Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

  • Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

    First time accepted submitter Brett W (3715683) writes "The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week."

    5 comments | 16 minutes ago

  • When Spies and Crime-Fighters Squabble Over How They Spy On You

    The Washington Post reports in a short article on the sometimes strange, sometimes strained relationship between spy agencies like the NSA and CIA and law enforcement (as well as judges and prosecutors) when it comes to evidence gathered using technology or techniques that the spy agencies would rather not disclose at all, never mind explain in detail. They may both be arms of the U.S. government, but the spy agencies and the law enforcers covet different outcomes. From the article: [S]sometimes it's not just the tool that is classified, but the existence itself of the capability — the idea that a certain type of communication can be wiretapped — that is secret. One former senior federal prosecutor said he knew of at least two instances where surveillance tools that the FBI criminal investigators wanted to use "got formally classified in a big hurry" to forestall the risk that the technique would be revealed in a criminal trial. "People on the national security side got incredibly wound up about it," said the former official, who like others interviewed on the issue spoke on condition of anonymity because of the topic’s sensitivity. "The bottom line is: Toys get taken away and put on a very, very high shelf. Only people in the intelligence community can use them." ... The DEA in particular was concerned that if it came up with a capability, the National Security Agency or CIA would rush to classify it, said a former Justice Department official.

    117 comments | yesterday

  • Private Data On iOS Devices Not So Private After All

    theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.

    97 comments | yesterday

  • FBI Studied How Much Drones Impact Your Privacy -- Then Marked It Secret

    v3rgEz writes When federal agencies adopt new technology, they're required by law to do Privacy Impact Assessments, which is exactly what the FBI did regarding its secretive drone program. The PIAs are created to help the public and federal government assess what they're risking through the adoption of new technology. That part is a little trickier, since the FBI is refusing to release any of the PIA on its drone project, stating it needs to be kept, er, private to protect national security.

    133 comments | 2 days ago

  • The NSA's New Partner In Spying: Saudi Arabia's Brutal State Police

    Advocatus Diaboli sends this news from The Intercept: The National Security Agency last year significantly expanded its cooperative relationship with the Saudi Ministry of Interior, one of the world's most repressive and abusive government agencies. An April 2013 top secret memo provided by NSA whistleblower Edward Snowden details the agency's plans "to provide direct analytic and technical support" to the Saudis on "internal security" matters. The Saudi Ministry of Interior—referred to in the document as MOI— has been condemned for years as one of the most brutal human rights violators in the world. In 2013, the U.S. State Department reported that "Ministry of Interior officials sometimes subjected prisoners and detainees to torture and other physical abuse," specifically mentioning a 2011 episode in which MOI agents allegedly "poured an antiseptic cleaning liquid down [the] throat" of one human rights activist. The report also notes the MOI's use of invasive surveillance targeted at political and religious dissidents.

    124 comments | 2 days ago

  • New SSL Server Rules Go Into Effect Nov. 1

    alphadogg writes: Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks. The concern is that SSL server digital certificates issued by CAs at present for internal corporate e-mail servers, Web servers and databases are not unique and can potentially be used in man-in-the-middle attacks involving the setup of rogue servers inside the targeted network, say representatives for the Certification Authority/Browser Forum (CA/B Forum), the industry group that sets security and operational guidelines for digital certificates. Members include the overwhelming bulk of public CAs around the globe, plus browser makers such as Microsoft and Apple. The problem today is that network managers often give their servers names like 'Server1' and allocate internal IP addresses so that SSL certificates issued for them through the public CAs are not necessarily globally unique, notes Trend Micro's Chris Bailey.

    88 comments | 2 days ago

  • How a Solar Storm Two Years Ago Nearly Caused a Catastrophe On Earth

    schwit1 writes: On July 23, 2012, the sun unleashed two massive clouds of plasma that barely missed a catastrophic encounter with the Earth's atmosphere. These plasma clouds, known as coronal mass ejections (CMEs), comprised a solar storm thought to be the most powerful in at least 150 years. "If it had hit, we would still be picking up the pieces," physicist Daniel Baker of the University of Colorado tells NASA. Fortunately, the blast site of the CMEs was not directed at Earth. Had this event occurred a week earlier when the point of eruption was Earth-facing, a potentially disastrous outcome would have unfolded.

    "Analysts believe that a direct hit could cause widespread power blackouts, disabling everything that plugs into a wall socket. Most people wouldn't even be able to flush their toilet because urban water supplies largely rely on electric pumps. ... According to a study by the National Academy of Sciences, the total economic impact could exceed $2 trillion, or 20 times greater than the costs of a Hurricane Katrina. Multi-ton transformers damaged by such a storm might take years to repair." Steve Tracton put it this way in his frightening overview of the risks of a severe solar storm: "The consequences could be devastating for commerce, transportation, agriculture and food stocks, fuel and water supplies, human health and medical facilities, national security, and daily life in general."

    210 comments | 2 days ago

  • Social Security Administration Joins Other Agencies With $300M "IT Boondoggle"

    alphadogg (971356) writes with news that the SSA has joined the long list of federal agencies with giant failed IT projects. From the article: "Six years ago the Social Security Administration embarked on an aggressive plan to replace outdated computer systems overwhelmed by a growing flood of disability claims. Nearly $300 million later, the new system is nowhere near ready and agency officials are struggling to salvage a project racked by delays and mismanagement, according to an internal report commissioned by the agency. In 2008, Social Security said the project was about two to three years from completion. Five years later, it was still two to three years from being done, according to the report by McKinsey and Co., a management consulting firm. Today, with the project still in the testing phase, the agency can't say when it will be completed or how much it will cost.

    140 comments | 3 days ago

  • Dutch Court Says Government Can Receive Bulk Data from NSA

    jfruh (300774) writes Dutch law makes it illegal for the Dutch intelligence services to conduct mass data interception programs. But, according to a court in the Hague, it's perfectly all right for the Dutch government to request that data from the U.S.'s National Security Agency, and doing so doesn't violate any treaties or international law.

    109 comments | 3 days ago

  • Internet Explorer Vulnerabilities Increase 100%

    An anonymous reader writes Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

    137 comments | 3 days ago

  • The Psychology of Phishing

    An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?

    126 comments | 3 days ago

  • Intel Launches Self-Encrypting SSD

    MojoKid writes: Intel just launched their new SSD 2500 Pro series solid state drive, the follow-up to last year's SSD 1500 Pro series, which targets corporate and small-business clients. The drive shares much of its DNA with some of Intel's consumer-class drives, but the Pro series cranks things up a few notches with support for advanced security and management features, low power states, and an extended management toolset. In terms of performance, the Intel SSD 2500 Pro isn't class-leading in light of many enthusiast-class drives but it's no slouch either. Intel differentiates the 2500 Pro series by adding support for vPro remote-management and hardware-based self-encryption. The 2500 Pro series supports TCG (Trusted Computing Group) Opal 2.0 features and is Microsoft eDrive capable as well. Intel also offers an administration tool for easy management of the drive. With the Intel administration tool, users can reset the PSID (physical presence security ID), though the contents of the drive will be wiped. Sequential reads are rated at up to 540MB/s, sequential writes at up to 480MB/s, with 45K – 80K random read / write IOps.

    91 comments | 4 days ago

  • The Department of Homeland Security Needs Its Own Edward Snowden

    blottsie writes: Out of all the U.S. government agencies, the Department of Homeland Security is one of the least transparent. As such, the number of Freedom of Information Act requests it receives have doubled since 2008. But the DHS has only become more adamant about blocking FOIA requests over the years. The problem has become so severe that nothing short of an Edward Snowden-style leak may be needed to increase transparency at the DHS.

    190 comments | 4 days ago

  • Researchers Design Bot To Conduct National Security Clearance Interviews

    meghan elizabeth (3689911) writes Advancing a career in the U.S. government might soon require an interview with a computer-generated head who wants to know about that time you took ketamine. A recent study by psychologists at the National Center for Credibility Assessment, published in the journal Computers and Human Behavior, asserts that not only would a computer-generated interviewer be less "time consuming, labor intensive, and costly to the Federal Government," people are actually more likely to admit things to the bot. Eliza finds a new job.

    102 comments | 4 days ago

  • CNN iPhone App Sends iReporters' Passwords In the Clear

    chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credential snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

    40 comments | 4 days ago

  • EFF Releases Wireless Router Firmware For Open Access Points

    klapaucjusz writes: The EFF has released an experimental router firmware designed make it easy to deploy open (password-less) access points in a secure manner. The EFF's firmware is based on the CeroWRT fork of OpenWRT, but appears to remove some of its more advanced routing features. The EFF is asking for help to further develop the firmware. They want the open access point to co-exist on the same router as your typical private and secured access point. They want the owner to be able to share bandwidth, but with a cap, so guests don't degrade service for the owner. They're also looking to develop a network queueing, a minimalist web UI, and an auto-update mechanism. The EFF has also released the beta version of a plug-in called Privacy Badger for Firefox and Chrome that will prevent online advertisers from tracking you.

    56 comments | 5 days ago

  • Black Hat Presentation On Tor Cancelled, Developers Working on Bug Fix

    alphadogg writes A presentation on a low-budget method to unmask users of a popular online privacy tool Tor will no longer go ahead at the Black Hat security conference early next month. The talk was nixed by the legal counsel with Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website. Tor project leader Roger Dingledine said, "I think I have a handle on what they did, and how to fix it. ... Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world." Tor's developers were "informally" shown materials about the bug, but never saw any details about what would be presented in the talk.

    51 comments | 5 days ago

  • Firefox 31 Released

    An anonymous reader writes Mozilla has released version 31 of its Firefox web browser for desktops and Android devices. According to the release notes, major new features include malware blocking for file downloads, automatic handling of PDF and OGG files if no other software is available to do so, and a new certificate verification library. Smaller features include a search field on the new tab page, better support for parental controls, and partial implementation of the OpenType MATH table. Firefox 31 is also loaded with new features for developers. Mozilla also took the opportunity to note the launch of a new game, Dungeon Defenders Eternity, which will run at near-native speeds on the web using asm.js, WebGL, and Web Audio. "We're pleased to see more developers using asm.js to distribute and now monetize their plug-in free games on the Web as it strengthens support for Mozilla's vision of a high performance, plugin-free Web."

    171 comments | 5 days ago

  • AirMagnet Wi-Fi Security Tool Takes Aim At Drones

    alphadogg (971356) writes "In its quest to help enterprises seek out and neutralize all threats to their Wi-Fi networks, AirMagnet is now looking to the skies. In a free software update to its AirMagnet Enterprise product last week, the Wi-Fi security division of Fluke Networks added code specifically crafted to detect the Parrot AR Drone, a popular unmanned aerial vehicle that costs a few hundred dollars and can be controlled using a smartphone or tablet. Drones themselves don't pose any special threat to Wi-Fi networks, and AirMagnet isn't issuing air pistols to its customers to shoot them down. The reason the craft are dangerous is that they can be modified to act as rogue access points and sent into range of a victim's wireless network, potentially breaking into a network to steal data."

    52 comments | 5 days ago

  • The "Rickmote Controller" Can Hijack Any Google Chromecast

    redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.

    131 comments | about a week ago

Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...