v3rgEz writes "Documents released by the FBI provide an unusual inside look at how the agency is struggling to penetrate 'darknet' Onion sites routed through Tor, the online privacy tool funded in part by government grants to help global activists. In this case, agents were unable to pursue specific leads about an easily available child pornography site, while files withheld indicate that the FBI has ongoing investigations tied to the Silk Road marketplace, a popular, anonymous Tor site for buying and selling drugs and other illegal materials." Sounds similar to the problems that plagued freenet.
snydeq writes "IT professionals jumping into the cloud with both feet beware: It's irresponsible to think that just because you push a problem outside your office, it ceases to be your problem. It's not just the possibility of empty promises and integration issues that dog the cloud decision; it's also the upgrade to the new devil, the one you don't know. You might be eager to relinquish responsibility of a cranky infrastructure component and push the headaches to a cloud vendor, but in reality you aren't doing that at all. Instead, you're adding another avenue for the blame to follow. The end result of a catastrophic failure or data loss event is exactly the same whether you own the service or contract it out."
First time accepted submitter zer0point writes "Apple has just announced the next-generation MacBook Pro with a retina display. Starting today you can also order a MacBook Pro upgraded with Ivy Bridge CPUs, and Nvidia graphics. Mountain Lion got various updates, and as expected iOS 6 was announced. In rumor news, KGI Securities analyst Ming-Chi Kuo wrote in a note to investors, 'Based on the release schedule for iOS 6 GM, there is a very good chance iPhone 5 will start shipping also in early September.'"
First time accepted submitter anaphora writes "In this TED Talk, Rory Sutherland discusses the need for every company to have a staff member with the power to do big things but no budget to spend: these are the kinds of individuals who are not afraid to recommend cheap and effective ways to solve big company problems. This article argues that, in the IT world, this person is none other than a highly-skilled hacker. From the article: 'To the media, the term “hacker” refers to a user who breaks into a computer system. To a programmer, “hacker” simply means a great programmer. In the corporate IT field, hackers are both revered as individuals who get a lot done without a lot of resources and feared as individuals who may be a little more “loose cannon” than your stock IT employee. Telling your CEO you want to hire a hacker may not be the best decision for an IT manager, but actually hiring one may be the best decision you can make.'"
JohnBert writes "A security bug in MariaDB and MySQL has been revealed, allowing a known username and password to access the master user table of a MySQL server and dump it into a locally-stored file. By using a tool like John the Ripper, this file can be easily cracked to reveal text passwords that can provide further access. By committing a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database, you can access the database using the cracked password hashes even if the authentication bypass vulnerability is fixed."
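The summary above describes the flaw only as an "authentication bypass" that a brute-force module can abuse. The example below is an added illustration, not MySQL or MariaDB source: it models the root cause of that bug (CVE-2012-2122), in which the server compared the stored SHA-1 scramble with the value derived from the client's token using memcmp() and returned the result through my_bool, a signed char. Any non-zero memcmp() result that was a multiple of 256 truncated to 0 and the login was accepted, which is why simply retrying a wrong password succeeded roughly one time in 256 on affected builds. The `wide_memcmp` stand-in (an assumption: it returns a word difference, as some optimised memcmp implementations do rather than just -1/0/1) and the simplification of comparing the stored hash directly with the client value, skipping the challenge-response XOR step, are mine.

```python
"""Model of the MySQL/MariaDB my_bool truncation bug (added example)."""
import hashlib
import random

SHA1_LEN = 20


def wide_memcmp(a: bytes, b: bytes) -> int:
    """Stand-in (assumption) for an optimised memcmp(): returns the arithmetic
    difference of the first differing 32-bit word, not just its sign."""
    assert len(a) == len(b) == SHA1_LEN
    for i in range(0, SHA1_LEN, 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def as_my_bool(value: int) -> int:
    """Store an int into a signed char: keep the low byte and sign-extend."""
    return ((value + 128) % 256) - 128


def stored_hash(password: str) -> bytes:
    """mysql.user keeps SHA1(SHA1(password)); this is the raw digest form."""
    return hashlib.sha1(hashlib.sha1(password.encode()).digest()).digest()


def check_scramble_vulnerable(stored: bytes, token: bytes) -> int:
    # Bug: the int from memcmp() is narrowed to my_bool (char) on return.
    return as_my_bool(wide_memcmp(stored, token))


def check_scramble_fixed(stored: bytes, token: bytes) -> int:
    # Fix: normalise to 0/1 before the narrowing conversion.
    return 1 if wide_memcmp(stored, token) != 0 else 0


def login_ok(stored: bytes, token: bytes, check) -> bool:
    """The server accepts the login when the check returns 0 (no mismatch)."""
    return check(stored, token) == 0


def forged_token(stored: bytes) -> bytes:
    """Deterministic case: a wrong token whose first word differs from the
    real value by exactly 256, so the modelled memcmp() returns +/-256,
    which the char narrowing turns into 0."""
    first = (int.from_bytes(stored[:4], "big") + 256) % (1 << 32)
    return first.to_bytes(4, "big") + stored[4:]


def bypasses_in(attempts: int, seed: int, check) -> int:
    """Count random wrong tokens that get accepted: about attempts/256 for
    the vulnerable check (the retry attack), 0 for the fixed check."""
    rng = random.Random(seed)
    stored = stored_hash("correct horse")
    hits = 0
    for _ in range(attempts):
        token = bytes(rng.getrandbits(8) for _ in range(SHA1_LEN))
        if token != stored and login_ok(stored, token, check):
            hits += 1
    return hits


if __name__ == "__main__":
    s = stored_hash("s3cret")
    print("forged token, vulnerable:", login_ok(s, forged_token(s), check_scramble_vulnerable))
    print("forged token, fixed:     ", login_ok(s, forged_token(s), check_scramble_fixed))
    print("random hits in 10000 tries:",
          bypasses_in(10000, 1, check_scramble_vulnerable), "vulnerable vs",
          bypasses_in(10000, 1, check_scramble_fixed), "fixed")
```

The practical check is the second number: a build that accepts any random token at all is affected, and the fix is to compare the normalised 0/1 result rather than the raw memcmp() return value. The brute-force module the summary mentions does exactly the retry loop shown in `bypasses_in`, only against a live server.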
Trailrunner7 writes "Researchers digging through the code of the recently discovered Flame worm say they have come across a wealth of evidence that suggests Flame and the now-famous Stuxnet worm share a common origin. Researchers from Kaspersky Lab say that a critical module that the Flame worm used to spread is identical to a module used by Stuxnet.a, an early variant of the Stuxnet worm that began circulating in 2009, more than a year before a later variant of the worm was discovered by antivirus researchers at the Belarusian firm VirusBlokAda. The claims are the most direct, to date, that link the Flame malware, which attacked Iranian oil facilities, with Stuxnet, which is believed to have targeted Iran's uranium-enrichment facility at Natanz. If true, they suggest a widespread and multi-year campaign of offensive cyber attacks against multiple targets within that country."
An anonymous reader writes "Qualys researcher Francois Pesce used open source password cracker John the Ripper to try to crack SHA-1 hashes of leaked LinkedIn passwords. He ran the John the Ripper default command on a small default password dictionary of less than 4,000 words. The program then switched to incremental mode based on statistical analysis of known password structures, which generated more probable passwords. The results? After 4 hours, approximately 900,000 passwords had been cracked. Francois then ran numerous iterations, incorporating older dictionaries to uncover less common passwords and ended up cracking a total of 2,000,000 passwords."
First time accepted submitter Jizzbug writes "The X Window System made release X11 7.7 last night (June 9th): 'This release incorporates both new features and stability and correctness fixes, including support for reporting multi-touch events from touchpads and touchscreens which can report input from more than one finger at a time, smoother scrolling from scroll wheels, better cross referencing and formatting of the documentation, pointer barriers to control cursor movement, and synchronization fences to coordinate between X and other rendering engines such as OpenGL.'"
HappyDude writes "I've been asked to manage a department in our IT group. It's comprised of UNIX, VMWare, Citrix, EMC and HP SAN Admins, Technicians and Help Desk personnel. The group covers the spectrum in years of experience. I am a 20-year Admin veteran of Engineering and Health Care IT systems including UNIX, Oracle DBA, Apache HTTP/Tomcat, WebSphere, software design plus other sundry jack-of-all-trades kinds of stuff. Although I consider myself a hack at most of those trades, I'm reasonably good at any one of them when I'm submerged. I also have 10 years of Project Management experience in Engineering and Health Care related IT organizations. I do have formal PM training, but haven't bothered to seek credentialing. I'm being told that I'll be worth less to the organization as a supervisor than what I'm making now, but the earning potential is greater if I accept the management position. Out of the kindness of their hearts, they're offering to start me in the new position at the same wage I'm currently making. Does this make any sense, Slashdot?" Read on for further details.
UnderAttack writes "A common joke in infosec is that you can't hack a server that is turned off. You better make sure that the power cord is unplugged, too. Otherwise, you may be exposed via IPMI, a component present on many servers for remote management that can be used to flash firmware, get a remote console and power cycle the server even after the normal power button has been pressed to turn the server off."
fmatthew5876 writes "I have a friend who graduated with a degree in philosophy and sociology. He has been spending a lot of his spare time for the last couple years learning system administration and web development. He has set up web servers, database servers, web proxies and more. He has taught himself PHP, MySQL, and how to use Linux and OpenBSD without any formal education. I believe that if given the chance with an entry level position somewhere and a good mentor he could really be a great Unix admin, but the problem is that he doesn't have a degree in computer science or any related field. He is doing stuff now that a lot of people I graduated with (I was a CS major) could not do when they had a bachelor's degree. Does Slashdot have any advice on what my friend could do to build up his resume and find a job? I know a lot of people think certifications are pretty useless or even harmful, but in his case do you think it would be a good idea?"
Harperdog writes "Scott Kemp writes about the similarities between the nuclear arms race and the use of cyberweaponry for offensive purposes. As the article points out, offensive cyberwarfare leaves a nation's own citizenry vulnerable to attack as government agencies seek to keep weaknesses in operating systems (such as Windows) secret. Quoting: 'In the world of armaments, cyber weapons may require the fewest national resources to build. That is not to say that highly developed nations are not without their advantages during early stages. Countries like Israel and the United States may have more money and more talented hackers. Their software engineers may be more skilled and exhibit more creativity and critical thinking owing to better training and education. However, each new cyberattack becomes a template for other nations — or sub-national actors — looking for ideas.'"
Trailrunner7 writes "Adobe has released a new version of its Flash Player that now gives Firefox users the additional security of a sandbox and also includes a background update mechanism for Mac users. Flash has run in a sandbox on Google Chrome and Internet Explorer for some time already. The big security news in Flash Player 11.3 is the addition of the protected mode sandbox for Firefox on Windows. That's a major change for Adobe, which has been adding sandboxes to its main product lines for a couple of years now. Adobe Reader X has run in protected mode — which is what Adobe calls its sandbox — since its release, and the company also added a sandbox to Flash on Google Chrome. The sandbox is designed to prevent attackers from using vulnerabilities in Flash to break out of the application and move to other apps or the OS itself."
CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"
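The two LinkedIn items above (the John the Ripper run and Kamp's column on missing salts) describe the same mechanics from two sides: a word list hashed once is matched against every unsalted hash at no extra cost, and identical hashes expose users who share a password. The following is an added example, not code from the Qualys or ACM articles: the "leak", the word list and the user names are constructed for the demo, and each cracking function returns the number of hash computations it spent so the cost difference between unsalted and per-user salted storage is visible. Salted SHA-1 is used only to keep the comparison like-for-like; it is still a fast hash, and a deliberately slow, salted KDF (bcrypt, scrypt, PBKDF2) is what a real system should use.

```python
"""Dictionary attack on unsalted vs. salted SHA-1 hashes (added example)."""
import hashlib
import os
from collections import defaultdict


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed sample leak: user -> hex SHA-1 of the bare password (LinkedIn format).
SAMPLE_PASSWORDS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",      # same password as alice
    "dave": "Tr0ub4dor&3",    # not in the word list, survives this pass
    "erin": "123456",
}
UNSALTED_LEAK = {u: sha1_hex(p.encode()) for u, p in SAMPLE_PASSWORDS.items()}

# Tiny stand-in for john's default word list.
WORDLIST = ["123456", "password", "linkedin", "password1", "qwerty", "letmein"]


def shared_hashes(leak: dict) -> dict:
    """Unsalted storage: identical hashes mean identical passwords, so the
    duplicates point straight at the weakest choices (Kamp's point)."""
    users = defaultdict(list)
    for user, h in leak.items():
        users[h].append(user)
    return {h: sorted(us) for h, us in users.items() if len(us) > 1}


def crack_unsalted(leak: dict, wordlist: list):
    """Hash each word once, then look up every user: cost = |wordlist|,
    independent of how many users leaked."""
    table = {}
    work = 0
    for word in wordlist:
        table[sha1_hex(word.encode())] = word
        work += 1
    cracked = {u: table[h] for u, h in leak.items() if h in table}
    return cracked, work


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user salted SHA-1 (still fast; a slow KDF belongs here in practice)."""
    return sha1_hex(salt + password.encode())


def make_salted_records(passwords: dict) -> dict:
    """Store (salt, hash) per user with a random 16-byte salt."""
    records = {}
    for user, password in passwords.items():
        salt = os.urandom(16)
        records[user] = (salt, hash_salted(password, salt))
    return records


def crack_salted(records: dict, wordlist: list):
    """Every user needs their own pass over the word list: up to
    |users| x |wordlist| hashes, and no precomputed table helps."""
    cracked = {}
    work = 0
    for user, (salt, h) in records.items():
        for word in wordlist:
            work += 1
            if hash_salted(word, salt) == h:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("shared unsalted hashes:", shared_hashes(UNSALTED_LEAK))
    cracked, work = crack_unsalted(UNSALTED_LEAK, WORDLIST)
    print(f"unsalted: cracked {cracked} with {work} hash computations")
    records = make_salted_records(SAMPLE_PASSWORDS)
    cracked, work = crack_salted(records, WORDLIST)
    print(f"salted:   cracked {cracked} with {work} hash computations")
```

The salted run still recovers the same weak passwords, which is the caveat worth keeping in mind: a salt removes the shared-hash shortcut and forces per-user work, but only a slow hash makes that per-user work expensive enough to matter against a 6.5-million-entry dump.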
DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
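The arithmetic behind that calculator, as an added example rather than Gibson's own code: a password of length L drawn from an alphabet of A characters sits in a search space of A + A^2 + ... + A^L guesses (the attacker exhausts all shorter lengths first), and time to exhaust it is that count divided by the guess rate. The three guess rates and the 33-character symbol class below are my recollection of the calculator's scenarios and are assumptions; the functions take the password string itself so the alphabet is derived from the character classes actually present.

```python
"""Exhaustive-search space and time-to-exhaust calculator (added example)."""
import string

# Assumed scenarios, modelled on the calculator's three rate columns.
GUESS_RATES = {
    "online attack (1,000/s)": 1e3,
    "offline fast attack (100 billion/s)": 1e11,
    "massive cracking array (100 trillion/s)": 1e14,
}
SYMBOLS = string.punctuation + " "   # 33 printable ASCII symbols incl. space

UNITS = [("years", 365 * 86400), ("weeks", 7 * 86400),
         ("days", 86400), ("hours", 3600), ("minutes", 60)]


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    if not password.isascii():
        raise ValueError("only printable ASCII is modelled here")
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def search_space(password: str) -> int:
    """sum(A**n for n in 1..L), written in closed form with exact integers."""
    a = alphabet_size(password)
    length = len(password)
    return (a * (a ** length - 1)) // (a - 1)


def seconds_to_exhaust(space: int, rate: float) -> float:
    return space / rate


def humanize(seconds: float) -> str:
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.7f} seconds"


def growth_from_one_more_char(password: str) -> float:
    """How much the space grows if one more character of the same classes is
    appended: close to A, which is the 'every additional character' effect."""
    return search_space(password + password[-1]) / search_space(password)


def report(password: str) -> dict:
    space = search_space(password)
    return {name: humanize(seconds_to_exhaust(space, rate))
            for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for pw in ["abcdef", "aaaaa1", "Tr0ub4dor&3"]:
        print(pw, alphabet_size(pw), search_space(space := pw) if False else search_space(pw))
        for scenario, t in report(pw).items():
            print("   ", scenario, "->", t)
        print("    x", round(growth_from_one_more_char(pw), 1), "per extra character")
```

This measures only the cost of exhaustive search over the character classes used; a dictionary word such as "linkedin" scores as eight lowercase letters here while falling to a word list in a fraction of a second, which is the caveat any such calculator carries.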