Open Source

Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source ( 32

Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never move obvious than following the discovery of the Heartbleed Open SSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet."

Firefox Support For NPAPI Plugins Ends Next Year ( 82

An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.

Disclosed Netgear Flaws Under Attack ( 14

msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the research teams that it addressed the problem adequately. The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300- The flaw allows an attacker, without knowing the router password, to access the administration interface.

Linus: '2016 Will Be the Year of the ARM Laptop' ( 149

jones_supa writes: Linus Torvalds took the stage at LinuxCon Europe in Dublin, Ireland, and talked about a number of things, including security and the future for Linux on ARM hardware. There is nothing that will blow your mind, but there are a couple of interesting statements nonetheless. Chromebooks are slowly taking over the world, and a large number of those Chromebooks are powered by ARM processors. "I'm happy to see that ARM is making progress. One of these days, I will actually have a machine with ARM. They said it would be this year, but maybe it'll be next year. 2016 will be the year of the ARM laptop," said Linus excitedly. He also explained that one of the problems now is actually finding people to maintain Linux. It's not a glorious job, and it usually entails answering emails seven days a week. Finding someone with the proper set of skills and the time to do this job is difficult.

US Government Will Not Force Companies To Decode Encrypted Data... For Now ( 105

Mark Wilson writes: The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies. This is being hailed as a "partial victory" by the Electronic Frontier Foundation; partial because, as reported by the Washington Post, the government "will not — for now — call for [such] legislation." This means companies will not be forced to build backdoors into their products, but there is no guarantee it won't happen further down the line. The government wants to continue talks with the technology industry to find a solution, but leaving things in limbo for the time being will create a sense of unease on both sides of the debate. The EFF has also compiled a report showing where the major tech companies stand on encryption.

LogMeIn To Acquire LastPass For $125 Million ( 94

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

First Successful Collision Attack On the SHA-1 Hashing Algorithm ( 78

Artem Tashkinov writes: Researchers from Dutch and Singapore universities have successfully carried out an initial attack on the SHA-1 hashing algorithm by finding a collision at the SHA1 compression function. They describe their work in the paper "Freestart collision for full SHA-1". The work paves the way for full SHA-1 collision attacks, and the researchers estimate that such attacks will become reality at the end of 2015. They also created a dedicated web site humorously called The SHAppening.

Perhaps the call to deprecate the SHA-1 standard in 2017 in major web browsers seems belated and this event has to be accelerated.


Apple Approves, Then Removes In-App Ad Blocker ( 77

Mickeycaskill writes: Apple has pulled a number of applications from the App Store, most notably the "Been Choice" ad blocker, because of concerns the methods they employ to rid adverts could compromise sensitive user data. iOS 9 allows for the installation of applications that block adverts in Safari, but other apps like Been Choice go one step further and let users remove adverts from applications – including Apple News. Been Choice routes traffic through a VPN to filter out adverts in some applications, but it this technique has attracted the attention of Apple, which is concerned user data could be exposed. Apple says it is working with developers to get their apps back up and Been is refining its application for resubmission. In any case, Been says users must opt-in for in-app ad blocking and that no data is stored on its servers.

Iran-Based Hacking Crew Uses Fake LinkedIn Profiles In Espionage Attacks ( 41

An anonymous reader writes: The Iranian hacker group Cleaver has been directing a cyber spying campaign at bodies in the Middle East across a network of fake LinkedIn accounts. It is thought that the threat actors were using the professional platform to gather intelligence using six 'leader' profiles, each with over 500 connections, and a collection of 'supporter' accounts. According to Dell researchers, recruitment advertisements and skill endorsements from 'supporter' accounts were used to boost credibility. Perhaps they're after the New Yorker crowd, too.

Man Behind Week-Long Bitcoin Attacks Reveals Himself 71

An anonymous reader writes: A Russian man that calls himself "Alister Maclin" has been disrupting the Bitcoin network for over a week, creating duplicate transactions, and annoying users. According to Bitcoin experts, the attack was not dangerous and is the equivalent of "spam" on the Bitcoin blockchain servers, known in the industry as a "malleability attack," creating duplicate transactions, but not affecting Bitcoin funds. Maclin recently gave an interview to Vice.

ESR On Why the FCC Shouldn't Lock Down Device Firmware ( 143

An anonymous reader writes: We've discussed some proposed FCC rules that could restrict modification of wireless routers in such a way that open source firmware would become banned. Eric S. Raymond has published the comment he sent to the FCC about this. He argues, "The present state of router and wireless-access-point firmware is nothing short of a disaster with grave national-security implications. ... The effect of locking down router and WiFi firmware as these rules contemplate would be to lock irreparably in place the bugs and security vulnerabilities we now have. To those like myself who know or can guess the true extent of those vulnerabilities, this is a terrifying possibility. I believe there is only one way to avoid a debacle: mandated device upgradeability and mandated open-source licensing for device firmware so that the security and reliability problems can be swarmed over by all the volunteer hands we can recruit. This is an approach proven to work by the Internet ubiquity and high reliability of the Linux operating system."

IP Address May Associate Lyft CTO With Uber Data Breach ( 103

An anonymous reader writes: According to two unnamed Reuters sources the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before become CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.
United States

NSF Awards $74.5 Million To Support Interdisciplinary Cybersecurity Research ( 8

aarondubrow writes: The National Science Foundation announced $74.5 million in grants for basic research in cybersecurity. Among the awards are projects to understand and offer reliability to cryptocurrencies; invent technologies to broadly scan large swaths of the Internet and automate the detection and patching of vulnerabilities; and establish the science of censorship resistance by developing accurate models of the capabilities of censors. According to NSF, long-term support for fundamental cybersecurity research has resulted in public key encryption, software security bug detection, spam filtering and more.

Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? 83

New submitter tanstaaf1 writes: I was thinking about the whole tracking and privacy train-wreck and I'm wondering why specific information on how it is done, and how it can be micromanaged or undone by a decent programmer (at least), isn't vastly more accessible? By searching, I can only find information on how to erase cookies using the browser. Browser level (black box) solutions aren't anywhere near good enough; if it were, the exploits would be few and far between instead everywhere everyday. Read below for the rest of tanstaaf1's question.

Wealth of Personal Data Found On Used Electronics Purchased Online 70

An anonymous reader writes: After examining 122 used mobile devices, hard disk drives and solid state drives purchased online, Blancco Technology Group and Kroll Ontrack found 48% contained residual data. In addition, 35% of mobile devices contained emails, texts/SMS/IMs, and videos. From the article: "Upon closer examination, Blancco Technology Group and Kroll Ontrack discovered that a deletion attempt had been made on 57 percent of the mobile devices and 75 percent of the drives that contained residual data. Even more compelling was the discovery that those deletion attempts had been unsuccessful due to common, but unreliable methods used, leaving sensitive information exposed and potentially accessible to cyber criminals. The residual data left on two of the second-hand mobile devices were significant enough to discern the original users' identities. Whether it's a person's emails containing their contact information or media files involving a company's intellectual property, lingering data can have serious consequences."

Prison Debate Team Beats Harvard's National Title Winners 191 writes: Lauren Gambino reports at The Guardian that months after winning this year's national debate championship, Harvard's debate team has fallen to a debate team of three inmates with violent criminal records. The showdown took place at the Eastern correctional facility in New York, a maximum-security prison where convicts can take courses taught by faculty from nearby Bard College, and where inmates have formed a popular debate club. The Bard prison initiative has expanded since 2001 to six New York correctional facilities, and aims to provide inmates with a liberal arts education so that when the students leave prison they are able to find meaningful work. A three-judge panel concluded that the Bard team had raised strong arguments that the Harvard team had failed to consider and declared the team of inmates victorious. "Debate helps students master arguments that they don't necessarily agree with," says Max Kenner. "It also pushes people to learn to be not just better litigators but to become more empathetic people, and that's what really speaks to us as an institution about the debate union."

The prison team has proven formidable in the past, beating teams from the US military academy at West Point and the University of Vermont. They lost a rematch against West Point in April, setting up a friendly rivalry between the teams. The competition against West Point has become an annual event, and the prison team is preparing for the next debate in spring. In the morning before the debate, team members talked of nerves and their hope that competing against Harvard—even if they lost—would inspire other inmates to pursue educations. "If we win, it's going to make a lot of people question what goes on in here," says Alex Hall, a 31-year-old from Manhattan convicted of manslaughter. "We might not be as naturally rhetorically gifted, but we work really hard."

Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments 41

An anonymous reader writes: Dutch IT security expert Sijmen Ruwhof has found a pretty big blunder on the part of Danske Bank, Denmark's biggest bank, which exposed sensitive user session information in the form of an encoded data dump, in their banking portal's JavaScript files. The data contained client IP addresses, user agent strings, cookie information, details about the bank's internal IT network, and more. He contacted the bank, who fixed the issue, but later denied it ever happened.

Boarding Pass Barcodes Can Reveal Personal Data, Future Flights 64

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.

Windows Phone Store Increasingly Targeted With Fake Mobile Apps 90

An anonymous reader writes: A post by security company Avast says not only are a large amount of fake apps available from the third-party marketplace of the Windows Phone Store, but they also remain available for quite a while despite negative comments and other flags from end-users. Avast speculates that improved security and auditing procedures at rival stores such as Google Play account for the increasing attention that fake app-publishers are giving to the Windows phone app market.
Open Source

Matthew Garrett Forks the Linux Kernel 686

jones_supa writes: Just like Sarah Sharp, Linux developer Matthew Garrett has gotten fed up with the unprofessional development culture surrounding the kernel. "I remember having to deal with interminable arguments over the naming of an interface because Linus has an undying hatred of BSD securelevel, or having my name forever associated with the deepthroating of Microsoft because Linus couldn't be bothered asking questions about the reasoning behind a design before trashing it," Garrett writes. He has chosen to go his own way, and has forked the Linux kernel and added patches that implement a BSD-style securelevel interface. Over time it is expected to pick up some of the power management code that Garrett is working on, and we shall see where it goes from there.