Government

New Legislation Would Ban US Government From Purchasing Apple Products (arstechnica.com) 296

HughPickens.com writes: Cyrus Farivar reports at ArsTechnica that Congressman David Jolly has introduced the "No Taxpayer Support for Apple Act," a bill that would forbid federal agencies from purchasing Apple products until the company cooperates with the federal court order to assist the unlocking of a seized iPhone 5C associated with the San Bernardino terrorist attack. "Taxpayers should not be subsidizing a company that refuses to cooperate in a terror investigation that left 14 Americans dead on American soil," said Jolly, who announced in 2015 that he's running for Senate, joining the crowded GOP primary field to replace Sen. Marco Rubio. "Following the horrific events of September 11, 2001, every citizen and every company was willing to do whatever it took to side with law enforcement and defeat terror. It's time Apple shows that same conviction to further protect our nation today." Jolly's bill echoes a call from Donald Trump last month to boycott Apple until it agrees to assist the FBI. Not to fear, GovTrack gives Jolly's bill a 1% chance of being enacted.
Crime

China Tries Its Hand At Pre-Crime (bloomberg.com) 99

schwit1 writes: China's effort to flush out threats to stability is expanding into an area that used to exist only in dystopian sci-fi: pre-crime. The Communist Party has directed one of the country's largest state-run defense contractors, China Electronics Technology Group, to develop software to collate data on jobs, hobbies, consumption habits, and other behavior of ordinary citizens to predict terrorist acts before they occur. "It's very crucial to examine the cause after an act of terror," Wu Manqing, the chief engineer for the military contractor, told reporters at a conference in December. "But what is more important is to predict the upcoming activities." The program is unprecedented because there are no safeguards from privacy protection laws and minimal pushback from civil liberty advocates and companies, says Lokman Tsui, an assistant professor at the School of Journalism and Communication at the Chinese University of Hong Kong, who has advised Google on freedom of expression and the Internet.
Electronic Frontier Foundation

EFF On Why FBI Can't Force Apple To Sign Code (boingboing.net) 252

New submitter Kurast writes with this article at Boing Boing: Code is speech: critical court rulings from the early history of the Electronic Frontier Foundation held that code was a form of expressive speech, protected by the First Amendment. The EFF has just submitted an amicus brief in support of Apple in its fight against the FBI, representing 46 "technologists, researchers and cryptographers," laying out the case that the First Amendment means that Apple can't be forced to utter speech to the government's command, and they especially can't be forced to sign and endorse that speech. In a "deep dive" post, EFF's Andrew Crocker and Jamie Williams take you through the argument, step by step. (You can follow along by reading the brief itself (PDF), too.)
Firefox

Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings (softpedia.com) 112

An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is that the add-on was caught disabling a Firefox security setting (code signing), which allowed it to silently install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was caught cheating when it was using a self-contained update system that bypassed Mozilla's add-on review process.
The Military

Kim To N. Korean Military: Be Ready To Use Nuclear Weapons At Any Time (reuters.com) 321

PolygamousRanchKid writes with this story from Reuters, excerpting: North Korean leader Kim Jong Un ordered his country to be ready to use its nuclear weapons at any time and to turn its military posture to "pre-emptive attack" mode in the face of growing threats from its enemies, state media said on Friday. The comments, carried by the North's official KCNA news agency, marked a further escalation of tension on the Korean peninsula after the U.N. Security Council on Wednesday imposed harsh new sanctions against the isolated state for its nuclear program. South Korea's defense ministry said on Thursday North Korea launched several projectiles off its coast into the sea up to 150 kilometers (90 miles) away, an apparent response to the U.N. sanctions. ... North Korea has previously threatened pre-emptive attacks on its enemies including South Korea, Japan and the United States. Military experts doubt it has yet developed the capability to fire a long-range missile with a miniaturized warhead to deliver a nuclear weapon as far as the United States. Says PolygamousRanchKid: "Oh, joy oh joy... I knew that 2016 was missing something: the threat of nuclear war!"
Crime

Godfather Of Encryption Explains Why Apple Should Help The FBI (bgr.com) 293

An anonymous reader writes: Famed cryptographer and Turing Award winner Adi Shamir has an interesting, if not surprising, take on Apple's current legal tussle with the FBI. While speaking on a panel at RSA Conference 2016 earlier this week, the man who helped co-invent the vaunted RSA algorithm (he's the 'S' in RSA) explained why he sides with the FBI as it pertains to the San Bernardino shooter's locked iPhone. "It has nothing to do with placing trapdoors on millions of phones around the world," Shamir explained. "This is a case where it's clear those people are guilty. They are dead; their constitutional rights are not involved. This is a major crime where 14 people were killed. The phone is intact. All of this aligns in favor of the FBI." Shamir continued, "Even though Apple has helped in countless cases, they decided not to comply this time. My advice is that they comply this time and wait for a better test case to fight where the case is not so clearly in favor of the FBI."
Encryption

French Bill Carries 5-Year Jail Sentence For Company Refusals To Decrypt Data For Police (dailydot.com) 190

Patrick O'Neill writes: Employees of companies in France that refuse to decrypt data for police can go to prison for five years under new legislation from conservative legislators, Agence France-Presse reports. The punishment for refusing to hand over access to encrypted data is a five-year jail sentence and a $380,000 fine. Telecom companies would face their own penalties, including up to two years in jail. M. Pierre Lellouche, a French Republican, singled out American encryption in particular. "They deliberately use the argument of public freedoms to make money knowing full well that the encryption used to drug traffickers, to serious [criminals] and especially to terrorists. It is unacceptable that the state loses any control over encryption and, in fact, be the subject of manipulation by U.S. multinationals."
Bug

Cisco Issues Patch For Nexus Switches To Remove Hardcoded Credentials (csoonline.com) 36

itwbennett writes: Cisco Systems has released critical software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers access to a bash shell with root privileges, meaning that they can fully control the device. The account is created at installation time by the Cisco NX-OS software that runs on these switches and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory. The affected devices are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5) and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).
China

U8 Smartwatch Engages In Covert Traffic With Chinese IP Behind Your Back (softpedia.com) 91

An anonymous reader writes: In a presentation at the BSides security conference in San Francisco, Michael Raggo from MobileIron revealed that he discovered a cheap smartwatch engaging in covert communications behind users' backs. The watch in question is the U8 Nucleus, a cheap smartwatch that's made in China, sold for around $17 (€15.6), which also runs its own operating system, also known as Nucleus. When the user installs the iOS/Android app that allows owners to manage the smartwatch via their phones, the app starts an encrypted communications channel with an IP address in China. This could be telemetry or analytics data, but nothing in the U8 smartwatch manual or website even mentioned that something like this was happening in the first place.
Communications

Justice Dept. Grants Immunity To Staffer Who Set Up Clinton Email Server (washingtonpost.com) 592

schwit1 writes with this news from the Washington Post: The Justice Department has granted immunity to the former State Department staffer who worked on Hillary Rodham Clinton's private email server, a sign the FBI investigation into possible criminal wrongdoing is progressing. A senior U.S. law enforcement official said the FBI had secured the cooperation of Bryan Pagliano, who worked on Clinton's 2008 presidential campaign before setting up the server in her New York home in 2009. As the FBI looks to wrap up its investigation in the coming months, agents will likely want to interview Clinton and her senior aides about the decision to use a private server, how it was set up, and whether any of the participants knew they were sending classified information in emails, current and former officials said. The inquiry comes against a sensitive political backdrop in which Clinton is the favorite to secure the Democratic nomination for the presidency.
Encryption

Amazon Just Removed Encryption From the Software Powering Kindles, Smartphones, Tablets (dailydot.com) 202

Patrick O'Neill writes: While Apple continues to resist a court order requiring it to help the FBI access a terrorist's phone, another major tech company took a strange and unexpected step away from encryption. Amazon has removed device encryption from the operating system that powers its Kindle e-reader, Fire Phone, Fire Tablet, and Fire TV devices. The change, which took effect in Fire OS 5, affects millions of users.
Security

FREAK, Logjam, DROWN All a Result of Weaknesses Demanded By US Gov't (csoonline.com) 70

itwbennett writes: You need look no further than the FREAK and Logjam attacks in 2015 and the DROWN attack announced just this week to get a sense of 'the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today,' writes Lucian Constantin. But this isn't a new problem. 'One approach [the government] used throughout the 1990s [to keep encryption under its control] was to enforce export controls on products that used encryption by limiting the key lengths, allowing the National Security Agency to easily decrypt foreign communications,' says Constantin. 'This gave birth to so-called 'export-grade' encryption algorithms that have been integrated into cryptographic libraries and have survived to this day.'
Bitcoin

Incident Raises Concerns About a More Formal Spec For Bitcoin 80

An anonymous reader writes: Aberrant treatment of transactions by Bitcoin miners has renewed concerns that Bitcoin as a protocol may need a stronger specification. OpenBSD savior and Bitcoin entrepreneur Mircea Popescu raised this issue back in 2013, arguing that the current attitude of "the code is the spec" was introducing fragility and harming Bitcoin's vital decentralization. While a lot of fuss has been made about the maximum block size, perhaps formalizing the protocol and breaking the current mining cartel is a more urgent and serious problem. The ongoing debate resurrects many of Datskovskiy's early concerns about Bitcoin's fragility, including mining as a necessary bug, but a bug nonetheless.
Crime

Pirates Hacked Shipping Firm's CMS To Plan Attacks, Find Valuable Cargo (softpedia.com) 104

An anonymous reader writes: Verizon's most recent Data Breach Digest includes a curious hacking case. Apparently a group of sea pirates hired a hacker who uploaded a Web shell to a shipping company's CMS, which allowed them to download cargo inventories and ship routes. They then used this information to attack ships, equipped with a barcode reader (and weapons, of course), searching for specific crates, emptying all the high-value cargo, and making off with the loot within minutes of launching their attacks.
GNU is Not Unix

Guix Gets Grafts: Timely Delivery of Security Updates 13

paroneayea writes: GNU Guix, the functional package manager (and with GuixSD, distribution) got a nice feature yesterday: timely delivery of security updates with grafts. Guix's new grafts feature recursively produces re-linked packages as dependencies without waiting for all to compile when a time-sensitive security upgrade is an issue. This came just in time for this week's OpenSSL security issues, and has been successfully tested by the community. It worked so well that it was able to reproduce the ABI break issue that other traditional distributions experienced also!
Cloud

FBI May Be Opening A Security Hole To Federal Agencies (computerworld.com) 152

Lucas123 writes: In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks. Now in its fervor to force Apple to create software that can break its own encryption algorithm, the FBI may be opening a security hole to federal agencies. Over the past four years, the federal government has largely shifted its use of mobile devices from Blackberry to iPhones. One major reason for that is -- you guessed it -- the strong native security. If Apple creates an iPhone skeleton key, it not only threatens the public's privacy, but the security of the federal government as well.
Displays

New DisplayPort 1.4 Standard Can Drive 8K Monitors Over A USB Type-C Cable (arstechnica.com) 156

AmiMoJo writes: VESA has finalized and released the DisplayPort 1.4 spec, which can drive 60Hz 8K displays and supports HDR color modes at 5K and 8K. The physical interface used to carry DisplayPort data -- High Bit Rate 3 (HBR3), which provides 8.1Gbps of bandwidth per lane -- is still the same as it was in DisplayPort 1.3. The new standard drives higher-resolution displays with better color support using Display Stream Compression (DSC), a "visually lossless" form of compression that VESA says "enables up to [a] 3:1 compression ratio." This data compression, among other things, allows DisplayPort 1.4 to drive 60Hz 8K displays and 120Hz 4K displays with HDR "deep color" over both DisplayPort and USB Type-C cables. USB Type-C cables can provide a USB 3.0 data connection, too.
Software

Windows' Built-In PDF Reader Exposes Edge Browser To Hacking (softpedia.com) 97

An anonymous reader writes: Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of WinRT vulnerabilities it could leverage to distribute his malware.
Bug

DoD Announces New Bug Bounty Program Called Hack the Pentagon (npr.org) 62

Quince alPillan writes: Announcing what it calls "the first cyber bug bounty program in the history of the federal government," the Department of Defense says it's inviting vetted hackers to test the security of its web pages and networks. Vetted hackers will need to pass a background check and will be attacking a predetermined system that is not a part of critical operations. This program is being put together by the Digital Defense Service, launched last fall.
Security

LibreSSL Unaffected By DROWN 60

serviscope_minor writes: The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintenance of OpenSSL, culminating in the Heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSLv2, which has fundamental security flaws. As a result, LibreSSL is not affected by the DROWN bug. LibreSSL is largely compatible with OpenSSL. The main exceptions are in the cases where programs use insecure functions removed from LibreSSL, or require bug compatibility with OpenSSL.
Communications

ISIS Supporters Abandon U.S. Encryption Tools As Apple-FBI Fight Rages 162

blottsie writes: Islamic State militants and supporters are promoting strong encryption tools from outside the United States that the American government cannot touch with legislation. In the last month, Islamic State supporters have promoted security software from Finland, Romania, America, France, the Czech Republic, Canada, Panama, Germany, Switzerland, Saint Kitts and Nevis, and other nations, a Daily Dot review found. The international availability of encryption technology, of which Islamic State militants are well aware, underscores FBI Director James Comey's long-held desire to build an international legal regime to deal with the problems posed by encryption, what he calls "going dark."
Hardware Hacking

Hacking a Professional Drone 27

New submitter ricardinho writes: Research done at the University of Twente, in the Netherlands, shows that paying thousands of dollars for a professional drone does not guarantee that the device will be hack-proof. These professional drones are commonly used across various industries to perform daily critical operations, such as surveillance and recon missions by law enforcement authorities. During his research, student Nils Rodday discovered that a professional drone could be compromised in multiple ways (PDF). One of the attack vectors investigated by the student is much more sophisticated than those used to compromise recreational drones that cost a few hundred dollars and are not expected to be strongly secured. By reverse engineering the drone's operation and firmware, the student found ways to obtain key information that is used to validate the communication on the telemetry link between the drone and its remote controllers. This allowed for a man-in-the-middle attack in which the hacker could take full control of the attacked drone from a distance of up to 2 km. Manufacturers of professional drones are blindly trusting XBee chips for the communication between devices. These chips, however, are not meant to be used in sensitive devices, and this flaw can compromise any sort of operation that the drones are deployed for. In addition, the solution is not simple, since a firmware update patch cannot simply be released; manufacturers have to actually recall the devices for in-house upgrades. Perhaps even more surprising is the cost of the described attack: 40 dollars is enough for an attacker to take full control of a $30,000 drone. Nils will explain and demonstrate his hacking of a professional drone during talks at the RSA Conference in San Francisco and Black Hat Asia in Singapore.
Networking

ITU Gives Consent To New 40Gbps Fiber-to-the-Home Broadband Standard 55

Mark.JUK writes: The International Telecommunication Union has just granted first-stage approval ("consent") to two new ultrafast Fiber-to-the-Home (FTTH) optical broadband standards. The first (NG-PON2) will support Internet download speeds of 40Gbps (Gigabits per second) and on top of that the new XGS-PON aims to deliver a symmetric 10Gbps service (same upload and download rate). By comparison, the previous XG-PON standard only ensured an asymmetric speed of 10Gbps download and 2.5Gbps upload. Now all we need is computers, Internet services and Wi-Fi networks that can actually harness such performance in the first place.
Encryption

New P2P Torrent Site 'Play' Has No Single Point of Failure (thestack.com) 72

An anonymous reader writes: Play, a new peer-to-peer (P2P) site for downloading torrents, is practically impossible to shut down and promises to be the latest technology to revolutionise online downloads. The platform has appeared recently across ZeroNet, a Budapest-based open source site which is looking to offer a home to decentralised platforms which employ Bitcoin-crypto and BitTorrent technologies. As no central server exists, every additional user is a further point of connection inside the network, helping to avoid potential failures. As the first torrent site to appear on the network, Play can be accessed directly through a ZeroNet URL (only available with the tool installed). The site serves magnetic links sourced from RARBG, with which users can download films, series and other media files, in varying qualities. While ZeroNet itself is not an illegal platform, Play is identical to any other P2P download site in that it could face legal challenges over violating copyright.
Crime

Security Talent Shortage Hits Cybercrime Groups, Too (csoonline.com) 40

itwbennett writes: A report released today by Digital Shadows finds that cybercrime organizations "face many of the same hiring problems as defending security organizations, but with their own particular twists," writes Maria Korolov. In particular, the groups are finding a shortage of qualified candidates for jobs such as malware writers, exploit developers, botnet operators, and mules. But, unlike legitimate organizations, "cybercriminals are limited in their ability to properly vet new hires, to widely advertise for needed talent, and to find people who are both trustworthy and are willing to break the law," writes Korolov. One thing the criminals have in common with defending organizations: entry-level skills are the easiest to find. This is one reason why many attackers use simple tools and attack methods.
Facebook

Brazil Facebook Head Arrested For Refusing To Share WhatsApp Data (bbc.com) 83

An anonymous reader writes: Diego Dzodan, an Argentine national and Facebook's vice president for Latin America, has repeatedly refused to comply with court orders to hand over data for use in a criminal investigation of a WhatsApp user suspected of drug trafficking, police said. His arrest relates to the messaging service WhatsApp, owned by Facebook. In a statement, Facebook called Mr. Dzodan's arrest an "extreme and disproportionate measure." The company said, "Facebook has always been and will be available to address any questions Brazilian authorities may have." Judge Marcel Maia Montalvao had in two previous instances issued fines against Facebook for refusing to release WhatsApp data. In December, a judge in Brazil suspended WhatsApp for 48 hours in a similar case.
Microsoft

Microsoft Brings Post-Breach Detection To Windows 10 (sdtimes.com) 79

mmoorebz writes: Microsoft is recognizing the increasingly sophisticated cyber attacks on enterprises, which is why it is taking a new approach to protect its customers. Today it announced its new post-breach enterprise security service called Windows Defender Advanced Threat Protection, which will respond to these advanced attacks on companies' networks. Attackers these days are using social engineering and zero-day vulnerabilities to break into corporate networks. According to Microsoft, thousands of attacks were reported in 2015 alone. The company found that it currently takes an enterprise more than 200 days to detect a security breach, and 80 days to contain it. When there is such a breach, the attackers can steal company data, find private information, and damage the brand and customer trust in the company.
Crime

Mars Rover Code Used For Cyber-Espionage Malware 78

An anonymous reader writes: Two open-source libraries used in the Mars Rover software have been integrated into the source code of a malware family (nicknamed Rover) used as part of a cyber-espionage campaign against the Indian government (the Indian Ambassador to Afghanistan). The two libraries are OpenCV and OpenAL, libraries for processing image and audio information. As such, the Rover malware can take screenshots and record video and audio.
Security

A Third of All HTTPS Websites Vulnerable To DROWN Attack (drownattack.com) 72

An anonymous reader writes: The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800), which allows attackers to break HTTPS and steal encrypted information. In layman's terms, the attack uses an improperly patched issue (from 1998) in SSL to attack websites using the more modern TLS protocol. Servers where admins use both SSL and TLS are in danger. Additionally, servers where only TLS is used, but whose admins share the same certificate with other servers where they have SSL, are also vulnerable, since the attack targets RSA, employed in both SSL and TLS. The entire attack is also easy to carry out, costing only $440 on Amazon EC2.
Cellphones

UK Snooper's Charter To Extend Police Access To Phone and Internet Data (theguardian.com) 59

An anonymous reader writes with this news from the Guardian about a proposed expansion of UK government agencies' power to eavesdrop under the so-called "snooper's charter": Powers for the police to access everyone's web browsing histories and to hack into their phones are to be expanded under the latest version of the snooper's charter legislation. The extension of police powers contained in the investigatory powers bill published on Tuesday indicates the determination of the home secretary, Theresa May, to get her controversial legislation on to the statute book by the end of this year in spite of sweeping criticisms by three separate parliamentary committees in the past month. The bill is designed to provide the first comprehensive legal framework for state surveillance powers anywhere in the world. It has been developed in response to the disclosure of state mass surveillance programmes by the whistleblower Edward Snowden. The government hopes it will win the backing of MPs by the summer and by the House of Lords this autumn.
Electronic Frontier Foundation

EFF's Cindy Cohn On Why 'Code Is Speech' Is Key To Apple vs. FBI 102

blottsie writes: In a series of court battles in the late 1990s and early 2000s, Cindy Cohn represented plaintiffs challenging restrictions on DVD copying and the publication of cryptographic code. In all three cases—Bernstein v. United States, Universal City Studios v. Reimerdes, and Junger v. Daley—federal courts held that computer code merited protection under the First Amendment. Cohn, now the executive director of the Electronic Frontier Foundation, endorsed Apple's repeated citations of her cases in its fight against a court order to unlock a terrorism suspect's iPhone for the FBI. But she said that the controversial iPhone-unlocking order impinged even further on Apple's free-speech rights than the restrictions in her cases.
Data Storage

Google-Backed SSD Endurance Research Shows MLC Flash As Reliable As SLC (hothardware.com) 62

MojoKid writes: Even for mainstream users, it's easy to feel the differences between using a PC that has an OS installed on a solid state drive versus a mechanical hard drive. Also, with SSD pricing where it is right now, it's easy to justify including one in a new configuration for the speed boost. And there's obvious benefit in the enterprise and data center for both performance and durability. As you might expect, Google has chewed through a healthy pile of SSDs in its data centers over the years, and the company appears to have been one of the first to deploy SSDs in production at scale. New research results Google is sharing via a joint research project encompass SSD use over a six-year span at one of Google's data centers. Looking over the results led to some expected and unexpected findings. One of the biggest discoveries is that SLC-based SSDs are not necessarily more reliable than MLC-based drives. This is surprising, as SLC SSDs carry a price premium with the promise of higher durability (specifically in write operations) as one of their selling points. It will come as no surprise that there are trade-offs with both SSDs and mechanical drives, but ultimately, the benefits SSDs offer often far outweigh the benefits of mechanical HDDs.
Security

Snapchat Employee Data Leaked Following Phishing Scam (techcrunch.com) 48

An anonymous reader writes: Snapchat suffered a huge data breach over the weekend after an employee fell victim to a phishing email scam which impersonated co-founder and CEO Evan Spiegel requesting payroll information. While the video messaging app's servers were unaffected and user data remained completely safe, both former and current employees were informed that some of their sensitive information had been leaked. Snapchat immediately reported the incident to the FBI and has offered affected staff two years of free identity theft insurance and monitoring. Snapchat admitted that it felt 'real remorse and embarrassment' that one of its employees had fallen for the attack, particularly as it takes privacy and security so seriously.
Education

Raspberry Pi 3 Rolls Out With Faster CPU, On-Board Wi-Fi, and Bluetooth 203

An anonymous reader writes: The original Raspberry Pi went on sale four years ago, and more than 8,000,000 units have shipped since then. Raspberry Pi computers are used in schools and universities, in factories and other industrial applications, in home automation and hobby projects, and much more. Today the Raspberry Pi 3 was announced, featuring a 64-bit quad-core ARMv8 CPU clocked at 1.2GHz, making it roughly 10x the speed of the original Pi 1. Many people will be pleased to hear that the Raspberry Pi 3 also features on-board Wi-Fi and Bluetooth, greatly improving the device's connectivity. The new device goes on sale today at the usual price of US $35. (Here's the official announcement itself.)
Privacy

IoT Devices Are Secretly Phoning Home (thenewstack.io) 196

An anonymous reader writes: A popular internet-enabled security camera "secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware," according to security blogger Brian Krebs. While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it's still extremely hard to turn off. Krebs notes that the same behavior has been detected in DVRs and smart plugs -- they're secretly connecting to the same IP address in China, apparently without any mention of this in the product's packaging. One security researcher told Krebs the behavior is an "insanely bad idea," and that it opens an attack vector into home networks.
Security

John McAfee: NSA's Back Door Has Given Every US Secret To Enemies (businessinsider.com) 186

John McAfee, American computer programmer and contributing editor of Business Insider, explains how the NSA's back door has given every U.S. secret to its enemies. He begins by mentioning the importance of software, specifically meta-software, which contains a high-level set of principles designed to help a nation survive in a cyberwar. Such software must not contain any back doors under any circumstances; otherwise it can, and very likely may, allow perceived enemies of the U.S. to access top-secret information. For example, the Chinese used the NSA's back door to hack the Defense Department last year and steal 5.6 million fingerprints of critical personnel. "Whatever gains the NSA has made through the use of their back door, it cannot possibly counterbalance the harm done to our nation by everyone else's use of that same back door." McAfee believes the U.S. has failed to grasp the subtle implications of technology and, as a result, is 20 years behind the Chinese, and by association, the Russians as well.
Privacy

Tackling The Future Of Digital Trust -- While It Still Exists (ieee.org) 40

Tekla Perry writes: Last week at Berkeley's Center for Long-Term Cybersecurity, cybersecurity mavens from the industry, academia, government, and media considered a futuristic scenario in which traditional forms of identification and databases that use them -- driver's licenses, voting records, social security numbers, medical records, and bank accounts -- had been compromised. The challenge was to use the scenario to figure out how to establish a new means of verifying one's identity and to rebuild trust in the electronic records system in the case of such an imaginary crisis. Furthermore, they were then challenged to take the conclusions and develop policies that could prevent such a massive breach of digital trust from ever happening in the first place.
Security

Cloud Security Startup ProtectWise Creates Network DVR To Analyze Threats (hothardware.com) 41

MojoKid writes: A Denver-based security startup called ProtectWise has a rather interesting twist on a security-as-a-service platform that also incorporates an innovative threat detection and management user interface. The ProtectWise security platform runs on a cloud-based infrastructure that currently utilizes Amazon AWS for storage and processing. ProtectWise is an all-software solution comprised of a "Cloud Network DVR" platform made up of virtual cameras in the cloud that record all traffic on the network. The sensors (12MB install package) record all network traffic wherever they're installed and stream it up to the ProtectWise platform where it is securely stored and the threat analysis is performed. The sensors can be configured with profiles to capture just light metadata like netflow or headers (source, destination etc.) all the way to the full payload. You can then play back the traffic from the ProtectWise cloud analytics platform, going months back if needed, and analyze the data for threats. You can go back in time and see if, where and how you've been compromised retrospectively. There's also a ProtectWise HUD that visualizes and renders network threat location and progression, allowing you to make better use of all the data recorded. It has a 'KillBox' that visually shows attack event progression across the network area. The only question has to do with compliance for financial applications since it is cloud-based. Currently, ProtectWise has 100 or so deployments of its product in the market with customers like Netflix, Hulu, Expedia, Pandora and Universal Music.
Google

Mozilla Breaks Its Own Promise, Allows Symantec To Issue Insecure Certificates (softpedia.com) 86

An anonymous reader writes: After researchers discovered that SHA-1 can be decrypted, Mozilla, together with Microsoft and Google, said they will no longer "trust" SHA-1-based certificates issued after January 1, 2016, and later stop supporting any type of SHA-1 certificates after June 30, 2016, or January 1, 2017. The foundation went back on its word this week, when Symantec begged Mozilla to allow it to issue nine new certificates for one of its clients, Worldpay PLC, which forgot to request these certificates before January 1. Symantec got what it wanted. Fortunately, other companies like Microsoft, Apple, or Google didn't cave under the pressure.
Encryption

Next-Gen Ultra HD Blu-Ray Discs Probably Won't Be Cracked For A While (arstechnica.co.uk) 244

DVDFab, a software tool for ripping and decrypting DVDs and Blu-ray discs, will not be upgraded to support newer Ultra HD (4K) Blu-ray discs. Fengtao Software, which makes DVDFab, said in a statement that it "will not decrypt or circumvent AACS 2.0 in the days to come. This is in accordance with AACS-LA, (which has not made public the specifications for AACS 2.0), the Blu-ray Disc Association and the movie studios." AACS-LA is the body that develops and licenses the Blu-ray DRM system. AACS 2.0 has a 'basic' version that sounds quite similar to existing AACS, but also an 'enhanced' version of DRM that requires the playback device to download the decryption key from the internet. There might still be a hole in the AACS 2.0 crypto scheme that allows for UHD discs to be ripped, but presumably it'll be a lot tougher than its predecessors.
Education

Raspberry Pi 3 Brings Wi-Fi and Bluetooth (i-programmer.info) 97

mikejuk writes: Details of the next member of the successful Raspberry Pi family have become available as part of FCC testing documents. The Pi 3 finally includes WiFi and Bluetooth/LE. Comparing the board with the Pi 2, it is clear that most of the electronics has stayed the same. A Raspberry Pi with built-in WiFi and Bluetooth puts it directly in competition with the new Linux-based Arduinos, Intel's Edison and its derivatives, and with the ESP8266 — a very low cost (about $2) but not well known WiFi board. And of course, it will be in competition with its own stablemates. If the Pi 3 is only a few dollars more than the Pi 2 then it will be the obvious first choice. This would effectively make the Pi Zero, at $5 with no networking, king of the low end and the Pi 3 the choice at the other end of the spectrum. Let's hope they make more than one or two before the launch, because the $5 Pi Zero is still out of stock most places three months after being announced and it is annoying a lot of potential users.
Bug

Ubuntu 15.10 Kernel Regression That Broke Graphics Displays In VMware Patched 76

prisoninmate writes: On Monday, February 22, 2016, Softpedia reported on the availability of new kernel updates for several of Canonical's supported Ubuntu Linux operating systems, including Ubuntu 15.10, for which five kernel vulnerabilities had been patched at that point in time. And from the looks of it, the respective kernel updates introduced a regression, which Canonical patched four days later, on February 26, 2016, saying that the issue was introduced along with the fixed vulnerabilities for Ubuntu 15.10 (Wily Werewolf) and it broke graphics displays for those running the OS in VMware VMs.
Government

Former Disney IT Worker's Complaint To Congress: How Can You Allow This? (computerworld.com) 605

dcblogs writes: At a congressional hearing Thursday on the H-1B visa's impact on high-skilled workers, the first person to testify was Leo Perrero, a former Disney IT worker. He was overcome with emotion for parts of it, pausing to gather himself as he told the story of how he was replaced by a foreign visa holder. Perrero wondered how he would tell his family that "I would soon be living on unemployment." He paused. The hearing room was still as the audience waited for him to continue. "Later that same day I remember very clearly going to the local church pumpkin sale and having to tell the kids that we could not buy any because my job was going over to a foreign worker," he said. But a person who made a case for access to foreign workers was Mark O'Neill, the CTO of Jackthreads, an online retailer. He argued that there is a need for more skilled workers. Competition is so fierce for developers "that my developers' starting salaries have risen by 50% in the last eight years," said O'Neill, and "senior positions command compensation that meets or exceeds even that of United States Senators."
Security

Norway Becomes First NATO Country To Accuse China of Stealing Military Secrets (softpedia.com) 120

An anonymous reader writes: A high-ranking general in the Norwegian Army and head of the Norwegian Intelligence Service E-tjenesten (Etterretningstjenesten) has made official statements accusing the Chinese government of launching cyber-attacks against his country. Gen. Lunde says that state-sponsored hacking groups have targeted many Norwegian companies during the past year. He says that these companies are suppliers and collaborators of the Norwegian army and that hackers have stolen information considered to be state military secrets. The statements were made to Norwegian TV station TV2 by General Lt. Morten Haga Lunde, who was detailing his agency's most recent intelligence report.
Security

90% of All SSL VPNs Use Insecure Or Outdated Encryption 67

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.
China

Apple Is Not Such a Freedom Fighter In China (latimes.com) 238

mi writes: Though loudly resisting the American government's attempts to make it help break into the phone of a dead scumbag, Apple is very accommodating of the Chinese government's attempts to keep tabs on the citizenry's communications. Apple has censored apps that wouldn't pass muster with the Chinese government, moved local user data onto servers operated by the state-owned China Telecom, and submitted to Chinese audits. According to James Lewis, senior fellow at the Center for Strategic and International Studies in Washington, "I can't imagine the Chinese would tolerate end-to-end encryption or a refusal to cooperate with their police, particularly in a terrorism case." Why the accommodation there?
Cloud

Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com) 116

An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that there are 1.3 million websites blocking access to Tor users, 3.67% of them being Alexa Top 1000 sites.
Security

Obama Administration Set To Expand Sharing of Data That NSA Intercepts (nytimes.com) 103

schwit1 writes: The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations.

The idea is to let more experts across American intelligence gain direct access to unprocessed information, increasing the chances that they will recognize any possible nuggets of value. That also means more officials will be looking at private messages - not only foreigners' phone calls and emails that have not yet had irrelevant personal information screened out, but also communications to, from, or about Americans that the NSA's foreign intelligence programs swept in incidentally.

Civil liberties advocates criticized the change, arguing that it will weaken privacy protections. They said the government should disclose how much American content the NSA collects incidentally - which agency officials have said is hard to measure - and let the public debate what the rules should be for handling that information.

Encryption

Google, Microsoft, Facebook, Twitter To Back Apple With Legal Filing In FBI Case (recode.net) 129

An anonymous reader writes: Google plans to follow Microsoft in throwing its legal support behind Apple in its increasingly contentious dispute with the federal government around the iPhone connected with the San Bernardino terror attacks, according to sources.

At a congressional hearing on Thursday, Microsoft's legal chief, Brad Smith, said that the company plans to file an amicus brief next week in support of Apple's resistance to helping the FBI hack the phone. Google will deliver its own supporting brief 'soon,' according to sources familiar with the company.

Security

ISIS Makes Direct Threats Against Mark Zuckerberg and Jack Dorsey (cnet.com) 305

wjcofkc writes: A group of ISIS supporters have threatened to take down Facebook and Twitter, as well as their leaders. In a 25-minute propaganda video released by a group calling itself "the sons of the Caliphate army," photographs of both technology leaders are riddled with bullets. The video was first spotted by Vocativ. The threats are being made over the two companies' efforts to seek out and remove terrorist-related content on their respective platforms. The group is quoted as saying, "If you close one account, we will take 10 in return and soon your names will be erased after we delete your sites, Allah willing, and will know that we say is true."