Slashdot

MBCook sends word on a possible solution to the mystery of the Voynich Manuscript, which we last visited nearly 6 years ago. "The Voynich Manuscript has confounded attempts to decode it for nearly 100 years. A person named Edith Sherwood, who has previously suggested a possible link to DaVinci, has a new idea: perhaps the text is simply anagrams of Italian words. There are three pages of examples from the herb section of the book, showing the original text, the plaintext Italian words, and the English equivalents. Has someone cracked the code?"

CWmike writes "Apple wants a federal judge to shut down Psystar's Mac clone operation and order the company to pay more than $2.1 million in damages, according to court documents. The move was the first by Apple since US District Court Judge William Alsup ruled that Psystar violated Apple's copyright and the Digital Millennium Copyright Act when it installed Mac OS X on clones it sold. Alsup's Nov. 13 order, which granted Apple's motion for summary judgment and quashed Psystar's similar request, was a crushing blow to the Florida company's legal campaign. In a motion filed Monday, Apple asked Alsup to grant a permanent injunction that would force Psystar to stop selling any computer bundled with Mac OS X; using, selling or even owning software that lets it crack Apple's OS encryption key to trick Mac OS X to run on non-Apple hardware; and 'inducing, aiding or inducing others in infringing Apple's copyright.'" Groklaw has summarized Apple's request as well, and noted that Apple has also filed a motion to dismiss Psystar's litigation in Florida (or transfer it to California, where the above injunction was filed).

aaaaaaargh! writes "I'm using a laptop with Ubuntu 8.04 for work, a netbook with Ubuntu 9.10 when I'm outside, Mac OS X 10.5 for hobby projects, and Windows XP for gaming. For backups, I'm currently using Jungle Disk and Apple's Time Machine, and I use a local svn repository for my work data. Now I need to frequently exchange and synchronize OpenOffice and Latex files and source code in various cross-platform programming languages between one machine and another. Options range from putting everything online (but Jungle Disk disks seem to be too slow for anything else than backup), storing my data on external media like USB sticks or SD cards, or working with copies by synchronizing folders over the network. I don't want to give my data away to some server outside without strong encryption (controlled by me, including the source code) and external media like USB sticks are a bit too fragile according to my taste. The solution should be reliable, relatively failsafe, as simple as possible, and allow me to continue to use Jungle Disk for backup. So what would you recommend?"

Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

Trailrunner7 writes "US and international prosecutors have indicted a criminal ring that they allege was responsible for an ATM scam last November that stole about $9 million from RBS WorldPay. The criminals cracked payroll debit cards and withdrew money from ATMs in hundreds of cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan, and one unidentified man. Prosecutors allege that the men 'used sophisticated hacking techniques' to defeat the company's encryption system. The scam involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards, then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period."

Trailrunner7 writes "Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill. But the Data Breach Notification Act, S.139, exempts federal agencies and other organizations subject to the bill from disclosing a breach if the data involved in the breach was encrypted. This is a clause that has caused some controversy, as some experts say that simply encrypting data does not render it useless. Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.' That is a very broad exemption that could become a sticking point as the bill moves along. The terms 'access controls' and 'other such mechanisms' encompass a huge number of technologies."

Norsefire writes to mention a Register piece reporting that early adopters are having a tough time with Karmic Koala, Ubuntu's latest release. "Ubuntu 9.10 is causing outrage and frustration, with early adopters wishing they'd stuck with previous versions of the Linux distro. Blank and flickering screens, failure to recognize hard drives, defaulting to the old 2.6.28 Linux kernel, and failure to get encryption running are taking their toll, as early adopters turn to the web for answers and log fresh bug reports in Ubuntu forums." What has been your experience if you've moved to Karmic?

pariax writes "So you wanna build your own massively distributed password cracking infrastructure? Electric Alchemy has published a writeup detailing their experiences cracking PGP ZIP archives using brute force computing power provided by Amazon EC2 and a distributed password cracker from Elcomsoft."

A new format specification has reached consensus among web and type designers and is being backed by Mozilla. Dubbed Web Open Font Format (WOFF), it is an effort to bring advanced typography to the Web in a much better way. Support for the new spec will be included as a part of Firefox 3.6 which just recently hit beta. "WOFF combines the work Leming and Blokland had done on embedding a variety of useful font metadata with the font resource compression that Kew had developed. The end result is a format that includes optimized compression that reduces the download time needed to load font resources while incorporating information about the font's origin and licensing. The format doesn't include any encryption or DRM, so it should be universally accepted by browser vendors — this should also qualify it for adoption by the W3C."

Frequent Slashdot contributor Bennett Haselton writes "A federal judge rules that government can obtain access to a person's inbox contents without any notification to the subscriber. The pros and cons of this are complicated, but the decision hinges on the assertion that ISP customers have lowered privacy interests in e-mail because they 'expose to the ISP's employees in the ordinary course of business the contents of their e-mails.' Fortunately for everybody, this is not true — most ISPs do not allow their employees to read customer e-mails 'in the ordinary course of business' — but then what are the consequences for the rest of the argument?" Read on for the rest of Bennett's analysis.

David Gerard writes "Lord Peter Mandelson has carefully ignored the Gowers Report and the Carter Report, instead taking the advice of his good friend David Geffen and announcing that 'three strikes and you're out' will become law in Britain. The Open Rights Group has, of course, hit the roof. Oh, and never mind MI5 and the police pointing out that widespread encryption will become normal, hampering their efforts to keep up with little things like impending terrorist atrocities. Still, worth it to stop a few Lily Allen tracks being shared, right?"

Now that the UK is discussing plans for some form of 3-strikes regime to discourage file-sharing, TechDirt reports that the fans of due process have picked up unlikely allies: the law enforcement and spying establishments fear that a 3-strikes policy would result in far more encryption on the Net, greatly complicating their jobs. "Of course, they're not as concerned about due process and civil rights, as they are about making it more difficult to track down criminals online: 'Law enforcement groups, which include the Serious and Organized Crime Agency and the Metropolitan Police's e-crime unit, believe that more encryption will increase the costs and workload for those attempting to monitor internet traffic. ... A source involved in drafting the Bill said that the intelligence agencies, MI5 and MI6, had also voiced concerns about disconnection. "The spooks hate it," the source said.'" The Times (UK) Online has more details.

Schneier has a blog piece about Joanna Rutkowska's "evil maid" attack, demonstrated earlier this month against TrueCrypt. "The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. ... [A] likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. ... [P]eople who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing their computer and then trying to get at the data. It does not protect against an attacker who has access to your computer over a period of time during which you use it, too."

Ponca City, We love you writes "The EFF has warned Texas Instruments not to pursue legal threats against calculator hobbyists who perform modifications to the company's programmable graphing calculators. TI's calculators perform a 'signature check' that allows only approved operating systems to be loaded, but researchers have reverse-engineered signing keys, allowing tinkerers to install custom operating systems and unlock new functionality in the calculators' hardware. In response, TI has unleashed a torrent of demand letters claiming that the anti-circumvention provisions of the Digital Millennium Copyright Act require the hobbyists to take down commentary about and links to the keys. 'This is not about copyright infringement. This is about running your own software on your own device — a calculator you legally bought,' says EFF Civil Liberties Director Jennifer Granick. 'Yet TI still issued empty legal threats in an attempt to shut down discussion of this legitimate tinkering. Hobbyists are taking their own tools and making them better, in the best tradition of American innovation.'"

An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.

An anonymous reader writes "OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. It encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. Version 5.3 marks the 10th anniversary of the OpenSSH project."

sertsa writes "Earlier this year a group of researchers at the University of Washington came up with a scheme to use peer-to-peer networks to store and, ultimately, to forget the keys for encrypted messages, causing them to 'Vanish.' Now a group from researchers from UT Austin, Princeton, and the University of Michigan has come up with a way to break this approach, by making a single computer appear to be many nodes on the p2p network. 'In our experiments with Unvanish, we have shown that it is possible to make Vanish messages reappear long after they should have disappeared nearly 100 percent of the time...'"

Dan Jones writes "2009 marks 60 years since the advent of modern cryptography. It was back in October 1949 when mathematician Claude Shannon published a paper on Communication Theory of Secrecy Systems. According to his employer at the time, Bell Labs, the work transformed cryptography from an art to a science and is generally considered the foundation of modern cryptography. Since then significant developments in secure communications have continued, particularly with the advent of the Internet and Web. CIO has a pictorial representation of the past six decades of research and development in encryption technology. Highlights include the design of the first quantum cryptography protocol by Charles Bennett and Gilles Brassard in 1984, and the EFF's 'Deep Crack' DES code breaker of 1998."

Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."