Security

Geezers Pick Stronger Passwords Than Young'uns 189

Posted by timothy
from the as-many-characters-as-the-post-it-will-hold dept.
McGruber writes "Joseph Bonneau, a computer scientist at the University of Cambridge, calculated the password strengths of nearly 70 million Yahoo! users. He compared the strengths of passwords chosen by different demographic groups and compared the results. People over the age of 55 pick passwords double the strength of those chosen by people under 25 years old." Does this mean that the younger users are more cavalier and naive, or are they simply more cynical about the actual value of strong passwords in the era of large-scale user-database compromises?
Google

Google Applies For Dot-LOL Domain 125

Posted by timothy
from the binary-code-of-ells-and-zeroes dept.
judgecorp writes "Google has applied for the .lol domain in ICANN's sale of generic top level domains (gTLDs). Google also asked for .google, .docs, and .youtube at a cost of $185,000 each, in the round of applications which has finally closed. A glitch in the application system may have leaked some of the applicants' data to other applicants."
Open Source

Basque Country Gov't Decrees State-Produced Software Should Be Open Sourced 38

Posted by timothy
from the if-they-can-why-can't-texas? dept.
New submitter lsatenstein writes with this snippet from The H: "The regional government of Spain's Basque Country has decreed that all software produced for Basque government agencies and public bodies should be open sourced. Joinup, the European Commission's open source web site, cites an article in Spanish newspaper El Pais [English translation], saying that the only exceptions will be software that directly affects state security and a handful of projects which are being conducted in conjunction with commercial software suppliers."
Crime

Venezuela Bans the Commercial Sale of Firearms and Ammunition 828

Posted by Soulskill
from the guns-don't-kill-people,-except-when-they-do dept.
Bob the Super Hamste writes "The BBC is reporting on a new law in Venezuela that effectively bans the commercial sale of firearms and ammunition to private citizens. Previously anyone with a permit could purchase a firearm from any commercial vendor but now only the police, military, and security firms will be able to purchase firearms or ammunition from only state-owned manufacturers or importers. Hugo Chavez's government states that the goal is to eventually disarm the citizenry. The law, which went into effect today, was passed on February 29th, and up to this point the government has been running an amnesty program allowing citizens to turn in their illegal firearms. Since the law was first passed, 805,000 rounds of ammunition have been recovered from gun dealers. The measure is intended to curb violent crime in Venezuela, where 78% of homicides are linked to firearms."
Security

The Cost of Crappy Security In Software Infrastructure 156

Posted by Soulskill
from the measured-in-dollars-and-annoying-calls-from-relatives dept.
blackbearnh writes "Everyone these days knows that you have to double- and triple-check your code for security vulnerabilities, and make sure your servers are locked down as tight as you can. But why? Because our underlying operating systems, languages, and platforms do such a crappy job of protecting us from ourselves. The inevitable result of clamoring for new features, rather than demanding rock-solid infrastructure, is that the developer community wastes huge amounts of time protecting their applications from exploits that should never be possible in the first place. The next time you hear about a site that gets pwned by a buffer overrun exploit, don't think 'stupid developers!', think 'stupid industry!'"
Internet Explorer

IE10 Will Have 'Do Not Track' On By Default 181

Posted by Soulskill
from the stop-or-i'll-say-stop-again dept.
An anonymous reader writes "As Microsoft released the preview of the next version of its Internet Explorer browser, news that in Windows 8 the browser will be sending a 'Do Not Track' signal to Web sites by default must have shaken online advertising giants. 'Consumers can change this default setting if they choose,' Microsoft noted, but added that this decision reflects their commitment to providing Windows customers an experience that is 'private by default' in an era when so much user data is collected online. This step will make Internet Explorer 10 the first web browser with DNT on by default. And while the websites are not required to comply with the users' do-not-track request, the DNT initiative — started by the U.S. Federal Trade Commission — is making good progress."
United States

Obama Order Sped Up Wave of Cyberattacks Against Iran 415

Posted by Soulskill
from the cyber-bombshell dept.
diewlasing sends this excerpt from the NY Times: "From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran's main nuclear enrichment facilities, significantly expanding America's first sustained use of cyberweapons, according to participants in the program. Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet."
IOS

Apple Releases IOS Security Guide 91

Posted by samzenpus
from the protect-ya-neck dept.
Trailrunner7 writes in with a story about an iOS security guide released by Apple. "Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn't been publicly discussed by Apple. The iOS Security guide (PDF), released within the last week, represents Apple's first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing their best to reverse engineer the operating system for several years and much of what's in the new Apple guide has been discussed in presentations and talks by researchers. 'Apple doesn't really talk about their security mechanisms in detail. When they introduced ASLR, they didn't tell anybody. They didn't ever explain how codesigning worked,' security researcher Charlie Miller said."
Google

How Hackers Listened Their Way Around Google's Recaptcha 101

Posted by timothy
from the listen-to-what-the-flower-children-scream dept.
An anonymous reader writes with this story at Ars Technica: "Three self-taught hackers from the DC949 hacker collective managed to use a combination of techniques to beat ReCaptcha with 99.1% accuracy (better than most humans!)" In short, the hackers skipped the visual part of the Recaptcha system entirely, focusing on the audio alternative, which gave them a few convenient angles of attack. Google responded with changes to the system, but that doesn't minimize their accomplishment.
Android

Ask Slashdot: Equipping a Company With Secure Android Phones? 229

Posted by timothy
from the try-this-new-hal-9000-model dept.
An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"
Input Devices

Next Generation Xbox and Playstation Consoles Will Have Optical Drives 206

Posted by timothy
from the may-the-circle-be-unbroken-and-shiny dept.
First time accepted submitter dintech writes "The Wall Street Journal reports that while Sony considered online-only content distribution for its next-generation Playstation, the manufacturer has decided that the new console will include an optical drive after all. Microsoft is also planning to include an optical disk drive in the successor to its Xbox 360 console as the software company had concerns about access to Internet bandwidth."
Security

Industry Groups Bid To Control New Business-Specific TLDs 55

Posted by timothy
from the concentrated-interest-diffuse-objections dept.
Gunkerty Jeb writes "Two financial industry groups, the American Bankers Association (ABA) and the Financial Services Roundtable, announced on Thursday that they have applied to the Internet Corporation for Assigned Names and Numbers (ICANN) to operate two top level Internet domains, .bank and .insurance, on behalf of the financial services industry. In a published statement, the groups said that they had applied for .bank and .insurance to 'provide the highest security for the millions of customers conducting banking and insurance activities online.' The move comes as the U.S. Congress is set to begin hearings on e-banking fraud on Friday."
Censorship

Backdoor Found In Hacked Version of Anti-Censorship Tool Simurgh 32

Posted by timothy
from the so-how-do-you-trust-the-assurances? dept.
wiredmikey writes "Simurgh, a privacy tool used in Iran and Syria to bypass Internet censorship and governmental monitoring, is being circulated with a backdoor. The compromised version has been offered on P2P networks and via web searches. Research conducted by CitizenLab.org has shown that the malicious version isn't available from the original software source, only through third-party access, so it appears that Simurgh has been repackaged. The troubling aspect of the malicious version is that while it does install the proxy as expected, it then adds a keylogging component, and ships the recorded information off to a server hosted in the U.S. and registered to a person in Saudi Arabia. In response to this attack, the team that develops Simurgh has instituted a check that will warn the user if they are running a compromised version of the software. At present, it is unknown who developed the hijacked version of Simurgh, or why they did so."
Network

BT Fibre Pulls Out of Chelsea Over Ugly Equipment Cabinets 136

Posted by timothy
from the sounds-like-some-elvis-costello-lyrics dept.
judgecorp writes "The up-market London borough of Kensington and Chelsea has lost its chance for BT fast fibre. After residents objected to the ugly fibre cabinets, and the council repeatedly refused permission to install them in historic sites, BT has said the borough will not get its fast BT Infinity product at all. The borough says it doesn't need BT, as Richard Branson's Virgin Media has got it more or less covered."
Crime

Programmer Admits Stealing US Gov't Accounting Software Source Code 125

Posted by timothy
from the public-costs-should-create-public-goods dept.
An anonymous reader writes with this excerpt from NetSecurity.org: "A Chinese computer programmer that was charged with stealing the source code of software developed by the U.S. Treasury Department pleaded guilty to the charge on Tuesday. The 33-year-old Bo Zhang, legally employed by a U.S. consulting firm contracted by the Federal Reserve Bank of New York, admitted that he took advantage of the access he had to the Government-wide Accounting and Reporting Program (GWA) in order to copy the code onto an external hard disk and take it home." Just such things make me think that the default setting for software created with public money should be released with source code anyhow, barring context-specific reasons that it shouldn't be.
