An anonymous reader writes "I'm starting a new job soon, and I will be issued a work laptop. For obvious reasons I cannot name any names, but I can state that I do expect my employer to have tracking software on the laptop, and I expect to not be the administrator on the device. That being said, I am not the kind of person who can just 'not browse the internet.' If I ever have to travel with this laptop, I may want to read an ebook or watch a movie or maybe even play a game. I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it. I can use portable apps off a usb key and browse in private mode. The machine will be encrypted, but I can also make myself my own little encrypted folder or partition perhaps. Are there any other precautions I could or should take?"
PatPending writes with this excerpt from TorrentFreak: "The RetroShare network allows people to create a private and encrypted file-sharing network. Users add friends by exchanging PGP certificates with people they trust. All the communication is encrypted using OpenSSL and files that are downloaded from strangers always go through a trusted friend. In other words, it's a true Darknet and virtually impossible to monitor by outsiders. RetroShare founder DrBob told us that while the software has been around since 2006, all of a sudden there's been a surge in downloads. 'The interest in RetroShare has massively shot up over the last two months,' he said."
dsinc sends this quote from a Symantec report: "In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In the wake Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies. The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid."
Pat Attack writes "I think most of the people who read Slashdot know that if it has circuitry, it can be hacked. Well, the good folks over at CNN have an article about the potential for your car to be hacked. This article lists the potential damage that could be done, proof of concept work, as well as a few scary scenarios. 'With vehicles taking up to three years to develop, [security strategist Brian Contos] says manufacturers will struggle to keep abreast of rapidly-evolving threats unless they organize regular software updates. Instead, he says, any installed technology should be given a so-called "white list" of permissible activities beyond which any procedures are blocked.' My mom reads CNN and is a Luddite. I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe."
alphadogg writes "The little cameras in your home are multiplying. There are the ones you bought, perhaps your SLR or digital camera, but also those that just kind of show up in your current phone, your old phone, your laptop, your game console, and soon your TV and set-top box. Varun Arora, founder of startup GotoCamera in Singapore, wants you to turn them all on and let his company's algorithms analyze what they show, then sell the results as marketing data, in a sort of visual version of what Google and other firms do with search results and free email services."
mr crypto writes with this quote from El Reg: "In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election. 'It was too good an opportunity to pass up,' explained Professor Alex Halderman from the University of Michigan. 'How often do you get the chance to hack a government network without the possibility of going to jail?' With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory (PDF) on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. ... The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board."
Timothy asked Electronic Frontier Foundation (EFF) International Outreach Coordinator Maira Sutton that very question. Watch the video for her answer. It turns out that the EFF has lots of friends among RSA ("the most comprehensive forum in information security") attendees, and has some very good reasons to be there, in the midst of companies and government agencies that Timothy thinks might not only violate your privacy once in a while, but (gasp!) might even enjoy it.
mask.of.sanity writes "The National Security Agency has designed a super-secure Android phone from commercial parts, and released the blueprints(Pdf) to the public. The doubly-encrypted phone, dubbed Fishbowl, was designed to be secure enough to handle top secret phone calls yet be as easy to use and cheap to build as commercial handsets. One hundred US government staff are using the phones under a pilot which is part of a wider project to redesign communication platforms used in classified conversations."
chicksdaddy writes with a tidbit from the RSA conference. From the article: "A panel of security and policy experts speaking at the RSA Conference in San Francisco on Wednesday said that, despite dire warnings about the information warfare capabilities of China and other developing nations, the risk of an all-out cyberwar is remote, and that the U.S. still holds many of the cards. Rather than trying to deliver a knock-out cyberwar capability, the U.S. should embrace the Cold War notions of containment and mutually assured destruction with advanced nations like China and Russia. Tried and true methods to win security from cyberattacks include international diplomacy, multilateral agreements that clarify the parameters for peaceful and hostile cyberactions and — of course — a strong offensive capability."
astroengine writes "NASA had 5,408 computer security lapses in 2010 and 2011, including the March 2011 loss of a laptop computer that contained algorithms used to command and control the International Space Station, the agency's inspector general told Congress Wednesday. According to his statement (PDF), 'These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.'"
judgecorp writes "Microsoft's Windows Azure cloud service was down much of yesterday, and the cause was a leap year bug as the service failed to handle the 29th day of February. Faults propagated making this a severe outage for many customers, including the UK Government's recently launched G-cloud service."
Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices. Their website says, 'Our initial hardware offering, the Pwn Plug, is the first-to-market commercial penetration testing drop box platform. This low-cost plug-and-play device is designed for remote security testing of corporate facilities, including branch offices and retail locations. A security professional or service provider can ship this device to a corporate facility and conduct a security test over the Internet without travel expenses.' Hardware buffs will recognize this unit as a SheevaPlug, but the value-add is that it's preloaded with Ubuntu Linux and and a rich suite of intrusion/testing tools. The company's 'Founder and CEO and everything else' is Dave Porcello. The video is an interview with Dave, in which he shows off and demonstrates some Pwnie Express products.
pigrabbitbear writes "The most recent bombshell of confidential documents dropped by infamous watchdog organization Wikileaks is already looking to have an enormous impact on our understanding of government security practices. Specifically, intimate details on the long-suspected fact that the U.S. has been paying a whole lot of money to have private corporations spy on citizens, activists and other groups and individuals on their ever-expanding, McCarthy-style naughty list. But perhaps more importantly, the docs demonstrate something very interesting about the nature of U.S. government intelligence: They haven't really got much of it."
Peter Eckersley writes "EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to their Observatory database allowing them to detect attacks against the web's cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device has a weak private key due to recently discovered random number generator bugs."