Bug

Tattoos Found To Interfere With Apple Watch Sensors 399

Posted by timothy
from the clashing-hipsterisms dept.
An anonymous reader writes: A number of early Apple Watch adopters have complained that their tattoos cause interference with many of the new product's key features. According to multiple tattooed sources, inked wrists and hands can disrupt communication with the wearable's sensors installed in the underside of the device leading to malfunction. Owners of Apple Watch have taken to social media to voice their frustration using the hashtag #tattoogate and sharing their disappointment over the newly discovered Apple flaw. One user reported that the Watch's lock system did not disable as it should when the device was placed on a decorated area of skin – forcing those affected to constantly enter their security pins. A further source suggested that notification alerts would fail to 'ping' as they are supposed to, and that heart rate monitoring differed significantly between tattooed and non-tattooed wrist readings.
United Kingdom

Windows XP Support Deal Not Renewed By UK Government, Leaves PCs Open To Attack 137

Posted by samzenpus
from the free-for-all dept.
girlmad writes: The government's one-year £5.5m Windows XP support deal with Microsoft has not been extended, sources have told V3, despite thousands of computers across Whitehall still running the ancient software, leaving them wide open to cyber attacks. It's still unclear when all government machines will be migrated to a newer OS.
Businesses

Disney Replaces Longtime IT Staff With H-1B Workers 631

Posted by samzenpus
from the you-are-no-longer-needed dept.
Lucas123 writes: Disney CEO Bob Iger is one of eight co-chairs of the Partnership for a New American Economy, a leading group advocating for an increase in the H-1B visa cap. Last Friday, the partnership was a sponsor of an H-1B briefing at the U.S. Capitol for congressional staffers. The briefing was closed to the press. One of the briefing documents obtained after the meeting stated, "H-1B workers complement — instead of displace — U.S. Workers." Last October, however, Disney laid off at least 135 IT staff (though employees say it was hundreds more), many of them longtime workers. Disney then replaced them with H-1B contractors that the company said could better "focus on future innovation and new capabilities." The fired workers believe the primary motivation behind Disney's action was cost-cutting. "Some of these folks were literally flown in the day before to take over the exact same job I was doing," one former employee said. Disney officials promised new job opportunities as a result of the restructuring, but the former staff interviewed by Computerworld said they knew of few co-workers who had landed one of the new jobs. Use of visa workers in a layoff is a public policy issue, particularly for Disney. Ten U.S. senators are currently seeking a federal investigation into displacement of IT workers by H-1B-using contractors. Kim Berry, president of the Programmer's Guild, said Congress should protect American workers by mandating that positions can only be filled by H-1B workers when no qualified American — at any wage — can be found to fill the position.
Android

LG G4 and Qualcomm's Snapdragon 808 Benchmarked 45

Posted by samzenpus
from the looking-at-the-numbers dept.
MojoKid writes: LG officially lifted the veil on its new G4 flagship Android phone this week and the buzz has been fairly strong. LG's display prowess is well known, along with their ability to pack a ton of screen real estate into a smaller frame with very little bezel, as they did with the previous generation G3. However, what's under the hood of the new LG G4 is probably just as interesting as the build quality and display, for some. On board the LG G4 is a Qualcomm Snapdragon 808, the six-core little brother of the powerful and power-hungry Snapdragon 810 that's found in HTC's One M9. The One M9 is currently one of the fastest Android handsets out there, but its battery life suffers as a result. So with a six-core Snapdragon and a slightly tamer Adreno 418 graphics engine on board, but also with 3GB of RAM, it's interesting to see where the G4 lands performance-wise. It's basically somewhere between the HTC One M9 (Snapdragon 810) and the Snapdragon 805 in the Nexus 6 in CPU bound workloads, besting even the iPhone 6, but much more middle of the pack in terms of graphics and gaming.
Google

Google Announces "Password Alert" To Protect Against Phishing Attacks 71

Posted by samzenpus
from the protect-ya-neck dept.
HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.
IBM

IBM CIO Thinks Agile Development Might Save Company 208

Posted by samzenpus
from the best-laid-plans dept.
Nerval's Lobster writes: A new Wall Street Journal article details how IBM CIO Jeff Smith is trying to make Big Blue, which is going through some turbulent times as it attempts to transition from a hardware-dependent business to one that more fully embraces the cloud and services, operate more like a startup instead of a century-old colossus. His solution centers on having developers work in smaller teams, each of which embraces Agile methodology, as opposed to working in huge divisions on multi-year projects. In order to unite employees who might be geographically dispersed, IBM also has its groups leave open a Skype channel throughout the workday. Smith hopes, of course, that his plan will accelerate IBM's internal development, and make it more competitive against not only its tech-giant competition, but also the host of startups working in common fields such as artificial intelligence.
Transportation

Crashing iPad App Grounds Dozens of American Airline Flights 263

Posted by Soulskill
from the have-you-tried-pushing-the-button dept.
infolation writes: American Airlines was forced to delay multiple flights on Tuesday night after the iPad app used by pilots crashed. Introduced in 2013, the cockpit iPads are used as an "electronic flight bag," replacing 16kg (35lb) of paper manuals which pilots are typically required to carry on flights. In some cases, the flights had to return to the gate to access Wi-Fi to fix the issue.
Bug

RealTek SDK Introduces Vulnerability In Some Routers 35

Posted by Soulskill
from the won't-fix dept.
jones_supa writes: SOHO routers from manufacturers including at least Trendnet and D-Link allow attackers anywhere in the world to execute malicious code on the devices, according to a security advisory issued over the weekend. The remote command-injection vulnerability resides in the "miniigd SOAP service" as implemented by the RealTek SDK. Before someone asks, there is no comprehensive list of manufacturers or models that are affected. Nerds may be able to spot them by using the Metasploit framework to query their router. If the response contains "RealTek/v1.3" or similar, the device is likely vulnerable. For now, the vulnerable routers should be restricted to communicate only with trusted devices. HP's Zero Day Initiative reported the bug confidentially to RealTek in August 2013, but the issue was disclosed 20 months later as no fix has been provided.
Encryption

Why Crypto Backdoors Wouldn't Work 105

Posted by Soulskill
from the because-math dept.
An anonymous reader writes: Your devices should come with a government backdoor. That's according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.

Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."
KDE

KDE Plasma 5.3 Released 53

Posted by Soulskill
from the onward-and-upward dept.
jrepin writes: The KDE community has released Plasma 5.3, a major new version of the popular, open source desktop environment. The latest release brings much enhanced power management, better support for Bluetooth, and improved Plasma widgets. Also available is a technical preview of Plasma Media Center shell. In addition, Plasma 5.3 represents a big step towards support for the Wayland windowing system. There are also a few other minor tweaks and over 300 bugfixes. Here is the full changelog, and here's the package download wiki page.
Robotics

Researchers Mount Cyberattacks Against Surgery Robot 55

Posted by Soulskill
from the backseat-aortic-bypass dept.
An anonymous reader writes: A group of researchers from University of Washington have tested the security of a teleoperated robotic surgery system created by their colleagues, and have found it severely lacking. "Teleoperated surgical robots will be expected to use a combination of existing publicly available networks and temporary ad-hoc wireless and satellite networks to send video, audio and other sensory information between surgeons and remote robots. It is envisioned these systems will be used to provide immediate medical relief in under-developed rural terrains, areas of natural and human-caused disasters, and in battlefield scenarios," the researchers noted, and asked: "But what if these robotic systems are attacked and compromised?"
Crime

TeslaCrypt Isn't All That Cryptic 52

Posted by timothy
from the nelson-laugh dept.
citpyrc writes: TeslaCrypt, the latest-and-greatest ransomware branch off of the CryptoWall family, claims to the unwitting user that his/her documents are encrypted with "a unique public key generated for this computer". This couldn't be farther from the truth. In actuality, the developers of this malware appear to have been lazy and implemented encryption using symmetric AES256 with a decryption key generated on the user's machine. If any of your machines are afflicted, Talos has developed a tool that can be used to generate the user's machine's symmetric key and decrypt all of the ransomed files.
Security

New Zero Day Disclosed In WordPress Core Engine 89

Posted by Soulskill
from the pressing-words-is-risky-business dept.
Trailrunner7 writes: WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver. Jouko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed, Pynnonen said.

"An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings," Pynnonen said. "A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won't appear on the page until it has been approved by an admin/moderator. Under default settings, after one 'harmless' comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts."
Java

JavaScript Devs: Is It Still Worth Learning jQuery? 218

Posted by samzenpus
from the to-learn-or-not-to-learn dept.
Nerval's Lobster writes: If you're learning JavaScript and Web development, you might be wondering whether to learn jQuery. After nearly a decade of existence, jQuery has grown into a fundamental part of JavaScript coding in Web development. But now we're at a point where many of the missing pieces (and additional features) jQuery filled in are present in browsers. So do you need to learn jQuery anymore? Some developers don't think so. The official jQuery blog, meanwhile, is pushing a separate jQuery version for modern browsers, in an attempt to keep people involved. And there are still a few key reasons to keep learning jQuery: Legacy code. If you're going to go to work at a company that already has JavaScript browser code, there's a strong possibility it has jQuery throughout its code. There's also a matter of preference: People still like jQuery and its elegance, and they're going to continue using it, even though they might not have to.
Privacy

The Sun Newspaper Launches Anonymous Tor-Based WikiLeaks-Style SecureDrop 64

Posted by samzenpus
from the keeping-your-name-out-of-it dept.
Mark Wilson writes: The likes of Julian Assange's WikiLeaks have set the standard for blowing the lid on huge stories based on tips from anonymous sources. Whistle-blowers such as Edward Snowden have brought to public attention stories which would otherwise have been kept hidden from the public, and it has been with the help of newspapers such as the Guardian that this information has been disseminated around the world.

Other newspapers are keen to ride on the coattails of those blazing a trail in the world of investigative journalism, and the latest to join the party is The Sun. Today, Murdoch-owned News Corp's newspaper and website launches SecureDrop — a way for whistle-blowers to anonymously leave tip-offs that can be further investigated.

The cloud service provides a means of getting in touch with journalists at The Sun without giving up anonymity — something which is particularly important when making revelations about companies and governments. The site provides a basic guide to getting started with the SecureDrop service, starting off with pointing would-be users in the direction of the Tor Browser Bundle.
United States

Officials Say Russian Hackers Read Obama's Unclassified Emails 109

Posted by samzenpus
from the lets-have-a-look dept.
An anonymous reader points out that Russian hackers reportedly obtained some of President Obama’s emails when the White House’s unclassified computer system was hacked last year. Some of President Obama's email correspondence was swept up by Russian hackers last year in a breach of the White House's unclassified computer system that was far more intrusive and worrisome than has been publicly acknowledged, according to senior American officials briefed on the investigation. The hackers, who also got deeply into the State Department's unclassified system, do not appear to have penetrated closely guarded servers that control the message traffic from Mr. Obama's BlackBerry, which he or an aide carries constantly. But they obtained access to the email archives of people inside the White House, and perhaps some outside, with whom Mr. Obama regularly communicated. From those accounts, they reached emails that the president had sent and received, according to officials briefed on the investigation.
Cellphones

Turning a Smartphone Display Into a Biometric Scanner 16

Posted by Soulskill
from the don't-make-the-obvious-jokes dept.
New submitter jan_jes writes: Recent mobile phones integrate fingerprint scanners to authenticate users biometrically and replace passwords, making authentication more convenient. Researchers at Yahoo Labs have created a new technology called "Bodyprint," which turns your smartphone's touchscreen display into a biometric scanner. It allows the touch sensor to scan users' body parts (PDF) such as ears, fingers, fists, and palms by pressing them against the display. Bodyprint implements the four-eye principle for locking sensitive documents — accessing the document can require the presence of two or more people involved with the project. Another application is authenticating a user to answer a call by scanning their ear pressed against the phone.
Security

Microsoft Opens Vulnerability Bounty Program For Spartan Browser 53

Posted by timothy
from the why-not-leave-the-code-to-survive-infancy-alone? dept.
jones_supa writes: As it did in the past when it tried to make Internet Explorer more secure, Microsoft has launched a new bug bounty program for the Spartan browser, the default application of Windows 10 for surfing the information highway. A typical remote code execution flaw can bring between $1,500 and $15,000, and for the top payment you also need to provide a functioning exploit. The company says that it could pay even more than that, if you convince the jury on the entry quality and complexity. Sandbox escape vulnerabilities with Enhanced Protected Mode enabled, important or higher severity vulnerabilities in Spartan or its engine, and ASLR info disclosure vulnerabilities are also eligible. If you want to accept the challenge, Microsoft provides more information on how to participate.
Windows

Buggy Win 95 Code Almost Wrecked Stuxnet Campaign 93

Posted by timothy
from the when-governments-attack dept.
mask.of.sanity writes: Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, malware analysts say. Stuxnet was on the brink of failure thanks to buggy code allowing it to spread to PCs running older and unsupported versions of Windows, and probably causing them to crash as a result. Those blue screens of death would have raised suspicions at the Natanz nuclear lab.
Crime

Allegation: Philly Cops Leaned Suspect Over Balcony To Obtain Password 225

Posted by timothy
from the forget-it-jake-it's-the-city-of-brotherly-love dept.
An anonymous reader writes with this news from Ars Technica: If you want access to encrypted data on a drug dealer's digital device, you might try to break the crypto—or you might just try to break the man.

According to testimony from a police corruption trial currently roiling the city of Philadelphia, officers from an undercover drug squad took the latter route back in November 2007. After arresting their suspect, Michael Cascioli, in the hallway outside his 18th floor apartment, the officers took Cascioli back inside. Although they lacked a search warrant, the cops searched Cascioli's rooms anyway. According to a federal indictment (PDF), the officers 'repeatedly assaulted and threatened [Cascioli] during the search to obtain information about the location of money, drugs, and drug suppliers.'
That included, according to Cascioli, lifting him over the edge of his balcony to try to frighten out of him the password to his Palm Pilot. That sounds like a good time for a duress password.