mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly-facing and remotely-accessible. The SAP services contained dangerous vulnerabilities which were since patched by the vendor but had not been applied."
benrothke writes "It's said that truth is stranger than fiction, as fiction has to make sense. Had The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests been written as a spy thriller, it would have been a fascinating novel of international intrigue. But the book is far from a novel. It's a dense, well-researched overview of China's cold-war like cyberwar tactics against the US to regain its past historical glory and world dominance." Read below for the rest of Ben's review.
Writing "Wow, this is going to really set the cat amongst the pigeons once this gets around," an anonymous reader links to a story at The Guardian about some good old fashioned friendly interception, and the slide-show version of what went on at recent G20 summits in London: "Foreign politicians' calls and emails intercepted by UK intelligence; Delegates tricked into using fake internet cafes; GCHQ analysts sent logs of phone calls round the clock; Documents are latest revelations from whistleblower Edward Snowden."
Lucas123 writes "Intel this year plans to sell a set-top box and Internet-based streaming media service that will bundle TV channels for subscribers, but cable, satellite and ISPs are likely to use every tool at their disposal to stop another IP-based competitor, according to experts. They may already be pressuring content providers to charge Intel more or not sell to it. Another scenario could be that cable and ISP providers simply favor their own streaming services with pricing models, or limit bandwidth based on where customers get their streamed content. For example, Comcast could charge more for a third-party streaming service than for its own, or it could throttle bandwidth or place caps on it to limit how much content customer receives from streaming media services as it did with BitTorrent. Meanwhile, Verizon is challenging in a D.C. circuit court the FCC's Open Internet rules that are supposed to ensure there's a level playing field."
Nerval's Lobster writes "In case you didn't catch it yesterday, AllThingsD ran a piece endorsing the idea of the software-defined data center. That's a venue where hordes of non-technical mid- and upper-level managers will see it and (because of the credibility of AllThingsD) will believe software-defined data centers are not only possible, but that they exist and that your company is somehow falling behind because you personally have not sketched up a topology on a napkin or brought a package of it to install. If mid-level managers in your datacenter or extended IT department have not been pinged at least once today by business-unit managers offering to tip them off to the benefits of software-defined data centers—or demand that they buy one—then someone should go check the internal phone system because not all the calls are coming through. Why was AllThingD's piece problematic? First, because it's a good enough publication to explain all the relevant technology terms in ways that even a non-technical audience can understand. Second, it's also a credible source, owned by Dow Jones & Co. and spun off by The Wall Street Journal. Third, software-defined data centers are genuinely happening—but it's in the very early stages. The true benefits of the platform won't arrive for quite some time—and there's too much to do in the meantime to talk about potential endpoints. Fortunately, there are a number of resources online to help tell hype from reality."
New submitter RoccamOccam writes "Shortly after the news broke that the Department of Justice had been secretly monitoring the phones and email accounts of Associated Press and Fox News reporters (and the parents of Fox News Correspondent James Rosen), CBS News' Sharyl Attkisson said her computer seemed like it had been compromised. Turns out, it was. 'A cyber security firm hired by CBS News has determined through forensic analysis that Sharyl Attkisson's computer was accessed by an unauthorized, external, unknown party on multiple occasions late in 2012. Evidence suggests this party performed all access remotely using Attkisson's accounts. While no malicious code was found, forensic analysis revealed an intruder had executed commands that appeared to involve search and exfiltration of data.'"
alphadogg writes "Medical device makers should take new steps to protect their products from malware and cyberattacks or face the possibility that U.S. Food and Drug Administration won't approve their devices for use, the FDA said. The FDA issued new cybersecurity recommendations for medical devices on Thursday, following reports that some devices have been compromised. Recent vulnerabilities involving Philips fetal monitors and in Oracle software used in body fluid analysis machines are among the incidents that prompted the FDA to issue the recommendations."
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please sent us an email so we can take over the domain! This means that the repository is no longer safe to use, and you should remove the related entries from your source.list file.)" Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.
Nerval's Lobster writes "One year and seven months after beginning construction, Facebook has brought its first datacenter on foreign soil online. That soil is in Lulea, town of 75,000 people on northern Sweden's east coast, just miles south of the boundary separating the Arctic Circle from the somewhat-less-frigid land below it. Lulea (also nicknamed The Node Pole for the number of datacenters in the area) is in the coldest area of Sweden and shares the same latitude as Fairbanks, Alaska, according to a local booster site. The constant, biting wind may have stunted the growth of Lulea's tourism industry, but it has proven a big factor in luring big IT facilities into the area. Datacenters in Lulea are just as difficult to power and cool as any other concentrated mass of IT equipment, but their owners can slash the cost of cooling all those servers and storage units simply by opening a window: the temperature in Lulea hasn't stayed at or above 86 degrees Fahrenheit for 24 hours since 1961, and the average temperature is a bracing 29.6 Fahrenheit. Air cooling might prove a partial substitute for powered environmental control, but Facebook's datacenter still needed 120megawatts of steady power to keep the social servers humming. Sweden has among the lowest electricity costs in Europe, and the Lulea area reportedly has among the lowest power costs in Sweden. Low electricity prices are at least partly due to the area's proximity to the powerful Lulea River and the line of hydroelectric dams that draw power from it."
crookedvulture writes "With its Sandy Bridge and Ivy Bridge processors, Intel allowed standard Core i5 and i7 CPUs to be overclocked by up to 400MHz using Turbo multipliers. Reaching for higher speeds required pricier K-series chips, but everyone got access to a little "free" clock headroom. Haswell isn't quite so accommodating. Intel has disabled limited multiplier control for non-K CPUs, effectively limiting overclocking to the Core i7-4770K and i5-4670K. Those chips cost $20-30 more than their standard counterparts, and surprisingly, they're missing a few features. The K-series parts lack the support for transactional memory extensions and VT-d device virtualization included with standard Haswell CPUs. PC enthusiasts now have to choose between overclocking and support for certain features even when purchasing premium Intel processors. AMD also has overclocking-friendly K-series parts, but it offers more models at lower prices, and it doesn't remove features available on standard CPUs."
First time accepted submitter jarle.aase writes "It's doable today to use a mix of virtual machines, VPN, TOR, encryption (and staying away from certain places; like Google Plus, Facebook, and friends), in order to retain a reasonable degree of privacy. In recent days, even major mainstream on-line magazines have published such information. (Aftenposten, one of the largest newspapers in Norway, had an article yesterday about VPN, Tor and Freenet!) But what about the cell-phone? Technically it's not hard to design a phone that can switch off the GSM transmitter, and use VoIP for calls. VoIP could then go from the device through Wi-Fi and VPN. Some calls may be routed trough PSTN gateways — allowing the agencies to track the other party. But they will not track your location. And they will not track pure, encrypted VoIP calls that traverse trough VPN and use anonymous SIP or XMPP accounts. Android may not be the best software for such a device, as it very eagerly phones home. The same is true for iOS and Windows 8. Actually, I would prefer a non cloud-based mobile OS from a vendor that is not in the PRISM gallery. Does such a device exist yet? Something that runs a relatively safe OS, where GSM can be switched totally off? Something that will only make an outgoing network connection when I ask it to do so?" And in the absence of a perfect solution, what do you do instead? (It's still Android and using the cell network, but Red Phone — open sourced last year — seems like a good start.)
hypnosec writes "OWASP's Top 10, the Open Web Application Security Project's top 10 most critical web application security risks, has been updated and a new list for 2013 published. Last updated back in 2010, the organization has published the new list wherein the importance of cross-site scripting (XSS) and cross-site request forgery (CRSF) has been diluted a little, while risks related to broken session management and authentication have moved up a notch. Code injection, which was the topmost risk in 2010, has retained its position in the updated list. The 2013 Top Ten list (PDF) has been compiled based on half a million vulnerabilities discovered in thousands of applications from hundreds of vendors."
judgecorp writes "Security researchers say that iPhone and other Apple devices are vulnerable to an old attack, using a fake Wi-Fi access point. Attackers can use an SSID which matches one that is stored on the iPhone (say "BTWiF"), which the iPhone will connect to automatically. Other devices are protected thanks to the use of HTTPS, which enforces HTTPS, but iPhones are susceptible to this man in the middle attack, researchers say."
itwbennett writes "You can make a decent living as a software developer, and if you were lucky enough to get hired at a pre-IPO tech phenom, you can even get rich at it. But set your sights above the average and below Scrooge McDuck and you won't find many developers in that salary range. In fact, the number of developers earning $200,000 and above is under 10%, writes blogger Phil Johnson who looked at salary data from Glassdoor, Salary.com and the Bureau of Labor Statistics. How does your salary rate? What's your advice for earning the big bucks?"
An anonymous reader writes "After 25 years of doing IT (started as a PC technician and stayed on technical of IT work through out my career) I've been moved to a position of doing only on call work (but paid as if it is a normal 9-5 job). This leaves me with a lot of free time... As someone who's used to working 12+ hours a day + the odd night/weekend on call, I'm scared I'll lose my mind with all the new free time I'll have. Any suggestions (beyond develop hobbies, spend time with family) on how to deal with all the new free time?"
Trailrunner7 writes "A group of eight senators from both parties have introduced a new bill that would require the attorney general to declassify as many of the rulings of the secret Foreign Intelligence Surveillance Court as possible as a way of bringing into the sunlight much of the law and opinion that guides the government's surveillance efforts. Under the terms of the proposed law, the Justice Department would be required to declassify major FISC opinions as a way to give Americans a view into how the federal government is using the Foreign Intelligence Surveillance Act and Patriot Act. If the attorney general determines that a specific ruling can't be declassified without endangering national security, he can declassify a summary of it. If even that isn't possible, then the AG would need to explain specifically why the opinion needs to be kept secret."
Nerval's Lobster writes "Flash storage is more common on mobile devices than data-center hardware, but that could soon change. The industry has seen increasing sales of solid-state drives (SSDs) as a replacement for traditional hard drives, according to IHS iSuppli Research. Nearly all of these have been sold for ultrabooks, laptops and other mobile devices that can benefit from a combination of low energy use and high-powered performance. Despite that, businesses have lagged the consumer market in adoption of SSDs, largely due to the format's comparatively small size, high cost and the concerns of datacenter managers about long-term stability and comparatively high failure rates. But that's changing quickly, according to market researchers IDC and Gartner: Datacenter- and enterprise-storage managers are buying SSDs in greater numbers for both server-attached storage and mainstream storage infrastructure, according to studies both research firms published in April. That doesn't mean SSDs will oust hard drives and replace them directly in existing systems, but it does raise a question: are SSDs mature enough (and cheap enough) to support business-sized workloads? Or are they still best suited for laptops and mobile devices?"
dinscott writes "If you think of cyberspace as a resource for you and your organization, it makes sense to protect your part of it as best you can. You build your defenses and train employees to recognize attacks, and you accept the fact that your government is the one that will pursue and prosecute those who try to hack you. But the challenge arises when you (possibly rightfully so) perceive that your government is not able do so, and you demand to be allowed to 'hack back.'"
Nerval's Lobster writes "If those newspaper reports are accurate, the NSA's surveillance programs are enormous and sophisticated, and rely on the latest in analytics software. In the face of that, is there any way to keep your communications truly private? Or should you resign yourself to saying or typing, 'Hi, NSA!' every time you make a phone call or send an email? Fortunately there are ways to gain a measure of security: HTTPS, Tor, SCP, SFTP, and the vendors who build software on top of those protocols. But those host-proof solutions offer security in exchange for some measure of inconvenience. If you lose your access credentials, you're likely toast: few highly secure services include a 'Forgot Your Password?' link, which can be easily engineered to reset a password and username without the account owner's knowledge. And while 'big' providers like Google provide some degree of encryption, they may give up user data in response to a court order. Also, all the privacy software in the world also can't prevent the NSA (or other entities) from capturing metadata and other information. What do you think is the best way to keep your data locked down? Or do you think it's all a lost cause?"
An anonymous reader writes "Apple has always been extremely anti jailbreaking, but it might now have a good reason to plug up the exploits. As Hardware 2.0 argues, Apple's new iOS 7 Activation Lock anti-theft mechanism which renders stolen handsets useless (even after wiping) unless the owner's Apple ID is entered relies on having a secure, locked-down OS. Are the days of jailbreaking iOS coming to a close?" I can see a whole new variety of phone-based ransom-ware based on this capability, too.
MojoKid writes with more detailed information on the new hardware Apple announced earlier today at WWDC "On the hardware side, Apple is updating its two MacBook Air devices; both the 11-inch and 13-inch versions will enjoy better battery life (up to 9 hours and 12 hours, respectively), thanks in no small part to having Intel's new Haswell processors inside. They'll also have 802.11ac WiFi on board. Both models have 1.3GHz Intel Core i5 or i7 (Haswell) processors, Intel HD Graphics 5000, 4GB of RAM, and has 128GB or 256GB of flash storage. Arguably the scene stealer on the desktop side of things is a completely redesigned Mac Pro. The 9.9-inch tall cylindrical computer boasts a new 'unified thermal core' which is designed to conduct heat away from the CPU and GPU while distributing it uniformly and using a single bottom-mounted intake fan. It rocks a 12-core Intel Xeon processor, dual AMD FirePro GPUs (standard), 1866MHz DDR3 ECC memory (60GBps), and PCIe flash storage with up to 1.25GBps read speeds. The system promises 7 teraflops of graphics performance, supports 4k displays, and has a host of ports including four USB 3.0, two gigabit Ethernet ports, HDMI 1.4, six Thunderbolt 2 ports that offer super-fast (20Gbps) external connectivity."
chicksdaddy writes "When reports surfaced about 'BadNews,' a new family of mobile malware that affected Google Android devices the news sounded — well — bad. BadNews was described by Lookout Mobile Security as a new kind of mobile malware for the Android platform-one that harness mobile ad networks to push out malicious links, harvest information on compromised devices and more. Now, six weeks later, a senior member of Google's Android security team claims that BadNews wasn't really all that bad, after all. Speaking at an event in Washington D.C. sponsored by the Federal Trade Commission, Google employee and Android team member Adrian Ludwig threw cold water on reports linking BadNews to sites that installed malicious programs. The search giant, he said, had not found any evidence linking BadNews to so-called SMS 'toll fraud' malware."
mvar writes "According to Kotaku, a hacker named SuperDaeE who breached multiple gaming companies (Valve, Sony, MS to name a few) has released a 1.7TB treasure trove file for download. The file which contains source code for older titles plus development kits for the PS4 and Xbox One consoles, is encrypted and SuperDaeE claims that it is his insurance in case he gets arrested."
sweetpea86 writes "Cisco has teamed up with robotics firm iRobot to create their own enterprise version of the 'Sheldonbot' from US comedy series The Big Bang Theory. The robot, known as Ava 500, brings together iRobot's autonomous navigation with Cisco's TelePresence system to enable a remote worker sitting in front of a video collaboration system to meet with colleagues in an office setting or take part in a facility tour."
Taco Cowboy writes "Edward Snowden, the leaker who gave us the evidence of US government spying on its people is under threat of being extradited back to the U.S. to face prosecution. Some people in Congress, including Republican Peter King (R-NY), are calling for his extradition from Hong Kong to face trial. From the article: 'A spokesman for the director of national intelligence, James Clapper, said Snowden's case had been referred to the justice department and US intelligence was assessing the damage caused by the disclosures. "Any person who has a security clearance knows that he or she has an obligation to protect classified information and abide by the law," the spokesman, Shawn Turner, said.'"
An anonymous reader writes "I have been asked by a medium-sized business to help them come to grips with why their IT group is ineffective, loathed by all other departments, and runs at roughly twice the budget of what the CFO has deemed appropriate for the company's size and industry. After just a little scratching, it has become quite clear that the 'head of IT' has no modern technological skills, and has been parroting what his subordinates have told him without question. (This has led to countless projects that are overly complex, don't function as needed, and are incredibly expensive.) How can one objectively illustrate that a person doesn't have the knowledge sufficient to run a department? The head of IT doesn't necessarily need to know how to write code, so a coding test serves no purpose, but should be able to run a project. Are there objective methods for assessing this ability?"
Bruce66423 writes "The government minister in charge of GCHQ, the UK's equivalent of the NSA, has used those immortal words, 'Only terrorists, criminals and spies should fear secret activities of the British and US intelligence agencies.' From the article: '...In an interview on the BBC’s Andrew Marr Show on Sunday, Mr Hague refused to say whether the British government knew of the existence of Prism before it emerged last week. “I can’t confirm or deny in public what Britain knows about and what Britain doesn’t, for obvious reasons,” he said. However, he implied that the revelations had not taken him by surprise.'" While many are concerned about the reach of PRISM overseas, the Finnish Foreign Minister says he plans to continue using Outlook for email.
An anonymous reader writes "The individual responsible for one of the most significant leaks in US political history is Edward Snowden, a 29-year-old former technical assistant for the CIA and current employee of the defense contractor Booz Allen Hamilton. Snowden has been working at the National Security Agency for the last four years as an employee of various outside contractors, including Booz Allen and Dell. The Guardian, after several days of interviews, is revealing his identity at his request. From the moment he decided to disclose numerous top-secret documents to the public, he was determined not to opt for the protection of anonymity. 'I have no intention of hiding who I am because I know I have done nothing wrong,' he said."
An anonymous reader writes "The Register carries the funniest, most topical IT story of the year: 'Facebook's first data center ran into problems of a distinctly ironic nature when a literal cloud formed in the IT room and started to rain on servers. Though Facebook has previously hinted at this via references to a 'humidity event' within its first data center in Prineville, Oregon, the social network's infrastructure king Jay Parikh told The Reg on Thursday that, for a few minutes in Summer, 2011, Facebook's data center contained two clouds: one powered the social network, the other poured water on it.'"
Five years ago today, reader J.J. Ramsey asked what's keeping you off Windows (itself a followup to this question about the opposite situation). With five years of development time gone by for Windows as well as all the alternative OSes, where does Windows stand for you today? (Is it the year of Linux on the Desktop yet?)
An anonymous reader writes "We operate a wide area network that has a large amount of fiber optics, and provides service to our various departments in locations across the state. The network is reasonably complex, with splices, patches, and the general type of ad-hoc build that makes knowing where things go difficult. I'd like to implement some type of software to record where the fiber cables run, what pit number they are jointed in, which fiber is spliced to which, and what internal customer is using which fiber path through the system. Knowing what fibers are free for use is also a requirement, and I'd love to record details of what equipment was put in where, for asset and warranty tracking. Extra points if I can give Engineering access to help them design things better!"
New submitter Noel Trout writes "For a long time in the Java world, there has been a free tool called the 'tzupdater' or Time Zone Updater released as a free download first by Sun and then Oracle. This tool can be used to apply a patch to the Java runtime so that time zone information is correct. This is necessary since some time zones in the world are not static and change more frequently than one might think; in general time zone updates can be released maybe 4-6 times a year. The source information backing the Java timezone API comes from the open source Olson timezone database that is also used by many operating systems. For certain types of applications, you can understand that these updates are mission critical. For example, my company operates in the private aviation sector so we need to be able to display the correct local time at airports around the world. So, the interesting part is that Oracle has now decided to only release these updates if you have a Java SE support contract. Being Oracle, such licenses are far from cheap. In my opinion, this is a pretty serious change in stance for Oracle and amounts to killing free Java for certain types of applications, at least if you care about accuracy. We are talking about the core API class java.util.TimeZone. This begs the question, can you call an API free if you have to pay for it to return accurate information? What is the point of such an API? Should the community not expect that core Java classes are fully functional and accurate? I believe it is also a pretty bad move for Java adoption for these types of applications. If my company as a startup 10 years ago would have been presented with such a license fee, we almost certainly could not have chosen Java as our platform as we could not afford it."
Nerval's Lobster writes "Apple's iOS 7, which is heavily rumored to make its debut at next week's Worldwide Developers Conference (WWDC) in San Francisco, will almost certainly feature a totally redesigned interface. According to recent rumors (including a few key postings on the Apple-centric blog 9 to 5 Mac), the OS will stand as a shining example of "flat" design, which eliminates "real world" elements such as texture and shading in favor of stripped-down, basic shapes. That means certain iOS environments such as Game Center (with its casino-like green felt) and Newsstand (with its wooden shelving) could soon look completely different. But what about iOS 7's actual features? What could Apple change that would improve the operating system's chances against the increasingly sophisticated Google Android, not to mention the new-and-improved BlackBerry 10 and Windows Phone 8? What would you do to iOS with Apple's full resources at your disposal?"
An anonymous reader writes "Is there a device to automatically disconnect network or otherwise time limit a physical connection to a network? The why? We are dealing with a production outage of large industrial equipment. The cause? The supplier, with no notice, remotely connected to the process control system and completely botched an update to their system. We are down and the vendor is inept and not likely to have us back to 100% for a few days. Obviously the main issue is that they were able to do this at all, but reality is that IT gets overridden by the Process Control department in a manufacturing business. They were warned about this and told it was a horrible idea to allow remote access all the time. They were warned many times to leave the equipment disconnected from remote access except when they were actively working with the supplier. Either they forgot to disconnect it or they ignored our warnings. The question is, is there a device that will physically disconnect a network connection after a set time? Yes, we could use a Christmas tree light timer hooked up to a switch or something like that but I want something more elegant. Something with two network jacks on it that disconnects the port after a set time, or even something IT would have to login to and enable the connection and set a disconnect timer would be better than nothing. As we know, process control workers and vendors are woefully inept/uneducated about IT systems and risks and repeatedly make blunders like connecting process control systems directly to the internet, use stock passwords for everything, don't install antivirus on windows based control computers, etc. How do others deal with controlling remote access to industrial systems?"
An anonymous reader writes "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration,' argues a U.S. Air Force cyber security researcher. 'It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight. Yet software and hardware developers are not regulated in the same way as, say, the auto or pharmaceutical industries.' 'The truth is that we should no longer accept a patch/configuration management culture that promotes a laissez-faire approach to cyber security."
storagedude writes "10 Gigabit Ethernet may finally be catching on, some six years later than many predicted. So why did it take so long? Henry Newman offers a few reasons: 10GbE and PCIe 2 were a very promising combination when they appeared in 2007, but the Great Recession hit soon after and IT departments were dumping hardware rather than buying more. The final missing piece is finally arriving: 10GbE support on motherboards. 'What 10 GbE needs to become a commodity is exactly what 1 GbE got and what Fibre Channel failed to get: support on every motherboard,' writes Newman. 'The current landscape looks promising. 10 GbE is starting to appear on motherboards from every major server vendor, and I suspect that in just a few years, we'll start to see it on home PC boards, with the price dropping from the double digits to single digits, and then even down to cents.'"
New submitter einar2 writes "German hoster Hetzner informed customers that login data for their admin surface might have been compromised (Google translation of German original). At the end of last week, a backdoor in a monitoring server was found. Closer examination led to the discovery of a rootkit residing in memory. The rootkit does not touch files on storage but patches running processes in memory. Malicious code is directly injected into running processes. According to Hetzner the attack is surprisingly sophisticated."
Lucas123 writes "As consumerization of IT and self-service trends becomes part and parcel of everyone's work in the enterprise, the corporate data center may be left behind and IT departments may be given over to business units as consultants and integrators. 'The business itself will be the IT department. [Technologists] will simply be the enabler,' said Brandon Porco, chief technologist & solutions architect at Northrop Grumman. Porco was part of a four-person panel of technologists who participated at a town hall-style meeting at the CITE Conference and Expo in San Francisco this week. The panel was united on the topic of the future of IT shops. Others said they are not sure how to address a growing generation gap between young and veteran workers, each of whom are comfortable with different technologies. Nathan McBride, vice president of IT & chief cloud architect at AMAG Pharmaceuticals, said he's often forced to deal with older IT workers coming on board who expect his company to support traditional email like Outlook when it uses Google Apps.' Sooner or later, IT departments are going to change. When do you think that will happen, and how will they be different?"
Bennett Haselton writes with his take on a case going back and forth in U.S. courts right now about whether a defendant can be ordered to decrypt his own hard drives when they may incriminate him. "A Wisconsin defendant in a criminal child-pornography case recently invoked his Fifth Amendment right to avoid giving the FBI the password to decrypt his hard drive. At the risk of alienating fellow civil-libertarians, I admit I've never seen the particular value of the Fifth Amendment right against self-incrimination. So I pose this logical puzzle: come up with a specific, precisely defined scenario, where the Fifth Amendment makes a positive difference." Read on for the rest of Bennett's thoughts.
angry tapir writes "Hackers would face up to two years or more in prison no matter where they live in the European Union under a new draft law approved by the European Parliament's civil liberties committee. The proposed rule would prevent E.U. countries from capping sentences for any type of hacking at less than two years. Meanwhile the maximum sentence possible for cyberattacks against 'critical infrastructure,' such as power plants, transport networks and government networks would be at least five years in jail. The draft directive, which updates rules that have been in place since 2005, would also introduce a maximum penalty of at least three years' imprisonment for creating botnets."
chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."
hypnosec writes "Microsoft in collaboration with the FBI have successfully taken down the Citadel botnet which was known to control millions of PCs across the globe and was allegedly responsible for bank fraud in excess of $500 million. Citadel was known to have over 1,400 instances across the globe with most located in the US, Europe, India, China, Hong Kong and Singapore. It would install key-logging tools on target systems, which were then used to steal online banking credentials."
Excelcia writes "Users could soon be asked to pull a series of faces to unlock their Android phones or tablets. Google has filed a patent suggesting users stick out their tongue or wrinkle their nose in place of a password. Requiring specific gestures could prevent the existing Face Unlock facility being fooled by photos. The software could monitor if there were changes in the angle of the person's face to ensure the device was not being shown a still image with a fake gesture animated on top."
hypnosec writes "KingCope, known for many concrete zero-day exploits, has published yet another zero-day through full disclosure – this time for Plesk, a hosting software package made by Parallels and used on thousands of servers across the web. According to KingCope, Plesk versions 9.5.4, 9.3, 9.2, 9.0 and 9.6 on three different Linux variants Red Hat, CentOS and Fedora are vulnerable to the hack. The exploit, as noted by the hacker, makes use of specially crafted HTTP queries that inject PHP commands. The exploit uses POST request to launch a PHP interpreter and the attacker can set any configuration parameters through the POST request. Once invoked, the interpreter can be used to execute arbitrary commands."
An anonymous reader writes "Mt. Gox is the the largest Bitcoin exchange in the world, and as such it and its users are being repeatedly targeted by attackers. Some two months ago, it battled a massive DDoS attack that was likely aimed at destabilizing the virtual currency and allow the criminals to profit from the swings. Now, according to Symantec researchers, the criminals have turned to spoofing Mt. Gox' site and tricking its customers into downloading malware — the Ponik downloader Trojan, which is also able to steal passwords."
mikejuk writes "The BBC home page has just lost its clock because the BBC Trust upheld a complaint that it was inaccurate. The clock would show the current time on the machine it was being viewed on and not an accurate time as determined by the BBC. However, the BBC have responded to the accusations of inaccuracy by simply removing the clock stating that it would take 100 staffing days to fix. It further says: 'Given the technical complexities of implementing an alternative central clock, and the fact that most users already have a clock on their computer screen, the BBC has taken the decision to remove the clock from the Homepage in an upcoming update.' They added, '...the system required to do this "would dramatically slow down the loading of the BBC homepage", something which he said was "an issue of great importance to the site's users". Secondly, if the site moved to a format in which users across the world accessed the same homepage, irrespective of whichever country they were in, it would be "impossible to offer a single zonally-accurate clock."'"
girlmad writes "The UK government's chief operating officer Stephen Kelly offered a frightening insight into the world of government IT spending this week. According to Kelly, the government spends £6,000 per year per PC just to maintain the devices, and wastes 3 days per year per person due to slow boot-up times."
WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"
Nerval's Lobster writes "Monsanto is more infamous for growing its genetically modified crops than its use of software, but a series of corporate acquisitions and a new emphasis on tech solutions has transformed it into a firm that acts more like an innovative IT vendor than an agribusiness giant. Jim McCarter (the Entrepreneur in Residence for Monsanto) recently detailed for an audience in St. Louis how the company's IT efforts are expanding. Monsanto's core projects generate huge amounts of bits, especially its genomic efforts, which are the focus of so much public attention. Other big data gobblers are the phenotypes of millions of DNA structures that describe the various biological properties of each plant, and the photographic imagery of crop fields. (All told, there are several tens of petabytes that need storage and analysis, a number that's doubling roughly every 16 months.) With all that tech muscle, the company has launched IT-based initiatives such as its FieldScripts software, which uses proprietary algorithms (fed with data from the FieldScripts Testing Network and Monsanto research) to recommend where to best plant corn hybrids. 'Just like Amazon has its recommendation engine for what book to buy, we will have our recommendations of what and how a grower should plant a particular crop,' said McCarter. 'All fields aren't uniform and shouldn't be planted uniformly either.' Despite its increasingly sophisticated use of data analytics in the name of greater crop yields, however, Monsanto faces pushback from various groups with an aversion to genetically modified food; a current ballot initiative in Washington State, for example, could result in genetically modified foods needing a label in order to go on sale here. The company has also inspired a 'March Against Monsanto,' which has been much in the news lately."