×
Privacy

Swartz-Designed Whistleblower Tool "SecureDrop" Launched 79

Posted by samzenpus from the protect-ya-neck dept.
An anonymous reader writes in with word of a new tool for whistleblowers: "The 'strongest-ever' whistleblowing tool for sources to speak anonymously with journalists, partly developed by the late Reddit co-founder Aaron Swartz, has been launched by the Freedom of The Press Foundation. Before his suicide in January 2013, Swartz had been working on a tool for sources to anonymously submit documents to journalists online, without using traceable email and in a way that could be easily catalogued by news organisations. Called SecureDrop, the tool can be installed on any news organisation's website as a 'Contact Us' form page. But where these pages usually require a name and email address, the encrypted SecureDrop system is completely anonymous, assigning the whistleblower two unique identifiers - one seen by the journalist, and one seen by the whistleblower. These identities stay the same, so a conversation can be had without names being shared or known."
Security

35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole 91

Posted by Unknown Lamer from the delete-stale-files dept.
realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)
Networking

Ethernet's 400-Gigabit Challenge Is a Good Problem To Have 75

Posted by Unknown Lamer from the something-about-too-many-cooks dept.
alphadogg writes "As it embarks on what's likely to be a long journey to its next big increase in speed, Ethernet is in some ways a victim of its own success. Years ago, birthing a new generation of Ethernet was relatively straightforward: Enterprises wanted faster LANs, vendors figured out ways to achieve that throughput and hashed out a standard, and IT shops bought the speed boost with their next computers and switches. Now it's more complicated, with carriers, Web 2.0 giants, cloud providers, and enterprises all looking for different speeds and interfaces, some more urgently than others. ... That's what the IEEE 802.3 400Gbps Study Group faces as it tries to write the next chapter in Ethernet's history. ... 'You have a lot of different people coming in to the study group,' said John D'Ambrosia, the group's chair, in an interview at the Ethernet Alliance's Technology Exploration Forum in Santa Clara, California, on Tuesday. That can make it harder to reach consensus, with 75 percent approval required to ratify a standard, he said."
Security

Security Researchers Want To Fully Audit Truecrypt 233

Posted by Unknown Lamer from the brought-to-you-by-the-makers-of-stuxnet dept.
Hugh Pickens DOT Com writes "TrueCrypt has been part of security-minded users' toolkits for nearly a decade — but there's one problem: no one has ever conducted a full security audit on it. Now Cyrus Farivar reports in Ars Technica that a fundraiser reached more than $16,000 in a public call to perform a full security audit on TrueCrypt. 'Lots of people use it to store very sensitive information,' writes Matthew Green, a well-known cryptography professor at Johns Hopkins University. 'That includes corporate secrets and private personal information. Bruce Schneier is even using it to store information on his personal air-gapped super-laptop, after he reviews leaked NSA documents. We should be sweating bullets about the security of a piece of software like this.' According to Green, Truecrypt 'does some damned funny things that should make any (correctly) paranoid person think twice.' The Ubuntu Privacy Group says the behavior of the Windows version [of Truecrypt 7.0] is problematic. 'As it can't be ruled out that the published Windows executable of Truecrypt 7.0a is compiled from a different source code than the code published in "TrueCrypt_7.0a_Source.zip" we however can't preclude that the binary Windows package uses the header bytes after the key for a back door.' Green is one of people leading the charge to setup the audit, and he helped create the website istruecryptauditedyet.com. 'We're now in a place where we have nearly, but not quite enough to get a serious audit done.'"
Security

Ed Felten: Why Email Services Should Be Court-Order Resistant 183

Posted by Soulskill from the it's-not-a-bug-it's-a-feature dept.
Jah-Wren Ryel sends this excerpt from Ed Felten at Freedom to Tinker: "Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data. They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access? The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack. To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel. From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company."

Slashdot Top Deals