Security

FBI Accuses Researcher of Hacking Plane, Seizes Equipment 267

Posted by Soulskill
from the security-theater dept.
chicksdaddy writes: The Feds are listening, and they really can't take a joke. That's the apparent moral of security researcher Chris Roberts' legal odyssey on Wednesday, which saw him escorted off a plane in Syracuse by two FBI agents and questioned for four hours over a humorous tweet Roberts posted about his ability to hack into the cabin control systems of the Boeing 737 he was flying. Roberts (aka @sidragon1) joked that he could "start playing with EICAS messages," a reference to the Engine Indicating and Crew Alerting System.

Roberts was traveling to Syracuse to give a presentation. He said local law enforcement and FBI agents boarded the plane on the tarmac and escorted him off. He was questioned for four hours, with officers alleging they had evidence he had tampered with in-flight systems on an earlier leg of his flight from Colorado to Chicago. Roberts said the agents questioned him about his tweet and whether he tampered with the systems on the United flight, something he denies doing. Roberts had been approached earlier by the Denver office of the FBI, which warned him away from further research on airplanes. The FBI was also looking to approach airplane makers Boeing and Airbus and wanted him to rebuild a virtualized environment he built to test airplane vulnerabilities to verify what he was saying.

Roberts refused, and the FBI seized his encrypted laptop and storage devices and has yet to return them, he said. The agents said they wished to do a forensic analysis of his laptop. Roberts said he declined to provide that information and requested a warrant to search his equipment. As of Friday, Roberts said he has not received a warrant.
Stats

IT Worker's Lawsuit Accuses Tata of Discrimination 294

Posted by timothy
from the not-all-discrimination-is-invidious dept.
dcblogs writes: An IT worker is accusing Tata Consultancy Services (TCS) of discriminating against American workers and favoring "South Asians" in hiring and promotion. It's backing up its complaint, in part, with numbers. The lawsuit, filed this week in federal court in San Francisco, claims that 95% of the 14,000 people Tata employs in the U.S. are South Asian or mostly Indian. It says this practice has created a "grossly disproportionate workforce." India-based Tata achieves its "discriminatory goals" in at least three ways, the lawsuit alleges. First, the company hires large numbers of H-1B workers. From 2011 to 2013, Tata sponsored nearly 21,000 new H-1B visas, all primarily Indian workers, according to the lawsuit's count. Second, when Tata hires locally, "such persons are still disproportionately South Asian," and, third, for the "relatively few non-South Asian workers that Tata hires," it disfavors them in placement, promotion and termination decisions.
Security

Calling Out a GAO Report That Says In-Flight Wi-Fi Lets Hackers Access Avionics 113

Posted by timothy
from the this-postcard-is-just-an-atom-bomb dept.
An anonymous reader writes: A new report from the U.S. Government Accountability Office (GAO) warns that in-flight Wi-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and take over navigation. At the same time, a cyber expert and pilot called the report "deceiving" and said that "To imply that because IP is used for in-flight WiFi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breathe air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane."
GUI

KDE Plasma 5.3 Beta Brings a Lot of Improvements 64

Posted by timothy
from the gui-not-gooey dept.
jones_supa writes: The KDE project today announced the release of KDE Plasma 5.3 beta. It brings better power management, improved Bluetooth support, improved widgets, Wayland support, a new media center, and nearly 350 bugfixes. The power management improvements include settings that can be independently configured per activity, a new energy usage monitor available in KInfoCenter, and a battery applet that identifies applications that hog power. The Bluetooth applet adds support for blocking and unblocking devices. A new touchpad module has been added as well. The combined window manager and compositor KWin is now able to start a nested XWayland server, which acts as a bridge between the old X11 and the new Wayland world.
Cloud

Google Sunsetting Old Version of Google Maps 208

Posted by timothy
from the nothing-beats-mapblast's-vector-directions dept.
New submitter Robertgilberts writes with word that Google is dropping the old version of Maps. The new version of Google Maps came out of preview back in February 2014 and was in beta for several months before that. The only way to access the old version of Google Maps was via a special URL or if you had a very old browser that did not support the new version of Google Maps. Consolation prize: There will still be a lighter-weight version, which "drops out many of the neat Google Maps features in exchange for speed and compatibility."
Security

The Voting Machine Anyone Can Hack 105

Posted by samzenpus
from the vote-now-vote-often dept.
Presto Vivace writes about a study published by the Virginia Information Technology Agency outlining just how bad the security of the AVS WINVote machine is. "Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts. The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of 'admin,' 'abcde,' and 'shoup' to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections."
United States

Gyro-Copter Lands On West Lawn of US Capitol, Pilot Arrested 324

Posted by samzenpus
from the just-mail-your-taxes-next-time dept.
An anonymous reader writes that Doug Hughes, 61, a mailman from Ruskin, Florida was arrested for landing a gyro-copter on the West Lawn of the U.S. Capitol. "A 61-year-old Florida mailman was arrested Wednesday after he landed a gyrocopter on the U.S. Capitol west lawn. The gyrocopter was carrying the pilot and 535 stamped letters for members of Congress urging 'real reform' to campaign finance laws. Doug Hughes told the Tampa Bay Times ahead of the afternoon stunt that he notified authorities 'well over an hour in advance of getting to the no-fly zone, so they know who I am and what I'm doing.' Capitol police sent dogs and a bomb squad to the scene. Nothing hazardous was found. A city block from the Capitol had been cordoned off."
Security

Why "Designed For Security" Is a Dubious Designation 58

Posted by samzenpus
from the protect-ya-neck dept.
itwbennett writes: The list of products designed to be security enhanced that turned out to be anything but seems to get longer by the day. In just the latest instance, reported by Wired last week, the crowd-funded privacy-enhancing home router Anonabox had to be recalled after an independent researcher discovered serious security flaws in the product. But security experts caution that the real problem may be bigger than vulnerabilities hidden in application code: "'Designed for security' products don't just have to be good. They have to be beyond reproach," explains John Dickson, a Principal at the Denim Group. "All it takes is one guy with a grudge to undo you."
Transportation

GAO Warns FAA of Hacking Threat To Airliners 78

Posted by Soulskill
from the not-agile-enough-to-respond dept.
chicksdaddy writes: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne. In a report issued Tuesday (PDF), the GAO said, "significant security-control weaknesses remain that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system." Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.

The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that "unauthorized individuals might access and compromise aircraft avionics systems," in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.

Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems.
Windows

Remote Code Execution Vulnerability Found In Windows HTTP Stack 119

Posted by Soulskill
from the another-day,-another-vuln dept.
jones_supa writes: A remote code execution vulnerability exists in the Windows HTTP stack that is caused when HTTP.SYS parses specially-crafted HTTP requests. An attacker who has successfully exploited this vulnerability could execute arbitrary code under the SYSTEM context. Details of the bug are withheld, but exploit code is floating around. Microsoft describes the issue in security bulletin MS15-034. An update (KB3042553) is already available for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. As a workaround, Microsoft offers disabling IIS kernel caching.
Data Storage

New Samsung SSD 840 EVO Read Performance Fix Coming Later This Month 72

Posted by Soulskill
from the slower-than-fastest-but-faster-than-slowest dept.
An anonymous reader writes: The Samsung SSD 840 EVO read performance bug has been on the table for over six months now. Initially Samsung acknowledged the issue fairly quickly and provided a fix only a month after the news hit the mainstream tech media, but reports of read performance degradation surfaced again a few weeks after the fix had been released, making it clear that the first fix didn't solve the issue for all users. Two months ago Samsung announced that a new fix is in the works and last week Samsung sent out the new firmware along with Magician 4.6 for testing, which will be available to the public later this month.
Security

Cracking Passwords With Statistics 136

Posted by Soulskill
from the statistics-is-the-most-powerful-tool-nobody-uses-correctly dept.
New submitter pjauregui writes: When users are asked to create a "secure" password, most sites simply demand things like "must contain 1 uppercase letter and one punctuation character." But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit. This article starts by asking the reader, "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst: They try any arbitrary password attack they feel like trying with little reasoning. His post is a discussion that demonstrates effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time boxed approach to efficient and successful cracking.
Chrome

Chrome 42 Launches With Push Notifications 199

Posted by Soulskill
from the douglas-adams-edition dept.
An anonymous reader writes: Google today launched Chrome 42 for Windows, Mac, and Linux with new developer tools. Chrome 42 offers two new APIs (Push API and Notifications API) that together allow sites to send notifications to their users even after the given page is closed. While this can be quite an intrusive feature for a browser, Google promises the users have to first grant explicit permission before they receive such a message.
Businesses

IT Consultant Talks About 'Negotiating for Nerds' (Video) 61

Posted by Roblimo
from the paying-it-forward dept.
Matt Heusser did a Slashdot video interview back in 2013 titled How to Become an IT Expert Companies Seek Out and Pay Well. Despite noise from a few yammerheads about Matt getting 'free advertising' on Slashdot, which is unlikely since the vast majority of Slashdot users are more likely to compete with him than to hire him, most of the people who saw that video (or read the transcript) knew he was giving helpful advice to peers who might want to get out of the cubicle and work for themselves.

Today, Matt is with us again. This video is about 'Negotiating for Nerds.' Matt talks about negotiating a pay raise or consulting fee increase, starting with learning who has the actual power to negotiate with you. This is essential knowledge if you are employed (or self-employed) in IT and want to make sure you're getting all you are worth.
Television

In New Zealand, a Legal Battle Looms Over Streaming TV 106

Posted by timothy
from the why-consider-this-pen-your-honor dept.
SpacemanukBEJY.53u writes: After a threat from a law firm, two New Zealand ISPs have withdrawn services that let their customers navigate to content sites outside the country that would normally be geo-blocked. Using VPNs or other services to access content restricted by region isn't specifically outlawed in either New Zealand or in neighboring Australia, but it appears the entertainment industry is prepared to go to court to try and argue that such services can violate copyright law. Intellectual property experts said the situation in New Zealand, if it goes to court, could result in the first test case over the legality of skirting regional restrictions.