
EFF Releases Wireless Router Firmware For Open Access Points

Soulskill posted about 3 months ago | from the secure-is-as-secure-does dept.

Electronic Frontier Foundation 56

klapaucjusz writes: The EFF has released an experimental router firmware designed to make it easy to deploy open (password-less) access points in a secure manner. The EFF's firmware is based on the CeroWRT fork of OpenWRT, but appears to remove some of its more advanced routing features. The EFF is asking for help to further develop the firmware. They want the open access point to co-exist on the same router as your typical private and secured access point. They want the owner to be able to share bandwidth, but with a cap, so guests don't degrade service for the owner. They're also looking to develop network queueing, a minimalist web UI, and an auto-update mechanism. The EFF has also released the beta version of a plug-in called Privacy Badger for Firefox and Chrome that will prevent online advertisers from tracking you.

Black Hat Presentation On Tor Cancelled, Developers Working on Bug Fix

Soulskill posted about 2 months ago | from the you-can't-say-that-on-television dept.

Privacy 52

alphadogg writes A presentation on a low-budget method to unmask users of a popular online privacy tool Tor will no longer go ahead at the Black Hat security conference early next month. The talk was nixed by the legal counsel with Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website. Tor project leader Roger Dingledine said, "I think I have a handle on what they did, and how to fix it. ... Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world." Tor's developers were "informally" shown materials about the bug, but never saw any details about what would be presented in the talk.

Buying New Commercial IT Hardware Isn't Always Worthwhile (Video)

Roblimo posted about 3 months ago | from the sometimes-it's-better-and-costs-less-to-stick-with-proven-hardware dept.

Businesses 92

Ben Blair is CTO of MarkITx, a company that brokers used commercial IT gear. This gives him an excellent overview of the marketplace -- not just what companies are willing to buy used, but also what they want to sell as they buy new (or newer) equipment. Ben's main talking point in this interview is that hardware has become so commoditized that in a world where most enterprise software can be virtualized to run across multiple servers, it no longer matters if you have the latest hardware technology; that two older servers can often do the job of one new one -- and for less money, too. So, he says, you should make sure you buy new hardware only when necessary, not just because of the "Ooh... shiny!" factor. (Alternate Video Link)

Researchers Test Developer Biometrics To Predict Buggy Code

Soulskill posted about 3 months ago | from the subject-was-asleep-when-this-code-was-checked-in dept.

Bug 89

rjmarvin writes: Microsoft Research is testing a new method for predicting errors and bugs while developers write code: biometrics. By measuring a developer's eye movements, physical and mental characteristics as they code, the researchers tracked alertness and stress levels to predict the difficulty of a given task with respect to the coder's abilities. In a paper entitled "Using Psycho-Physiological Measures to Assess Task Difficulty in Software Development," the researchers summarized how they strapped an eye tracker, an electrodermal sensor and an EEG sensor to 15 developers as they programmed for various tasks. Biometrics predicted task difficulty for a new developer 64.99% of the time. For subsequent tasks with the same developer, the researchers found biometrics to be 84.38% accurate. They suggest using the information to mark places in code that developers find particularly difficult, and then reviewing or refactoring those sections later.

Ask Slashdot: Linux Login and Resource Management In a Computer Lab?

timothy posted about 3 months ago | from the explain-your-system dept.

Linux 98

New submitter rongten (756490) writes I am managing a computer lab composed of various kinds of Linux workstations, from small desktops to powerful workstations with plenty of RAM and cores. The users' $HOME is NFS mounted, and they either access via console (no user switch allowed), ssh or x2go. In the past, the powerful workstations were reserved to certain power users, but now even "regular" students may need to have access to high memory machines for some tasks. Is there a sort of resource management that would allow the following tasks? To forbid the same user to log in graphically more than once (like UserLock); to limit the amount of ssh sessions (i.e. no user using distcc and spamming the rest of the machines, or even worse, running in parallel); to give priority to the console user (i.e. automatically renicing remote users' jobs and restricting their memory usage); and to avoid swapping and waiting (i.e. all the users trying to log into the latest and greatest machine, so have a limited amount of logins proportional to the capacity of the machine). The system being put in place uses Fedora 20, and LDAP PAM authentication; it is Puppet-managed, and NFS based. In the past I tried to achieve similar functionality via cron jobs, login scripts, ssh and nx management, and queuing system — but it is not an elegant solution, and it is hacked a lot. Since I think these requirements should be pretty standard for a computer lab, I am surprised to see that I cannot find something already written for it. Do you know of a similar system, preferably open source? A commercial solution could be acceptable as well.

Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

timothy posted about 3 months ago | from the compared-to-what? dept.

Operating Systems 132

New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.

AirMagnet Wi-Fi Security Tool Takes Aim At Drones

timothy posted about 3 months ago | from the command-and-control-is-next dept.

Security 52

alphadogg (971356) writes "In its quest to help enterprises seek out and neutralize all threats to their Wi-Fi networks, AirMagnet is now looking to the skies. In a free software update to its AirMagnet Enterprise product last week, the Wi-Fi security division of Fluke Networks added code specifically crafted to detect the Parrot AR Drone, a popular unmanned aerial vehicle that costs a few hundred dollars and can be controlled using a smartphone or tablet. Drones themselves don't pose any special threat to Wi-Fi networks, and AirMagnet isn't issuing air pistols to its customers to shoot them down. The reason the craft are dangerous is that they can be modified to act as rogue access points and sent into range of a victim's wireless network, potentially breaking into a network to steal data."

The "Rickmote Controller" Can Hijack Any Google Chromecast

samzenpus posted about 3 months ago | from the never-going-to-give-you-up dept.

Google 131

redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.

Researcher Finds Hidden Data-Dumping Services In iOS

samzenpus posted about 3 months ago | from the don't-take-my-data-bro dept.

Privacy 98

Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection and can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.
Update: 07/21 22:15 GMT by U L : Slides.

Snowden Seeks To Develop Anti-Surveillance Technologies

samzenpus posted about 3 months ago | from the snowden-brand dept.

Privacy 129

An anonymous reader writes Speaking via a Google Hangout at the Hackers on Planet Earth Conference, Edward Snowden says he plans to work on technology to preserve personal data privacy and called on programmers and the tech industry to join his efforts. "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day," he said. "That is what a lot of my future work is going to be involved in."

Critroni Crypto Ransomware Seen Using Tor for Command and Control

samzenpus posted about 3 months ago | from the protect-ya-neck dept.

Security 122

Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."

Australian Website Waits Three Years To Inform Customers of Data Breach

Unknown Lamer posted about 3 months ago | from the better-never-than-late dept.

Privacy 35

AlbanX (2847805) writes Australian daily deals website Catch of the Day waited three years to tell its customers their email addresses, delivery addresses, hashed passwords, and some credit card details had been stolen. Its systems were breached in April 2011 and the company told police, banks and credit cards issuers, but didn't tell the Privacy Commissioner or customers until July 18th.

Tesla Model S Hacking Prize Claimed

Soulskill posted about 3 months ago | from the to-the-victors-go-the-electric-spoils dept.

Transportation 59

savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app."

Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data

Soulskill posted about 3 months ago | from the low-hanging-fruit dept.

Security 68

jfruh writes: Point-of-sale systems aren't cheap, so it's not unusual for smaller merchants to buy used terminals second-hand. An HP security researcher bought one such unit on eBay to see what a used POS system will get you, and what he found was disturbing: default passwords, a security flaw, and names, addresses, and social security numbers of employees of the terminal's previous owner.

New Mayhem Malware Targets Linux and UNIX-Like Servers

Soulskill posted about 3 months ago | from the keep-calm-and-patch-on dept.

Security 168

Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."

The Hacking of NASDAQ

Unknown Lamer posted about 3 months ago | from the tales-of-hacking-and-intrigue dept.

Security 76

puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"

Pushdo Trojan Infects 11,000 Systems In 24 Hours

Unknown Lamer posted about 3 months ago | from the bots-everywhere dept.

Botnet 32

An anonymous reader writes Bitdefender has discovered that a new variant of the Trojan component, Pushdo, has emerged. 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey. Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remains the same.

LibreSSL PRNG Vulnerability Patched

Soulskill posted about 3 months ago | from the looking-forward-to-the-next-two-day-panic dept.

Security 151

msm1267 writes: The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG). The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a "catastrophic failure of the PRNG." OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is "overblown" because Ayer's test program is unrealistic. Ayer's test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.

"It is actually only a problem with the author's contrived test program," Beck said. "While it's a real issue, it's actually a fairly minor one, because real applications don't work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article."

ChickTech Brings Hundreds of Young Women To Open Source

Soulskill posted about 3 months ago | from the more-engineers-more-cool-stuff dept.

Education 158

ectoman writes: Opensource.com is running an interview with Jennifer Davidson of ChickTech, a non-profit organization whose mission is to create communities of support for women and girls pursuing (or interested in pursuing) careers in tech. "In the United States, many girls are brought up to believe that 'girls can't do math' and that science and other 'geeky' topics are for boys," Davidson said. "We break down that idea." Portland, OR-based ChickTech is quickly expanding throughout the United States—to cities like Corvallis and San Francisco—thanks to the "ChickTech: High School" initiative, which gathers hundreds of young women for two-day workshops featuring open source technologies. "We fill a university engineering department with 100 high school girls—more girls than many engineering departments have ever seen," Davidson said. "The participants can look around the building and see that girls from all backgrounds are just as excited about tech as they are."

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

Unknown Lamer posted about 3 months ago | from the brain-full-try-again-later dept.

Security 280

An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but reusing bad passwords for low risks sites to minimize recall difficulty.

Breaches Exposed 22.8 Million Personal Records of New Yorkers

Unknown Lamer posted about 3 months ago | from the what-is-security dept.

Security 41

An anonymous reader writes Attorney General Eric T. Schneiderman issued a new report examining the growing number, complexity, and costs of data breaches in New York State. The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. The demand on secondary markets for stolen information remains robust. Freshly acquired stolen credit card numbers can fetch up to $45 per record, while other types of personal information, such as Social Security numbers and online account information, can command even higher prices.

HP Claims Their Moonshot System is a 'New Style of IT' (Video)

Roblimo posted about 3 months ago | from the my-server-uses-less-power-than-yours dept.

HP 68

Didn't we already have something kind of like this called a Blade server? But this is better! An HP Web page devoted to Moonshot says, 'Compared to traditional servers, up to: 89% less energy; 80% less space; 77% less cost; and 97% less complex.' If this is all true, the world of servers is now undergoing a radical change. || A quote from another Moonshot page: 'The HP Moonshot 1500 Chassis has 45 hot-pluggable servers installed and fits into 4.3U. The density comes in part from the low-energy, efficient processors. The innovative chassis design supports 45 servers, 2 network switches, and supporting components.' These are software-defined servers. HP claims they are the first ones ever, a claim that may depend on how you define "software-defined." And what software defines them? In this case, at Texas Linux Fest, it seems to be Ubuntu Linux. (Alternate Video Link)

Google's Project Zero Aims To Find Exploits Before Attackers Do

Unknown Lamer posted about 3 months ago | from the evil-hackers-respond-with-negative-one-day-exploits dept.

Security 62

DavidGilbert99 (2607235) writes "Google has announced Project Zero, a group of security experts who will hunt down security flaws in all software which touches the Internet. Among the group is a 24-year-old called George Hotz who shot to fame in 2007 when he was the first to unlock the iPhone before reverse engineering the PlayStation 3." Quoting the Project Zero announcement: You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. ... We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. All issues will be reported to the usual public vulnerability databases after vendors are given a short period to fix their systems and software.

OpenWRT 14.07 RC1 Supports Native IPv6, Procd Init System

Unknown Lamer posted about 3 months ago | from the bofh-excuse-#3847-replacing-router-os dept.

Networking 71

An anonymous reader writes Release Candidate One of OpenWRT 14.07 "Barrier Breaker" is released. Big for this tiny embedded Linux distribution for routers in 14.07 is native IPv6 support and the procd init system integration. The native IPv6 support is with the RA and DHCPv6+PD client and server support plus other changes. Procd is OpenWRT's new preinit, init, hotplug, and event system. Perhaps not too exciting is support for upgrading on devices with NAND, and file system snapshot/restore so you can experiment without fear of leaving your network broken. There's also experimental support for the musl standard C library.

German NSA Committee May Turn To Typewriters To Stop Leaks

Unknown Lamer posted about 3 months ago | from the how-to-tell-wikileaks-is-winning dept.

Security 244

mpicpp (3454017) writes with news that Germany may be joining Russia in a paranoid switch from computers to typewriters for sensitive documents. From the article: Patrick Sensburg, chairman of the German parliament's National Security Agency investigative committee, now says he's considering expanding the use of manual typewriters to carry out his group's work. ... Sensburg said that the committee is taking its operational security very seriously. "In fact, we already have [a typewriter], and it's even a non-electronic typewriter," he said. If Sensburg's suggestion takes flight, the country would be taking a page out of the Russian playbook. Last year, the agency in charge of securing communications from the Kremlin announced that it wanted to spend 486,000 rubles (about $14,800) to buy 20 electric typewriters as a way to avoid digital leaks.

Hacking Online Polls and Other Ways British Spies Seek To Control the Internet

samzenpus posted about 3 months ago | from the learning-to-troll dept.

United Kingdom 117

Advocatus Diaboli writes The secretive British spy agency GCHQ has developed covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, "amplif[y]" sanctioned messages on YouTube, and censor video content judged to be "extremist." The capabilities, detailed in documents provided by NSA whistleblower Edward Snowden, even include an old standby for pre-adolescent prank callers everywhere: A way to connect two unsuspecting phone users together in a call. The tools were created by GCHQ's Joint Threat Research Intelligence Group (JTRIG), and constitute some of the most startling methods of propaganda and internet deception contained within the Snowden archive. Previously disclosed documents have detailed JTRIG's use of "fake victim blog posts," "false flag operations," "honey traps" and psychological manipulation to target online activists, monitor visitors to WikiLeaks, and spy on YouTube and Facebook users.

Critical Vulnerabilities In Web-Based Password Managers Found

samzenpus posted about 3 months ago | from the protect-ya-neck dept.

Security 114

An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"

Apple Refutes Report On iPhone Threat To China's National Security

samzenpus posted about 3 months ago | from the it-was-other-kids dept.

China 134

An anonymous reader writes "Apple has never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers," the company said Sunday in a bilingual statement on its China website. Users have to make the choice to enable the iPhones to calculate their locations, while "Apple does not track users' locations — Apple has never done so and has no plans to ever do so," the company said. The statement was in response to allegations by China's top state broadcaster that iOS7 software and its "Frequent Location" service posed a security risk. The data can be accessed easily, although labelled as "encrypted," and may lead to the disclosure of "state secrets," CCTV said.

New Raspberry Pi Model B+

samzenpus posted about 3 months ago | from the latest-and-greatest dept.

Upgrades 202

mikejuk writes The Raspberry Pi foundation has just announced the Raspberry Pi B+. The basic specs haven't changed much — same BCM2835 and 512MB of RAM and the $35 price tag. There are now four USB ports, which means you don't need a hub to work with a mouse, keyboard and WiFi dongle. The GPIO has been expanded to 40 pins, but don't worry: you can plug your old boards and cables into the lefthand part of the connector, and it's backward compatible. As well as some additional general purpose lines, there are two designated for use with I2C EEPROM. When the Pi boots it will look for custom EEPROMs on these lines and optionally use them to load Linux drivers or set up expansion boards. Expansion boards can now include identity chips that, when the board is connected, configure the Pi to make use of them — no more manual customization. The change to a micro SD socket is nice, unless you happen to have lots of spare full size SD cards around. It is also claimed that the power requirements have dropped by half, to one watt, which brings the model B into the same power consumption area as the model A. Comp video is now available on the audio jack, and the audio quality has been improved. One big step for Raspberry Pi is that it now has four holes for mounting in standard enclosures.

NSA Says Snowden Emails Exempt From Public Disclosure

samzenpus posted about 3 months ago | from the for-our-eyes-only dept.

United States 231

AHuxley (892839) writes "The Desk reports on a FOIA request covering "... all e-mails sent by Edward Snowden" and the NSA's refusal to release all documents. "The National Security Agency has acknowledged it retains a record of e-mail communications from former contractor turned whistleblower Edward Snowden, but says those records are exempt from public disclosure under the federal Freedom of Information Act. In a letter responding to a June 27 FOIA request from The Desk, the NSA’s chief FOIA officer Pamela Phillips wrote that while the agency has retained records related to Snowden’s employment as a contractor, they are being withheld from public examination because, among other things, releasing the records 'could interfere with law enforcement proceedings, could cause an unwarranted invasion of personal privacy, could reveal the identities of confidential sources or would reveal law enforcement techniques and procedures.' Other records are being withheld because those documents were 'also found to be currently and properly classified and remains classified TOP SECRET, SECRET and CONFIDENTIAL.' The letter marks the first time the NSA has publicly acknowledged retaining communication and employment records related to Snowden’s time as a contractor."

Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption

samzenpus posted about 3 months ago | from the getting-it-clean dept.

Android 91

MojoKid writes We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just a matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the on board storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping but most should follow this convention just fine.

Nano-Pixels Hold Potential For Screens Far Denser Than Today's Best

timothy posted about 3 months ago | from the enhance-enhance-enhance dept.

Displays 129

Zothecula (1870348) writes "The Retina displays featured on Apple's iPhone 4 and 5 models pack a pixel density of 326 ppi, with individual pixels measuring 78 micrometers. That might seem plenty good enough given the average human eye is unable to differentiate between the individual pixels, but scientists in the UK have now developed technology that could lead to extremely high-resolution displays that put such pixel densities to shame."

Source Code Leaked For Tinba Banking Trojan

timothy posted about 3 months ago | from the small-can-be-potent dept.

Crime 75

msm1267 (2804139) writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit. Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of "tiny banker," and researchers say that it's only about 20 KB in size."

FCC Approves Subsidy Plan to Upgrade School and Library Networks

timothy posted about 3 months ago | from the ask-for-a-mile-in-hopes-of-an-inch dept.

Government 70

The Washington Post reports that, "In a 3-2 vote along party lines Friday, the FCC greenlit a plan to spend $2 billion over the next two years on subsidies for internal networks. The move also begins a process to phase out some subsidies under the federal program, known as E-Rate, for services and equipment that are on the decline, such as pagers and dial-up Internet service." That sounds like a lot of money, and it is, but as usual in politics it's the result of a messy process: The original plan called for spending $5 billion on WiFi over five years, in line with a push by the Obama administration to bring next-gen broadband and WiFi to 99 percent of students over the same period. Those funds would have partly come from savings as a result of transitioning away from supporting legacy technologies. The proposal would also have eliminated an existing requirement that E-Rate funds be spent first on broadband services before being applied to WiFi. In past years, the cost of broadband service meant that money was rarely left over for upgrading WiFi connections. But the FCC's proposal was ultimately scaled back late Thursday amid Republican objections that the E-Rate program can't afford the changes. The final proposal's two-year, $2 billion commitment accounts for the money the FCC has already set aside for WiFi upgrades, but it does not commit the FCC to funding WiFi upgrades at that same rate for the following three years.

Chinese Hackers Infiltrate Firms Using Malware-Laden Handheld Scanners

timothy posted about 3 months ago | from the location-location-location dept.

China 93

wiredmikey (1824622) writes China-based threat actors are using sophisticated malware installed on handheld scanners to target shipping and logistics organizations from all over the world. According to security firm TrapX, the attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they're handling. The Chinese manufacturer installs the malware on the Windows XP operating systems embedded in the devices.

Experts determined that the threat group targets servers storing corporate financial data, customer data and other sensitive information. A second payload downloaded by the malware then establishes a sophisticated C&C on the company's finance servers, enabling the attackers to exfiltrate the information they're after. The malware used by the Zombie Zero attackers is highly sophisticated and polymorphic, the researchers said. In one attack they observed, 16 of the 48 scanners used by the victim were infected, and the malware managed to penetrate the targeted organization's defenses and gain access to servers on the corporate network. Interestingly, the C&C is located at the Lanxiang Vocational School, an educational institution said to be involved in the Operation Aurora attacks against Google, and which is physically located only one block away from the scanner manufacturer, TrapX said.

First Release of LibreSSL Portable Is Available

Soulskill posted about 3 months ago | from the cryptic-announcements dept.

Encryption 101

ConstantineM writes: It has finally happened. Bob Beck of The OpenBSD Foundation has just announced that the first release of LibreSSL portable is now available, and can be found in the LibreSSL directory of your favourite OpenBSD mirror. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OS X and FreeBSD. This is intended to be an initial portable release of OpenBSD's libressl to allow the community to start using it and providing feedback, and has been done to address the issue of incorrect portable versions being attempted by third-parties. Support for additional platforms will be added as time and resources permit.

Gameover ZeuS Re-Emerges As Fast-Fluxing Botnet

Soulskill posted about 3 months ago | from the game-not-quite-over-after-all dept.

Botnet 62

New submitter tylke (621801) writes: "Brian Krebs is reporting that the Gameover ZeuS botnet recently taken down by the U.S. Justice Department in June has re-emerged. The new variant of the Trojan is "stripped of the P2P code, and relies instead on an approach known as fast-flux hosting," a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind a network of compromised systems. Krebs says, "[T]his variant also includes a 'domain name generation algorithm' or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters). In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there." (Disclosure: I work for Malcovery Security, the company credited with identifying the new variant.)

Ask Slashdot: Unattended Maintenance Windows?

Soulskill posted about 3 months ago | from the wake-me-if-there's-fire dept.

IT 265

grahamsaa writes: Like many others in IT, I sometimes have to do server maintenance at unfortunate times. 6AM is the norm for us, but in some cases we're expected to do it as early as 2AM, which isn't exactly optimal. I understand that critical services can't be taken down during business hours, and most of our products are used 24 hours a day, but for some things it seems like it would be possible to automate maintenance (and downtime).

I have a maintenance window at about 5AM tomorrow. It's fairly simple — upgrade CentOS, remove a package, install a package, reboot. Downtime shouldn't be more than 5 minutes. While I don't think it would be wise to automate this window, I think with sufficient testing we might be able to automate future maintenance windows so I or someone else can sleep in. Aside from the benefit of getting a bit more sleep, automating this kind of thing means that it can be written, reviewed and tested well in advance. Of course, if something goes horribly wrong having a live body keeping watch is probably helpful. That said, we do have people on call 24/7 and they could probably respond capably in an emergency. Have any of you tried to do something like this? What's your experience been like?

Ode To Sound Blaster: Are Discrete Audio Cards Still Worth the Investment?

timothy posted about 3 months ago | from the won't-fit-in-my-phone dept.

Music 502

MojoKid (1002251) writes "Back in the day (which is a scientific measurement for anyone who used to walk to school during snowstorms, uphill, both ways), integrated audio solutions had trouble earning respect. Many enthusiasts considered a sound card an essential piece to the PC building puzzle. It's been 25 years since the first Sound Blaster card was introduced, a pretty remarkable feat considering the diminished reliance on discrete audio in PCs, in general. These days, the Sound Blaster ZxR is Creative's flagship audio solution for PC power users. It boasts a signal-to-noise (SNR) of 124dB that Creative claims is 89.1 times better than your motherboard's integrated audio solution. It also features a built-in headphone amplifier, beamforming microphone, a multi-core Sound Core3D audio processor, and various proprietary audio technologies. While gaming there is no significant performance impact or benefit when going from onboard audio to the Sound Blaster ZxR. However, the Sound Blaster ZxR produced higher-quality in-game sound effects and it also produces noticeably superior audio in music and movies, provided your speakers can keep up."

Today In Year-based Computer Errors: Draft Notices Sent To Men Born In the 1800s

timothy posted about 3 months ago | from the pa-dmv-never-did-me-any-favors-either dept.

Bug 205

sandbagger (654585) writes with word of a Y2K-style bug showing up in Y2K14: "The glitch originated with the Pennsylvania Department of Motor Vehicles during an automated data transfer of nearly 400,000 records. The records of males born between 1993 and 1997 were mixed with those of men born a century earlier. The federal agency didn't know it because the state uses a two-digit code to indicate birth year." I wonder where else two-digit years are causing problems; I still see lots of paper forms that haven't made the leap yet to four digits.

Hacking a Tesla Model S Could Net $10,000 Prize

timothy posted about 3 months ago | from the usb-port-under-the-gas-cap dept.

Transportation 77

cartechboy (2660665) writes "It seems there's a new hack challenge set every week, but this time, it seems different. A challenge has been thrown down to hack a Tesla Model S with a $10,000 prize. The organizers of a computer security conference have set the challenge and it's open to anyone that registers for the Syscan conference. Taking place in Beijing from July 16-17, the rules for the hack competition haven't been revealed yet but a Model S will be on display for hackers to try their luck on. It's important to note that Tesla itself isn't involved in the competition in any official capacity, nor does it support the competition. If successful, this wouldn't be the first time a Tesla Model S has been hacked. In that instance Tesla was quick to warn people that making changes in the Model S' software would immediately void the car's warranty. Given the car's high-tech nature, it's no shock Tesla's taking security seriously. With $10,000 on the line, it'll be interesting to see if anyone manages to crack the code."

India's National Informatics Centre Forged Google SSL Certificates

timothy posted about 3 months ago | from the who-can-you-trust? dept.

Security 107

NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do Man in the middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

UK Computing Student Jailed After Failing To Hand Over Crypto Keys

Soulskill posted about 3 months ago | from the guilty-until-proven-guilty dept.

Encryption 353

stephendavion sends news that Christopher Wilson, a 22-year-old computer science student, has been sent to jail for six months for refusing to hand over his computer encryption passwords. Wilson has been accused of "phoning in a fake warning of an impending cyber attack against Northumbria Police that was convincing enough for the force to temporarily suspend its site as a precaution once a small attack started." He's also accused of trolling on Facebook. Wilson only came to the attention of police in October 2012 after he allegedly emailed warnings about an online threat against one of the staff at Newcastle University. ... The threatening emails came from computer servers linked to Wilson. Police obtained a warrant on this basis and raided his home in Washington, where they seized various items of computer equipment. ... Investigators wanted to examine his encrypted computer but the passwords supplied by Wilson turned out to be incorrect. None of the 50 passwords he provided worked. Frustration with his lack of co-operation prompted police to obtain an order from a judge compelling him to turn over the correct passphrase last year. A judge ordered him to turn over these passwords on the grounds of national security but Wilson still failed to comply, earning him six months behind bars.

Tor Project Sued Over a Revenge Porn Business That Used Its Service

Soulskill posted about 3 months ago | from the tor-is-a-series-of-eeeeevil-tubes dept.

The Courts 311

redletterdave writes: The Tor Project has been sued in the state of Texas over a revenge porn website that used its free encrypted communications service. The plaintiff in the case — Shelby Conklin, a criminal justice major at the University of North Texas — alleges a revenge porn site called Pinkmeth "gained unauthorized access to nude photographs" she owned and posted them to the internet. She also said Tor, which The Economist once called "a dark corner of the web," was involved in an active "civil conspiracy" with Pinkmeth because the revenge porn website used the anonymous communications service to prevent others from tracking its location.

DHS Mistakenly Releases 840 Pages of Critical Infrastructure Documents

Unknown Lamer posted about 3 months ago | from the someone-inverted-the-black-lines dept.

United States 50

wiredmikey (1824622) writes The Operation Aurora attack was publicized in 2010 and impacted Google and a number of other high-profile companies. However, DHS responded to the request by releasing more than 800 pages of documents related to the 'Aurora' experiment conducted several years ago at the Idaho National Laboratory, where researchers demonstrated a way to damage a generator via a cyber-attack. Of the documents released by the DHS, none were related to the Operation Aurora cyber attack as requested. Many of the 840 pages are comprised of old weekly reports from the DHS' Control System Security Program (CSSP) from 2007. Other pages that were released included information about possible examples of facilities that could be vulnerable to attack, such as water plants and gas pipelines.

Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos

Soulskill posted about 3 months ago | from the delete-then-rewrite-then-smash-into-bits dept.

Cellphones 231

An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more.. personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."

'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials

Soulskill posted about 3 months ago | from the clever-exploits dept.

Security 68

New submitter newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today. It has been dubbed the "Rosetta Flash" attack. JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place. Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack. Several of these services fixed the vulnerability with a patch prior to the public release, and Tumblr patched within hours of the release.

US Tech Firms Recruiting High Schoolers (And Younger)

Soulskill posted about 3 months ago | from the there-oughta-be-a-law-enforcing-the-laws-we-already-have dept.

Businesses 253

ShaunC writes: Is there a glut of qualified American tech workers, or isn't there? Some companies like Facebook and Airbnb are now actively courting and recruiting high school students as young as 13 with promises of huge stipends and salaries. As one student put it, "It's kind of insane that you can make more than the U.S. average income in a summer." Another who attended a Facebook-sponsored trip said he'd "forego college for a full-time job" if it were offered. Is Silicon Valley taking advantage of naive young workers?

Tired of Playing Cyber Cop, Microsoft Looks For Partners In Crime Fighting

Soulskill posted about 3 months ago | from the every-batman-needs-a-robin dept.

Microsoft 113

chicksdaddy writes: When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP. The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston, she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.

CentOS Linux Version 7 Released On x86_64

Unknown Lamer posted about 3 months ago | from the keeping-costs-down dept.

Operating Systems 125

An anonymous reader writes "Today, the CentOS project unveiled CentOS Linux 7 for 64-bit x86 compatible machines. CentOS conforms fully with Red Hat's redistribution policy and aims to have full functional compatibility with the upstream product released last month. The new version includes systemd, firewalld, GRUB2, LXC, docker, and xfs instead of ext4 as the default filesystem. The Linux kernel is updated to 3.10.0, with support for Linux Containers, 3D graphics drivers out of the box, OpenJDK 7, support for 40G Ethernet cards, installations in UEFI Secure Boot mode on compatible hardware and more. See the complete list of features here and here. You can grab this release by visiting the official mirror site or via torrents. On a related note there is also a CentOS Linux 7 installation screencast here."
