Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security

Encrypted PIN Data Taken In Target Breach 213

Posted by Soulskill
from the now-you're-all-targets dept.
New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.
The Almighty Buck

Millions of Dogecoin Stolen Over Christmas 132

Posted by timothy
from the it's-just-been-hidden-by-the-catecoin dept.
Kenseilon writes "The Verge reports that millions of Dogecoins — an alternative cryptocurrency — was stolen after the service DogeWallet was hacked. DogeWallet worked like a bank account for the currency, and the attackers modified it to make sure all transactions ended up in a wallet of their choice. This latest incident is just one in the long (and growing) list of problems that cryptocurrencies are currently facing. It brings to mind the incident where bitcoin exchange service GBL vanished and took a modest amount of Bitcoins with them. While not a similar case, it highlights the difficulties with trusting service provides in this market."
Transportation

Tesla Updates Model S Software As a Precaution Against Unsafe Charging 148

Posted by timothy
from the belt-and-suspenders-and-superglue dept.
zlives writes "Tesla Motors has maintained that the most recent fire involving one of its Model S electric vehicles isn't the result of a vehicle or battery malfunction, but the company is still addressing the situation with a software fix, according to Green Car Reports. The California-based automaker has added a software function that automatically reduces the charge current by about 25 percent when power from the charging source fluctuates outside of a certain range, Green Car Reports says, citing the Twitter feed from an Apple employee, @ddenboer, who owns a Model S. You can read the text of the update below."
Spam

Whatever Happened To Sanford "Spamford" Wallace? 45

Posted by Unknown Lamer
from the dj-master-spam dept.
Tackhead writes "People of a certain age — the age before email filters were effective, may remember a few mid-90s buzzwords like 'bulletproof hosting' and 'double opt-in.' People may remember that Hormel itself conceded that although 'SPAM' referred to their potted meat product, the term 'spam' could refer to unsolicited commercial email. People may also remember AGIS, Cyberpromo, Sanford 'Spam King' Wallace, and Walt Rines. Ten years after a 2003 retrospective on Rines and Wallace, Ars Technica reminds us that the more things change, the more they stay the same."
Security

Who's Selling Credit Cards From Target? 68

Posted by Soulskill
from the it's-the-grinch dept.
An anonymous reader writes "Brian Krebs has done some detective work to determine who is behind the recent Target credit card hack. Krebs sifted through posts from a series of shady forums, some dating back to 2008, to determine the likely real-life identity of one fraudster. He even turns down a $10,000 bribe offer to keep the information under wraps."
Software

How Healthcare.gov Changed the Software Testing Conversation 118

Posted by Soulskill
from the polls-say-software-testing-is-patriotic dept.
An anonymous reader notes an article about how the tribulations of Healthcare.gov brought the idea of software testing into the public consciousness in a more detailed way than ever before. Quoting: "Suddenly, Americans are sitting at their kitchen tables – in suburbs, in cities, on farms – and talking about quality issues with a website. The average American was given nightly tutorials on load testing and performance bottlenecks when the site first launched, then crumbled moments later. We talked about whether the requirements were well-defined and the project schedule reasonably laid out. We talked about who owns the decision to launch and whether they were keeping appropriate track of milestones and iterations. ... When the media went from talking about the issues in the website to the process used to build the website was when things really got interesting. This is when software testers stepped out of the cube farm behind the coffee station and into the public limelight. Who were these people – and were they incompetent or mistreated? Did the project leaders not allocate enough time for testing? Did they allocate time for testing but not time to react to the testing outcome? Did the testers run inadequate tests? Were there not enough testers? Did they not speak up about the issues? If they did, were they not forceful enough?"
Upgrades

A Flood of Fawning Reviews For Apple's Latest 501

Posted by timothy
from the nifty-design dept.
Like many other review sites, it seems that MacWorld can hardly find enough good things to say about the new Mac Pro, even while conceding it's probably not right for many users. 9to5 Mac has assembled a lot of the early reviews, including The Verge's, which has one of the coolest shots of its nifty design, which stacks up well against the old Pro's nifty design. The reviews mostly boil down to this: If you're in a field where you already make use of a high-end Mac for tasks like video editing, the newest one lives up to its hype.
Security

F-Secure's Mikko Hypponen Cancels RSA Talk In Protest 248

Posted by Unknown Lamer
from the conferences-in-america-considered-dangerous dept.
An anonymous reader writes "In a letter to RSA executives, F-Secure's Mikko Hypponen says he is canceling his talk at the 2014 RSA Conference, due to the company's deal with the NSA, and how the agency has treated foreigners." From the letter: " I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are american anyway — why would they care about surveillance that’s not targeted at them but at non-americans. Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event."
Privacy

Researchers Connect 91% of Numbers With Names In Metadata Probe 84

Posted by samzenpus
from the looking-at-the-list dept.
Trailrunner7 writes "One of the key tenets of the argument that the National Security Agency and some lawmakers have constructed to justify the agency's collection of phone metadata is that the information it's collecting, such as phone numbers and length of call, can't be tied to the callers' names. However, some quick investigation by some researchers at Stanford University who have been collecting information voluntarily from Android users found that they could correlate numbers to names with very little effort. The Stanford researchers recently started a program called Metaphone that gathers data from volunteers with Android phones. They collect data such as recent phone calls and text messages and social network information. The goal of the project, which is the work of the Stanford Security Lab, is to draw some lines connecting metadata and surveillance. As part of the project, the researchers decided to select a random set of 5,000 numbers from their data and see whether they could connect any of them to subscriber names using just freely available Web tools. The result: They found names for 27 percent of the numbers using just Google, Yelp, Facebook and Google Places. Using some other online tools, they connected 91 of 100 numbers with names."
Businesses

Percentage of Self-Employed IT Workers Increasing 138

Posted by samzenpus
from the never-take-off-your-pajamas-again dept.
dcblogs writes "The tech industry is seeing a shift toward a more independent, contingent IT workforce. About 18% of all IT workers today are self-employed, according to an analysis by Emergent Research, a firm focused on small businesses trends. This independent IT workforce is growing at the rate of about 7% per year, which is faster than the overall growth rate for independent workers generally, at 5.5%. A separate analysis by research firm Computer Economics finds a similar trend. This year, contract workers make up 15% of a typical large organization's IT staff at the median. This is up from a median of just 6% in 2011, said Longwell. The last time there was a similar increase in contract workers was in 1998, during the dot.com boom and the run-up to Y2K remediation efforts."
Businesses

RSA Flatly Denies That It Weakened Crypto For NSA Money 291

Posted by timothy
from the problem-with-denials dept.
The Register reports that RSA isn't taking quietly the accusation reported by Reuters, based on documents released by Edward Snowden, that the company intentionally used weaker crypto at the request of the NSA, and accepted $10 million in exchange for doing so. RSA's defends the use of the Dual Elliptic Curve Deterministic Random Bit Generator, stating categorically "that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Privacy

Privacy Advocate Jacob Appelbaum Reports Break-In Of Berlin Apartment 194

Posted by timothy
from the watch-your-friends'-enemies dept.
Jacob Appelbaum isn't shy about his role as a pro-privacy (and anti-secrecy) activist and hacker. A long-time contributor to the Tor project, and security researcher more generally, Appelbaum stood in for the strategically absent Julian Assange at HOPE in 2010, and more recently delivered Edward Snowden's acceptance speech when Snowden was awarded the Government Accountability Project's Whistleblower Prize. Now, he reports, his Berlin apartment appears to have been burglarized, and his computers tampered with. As reported by Deutsche Welle, "Appelbaum told [newspaper the Berliner Zeitung] that somebody had broken into his apartment and used his computer in his absence. 'When I flew away for an appointment, I installed four alarm systems in my apartment,' Appelbaum told the paper after discussing other situations which he said made him feel uneasy. 'When I returned, three of them had been turned off. The fourth, however, had registered that somebody was in my flat - although I'm the only one with a key. And some of my effects, whose positions I carefully note, were indeed askew. My computers had been turned on and off.'" It's not the first time by any means that Appelbaum's technical and political pursuits have drawn attention of the unpleasant variety.
Windows

Microsoft's Ticking Time Bomb Is Windows XP 829

Posted by timothy
from the tic-tic-tic dept.
Hugh Pickens DOT Com writes "Shona Ghosh writes at PC Pro that the final deadline for Windows XP support in April 2014 will act as the starting pistol for developing new exploits as hackers reverse-engineer patches issued for Windows 7 or Windows 8 to scout for XP vulnerabilities. "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares [them]," says Tim Rains, the director of Microsoft's Trustworthy Computing group. Microsoft says that XP shared 30 security holes with Windows 7 and Windows 8 between July 2012 and July 2013. Gregg Keizer says that if a major chunk of the world's PCs remains tied to XP, as seems certain, Microsoft will face an unenviable choice: Stick to plan and put millions of customers at risk from malware infection, or backtrack from long-standing policies and proclamations." (Read on for more.)
Bug

Obamacare and Middle-Wheel-Wheelbarrows 199

Posted by timothy
from the well-here's-where-your-problem-is dept.
davecb writes "The Obamacare sign-up site was a classic example of managers saying 'not invented here' and doing everything wrong, as described in Poul-Henning Kamp's Center Wheel for Success, at ACM Queue." It's not just a knock on the health-care finance site, though: "We are quick to dismiss these types of failures as politicians asking for the wrong systems and incompetent and/or greedy companies being happy to oblige. While that may be part of the explanation, it is hardly sufficient. ... [New technologies] allow us to make much bigger projects, but the actual success/failure rate seems to be pretty much the same."
Encryption

Ask Slashdot: Can Commercial Hardware Routers Be Trusted? 213

Posted by timothy
from the rot13-is-the-only-way dept.
First time accepted submitter monkaru writes "Given reports that various vendors and encryption algorithms have been compromised. Is it still possible to trust any commercial hardware routers or is 'roll your own' the only reasonable path going forward?" What do you do nowadays, if anything, to maintain your online privacy upstream of your own computer?
Graphics

Big Buck Bunny In 4K, 60 Fps and 3D-stereo 102

Posted by timothy
from the open-culture dept.
An anonymous reader writes "Blender Foundation open movie projects like Sintel and Tears of Steel have been mentioned on Slashdot in the recent years. Now an old-timer, their open movie Big Buck Bunny from 2008, has been getting a make-over in a new release: The entire movie has been recreated in 3D stereo with a resolution of 4K (3840x2160) at 60fps. It took years to rework the movie because the original Big Buck Bunny was created for 2D. Most of the scenes had to be modified to work well in 3D stereo. Furthermore, the original movie was made for cinemas and was 24fps; a lot of changes to the animations had to be made to get the correct results. The creator of the reworked version explains about it on BlenderNation where he also talks about the fact that the entire movie was rendered via an online collaborative renderfarm, BURP, where volunteers provided spare CPU cycles to make it happen. If you want to see how your computer measures up to playing 4K content in 60 fps you can download the reworked movie from the official homepage — lower resolutions are also available."
Businesses

Reuters: RSA Weakened Encryption For $10M From NSA 464

Posted by timothy
from the 30-pieces-of-silver-seemed-too-derivative dept.
Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
Microsoft

Microsoft Security Essentials Misses 39% of Malware 149

Posted by timothy
from the talked-harshly-with-the-other-61-percent dept.
Barence writes "The latest tests from Dennis Publishing's security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher — with five scoring 98% or 99% — Microsoft's free antivirus software protected against only 61% of the malware samples used in the test. Microsoft conceded last year that its security software was intended to offer only "baseline" performance"."
Education

Ask Slashdot: Do You Run a Copy-Cat Installation At Home? 308

Posted by Soulskill
from the yes-but-cat-food-prices-are-getting-oppressive dept.
Lab Rat Jason writes "During a discussion with my wife last night, I came to the realization that the primary reason I have a Hadoop cluster tucked under my desk at home (I work in an office) is because my drive for learning is too aggressive for my IT department's security policy, as well as their hardware budget. But on closer inspection the issue runs even deeper than that. Time spent working on the somewhat menial tasks of the day job prevent me from spending time learning new tech that could help me do the job better. So I do my learning on my own time. As I thought about it, I don't know a single developer who doesn't have a home setup that allows them to tinker in a more relaxed environment. Or, put another way, my home setup represents the place I wish my company was going. So my question to Slashdot is this: How many of you find yourselves investing personal time to learn things that will directly benefit your employer, and how many of you are able to 'separate church and state?'"
Security

DHS Turns To Unpaid Interns For Nation's Cyber Security 174

Posted by Soulskill
from the probably-still-an-upgrade dept.
theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nations' best-and-brightest college students to work for nothing on the nation's cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Council's Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was advised by representatives from Cisco, JP Morgan Chase, Goldman Sachs, Northrop Grumman, the NSF, and the NSA. 'Do you desire to protect American interests and secure our Nation while building a meaningful and rewarding career?' reads the job posting for Secretary's Honors Program Cyber Student Volunteers (salary: $0.00-$0.00). 'If so, the Department of Homeland Security (DHS) is calling.' Student volunteers, DHS adds, will begin in spring 2014 and participate throughout the summer. Get your applications in by January 3, kids!"
Networking

Ask Slashdot: Managing Device-Upgrade Bandwidth Use? 159

Posted by timothy
from the selective-enforcement dept.
First time accepted submitter wallydallas writes "I'm close to a solution, but I wonder how other people block their many devices and operating systems from updating in working hours. For example: I'm the IT guy who blocks iPads from updating when school is in session because we are in a rural location. 3mbps is the best WAN we can buy. Devices can update after hours just fine. We do this with our router (DDWRT) by blocking MESU.APPLE.COM. Many guests bring in Windows 7 laptops, and I want to welcome them, but not their updates. How can I block updates on Android Phones and Linux Laptops? I have a 4G device at home, and I'd like to apply the same tricks 24 hours a day so that I don't use up the bandwith from my vendor. And my many home visitors should have their updates blocked."
Bitcoin

Why Charles Stross Wants Bitcoin To Die In a Fire 691

Posted by timothy
from the compare-and-contrast-with-unbacked-fiat-money dept.
Hugh Pickens DOT Com writes "SF writer Charles Stross writes on his blog that like all currency systems, Bitcoin comes with an implicit political agenda attached and although our current global system is pretty crap, Bitcoin is worse. For starters, BtC is inherently deflationary. There is an upper limit on the number of bitcoins that can ever be created so the cost of generating new Bitcoins rises over time, and the value of Bitcoins rise relative to the available goods and services in the market. Libertarians love it because it pushes the same buttons as their gold fetish and it doesn't look like a "Fiat currency". You can visualize it as some kind of scarce precious data resource, sort of a digital equivalent of gold. However there are a number of huge down-sides to Bitcoin says Stross: Mining BtC has a carbon footprint from hell as they get more computationally expensive to generate, electricity consumption soars; Bitcoin mining software is now being distributed as malware because using someone else's computer to mine BitCoins is easier than buying a farm of your own mining hardware; Bitcoin's utter lack of regulation permits really hideous markets to emerge, in commodities like assassination and drugs and child pornography; and finally Bitcoin is inherently damaging to the fabric of civil society because it is pretty much designed for tax evasion. "BitCoin looks like it was designed as a weapon intended to damage central banking and money issuing banks, with a Libertarian political agenda in mind—to damage states ability to collect tax and monitor their citizens financial transactions," concludes Stross. "The current banking industry and late-period capitalism may suck, but replacing it with Bitcoin would be like swapping out a hangnail for Fournier's gangrene.""
Crime

Target Has Major Credit Card Breach 191

Posted by samzenpus
from the you're-the-target dept.
JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.
Privacy

How a MacBook Camera Can Spy Without Lighting Up 371

Posted by Soulskill
from the they-can-see-you-right-now dept.
New submitter ttyler writes "It turns out a MacBook's built-in camera can be activated without turning on the green LED. An earlier report suggested the FBI could activate a device's camera without having the light turn on, and there was a case in the news where a woman had nude pictures taken of her without her knowledge. The new research out of Johns Hopkins University confirms both situations are possible. All it takes are a few tweaks to the camera's firmware."
Encryption

Scientists Extract RSA Key From GnuPG Using Sound of CPU 264

Posted by Soulskill
from the noisy-fans-are-now-a-feature dept.
kthreadd writes "In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones."
IOS

Apple Pushes Developers To iOS 7 336

Posted by Unknown Lamer
from the upgrade-or-die dept.
Hugh Pickens DOT Com writes "Chuong Nguyen reports that Apple is forcing developers to adopt iOS 7's visual UI for their apps, and has advised iOS developers that all apps submitted after February 1, 2014 must be optimized for iOS 7 and built using Xcode 5 ... 'It's likely that Apple is more anxious than ever for developers to update their apps to fit in visually and mechanically with iOS 7, as it's the largest change in the history of Apple's mobile software,' says Matthew Panzarino. 'iOS 7 introduced a much more complex physical language while stripping out many of the visual cues that developers had relied on to instruct users. For better or worse, this has created a new aesthetic that many un-updated apps did not reflect.' Most app developers have been building apps optimized towards iOS 7 since Apple's World Wide Developer Conference in June 2013. Apple has been on a push over the past couple of years to encourage developers to support the latest editions of its OS faster than ever. To do this, it's made a habit of pointing out the adoption rates of new versions of iOS, which are extremely high. Nearly every event mentions iOS 7 adoption, which now tops 76% of all iOS users, and Apple publishes current statistics. In order to optimize apps for the new operating system, they must be built with the latest version of Xcode 5 which includes 64-bit support and access to new features like backgrounding APIs."
Encryption

Academics Should Not Remain Silent On Government Hacking 135

Posted by Unknown Lamer
from the too-busy-writing-papers dept.
ananyo writes "The Guardian's technology editor, Charles Arthur, asks why researchers have remained largely silent in the wake of the revelation that the U.S. National Institute of Standards and Technology's standard for random numbers used for cryptography had been weakened by the NSA: 'The nature of the subversions sounds abstruse: the random-number generator, the 'Dual EC DRBG' standard, had been hacked by the NSA and the UK's GCHQ so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.' Arthur attributes the silence of UK academics, at least, to pressure from GCHQ. He goes on to say: 'For those who do care, White and Matthew Green, who teaches cryptography at Johns Hopkins University in Baltimore, Maryland, have embarked on an ambitious effort to clean up the mess — one that needs help. They have created a non-profit organization called OpenAudit.org, which aims to recruit experts to provide technical assistance for security projects in the public interest, especially open-source security software.'"
Android

Massive Android Mobile Botnet Hijacking SMS Data 117

Posted by Soulskill
from the all-your-texts-are-belong-to-us dept.
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
Cloud

Healthcare IT's Achilles' Heel: Sensors 84

Posted by Soulskill
from the still-waiting-on-that-tricorder dept.
Nerval's Lobster writes "Tech publications and pundits alike have crowed about the benefits we're soon to collectively reap from healthcare analytics. In theory, sensors attached to our bodies (and appliances such as the fridge) will send a stream of health-related data — everything from calorie and footstep counts to blood pressure and sleep activity — to the cloud, which will analyze it for insight; doctors and other healthcare professionals will use that data to tailor treatments or advise changes in behavior and diet. But the sensors still leave a lot to be desired: 'smart bracelets' such as Nike's FuelBand and FitBit can prove poor judges of physical activity, and FitBit's associated app still requires you to manually input records of daily food intake (the FuelBand is also a poor judge of lower-body activity, such as running). FDA-approved ingestible sensors are still being researched, and it'd be hard to convince most people that swallowing one is in their best interests. Despite the hype about data's ability to improve peoples' health, we could be a long way from any sort of meaningful consumer technology that truly makes that happen."
Red Hat Software

Fedora 20 Released 147

Posted by timothy
from the is-it-a-true-fedora? dept.
sfcrazy writes "The Fedora Project has announced the release of Fedora 20, code named Heisenbug (release notes). Fedora 20 is dedicated to Seth Vidal, the lead developer of Yum and the Fedora update repository, who recently died in a road accident. Gnome is the default DE of Fedora, and so it is for Fedora 20. However unlike Ubuntu (where they had to create different distros for each DE) Fedora comes with KDE, XFCE, LXDE and MATE. You can install the DE of your choice on top of base Fedora."
China

NSA Says It Foiled Plot To Destroy US Economy Through Malware 698

Posted by timothy
from the big-brother-says-he's-got-your-back dept.
mrspoonsi writes "Business Insider Reports: The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped On Sunday's '60 Minutes.' Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy. Even more shocking, CBS goes as far as to point a finger directly at China for the plot — 'While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.' The NSA says it closed this vulnerability by working with computer manufacturers. Debora Plunkett, director of cyber defense for the NSA: One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers."
Security

The Case For a Global, Compulsory Bug Bounty 81

Posted by timothy
from the perverse-incentives dept.
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The questions is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
Security

Is Bruce Schneier Leaving His Job At BT? 96

Posted by samzenpus
from the parting-ways dept.
hawkinspeter writes "The Register is hosting an exclusive that Bruce Schneier will be leaving his position at BT as security futurologist. From the article: 'News of the parting of the ways reached El Reg via a leaked internal email. Our source suggested that Schneier was shown the door because of his recent comments about the NSA and GCHQ's mass surveillance activities.'"
Unix

Theo De Raadt Says FreeBSD Is Just Catching Up On Security 280

Posted by timothy
from the diplomatic-mission dept.
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
Security

Ask Slashdot: How Would You Secure Your Parents' PC? 408

Posted by timothy
from the what's-the-late-2013-version? dept.
New submitter StirlingArcher writes "I've always built/maintained my parents' PC's, but as Mum has got older her PC seems to develop problems more readily. I would love to switch her to Linux, but she struggles with change and wants to stay with Vista and MS Office. I've done the usual remove Admin rights, use a credible Internet Security package. Is there anything more dramatic that I could do, without changing the way she uses her PC or enforcing a new OS on her again? One idea was to use a Linux OS and then run Vista in a VM, which auto-boots and creates a backup image every so often. Thanks for any help!"
Security

IETF To Change TLS Implementation In Applications 80

Posted by timothy
from the nice-orderly-scramble dept.
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it's deployed properly, reducing the errors that could make surveillance and other attacks easier."
Security

Leaked Passwords On Display At a German Museum 42

Posted by timothy
from the where's-your-scanner dept.
Daniel_Stuckey writes "Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, [artist Aram] Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year. He brings the books to his exhibits, called 'Forgot Your Password,' where you're free to see if he's got your data—and whether anyone else who wanders through is entirely capable of logging onto your account and making Connections with unsavory people. In fact, Bartholl insists: "These eight volumes contain 4.7 million LinkedIn clear text user passwords printed in alphabetical order," the description of his project reads. "Visitors are invited to look up their own password.""
Encryption

NSA Able To Crack A5/1 Cellphone Crypto 122

Posted by timothy
from the keith-alexander-huffs-righteously dept.
jones_supa writes "The most widely used cellphone encryption cipher A5/1 can be easily defeated by the National Security Agency, an internal document shows. This gives the agency the means to intercept most of the billions of calls and texts that travel over radiowaves every day, even when the agency would not have the encryption key. Encryption experts have long known the cipher to be weak and have urged providers to upgrade to newer systems. Consequently it is also suggested that other nations likely have the same cracking capability through their own intelligence services. The vulnerability outlined in the NSA document concerns encryption developed in the 1980s but still used widely by cellphones that rely on 2G GSM. It is unclear if the agency may also be able to decode newer forms of encryption, such as those covered under CDMA."
Safari

Safari Stores Previous Browsing Session Data Unencrypted 135

Posted by Soulskill
from the security-through-obscurity dept.
msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"
Cloud

Why Cloud Infrastructure Pricing Is Absurd 191

Posted by Soulskill
from the buzzwords-as-a-service dept.
itwbennett writes "Two reports out this week, one a new 'codex' released by 451 Research and the other an updated survey into cloud IaaS pricing from Redmonk, show just how insane cloud pricing has become. If your job requires you to read these reports, good luck. For the rest of us, Redmonk's Stephen O'Grady distilled the pricing trends down to this: 'HP offers the best compute value and instance sizes for the dollar. Google offers the best value for memory, but to get there it appears to have sacrificed compute. AWS is king in value for disk and it appears no one else is even trying to come close. Microsoft is taking the 'middle of the road,' never offering the best or worst pricing.'"
Security

Google Fixes Credit Card Security Hole, But Snubs Discoverer 127

Posted by timothy
from the and-that's-the-thanks-I-get dept.
Frequent contributor Bennett Haselton writes: "Google has fixed a vulnerability, first discovered by researcher Gergely Kalman, which let users search for credit card numbers by using hex number ranges. However, Google should have acknowledged or at least responded to the original bug finder (and possibly even paid him a bounty for it), and should have been more transparent about the process in general." Read on for the rest of the story.
Government

Munich Open Source Switch 'Completed Successfully' 275

Posted by timothy
from the austin-should-follow-suit dept.
Qedward writes "Munich's switch to open source software has been successfully completed, with the vast majority of the public administration's users now running its own version of Linux, city officials said today. In one of the premier open source software deployments in Europe, the city migrated from Windows NT to LiMux, its own Linux distribution. LiMux incorporates a fully open source desktop infrastructure. The city also decided to use the Open Document Format (ODF) as a standard, instead of proprietary options. Ten years after the decision to switch, the LiMux project will now go into regular operation, the Munich City council said."
ISS

Coolant Glitch Forces Partial Space Station Shutdown 49

Posted by samzenpus
from the its-getting-hot-in-here dept.
astroengine writes "A coolant system glitch on the International Space Station has forced several of the orbital outpost's modules offline as astronauts and ground control manage the problem. The crew are not in danger and ground control teams are currently working to see how best to troubleshoot. The issue, that occurred early on Wednesday, focuses on one of the space station's two external ammonia cooling loops, along which the station's electrical systems use to regulate their temperatures. The loop 'automatically shut down when it reached pre-set temperature limits,' said NASA in a statement. It is thought that a flow control valve in the ammonia pump itself may have malfunctioned."
Privacy

Switzerland Wants To Become the World's Data Vault 131

Posted by samzenpus
from the leave-it-to-us dept.
wiredmikey writes "Business for Switzerland's 55 data centers is booming. They benefit from the Swiss reputation for security and stability, and some predict the nation already famous for its super-safe banks will soon also be known as the world's data vault. For example, housed in one of Switzerland's numerous deserted Cold War-era army barracks, one high-tech data center is hidden behind four-ton steel doors built to withstand a nuclear attack — plus biometric scanners and an armed guard. Such tight security is in growing demand in a world shaking from repeated leaks scandals and fears of spies lurking behind every byte."
Encryption

FreeBSD Developers Will Not Trust Chip-Based Encryption 178

Posted by Soulskill
from the fool-me-once,-shame-on-you dept.
New submitter srobert writes "An article at Ars Technica explains how, following stories of NSA leaks, FreeBSD developers will not rely solely on Intel's or Via's chip-based random number generators for /dev/random values. The values will first be seeded through another randomization algorithm known as 'Yarrow.' The changes are effective with the upcoming FreeBSD 10.0 (for which the first of three planned release candidates became available last week)."
Encryption

OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein 140

Posted by Unknown Lamer
from the cha-cha-cha dept.
First time accepted submitter ConstantineM writes "Inspired by a recent Google initiative to adopt ChaCha20 and Poly1305 for TLS, OpenSSH developer Damien Miller has added a similar protocol to ssh, chacha20-poly1305@openssh.com, which is based on D. J. Bernstein algorithms that are specifically optimised to provide the highest security at the lowest computational cost, and not require any special hardware at doing so. Some further details are in his blog, and at undeadly. The source code of the protocol is remarkably simple — less than 100 lines of code!"
Bug

Disqus Bug Deanonymizes Commenters 151

Posted by Unknown Lamer
from the anonymous-cowards-unmasked dept.
alphatel writes "The Swedish company Resarchgruppen has discovered a flaw in the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate speech-sites."
Government

NSA Uses Google Cookies To Pinpoint Targets For Hacking 174

Posted by Soulskill
from the another-day-another-way-to-spy-on-us dept.
Hugh Pickens DOT Com writes "For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them. Now the Washington Post reports that the NSA secretly piggybacks on the tools that enable Internet advertisers to track consumers, using 'cookies' and location data to pinpoint targets for government hacking and to bolster surveillance. The agency uses a part of a Google-specific tracking mechanism known as the 'PREF' cookie to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer. 'On a macro level, "we need to track everyone everywhere for advertising" translates into "the government being able to track everyone everywhere,"' says Chris Hoofnagle. 'It's hard to avoid.' Documents reviewed by the Post indicate cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. Google declined to comment for the article, but chief executive Larry Page joined the leaders of other technology companies earlier this week in calling for an end to bulk collection of user data and for new limits on court-approved surveillance requests."
Data Storage

Ask Slashdot: Practical Bitrot Detection For Backups? 321

Posted by timothy
from the error-detected-goodbye dept.
An anonymous reader writes "There is a lot of advice about backing up data, but it seems to boil down to distributing it to several places (other local or network drives, off-site drives, in the cloud, etc.). We have hundreds of thousands of family pictures and videos we're trying to save using this advice. But in some sparse searching of our archives, we're seeing bitrot destroying our memories. With the quantity of data (~2 TB at present), it's not really practical for us to examine every one of these periodically so we can manually restore them from a different copy. We'd love it if the filesystem could detect this and try correcting first, and if it couldn't correct the problem, it could trigger the restoration. But that only seems to be an option for RAID type systems, where the drives are colocated. Is there a combination of tools that can automatically detect these failures and restore the data from other remote copies without us having to manually examine each image/video and restore them by hand? (It might also be reasonable to ask for the ability to detect a backup drive with enough errors that it needs replacing altogether.)"
Encryption

CyanogenMod Integrates Text Message Encryption 118

Posted by Unknown Lamer
from the only-criminals-text-with-aes dept.
sfcrazy writes "People are now more concerned regarding their privacy after discovering about efforts made by governments to spy on their communications. The most practical solution to keep messages, emails and calls secure is to use a cryptographic encryption mechanism. However, just like the name of the method, the installation process is complex for most users. To solve this, CyanogenMod will come equipped with built in encryption system for text messages." Whisper System has integrated their TextSecure protocol into the SMS/MMS provider, so even third party sms apps benefit. Better yet, it's Free Software, licensed under the GPLv3+. Support will debut in Cyanogenmod 11, but you can grab a 10.2 nightly build to try it out now.

To avoid criticism, do nothing, say nothing, be nothing. -- Elbert Hubbard

Working...