Encryption

Tomb, a Successor To TrueCrypt For Linux Geeks

jaromil writes: Yesterday we released Tomb version 2.1 with improvements to stability, documentation and translations. Tomb is just a Zsh script wrapping around cryptsetup, gpg and other tools to facilitate the creation and management of LUKS encrypted volumes with features like key separation, steganography, off-line search, QR code paper backups etc. In designing Tomb we struggle for minimalism and readability, convinced that the increasing complexity of personal technology is the root of many vulnerabilities the world is witnessing today — and this approach turns out to be very successful, judging from the wide adoption, appreciation and contributions our project has received, especially after the demise of TrueCrypt.

As maintainer of the software I wonder what Slashdot readers think about what we are doing, how we are doing it and, more in general, about the need for simplicity in secure systems, a debate I perceive as transversal to many other GNU/Linux/BSD projects and their evolution. Given the increasing responsibility in maintaining such software, and considering that the human-interface side of things is an easy-to-reach attack surface, I can certainly use some advice and criticism.
Privacy

After Progressive Insurance's Snapshot Hacked, Manufacturer Has Been, Too

An anonymous reader writes: Progressive Insurance sells a tracking device called Snapshot that is advertised as a "little device [that] turns your safe driving into savings." However, Snapshot itself has been hacked, and Xirgo Technologies, which makes Snapshot, is currently hacked due to out-of-date software on their website — and has been that way since at least May 5th of 2015. Given that Chrysler just did a recall of 1.4 million cars, people should really think twice before blindly trusting the safety of their cars to any random company, especially if that company can't even keep their WordPress up to date or remove hacked code from their site.
Android

The Android L Update For Nvidia Shield Portable Removes Features

An anonymous reader writes: For those of us who still remember the Hobson's choice with the 3.21 update of the PS3 firmware, the most recent update to the Nvidia Shield Portable is eerily similar. The update, which is necessary to run recent games and apps that require Android 5.0 APIs, removes some features from the device, and removes the games that were bundled with the device, Sonic 4 Episode II and The Expendables: ReArmed. Nvidia has stressed that it is an optional update, but how many users have been told for months that the update was coming, some of whom may have bought the device after the update was announced, only to find out now they won't receive all the functionality they paid for? How is it still legal for these companies to advertise and sell a whole product but only deliver part of it?
Transportation

Fiat Chrysler Recalls 1.4 Million Autos To Fix Remote Hack

swinferno writes: Fiat Chrysler announced today that it's recalling 1.4 million automobiles just days after researchers demonstrated a terrifying hack of a Jeep that was driving down the highway at 70 miles per hour. They are offering a software patch for some of their internet-connected vehicles. Cybersecurity experts Chris Valasek and Charlie Miller have publicly exposed a serious vulnerability that would allow hackers to take remote control of Fiat Chrysler Automobile (FCA) cars that run its Uconnect internet-accessing software for connected car features. Despite this, the researchers say automakers are being slow to address security concerns, and are often approaching security in the wrong way.
Security

Remote Control of a Car, With No Phone Or Network Connection Required

Albanach writes: Following on from this week's Wired report showing the remote control of a Jeep using a cell phone, security researchers claim to have achieved a similar result using just the car radio. Using off-the-shelf components to create a fake radio station, the researchers sent signals using the DAB digital radio standard used in Europe and the Asia Pacific region. After taking control of the car's entertainment system, it was possible to gain control of vital car systems such as the brakes. In the wild, such an exploit could allow widespread simultaneous deployment of a hack affecting huge numbers of vehicles.
Security

HP: Smartwatches Are a Major Security Risk

Mickeycaskill writes: Researchers at HP Security discovered "significant vulnerabilities" in every single smartwatch they tested, claiming they pose a major security risk for users. The team is concerned by an apparent lack of authorization and authentication provisions, encrypted firmware updates and protection for personal data. When coupled with poor password choices, HP says wearables are as much a target for cyber criminals as muggers on the street. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks," said HP's Jason Schmitt.
OS X

A Tweet-Sized Exploit Can Get Root On OS X 10.10

vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that it fits in a tweet. The security bug, documented by iOS and OS X guru Stefan Esser, can be exploited by malware and attackers to gain total control of the computer. This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5, but is already fixed in the preview beta of El Capitan (OS X 10.11). Speaking of exploits: Reader trailrunner 7 notes that "HP's Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."
Graphics

Open-Source Mesa 3D Library/Drivers Now Support OpenGL 4

An anonymous reader writes: The Mesa 3D project that is the basis of the open-source Linux/BSD graphics drivers now supports OpenGL 4.0 and most of OpenGL 4.1 and 4.2. The OpenGL 4.0 enablement code landed in Mesa Git yesterday/today, and more GL 4.1/4.2 patches are currently being reviewed for the Intel, Radeon, and Nouveau open-source GPU drivers.
Security

What Non-Experts Can Learn From Experts About Real Online Security

An anonymous reader writes: Google researchers have asked 231 security experts and 294 web-users who aren't security experts about their security best practices, and the list of top ones for each group differs considerably. Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates. Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down. Another interesting thing to point out is that non-experts love and use antivirus software.
Security

Belgian Government Phishing Test Goes Off-Track

alphadogg writes: An IT security drill went off the tracks in Belgium, prompting a regional government office to apologize to European high-speed train operator Thalys for involving it without warning. Belgium's Flemish regional government sent a mock phishing email to about 20,000 of its employees to see how they would react. Hilarity and awkwardness ensued, with some employees contacting Thalys directly to complain, and others contacting the cops.
Bug

Bug Exposes OpenSSH Servers To Brute-Force Password Guessing Attacks

itwbennett writes: OpenSSH servers with keyboard-interactive authentication enabled, which is the default setting on many systems, including FreeBSD ones, can be tricked to allow many authentication retries over a single connection, according to a security researcher who uses the online alias Kingcope, who disclosed the issue on his blog last week. According to a discussion on Reddit, setting PasswordAuthentication to 'no' in the OpenSSH configuration and using public-key authentication does not prevent this attack, because keyboard-interactive authentication is a different subsystem that also relies on passwords.
Android

Hacking Team's RCS Android May Be the Most Sophisticated Android Malware Ever Exposed

An anonymous reader writes: As each day passes and researchers find more and more source code in the huge Hacking Team data dump, it becomes clearer what the company's customers could do with the spyware. After having revealed one of the ways that the company used to deliver its spyware on Android devices, Trend Micro researchers have analyzed the code of the actual spyware: RCS Android (Remote Control System Android). Unsurprisingly, it can do so many things and spy on so many levels that they consider it the most sophisticated Android malware ever exposed. The software can, among other things, gather device information, capture screenshots and photos, record speech using the device's microphone, capture voice calls, record location, capture Wi-Fi and online account passwords, collect contacts and decode messages from IM accounts, as well as collect SMS, MMS, and Gmail messages. Hacking Team says it sold its surveillance and intrusion software strictly within the law.
Advertising

FTC Accuses LifeLock of False Advertising Again

An anonymous reader writes: You may remember LifeLock — it's the identity protection company whose CEO published his social security number and dared people to steal his identity. Predictably, 13 different people succeeded. LifeLock was later sued for deceptive marketing practices, and eventually settled with the U.S. Federal Trade Commission to the tune of $12 million. Part of that settlement, of course, required that they refrain from misrepresenting their services in the future. Now, the FTC is taking action against them again, saying they failed to live up to that promise. The FTC claims (PDF) LifeLock falsely advertised that it "protected consumers' sensitive data with the same high-level safeguards as financial institutions" and also failed to build systems to protect the data they held.
Government

FBI's Hacks Don't Comply With Legal Safeguards

An anonymous reader writes: The FBI hacks computers. Specifics are scarce, and only a trickle of news has emerged from court filings and FOIA responses. But we know it happens. In a new law review article, a Stanford Ph.D. candidate and privacy expert pulls together what's been disclosed, and then matches it against established law. The results sure aren't pretty. FBI agents deceive judges, ignore time limits, don't tell computer owners after they've been hacked, and don't get 'super-warrants' for webcam snooping. Whatever you think of law enforcement hacking, it probably shouldn't be this lawless.
IT

What's the Oldest Technology You've Used In a Production Environment?

itwbennett writes: Sometimes it's a matter of 'if it ain't broke, don't fix it,' sometimes corporate inertia is to blame, but perhaps even more often what keeps old technology plugging away in businesses large and small is the sense that it does a single, specific job the way that someone wants it done. George R.R. Martin's preference for using a DOS computer running WordStar 4 to write his Song of Ice and Fire series is one such example, but so is the hospital computer whose sole job was to search and print medical images, however badly or slowly it may have done the job. We all have such stories of obsolete tech we've had to use at one point or another. What's yours?
Cellphones

Ask Slashdot: Do You Use a Smartphone At Work, Contrary to Policy?

Jason McNew writes: I have been in IT since the late '90s, and began a graduate degree in Cyber Security with Penn State two years ago. I have always been interested in how and why users break policies, despite being trained carefully. I have observed the same phenomenon even in highly secure government facilities — I watched people take iPhones into highly sensitive government facilities on several occasions. That led me to wonder to what extent the same problem exists in the private sector: Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property. This question has become the subject of a pilot study I am doing for grad school. So, do you use a smartphone or other PED during work hours, even though you are not supposed to? Please let me know, and I will provide the results in a subsequent submission to Slashdot.
Privacy

Free Tools For Detecting Hacking Team Malware In Your Systems

An anonymous reader writes: Worried that you might have been targeted with Hacking Team spyware, but don't know how to find out for sure? IT security firm Rook Security has released Milano, a free automated tool meant to detect the Hacking Team malware on a computer system. Facebook has also offered a way to discover if your Mac(s) have been compromised by Hacking Team malware: it has provided a specific query pack for its open source OS analysis tool osquery.
Spam

Gmail Spam Filter Changes Bite Linus Torvalds

An anonymous reader points out The Register's story that recent changes to the spam filters that Google uses to pare down junk in Gmail are evidently a bit overzealous. Linus Torvalds, who famously likes to manage by email, and whose email flow includes a lot of mailing lists, isn't happy with it. Ironically perhaps, it was only last week that the Gmail team blogged that its spam filter's rate of false positives is down to less than 0.05 per cent. In his post, Torvalds said his own experience belies that claim, and that around 30 per cent of the mail in his spam box turned out not to be spam. "It's actually at the point where I'm noticing missing messages in the email conversations I see, because Gmail has been marking emails in the middle of the conversation as spam. Things that people replied to and that contained patches and problem descriptions," Torvalds wrote.
Businesses

Why Certifications Are Necessary (Even If Aggravating To Earn)

Nerval's Lobster writes: Whether or not certifications have value is a back-and-forth argument that's been going on since before Novell launched its CNE program in the 1990s. Developer David Bolton recently incited some discussion of his own when he wrote an article for Dice in which he claimed that certifications aren't worth the time and money. But there's a lot of evidence that certifications can add as much as 16 percent to a tech professional's base pay; in addition, a lot of tech companies use resume-screening software that weeds out any resumes that don't feature certain acronyms. There's also the argument that the cost, difficulty, and annoyance of earning a certification is actually the best reason to go through it, especially if you're looking for a job; it broadcasts that you're serious enough about the technology to invest a serious chunk of your life in it. But others might not agree with that assessment, arguing that all a certification proves is that you're good at taking tests, not necessarily that you know a technology inside and out.