Forgot your password?
typodupeerror

Become a fan of Slashdot on Facebook

Government

Smartphone Kill Switch, Consumer Boon Or Way For Government To Brick Your Phone? 212

Posted by samzenpus
from the best-of-both-worlds dept.
MojoKid writes We're often told that having a kill switch in our mobile devices — mostly our smartphones — is a good thing. At a basic level, that's hard to disagree with. If every mobile device had a built-in kill switch, theft would go down — who would waste their time over a device that probably won't work for very long? Here's where the problem lays: It's law enforcement that's pushing so hard for these kill switches. We first learned about this last summer, and this past May, California passed a law that requires smartphone vendors to implement the feature. In practice, if a smartphone has been stolen, or has been somehow compromised, its user or manufacturer would be able to remotely kill off its usability, something that would be reversed once the phone gets back into its rightful owner's hands. However, such functionality should be limited to the device's owner, and no one else. If the owner can disable a phone with nothing but access to a computer or another mobile device, so can Google, Samsung, Microsoft, Nokia or Apple. If the designers of a phone's operating system can brick a phone, guess who else can do the same? Everybody from the NSA to your friendly neighborhood police force, that's who. At most, all they'll need is a convincing argument that they're acting in the interest of "public safety."
Encryption

Tor Browser Security Under Scrutiny 71

Posted by Soulskill
from the shouldn't-we-be-funding-this-better dept.
msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.
Security

Researchers Find Security Flaws In Backscatter X-ray Scanners 131

Posted by Soulskill
from the raise-your-hand-if-you're-surprised dept.
An anonymous reader writes: Researchers from UC San Diego, University of Michigan, and Johns Hopkins say they've found security vulnerabilities in full-body backscatter X-ray machines deployed to U.S. airports between 2009 and 2013. In lab tests, the researchers were able to conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner, plus modify the scanner software so it presents an "all-clear" image to the operator even when contraband was detected. "Frankly, we were shocked by what we found," said lead researcher J. Alex Halderman. "A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."
Security

51% of Computer Users Share Passwords 115

Posted by Unknown Lamer
from the rm-rf-/-of-shame dept.
An anonymous reader writes Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues. The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.
Security

Heartbleed To Blame For Community Health Systems Breach 76

Posted by Soulskill
from the bet-you-wish-you'd-patched dept.
An anonymous reader writes: The Heartbleed vulnerability is the cause of the data breach at Community Health Systems, which resulted in 4.5 million records (containing patient data) being compromised. According to a blog post from TrustedSec, the attackers targeted a vulnerable Juniper router and obtained credentials, which allowed them access to the network's VPN.
Programming

C++14 Is Set In Stone 189

Posted by timothy
from the but-it's-a-soft-stone dept.
jones_supa (887896) writes "Apart from minor editorial tweaks, the ISO C++14 standard can be considered completed. Implementations are already shipping by major suppliers. C++14 is mostly an incremental update over C++11 with some new features like function return type deduction, variable templates, binary literals, generic lambdas, and so on. The official C++14 specification release will arrive later in the year, but for now Wikipedia serves as a good overview of the feature set."
Government

Nuclear Regulator Hacked 3 Times In 3 Years 66

Posted by timothy
from the once-a-year-to-keep-in-practice dept.
mdsolar (1045926) writes with this disconcerting story from CNet about security breaches at the U.S. Nuclear Regulatory Commission, revealed in a new report to have been compromised three times in the last three years: The body that governs America's nuclear power providers said in an internal investigation that two of the hacks are suspected to have come from unnamed foreign countries, the news site Nextgov reported based on a Freedom of Information Act request. The source of the third hack could not be identified because the logs of the incident had been destroyed, the report said. Hackers, often sponsored by foreign governments, have targeted the US more frequently in recent years. A report (PDF) on attacks against government computers noted that there was a 35 percent increase between 2010 and 2013.

Intruders used common hacking techniques to get at the NRC's computers. One attack linked to a foreign country or individual involved phishing emails that coerced NRC employees into submitting their login credentials. The second one linked to a foreign government or individual used spearphishing, or emails targeted at specific NRC employees, to convince them to click a link that led to a malware site hosted on Microsoft's cloud storage site SkyDrive, now called OneDrive. The third attack involved breaking into the personal account of a NRC employee. After sending a malicious PDF attachment to 16 other NRC employees, one person was infected with malware.
Data Storage

AMD Launches Radeon R7 Series Solid State Drives With OCZ 64

Posted by timothy
from the brand-awareness dept.
MojoKid (1002251) writes AMD is launching a new family of products today, but unless you follow the rumor mill closely, it's probably not something you'd expect. It's not a new CPU, APU, or GPU. Today, AMD is launching its first line of solid state drives (SSDs), targeted squarely at AMD enthusiasts. AMD is calling the new family of drives, the Radeon R7 Series SSD, similar to its popular mid-range line of graphics cards. The new Radeon R7 Series SSDs feature OCZ and Toshiba technology, but with a proprietary firmware geared towards write performance and high endurance. Open up one of AMD's new SSDs and you'll see OCZ's Indilinx Barefoot 3 M00 controller on board—the same controller used in the OCZ Vector 150, though it is clocked higher in these drives. That controller is paired to A19nm Toshiba MLC (Multi-Level Cell) NAND flash memory and a DDR3-1333MHz DRAM cache. The 120GB and 240GB drives sport 512MB of cache memory, while the 480GB model will be outfitted with 1GB. Interestingly enough, AMD Radeon R7 Series SSDs are some of the all-around, highest-performing SATA SSDs tested to date. IOPS performance is among the best seen in a consumer-class SSD, write throughput and access times are highly-competitive across the board, and the drive offered consistent performance regardless of the data type being transferred. Read performance is also strong, though not quite as stand-out as write performance.
Security

Research Unveils Improved Method To Let Computers Know You Are Human 91

Posted by Unknown Lamer
from the until-computers-improve dept.
An anonymous reader writes CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. Researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location. The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. The game-like nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs. There are a couple research papers available: "A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks and Usability" and "Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming."
Security

Hackers Steal Data Of 4.5 Million US Hospital Patients 111

Posted by Unknown Lamer
from the security-through-whoops dept.
itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.
Security

Linux Kernel Git Repositories Add 2-Factor Authentication 48

Posted by samzenpus
from the locking-things-down dept.
LibbyMC writes For a few years now Linux kernel developers have followed a fairly strict authentication policy for those who commit directly to the git repositories housing the Linux kernel. Each is issued their own ssh private key, which then becomes the sole way for them to push code changes to the git repositories hosted at kernel.org. While using ssh keys is much more secure than just passwords, there are still a number of ways for ssh private keys to fall into malicious hands. So they've further tightened access requirements with two-factor authentication using yubikeys.
Businesses

Daimler's Solution For Annoying Out-of-office Email: Delete It 229

Posted by samzenpus
from the keep-your-away-messages-to-yourself dept.
AmiMoJo writes Sure, you can set an out-of-office auto-reply to let others know they shouldn't email you, but that doesn't usually stop the messages; you may still have to handle those urgent-but-not-really requests while you're on vacation. That's not a problem if you work at Daimler, though. The German automaker recently installed software that not only auto-replies to email sent while staff is away, but deletes it outright.
Bug

Windows 8.1 Update Crippling PCs With BSOD, Microsoft Suggests You Roll Back 300

Posted by samzenpus
from the back-to-the-old dept.
MojoKid writes Right on schedule, Microsoft rolled-out an onslaught of patches for its "Patch Tuesday" last week, and despite the fact that it wasn't the true "Update 2" for Windows 8.1 many of us were hoping for, updates are generally worth snatching up. Since the patch rollout, it's been discovered that four individual updates are causing random BSoD issues for its users, with KB2982791, a kernel-mode related driver, being the biggest culprit. Because of the bug's severity, Microsoft is recommending that anyone who updated go and uninstall a couple of the specific updates, or rollback using Windows Restore. You can uninstall these updates in much the same way you uninstall any app; the difference is that once you're in the "Programs and Features" section, you'll need to click on "View installed updates" on the left. While it's mostly recommended that you uninstall 2982791, you may wish to uninstall the others as well, just in case.
Security

New Cridex Malware Copies Tactics From GameOver Zeus 18

Posted by samzenpus
from the imitation-is-the-sincerest-form-of-flattery dept.
Trailrunner7 writes The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM's X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ's penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

"There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we've witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators," Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.
Businesses

Companies That Don't Understand Engineers Don't Respect Engineers 371

Posted by Soulskill
from the if-you-aren't-part-of-the-solution,-you're-part-of-the-preciptate dept.
An anonymous reader writes Following up on a recent experiment into the status of software engineers versus managers, Jon Evans writes that the easiest way to find out which companies don't respect their engineers is to learn which companies simply don't understand them. "Engineers are treated as less-than-equal because we are often viewed as idiot savants. We may speak the magic language of machines, the thinking goes, but we aren't business people, so we aren't qualified to make the most important decisions. ... Whereas in fact any engineer worth her salt will tell you that she makes business decisions daily–albeit on the micro not macro level–because she has to in order to get the job done. Exactly how long should this database field be? And of what datatype? How and where should it be validated? How do we handle all of the edge cases? These are in fact business decisions, and we make them, because we're at the proverbial coal face, and it would take forever to run every single one of them by the product people and sometimes they wouldn't even understand the technical factors involved. ... It might have made some sense to treat them as separate-but-slightly-inferior when technology was not at the heart of almost every business, but not any more."

A freelance is one who gets paid by the word -- per piece or perhaps. -- Robert Benchley

Working...