An anonymous reader writes "Google is toying with a complete revamp of the user account system in its browser. Google is essentially pulling the user management system from Chrome OS back into Chrome. The company's thinking is likely two-layered. First, it wants users to stay in the browser for as long as possible, and thus it wants the switching process to be part of Chrome as opposed to Windows, Mac, or Linux. Second, if it can teach users to have accounts in Chrome (as well as use incognito and guest modes), the learning curve will have been flattened for when they encounter Chrome OS."
plover sends this news about another possible exposure of customer data: Supervalu is the latest retailer to experience a data breach, announcing today that cybercriminals had accessed payment card transactions at some of its stores. The Minneapolis-based company said it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores. There was no confirmation that any cardholder data was in fact stolen and no evidence the data was misused, according to the company. The event occurred between June 22 and July 17, 2014 at 180 Supervalu stores and stand-alone liquor stores. Affected banners include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy.
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.
stoborrobots writes: The Government Accountability Office has investigated the cost blowouts associated with how the Centers for Medicare & Medicaid Services (CMS) handled the Healthcare.gov project. It has released a 60-page report entitled Healthcare.gov: Ineffective Planning and Oversight Practices Underscore the Need for Improved Contract Management, with a 5 page summary. The key takeaway messages are:
An anonymous reader writes US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD. This particular requirement was mandated by the US Congress last year, in an attempt to get a clear view of the type and frequency of attacks contractors face. The US Congress will require "cleared defense contractors" — i.e. those who have been granted clearance by the DoD to access, receive, or store classified information — to effect a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.
aarondubrow (1866212) writes In a [note, paywalled] review article in this week's issue of the journal Nature (described in a National Science Foundation press release), Igor Markov of the University of Michigan/Google reviews limiting factors in the development of computing systems to help determine what is achievable, in principle and in practice, using today's and emerging technologies. "Understanding these important limits," says Markov, "will help us to bet on the right new techniques and technologies." Ars Technica does a great job of expanding on the various limitations that Markov describes, and the ways in which engineering can push back against them.
An anonymous reader writes "Google today announced it is expanding its Safe Browsing service to protect users against malware that makes unexpected changes to your computer. Google says it will show a warning in Chrome whenever an attempt is made to trick you into downloading and installing such software. In the case of malware, PUA stands for Potentially Unwanted Application, which is also sometimes called Potentially Unwanted Program or PUP. In short, the broad terms encompass any downloads that the user does not want, typically because they display popups, show ads, install toolbars in the default browser, change the homepage or the search engine, run several processes in the background that slow down the PC, and so on."
snydeq (1272828) writes "Two of Microsoft's kernel-mode driver updates — which often cause problems — are triggering a BSOD error message on some Windows systems, InfoWorld reports. 'Details at this point are sparse, but it looks like three different patches from this week's Black Tuesday crop are causing Blue Screens with a Stop 0x50 error on some systems. If you're hitting a BSOD, you can help diagnose the problem (and perhaps prod Microsoft to find a solution) by adding your voice to the Microsoft Answers Forum thread on the subject.'"
angry tapir (1463043) writes Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect. Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled. The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.
An anonymous reader writes Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It "provides always-on Tor routing, as well as 'pluggable' transport for Tor that can hide the service's traffic signature from some deep packet inspection systems." In essence, PORTAL is a travel router that the user simply plugs into their existing device for more than basic Tor protection (counterpoint to PogoPlug Safeplug and Onion Pi). On the down side, you have to download PORTAL from Github and flash it "onto a TP-Link compatible packet router." The guys behind the device acknowledge that not many people may want to (or even know how to) do that, so they're asking everyone to stand by because a solution is pending. The project's GitHub page has a README file that lists compatible models, with some caveats: "It is highly recommended to use a modified router. The modified MR11U and WR703N provide a better experience than the stock routers due to the additional RAM. The severe space constraints of the stock router make them very challenging to work with. Due to the lack of usable space, it is necessary to use an external disk to store the Tor packages. The stock router has only a single USB port, and the best option is to use a microSD in a 3G modem." (Note: Lackey is no stranger to helping people secure internet privacy.)
jfruh writes: A casual observer at the latest DEFCON conference in Las Vegas might not have noticed much change from last year — still tons of leather, piercing, and body art, still groups of men gathered in darkened ballrooms furiously typing commands. But this year there's a new focus: hacking not just for the lulz, but focusing specifically on highlighting computer security problems that have the potential to do real-world physical harm to human beings.
badger.foo (447981) writes Peter Hansteen reports that a new distributed and slow-moving password guessing effort is underway, much like the earlier reports, but this time with a twist: The users they are trying to access do not exist. Instead, they're taken from the bsdly.net spamtrap address list, where all listed email addresses are guaranteed to be invalid in their listed domains. There is a tiny chance that this is an elaborate prank or joke, but it's more likely that via excessive automation, the password gropers have finally hit Peak Stupid.
mrspoonsi (2955715) writes with word that Samsung is hopping on the metal case and rounded corners design bandwagon. From the article: Samsung says a metal frame and curved corners give the Galaxy Alpha a "sophisticated" look. The South Korean company describes the Galaxy Alpha as representing a "new design approach". The firm has previously been criticised for the plastic feel of its handsets at a time when other firms have opted to use materials marketed as having a "premium" feel. Samsung Electronics saw a 20% year-on-year drop in its last quarter's profit. The phone features 2G of RAM, a 4.7" AMOLED display, and either an 8-core Exynos 5 or 4-core Snapdragon 801.
An anonymous reader writes New research was released on cyber-attacks via human-rights NGO World Uyghur Congress over a period of four years. The academic analysis was conducted through the lens of a human-rights NGO representing a minority living in China and in exile, whereas most targeted-attack reports concern large organizations with apparent or actual financial or IP theft, unlike WUC, and are produced by commercial entities rather than academics. The attacks were a combination of sophisticated social engineering via email written primarily in the Uyghur language, in some cases through compromised WUC email accounts, and with advanced malware embedded in attached documents. Suspicious emails were sent to more than 700 different email addresses, including WUC leaders as well as journalists, politicians, academics and employees of other NGOs (including Amnesty International and Save Tibet — International Campaign for Tibet). The study will be presented at USENIX on August 21, and the full paper is already available.
snydeq writes: Now that the technologies behind our servers and networks have stabilized, IT can look forward to a different kind of constant change, writes Paul Venezia. "In IT, we are actually seeing a bit of stasis. I don't mean that the IT world isn't moving at the speed of light — it is — but the technologies we use in our corporate data centers have progressed to the point where we can leave them be for the foreseeable future without worry that they will cause blocking problems in other areas of the infrastructure. What all this means for IT is not that we can finally sit back and take a break after decades of turbulence, but that we can now focus less on the foundational elements of IT and more on the refinements. ... In essence, we have finally built the transcontinental railroad, and now we can use it to completely transform our Wild West."
dcblogs writes: Mikey Dickerson, a site reliability engineer at Google, who was appointed Monday by the White House as the deputy federal CIO, will lead efforts to improve U.S. websites. Dickerson, who worked on the Healthcare.gov rescue last year, said that one issue the government needs to fix is its culture. In describing his experience on the Healthcare.gov effort, he said the workplace was "not one that is optimized to get good work out of engineers." It was a shirt-and-tie environment, and while Dickerson said cultural issues may sound superficial, they are still real. "You don't have to think that the engineers are the creative snowflakes and rock stars that they think they are, you don't have to agree with any of that," Dickerson said in a recent conference presentation posted online. "I'm just telling you that's how they think of themselves, and if you want access to more of them, finding a way to deal with that helps a lot." Engineers want to make a difference, Dickerson said, and he has collected the names of more than 140 engineers who would be willing to take unpaid leave from their jobs to work on a meaningful project.
An anonymous reader writes: Google today announced it is implementing a new effort to thwart spammers and scammers: the open standard known as Unicode Consortium's "Highly Restricted" specification. In short, Gmail now rejects emails from domains that use what the Unicode community has identified as potentially misleading combinations of letters. The news today follows Google's announcement last week that Gmail has gained support for accented and non-Latin characters. The company is clearly okay with international domains, as long as they aren't abused to trick its users.
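As an added illustration of the rule the submission describes (example code written for this page, not Google's implementation or the submitter's), the Python below applies the Unicode "Highly Restrictive" mixed-script test label by label to a sender domain: a label passes only if it uses a single script, or Latin together with one of the Japanese, Chinese or Korean script groups. The per-character script table is an assumption built from unicodedata character names, because Python exposes no Unicode Script property; the sample domains are constructed.

```python
"""Mixed-script sender-domain check in the spirit of UTS #39 'Highly Restrictive'."""
import unicodedata

# Approximation of the Unicode Script property via character-name prefixes.
# Assumption of this example: Python's unicodedata has no Script property,
# so only the scripts listed here are recognised; everything else is "Unknown".
_SCRIPT_PREFIXES = (
    ("LATIN ", "Latin"),
    ("CYRILLIC ", "Cyrillic"),
    ("GREEK ", "Greek"),
    ("ARMENIAN ", "Armenian"),
    ("HEBREW ", "Hebrew"),
    ("ARABIC ", "Arabic"),
    ("DEVANAGARI ", "Devanagari"),
    ("CJK UNIFIED IDEOGRAPH", "Han"),
    ("HIRAGANA ", "Hiragana"),
    ("KATAKANA ", "Katakana"),
    ("HANGUL ", "Hangul"),
    ("BOPOMOFO ", "Bopomofo"),
)

# The only multi-script mixtures permitted at the Highly Restrictive level.
_ALLOWED_MIXTURES = (
    frozenset({"Latin", "Han", "Hiragana", "Katakana"}),  # Japanese
    frozenset({"Latin", "Han", "Bopomofo"}),              # Chinese
    frozenset({"Latin", "Han", "Hangul"}),                # Korean
)


def script_of(ch):
    """Return the (approximate) script of one character; digits and hyphen are Common."""
    if ch in "0123456789-":
        return "Common"
    name = unicodedata.name(ch, "")
    for prefix, script in _SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return script
    return "Unknown"  # unclassified characters are treated as suspicious


def label_scripts(label):
    """Set of scripts used in one domain label, ignoring Common characters."""
    return {script_of(ch) for ch in label} - {"Common"}


def is_highly_restrictive(label):
    """True if the label is single-script or one of the permitted CJK+Latin mixtures."""
    scripts = label_scripts(label)
    if "Unknown" in scripts:
        return False
    if len(scripts) <= 1:
        return True
    return any(scripts <= allowed for allowed in _ALLOWED_MIXTURES)


def decode_label(label):
    """Convert an A-label (xn--...) to its U-label; plain labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")  # raises UnicodeError if malformed
    return label


def check_domain(domain):
    """Return (accepted, {label: scripts}); the domain is accepted only if every label passes."""
    report = {}
    accepted = True
    for raw in domain.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            report[raw] = {"Unknown"}
            accepted = False
            continue
        report[raw] = label_scripts(label)
        if not is_highly_restrictive(label):
            accepted = False
    return accepted, report


# Constructed sender domains for demonstration; none are taken from the page.
CONSTRUCTED_SENDERS = [
    "paypal.com",                                          # all Latin: accept
    "p\u0430ypal.com",                                     # Latin + Cyrillic 'a': reject
    "g\u03bfogle.com",                                     # Latin + Greek omicron: reject
    "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444",   # all Cyrillic (per label): accept
    "toyota\u6771\u4eac.jp",                               # Latin + Han, Japanese mixture: accept
]


def triage(domains):
    """Map each domain to the verdict a Highly Restrictive filter would give."""
    return {d: ("accept" if check_domain(d)[0] else "reject") for d in domains}


if __name__ == "__main__":
    for domain, verdict in triage(CONSTRUCTED_SENDERS).items():
        print(f"{verdict:7} {domain}  scripts={check_domain(domain)[1]}")
```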
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.
Dr. Damage writes: The TSX instructions built into Intel's Haswell CPU cores haven't become widely used by everyday software just yet, but they promise to make certain types of multithreaded applications run much faster than they can today. Some of the savviest software developers are likely building TSX-enabled software right about now. Unfortunately, that work may have to come to a halt, thanks to a bug—or "errata," as Intel prefers to call them—in Haswell's TSX implementation that can cause critical software failures. To work around the problem, Intel will disable TSX via microcode in its current CPUs — and in early Broadwell processors, as well.
First time accepted submitter GreyViking (3606993) writes Over the past few years, I've witnessed a variety of my intelligent but largely non-technical nearest-and-dearest struggling to complete online job applications. The majority of these online forms are multiple screens long, and because they're invariably HTTPS, they'll time out after a finite time which isn't always made known to the user. Some sites actively disable back/forward buttons but many don't, and text that's sometimes taken a lot of effort to compile, cut and paste can be lost. And did I mention text input boxes that are too small? Sometimes it seems that the biggest obstacle to getting a job can be being able to conquer the online application, and really, there has to be a better way: but what is it?
snydeq writes Modern programming bears little resemblance to the days of assembly code and toggles. Worse, or perhaps better, it markedly differs from what it meant to be a programmer just five years ago. While the technologies and tools underlying this transformation can make development work more powerful and efficient, they also make developers increasingly responsible for facets of computing beyond their traditional domain, thereby concentrating a wider range of roles and responsibilities into leaner, more overworked staff.
Nerval's Lobster writes: In Silicon Valley they think differently, and if that leads to arrogance, so be it. At least that's what Bloomberg Businessweek's Joel Stein implies in his long meditation on the area's outlook on technology, money and changing the world. Stein set out to examine the underlying notion that Silicon Valley's and San Francisco's tech entrepreneurs are feeding a backlash by being, in a word, jerks. His conclusion seems to be that they may well be jerks, but they're misunderstood jerks. He doesn't deny that there's sexism and boorishness at play in the young tech community, but he sees the industry trying to make itself better. He sees a lot of egotism at work, too, but he says if you're setting out to change the world, you're probably going to need a big ego to do it. But tell that to other people in Northern California: undoubtedly, you've read about the tempest in San Francisco recently, where urban activists are decrying the influx of highly paid tech professionals, who they argue are displacing residents suddenly unable to keep up with skyrocketing rents.
wiredmikey writes: In an open letter to Automotive CEOs, a group of security researchers has called on automobile industry executives to implement five security programs to improve car safety and build cyber-security safeguards inside the software systems powering various features in modern cars. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation. Vehicles are "computers on wheels," said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group who penned the letter (PDF). The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.
jfruh writes Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.
LuserOnFire (175383) writes with word that on Saturday SpamCop users received an email that says in part: "For over 12 years, Corporate Email Services has been partnering with SpamCop to provide webmail service with spam filtering via the SpamCop Email System for our users. Back then, spam filtering was rare. We heard story after story about how our service rescued people from unfiltered email. Nowadays, webmail service with spam filtering has become the norm in the general public. As such, the need for the webmail service with SpamCop filtered email has decreased. Due to these reasons, we have decided to retire the SpamCop Email System and its webmail service; while SpamCop will continue to focus on providing the World's best spam reporting platform and blacklist for the community. As of September 30, 2014 (Tuesday) 6pm ET, the current SpamCop Email service will be converted to email forwarding-only with spam filtered by SpamCop for all existing SpamCop Email users."
MojoKid (1002251) writes "Security researcher Gene Bransfield, with the help of his wife's grandmother's cat, decided to see how many neighborhood WiFi access points he could map and potentially compromise. With a collar loaded with a Spark chip, a Wi-Fi module, a GPS module, and a battery, Coco the cat helped Gene identify Wi-Fi networks around the neighborhood and then reported back. The goal here is obvious: Discover all of the unsecured, or at least poorly-secured, wireless access points around the neighborhood. During his journey, Coco identified dozens of Wi-Fi networks, with four of them using easily-broken WEP security, and another four that had no security at all. Gene has dubbed his collar the "WarKitteh", and it cost him less than $100 to make. He admits that such a collar isn't a security threat, but more of a goofy hack. Of course, it could be used for shadier purposes." (Here's Wired's article on the connected cat-collar.)
New submitter shervinemami writes (starting with a pretty big disclaimer: "I'm an Engineer at NVIDIA.") The latest CompuBench GPU benchmarks show NVIDIA's Tegra K1 running whole OpenCL algorithms around 5x faster than any other mobile device, and individual instructions around 20x faster! This huge jump is because mobile companies have been saying they support OpenCL on mobile devices since early 2013, but what they don't mention is that they only have software API support, not hardware-accelerated OpenCL running faster on their GPUs than CPUs. Now that NVIDIA's Tegra-K1 chip has started shipping in devices and thus is available for full benchmarking, it is clearly the only mobile chip that actually gives you proper hardware-accelerated OpenCL (and CUDA of course!). The K1 is also what's in Google's Project Tango 3-D mapping tablet.
mikejuk (1801200) writes "Microsoft Researcher Andrew Begel, together with academic and industry colleagues, has been trying to detect when developers are struggling as they work, in order to prevent bugs before they are introduced into code. A paper presented at the 36th International Conference on Software Engineering reports on a study conducted with 15 professional programmers to see how well an eye-tracker, an electrodermal activity (EDA) sensor, and an electroencephalography (EEG) sensor could be used to predict whether developers would find a task difficult. Difficult tasks are potential bug generators, and finding a task difficult is the programming equivalent of going to sleep at the wheel. Going beyond this initial investigation, researchers now need to decide how to support developers who are finding their work difficult. What isn't known yet is how developers will react if their actions are approaching bug-potential levels and an intervention is deemed necessary. Presumably the nature of the intervention also has to be worked out. So next time you sit down at your coding station, consider that in the future they may be wanting to wire you up just to make sure you aren't a source of bugs. And what could possibly be the intervention?"
Def Con shows no mercy. As gleefully reported by several Blackberry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com's linked report: "However, one of the vulnerabilities has already been patched and the other only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities." Case reacts via Twitter to the crowing: "Hey BlackBerry idiots, stop misquoting me on your blogs. Your phone is only "secure" because it has few users and little value as a target."
John McAfee made a surprise appearance at Def Con to talk about privacy: he's for it. Trouble is, he says, lots of companies feel otherwise, and he took the stage to single out "don't be evil" Google: “Google, or at least certain people within Google, I will not mention names because I am not a rude gentleman, would like us to believe that if we have nothing to hide, we should not mind if everybody knows everything that we do,” he said from the podium. “I have to take serious issue with that.” The BBC has video. McAfee also announced his new complaints website, The Brown List. (Good usernames are still available, and your complaint can be about anything, not just privacy violations by humongous corporations.)
According to data gathered by Akamai, an analysis from Broadview Networks comes to the conclusion that the top five U.S. states for broadband speed are Virginia (at the top of the list, with an average transfer speed of 13.78 Mbps), Delaware, Massachusetts, Rhode Island, and Washington, with Washington, D.C. slightly edging out the similarly-named state; Alaska comes in dead last. These are average speeds, though, and big states have more variation to account for, including connections in the hinterlands. You could still have a fast connection in Chattanooga, or be stuck on dial-up in the Texas panhandle.
An anonymous reader writes Facebook today revealed details about Autoscale, a system for power-efficient load balancing that has been rolled out to production clusters in its data centers. The company says it has "demonstrated significant energy savings." For those who don't know, load balancing refers to distributing workloads across multiple computing resources, in this case servers. The goal is to optimize resource use, which can mean different things depending on the task at hand.
An anonymous reader writes Mac OS X 10.5 Leopard users recently found that Skype no longer works on their system: despite upgrading to the latest version they still can't sign in. We got in touch with the Microsoft-owned company and after two days, we got confirmation that a solution was in the works. "We have a Skype version for Mac OS X 10.5 users which will soon be available for download," a Skype spokesperson told TNW. Unfortunately, the same can't be said for Windows Phone 7. In a support page titled "Is Skype for Windows Phone 7 being discontinued?," the Microsoft-owned company answers the question with a "yes" and elaborates that it is "permanently retiring all Skype apps for Windows Phone 7." Again, this isn't just old versions going away, or support being removed, but the apps themselves have disappeared.
Nicola Hahn (1482985) writes Kim Zetter of Wired Magazine has recently covered Dan Geer's keynote speech at Black Hat USA. In his lengthy address Geer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.
While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?
Bismillah (993337) writes Yahoo is working on an easy-to-use PGP interface for webmail, the company's chief information security officer Alex Stamos said at Black Hat 2014. This could lead to some interesting standoffs with governments and law enforcement wanting to read people's messages. From the article: "'We are working to design a key server architecture that allows for automatic discovery of public keys within Yahoo.com and other participating mail providers and to integrate encryption into the normal mail flow,' Stamos said."
jfruh writes Not everyone has a job like Homer Simpson, who's been replaced at various times by a brick tied to a lever and a chicken named Queenie. But many IT workers have come up against mind-numbing, repetitive tasks that probably could be automated. So: what do you do about it? Well, the answer depends on how much power you have in an organization and how much your bosses respect your opinion.
An anonymous reader writes After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, 9, or 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support. From the blog post: "Microsoft recommends enabling automatic updates to ensure an up-to-date computing experience—including the latest version of Internet Explorer—and most consumers use automatic updates today. Commercial customers are encouraged to test and accept updates quickly, especially security updates. Regular updates provide significant benefits, such as decreased security risk and increased reliability, and Windows Update can automatically install updates for Internet Explorer and Windows."
wiredmikey writes In a move to bolster the security of its massive global server network, Facebook announced on Thursday it was acquiring PrivateCore, a Palo Alto, California-based cybersecurity startup. PrivateCore says its vCage software transparently secures data in use with full memory encryption for any application, any data, anywhere on standard x86 servers. "I'm really excited that Facebook has entered into an agreement to acquire PrivateCore," Facebook security chief Joe Sullivan wrote in a post to his own Facebook page. "I believe that PrivateCore's technology and expertise will help support Facebook's mission to help make the world more open and connected, in a secure and trusted way," Sullivan said. "Over time, we plan to deploy PrivateCore's technology directly into the Facebook server stack."
OpenSignal, by means of mobile apps for iOS and Android, has been amassing data on Wi-Fi and cell-network signal strength. They released yesterday a few of their findings on the speed of Wi-Fi available at U.S. chain hotels (download speeds, specifically). Though it shouldn't be surprising that (as their data shows) more expensive hotels generally have faster speeds, I know it hasn't always matched my own experience. (Hotel chains also vary, even within brands, in whether the in-room Wi-Fi is free, cheap, or exorbitant.) If the in-room connection is flaky or expensive, though, from the same report it seems you'll do better by popping into a Google-networked Starbucks location than one fed by AT&T, and McDonalds beats Panera Bread by quite a bit.
As TechCrunch reports, Google will begin using website encryption, or HTTPS, as a ranking signal – a move which should prompt website developers who have dragged their heels on increased security measures, or who debated whether their website was “important” enough to require encryption, to make a change. Initially, HTTPS will only be a lightweight signal, affecting fewer than 1% of global queries, says Google. ... Over time, however, encryption’s effect on search ranking [may] strengthen, as the company places more importance on website security. ... While HTTPS and site encryption have been a best practice in the security community for years, the revelation that the NSA has been tapping the cables, so to speak, to mine user information directly has prompted many technology companies to consider increasing their own security measures, too. Yahoo, for example, also announced in November its plans to encrypt its data center traffic.
msm1267 (2804139) writes "Researcher David Litchfield is back at it again, dissecting Oracle software looking for critical bugs. At the Black Hat 2014 conference, Litchfield delivered research on a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities that bypass the data redaction service and trick the system into returning data that should be masked."
itwbennett writes Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.
sciencehabit writes You can credit your existence to tiny wormlike creatures that lived 500 million years ago, a new study suggests. By tunneling through the sea floor, scientists say, these creatures kept oxygen concentrations at just the right level to allow animals and other complex life to evolve. The finding may help answer an enduring mystery of Earth's past. The idea is that as they dug and wiggled, these early multicellular creatures—some were likely worms as long as 40 cm—exposed new layers of seafloor sediment to the ocean's water. Each new batch of sediment that settles onto the sea floor contains bacteria; as those bacteria were exposed to the oxygen in the water, they began storing a chemical called phosphate in their cells. So as the creatures churned up more sediment layers, more phosphate built up in ocean sediments and less was found in seawater. Because algae and other photosynthetic ocean life require phosphate to grow, removing phosphate from seawater reduced their growth. Less photosynthesis, in turn, meant less oxygen released into the ocean. In this way, the system formed a negative feedback loop that automatically slowed the rise in oxygen levels as the levels increased.
lurker412 writes Yesterday, and without previous warning, all Mac users running Leopard or earlier versions of OS X have been locked out of Skype. Those customers are given instructions to update, but following them does not solve the problem. The Skype Community Forum is currently swamped with complaints. A company representative active on the forum said "Unfortunately we don't currently have a build that OS X Leopard (10.5) users could use" but did not answer the question of whether they intend to provide one or not.
New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts has been accumulated by an alleged Russian "crime ring". Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well known SQL injection tactic using a botnet. The information has been made public to coincide with the Black Hat conference to cause a debate about the classic security account and password system weaknesses, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?"
An anonymous reader writes with the news that Hackaday published an article on the poor security of the add-on modules that Tektronix sells at a premium to unlock features in certain of its oscilloscopes. The reader writes: "It has come to the attention of Tek's legal eagles and they now want the article to be taken down. Perhaps they can ask Google to forget that page?"
Advocatus Diaboli (1627651) writes For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement's knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it's also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants.
SSG Booraem (2553474) writes I've recently been hired to an IT supervisor position at a local college. My boss wants me to find some technology conferences that I'd like to attend and submit them to her. Since I've worked in IT for 18 years but usually done scut work, I don't have any ideas. I'd appreciate suggestions with personal experiences.
About six weeks ago, a hole in PayPal's two-factor authentication and their mobile client was discovered. hypnosec (2231454) wrote in with news of another trivial way to bypass PayPal's two-factor authentication. A bug in a feature for eBay integration allows passing a GET parameter to completely bypass two-factor authentication, and you don't even need to be coming from eBay to use it. You still need the password, but the additional protection is lost. From the article: eBay, in conjunction with PayPal, provide a service where you can link your eBay account to your PayPal account, and when you sell something on eBay, the fees automatically come out of your PayPal account. ... When you are redirected to the login page, the URL contains "=_integrated-registration." ... Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login. So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into PayPal. You could repeat the process using the same "=_integrated-registration" page unlimited times.
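The bug class described above, as an added example that is not code from the article, PayPal or eBay: a hypothetical account-linking flow that sets the session straight after the password check without consulting the second factor, beside the fix of routing every login flow through one session-creation chokepoint (all names, the sample user and the one-time code are constructed).

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    password: str                   # constructed sample; store a hash in real code
    otp_code: Optional[str] = None  # expected one-time code; None = 2FA not enrolled

@dataclass
class Session:
    user: str
    token: str = field(default_factory=lambda: secrets.token_hex(16))

class TwoFactorRequired(Exception):
    """Raised when a 2FA-enrolled user tries to log in without a valid code."""

def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password, password)

def verify_otp(user: User, otp: Optional[str]) -> bool:
    # Placeholder: a real service would validate a TOTP/SMS code here.
    return otp is not None and hmac.compare_digest(user.otp_code, otp)

# Vulnerable shape: two entry points, only the primary one consults 2FA.
def vulnerable_login(user: User, password: str, otp: Optional[str] = None):
    if not verify_password(user, password):
        return None
    if user.otp_code and not verify_otp(user, otp):
        raise TwoFactorRequired()
    return Session(user.name)

def vulnerable_integrated_registration(user: User, password: str):
    # Account-linking flow sets the session straight after the password check.
    if not verify_password(user, password):
        return None
    return Session(user.name)            # bug: second factor never checked

# Hardened shape: every flow obtains its session from one chokepoint.
def create_session(user: User, password: str, otp: Optional[str] = None):
    if not verify_password(user, password):
        return None
    if user.otp_code and not verify_otp(user, otp):
        raise TwoFactorRequired()
    return Session(user.name)

def hardened_integrated_registration(user: User, password: str,
                                     otp: Optional[str] = None):
    return create_session(user, password, otp)
```

The defensive lesson is that an audit of every endpoint that issues a session cookie, not only the primary login form, is what catches this shape of bug.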
mask.of.sanity (1228908) writes "A string of documents detailing the operations and effectiveness of the FinFisher suite of surveillance platforms appears to have been leaked. The documents, some dated 4 April this year, detail the anti-virus detection rates of the FinFisher spyware which German-based Gamma Group sold to governments and law enforcement agencies. The dump also reveals Windows 8 users should opt for the Metro version of Skype rather than the desktop client because it cannot be tapped by FinFisher."