Security

Security Expert: Huawei Routers Riddled With Vulnerabilities 126

Posted by Unknown Lamer
from the more-like-riddled-with-features dept.
sabri writes "Cnet reports that German security expert Felix Lindner has unearthed several vulnerabilities in Huawei's carrier-grade routers. These vulnerabilities could potentially enable attackers, or the Chinese government, to snoop on users' traffic and/or perform a man-in-the-middle attack. While these routers are mostly in use in Asia, Africa and the Middle East, they are increasingly being used in other parts of the world as well, because of their dirt-cheap pricing. Disclaimer: I work for one of their competitors." Via the H, you can check out the presentation slides. Yesterday Huawei issued a statement: 'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'
Google

Google Clamps Down On Spam, Intrusive Ads In Apps 122

Posted by Soulskill
from the their-way-or-the-highway dept.
An anonymous reader tips news that Google has sent out a letter to app developers explaining policy changes for any new apps published on the Google Play store. In-app purchases must now use Google Play's payment system unless it's for goods or services used outside the app itself. They've added language to dissuade developers from making their apps look like other apps, or like they come from other developers. But more significantly, Google has explained in detail what qualifies as spam: repetitive content, misleading product descriptions, gaming the rating system, affiliate traffic apps, or apps that send communications without user consent. Also, advertisements within apps must now follow the same rules as the app itself, and they can't be intrusive: Ads can't install things like shortcuts or icons without consent, they must notify the user of settings changes, they can't simulate notifications, and they can't request personal information to grant full app function.
Security

Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole 180

Posted by Unknown Lamer
from the rms-gazes-upon-you-smugly dept.
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, a well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
IT

Ask Slashdot: Is There a Professional Geek Dress Code? 432

Posted by Unknown Lamer
from the pants-optional dept.
First time submitter KateKintail writes "I'm being promoted to be a director of a computer/web services department at work with staff members (not yet hired) working under me. My workplace doesn't have a dress code 95% of the year. Is this the end of my days of jeans and enjoyably geeky t-shirts? Is there a way to dress professionally in the workplace as a boss (the kind that doesn't need to be defeated at the end of a level) while still showing my Browncoat or Whovian love as I crawl under cobwebby desks to check that equipment is properly plugged in?"
Cloud

Dropbox Confirms Email Addresses Were Pilfered 89

Posted by Unknown Lamer
from the three-factor-auth-coming-to-a-store-near-you dept.
bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.
Printer

Additive Manufacturing (3D Printing), Gun Control, and Patent Law 380

Posted by Soulskill
from the if-we-outlaw-printers-then-only-outlaws-will-have-printers dept.
retroworks writes "J.D. Tuccille of the conservative think tank Reason Foundation discusses last week's news about the first working 3D-printed gun. According to the original article, the partly plastic '.22-caliber pistol, formed from a 3D-printed AR-15 (M16) lower receiver, and a normal, commercial upper' fired 200 rounds without any sign of wear and tear. Tuccille takes the discovery in the direction of politically topical gun control. '...the development makes it clear that a wide range of bans, restrictions and prohibitions are becoming increasingly unenforceable.' But in my mind, this example of additive-manufacturing technology raises even more questions about patent law enforcement. Will 3D printing be to the Anti-gray-market-alliance what online porn became to neighborhood blue laws?"
Virtualization

Chaos Monkey Released Into the Wild 76

Posted by Unknown Lamer
from the infinite-monkeys-with-infinite-hammers dept.
Quince alPillan writes "Netflix revealed today that they've released Chaos Monkey, an open source Amazon Web Service testing tool that will randomly turn off instances in Auto Scaling Groups. 'We have found that the best defense against major unexpected failures is to fail often. By frequently causing failures, we force our services to be built in a way that is more resilient. We are excited to make a long-awaited announcement today that will help others who embrace this approach. ...source code for the founding member of the Simian Army, Chaos Monkey, is available to the community.'"
Math

New Moxie Marlinspike Tool Cracks Crypto Passwords 71

Posted by samzenpus
from the new-tool-for-the-box dept.
Gunkerty Jeb writes "Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download."
Security

Ubisoft Uplay DRM Found To Include a Rootkit 473

Posted by samzenpus
from the a-little-something-extra dept.
An anonymous reader writes "It has been discovered that the Uplay system Ubisoft uses to both check a game is legal and offer up gaming achievements, multiplayer, and additional content, actually contains a rootkit. The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin's Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it. The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user's consent."
Update: Ubisoft has released a statement saying it has issued a forced patch to correct the flaw in the browser plug-in for the Uplay PC application.
Crime

JavaScript Botnet Sheds Light On Criminal Activity 50

Posted by samzenpus
from the surfing-dirty dept.
CowboyRobot writes "Informatica64, a security research group, demonstrated the use of cached JavaScript to control computers connecting to a malicious proxy. 'The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.'"
Australia

Anonymous Dumps Australian Telco Data Online 87

Posted by Soulskill
from the fun-times-down-under dept.
lukehopewell1 writes "After the threats, admissions and delays, hacktivists protesting a data retention scheme proposed by the Australian Government's National Security Inquiry have begun dumping data gleaned from an Australian telco — presumably AAPT. Anonymous is in the process of dumping government and business customer data onto Pastebin for the world to see under the guise of Operation Australia. This episode is far from over, however. We're likely to see more data trickle out over the coming days, considering that the group has promised 40GB worth of leaks."
Security

OAuth 2.0 Standard Editor Quits, Takes Name Off Spec 101

Posted by Soulskill
from the none-of-us-are-as-dumb-as-all-of-us dept.
New submitter tramp writes "The Register reports, 'Eran Hammer, who helped create the OAuth 1.0 spec, has been editing the evolving 2.0 spec for the last three years. He resigned from his role in June but only went public with his reasons in a blog post on Thursday. "At the end, I reached the conclusion that OAuth 2.0 is a bad protocol," Hammer writes. "WS-* bad. It is bad enough that I no longer want to be associated with it."' At the end of his post, he says, 'I think the OAuth brand is in decline. This framework will live for a while, and given the lack of alternatives, it will gain widespread adoption. But we are also likely to see major security failures in the next couple of years and the slow but steady devaluation of the brand. It will be another hated protocol you are stuck with.'"
Facebook

Facebook Invites Hackers To Attack Its Network 157

Posted by Soulskill
from the you-come-at-the-king-you-best-not-miss dept.
An anonymous reader writes "Nearly a year ago, Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and then responsibly disclose them to the company. Still, when the social network's security team received a tip from a researcher about a vulnerability in the company's own network which would allow attackers to eavesdrop on internal communications, they made an unprecedented choice by broadening the scope of the bug bounty program and inviting researchers to search for other holes in the corporate network. Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stolen information for much more. It should, therefore, come as no surprise that Ryan McGeehan, the manager of Facebook's security-incident response unit, stated that if there's a million-dollar bug, they will pay it out."
Cellphones

Did Apple Buy Fingerprint Security Firm For Mobile Wallet? 35

Posted by Soulskill
from the or-just-keeping-those-angry-birds-safe dept.
Hugh Pickens writes "Reuters reports that Apple will buy fingerprint sensor technology developer AuthenTec for about $356 million, striking a deal that could help Apple bring fingerprint technology, already used in mobile phones in Japan for authentication of mobile payments, to markets such as the United States, where mobile-wallet services have been slow to catch on. Some analysts expect the iPhone 5 to include some form of mobile payments technology. 'In the past 5 years, the growth of iPhone and Android smartphones has made mobile data security essential, not just a "nice-to-have" feature,' says Ben Yu, Managing Director of Sierra Ventures, one of the early investors in AuthenTec. 'People have their whole lives on the phones.' AuthenTec's embedded fingerprint scanners and other identity-related software are particularly useful now that Near Field Communications, or NFC-enabled, phones have begun to appear in the market. Analyst Colin Gillis says AuthenTec technology could potentially also help Apple combat problems such as theft of its more portable products such as iPhones. 'If they could have a way where they could tie the phone to a user more tightly, that would make sense for them,' says Gillis. The price tag for AuthenTec is a drop in the bucket of Apple's cash pile of $117.2 billion. 'We'll see if it's a one-off or if Tim Cook will start to level his cash balance and acquire talent,' adds Gillis."
Government

6 IT Projects, $8 Billion Over Budget At Dept. of Defense 113

Posted by Soulskill
from the par-for-the-course dept.
McGruber writes "The Federal Times has the stunning (but not surprising) news that a new audit found six Defense Department modernization projects to be a combined $8 billion — or 110 percent — over budget. The projects are also suffering from years-long schedule delays. In 1998, work began on the Army's Logistics Modernization Program (LMP). In April 2010, the General Accounting Office issued a report titled 'Actions Needed to Improve Implementation of the Army Logistics Modernization Program' about the status of LMP. LMP is now scheduled to be fully deployed in September 2016, 12 years later than originally scheduled, and 18 years after development first began! (Development of the oft-maligned Duke Nukem Forever only took 15 years.)"