Sparrowvsrevolution writes "Slashdot readers are no doubt familiar by now with the case of Onity, the company whose locks are found on 4 million hotel room doors worldwide and, as came to light over the summer, can be opened in seconds with a $50 Arduino device. Since that hacking technique was unveiled by Mozilla developer Cody Brocious at Black Hat, Onity first downplayed its security flaws and then tried to force its hotel customers to pay the cost of the necessary circuit board replacements to fix the bug. But now, after at least one series of burglaries exploiting the bug hit a series of hotel rooms in Texas, Onity has finally agreed to shoulder the cost of replacing the hardware itself — at least for its locks in major chain hotels in the U.S. installed after 2005. Score one point for full disclosure."
Catch up on stories from the past week (and beyond) at the Slashdot story archive
coondoggie writes "The U.S. government's overly complicated way of classifying and declassifying information needs to be dumped and reinvented with the help of a huge technology injection if it is to keep from being buried under its own weight. That was one of the main conclusions of a government board tasked with making recommendations on exactly how the government should transform the current security classification system (PDF)."
New submitter thereitis writes "Looking over my home computing setup, I see equipment ranging from 20 years old to several months old. What sorts of old and new equipment have you seen coexisting, and in what type of environment?" I regularly use keyboards from the mid 1980s, sometimes with stacked adapters to go from ATX to PS/2, and PS/2 to USB, and I'm sure that's not too unusual.
Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."
dcblogs writes "Despite the fact that technology plays an increasingly important role in the economy, IT wages remain persistently flat. This may be tech's inconvenient truth. In 2000, the average hourly wage was $37.27 in computer and math occupations for workers with at least a bachelor's degree. In 2011, it was $39.24, adjusted for inflation, according to a new report by the Economic Policy Institute. That translates to an average wage increase of less than a half percent a year. In real terms, IT wages overall have gone up by $1.97 an hour in just over 10 years, according to the EPI. Data from professional staffing firm Yoh shows wages in decline. In its latest measure for week 12 of 2012, the hourly wages were $31.45 and in 2010, for the same week, at $31.78. The worker who earned $31.78 in 2010 would need to make $33.71 today to stay even with inflation. Wages vary by skill and this data is broad. The unemployment rate for tech has been in the 3-4% range, but EPI says full employment has been historically around 2%."
chicksdaddy writes "A presentation at the Passwords^12 Conference in Oslo, Norway (slides), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney's system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft's LM and NTLM, obsolete. In a test, the researcher's system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other, Linux-based operating systems, was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU-powered systems that could perform 'close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,' he wrote. Gosney's cluster cranks out more than 77 million brute force attempts per second against MD5crypt."
snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"
Rambo Tribble writes "The Swiss spy agency, NDB, reports a disaffected employee walked out with drives containing terabytes of data shared by counter-terrorism agencies in Switzerland, the U.S. and Britain. It is not yet known if he was able to pass on any information before he was apprehended. 'A European security source said investigators now believe the suspect became disgruntled because he felt he was being ignored and his advice on operating the data systems was not being taken seriously.'"
Hugh Pickens writes "In the old days, traditional computer security centered around users. However, Bruce Schneier writes that now some of us have pledged our allegiance to Google (using Gmail, Google Calendar, Google Docs, and Android phones) while others have pledged allegiance to Apple (using Macintosh laptops, iPhones, iPads; and letting iCloud automatically synchronize and back up everything) while others of us let Microsoft do it all. 'These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them.' Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. Today we users must trust the security of these hardware manufacturers, software vendors, and cloud providers and we choose to do it because of the convenience, redundancy, automation, and shareability. 'In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm (PDF). Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades.' In this system, we have no control over the security provided by our feudal lords. Like everything else in security, it's a trade-off. We need to balance that trade-off. 'In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. But these days, government has largely abdicated its role in cyberspace, and the result is a return to the feudal relationships of yore,' concludes Schneier, adding that perhaps it's time for government to create the regulatory environments that protect us vassals. 'Otherwise, we really are just serfs.'"
hypnosec writes "The Linux 3.7 kernel has been delayed by one week as Linus Torvalds has released the Linux 3.7-rc8 instead. Because of some hiccups following the 'resurrection of a kswapd issue,' Torvalds wasn't comfortable releasing version 3.7 this week and instead went ahead with another release candidate. Torvalds revealed in his release announcement that because of this delay, the merge window for Linux 3.8 will close just around Christmas time."
Yes, you can now have full remote access to your home computer or a server at work that's running Ubuntu Linux. Really any Linux distro, although only Ubuntu is formally supported by Splashtop. What? You say you already control your home and work Linux computers from your Android tablet with VNC? That there's a whole bunch of Android VNC apps out there already? And plenty for iOS, too? You're right. But Cliff says Splashtop is better than the others. It can play video at a full 30 frames per second, and has low enough latency (depending on your connection) that you can play video games remotely in between taking care of that list of server issues your boss emailed to you. Or perhaps, in between work tasks, you take a dip in the ocean, because you're working from the beach, not from a stuffy office. It seems that work and living locations get a little more remote from each other every year, and Splashtop is helping to make that happen. This video interview is, itself, an example of how our world has gotten flatter; Cliff was in China and I was in Florida. The connection wasn't perfect, but the fact that we could have this conversation at all is a wonder. Please note, too, that while Cliff Miller is now Chief Marketing Officer for Splashtop, he was also the founder and first CEO of TurboLinux, so he is not new to Linux. And Splashtop is the company that supplied the "instant on" Linux OS a lot of computer manufacturers bundled with their Windows computers for a few years. Now, of course, they're focusing on the remote desktop, and seem to be making a go of it despite heavy competition in that market niche.
Sparrowvsrevolution writes "In the wake of Syria's 52-hour digital blackout last week, the networking firm Renesys performed an analysis of which countries are most susceptible to an Internet shutdown, based simply on how many distinct entities control the connections between the country's networks and those of the outside world. It found that for 61 countries and territories, just one or two Internet service providers maintain all external connections–a situation that could make possible a quick cutoff from the world with a well-placed government order or physical attack."
Eugene Kaspersky probably hates malware just as much as you do on his own machines, but as the head of Kaspersky Labs, the world's largest privately held security software company, he might have a different perspective — the existence of malware and other forms of online malice drives the need for security software of all kinds, and not just on personal desktops or typical internet servers. The SCADA software vulnerabilities of the last few years have led him to announce work on an operating system for industrial control systems of the kind affected by Flame and Stuxnet. But Kaspersky is not just toiling away in the computer equivalent of the CDC: He's been outspoken in his opinions — some of which have drawn ire on Slashdot, like calling for mandatory "Internet ID" and an "Internet Interpol". He's also come out in favor of Internet voting, and against SOPA, even pulling his company out of the BSA over it. More recently, he's been criticized for ties to the current Russian government. (With regard to that Wired article, though, read Kaspersky's detailed response to its claims.) Now, he's agreed to answer Slashdot readers' questions. As usual, you're encouraged to ask all the question you'd like, but please confine your questions to one per post. We'll pass on the best of these for Kaspersky's answers. Update: 12/04 14:20 GMT by T : For more on Kaspersky's thoughts on the importance of online IDs, see this detailed blog posting.
wiredmikey writes "Over the weekend, a security researcher disclosed seven security vulnerabilities related to MySQL. Of the flaws disclosed, CVE assignments have been issued for five of them. The Red Hat Security Team has opened tracking reports, and according to comments on the Full Disclosure mailing list, Oracle is aware of the zero-days, but has not yet commented on them directly. Researchers who have tested the vulnerabilities themselves state that all of them require that the system administrator failed to properly setup the MySQL server, or the firewall installed in front of it. Yet, they admit that the disclosures are legitimate, and they need to be fixed. One disclosure included details of a user privilege elevation vulnerability, which if exploited could allow an attacker with file permissions the ability to elevate its permissions to that of the MySQL admin user."
Hugh Pickens writes writes "The Washington Post reports that Apple has finally unveiled their new version of iTunes, overhauling its look and feel and integrating it more closely with the company's iCloud Internet- storage service with one of the biggest upgrades Apple has made to the program with 400 million potential users since its debut more than a decade ago. The new design of iTunes moves away from the spreadsheet format that Apple has featured since its debut and adds more art and information about musicians, movies and television shows. It also adds recommendation features so users can find new material. According to David Pogue of the NY Times Apple has fixed some of the dumber design elements that have always plagued iTunes. 'For years, the store was represented only as one item in the left-side list, lost among less important entries like Radio and Podcasts. Now a single button in the upper-right corner switches between iTunes's two personalities: Store (meaning Apple's stuff) and Library (meaning your stuff).' Unfortunately, Apple hasn't fixed the Search box. As before, you can't specify in advance what you're looking for: an app, a song, a TV show, a book. Whatever you type into the Search box finds everything that matches, and you can't filter it until after you search. It feels like a two-step process when one should do. 'Improvements in visual navigation and a more logical arrangement of tools are good, but for me the biggest positive within iTunes 11 remains its vastly improved performance on all three Macs I've tested it on, including a relatively ancient five-year-old MacBook,' writes Jonny Evans."