We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!
An anonymous reader sends this quote from TechDirt:
As a string of whistle blowers like former AT&T employee Mark Klein have made clear abundantly clear, the line purportedly separating intelligence operations from the nation's incumbent phone companies was all-but obliterated long ago. As such, it's relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers "end-to-end" encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.
Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.
145 comments | yesterday
angry tapir writes: If you patched your sites against a serious SSL flaw discovered in October you will have to check them again. Researchers have discovered that the POODLE vulnerability also affects implementations of the newer TLS protocol. The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows attackers who manage to intercept traffic between a user's browser and an HTTPS website to decrypt sensitive information, like the user's authentication cookies.
54 comments | about a week ago
Nicola Hahn writes Over the course of the Snowden revelations there have been a number of high profile figures who've praised the merits of encryption as a remedy to the quandary of mass interception. Companies like Google and Apple have been quick to publicize their adoption of cryptographic countermeasures in an effort to maintain quarterly earnings. This marketing campaign has even convinced less credulous onlookers like Glenn Greenwald. For example, in a recent Intercept piece, Greenwald claimed:
"It is well-established that, prior to the Snowden reporting, Silicon Valley companies were secret, eager and vital participants in the growing Surveillance State. Once their role was revealed, and they perceived those disclosures threatening to their future profit-making, they instantly adopted a PR tactic of presenting themselves as Guardians of Privacy. Much of that is simply self-serving re-branding, but some of it, as I described last week, are genuine improvements in the technological means of protecting user privacy, such as the encryption products now being offered by Apple and Google, motivated by the belief that, post-Snowden, parading around as privacy protectors is necessary to stay competitive."
So, while he concedes the role of public relations in the ongoing cyber security push, Greenwald concurrently believes encryption is a "genuine" countermeasure. In other words, what we're seeing is mostly marketing hype... except for the part about strong encryption.
With regard to the promise of encryption as a privacy cure-all, history tells a markedly different story. Guarantees of security through encryption have often proven illusory, a magic act. Seeking refuge in a technical quick fix can be hazardous for a number of reasons.
103 comments | about two weeks ago
product_bucket writes: The UK's radio regulator, Ofcom, today published changes in the licensing conditions that remove the mandatory 15-minute callsign ID interval on all allocated frequencies apart from 5MHz, where special conditions remain. In its place, a requirement for the station to be "clearly identifiable at all times" has been made, along with a requirement to transmit the station callsign "as frequently as is practicable" in a form consistent with the operating mode. The decision also permits the use of encryption (PDF) when the station is being used for, or on behalf of a user service such as St. John Ambulance. Unusually, no response to the consultation (PDF) has been made available, so there is at present no way to assess the extent to which the changes were based on actual responses.
57 comments | about two weeks ago
An anonymous reader sends this report from The Verge: Senator Ron Wyden (D-OR) is trying to proactively block FBI head James Comey's request for new rules that make tapping into devices easier. The Secure Data Act would ban agencies from making manufacturers alter their products to allow easier surveillance or search, something Comey has said is necessary as encryption becomes more common and more sophisticated. "Strong encryption and sound computer security is the best way to keep Americans' data safe from hackers and foreign threats," said Wyden in a statement. "It is the best way to protect our constitutional rights at a time when a person's whole life can often be found on his or her smartphone."
109 comments | about two weeks ago
gurps_npc writes Any password policy sufficiently complex to be secure is too complex to remember so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6 number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?
247 comments | about two weeks ago
An anonymous reader writes Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the "S" in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web. The paper pinpoints also the cost of encryption, that manifests itself through increases in the page loading time that go above 50%, and possible increase in battery usage. However, the major loss due to the "S" is the inability to offer any in-network value added services, that are offered by middle-boxes, such as caching, proxying, firewalling, parental control, etc. Are we ready to accept it? (Presentation can be downloaded from here.)
238 comments | about two weeks ago
KentuckyFC writes: One of the big applications for quantum computers is finding the prime factors of large numbers, a technique that can help break most modern cryptographic codes. Back in 2012, a team of Chinese physicists used a nuclear magnetic resonance quantum computer with 4 qubits to factor the number 143 (11 x 13), the largest quantum factorization ever performed. Now a pair of mathematicians say the technique used by the Chinese team is more powerful than originally thought. Their approach is to show that the same quantum algorithm factors an entire class of numbers with factors that differ by 2 bits (like 11 and 13). They've already discovered various examples of these numbers, the largest so far being 56153. So instead of just factoring 143, the Chinese team actually quantum factored the number 56153 (233 x 241, which differ by two bits when written in binary). That's the largest quantum factorization by some margin. The mathematicians point out that their discovery will not help code breakers since they'd need to know in advance that the factors differ by 2 bits, which seems unlikely. What's more, the technique relies on only 4 qubits and so can be easily reproduced on a classical computer.
62 comments | about two weeks ago
Cognitive Dissident writes The Register has a story about federal prosecutors using a law signed by George Washington to force manufacturers to help law enforcement access encrypted data on devices they manufacture. The All Writs Act is a broad statute simply authorizing courts to issue any order necessary to obtain information within their jurisdiction. Quoting the Register article: "Last month, New York prosecutors successfully persuaded a judge that the ancient law could be used to force an unnamed smartphone manufacturer to help unlock a phone allegedly used in a credit card fraud case. The judge ordered the manufacturer to offer 'reasonable technical assistance' to make the phone's contents available." What will happen when this collides with Apple and Google deliberately creating encryption that they themselves cannot break?
446 comments | about two weeks ago
angry tapir writes BlackBerry is now free to integrate German security vendor Secusmart's voice encryption technology in its smartphones and software, after the German government approved its acquisition of the company. BlackBerry CEO John Chen still wants his company to be the first choice of CIOs that want nothing but the best security as he works to turn around the company's fortunes.
27 comments | about two weeks ago
rastos1 writes Four years ago Jim Sanborn, the sculptor who created the wavy metal pane called Kryptos that sits in front of the CIA in Langley revealed a clue for breaking the last remaining part of the encrypted message on Kryptos. The clue was: BERLIN. But the puzzle resisted all all decryption efforts and is still unsolved. To honor the 25th anniversary of the Wall's demise and the artist's 69th birthday this year, Sanborn has decided to reveal a new clue to help solve his iconic and enigmatic artwork. It's only the second hint he's released since the sculpture was unveiled in 1990 and may finally help unlock the fourth and final section of the encrypted sculpture, which frustrated sleuths have been struggling to crack for more than two decades. The next word in the sequence is: "clock."
50 comments | about three weeks ago
Nicola Hahn writes In his latest Intercept piece Glenn Greenwald considers the recent defeat of the Senate's USA Freedom Act. He remarks that governments "don't walk around trying to figure out how to limit their own power." Instead of appealing to an allegedly irrelevant Congress Greenwald advocates utilizing the power of consumer demand to address the failings of cyber security. Specifically he argues that companies care about their bottom line and that the trend of customers refusing to tolerate insecure products will force companies to protect user privacy, implement encryption, etc. All told Greenwald's argument is very telling: that society can rely on corporate interests for protection. Is it true that representative government is a lost cause and that lawmakers would never knowingly yield authority? There are people who think that advising citizens to devolve into consumers is a dubious proposition.
157 comments | about a month ago
An anonymous reader writes The team over at the BITCOMSEC (Bitcoin Community Security) project released a second part to their 'Tracking a Bitcoin Thief' series in which they disclose what happened to a once-rising alternate crypto currency project that promised to place guaranteed value of its MidasCoins by backing it with actual Gold. Dealing with the reality of user compromise, the projects founder ups and runs away with all of the communities coins; cashing them out at an exchange for Bitcoins. A sobering tale of trust issues within the alternate crypto currency community. (The first part is interesting, too.)
46 comments | about a month ago
An anonymous reader writes So for a variety of reasons (some related to recent events, some ongoing for a while) I've kinda soured on Linux and have been looking at giving BSD a shot on the desktop. I've been a Gentoo user for many years and am reasonably comfortable diving into stuff, so I don't anticipate user friendliness being a show stopper. I suspect it's more likely something I currently do will have poor support in the BSD world. I have of course been doing some reading and will probably just give it a try at some point regardless, but I was curious what experience and advice other slashdot users could share. There's been many bold comments on slashdot about moving away from Linux, so I suspect I'm not the only one asking these questions. Use-case wise, my list of must haves is: Minecraft, and probably more dubiously, FTB; mplayer or equivalent (very much prefer mplayer as it's what I've used forever); VirtualBox or something equivalent; Firefox (like mplayer, it's just what I've always used, and while I would consider alternatives, that would definitely be a negative); Flash (I hate it, but browsing the web sans-flash is still a pain); OpenRA (this is the one I anticipate giving me the most trouble, but playing it is somewhat of an obsession).
Stuff that would be nice but I can live without: Full disk encryption; Openbox / XFCE (It's what I use now and would like to keep using, but I could probably switch to something else without too much grief); jackd/rakarrack or something equivalent (currently use my computer as a cheap guitar amp/effects stack); Qt (toolkit of choice for my own stuff). What's the most painless way to transition to BSD for this constellation of uses, and which variety of BSD would you suggest?
267 comments | about a month ago
L-One-L-One (173461) writes In a surprise move, nine months after being bought by Facebook, WhatsApp has begun rolling out end-to-end encryption for its users. With true end-to-end encryption data becomes unaccessible to admins of WhatsApp or law enforcement authorities. This new feature first proposed on Android only has been developed in cooperation with Open Whisper Systems, based on TextSecure. With hundreds of million users, WhatsApp becomes by far the largest secure messaging application. FBI Director James Comey might not be pleased. Do you have a current favorite for encrypted online chat?
93 comments | about a month ago
Peter Eckersley writes: Today EFF, Mozilla, Cisco, and Akamai announced a forthcoming project called Let's Encrypt. Let's Encrypt will be a certificate authority that issues free certificates to any website, using automated protocols (demo video here). Launching in summer 2015, we believe this will be the missing piece that deprecates the woefully insecure HTTP protocol in favor of HTTPS.
212 comments | about a month ago
An anonymous reader writes A former researcher at Columbia University's Network Security Lab has conducted research since 2008 indicating that traffic flow software included in network routers, notably Cisco's 'Netflow' package, can be exploited to deanonymize 81.4% of Tor clients. Professor Sambuddho Chakravarty, currently researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology, uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records generated by Netflow (or equivalent packages from other router manufacturers) to individuate the 'victim' client. In laboratory conditions the success rate of this traffic analysis attack is 100%, with network noise and variations reducing efficiency to 81% in a live Tor environment. Chakravarty says: 'it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non- global adversary could use traffic analysis methods  to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.'
136 comments | about a month ago
Tyketto writes The US Department of Justice has been using fake communications towers installed in airplanes to acquire cellular phone data for tracking down criminals, reports The Wall Street Journal. Using fix-wing Cessnas outfitted with DRT boxes produced by Boeing, the devices mimic cellular towers, fooling cellphones into reporting "unique registration information" to track down "individuals under investigation." The program, used by the U.S. Marshals Service, has been in use since 2007 and deployed around at least five major metropolitan areas, with a flying range that can cover most of the US population. As cellphones are designed to connect to the strongest cell tower signal available, the devices identify themselves as the strongest signal, allowing for the gathering of information on thousands of phones during a single flight. Not even having encryption on one's phone, like found in Apple's iPhone 6, prevents this interception. While the Justice Department would not confirm or deny the existence of such a program, Verizon denies any involvement in this program, and DRT (a subsidiary of Boeing), AT&T, and Sprint have all declined to comment.
202 comments | about a month ago
apexcp writes: A week ago, Silk Road 2.0 was theatrically shut down by a global cadre of law enforcement. This week, the dark net is realigning. "In the wake of the latest police action against online bazaars, the anonymous black market known as Evolution is now the biggest Dark Net market of all time. Today, Evolution features 20,221 products for sale, a 28.8 percent increase from just one month ago and an enormous 300 percent increase over the past six months."
86 comments | about a month ago
Presto Vivace points out this troubling new report from the Electronic Frontier Foundation:
Recently, Verizon was caught tampering with its customer's web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the U.S. and Thailand intercepting their customers' data to strip a security flag — called STARTTLS — from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
245 comments | about a month ago