
Government

Feds Offer $20M For Critical Open Source Energy Network Cybersecurity Tools 56

Posted by samzenpus
from the won't-somebody-please-think-of-the-energy-supply? dept.
coondoggie writes "The US Department of Energy today said it would spend $20 million on the development of advanced cybersecurity tools to help protect the nation's vulnerable energy supply. The DOE technologies developed under this program should be interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."
Government

Citizenville: Newsom Argues Against Bureaucracy, Swipes At IT Departments 173

Posted by samzenpus
from the read-all-about-it dept.
Nerval's Lobster writes "Gavin Newsom, former mayor of San Francisco and current lieutenant governor of California, argues in his new book Citizenville that citizens need to take the lead in solving society's problems, sidestepping government bureaucracy with a variety of technological tools. It's more efficient for those engineers and concerned citizens to take open government data and use it to build apps that serve a civic function—such as Google Earth, or a map that displays crime statistics—than for government to try and provide these tools itself. But Newsom doesn't limit his attacks on government bureaucracy to politicians; he also reserves some fire for the IT departments, which he views as an outdated relic. 'The traditional IT department, which set up and maintained complex, centralized services—networks, servers, computers, e-mail, printers—may be on its way out,' he writes. 'As we move toward the cloud and technology gets easier to use, we'll have less need for full-time teams of people to maintain our stuff.' Despite his advocacy of the cloud and collaboration, he's also ambivalent about Wikileaks. 'It has made government and diplomacy much more challenging and ultimately less honest,' he writes at one point, 'as people fear that their private communications might become public.' Nonetheless, he thinks WikiLeaks and its ilk are ultimately here to stay: 'It is happening, and it's going to keep happening, and it's going to intensify.' In the end, he feels the benefits of collaboration and openness outweigh the drawbacks." Keep reading for the rest of Nick's review.
Education

Professors Rejecting Classroom Technology 372

Posted by samzenpus
from the get-off-my-lawn dept.
CowboyRobot writes "The January edition of Science, Technology & Human Values published an article titled Technological Change and Professional Control in the Professoriate, which details interviews with 42 faculty members at three research-intensive universities. The research concludes that faculty have little interest in the latest IT solutions. 'I went to [a course management software workshop] and came away with the idea that the greatest thing you could do with that is put your syllabus on the Web and that's an awful lot of technology to hand the students a piece of paper at the start of the semester and say keep track of it,' said one. 'What are the gains for students by bringing IT into the class? There isn't any. You could teach all of chemistry with a whiteboard. I really don't think you need IT or anything beyond a pencil and a paper,' said another."
Security

How To Sneak Into the Super Bowl With Social Engineering 164

Posted by timothy
from the appropriate-authorities dept.
danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going through them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.
Communications

Widespread Compromise Of Yahoo-Backed Email In New Zealand 47

Posted by timothy
from the spam-is-best-in-sushi dept.
First time accepted submitter Bitsy Boffin writes "Xtra, the largest ISP in New Zealand, which outsources email provision to Yahoo, has in the last two days been subject to a widespread email compromise, causing potentially thousands of accounts to send spam messages to every address in their webmail address books. Discussion at Geekzone centers around this potentially being a continuation of the Yahoo XSS exploit. While Telecom NZ, the owners of Xtra internet service provider indicate that the problem was 'resolved', reports of spam from its members continue unabated. Telecom NZ are advising those affected to change their passwords."
Cloud

Mega Vulnerability Reward Program Starts Payouts: 7 Bugs Fixed In First Week 41

Posted by timothy
from the paid-in-bitcoins-of-course dept.
An anonymous reader writes "If you're a hacker or a security researcher, this is a reminder that you don't have to take on Google's or Mozilla's software to get paid for finding a bug. In its first week, the Mega vulnerability reward program has already confirmed and fixed seven bugs, showing that Dotcom really does put his money where his mouth is. Although Mega hasn't shared how much money it paid out in the first week, how many bug submissions were made, or even who found which bugs, the company did briefly detail the discovered security holes. It also confirmed that the program is here to stay and urged those participating to find more severe bugs."
Bug

What To Do When an Advised BIOS Upgrade Is Bad? 467

Posted by timothy
from the wishful-thinking dept.
Bomarc writes "Twice now I've been advised to 'flash the BIOS to the latest,' once by a (major) hard drive controller maker (RAID); once by an OEM (who listed the update as 'critical,' and has removed older versions of the BIOS). Both times, the update has bricked an expensive piece of equipment. Both times, the response after the failed flash was 'It's not our problem, it's out of warranty.' Given that they recommended / advised that the unit be upgraded, shouldn't they shoulder the responsibility of BIOS upgrade failure? Also, if their design had sockets rather than soldering on parts, one could R/R the faulty part (BIOS chip), rather than going to eBay and praying. Am I the only one that has experienced this type of problem? Have you been advised to upgrade a BIOS (firmware); and the upgrade bricked the part or system? If so, what did you do? Should I name the companies?"
Bug

Six Months Without Adobe Flash, and I Feel Fine 393

Posted by timothy
from the alternatives-emerge-in-a-wait-no dept.
Reader hessian six months ago de-installed the Adobe Flash player on all of his browsers, probably a prudent move in light of various recent vulnerabilities. "This provoked some shock and incredulity from others. After all, Flash has been an essential content interpreter for over a decade. It filled the gap between an underdeveloped JavaScript and the need for media content like animation, video and so on." But it turns out that life sans Flash can still be worth living. Are there things you rely on that make Flash hard to give up?
China

How a Chinese Hacker Tried To Blackmail Me 146

Posted by timothy
from the shame-if-anything-was-t'-happen dept.
An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal, or that breaches of it were news.'"
Bug

Samsung Laptop Bug Is Not Linux Specific 215

Posted by timothy
from the using-french-or-korean-does-it-too dept.
First time accepted submitter YurB writes "Matthew Garrett, a Linux kernel developer who was investigating the recent Linux-on-Samsung-in-UEFI-mode problem, has bricked a Samsung laptop using a test userspace program in Windows. The most fascinating part of the story is on what is actually causing the firmware boot failure: 'Unfortunately, it turns out that some Samsung laptops will fail to boot if too much of the [UEFI] variable storage space is used. We don't know what "too much" is yet, but writing a bunch of variables from Windows is enough to trigger it. I put some sample code here — it writes out 36 variables each containing a kilobyte of random data. I ran this as an administrator under Windows and then rebooted the system. It never came back.'"
Bug

iOS 6.1 Leads To Battery Life Drain, Overheating For iPhone Users 266

Posted by timothy
from the that's-a-drag dept.
An anonymous reader writes "We have started seeing an increase in iPhone issues related to battery life and overheating. All of them seem to be related to users upgrading their devices to iOS 6.1. Furthermore, Vodafone UK today began sending out text messages to iPhone 4S owners on its network, warning them not to upgrade to iOS 6.1 due to issues with 3G performance. The text reads, 'If you've not already downloaded iOS 6.1 for your iPhone 4s, please hold off for the next version while Apple fixes 3G performance issues. Thanks.'"
Internet Explorer

IE Patch To Fix 57 Vulnerabilities 91

Posted by timothy
from the there's-a-sauce-for-that dept.
Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word if this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has an IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates."
Microsoft

Adobe Hopes Pop-up Warnings Will Stop Office-Borne Flash Attacks 125

Posted by timothy
from the ms-bob-is-on-the-case dept.
tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."
Security

Bit9 Hacked, Stolen Certs Used To Sign Malware 65

Posted by Soulskill
from the that-seems-like-a-bad-plan dept.
tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."
Communications

E-Mail Hack Exposes Bush Family Pictures, Correspondence 230

Posted by Soulskill
from the dubya-the-painter dept.
New submitter rHBa sends this article about another high-profile email account breach: "The apparent hack of several e-mail accounts has exposed personal photos and sensitive correspondence from members of the Bush family, including both former U.S. presidents. The posted photos and e-mails contain a watermark with the hacker's online alias, 'Guccifer.' ... Included in the hacked material is a confidential October 2012 list of home addresses, cell phone numbers, and e-mails for dozens of Bush family members, including both former presidents, their siblings, and their children. ... Correspondence obtained by the hacker indicates that at least six separate e-mail accounts have been compromised, including the AOL account of Dorothy Bush Koch, daughter of George H.W. Bush and sister of George W. Bush. Other breached accounts belong to Willard Heminway, 79, an old friend of the 41st president who lives in Greenwich, Connecticut; CBS sportscaster Jim Nantz, a longtime Bush family friend; former first lady Barbara Bush’s brother; and George H.W. Bush’s sister-in-law."
Security

New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X 167

Posted by Soulskill
from the something-to-be-said-for-consistency dept.
Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."
Bug

Facebook Breaks Major Websites With Redirection Bug 179

Posted by Soulskill
from the now-we're-tripping-on-virtual-power-cords dept.
johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"
Android

Fragmentation Leads To Android Insecurities 318

Posted by samzenpus
from the united-we-stand dept.
Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software' unlike Apple's iOS which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"
Encryption

Deloitte: Use a Longer Password In 2013. Seriously. 538

Posted by timothy
from the you're-gonna-need-a-bigger-post-it dept.
clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."
Software

LibreOffice 4 Released 249

Posted by timothy
from the whole-numbers-is-best-numbers dept.
Titus Andronicus writes "LibreOffice 4.0.0 has been released. Some of the changes are for developers: an improved API, a new graphics stack, migrating German code comments to English, and moving from Apache 2.0 to LGPLv3 & MPLv2. Some user-facing changes are: better interoperability with other software, some functional & UI improvements, and some performance gains."
Government

Rich Countries Suffer Less Malware, Says Microsoft Study 84

Posted by timothy
from the better-treatment-helps dept.
chicksdaddy writes "To paraphrase a quote attributed to F. Scott Fitzgerald: 'Rich countries aren't like everyone else. They have less malware.' That's the conclusion of a special Security Intelligence Report from Microsoft, anyway. The special supplement, released on Wednesday, investigated the links between rates of computer infections and a range of national characteristics including the relative wealth of a nation, observance of the rule of law and the rate of software piracy. The conclusion: cyber security (by Microsoft's definition: low rates of malware infection) correlated positively with many characteristics of wealthy nations – high Gross Income Per Capita, higher broadband penetration and investment in R&D and high rates of literacy. It correlated negatively with characteristics common in poorer nations – like demographic instability, political instability and lower levels of education."
Security

Researchers Devise New Attack Techniques Against SSL 33

Posted by samzenpus
from the protect-ya-neck dept.
alphadogg writes "The developers of many SSL libraries are releasing patches for a vulnerability that could potentially be exploited to recover plaintext information, such as browser authentication cookies, from encrypted communications. The patching effort follows the discovery of new ways to attack SSL, TLS and DTLS implementations that use cipher-block-chaining (CBC) mode encryption. The new attack methods were developed by researchers at the University of London's Royal Holloway College. The men published a research paper and a website on Monday with detailed information about their new attacks, which they have dubbed the Lucky Thirteen. They've worked with several TLS library vendors, as well as the TLS Working Group of the IETF, to fix the issue."
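The mechanism behind Lucky Thirteen, shown as an added Python model rather than the researchers' code or any TLS library's implementation. The TLS MAC input is 13 header bytes plus the record content, and HMAC-SHA1 processes that input in 64-byte compression blocks, so whether the decrypted padding length lands the MAC input on one side or the other of a block boundary changes how much hashing the receiver does. The model counts compression calls instead of measuring wall-clock time; the key, the zeroed 13-byte header and the record contents are constructed for the example, and the "constant" variant is a simplified illustration of the fix, not OpenSSL's actual patch.

```python
import hashlib
import hmac

MAC_LEN = 20          # HMAC-SHA1 tag length, as in the common *_CBC_SHA cipher suites
CBC_BLOCK = 16        # AES block size
SHA1_BLOCK = 64       # SHA-1 compression function input size
TLS_MAC_HEADER = 13   # seq_num(8) + type(1) + version(2) + length(2) prepended to the MAC input


def sha1_compressions_for_hmac(msg_len: int) -> int:
    """SHA-1 compression calls HMAC-SHA1 spends on a msg_len-byte message.

    Inner hash: 64-byte keyed block + message + 0x80 + zero pad + 8-byte length,
    rounded up to whole 64-byte blocks. Outer hash: keyed block + 20-byte digest,
    which is always exactly two blocks."""
    inner = (SHA1_BLOCK + msg_len + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK
    return inner + 2


def build_record(content: bytes, mac_key: bytes, header: bytes) -> bytes:
    """Plaintext of a MAC-then-encrypt CBC record: content || MAC || TLS padding."""
    tag = hmac.new(mac_key, header + content, hashlib.sha1).digest()
    body = content + tag
    pad_len = CBC_BLOCK - (len(body) % CBC_BLOCK)   # 1..16 bytes, each equal to pad_len-1
    return body + bytes([pad_len - 1]) * pad_len


def check_record_leaky(plaintext: bytes, mac_key: bytes, header: bytes):
    """Pre-Lucky-13 style receiver: it still verifies a MAC when the padding is bad
    (treating the padding as zero-length, as TLS 1.1/1.2 advised), but the MAC input
    length, and so the amount of hashing, depends on the decrypted padding byte.
    Returns (accepted, compression_calls)."""
    pad_len = plaintext[-1]
    padding_ok = (len(plaintext) >= pad_len + 1 + MAC_LEN
                  and plaintext[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    content_len = len(plaintext) - MAC_LEN - (pad_len + 1 if padding_ok else 0)
    content = plaintext[:content_len]
    tag = plaintext[content_len:content_len + MAC_LEN]
    expected = hmac.new(mac_key, header + content, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    return padding_ok and mac_ok, sha1_compressions_for_hmac(len(header) + content_len)


def check_record_constant(plaintext: bytes, mac_key: bytes, header: bytes):
    """Same accept/reject decision, but the hashing work is fixed at the maximum any
    padding length could require, with dummy compressions making up the difference.
    This is the idea behind the library fixes, modelled here; it is not OpenSSL's code."""
    accepted, real_calls = check_record_leaky(plaintext, mac_key, header)
    max_calls = sha1_compressions_for_hmac(len(header) + len(plaintext) - MAC_LEN)
    hashlib.sha1(b"\x00" * SHA1_BLOCK * (max_calls - real_calls)).digest()  # dummy work
    return accepted, max_calls


# Constructed inputs for the example (assumptions, not values from the paper).
KEY = b"constructed-mac-key"
HEADER = bytes(TLS_MAC_HEADER)                   # zeroed seq/type/version/length
REC_43 = build_record(b"A" * 43, KEY, HEADER)    # 43 + 20 = 63 -> one padding byte  -> 64-byte record
REC_42 = build_record(b"B" * 42, KEY, HEADER)    # 42 + 20 = 62 -> two padding bytes -> 64-byte record
TAMPERED = REC_43[:-1] + b"\xff"                 # a last byte an attacker's CBC bit-flip could produce

if __name__ == "__main__":
    for name, rec in (("43-byte content", REC_43), ("42-byte content", REC_42), ("tampered", TAMPERED)):
        print(name, "leaky:", check_record_leaky(rec, KEY, HEADER),
              "constant:", check_record_constant(rec, KEY, HEADER))
```

Two equally valid 64-byte records cost the leaky receiver five and four compression calls respectively, purely because of where the padding length put the MAC input relative to the 64-byte boundary (the 13 header bytes are what make that boundary fall where it does, hence the name). An attacker who can flip ciphertext bytes and time the rejection can use that difference to learn plaintext bytes, which is why the fix has to make the work independent of the padding rather than merely checking the MAC on the bad-padding path.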
Spam

Ask Slashdot: How Do You Handle SPF For Spam Filtering? 187

Posted by samzenpus
from the false-positive dept.
An anonymous reader writes "Our organization had had a decent SPF record of our own for a long time. Recently, we decided to try using SPF for filtering inbound mail. On the up side, a lot of bad mail was being caught. On the down side, it seems like there is always a 'very important' message being caught in the filter because the sender has failed to consider all mail sources in writing their record. At first, I tried to assist sending parties with correcting their records out of hope that it was isolated. This quickly started to consume far too much time. I'm learning that many have set up inaccurate but syntactically valid SPF records and forgotten about them, which is probably the worst outcome for SPF as a standard. Are you using SPF? How are you handling false positives caused by inaccurate SPF records?"
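One way to keep using SPF on inbound mail without bouncing the "very important" message from a sender with a stale record, as an added Python example that is not the submitter's setup or any MTA's code. The evaluator handles the ip4/ip6/a/mx/include/all mechanisms against a constructed in-memory DNS table (the domains and addresses are invented for the example; a real check would query DNS), and the policy function separates the SPF result from the filtering action so that a hard fail from a domain you already know has a broken record is quarantined or scored rather than rejected.

```python
import ipaddress

# Constructed DNS data for the example (not real records): "txt" holds the SPF record,
# "a" the A records, "mx" the MX hostnames.
DNS = {
    "example.com": {"txt": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
                    "mx": ["mail.example.com"]},
    "mail.example.com": {"a": ["198.51.100.10"]},
    "_spf.mailhost.example": {"txt": "v=spf1 ip4:203.0.113.0/24 ~all"},
    # A sender whose record was never updated when they moved to a new outbound relay:
    # strict "-all", but the relay at 203.0.113.77 is not listed.
    "stale.example": {"txt": "v=spf1 ip4:192.0.2.50 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # SPF limits DNS-querying mechanisms to 10 per check


def spf_check(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the sending IP against the domain's SPF record.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS.get(domain, {}).get("txt")
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue                      # modifiers (redirect=, exp=) are not modelled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a v4 address is never "in" a v6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in DNS.get(target, {}).get("a", [])
        elif mech == "mx":
            matched = any(ip in DNS.get(mx, {}).get("a", [])
                          for mx in DNS.get(target, {}).get("mx", []))
        elif mech == "include":
            matched = spf_check(ip, arg, depth + 1) == "pass"   # include matches only on pass
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # record exhausted without an "all" term


# Domains whose admins we have contacted about an inaccurate record (constructed list):
# their hard fail is downgraded until the record is fixed, instead of bouncing their mail.
KNOWN_BROKEN_RECORDS = {"stale.example"}


def inbound_action(result: str, sender_domain: str) -> str:
    """Map an SPF result to a filtering action. Only an unexplained hard fail is rejected;
    soft fails, known-broken senders and errors are quarantined or scored, and the rest
    is left to the other filters."""
    if result == "fail" and sender_domain not in KNOWN_BROKEN_RECORDS:
        return "reject"
    if result in ("fail", "softfail", "permerror"):
        return "quarantine"
    return "accept"


def filter_message(ip: str, sender_domain: str) -> dict:
    """Full inbound decision, keeping the raw result for an Authentication-Results header
    and for logging which sender domains keep failing (those are the ones to contact)."""
    result = spf_check(ip, sender_domain)
    return {"spf": result, "action": inbound_action(result, sender_domain)}


if __name__ == "__main__":
    for ip, dom in (("192.0.2.7", "example.com"), ("203.0.113.9", "example.com"),
                    ("10.0.0.1", "example.com"), ("203.0.113.77", "stale.example")):
        print(ip, dom, filter_message(ip, dom))
```

The point of the split is that SPF answers "is this IP authorised by the domain's published record", and only the local policy decides what an inaccurate record should cost the sender; recording the raw result per sender domain also gives you the list of records worth chasing, without chasing them one urgent bounce at a time.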
Intel

Intel Gigabit NIC Packet of Death 137

Posted by Soulskill
from the how-to-break-things dept.
An anonymous reader sends this quote from a blog post about a very odd technical issue and some clever debugging: "Packets of death. I started calling them that because that’s exactly what they are. ... This customer location, for some reason or another, could predictably bring down the ethernet controller with voice traffic on their network. Let me elaborate on that for a second. When I say “bring down” an ethernet controller I mean BRING DOWN an ethernet controller. The system and ethernet interfaces would appear fine and then after a random amount of traffic the interface would report a hardware error (lost communication with PHY) and lose link. Literally the link lights on the switch and interface would go out. It was dead. Nothing but a power cycle would bring it back. ... While debugging with this very patient reseller I started stopping the packet captures as soon as the interface dropped. Eventually I caught on to a pattern: the last packet out of the interface was always a 100 Trying provisional response, and it was always a specific length. Not only that, I ended up tracing this (Asterisk) response to a specific phone manufacturer’s INVITE. ... With a modified HTTP server configured to generate the data at byte value (based on headers, host, etc) you could easily configure an HTTP 200 response to contain the packet of death — and kill client machines behind firewalls!"
Canada

Sony Rootkit Redux: Canadian Business Groups Lobby For Right To Install Spyware 240

Posted by Soulskill
from the do-not-want dept.
An anonymous reader writes "Michael Geist reports that a coalition of Canadian industry groups, including the Canadian Chamber of Commerce, the Canadian Marketing Association, the Canadian Wireless Telecommunications Association and the Entertainment Software Association of Canada, are demanding legalized spyware for private enforcement purposes. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation)."
Security

Semi-Automatic Hacking of Masked ROM Code From Microscopic Images 42

Posted by Soulskill
from the making-a-computer-read-a-computer dept.
An anonymous reader writes "Decapping chips and recovering code or data is nothing new, but the old problem of recovering Masked ROM through visual inspection (binary '0' and '1' can be distinguished within the images) is normally done by crowd sourcing a manual typing effort. Now a tool that semi-automates this process and then recovers the data automatically has been released."
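The core of the recovery step described above, as an added Python example that is not the released tool's code: once the cell grid of a mask ROM has been located in the micrograph, each cell is reduced to its mean brightness, the brightnesses are split into two clusters to get a threshold, and the resulting bits are packed into bytes. Cells that land near the threshold are handed back for manual review, which is what keeps the process "semi" automatic. The image here is constructed from known bytes (bright cell = 1, dark cell = 0, row-major, MSB first) so the round trip can be checked; the grid pitch, bit order and the absence of column scrambling are assumptions that must be established per chip.

```python
import random
from typing import List, Tuple


def render_rom(data: bytes, cols: int, pitch: int = 4, seed: int = 1) -> List[List[int]]:
    """Constructed stand-in for a decapped-ROM micrograph (not a real image): one square
    pitch x pitch cell of grey pixels per bit, MSB of each byte first, row-major,
    bright = 1, dark = 0, with deterministic noise so cells are not perfectly uniform."""
    rng = random.Random(seed)
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) % cols:
        raise ValueError("bit count must fill whole rows")
    rows = len(bits) // cols
    image = [[0] * (cols * pitch) for _ in range(rows * pitch)]
    for index, bit in enumerate(bits):
        r, c = divmod(index, cols)
        level = 200 if bit else 60
        for y in range(r * pitch, (r + 1) * pitch):
            for x in range(c * pitch, (c + 1) * pitch):
                image[y][x] = level + rng.randint(-25, 25)
    return image


def cell_means(image: List[List[int]], rows: int, cols: int, pitch: int) -> List[List[float]]:
    """Mean brightness of every cell on a known grid (pitch and offset are measured
    from the image beforehand; here the grid starts at pixel 0,0)."""
    means = []
    for r in range(rows):
        means.append([])
        for c in range(cols):
            pixels = [image[y][x]
                      for y in range(r * pitch, (r + 1) * pitch)
                      for x in range(c * pitch, (c + 1) * pitch)]
            means[r].append(sum(pixels) / len(pixels))
    return means


def two_class_threshold(values: List[float], iterations: int = 5) -> float:
    """Split brightness into two clusters: start at the midrange, then move to the
    midpoint of the two cluster means (one-dimensional k-means with k = 2)."""
    t = (min(values) + max(values)) / 2
    for _ in range(iterations):
        low = [v for v in values if v < t]
        high = [v for v in values if v >= t]
        if not low or not high:
            break
        t = (sum(low) / len(low) + sum(high) / len(high)) / 2
    return t


def recover_rom(image: List[List[int]], rows: int, cols: int, pitch: int = 4,
                margin: float = 20.0) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Classify every cell, pack the bits into bytes, and return the (row, col) of cells
    whose brightness is within `margin` of the threshold so a human can check them."""
    means = cell_means(image, rows, cols, pitch)
    t = two_class_threshold([m for row in means for m in row])
    bits, ambiguous = [], []
    for r, row in enumerate(means):
        for c, m in enumerate(row):
            bits.append(1 if m >= t else 0)
            if abs(m - t) < margin:
                ambiguous.append((r, c))
    data = bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))
    return data, ambiguous


# Constructed sample: 8 bytes = 64 bits laid out as 4 rows of 16 cells.
SAMPLE = bytes.fromhex("deadbeef00ff55aa")
IMG = render_rom(SAMPLE, cols=16)
# Same image with the top-left cell smeared to a mid-grey, like a scratch or dust on the die.
SMUDGED = [row[:] for row in IMG]
for y in range(4):
    for x in range(4):
        SMUDGED[y][x] = 128

if __name__ == "__main__":
    print(recover_rom(IMG, rows=4, cols=16))
    print(recover_rom(SMUDGED, rows=4, cols=16))
```

On the clean image the bytes come back exactly and no cell is flagged; on the smudged image the first cell is reported for review, because a thresholded value a few levels either side of the boundary is a coin toss that nobody should accept silently into the recovered dump. Bit ordering and column scrambling are the other place a human stays in the loop: a wrong assumption there produces a well-formed but meaningless image, so recovered code should be checked against something known (a reset vector, a string table) before it is trusted.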
Bug

Kaspersky Update Breaks Internet Access For Windows XP Users 92

Posted by timothy
from the all-a-secret-plot dept.
An anonymous reader writes "Yesterday afternoon, Kaspersky Labs released a definition update that blocked all Internet and Intranet access on Windows XP workstations. While there has been no official communication from Kaspersky, their forum is lit up with angry customers relying on each other to find a fix." Update: 02/05 16:42 GMT by T : Thanks to an anonymous reader, who says that Kaspersky has issued a statement, and a fix (though the fix takes some manual labor to implement).
Databases

MySQL 5.6 Reaches General Availability 47

Posted by timothy
from the magic-8-ball-says dept.
First time accepted submitter jsmyth writes "MySQL 5.6.10 has been released, marking the General Availability of version 5.6 for production." Here's more on the features of 5.6. Of possible interest to MySQL users, too, is this look at how MySQL spinoff MariaDB (from Monty, one of the three creators of MySQL) is making inroads into the MySQL market, including (as we've mentioned before) as default database system in some Linux distributions.
Australia

Why Australian Telco's Plan To Shape BitTorrent Traffic Won't Work 84

Posted by timothy
from the locking-doorknobs-on-revolving-doors dept.
New submitter oztechmuse writes "Australian Telco Telstra is planning to trial shaping some BitTorrent traffic during peak hours. Like all other telcos worldwide, they are facing increasing traffic with a long tail of users: 20% of users consume 80% of bandwidth. The problem is, telcos in Australia are already shaping BitTorrent traffic as a study by Measurement Lab has shown and traffic use continues to increase. Also, the 20% of broadband users consuming the most content will just find a different way of accessing the content and so overall traffic is unlikely to be reduced."
Android

Wireless Carriers Put On Notice About Providing Regular Android Security Updates 171

Posted by Soulskill
from the suggestion-placed-in-circular-file dept.
msm1267 writes "Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices. The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. 'With Android, the situation is worse than a joke, it’s a crisis,' said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union. 'With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.'"
Crime

Researchers Demo Hack Against African Micro-Finance Accounts 52

Posted by timothy
from the and-such-small-portions dept.
mask.of.sanity writes "Security researchers have shown how to raid African micro-finance bank accounts en masse using fake audio one time passwords. The banks use audio one-time passwords to authenticate users logging into their accounts, but failed to properly implement security controls across numerous systems. Crucially, the researchers did not reveal how they cracked the encryption in order to protect users."
Google

US Wants Apple, Google, and Microsoft To Get a Grip On Mobile Privacy 103

Posted by Soulskill
from the because-they've-done-a-bang-up-job-so-far dept.
coondoggie writes "When it comes to relatively new technologies, few have been developing at the relentless pace of mobile. But with that development has come a serious threat to the security of personal information and privacy. The Federal Trade Commission has issued a report (PDF) on mobility issues and said less than one-third of Americans feel they are in control of their personal information on their mobile devices. 'The report makes recommendations for critical players in the mobile marketplace: mobile platforms (operating system providers, such as Amazon, Apple, BlackBerry, Google, and Microsoft), application (app) developers, advertising networks and analytics companies, and app developer trade associations. ... The report recommends that mobile platforms should: Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation; Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded; Consider offering a Do Not Track (DNT) mechanism for smartphone users.'"
Bug

Typing These 8 Characters Will Crash Almost Any App On Your Mountain Lion Mac 425

Posted by Soulskill
from the break-different dept.
An anonymous reader writes "All software has bugs, but this one is a particularly odd one. If you type "File:///" (no quotes) into almost any app on your Mac, it will crash. The discovery was made recently and a bug report was posted to Open Radar. First off, it’s worth noting that the bug only appears to be present in OS X Mountain Lion and is not reproducible in Lion or Snow Leopard. That’s not exactly good news given that this is the latest release of Apple’s operating system, which an increasing number of Mac users are switching to. ... A closer look shows the bug is inside Data Detectors, a feature that lets apps recognize dates, locations, and contact data, making it easy for you to save this information in your address book and calendar."
China

Washington Post: We Were Also Hacked By the Chinese 135

Posted by Soulskill
from the they-just-want-to-fit-in dept.
tsu doh nimh writes "A sophisticated cyberattack targeted The Washington Post in an operation that resembled intrusions against other major American news organizations and that company officials suspect was the work of Chinese hackers, the publication acknowledged on Friday. The disclosure came just hours after a former Post employee shared information about the break-in with ex-Postie reporter Brian Krebs, and caps a week marked by similar stories from The New York Times and The Wall Street Journal. Krebs cites a former Post tech worker saying that the publication gave one of its hacked servers to the National Security Agency for analysis, a claim that the Post's leadership denies. The story also notes that the Post relied on software from Symantec, the same security software that failed to detect intrusions at The New York Times for many months."
Communications

Twitter #Hacked 111

Posted by timothy
from the coz-it's-a-hashtag-see dept.
theodp writes "Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."
Java

Oracle Responds To Java Security Critics With Massive 50 Flaw Patch Update 270

Posted by timothy
from the no-more-jeans-all-patches dept.
darthcamaro writes "Oracle has been slammed a lot in recent months about its lackluster handling of Java security. Now Oracle is responding as strongly as it can with one of the largest Java security updates in history. 50 flaws in total with the vast majority carrying the highest-possible CVSS score of 10."
Government

Federal Gun Control Requires IT Overhaul 436

Posted by Soulskill
from the give-me-back-my-stapler dept.
New submitter Matt Slaybaugh writes "John Foley at InformationWeek has an editorial saying that the missing piece in the new gun control legislation is adequate data management. 'President Obama introduced 23 executive orders on Jan. 16 aimed at reducing gun violence through a combination of tougher regulation and enforcement, research, training, education and attention to mental healthcare. Several of the proposed actions involve better information sharing, including requiring federal agencies to make relevant data available to the FBI's background check system and easing legal barriers that prevent states from contributing data to that system.' But concrete plans are needed now to improve the current poor system of data collection and sharing. Federal CIO Steven VanRoekel's Digital Government Strategy, introduced in May, 'defines an IT architecture and processes for sharing digitized content securely, using Web APIs and with attention to protecting privacy. ... Unfortunately, on top of the data quality issues identified by the White House, and the FBI's and ATF's outdated IT systems, there's a lack of transparency about the systems used to enforce federal gun-control laws.'"
Programming

Is 'Brogramming' Killing Requirements Engineering? 432

Posted by Soulskill
from the made-up-words-you-already-hate dept.
chicksdaddy writes "Veracode's blog has an interesting piece that looks at whether 'brogramming' — the testosterone- and booze-fueled coding culture depicted in movies like The Social Network — spells death for the 'engineering' part of 'software engineering.' From the post: 'The Social Network is a great movie. But, let's face it, the kind of "coding" you're doing when you're "wired in"... or drunk... isn't likely to be very careful or – need we say – secure. Whatever else it may have done, [brogramming's] focus on flashy, testosterone-fueled "competitive" coding divorces "writing software" – free form, creative, inspirational – from "software engineering," its older, more thoughtful and reliable cousin.' The article picks up on Leslie Lamport's recent piece in Wired: 'Why we should build software like we build houses' — also worth reading!"
Security

Online Ads Are More Dangerous Than Porn, Cisco Says 110

Posted by samzenpus
from the watch-what-you-click dept.
wiredmikey writes "The popular belief is that security risks increase as the user engages in riskier and shadier behavior online, but that apparently isn't the case, Cisco found in its 2013 Annual Security report. It can be more dangerous to click on an online advertisement than an adult content site these days, according to Cisco. For example, users clicking on online ads were 182 times more likely to wind up getting infected with malware than if they'd surfed over to an adult content site, Cisco said. The highest concentration of online security targets does not involve pornography, pharmaceutical, or gambling sites as much as it affects legitimate sites such as search engines, online retailers, and social media. Users are 21 times more likely to get hit with malware from online shopping sites and 27 times more likely with a search engine than if they'd gone to a counterfeit software site, according to Cisco's report (PDF). There is an overwhelming perception that people get compromised for 'going to dumb sites,' Mary Landesman, senior security researcher at Cisco, told SecurityWeek."
China

Wall Street Journal Hit By Chinese Hackers, Too 92

Posted by samzenpus
from the join-the-party dept.
wiredmikey writes "The Wall Street Journal said Thursday its computers were hit by Chinese hackers, the latest U.S. media organization citing an effort to spy on its journalists covering China. The Journal made the announcement a day after The New York Times said hackers, possibly connected to China's military, had infiltrated its computers in response to its expose of the vast wealth amassed by a top leader's family. The Journal said in a news article that the attacks were 'for the apparent purpose of monitoring the newspaper's China coverage' and suggest that Chinese spying on U.S. media 'has become a widespread phenomenon.'"
Businesses

Amazon.com Suffers Outage: Nearly $5M Down the Drain? 173

Posted by timothy
from the what-is-the-richter-scale-for-net-outages? dept.
First time accepted submitter Brandon Butler writes "Amazon.com, the multi-billion online retail website, experienced an outage of unknown proportions on Thursday afternoon. Rumblings of an Amazon.com outage began popping up on Twitter at about 2:40 PM ET. Multiple attempts to access the site around 3:15 PM ET on Thursday were met with the message: 'Http/1.1 Service Unavailable.' By 3:30 PM ET the site appeared to be back online for at least some users. How big of a deal is an hour-long Amazon outage? Amazon.com's latest earnings report showed that the company makes about $10.8 billion per quarter, or about $118 million per day and $4.9 million per hour." Update: 01/31 22:25 GMT by T : "Hackers claim credit."
Security

Turning the Belkin WeMo Into a Deathtrap 146

Posted by timothy
from the they-keep-poltergeisting-me! dept.
Okian Warrior writes "As a followup to yesterday's article detailing 50 Million Potentially Vulnerable To UPnP Flaws, this video shows getting root access on a Belkin WeMo remote controlled wifi outlet. As the discussion notes, remotely turning someone's lamp on or off is not a big deal, but controlling a [dry] coffeepot or space heater might be dangerous. The attached discussion also points out that rapidly cycling something with a large inrush current (such as a motor) could damage the unit and possibly cause a fire." In the style of Bruce Schneier's movie-plot threat scenarios, what's the most nefarious use you can anticipate such remote outlet control being used for?
Communications

FTC Gets 744 New Ideas On How To Hang Up On Robocallers 281

Posted by timothy
from the I'd-prefer-starving-them-in-a-cage dept.
coondoggie writes "The Federal Trade Commission today said the submission period for its Robocall Challenge had ended and it got 744 new ideas for ways to shut down the annoying automated callers. The FTC noted that the vast majority of telephone calls that deliver a prerecorded message trying to sell something to the recipient are illegal. The FTC regulates these calls under the Telemarketing Sales Rule, and the Challenge was issued to develop technical or functional solutions and proofs of concept that can block illegal robocalls which, despite the agency's best efforts, seem to be increasing."
Patents

Micron Lands Broad "Slide To Unlock" Patent 211

Posted by timothy
from the is-it-malice-blindness-or-incompetence dept.
Zordak writes "Micron has recently landed U.S. Patent 8,352,745, which claims priority back to a February 2000 application — well before Apple's 2004 slide-to-unlock application. While claim construction is a highly technical art, the claims here are (for once) almost as broad as they sound, and may cover the bulk of touch screen smart phones on the market today. Dennis Crouch's Patently-O has a discussion."
Communications

Ask Slashdot: Name Conflicts In Automatically Generated Email Addresses? 383

Posted by timothy
from the hash-of-full-name-plus-birthday dept.
New submitter matteocorti writes "I work at a medium-sized university and we are considering reducing the number of domains used for email addresses (now around 350): the goal is to have all the 30K personal addresses in a single domain. This will increase the clashes for the local part of the address for people with the same first and last name (1.6%). We are considering several options: one of them is to use 'username@domain.tld' and the other is to use 'first.last@domain.tld.' The first case will avoid any conflict in the addresses (usernames are unique) but the second is fancier. Which approach does your organization use? How are name conflicts (homonyms) solved? Manually or automatically (e.g., by adding a number)?"
Blackberry

Yes, PlayBook Does Get BlackBerry 10 Update 90

Posted by timothy
from the seriously-how-is-blackberry-compelling-nowadays? dept.
judgecorp writes "Yesterday's BlackBerry 10 announcement did not mention the company's tablet, the PlayBook, but users will be relieved to know it will get an update to BlackBerry 10. It's not a huge surprise, since BB10 is based on the PlayBook's QNX operating system, but PlayBook users may have been worried since the company did not even mention the struggling tablet in passing at the event." Hopefully the PlayBook's camera is better than the one in the new BB10-based Z10 phone, the low-light performance of which Gizmodo describes as "four-years-ago crap."
The Internet

Time Warner Boosts Broadband Customer Speed — But Only Near Google Fiber 203

Posted by timothy
from the just-a-coincidence dept.
An anonymous reader writes "Rob is a Time Warner Cable customer, and he's received two really interesting things from them lately. First, a 50% speed boost: they claim to have upgraded the speed of his home Internet connection. That's neat. Oh, and they've also cut his bill, from $45 to $30. Wow! What has prompted this amazing treatment? Years of loyalty and on-time payments? No, not exactly. Rob lives in Kansas City, pilot site for Google Fiber. Even though they have shut off people in other states for using too much bandwidth. Is Google making them show that it's not that hard to provide good service and bandwidth?"
Android

"Bill Shocker" Malware Controls 620,000 Android Phones In China 138

Posted by timothy
from the it's-ok-they're-calling-the-premier dept.
Orome1 writes "A newly discovered malware is potentially one of the most costly viruses yet discovered. Uncovered by NQ Mobile, the 'Bill Shocker' (a.expense.Extension.a) virus has already impacted 620,000 users in China and poses a threat to unprotected Android devices worldwide. Bill Shocker downloads in the background, without arousing the mobile device owner's suspicion. The infection can then take remote control of the device, including the contact list, Internet connections and dialing and texting functions. Once the malware has turned the phone into a "zombie," the infection uses the device to send text messages to the profit of advertisers. In many cases, the threat will overrun the user's bundling quota, which subjects the user to additional charges."
China

Chinese Hack New York Times 116

Posted by samzenpus
from the protect-ya-neck dept.
Rick Zeman writes "According to a headline article in the New York Times, they admit to being hacked by the Chinese, and the article covers the efforts of Mandiant to investigate, and then to eradicate their custom Advanced Persistent Threats (APT). This was alleged to be in reaction to an article which details the sleazy business dealings of the family of Wen Jiabao, China's newest Prime Minister. China's Ministry of National Defense said in denial, 'Chinese laws prohibit any action including hacking that damages Internet security.'" Update: 01/31 15:00 GMT by T : The Times used Symantec's suite of malware protection software; Symantec has issued a statement that could be taken as slightly snippy about its role in (not) preventing the spyware from taking hold.
Security

DARPA Open Source Security Helped FreeBSD, Junos, Mac OS X, iOS 22

Posted by Soulskill
from the also-juliennes-fries dept.
An anonymous reader writes "In a February 2013 ACM Queue / Communications of the ACM article, A decade of OS access-control extensibility, Robert Watson at the University of Cambridge credits 2000s-era DARPA security research, distributed via FreeBSD, for the success of sandboxing in desktop, mobile, and embedded systems such as Mac OS X, iOS, and Juniper's Junos router OS. His blog post about the article argues that OS security extensibility is just as important as more traditional file system (VFS) and device driver extensibility features in kernels — especially in embedded environments where UNIX multi-user security makes little sense, and where tradeoffs between performance, power use, functionality, and security are very different. This seems to fly in the face of NSA's recent argument that one-size-fits-all SELinux-style Type Enforcement is the solution for Android security problems. He also suggests that military and academic security researchers overlooked the importance of app-store style security models, in which signed application identity is just as important as 'end users' in access control."
