Android

Manufacturer's Backdoor Found On Popular Chinese Android Smartphone 36

Posted by samzenpus
from the sneaking-in dept.
Trailrunner7 writes that researchers at Palo Alto Networks have found a backdoor in Android devices sold by Coolpad. "A popular Android smartphone sold primarily in China and Taiwan but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users' consent. The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor's control system. Ryan Olson, intelligence director at Palo Alto, said the CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user's permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad."
Cloud

The Joys and Hype of Hadoop 32

Posted by samzenpus
from the ups-and-downs dept.
theodp writes "Investors have poured over $2 billion into businesses built on Hadoop," writes the WSJ's Elizabeth Dwoskin, "including Hortonworks Inc., which went public last week, its rivals Cloudera Inc. and MapR Technologies, and a growing list of tiny startups. Yet companies that have tried to use Hadoop have met with frustration." Dwoskin adds that Hadoop vendors are responding with improvements and additions, but for now, "It can take a lot of work to combine data stored in legacy repositories with the data that's stored in Hadoop. And while Hadoop can be much faster than traditional databases for some purposes, it often isn't fast enough to respond to queries immediately or to work on incoming information in real time. Satisfying requirements for data security and governance also poses a challenge."
The Courts

Apple Wins iTunes DRM Case 168

Posted by Soulskill
from the drm-protected-history-is-written-by-the-victors dept.
An anonymous reader sends word that Apple's iTunes DRM case has already been decided. The 8-person jury took only a few hours to decide that the features introduced in iTunes 7.0 were good for consumers and did not violate antitrust laws. Following the decision, the plaintiff's head attorney Patrick Coughlin said an appeal is already planned. He also expressed frustrations over getting two of the security features — one that checks the iTunes database, and another that checks each song on the iPod itself — lumped together with the other user-facing features in the iTunes 7.0 update, like support for movies and games. "At least we got a chance to get it in front of the jury," he told reporters. ... All along, Apple's made the case that its music store, jukebox software, and hardware were simply an integrated system similar to video game consoles from Sony, Microsoft, and Nintendo. It built all those pieces to work together, and thus it would be unusual to expect any one piece from another company to work without issues, Apple's attorneys said. But more importantly, Apple offered, the evolution of its DRM that ended up locking out competitors was absolutely necessary given deals it had with the major record companies to patch security holes.
Privacy

Uber Limits 'God View' To Improve Rider Privacy 74

Posted by Soulskill
from the enabled-by-typing-iddqd dept.
mpicpp sends this report from CNN: Uber has rolled back employee access to its "God view" mode, which allows the company to track riders' locations and other data. The ride service company was faced with questions about its privacy policies from U.S. Senator Al Franken, following a series of recent privacy debacles. Uber's updated policy is detailed in its response to the senator's questions. Franken sent Uber a letter (PDF, Uber's response) in November after news reports made two things clear: The ride service company collects lots of data on customers — and some executives don't exercise that power responsibly. In one case, an Uber employee using "God View" easily tracked a reporter's movements on her way to a meeting.
Privacy

Snowden Leaks Prompt Internet Users Worldwide To Protect Their Data 53

Posted by Soulskill
from the for-differing-values-of-"protect" dept.
Lucas123 writes: A new international survey of internet users from 24 countries has found that more than 39% of them have taken steps to protect their data since Edward Snowden leaked the NSA's spying practices. The survey, conducted by the Center for International Governance Innovation, found that 43% of Internet users now avoid certain websites and applications and 39% change their passwords regularly. Security expert Bruce Schneier chastised the media for trying to downplay the numbers by saying "only" 39%" have taken action and "only 60%" have heard of Snowden. The news articles, "are completely misunderstanding the data," Schneier said, pointing out that by combining data on Internet penetration with data from the international survey, it works out to 706 million people who are now taking steps to protect their online data. Additionally, two-thirds (64%) of users indicated they are more concerned today about online privacy than they were a year ago. Another notable finding: 83% of users believe that affordable access to the Internet should be a basic human right.
Google

Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services 269

Posted by samzenpus
from the no-snooping-zone dept.
jfruh writes Google Chairman Eric Schmidt told a conference on surveillance at the Cato Institute that Edward Snowden's revelations on NSA spying shocked the company's engineers — who then immediately started working on making the company's servers and services more secure. Now, after a year and a half of work, Schmidt says that Google's services are the safest place to store your sensitive data.
Businesses

Sony Pictures Leak Reveals Quashed Plan To Upload Phony Torrents 130

Posted by timothy
from the trial-balloon dept.
retroworks writes Motherboard.vice offers an interesting scoop from the hacked Sony Pictures email trove. A plan championed by Polish marketing employee Magda Mastalerz was to upload false versions of highly-pirated Sony programming, effectively polluting torrent sites with false positives. For example, uploading a "Hannibal"-themed anti-piracy ad to popular torrent sites disguised as the first episode. Sony Pictures' legal department quashed the idea, saying that if pirate sites were illegal, it would also be illegal for Sony Pictures to upload onto them. There were plans in WW2 to drop phony counterfeit currency to disrupt markets, and I wonder why flooding underground markets with phony products isn't widespread. Why don't credit card companies manufacture fake lists of stolen credit card numbers, or phony social security numbers, for illegal trading sites? For that matter, would fake ivory, fake illegal porn, and other "false positives" discourage buyers? Or create alibis?
Open Source

OpenMotics Offers Open Source (and Open Hardware) Home Automation 36

Posted by timothy
from the here-are-your-diagrams dept.
Home automation is a recurring topic around here; we've had stories about X-10-based home-brewed systems, a protocol designed for automation, and more than a few Ask Slashdots. Now, an anonymous reader writes OpenMotics is an open source home automation hardware and software system that offers features like switching lights and outputs, multi-zone heating and cooling, power measurements, and automated actions. The system encompasses both open source software and hardware. For interoperability with other systems, the OpenMotics Gateway provides an API through which various actions can be executed. The project was open sourced 2 years ago and was started about 10 years ago. The choice to open source the project was very conscious: we want to offer a system where users are in full control over their home automation system.
Google

Google Earth API Will Be Retired On December 12, 2015 74

Posted by timothy
from the so-be-on-that-bus-to-mars dept.
An anonymous reader writes Google [on Friday] announced it plans to retire the Google Earth API on December 12, 2015. The reason is simple: Both Chrome and Firefox are removing support for Netscape Plugin Application Programming Interface (NPAPI) plugins due to security reasons, so the API's death was inevitable. The timing makes sense. Last month, Google updated its plan for killing off NPAPI support in Chrome, saying that it would block all plugins by default in January and drop support completely in September. The company also revealed that the Google Earth plugin had dropped in usage from 9.1 percent of Chrome users in October 2013 to 0.1 percent in October 2014. Add dwindling cross-platform support (particularly on mobile devices), and we're frankly surprised the announcement didn't come sooner.
Networking

BGP Hijacking Continues, Despite the Ability To Prevent It 56

Posted by Soulskill
from the won't-fix dept.
An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires that operators accept something called the Relying Party Agreement. But the provider community seems unhappy with the agreement, and is choosing not to implement it, just to avoid the RPA, leaving the Internet as a whole less secure.
Businesses

Is Enterprise IT More Difficult To Manage Now Than Ever? 238

Posted by Soulskill
from the get-off-my-virtualized-lawn dept.
colinneagle writes: Who's old enough to remember when the best technology was found at work, while at home we got by with clunky home computers and pokey dial-up modems? Those days are gone, and they don't look like they're ever coming back.

Instead, today's IT department is scrambling to deliver technology offerings that won't get laughed at — or, just as bad, ignored — by a modern workforce raised on slick smartphones and consumer services powered by data centers far more powerful than the one their company uses. And those services work better and faster than the programs they offer, partly because consumers don't have to worry about all the constraints that IT does, from security and privacy to, you know, actually being profitable. Plus, while IT still has to maintain all the old desktop apps, it also needs to make sure mobile users can do whatever they need to from anywhere at any time.

And that's just the users. IT's issues with corporate peers and leaders may be even rockier. Between shadow IT and other Software-as-a-Service, estimates say that 1 in 5 technology operations dollars are now being spent outside the IT department, and many think that figure is actually much higher. New digital initiatives are increasingly being driven by marketing and other business functions, not by IT. Today's CMOs often outrank the CIO, whose role may be constrained to keeping the infrastructure running at the lowest possible cost instead of bringing strategic value to the organization. Hardly a recipe for success and influence.
Crime

Tracking the Mole Inside Silk Road 2.0 81

Posted by Soulskill
from the doomed-from-day-one dept.
derekmead writes: The arrest of the Silk Road 2.0 leader and subsequent seizure of the site was partially due to the presence of an undercover U.S. Department of Homeland Security agent, who "successfully infiltrated the support staff involved in running the Silk Road 2.0 website," according to the FBI.

Referencing multiple interviews, publicly available information, and parts of the moderator forum shared with me, it appears likely that the suspicions of many involved in Silk Road 2.0 are true: the undercover agent that infiltrated the site was a relatively quiet staff member known as Cirrus.
Yahoo!

"Lax" Crossdomain Policy Puts Yahoo Mail At Risk 49

Posted by samzenpus
from the protect-ya-neck dept.
msm1267 writes A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.
Sony

Sony Reportedly Is Using Cyber-Attacks To Keep Leaked Files From Spreading 185

Posted by samzenpus
from the fight-fire-with-fire dept.
HughPickens.com writes Lily Hay Newman reports at Slate that Sony is counterhacking to keep its leaked files from spreading across torrent sites. According to Recode, Sony is using hundreds of computers in Asia to execute a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. Sony used a similar approach in the early 2000s working with an anti-piracy firm called MediaDefender, when illegal file sharing exploded. The firm populated file-sharing networks with decoy files labeled with the names of such popular movies as "Spider-Man," to entice users to spend hours downloading an empty file. "Using counterattacks to contain leaks and deal with malicious hackers has been gaining legitimacy," writes Newman. "Some cybersecurity experts even feel that the Second Amendment can be interpreted as applying to 'cyber arms'."
United States

Are the TSA's New Electronic Device Screenings Necessary? 184

Posted by samzenpus
from the obvious-answer-is-obvious dept.
First time accepted submitter Amanda Parker writes In July the US warned of a terrorism risk which led countries, such as France and the UK, to step up their security screening for flights to the US. Secretary of Homeland Security Jeh Johnson directed the TSA to implement enhanced security measures. In his statement on 6 July, Johnson warned that passengers could also be asked to "power up some devices, including cell phones" and stated that "powerless devices will not be permitted on board the aircraft". In light of the US Transportation Security Administration's (TSA) recent tightening of airport security to include stricter screening of electronic devices, is the TSA right to be cautious or have its actions caused unnecessary hassle for passengers?
Privacy

Bank Security Software EULA Allows Spying On Users 135

Posted by timothy
from the even-for-a-eula-that's-bad dept.
An anonymous reader writes Trusteer Rapport, a software package whose installation is promoted by several major banks as an anti-fraud tool, has recently been acquired by IBM and has an updated EULA. Among other things, the new EULA includes this gem: "In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise's data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction." Welcome to the future...
DRM

Keurig 2.0 Genuine K-Cup Spoofing Vulnerability 269

Posted by timothy
from the if-only-this-worked-for-ink-jet-cartridges dept.
An anonymous reader writes A security researcher has released a humorous vulnerability description for the Keurig 2.0 coffee maker, which includes DRM designed to only brew Keurig brand coffee pods (K-Cups): "Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity of coffee pods, known as K-Cups, uses weak verification methods, which are subject to a spoofing attack through re-use of a previously verified K-Cup." The vulnerability description even includes mitigating controls, such as keeping the Keurig in a locked cabinet when not in use. Also at Hackaday.
Cellphones

In Iowa, a Phone App Could Serve As Driver's License 207

Posted by timothy
from the search-incident-to-arrest dept.
New submitter dubner writes Simply hand the law enforcement officer your mobile phone. That's what you can do in Iowa rather than "digging through clutter in your glove compartment for an insurance card." And soon your driver's license will be available on your phone too, according to a story in the Des Moines Register. Iowans will soon be able to use a mobile app on their smartphones as their official driver's license issued by the Iowa Department of Transportation. Some marvelous quotes in TFA: "The new app should be highly secure ... People will use a pin number for verification." And "Branstad (Iowa governor)... noted that even Iowa children are now working on digital development projects." A raft of excuses ("battery's dead") and security problems come to mind; how would you implement such a system?
Communications

Why Open Source Matters For Sensitive Email 73

Posted by samzenpus
from the better-mail dept.
Jason Baker writes Can you really trust your email provider? And even if you self-host your email server, can you really trust its security if you can't see the code? Over on Opensource.com, Olivier Thierry makes three cases for using open source to power your email solution: The power of numbers, the value of trust, and the importance of leverage.
Twitter

An Algorithm To Prevent Twitter Hashtag Degeneration 162

Posted by samzenpus
from the read-all-about-it dept.
Bennett Haselton writes The corruption of the #Ferguson and #Gamergate hashtags demonstrates how vulnerable the hashtag system is to being swamped by an "angry mob". An alternative algorithm could be created that would allow users to post tweets and browse the ones that had been rated "thoughtful" by other users participating in the same discussion. This would still allow anyone to contribute, even average users lacking a large follower base, while keeping the most stupid and offensive tweets out of most people's feeds. Keep reading to see what Bennett has to say.