mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free. The flaws in the MIFARE Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system. The website fails to check users, meaning attackers could look up details of residents, and opens the potential for someone to write a script and erase all cards in existence. Several flaws have been known to the operator since 2009." There are two sets of problems: their website is not adequately secured, allowing identity harvesting attacks, and the transit cards themselves are easy to forge.
Trailrunner7 writes "In the wake of the publication of a new academic paper that says there is a fundamental flaw in the Bitcoin protocol that could allow a small cartel of participants to become powerful enough that it could take over the mining process and gather a disproportionate amount of the value in the system, researchers are debating the potential value of the attack and whether it's actually practical in the real world. The paper, published this week by researchers at Cornell University, claims that Bitcoin is broken, but critics say there's a foundational flaw in the paper's assertions. ... The idea of a majority of Bitcoin miners joining together to dominate the system isn't new, but the Cornell researchers say that a smaller pool of one third of the miners could achieve the same result, and that once they have, there would be a snowball effect with other miners joining this cartel to increase their own piece of the pie. However, other researchers have taken issue with this analysis, saying that it wouldn't hold together in the real world. 'The most serious flaw, perhaps, is that, contrary to their claims, a coalition of ES-miners [selfish miners] would not be stable, because members of the coalition would have an incentive to cheat on their coalition partners, by using a strategy that I'll call fair-weather mining,' Ed Felten, a professor of computer science and public affairs at Princeton University and director of the Center for Information Technology Policy, wrote in an analysis of the paper."
An anonymous reader writes "Wikimedia today announced the launch of a beta program simply called Beta Features. In short, the organization is offering a way for users to try out new features on Wikipedia and other Wikimedia sites before they are released for everyone. If you're reading this with bated breath, you'll be happy to know logged-in users can join the early testing right now on MediaWiki.org, meta.wikimedia.org and Wikimedia Commons. Wikimedia plans to release Beta Features on all wikis in two weeks, on November 21, although the date may shift depending on the feedback the organization receives."
An anonymous reader writes "Oracle acquired GlassFish when it acquired Sun Microsystems, and now — like OpenSolaris and OpenOffice — the company has announced it will no longer support a commercial version of the product. Mike Milinkovich, executive director of the Eclipse Foundation, said in an interview the decision wasn't exactly a surprise: 'The only company that was putting any real investment in GlassFish was Oracle,' Milinkovich said. 'Nobody else was really stepping up to the plate to help. If you never contributed anything to it, you can't complain when something like this happens.' An update to the open source version is still planned for 2014." GlassFish is an open source application server.
cold fjord sends this news from Reuters: "Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization."
Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.
alphadogg writes "If you can't tell the difference between an inkblot that looks more like 'body builder lady with mustache and goofy in the center' than 'large steroid insect with big eyes,' then you can't crack passwords protected via a new scheme created by computer scientists that they've dubbed GOTCHA. GOTCHA, a snappy acronym for the decidedly less snappy Generating panOptic Turing Tests to Tell Computers and Humans Apart, is aimed at stymying hackers from using computers to figure out passwords, which are all too often easy to guess. GOTCHA, like its ubiquitous cousin CAPTCHA, relies on visual cues that typically only a human can appreciate. The researchers don't think that computers can solve the puzzles and have issued a challenge to fellow security researchers to use artificial intelligence to try to do so. You can find the GOTCHA Challenge here."
An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that if you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that is exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)
An anonymous reader writes "I've recently been charged with updating our existing serial console access tools. We have 12 racks of servers each with a console server in it (OpenGear, ACS, and a few others). Several of these systems host virtual machines which are also configured to have 'serial' management (KVM, virt serial). In total it comes to about 600 'systems.' All the systems also have remote power management (various vendors). Right now our team has a set of home grown scripts and a cobbled together database for keeping this all together. Today any admin can simply ssh into the master, run 'manage hostname console' and automatically get a serial console or run 'manage hostname power off' to cut the power to a system. I'd rather use some tools with more of a community than just the 4 of us. What tool(s) should I move my group onto for remote serial/power management?"
New submitter BitVulture writes "The hardcore Bitcoin community is abuzz with news of the closure of Inputs.io, a supposedly secure online Bitcoin wallet, after an attack resulted in the loss of 4100 Bitcoins. A PGP-signed message at the home page of the now mostly non-operational site briefly explains the situation: 'Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.' There's no word yet whether Inputs.io will eventually resume operations or whether the security breach will force the Bitcoin bank out of business."
An anonymous reader writes "Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses vulnerabilities they find. The minimum bounty for hacking any component of the Internet is $5,000."
An anonymous reader writes "Paedophiles may escape detection because highly classified material about Britain's surveillance capabilities has been published by the Guardian newspaper, the UK government has claimed. A senior Whitehall official said data stolen by Edward Snowden, a former contractor to the US National Security Agency, could be exploited by child abusers and other cyber criminals. It could also put lives at risk by disclosing secrets to terrorists, insurgents and hostile foreign governments, he said."
wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."
ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."
rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."
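The distinction the story turns on, as an added illustration (not code from the story or from Adobe): a stand-in for deterministic, reversible password "encryption" under one server-side key, beside salted PBKDF2 hashing, with a check of what a stolen copy of each store gives away. The toy keystream cipher, the site key and the user list are constructed for this example; the page does not say which cipher Adobe used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: four accounts, two of which chose the same password.
USERS = [
    ("alice", "Password1"),
    ("bob", "Password1"),
    ("carol", "correct horse battery staple"),
    ("dave", "hunter2"),
]

# --- Reversible, deterministic "encryption" (toy stand-in, not Adobe's scheme) ---
# One server-side key drives a keystream that is XORed over the password.
# Like any encryption applied without a per-record nonce, it is deterministic
# and reversible: equal passwords give equal ciphertext, the ciphertext length
# equals the password length, and whoever obtains the key recovers every
# password at once.
SITE_KEY = b"constructed-site-wide-key"  # assumed: a single key for all records


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes = SITE_KEY) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(blob: bytes, key: bytes = SITE_KEY) -> str:
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


# --- Salted, slow, one-way hashing (PBKDF2-HMAC-SHA256 from the standard library) ---
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a verifier record; nothing in it can be turned back into the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time comparison


# --- What a stolen copy of each store gives away ---
def duplicate_password_groups(stored_values: list) -> int:
    """Number of distinct stored values shared by more than one account."""
    counts = {}
    for value in stored_values:
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def compare_stores() -> dict:
    enc_store = [encrypt_password(pw) for _, pw in USERS]
    hash_store = [hash_password(pw) for _, pw in USERS]
    return {
        # deterministic encryption exposes which accounts share a password
        "encrypted_duplicate_groups": duplicate_password_groups(enc_store),
        # per-account salts hide that alice and bob chose the same password
        "hashed_duplicate_groups": duplicate_password_groups([r["digest"] for r in hash_store]),
        # ciphertext length reveals password length
        "encrypted_length_leak": [len(c) for c in enc_store] == [len(pw) for _, pw in USERS],
        # with the key, every password comes back in clear text
        "all_recovered_with_key": [decrypt_password(c) for c in enc_store] == [pw for _, pw in USERS],
    }


if __name__ == "__main__":
    for name, value in compare_stores().items():
        print(f"{name}: {value}")
```

The hashed store can still be attacked by brute force, which is why the hash is deliberately slow and salted; the encrypted store falls completely once the key is found.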
tsu doh nimh writes "A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection between recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database."
New submitter bmurray7 writes "You might think that the country that has the fastest average home internet speeds would be a first adopter of modern browsers. Instead, as the Washington Post reports, a payment processing security standard forces most South Koreans to rely upon Internet Explorer for online shopping. Since the standard uses a unique encryption algorithm, an ActiveX control is required to complete online purchases. As a result, many internet users are in the habit of approving all ActiveX control prompts, potentially exposing them to malware."
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
onehitwonder writes "In short, they build it themselves. When Tesla Motors needed to improve the back-end software that runs its business, CEO Elon Musk decided not to upgrade the company's SAP system. Instead, he told his CIO, Jay Vijayan, to have the IT organization build a new back-end system, according to The Wall Street Journal. The company's team of 25 software engineers developed the new system in about four months, and it provided the company with speed and agility at a time when it was experiencing costly delivery delays on its all-electric Model S."
rtoz writes "For handling the future unreliable chips, a research group at MIT's Computer Science and Artificial Intelligence Laboratory has developed a new programming framework that enables software developers to specify when errors may be tolerable. The system then calculates the probability that the software will perform as it's intended. As transistors get smaller, they also become less reliable. This reliability won't be a major issue in some cases. For example, if a few pixels in each frame of a high-definition video are improperly decoded, viewers probably won't notice — but relaxing the requirement of perfect decoding could yield gains in speed or energy efficiency."
wjcofkc writes "In the turbulent wake of the international uproar spurred by his leaked documents, Mr. Snowden published a letter over the weekend in Der Spiegel titled 'A Manifesto for the Truth'. In the letter, Mr. Snowden reflects on the consequences of the information released so far, and their effect on exposing the extent and obscenity of international and domestic surveillance, while continuing to call out the NSA and GCHQ as the worst offenders. He further discusses how the debate should move forward, the intimidation of journalists, and the criminalization of the truth, saying, 'Citizens have to fight suppression of information on matters of vital public importance. To tell the truth is not a crime.'"
An anonymous reader writes "Linus Torvalds announced the Linux 3.12 kernel release with a large number of improvements through many subsystems including new EXT4 file-system features, AMD Berlin APU support, a major CPUfreq governor improvement yielding impressive performance boosts for certain hardware/workloads, new drivers, and continued bug-fixing. Linus also took the opportunity to share possible plans for Linux 4.0. He's thinking of tagging Linux 4.0 following the Linux 3.19 release in about one year and is also considering the idea of Linux 4.0 being a release cycle with nothing but bug-fixes. Does Linux really need an entire two-month release cycle with nothing but bug-fixing? It's still to be decided by the kernel developers."
MojoKid writes "Microsoft has several valid reasons why you should upgrade to Windows 8.1, which is free if you already own Windows 8. However, there's a known issue that might give some gamers pause before clicking through in the Windows Store. There have been complaints of mouse problems after applying the Windows 8.1 update, most of which have been related to lag in video games, though Microsoft confirmed there are other potential quirks. Acknowledging the problem, Microsoft says it's also actively investigating the issues and working on a patch."
An anonymous reader writes "Intel shipped open-source Broadwell graphics driver support for Linux this weekend. While building upon the existing Intel Linux GPU driver, the kernel driver changes are significant in size for Broadwell. Code comments from Intel indicate that these processors shipping in 2014 will have 'some of the biggest changes we've seen on the execution and memory management side of the GPU' and 'dwarf any other silicon iteration during my tenure, and certainly can compete with the likes of the gen3->gen4 changes.' Come next year, Intel may now be able to better take on AMD and NVIDIA discrete graphics solutions."
First time accepted submitter renzema writes "I'm looking for a way to do near-site backups — backups that are not on my physical property, but with a hard drive still accessible should I need to do a restore (let's face it — this is where cloud backup services are really weak — 1 TB at 3-4mb downloads just doesn't cut it). I've tried CrashPlan, but that requires that someone has a computer on all the time and they don't ship hard drives to Sweden. What I want is to be able to back up my Windows and Mac to both a local disk and to a disk that I own that is not on site. I don't want a computer running 24x7 to support this — just a router or NAS. I would even be happy with a local disk that is somehow mirrored to a remote location. I haven't found anything out there that makes this simple. Any ideas?" What, besides "walk over a disk once in a while," would you advise?
codeusirae writes "RAF pilots were left 'blinded' by a barrage of images while flying at speeds of over 1,000 mph when a number of technical glitches hit their high-tech helmets. The visors were supposed to provide the fighter pilots with complete vision and awareness, but problems with the display produced a blurring known as 'green-glow,' meaning they were unable to see clearly. The green glow occurred when a mass of information was displayed on the helmet-mounted display systems, including radar pictures and images from cameras mounted around the aircraft."
An anonymous reader writes "Despite what we hear about how much the U.S. government is struggling with a website, it is reassuring that most government entities can update their websites within a day after they are asked to. This conclusion is the result of research done by the Networking Systems Laboratory at the Computer Science Department of the University of Houston. The research team tracked government websites and their update times, and found that 96% of the websites were updated within 24 hours after President Obama signed HR 2775 into law, ending the Government shutdown. It is worth noting that two websites took 8 days to update. It is interesting that the team was able to use the shutdown as an opportunity to study the efficiency of the IT departments of various parts of Government."
An anonymous reader writes "Almost three years ago, I started looking for a cloud storage service. Encryption and the 'zero-knowledge' concept were not concerns. Frankly, after two weeks testing services, it boiled down to one service I used for almost 2 years. It was perfect — in the technical sense — because it simply works as advertised and is one of the cheapest for 500GB. But this year, I decided to change that service for another one that would encrypt my files before leaving my machine. Some of these services call themselves 'zero-knowledge' services, because (as they claim) clear text does not leave your host: they only receive encrypted data — keys or passwords are not sent. I did all the testing I could, with the free bit of their services, and then chose one of them. After a while, when the load got higher (more files, more folders, more GB...), my horror story began. I started experiencing sync problems of all sorts. In fact, I have paid for and tested another service and both had the same issues with sync. Worse, one of them could not even handle restoring files correctly. I had to restore from my local backup more than once and I ended up losing files for real. In your experience, which service (or services) are really able to handle more than a hundred files, in sync within 5+ hosts, without messing up (deleting, renaming, duplicating) files and folders?"
New submitter codeusirae writes "An initial round of criticism focused on how many files the browser was being forced to download just to access the site, per an article at Reuters. A thread at Reddit appeared and was filled with analyses of the code. But closer looks by others have teased out deeper, more systematic issues."
jones_supa writes "Edward Snowden papers unmask that the German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain's GCHQ eavesdropping agency. The bulk monitoring is carried out through direct taps into fibre optic cables and the development of covert relationships with telecommunications companies. A loose but growing eavesdropping alliance has allowed intelligence agencies from one country to cultivate ties with corporations from another to facilitate the trawling of the web. The files also make clear that GCHQ played a leading role in advising its European counterparts how to work around national laws intended to restrict the surveillance power of intelligence agencies."
sfcrazy writes "CyanogenMod team has announced the release of version 10.2 M1, just after the release of Android 4.4 aka Kit Kat. In a post the team says, 'With all the Android 4.4 hype, we haven't forgotten about CM 10.2. Tonight the buildbots will focus their efforts on building and shipping out CyanogenMod 10.2 M1. Builds are already hitting the servers (please be patient, this will take a while). We are targeting over 70 devices for this initial M-release.'"
N8F8 writes "Like many IT professionals, I provide a lot of free help desk-type support to friends and family. I've decided to expand my support work and create a site where veterans can receive free computer help. I'm using OSTicket for the ticket reporting. What I really need is an easy to use desktop-sharing system. In the past I've used TeamViewer because it is easy to use, but it is not really free for non-personal use. Recently I switched to Meraki Systems Manager because it is free — and it uses VNC — but unfortunately it isn't intended for the one-time-use type support I'll be offering. So I'm looking for a reliable, open source, easy to use desktop-sharing solution that I can set up on my site for people to join one-time-use help desk sessions."
An anonymous reader writes "The release of OpenBSD 5.4 has been announced. New and notable advancements include new or extended platforms like octeon and beagle, moving VAX to ELF format, improved hardware support including Kernel Mode Setting (KMS), overhauled inteldrm(4), experimental support for fuse(4), reworked checksum handling for network protocols, OpenSMTPD 5.3.3, OpenSSH 6.3, over 7,800 ports, and many other improvements and additions."
netbuzz writes "On Nov. 2, 1988, mainstream America learned for the first time that computers get viruses, too, as the now notorious 'Morris worm' made front-page headlines after first making life miserable for IT professionals. A PBS television news report about the worm offers a telling look at how computer viruses were perceived (or not) at the time. 'Life in the modern world has a new anxiety today,' says the news anchor. 'Just as we've become totally dependent on our computers they're being stalked by saboteurs, saboteurs who create computer viruses.'"
Daniel_Stuckey writes "The group, called UnSystem, are self-proclaimed crypto-anarchists led by Cody Wilson—who you may remember as the creator of the controversial 3D-printed gun. After getting himself in hot water with the government for making the digital files to print an unregulated weapon freely available on the internet, Wilson's now endeavoring to bring Bitcoin back to its anarchist roots. Like other Bitcoin wallets, you'll be able to store, send, and receive coins, and interact with the block chain, the Bitcoin public ledger. But Dark Wallet will include extra protections to make sure transactions are secure, anonymous, and hard to trace—including a protocol called 'trustless mixing' that combines users' coins together before encoding it into the ledger."
Hugh Pickens DOT Com writes "Dan Goodin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu, one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused, and he also found that the machine could delete data and undo configuration changes with no prompting. Next a computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting, and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"
wjcofkc writes "The United States Government has officially called in the cavalry over the problems with Healthcare.gov. Tech titans Oracle, Red Hat and Google have been tapped to join the effort to fix the website that went live a month ago, only to quickly roll over and die. While a tech surge of engineers to fix such a complex problem is arguably not the greatest idea, if you're going to do so, you might as well bring in the big guns. The question is: can they make the end of November deadline?"
szotz writes "Keeping up the pace of Moore's Law is hard, but you wouldn't know it from the way chipmakers name their technology. The semiconductor industry's names for chip generations (Intel's 22nm, TSMC's 28nm, etc.) have very little to do with actual physical sizes, says IEEE Spectrum. And the disconnect is only getting bigger. For the first time, the 'pay us to make your chip' foundries are offering a new process (with a smaller-sounding name) that will produce chips that are no denser than their forebears. The move is not a popular one."
itwbennett writes "This brings to mind an earlier Slashdot discussion about whether we've hit the limit on screen resolution improvements on handheld devices. But this time, the question revolves around ever-faster graphics processing units (GPUs) and the resolution limits of desktop monitors. ITworld's Andy Patrizio frames the problem like this: 'Desktop monitors (I'm not talking laptops except for the high-end laptops) tend to vary in size from 20 to 24 inches for mainstream/standard monitors, and 27 to 30 inches for the high end. One thing they all have in common is the resolution. They have pretty much standardized on 1920x1080. That's because 1920x1080 is the resolution for HDTV, and it fits 20 to 24-inch monitors well. Here's the thing: at that resolution, these new GPUs are so powerful you get no major, appreciable gain over the older generation.' Or as Chris Angelini, editorial director for Tom's Hardware Guide, put it, 'The current high-end of GPUs gives you as much as you'd need for an enjoyable experience. Beyond that and it's not like you will get nothing, it's just that you will notice less benefit.'"
An anonymous reader writes "Do you think an airgap can protect your computer? Maybe not. According to this story at Ars Technica, security consultant Dragos Ruiu is battling malware that communicates with infected computers using computer microphones and speakers." That sounds nuts, but it is a time-tested method of data transfer, after all.
First time accepted submitter taxtropel was one of many readers to note that Google has officially released its newest version of Android. taxtropel extracts from the announcement: "Today we are announcing Android 4.4 KitKat, a new version of Android that brings great new features for users and developers. The very first device to run Android 4.4 is the new Nexus 5, available today on Google Play, and coming soon to other retail outlets. We'll also be rolling out the Android 4.4 update worldwide in the next few weeks to all Nexus 4, Nexus 7, and Nexus 10 devices, as well as the Samsung Galaxy S4 and HTC One Google Play Edition devices." Reader SmartAboutThings adds: "Almost all of the features that the Nexus 5 comes with are not a surprise, since they were heavily leaked before. Still, for those that have obediently waited for this day, here are some of its most important specs: 2.2GHz quad-core Snapdragon 800 and 2GB of RAM, 4.95-inch 1080p display, wireless charging, 2,300 mAh battery, LTE, Bluetooth 4.0, 802.11ac WiFi and NFC; Gorilla Glass 3, front 1.3-megapixel camera and 8-megapixel sensor on the back with optical image stabilization (OIS)."
An anonymous reader writes "Google today announced Chrome is getting an automatic download blocking feature for malware. Google has already added the new functionality to the latest build of Chrome Canary. All versions of Chrome will soon automatically block downloads and let you know in a message at the bottom of your screen. You will be able to "Dismiss" the message, although it's not clear if you will be able to stop or revert the block."
itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."
Nerval's Lobster writes "Government whistleblower Edward Snowden, exiled in Russia after releasing top-secret documents about the National Security Agency's surveillance activities to the press, has a new job: tech support. Snowden's lawyer, Anatoly Kucherena, told the Associated Press that his client starts work Nov. 1 for a "major" Russian Website, which he declined to name. In June, Snowden—a former CIA employee who worked as a contractor for the NSA—began feeding an enormous pile of classified charts and documents about federal surveillance programs to The Guardian and other newspapers. Many of those documents suggested that the NSA, ordinarily tasked with intercepting communications from terrorists and foreign governments, collects massive amounts of information on ordinary Americans, which in turn ignited a firestorm of controversy. The Snowden revelations have continued into this week, with The Washington Post reporting that the NSA has aggressively targeted Google and Yahoo servers. Snowden's documents suggest that the agency has figured out how to tap the links connecting the two tech giants' datacenters to the broader Web. Google told the Post that it was "troubled" by the report. A Yahoo spokesperson insisted that the company had "strict controls in place to protect the security of our datacenters" and that "we have not given access to our data centers to the NSA or to any other government agency.""
angry tapir writes "Two privacy-focused email providers have launched the Dark Mail Alliance, a project to engineer an email system with robust defenses against spying. Silent Circle and Lavabit abruptly halted their encrypted email services in August, saying they could no longer guarantee email would remain private after court actions against Lavabit, reportedly an email provider for NSA leaker Edward Snowden."
dinscott writes "During the Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."
MojoKid writes "Rumors around the what and when of Google's upcoming Nexus 5 smartphone have been plentiful, and ahead of the supposed release date on Halloween, a benchmark score for the handset has slipped out from Rightware, and it's downright impressive. According to Rightware's Power Board, the Nexus 5 delivered the second-highest Benchmark X gaming score among smartphones, behind only the iPhone 5S, making it the most powerful Android-based handset in the land. The LG-made phone shares a GPU (the Adreno 330) with the third-place Sharp Aquos SHL23 but bested the latter handset with a score of 14.27 to 13.10. A leaked user manual revealed that the Nexus 5 will boast a full HD 4.95-inch display, Snapdragon 800 processor (2.3GHz), 2GB of RAM, 16GB or 32GB of onboard storage, and 8MP rear-facing and 1.3MP front-facing cameras."
stry_cat writes "Ed Bott makes the case against Gmail: 'Gmail was a breath of fresh air when it debuted. But this onetime alternative is showing signs that it's past its prime, especially if you want to use the service with a third-party client. That's the way Google wants it, which is why I've given up on Gmail after almost a decade.' Personally, I've always thought it odd that no other email provider ever adopted Gmail's "search not sort" mentality. I've been a Gmail user since you needed an invitation to get an account. However, Gmail has been steadily moving towards a more traditional email experience. Plus there's the iGoogle disaster that got me looking into alternatives to everything Google."
barlevg writes "The Washington Post reports that, according to documents obtained from Edward Snowden, through their so-called 'MUSCULAR' initiative, the National Security Agency has exploited a weakness in the transfers between data centers, which Google and others pay a premium to send over secure fiber optic cables. The leaked documents include a post-it note as part of an internal NSA PowerPoint presentation showing a diagram of Google network traffic, an arrow pointing to the Google front-end server with text reading, 'SSL Added and Removed Here' with a smiley face. When shown the sketch by The Post and asked for comment, two engineers with close ties to Google responded with strings of profanity." The Washington Post report is also summarized at SlashBI. Also in can't-trust-the-government-not-to-spy news, an anonymous reader writes: "According to recent reports, the National Security Agency collects 'one-end foreign' Internet metadata as it passes through the United States. The notion is that purely domestic communications should receive greater protection, and that ordinary Americans won't send much personal information outside the country. A researcher at Stanford put this hypothesis to the test... and found that popular U.S. websites routinely pass browsing activity to international servers. Even the House of Representatives website was sending traffic to London. When the NSA vacuums up international Internet metadata, then, it's also snooping on the domestic web browsing of millions of Americans."