tlhIngan writes: Samsung recently released a new version of its popular Galaxy Note series phablet, the Note 5. However, it turns out that there is a huge design flaw in the design of its pen holder (which Samsung calls the S-pen). If you insert it backwards (pointy end out instead of in), it's possible for it get stuck damaging the S-pen detection features. While it may be possible to fix it (Ars Technica was able to, Android Police was not), there's also a chance that your pen is also stuck the wrong way in permanently as the mechanism that holds the pen in grabs the wrong end and doesn't let go.
New submitter mushero writes: We are a fast-growing IT services company with dozens of systems, SaaS tools, dev tools and systems, and more that a new employee might need access to. We struggle to track this, both in terms of what systems a given set of roles will need and then has it been done, as different people manage various systems. And of course the reverse when an employee leaves. Every on-boarding or HR system we've looked at has zero support for this; they are great at getting tax info, your home address, etc. but not for getting you a computer nor access to a myriad of systems. I know in a perfect world it'd all be single-sign-on, but not realistic yet and we have many, many SaaS service that will never integrate. So what have you used for this, how do you track new employee access across dozens of systems, hundreds of employees, new hires every day, etc.?
Esther Schindler writes: It's a predictable argument in any IT shop: Should the techies — with their hands on their keyboards — be the people who decide which technology or deployment is right for the company? Or should CIOs and senior management — with their strategic perspective — be the ones to make the call? Ellis Luk got input from plenty of people about management vs. techies making cloud/on-premise decisions... with, of course, a lot of varying in opinion.
jfruh writes: The Congressional act that created the Federal Trade Commission gave that agency broad powers to punish companies engaged in "unfair and deceptive practices." Today, a U.S. appeals court affirmed that sloppy cybersecurity falls under that umbrella. The case involves data breaches at Wyndham Worldwide, which stored customer payment card information in clear, readable text, and used easily guessed passwords to access its important systems.
wired_parrot writes: Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach. This follows pleas from other users of the site for the hackers to not release the data before it was exposed- an anonymous gay Reddit user from Saudi Arabia, where homosexuality is illegal, pleaded for the data to be kept private: "I am about to be killed, tortured, or exiled," he wrote. "And I did nothing." And when The Intercept published a piece condemning the puritanical glee over the data dump, one user who commented on the article said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there. Ashley Madison has now offered a $380,000 reward for information that leads to the arrest and conviction of the hackers who leaked the data. Security researcher Troy Hunt has also posted about the kind of emails he's received from users after the data leak.
Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars' security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars: [M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.
Bismillah writes: A British infosec company has discovered that cheap thermal imaging attachments for smartphones can be used to work out which keys users press on -- for instance -- ATM PIN pads. The thermal imprint last for a minute or longer. That's especially worrying if your PIN takes the form of letters, as do many users' phone-unlock patterns.
Mark Wilson writes: Complaints about the camera of the iPhone 6 Plus have been plentiful, and Apple has finally acknowledged that there is a problem. It's not something that affects all iPhone 6 Plus owners, but the company says that phones manufactured between September 2014 and January 2015 could include a failed camera component. Apple has set up a replacement program which enables those with problems with the rear camera to obtain a replacement. Before you get too excited, it is just replacement camera components that are on offer, not replacement iPhones. You'll need to check to see if your phone is eligible at the program website. (Also at TechCrunch.)
New submitter execthis writes: Japanese broadcaster NHK is reporting that yet another privacy/security-compromising "glitch" has been found to exist in preinstalled software on Lenovo laptops. The article states that the glitch was found in Spring and that in late July Lenovo began releasing a program to uninstall the difficult-to-remove software. The article does not specify, but it could be referring to a BIOS utility called Lenovo Service Engine (LSE) for which Lenovo has released a security advisory with links to removal tools for various models.
msm1267 writes: More than 2,000 websites running WordPress have been compromised and are responsible for a surge this week in traffic from the Neutrino Exploit Kit. Attacks against sites running older versions of the content management system, 4.2 and earlier, were spotted by Zscaler. Those sites are backdoored and redirect a victim's browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits. The exploits generally target Internet Explorer, Zscaler said, and victims' computers are eventually infected with CryptoWall 3.0 ransomware. This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.
tsu doh nimh writes: It was bound to happen: Brian Krebs reports that extortionists have begun emailing people whose information is included in the leaked Ashleymadison.com user database, threatening to find and contact the target's spouse and alert them if the recipient fails to cough up 1 Bitcoin. Krebs interviews one guy who got such a demand, a user who admits to having had an affair after meeting a woman on the site and who is now worried about the fallout, which he said could endanger his happily married life with his wife and kids. Perhaps inevitable: two Canadian law firms have filed a class action lawsuit against the company, seeking more than half a billion dollars in damages.
An anonymous reader writes: Presidential candidate Jeb Bush has called on tech companies to form a more "cooperative" arrangement with intelligence agencies. During a speech in South Carolina, Bush made clear his opinion on encryption: "If you create encryption, it makes it harder for the American government to do its job — while protecting civil liberties — to make sure that evildoers aren't in our midst." He also indicated he felt the recent scaling back of the Patriot Act went too far. Bush says he hasn't seen any indication the bulk collection of phone metadata violated anyone's civil liberties.
An anonymous reader writes: The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software. The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses and is also coordinating the CII's Census Project, and Dan Kohn, a senior adviser on the CII.
An anonymous reader writes: A vulnerability in Apple's iOS sandbox, which could affect personal information as well as configuration settings, has been discovered by Appthority's Enterprise Mobility Threat Team. It affects all mobile device management (MDM) clients, and any mobile applications distributed by an MDM that use the "Managed App Configuration" setting for private data. An attacker could potentially create a rogue app, perhaps masquerading as a productivity tool to increase the chances of it getting installed, and then distribute the attack by means of the iTunes store or "spear fishing" email attacks.
MojoKid writes: NVIDIA is launching a new mainstream graphics card today, the GeForce GTX 950, based on the company's GM206 GPU. The GM206 debuted on the GeForce GTX 960, which launched a few months back. As the new card's name suggests though, the GM206 used on the GeForce GTX 950 isn't quite as powerful as the one used on the GTX 960. The company is targeting this card at MOBA (massive online battle arena) players, who don't necessarily need the most powerful GPUs on the market, but want smooth, consistent framerates at resolutions of 1080p or below. It's being positioned as a significant, yet affordable, upgrade over cards like the GeForce GTX 650 Ti, that are a couple of generations old. NVIDIA's reference specifications for the GeForce GTX 950 call for a base clock of 1024MHz and a Boost clock of 1188MHz. The GPU is packing 768 CUDA cores, 48 texture units, and 32 ROPs. The 2GB of video memory on GeForce GTX 950 cards is clocked at a 6.6GHz (effective GDDR5 data rate) and the memory links to the GPU via a 128-bit interface. At those clocks, the GeForce GTX 950 offers up a peak textured fillrate of 49.2 GTexels/s and 105.6 GB/s of memory bandwidth. At a $159 starting MSRP, in the benchmarks, the GeForce GTX 950 offers solid entry level or midrange performance at 1080p resolutions. It's a bit faster than AMD's Radeon R9 270X but comes in just behind a Radeon R9 285.