor directory servers and their users, and as usual the interested and their neighbor's dogs due to overcapture, were flagged for closer monitoring. Linux Journal, whose domain is part of a listed selector, has a few choice words on their coveted award. Would it be irresponsible not to speculate further?

Austrian Tor Exit Node Operator Found Guilty As an Accomplice

timothy posted about a month ago | from the blame-thompson-for-babyface-nelson dept.

Communications 255

An anonymous reader writes with this excerpt from TechDirt: Three years ago we wrote about how Austrian police had seized computers from someone running a Tor exit node. This kind of thing happens from time to time, but it appears that folks in Austria have taken it up a notch by... effectively now making it illegal to run a Tor exit node. According to the report, which was confirmed by the accused, the court found that running the node violated 12 of the Austrian penal code, which effectively says: "Not only the immediate perpetrator commits a criminal action, but also anyone who appoints someone to carry it out, or anyone who otherwise contributes to the completion of said criminal action." In other words, it's a form of accomplice liability for criminality. It's pretty standard to name criminal accomplices liable for "aiding and abetting" the activities of others, but it's a massive and incredibly dangerous stretch to argue that merely running a Tor exit node makes you an accomplice that "contributes to the completion" of a crime. Under this sort of thinking, Volkswagen would be liable if someone drove a VW as the getaway car in a bank robbery. It's a very, very broad interpretation of accomplice liability, in a situation where it clearly does not make sense.

Cybercrooks May Have Stolen Billions Using Brazilian "Boletos"

samzenpus posted about a month ago | from the making-that-money dept.

Crime 69

wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. "The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."

Encryption Keys For Kim Dotcom's Data Can't Be Given To FBI, Court Rules

Soulskill posted about a month ago | from the do-not-pass-go,-do-not-encrypt-$200 dept.

Encryption 149

the simurgh writes: As many who follow the Kim Dotcom saga know, New Zealand police seized his encrypted computer drives in 2012, copies of which were illegally passed to the FBI. Fast-forward to 2014: Dotcom wants access to the seized but encrypted content. A New Zealand judge has now ruled that even if the Megaupload founder supplies the passwords, the encryption keys cannot be forwarded to the FBI.

Bug In Fire TV Screensaver Tears Through 250 GB Data Cap

Unknown Lamer posted about a month ago | from the should-have-stuck-to-xscreensaver dept.

Bug 349

jfruh (300774) writes Tech writer Tyler Hayes had never come close to hitting the 250 GB monthly bandwidth cap imposed by Cox Cable — until suddenly he was blowing right through it, eating up almost 80 GB a day. Using the Mac network utility Little Snitch, he eventually tracked down the culprit: a screensaver on his new Kindle Fire TV. A bug in the mosaic screensaver caused downloaded images to remain uncached.

IEEE Launches Anti-malware Services To Improve Security

Soulskill posted about a month ago | from the trickle-down-security dept.

Security 51

New submitter Aryeh Goretsky writes: The IEEE Standards Association has launched an Anti-Malware Support Service to help the computer security industry respond more quickly to malware. The first two services available are a Clean File Metadata Exchange (PDF), to help prevent false positives in anti-malware software, and a Taggant System (PDF) to help prevent software packers from being abused. The official announcement is available at the official website.

Microsoft Opens 'Transparency Center' For Governments To Review Source Code

Soulskill posted about a month ago | from the proof-is-in-the-proprietary-pudding dept.

Microsoft 178

MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products: As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (gnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.

Western Energy Companies Under Sabotage Threat

timothy posted about a month ago | from the shame-if-anything-was-t'-happen dept.

Security 86

An anonymous reader writes: In a post published Monday, Symantec writes that western countries including the U.S., Spain, France, Italy, Germany, Turkey, and Poland are currently the victims of an ongoing cyberespionage campaign. The group behind the operation, called Dragonfly by Symantec, originally targeted aviation and defense companies as early as 2011, but in early 2013, they shifted their focus to energy firms. They use a variety of malware tools, including remote access trojans (RATs) and operate during Eastern European business hours. Symantec compares them to Stuxnet except that "Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."

Samsung Releases First SSD With 3D NAND

timothy posted about a month ago | from the turning-up-the-volume dept.

Data Storage 85

Vigile (99919) writes "As SSD controllers continue to evolve, so does the world of flash memory. With the release of the Samsung 850 Pro SSD announced today, Samsung is the first company to introduce 3D NAND technology to the consumer. By using 30nm process technology that might seem dated in some applications, Samsung has been reliably able to stack lithography and essentially "tunnel holes" in the silicon while coating the inside with the material necessary to hold a charge. The VNAND being used with the Samsung 850 Pro is now 32 layers deep, and though it lowers the total capacity per die, it allows Samsung to lower manufacturing costs with more usable dies per wafer. This results in more sustainable and reliable performance as well as a longer life span, allowing Samsung to offer a 10 year warranty on the new drives. PC Perspective has a full review with performance results and usage over time that shows Samsung's innovation is leading the pack."

Microsoft Takes Down No-IP.com Domains

Unknown Lamer posted about 1 month ago | from the slash-and-burn dept.

Microsoft 495

An anonymous reader writes: For some reason that escapes me, a judge has granted Microsoft permission to hijack NoIP's DNS. This is necessary according to Microsoft to thwart a "global cybercrime epidemic" being perpetrated by infected machines running Microsoft software. No-IP is a provider of dynamic DNS services (among other things). Many legitimate users were affected by the takedown: "This morning, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives. ... We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening."

Krebs on Microsoft Suspending "Patch Tuesday" Emails and Blaming Canada

samzenpus posted about a month ago | from the who's-to-blame dept.

Canada 130

tsu doh nimh writes: In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. Some anti-spam experts who worked very closely on Canada's Anti-Spam Law (CASL) say they are baffled by Microsoft's response to a law which has been almost a decade in the making. Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide "warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased." Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

Ars Takes an Early Look At the Privacy-Centric Blackphone

timothy posted about a month ago | from the all-voice-calls-should-be-encrypted dept.

Cellphones 67

Ars Technica has spent some time with pre-production (but very nearly final) samples of the Blackphone, from Geeksphone and Silent Circle. They give it generally high marks; the hardware is mostly solid but not cutting edge, but the software it comes with distinguishes it from run-of-the-mill Android phones. Though it's based on Android, the PrivOS system in these phones offers fine-grained permissions, and other software included with the phone makes it more secure both if someone has physical access to the phone (by encrypting files, among other things) and if communications between this phone and another are being eavesdropped on. A small taste: At first start-up, Blackphone's configuration wizard walks through getting the phone configured and secured. After picking a language and setting a password or PIN to unlock the phone itself, the wizard presents the option of encrypting the phone's stored data with another password. If you decline to encrypt the phone's mini-SD storage during setup, you'll get the opportunity later (and in the release candidate version of the PrivOS we used, the phone continued to remind me about that opportunity each time I logged into it until I did). PrivOS' main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app's access to the camera hardware and turn off the Browser app's access to networks.

RAND Study: Looser Civil Service Rules Would Ease Cybersecurity Shortage

timothy posted about a month ago | from the rand-can't-help-seeming-creepy dept.

Government 97

New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)

Overkill? LG Phone Has 2560x1440 Display, Laser Focusing

timothy posted about a month ago | from the too-much-overkill-is-never-enough dept.

Handhelds 198

MojoKid (1002251) writes: LG is probably getting a little tired of scraping for brand recognition versus big names like Samsung, Apple and Google. However, the company is also taking solace in the fact that their smartphone sales figures are heading for an all-time high in 2014, with an estimated 60 million units projected to be sold this year. LG's third iteration of their popular "G" line of flagship smartphones, simply dubbed the LG G3, is the culmination of all of the innovation the company has developed in previous devices to date, including its signature rear button layout, and a cutting-edge 5.5-inch QHD display that drives a resolution of 2560x1440 with a pixel density of 538 PPI. Not satisfied with pixel overload, LG decided to equip their new smartphone with 'frickin' laser beams' to assist its 13MP camera in targeting subjects for auto-focus. The G3 performs well in the benchmarks with a Snapdragon 801 on board and no doubt its camera takes some great shots quickly and easily. However, it's questionable how much of that super high res 2560 display you can make use of on a 5.5-inch device.

Apple Kills Aperture, Says New Photos App Will Replace It

timothy posted about a month ago | from the you-can-shop-outside-the-company-store dept.

Graphics 214

mpicpp (3454017) writes: Apple told news website The Loop that it has decided to abandon Aperture, its professional photo-editing software application. "With the introduction of the new Photos app and iCloud Photo Library, enabling you to safely store all of your photos in iCloud and access them from anywhere, there will be no new development of Aperture," Apple said in a statement to The Loop. "When Photos for OS X ships next year, users will be able to migrate their existing Aperture libraries to Photos for OS." The new Photos app, which will debut with OS X Yosemite when it launches this fall, will also replace iPhoto. It promises to be more intuitive and user friendly, but as such, likely not as full featured as what Aperture currently offers.

Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype?

timothy posted about a month ago | from the you'll-never-feel-it dept.

Security 65

NotInHere (3654617) writes: In 1996, Markus F. X. J. Oberhumer wrote an implementation of the Lempel–Ziv compression, which is used in various places like the Linux kernel, libav, openVPN, and the Curiosity rover. As security researchers have found out, the code contained integer overflow and buffer overrun vulnerabilities, in the part of the code that was responsible for processing uncompressed parts of the data. Those vulnerabilities are, however, very hard to exploit, and their scope is dependent on the actual implementation. According to Oberhumer, the problem only affects 32-bit systems. "I personally do not know about any client program that actually is affected", Oberhumer says, calling the news about the possible security issue a media hype.

KeyStore Vulnerability Affects 86% of Android Devices

timothy posted about a month ago | from the that's-a-lot dept.

Android 71

jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."

Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze, Part II

timothy posted about a month ago | from the connecting-supply-and-demand dept.

Crime 170

McGruber (1417641) writes: In December 2013, Slashdot reported the arrest of seven metro Atlanta residents for allegedly selling counterfeit MARTA Breeze cards, stored-value smart cards that passengers use as part of an automated fare collection system on Atlanta's subway. Now, six months later (June 2014), the seven suspects have finally been indicted. According to the indictment, the co-conspirators purchased legitimate Breeze cards for $1, then fraudulently placed unlimited or monthly rides on the cards. They then sold the fraudulent cards to MARTA riders for a discounted cash price. Distributors of the fraudulent cards were stationed at several subway stations. The indictment claims that the ring called their organization the "Underground Railroad."

Why The Korean Government Could Go Open Source By 2020

timothy posted about a month ago | from the file-formats-matter dept.

Open Source 64

An anonymous reader writes: As the support for the Microsoft (MS) Windows XP service is terminated this year, the government will try to invigorate open source software in order to solve the problem of dependency on certain software. By 2020 when the support of the Windows 7 service is terminated, it is planning to switch to open OS and minimize damages. Industry insiders pointed out that the standard e-document format must be established and shared as an open source before open source software is invigorated. A similar suggestion that Korea might embrace more open source (but couched more cautiously, with more "should" and "may") is reported on the news page of the EU's program on Interoperability Solutions for European Public Administrations, based on a workshop presentation earlier this month by Korea's Ministry of Science, ICT, and Future Planning. (And at a smaller but still huge scale, the capital city of Seoul appears to be going in for open source software in a big way, too.)

Microsoft Suspending "Patch Tuesday" Emails

timothy posted about a month ago | from the just-visit-our-lair-for-updates dept.

Security 145

New submitter outofluck70 (1734164) writes: Got an email today from Microsoft, text is below. [Note: text here edited for formatting and brevity; see the full text at seclists.org.] They are no longer going to send out emails regarding patches, you have to use RSS or keep visiting their security sites. They blame "governmental policies" as the reason. What could the real reason be? Anybody in the know? From the email: "Notice to IT professionals: As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following: Security bulletin advance notifications; Security bulletin summaries; New security advisories and bulletins; Major and minor revisions to security advisories and bulletins. In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website." WindowsIT Pro blames Canada's new anti-spam law.

Exploiting Wildcards On Linux/Unix

Soulskill posted about a month ago | from the teaching-a-new-dog-old-tricks dept.

Security 215

An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
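A defensive illustration of the mechanism described in the story above, added here and not code from the original post or from DefenseCode: the hypothetical `archive` function stands in for a tool such as tar or rsync that parses options, and the scratch directory and its filenames are constructed. It shows that a bare `*` lets a filename be consumed as an option, while prefixing the expansion with `./` or ending option parsing with `--` keeps every expanded name a filename.

```shell
#!/bin/sh
# 'archive' is a hypothetical stand-in for an option-parsing tool (e.g. tar, rsync).
# It knows one option (--verbose) and the conventional '--' end-of-options marker,
# and prints "<verbose-flag> <number-of-files>" so the outcome can be checked.
archive() {
    verbose=0
    files=0
    while [ $# -gt 0 ]; do
        case $1 in
            --) shift; break ;;                  # end of options: the rest are files
            --verbose) verbose=1 ;;
            -*) echo "unknown option: $1" >&2; return 2 ;;
            *) files=$((files + 1)) ;;
        esac
        shift
    done
    files=$((files + $#))                        # files that followed '--'
    printf '%s %s\n' "$verbose" "$files"
}

# Constructed scratch directory: one ordinary file and one whose name looks like an option.
make_dir() {
    d=$(mktemp -d)
    : > "$d/report.txt"
    : > "$d/--verbose"
    printf '%s\n' "$d"
}

# Unsafe: the shell expands '*' before archive runs, so the tool receives the
# literal string '--verbose' and cannot tell it came from a filename.
run_unsafe() { ( cd "$1" && archive * ); }

# Safe 1: prefix the expansion with './' so no expanded name can start with '-'.
run_safe_dot() { ( cd "$1" && archive ./* ); }

# Safe 2: terminate option parsing with '--' before the expansion.
run_safe_dashdash() { ( cd "$1" && archive -- * ); }
```

The same two habits apply to real tools: `./*` works everywhere, and `--` works wherever the tool follows the POSIX end-of-options convention.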

Mass. Supreme Court Says Defendant Can Be Compelled To Decrypt Data

Unknown Lamer posted about a month ago | from the wrench-helps dept.

Encryption 560

Trailrunner7 (1100399) writes ... Security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones, and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops. The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so. The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt's Fifth Amendment rights. The ruling.

Intuit Beats SSL Patent Troll That Defeated Newegg

Unknown Lamer posted about a month ago | from the better-late-than-never dept.

Patents 59

Last fall, Newegg lost a case against patent troll TQP for using SSL with RC4, despite arguments from Diffie of Diffie-Hellman key exchange. Intuit was also targeted by a lawsuit for infringing the same patent, and they were found not to be infringing. mpicpp (3454017) sends this excerpt from Ars: U.S. Circuit Judge William Bryson, sitting "by designation" in the Eastern District of Texas, has found in a summary judgment ruling (PDF) that the patent, owned by TQP Development, is not infringed by the two defendants remaining in the case, Intuit Corp. and Hertz Corp. In a separate ruling (PDF), Bryson rejected Intuit's arguments that the patent was invalid. Not a complete victory (a clearly bogus patent is still not invalidated), but it's a start.

Australian Government Seeks To Boost Spy Agencies' Powers

samzenpus posted about a month ago | from the help-us-to-help-you dept.

Privacy 54

angry tapir writes: The Australian government has indicated it intends to seek a boost to the powers of Australia's spy agencies, particularly ASIO (the Australian Security Intelligence Organization). The attorney-general told the Senate today that the government would introduce legislation based on recommendations of a parliamentary committee that last year canvassed "reforms" including boosting ASIO's power to penetrate third party computer systems to intercept communications to and from a target. That report also covered other issues such as the possibility of introducing a mandatory data retention scheme for ISPs and telcos.

The Security Industry Is Failing Miserably At Fixing Underlying Dangers

Soulskill posted about a month ago | from the closing-the-barn-door dept.

Security 205

cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.

Why Software Builds Fail

Soulskill posted about a month ago | from the failure-to-bribe-the-hamster dept.

Bug 279

itwbennett writes: A group of researchers from Google, the Hong Kong University of Science and Technology and the University of Nebraska undertook a study of over 26 million builds by 18,000 Google engineers from November 2012 through July 2013 to better understand what causes software builds to fail and, by extension, to improve developer productivity. And, while Google isn't representative of every developer everywhere, there are a few findings that stand out: Build frequency and developer (in)experience don't affect failure rates, most build errors are dependency-related, and C++ generates more build errors than Java (but they're easier to fix).
