
Smartphone Kill Switch, Consumer Boon Or Way For Government To Brick Your Phone?

samzenpus posted about a month and a half ago | from the best-of-both-worlds dept.

Government 299

MojoKid writes: We're often told that having a kill switch in our mobile devices — mostly our smartphones — is a good thing. At a basic level, that's hard to disagree with. If every mobile device had a built-in kill switch, theft would go down — who would waste their time over a device that probably won't work for very long? Here's where the problem lies: It's law enforcement that's pushing so hard for these kill switches. We first learned about this last summer, and this past May, California passed a law that requires smartphone vendors to implement the feature. In practice, if a smartphone has been stolen, or has been somehow compromised, its user or manufacturer would be able to remotely kill off its usability, something that would be reversed once the phone gets back into its rightful owner's hands. However, such functionality should be limited to the device's owner, and no one else. If the owner can disable a phone with nothing but access to a computer or another mobile device, so can Google, Samsung, Microsoft, Nokia or Apple. If the designers of a phone's operating system can brick a phone, guess who else can do the same? Everybody from the NSA to your friendly neighborhood police force, that's who. At most, all they'll need is a convincing argument that they're acting in the interest of "public safety."

Tor Browser Security Under Scrutiny

Soulskill posted about a month and a half ago | from the shouldn't-we-be-funding-this-better dept.

Encryption 80

msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.

Researchers Find Security Flaws In Backscatter X-ray Scanners

Soulskill posted about a month and a half ago | from the raise-your-hand-if-you're-surprised dept.

Security 146

An anonymous reader writes: Researchers from UC San Diego, University of Michigan, and Johns Hopkins say they've found security vulnerabilities in full-body backscatter X-ray machines deployed to U.S. airports between 2009 and 2013. In lab tests, the researchers were able to conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner, plus modify the scanner software so it presents an "all-clear" image to the operator even when contraband was detected. "Frankly, we were shocked by what we found," said lead researcher J. Alex Halderman. "A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."

51% of Computer Users Share Passwords

Unknown Lamer posted about a month and a half ago | from the rm-rf-/-of-shame dept.

Security 117

An anonymous reader writes Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues. The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

Your Phone Can Be Snooped On Using Its Gyroscope

Unknown Lamer posted about a month and a half ago | from the phone-can-be-snooped-on-by-everything dept.

Cellphones 96

stephendavion (2872091) writes: Researchers from Stanford and a defense research group at Rafael will demonstrate a way to spy on smartphones using gyroscopes at the Usenix Security event on August 22, 2014. According to the "Gyrophone: Recognizing Speech From Gyroscope Signals" study, the gyroscopes integrated into smartphones were sensitive enough to enable some sound waves to be picked up, transforming them into crude microphones.

Heartbleed To Blame For Community Health Systems Breach

Soulskill posted about a month and a half ago | from the bet-you-wish-you'd-patched dept.

Security 89

An anonymous reader writes: The Heartbleed vulnerability is the cause of the data breach at Community Health Systems, which resulted in 4.5 million records (containing patient data) being compromised. According to a blog post from TrustedSec, the attackers targeted a vulnerable Juniper router and obtained credentials, which allowed them access to the network's VPN.

C++14 Is Set In Stone

timothy posted about a month and a half ago | from the but-it's-a-soft-stone dept.

Programming 193

jones_supa (887896) writes "Apart from minor editorial tweaks, the ISO C++14 standard can be considered completed. Implementations are already shipping by major suppliers. C++14 is mostly an incremental update over C++11 with some new features like function return type deduction, variable templates, binary literals, generic lambdas, and so on. The official C++14 specification release will arrive later in the year, but for now Wikipedia serves as a good overview of the feature set."

Nuclear Regulator Hacked 3 Times In 3 Years

timothy posted about a month and a half ago | from the once-a-year-to-keep-in-practice dept.

Government 66

mdsolar (1045926) writes with this disconcerting story from CNet about security breaches at the U.S. Nuclear Regulatory Commission, revealed in a new report to have been compromised three times in the last three years: The body that governs America's nuclear power providers said in an internal investigation that two of the hacks are suspected to have come from unnamed foreign countries, the news site Nextgov reported based on a Freedom of Information Act request. The source of the third hack could not be identified because the logs of the incident had been destroyed, the report said. Hackers, often sponsored by foreign governments, have targeted the US more frequently in recent years. A report (PDF) on attacks against government computers noted that there was a 35 percent increase between 2010 and 2013.

Intruders used common hacking techniques to get at the NRC's computers. One attack linked to a foreign country or individual involved phishing emails that coerced NRC employees into submitting their login credentials. The second one linked to a foreign government or individual used spearphishing, or emails targeted at specific NRC employees, to convince them to click a link that led to a malware site hosted on Microsoft's cloud storage site SkyDrive, now called OneDrive. The third attack involved breaking into the personal account of an NRC employee. After sending a malicious PDF attachment to 16 other NRC employees, one person was infected with malware.

AMD Launches Radeon R7 Series Solid State Drives With OCZ

timothy posted about a month and a half ago | from the brand-awareness dept.

Data Storage 64

MojoKid (1002251) writes: AMD is launching a new family of products today, but unless you follow the rumor mill closely, it's probably not something you'd expect. It's not a new CPU, APU, or GPU. Today, AMD is launching its first line of solid state drives (SSDs), targeted squarely at AMD enthusiasts. AMD is calling the new family of drives the Radeon R7 Series SSD, similar to its popular mid-range line of graphics cards. The new Radeon R7 Series SSDs feature OCZ and Toshiba technology, but with a proprietary firmware geared towards write performance and high endurance. Open up one of AMD's new SSDs and you'll see OCZ's Indilinx Barefoot 3 M00 controller on board—the same controller used in the OCZ Vector 150, though it is clocked higher in these drives. That controller is paired to A19nm Toshiba MLC (Multi-Level Cell) NAND flash memory and a DDR3-1333MHz DRAM cache. The 120GB and 240GB drives sport 512MB of cache memory, while the 480GB model will be outfitted with 1GB. Interestingly enough, AMD Radeon R7 Series SSDs are some of the all-around highest-performing SATA SSDs tested to date. IOPS performance is among the best seen in a consumer-class SSD, write throughput and access times are highly competitive across the board, and the drive offered consistent performance regardless of the data type being transferred. Read performance is also strong, though not quite as stand-out as write performance.

Research Unveils Improved Method To Let Computers Know You Are Human

Unknown Lamer posted about a month and a half ago | from the until-computers-improve dept.

Security 91

An anonymous reader writes: CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. Researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location. The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. The game-like nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs. There are a couple of research papers available: "A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks and Usability" and "Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming."

Hackers Steal Data Of 4.5 Million US Hospital Patients

Unknown Lamer posted about a month and a half ago | from the security-through-whoops dept.

Security 111

itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.

Linux Kernel Git Repositories Add 2-Factor Authentication

samzenpus posted about a month and a half ago | from the locking-things-down dept.

Security 49

LibbyMC writes: For a few years now Linux kernel developers have followed a fairly strict authentication policy for those who commit directly to the git repositories housing the Linux kernel. Each is issued their own ssh private key, which then becomes the sole way for them to push code changes to the git repositories hosted at kernel.org. While using ssh keys is much more secure than just passwords, there are still a number of ways for ssh private keys to fall into malicious hands. So they've further tightened access requirements with two-factor authentication using YubiKeys.

Daimler's Solution For Annoying Out-of-office Email: Delete It

samzenpus posted about a month and a half ago | from the keep-your-away-messages-to-yourself dept.

Businesses 232

AmiMoJo writes Sure, you can set an out-of-office auto-reply to let others know they shouldn't email you, but that doesn't usually stop the messages; you may still have to handle those urgent-but-not-really requests while you're on vacation. That's not a problem if you work at Daimler, though. The German automaker recently installed software that not only auto-replies to email sent while staff is away, but deletes it outright.

Windows 8.1 Update Crippling PCs With BSOD, Microsoft Suggests You Roll Back

samzenpus posted about a month and a half ago | from the back-to-the-old dept.

Bug 304

MojoKid writes: Right on schedule, Microsoft rolled out an onslaught of patches for its "Patch Tuesday" last week, and despite the fact that it wasn't the true "Update 2" for Windows 8.1 many of us were hoping for, updates are generally worth snatching up. Since the patch rollout, it's been discovered that four individual updates are causing random BSoD issues for its users, with KB2982791, a kernel-mode related driver, being the biggest culprit. Because of the bug's severity, Microsoft is recommending that anyone who updated go and uninstall a couple of the specific updates, or roll back using Windows Restore. You can uninstall these updates in much the same way you uninstall any app; the difference is that once you're in the "Programs and Features" section, you'll need to click on "View installed updates" on the left. While it's mostly recommended that you uninstall 2982791, you may wish to uninstall the others as well, just in case.

New Cridex Malware Copies Tactics From GameOver Zeus

samzenpus posted about a month and a half ago | from the imitation-is-the-sincerest-form-of-flattery dept.

Security 18

Trailrunner7 writes The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM's X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ's penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

"There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we've witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators," Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.

Companies That Don't Understand Engineers Don't Respect Engineers

Soulskill posted about a month and a half ago | from the if-you-aren't-part-of-the-solution,-you're-part-of-the-precipitate dept.

Businesses 371

An anonymous reader writes Following up on a recent experiment into the status of software engineers versus managers, Jon Evans writes that the easiest way to find out which companies don't respect their engineers is to learn which companies simply don't understand them. "Engineers are treated as less-than-equal because we are often viewed as idiot savants. We may speak the magic language of machines, the thinking goes, but we aren't business people, so we aren't qualified to make the most important decisions. ... Whereas in fact any engineer worth her salt will tell you that she makes business decisions daily–albeit on the micro not macro level–because she has to in order to get the job done. Exactly how long should this database field be? And of what datatype? How and where should it be validated? How do we handle all of the edge cases? These are in fact business decisions, and we make them, because we're at the proverbial coal face, and it would take forever to run every single one of them by the product people and sometimes they wouldn't even understand the technical factors involved. ... It might have made some sense to treat them as separate-but-slightly-inferior when technology was not at the heart of almost every business, but not any more."

Ask Slashdot: How Dead Is Antivirus, Exactly?

Soulskill posted about a month and a half ago | from the deader-than-an-arbitrarily-dead-thing dept.

Security 331

Safensoft writes: Symantec recently made a loud statement that antivirus is dead and that they don't really consider it to be a source of profit. Some companies said the same afterwards; some others suggested that Symantec just wants a bit of free media attention. The press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan, and how only 40% of its versions can be stopped by antivirus software. The arms race between malware authors and security companies is unlikely to stop.

On the other hand, experts' opinions of antivirus software have been low for a while, so it's hardly surprising. It's not a panacea. The only question that remains is: how exactly should antivirus operate in modern security solutions? Should it be one of the key parts of a protection solution, or should it be reduced to only stopping the easiest and most well-known threats?

Threats aren't the only issue — there are also performance concerns. Processors get better, and interaction with hard drives becomes faster, but at the same time antivirus solutions require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing – as long as antivirus is thorough, productivity while using a computer goes down severely. This situation is not going to change, ever, so we have to deal with it. But how, exactly? Is a massive migration of everything, from workstations to automatic control systems in industry, even possible? Is using whitelisting protection on Windows-based machines the answer? Or should we all just sit and hope for Microsoft to give us a new Windows with good integrated protection? Are there any other ways to deal with it?

Google Brings Chrome OS User Management To Chrome

timothy posted about a month and a half ago | from the whaddya-mean-you-can't-do-that-in-a-web-browser? dept.

Chrome 68

An anonymous reader writes "Google is toying with a complete revamp of the user account system in its browser. Google is essentially pulling the user management system from Chrome OS back into Chrome. The company's thinking is likely two-layered. First, it wants users to stay in the browser for as long as possible, and thus it wants the switching process to be part of Chrome as opposed to Windows, Mac, or Linux. Second, if it can teach users to have accounts in Chrome (as well as use incognito and guest modes), the learning curve will have been flattened for when they encounter Chrome OS."

Supervalu Becomes Another Hacking Victim

Soulskill posted about a month and a half ago | from the another-day-another-breach dept.

Security 27

plover sends this news about another possible exposure of customer data: Supervalu is the latest retailer to experience a data breach, announcing today that cybercriminals had accessed payment card transactions at some of its stores. The Minneapolis-based company said it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores. There was no confirmation that any cardholder data was in fact stolen and no evidence the data was misused, according to the company. The event occurred between June 22 and July 17, 2014 at 180 Supervalu stores and stand-alone liquor stores. Affected banners include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy.

Watch a Cat Video, Get Hacked: the Death of Clear-Text

Soulskill posted about a month and a half ago | from the internet-doomed dept.

Security 166

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

The Billion-Dollar Website

Soulskill posted about a month and a half ago | from the get-what-you-paid-for-minus-a-billion-dollars dept.

Government 194

stoborrobots writes: The Government Accountability Office has investigated the cost blowouts associated with how the Centers for Medicare & Medicaid Services (CMS) handled the Healthcare.gov project. It has released a 60-page report entitled Healthcare.gov: Ineffective Planning and Oversight Practices Underscore the Need for Improved Contract Management, with a 5 page summary. The key takeaway messages are:

  • CMS undertook the development of Healthcare.gov and its related systems without effective planning or oversight practices...
  • [The task] was a complex effort with compressed time frames. To be expedient, CMS issued task orders ... when key technical requirements were unknown...
  • CMS identified major performance issues ... but took only limited steps to hold the contractor accountable.
  • CMS awarded a new contract to another firm [and the new contract's cost has doubled] due to changes such as new requirements and other enhancements...

US Defense Contractors Still Waiting For Breach Notification Rules

samzenpus posted about a month and a half ago | from the a-little-while-longer dept.

United States 19

An anonymous reader writes: US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD. This particular requirement was mandated by the US Congress last year, in an attempt to get a clear view of the type and frequency of attacks contractors face. The US Congress will require "cleared defense contractors" — i.e. those who have been granted clearance by the DoD to access, receive, or store classified information — to effect a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.

Can Our Computers Continue To Get Smaller and More Powerful?

timothy posted about a month and a half ago | from the where-is-the-orchard-of-low-hanging-fruit? dept.

Upgrades 151

aarondubrow (1866212) writes In a [note, paywalled] review article in this week's issue of the journal Nature (described in a National Science Foundation press release), Igor Markov of the University of Michigan/Google reviews limiting factors in the development of computing systems to help determine what is achievable, in principle and in practice, using today's and emerging technologies. "Understanding these important limits," says Markov, "will help us to bet on the right new techniques and technologies." Ars Technica does a great job of expanding on the various limitations that Markov describes, and the ways in which engineering can push back against them.

Google Expands Safe Browsing To Block Unwanted Downloads

timothy posted about a month and a half ago | from the now-you-can-turn-off-adblock dept.

Google 106

An anonymous reader writes "Google today announced it is expanding its Safe Browsing service to protect users against malware that makes unexpected changes to your computer. Google says it will show a warning in Chrome whenever an attempt is made to trick you into downloading and installing such software. In the case of malware, PUA stands for Potentially Unwanted Application, which is also sometimes called Potentially Unwanted Program or PUP. In short, the broad terms encompass any downloads that the user does not want, typically because they display popups, show ads, install toolbars in the default browser, change the homepage or the search engine, run several processes in the background that slow down the PC, and so on."

Microsoft Black Tuesday Patches Bring Blue Screens of Death

timothy posted about a month and a half ago | from the but-wait-for-the-patch dept.

Bug 179

snydeq (1272828) writes "Two of Microsoft's kernel-mode driver updates — which often cause problems — are triggering a BSOD error message on some Windows systems, InfoWorld reports. 'Details at this point are sparse, but it looks like three different patches from this week's Black Tuesday crop are causing Blue Screens with a Stop 0x50 error on some systems. If you're hitting a BSOD, you can help diagnose the problem (and perhaps prod Microsoft to find a solution) by adding your voice to the Microsoft Answers Forum thread on the subject.'"

The Biggest iPhone Security Risk Could Be Connecting One To a Computer

timothy posted about a month and a half ago | from the seems-an-obvious-hole dept.

IOS 72

angry tapir (1463043) writes Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect. Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled. The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

Ryan Lackey, Marc Rogers Reveal Inexpensive Tor Router Project At Def Con

timothy posted about a month and a half ago | from the widespread-and-easy-are-tightly-linked dept.

Communications 38

An anonymous reader writes: Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It "provides always-on Tor routing, as well as 'pluggable' transport for Tor that can hide the service's traffic signature from some deep packet inspection systems." In essence, PORTAL is a travel router that the user simply plugs into their existing device for more than basic Tor protection (counterpoint to PogoPlug Safeplug and Onion Pi). On the down side, you have to download PORTAL from Github and flash it "onto a TP-Link compatible packet router." The guys behind the device acknowledge that not many people may want to (or even know how to) do that, so they're asking everyone to stand by because a solution is pending. The project's GitHub page has a README file that lists compatible models, with some caveats: "It is highly recommended to use a modified router. The modified MR11U and WR703N provide a better experience than the stock routers due to the additional RAM. The severe space constraints of the stock router make them very challenging to work with. Due to the lack of usable space, it is necessary to use an external disk to store the Tor packages. The stock router has only a single USB port, and the best option is to use a microSD in a 3G modem." (Note: Lackey is no stranger to helping people secure internet privacy.)

DEFCON's Latest Challenge: Hacking Altruism

Soulskill posted about a month and a half ago | from the teach-a-man-to-phish dept.

Security 47

jfruh writes: A casual observer at the latest DEFCON conference in Las Vegas might not have noticed much change from last year — still tons of leather, piercing, and body art, still groups of men gathered in darkened ballrooms furiously typing commands. But this year there's a new focus: hacking not just for the lulz, but focusing specifically on highlighting computer security problems that have the potential to do real-world physical harm to human beings.

Password Gropers Hit Peak Stupid, Take the Spamtrap Bait

Unknown Lamer posted about a month and a half ago | from the bad-strategy dept.

Security 100

badger.foo (447981) writes Peter Hansteen reports that a new distributed and slow-moving password guessing effort is underway, much like the earlier reports, but this time with a twist: The users they are trying to access do not exist. Instead, they're taken from the bsdly.net spamtrap address list, where all listed email addresses are guaranteed to be invalid in their listed domains. There is a tiny chance that this is an elaborate prank or joke, but it's more likely that via excessive automation, the password gropers have finally hit Peak Stupid.

Samsung Announces Galaxy Alpha Featuring Metal Frame and Rounded Corners

Unknown Lamer posted about a month and a half ago | from the strange-sense-of-deja-vu dept.

Cellphones 220

mrspoonsi (2955715) writes with word that Samsung is hopping on the metal case and rounded corners design bandwagon. From the article: Samsung says a metal frame and curved corners give the Galaxy Alpha a "sophisticated" look. The South Korean company describes the Galaxy Alpha as representing a "new design approach". The firm has previously been criticised for the plastic feel of its handsets at a time when other firms have opted to use materials marketed as having a "premium" feel. Samsung Electronics saw a 20% year-on-year drop in its last quarter's profit. The phone features 2G of RAM, a 4.7" AMOLED display, and either an 8-core Exynos 5 or 4-core Snapdragon 801.

A Look At Advanced Targeted Attacks Through the Lens of a Human-Rights NGO

Unknown Lamer posted about a month and a half ago | from the shotgun-network-intrusion dept.

Security 25

An anonymous reader writes: New research was released on cyber-attacks against the human-rights NGO World Uyghur Congress over a period of four years. The academic analysis was conducted through the lens of a human-rights NGO representing a minority living in China and in exile, whereas most targeted-attack reports concern large organizations with apparent or actual financial or IP theft, unlike WUC, and are produced by commercial entities rather than academics. The attacks were a combination of sophisticated social engineering via email written primarily in the Uyghur language, in some cases through compromised WUC email accounts, and with advanced malware embedded in attached documents. Suspicious emails were sent to more than 700 different email addresses, including WUC leaders as well as journalists, politicians, academics and employees of other NGOs (including Amnesty International and Save Tibet — International Campaign for Tibet). The study will be presented at USENIX on August 21, and the full paper is already available.

The Quiet Before the Next IT Revolution

Soulskill posted about a month and a half ago | from the before-the-AIs-violently-revolt dept.

IT 145

snydeq writes: Now that the technologies behind our servers and networks have stabilized, IT can look forward to a different kind of constant change, writes Paul Venezia. "In IT, we are actually seeing a bit of stasis. I don't mean that the IT world isn't moving at the speed of light — it is — but the technologies we use in our corporate data centers have progressed to the point where we can leave them be for the foreseeable future without worry that they will cause blocking problems in other areas of the infrastructure. What all this means for IT is not that we can finally sit back and take a break after decades of turbulence, but that we can now focus less on the foundational elements of IT and more on the refinements. ... In essence, we have finally built the transcontinental railroad, and now we can use it to completely transform our Wild West."

Getting IT Talent In Government Will Take Culture Change, Says Google Engineer

Soulskill posted about a month and a half ago | from the optimizing-for-the-wrong-thing dept.

Government 166

dcblogs writes: Mikey Dickerson, a site reliability engineer at Google, who was appointed Monday by the White House as the deputy federal CIO, will lead efforts to improve U.S. Websites. Dickerson, who worked on the Healthcare.gov rescue last year, said that one issue the government needs to fix is its culture. In describing his experience on the Healthcare.gov effort, he said the workplace was "not one that is optimized to get good work out of engineers." It was a shirt-and-tie environment, and while Dickerson said cultural issues may sound superficial, they are still real. "You don't have to think that the engineers are the creative snowflakes and rock stars that they think they are, you don't have to agree with any of that," Dickerson said in a recent conference presentation posted online. "I'm just telling you that's how they think of themselves, and if you want access to more of them, finding a way to deal with that helps a lot." Engineers want to make a difference, Dickerson said, and he has collected the names of more than 140 engineers who would be willing to take unpaid leave from their jobs to work on a meaningful project.

Gmail Now Rejects Emails With Misleading Combinations of Unicode Characters

Soulskill posted about a month and a half ago | from the we-look-forward-to-being-caught-in-your-new-web dept.

Communications 79

An anonymous reader writes: Google today announced it is implementing a new effort to thwart spammers and scammers: the open standard known as Unicode Consortium's "Highly Restricted" specification. In short, Gmail now rejects emails from domains that use what the Unicode community has identified as potentially misleading combinations of letters. The news today follows Google's announcement last week that Gmail has gained support for accented and non-Latin characters. The company is clearly okay with international domains, as long as they aren't abused to trick its users.

Study: Firmware Plagued By Poor Encryption and Backdoors

Soulskill posted about a month and a half ago | from the how-the-sausage-is-made dept.

Security 141

itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.

Errata Prompts Intel To Disable TSX In Haswell, Early Broadwell CPUs

Soulskill posted about a month and a half ago | from the somebody-is-getting-fired dept.

Intel 131

Dr. Damage writes: The TSX instructions built into Intel's Haswell CPU cores haven't become widely used by everyday software just yet, but they promise to make certain types of multithreaded applications run much faster than they can today. Some of the savviest software developers are likely building TSX-enabled software right about now. Unfortunately, that work may have to come to a halt, thanks to a bug—or "errata," as Intel prefers to call them—in Haswell's TSX implementation that can cause critical software failures. To work around the problem, Intel will disable TSX via microcode in its current CPUs — and in early Broadwell processors, as well.

Ask Slashdot: Why Are Online Job Applications So Badly Designed?

timothy posted about 1 month ago | from the no-one-asked-jakob-nielsen dept.

Security 278

First time accepted submitter GreyViking (3606993) writes Over the past few years, I've witnessed a variety of my intelligent but largely non-technical nearest-and-dearest struggling to complete online job applications. The majority of these online forms are multiple screens long, and because they're invariably HTTPS, they'll time out after a finite time which isn't always made known to the user. Some sites actively disable back/forward buttons but many don't, and text that's sometimes taken a lot of effort to compile, cut and paste can be lost. And did I mention text input boxes that are too small? Sometimes it seems that the biggest obstacle to getting a job can be being able to conquer the online application, and really, there has to be a better way: but what is it?

The Technologies Changing What It Means To Be a Programmer

samzenpus posted about 1 month ago | from the keeping-up-with-the-times dept.

Programming 294

snydeq writes Modern programming bears little resemblance to the days of assembly code and toggles. Worse, or perhaps better, it markedly differs from what it meant to be a programmer just five years ago. While the technologies and tools underlying this transformation can make development work more powerful and efficient, they also make developers increasingly responsible for facets of computing beyond their traditional domain, thereby concentrating a wider range of roles and responsibilities into leaner, more overworked staff.

Silicon Valley Doesn't Have an Attitude Problem, OK?

samzenpus posted about 1 month ago | from the high-horse dept.

Businesses 262

Nerval's Lobster writes: In Silicon Valley they think differently, and if that leads to arrogance, so be it. At least that's what Bloomberg Businessweek's Joel Stein implies in his long meditation on the area's outlook on technology, money and changing the world. Stein set out to examine the underlying notion that Silicon Valley's and San Francisco's tech entrepreneurs are feeding a backlash by being, in a word, jerks. His conclusion seems to be that they may well be jerks, but they're misunderstood jerks. He doesn't deny that there's sexism and boorishness at play in the young tech community, but he sees the industry trying to make itself better. He sees a lot of egotism at work, too, but he says if you're setting out to change the world, you're probably going to need a big ego to do it. But tell that to other people in Northern California: undoubtedly, you've read about the tempest in San Francisco recently, where urban activists are decrying the influx of highly paid tech professionals, who they argue are displacing residents suddenly unable to keep up with skyrocketing rents.

Hackers Demand Automakers Get Serious About Security

samzenpus posted about 2 months ago | from the lock-it-down dept.

Security 120

wiredmikey writes: In an open letter to Automotive CEOs, a group of security researchers has called on automobile industry executives to implement five security programs to improve car safety and build cyber-security safeguards inside the software systems powering various features in modern cars. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation. Vehicles are "computers on wheels," said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group who penned the letter (PDF). The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.

DARPA Wants To Kill the Password

samzenpus posted about 2 months ago | from the at-least-zero-characters-long dept.

United States 383

jfruh writes Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.

Memo to Users: SpamCop Winding Down Webmail Service

timothy posted about 2 months ago | from the not-the-whole-company-mind-you dept.

Spam 44

LuserOnFire (175383) writes with word that on Saturday SpamCop users received an email that says in part: "For over 12 years, Corporate Email Services has been partnering with SpamCop to provide webmail service with spam filtering via the SpamCop Email System for our users. Back then, spam filtering was rare. We heard story after story about how our service rescued people from unfiltered email. Nowadays, webmail service with spam filtering has become the norm in the general public. As such, the need for the webmail service with SpamCop filtered email has decreased. Due to these reasons, we have decided to retire the SpamCop Email System and its webmail service; while SpamCop will continue to focus on providing the World's best spam reporting platform and blacklist for the community. As of September 30, 2014 (Tuesday) 6pm ET, the current SpamCop Email service will be converted to email forwarding-only with spam filtered by SpamCop for all existing SpamCop Email users."

Connected Collar Lets Your Cat Do the War-Driving

timothy posted about 2 months ago | from the wifi-password-|"pl[\'as[cnp dept.

Security 110

MojoKid (1002251) writes "Security researcher Gene Bransfield, with the help of his wife's grandmother's cat, decided to see how many neighborhood WiFi access points he could map and potentially compromise. With a collar loaded with a Spark chip, a Wi-Fi module, a GPS module, and a battery, Coco the cat helped Gene identify Wi-Fi networks around the neighborhood and then reported back. The goal here is obvious: Discover all of the unsecured, or at least poorly-secured, wireless access points around the neighborhood. During his journey, Coco identified dozens of Wi-Fi networks, with four of them using easily-broken WEP security, and another four that had no security at all. Gene has dubbed his collar the "WarKitteh", and it cost him less than $100 to make. He admits that such a collar isn't a security threat, but more of a goofy hack. Of course, it could be used for shadier purposes." (Here's Wired's article on the connected cat-collar.)

NVIDIA Tegra K1: First Mobile Chip With Hardware-Accelerated OpenCL

timothy posted about 2 months ago | from the bragging-rights dept.

Graphics 52

New submitter shervinemami writes (starting with a pretty big disclaimer: "I'm an Engineer at NVIDIA.") The latest CompuBench GPU benchmarks show NVIDIA's Tegra K1 running whole OpenCL algorithms around 5x faster than any other mobile device, and individual instructions around 20x faster! This huge jump is because mobile companies have been saying they support OpenCL on mobile devices since early 2013, but what they don't mention is that they only have software API support, not hardware-accelerated OpenCL running faster on their GPUs than CPUs. Now that NVIDIA's Tegra-K1 chip has started shipping in devices and thus is available for full benchmarking, it is clearly the only mobile chip that actually gives you proper hardware-accelerated OpenCL (and CUDA of course!). The K1 is also what's in Google's Project Tango 3-D mapping tablet.

Wiring Programmers To Prevent Buggy Code

timothy posted about 2 months ago | from the stop-thinking-about-my-clairvoyance dept.

Bug 116

mikejuk (1801200) writes "Microsoft Researcher Andrew Begel, together with academic and industry colleagues, has been trying to detect when developers are struggling as they work, in order to prevent bugs before they are introduced into code. A paper presented at the 36th International Conference on Software Engineering reports on a study conducted with 15 professional programmers to see how well an eye-tracker, an electrodermal activity (EDA) sensor, and an electroencephalography (EEG) sensor could be used to predict whether developers would find a task difficult. Difficult tasks are potential bug generators, and finding a task difficult is the programming equivalent of going to sleep at the wheel. Going beyond this initial investigation, researchers now need to decide how to support developers who are finding their work difficult. What isn't known yet is how developers will react if their actions are approaching bug-potential levels and an intervention is deemed necessary. Presumably the nature of the intervention also has to be worked out. So next time you sit down at your coding station, consider that in the future they may be wanting to wire you up just to make sure you aren't a source of bugs. And what could possibly be the intervention?"

Silent Circle's Blackphone Exploited at Def Con

timothy posted about 2 months ago | from the outharshing-one-another dept.

Security 46

Def Con shows no mercy. As gleefully reported by several Blackberry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com's linked report: "However, one of the vulnerabilities has already been patched and the other only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities." Case reacts via Twitter to the crowing: "Hey BlackBerry idiots, stop misquoting me on your blogs. Your phone is only "secure" because it has few users and little value as a target."

John McAfee Airs His Beefs About Privacy In Def Con Surprise Talk

timothy posted about 2 months ago | from the now-take-larry-ellison dept.

Privacy 124

John McAfee made a surprise appearance at Def Con to talk about privacy: he's for it. Trouble is, he says, lots of companies feel otherwise, and he took the stage to single out "don't be evil" Google: “Google, or at least certain people within Google, I will not mention names because I am not a rude gentleman, would like us to believe that if we have nothing to hide, we should not mind if everybody knows everything that we do,” he said from the podium. “I have to take serious issue with that.” The BBC has video. McAfee also announced his new complaints website, The Brown List. (Good usernames are still available, and your complaint can be about anything, not just privacy violations by humongous corporations.)

For Fast Internet in the US, Virginia Tops the Charts

timothy posted about 2 months ago | from the averages-verses-actuals dept.

United States 98

According to data gathered by Akamai, an analysis from Broadview Networks comes to the conclusion that the top five U.S. states for broadband speed are Virginia (at the top of the list, with an average transfer speed of 13.78 Mbps), Delaware, Massachusetts, Rhode Island, and Washington, with Washington, D.C. slightly edging out the similarly-named state; Alaska comes in dead last. These are average speeds, though, and big states have more variation to account for, including connections in the hinterlands. You could still have a fast connection in Chattanooga, or be stuck on dial-up in the Texas panhandle.

How Facebook Is Saving Power By 10-15% Through Better Load Balancing

timothy posted about 2 months ago | from the 10-percent-at-web-scale dept.

Power 54

An anonymous reader writes Facebook today revealed details about Autoscale, a system for power-efficient load balancing that has been rolled out to production clusters in its data centers. The company says it has "demonstrated significant energy savings." For those who don't know, load balancing refers to distributing workloads across multiple computing resources, in this case servers. The goal is to optimize resource use, which can mean different things depending on the task at hand.

Skype Reverses Decision To Drop OS X 10.5 Support, Retires Windows Phone 7 App

timothy posted about 2 months ago | from the nobody-worth-spying-on-with-windows-7-it-seems dept.

Communications 99

An anonymous reader writes Mac OS X 10.5 Leopard users recently found that Skype no longer works on their system: despite upgrading to the latest version they still can't sign in. We got in touch with the Microsoft-owned company and after two days, we got confirmation that a solution was in the works. "We have a Skype version for Mac OS X 10.5 users which will soon be available for download," a Skype spokesperson told TNW. Unfortunately, the same can't be said for Windows Phone 7. In a support page titled "Is Skype for Windows Phone 7 being discontinued?," the Microsoft-owned company answers the question with a "yes" and elaborates that it is "permanently retiring all Skype apps for Windows Phone 7." Again, this isn't just old versions going away, or support being removed, but the apps themselves have disappeared.
