Government

Voting System Test Hack Elects Futurama's Bender To School Board

mr crypto writes with this quote from El Reg: "In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election. 'It was too good an opportunity to pass up,' explained Professor Alex Halderman from the University of Michigan. 'How often do you get the chance to hack a government network without the possibility of going to jail?' With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory (PDF) on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. ... The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board."
Electronic Frontier Foundation

Why is the EFF at the RSA Security Conference? (Video)

Timothy asked Electronic Frontier Foundation (EFF) International Outreach Coordinator Maira Sutton that very question. Watch the video for her answer. It turns out that the EFF has lots of friends among RSA ("the most comprehensive forum in information security") attendees, and has some very good reasons to be there, in the midst of companies and government agencies that Timothy thinks might not only violate your privacy once in a while, but (gasp!) might even enjoy it.
Android

NSA Publishes Blueprint For Top Secret Android Phone

mask.of.sanity writes "The National Security Agency has designed a super-secure Android phone from commercial parts, and released the blueprints (PDF) to the public. The doubly-encrypted phone, dubbed Fishbowl, was designed to be secure enough to handle top secret phone calls yet be as easy to use and cheap to build as commercial handsets. One hundred US government staff are using the phones under a pilot which is part of a wider project to redesign communication platforms used in classified conversations."
China

US, China Face Mutually Assured Destruction In Cyberwar

chicksdaddy writes with a tidbit from the RSA conference. From the article: "A panel of security and policy experts speaking at the RSA Conference in San Francisco on Wednesday said that, despite dire warnings about the information warfare capabilities of China and other developing nations, the risk of an all-out cyberwar is remote, and that the U.S. still holds many of the cards. Rather than trying to deliver a knock-out cyberwar capability, the U.S. should embrace the Cold War notions of containment and mutually assured destruction with advanced nations like China and Russia. Tried and true methods to win security from cyberattacks include international diplomacy, multilateral agreements that clarify the parameters for peaceful and hostile cyberactions and — of course — a strong offensive capability."
ISS

Stolen NASA Laptop Had Space Station Control Code

astroengine writes "NASA had 5,408 computer security lapses in 2010 and 2011, including the March 2011 loss of a laptop computer that contained algorithms used to command and control the International Space Station, the agency's inspector general told Congress Wednesday. According to his statement (PDF), 'These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.'"
Security

Stealthy Pen Test Unit Plugs Directly Into 110 VAC Socket (Video)

Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices. Their website says, 'Our initial hardware offering, the Pwn Plug, is the first-to-market commercial penetration testing drop box platform. This low-cost plug-and-play device is designed for remote security testing of corporate facilities, including branch offices and retail locations. A security professional or service provider can ship this device to a corporate facility and conduct a security test over the Internet without travel expenses.' Hardware buffs will recognize this unit as a SheevaPlug, but the value-add is that it's preloaded with Ubuntu Linux and a rich suite of intrusion/testing tools. The company's 'Founder and CEO and everything else' is Dave Porcello. The video is an interview with Dave, in which he shows off and demonstrates some Pwnie Express products.
Google

Google Privacy Policy Could Violate EU Law

judgecorp writes "Google's new unified privacy policy could violate EU law, according to objections. The French data regulator warns that the policy will infringe users' privacy by building a single online profile. Commission Nationale de L’informatique et Des Libertes (CNIL) has expressed “deep concerns” about the policy and its adherence to the European Data Protection Directive."
Government

Wikileaks and Anonymous Join Forces Against US Intelligence Community

pigrabbitbear writes "The most recent bombshell of confidential documents dropped by infamous watchdog organization Wikileaks is already looking to have an enormous impact on our understanding of government security practices. Specifically, intimate details on the long-suspected fact that the U.S. has been paying a whole lot of money to have private corporations spy on citizens, activists and other groups and individuals on their ever-expanding, McCarthy-style naughty list. But perhaps more importantly, the docs demonstrate something very interesting about the nature of U.S. government intelligence: They haven't really got much of it."
Privacy

EFF's HTTPS Everywhere Detects and Warns About Cryptographic Vulnerabilities

Peter Eckersley writes "EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to their Observatory database, allowing them to detect attacks against the web's cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device that has a weak private key due to recently discovered random number generator bugs."
IT

Vendors Take Blame For Most Data Center Incidents

dcblogs writes "External forces who work on the customer's data center or supply equipment to it, including manufacturers, vendors, factory representatives, installers, integrators, and other third parties were responsible for 50% to 60% of abnormal incidents reported in a data center, according to Uptime Institute, which has been collecting data since 1994. Over the last three years, Uptime found that 34% of the abnormal incidents in 2009 were attributed to operations staff, followed by 41% in 2010, and 40% last year. Some 5% to 8% of the incidents each year were tied to things like sabotage, outside fires, and other tenants in a shared facility. But when an abnormal incident leads to a major outage that causes a data center failure, internal staff gets the majority of blame. 'It's the design, manufacturing, installation processes that leave banana peels behind and the operators who slip and fall on them,' said Hank Seader, managing principal research and education at Uptime."
Security

Torvalds Calls OpenSUSE Security 'Too Intrusive'

jfruh writes "The balance between security and ease of use is always a tricky one to strike, and Linux distros tend to err on the side of caution. But no less a luminary than Linus Torvalds thinks openSUSE has gone too far. When his kid needed to call from school for the root password just so he could add a printer to a laptop, that's when Linus decided things had gone off the rails."
GNOME

GNOME 3.4 Preview

A couple of days ago, GNOME released the first beta of version 3.4. Designer Allan Day has posted a tour of the major interface changes. Some of them seem good (everything looks shiny and clean), but some of them seem questionable. The big thing to take from this release cycle appears to be improvements to the underlying technology that might help other window managers take advantage of the GNOME 3 infrastructure (leading to a world where hackers, tablet users, and grandma can all get along).

Network

What The DHS Is Looking For In Your Posts

New submitter lister king of smeg writes "As we all know, The Department of Homeland Security monitors social networks, in an attempt to expose 'Items Of Interest.' As it turns out, many terms including seemingly benign words such as flu, agent, response, cops, drill, etc. are on the list of words that set off warning bells for the government spooks. Many of the terms make sense ..., but there are some real stupid ones on the list too, like 'social network' ... [according to a] list of key words provided to a DHS contractor that were released by EPIC."
IT

Ask Slashdot: Best Practices For Leaving an IT Admin Position?

An anonymous reader writes "I've been the server admin at a university for the past five years. Recently, I was given the chance to move from servers to networking, and I jumped at it. I now find myself typing up all my open-ended projects, removing certain scripts and stopping others. What would the community recommend as best practices for passing on administration of some servers? I am trying to avoid a phone call that results in me having to remote in, explain something, jog to the other side of campus to access the machine, etc. Essentially, I'm trying to cover all my bases so any excuse my replacement has to call me is seen as nothing but laziness or incompetence. I am required to give him a day of training to show him where everything is on the servers (web and database), and during that day I'm going to have him change all the passwords. But aside from locking myself out and knowing what is where, what else should I be doing?"
Chrome

Google Offers $1 Million For Chrome Exploits

PatPending writes with news that Google will be offering up to $1 million for the discovery of new exploits in their Chrome browser. This comes as part of the CanSecWest security conference, and the rewards will be broken down into categories: $60,000 for an exploit using only Chrome bugs, $40,000 for an exploit using a Chrome bug in conjunction with other bugs, and $20,000 for exploits that affect Chrome (and other browsers) but are due to bugs in other software, like Flash, Windows, or drivers. Google had originally planned to offer rewards through the Pwn2Own competition, but they were concerned by the contest rules: "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. ... We guarantee to send non-Chrome bugs to the appropriate vendor immediately."
Cloud

Harris Exits Cloud Hosting, Citing Fed Server Hugging

miller60 writes "Despite the publicity around the U.S. Government's 'Cloud First' approach to IT, many agencies are reluctant to shift mission critical assets to third-party facilities. That's the analysis from Harris Corp., which has decided to get out of the cloud hosting business and sell a data center in Virginia, just two years after it spent $200 million to build and equip it. 'It's becoming clear that customers, both government and commercial, currently have a preference for on-premise versus off-premise solutions,' said Harris' CEO."
Security

Vatican Attack Provides Insight Into Anonymous

Hugh Pickens writes "John Markoff writes that an unsuccessful campaign against the Vatican by Anonymous, which did not receive wide attention at the time, provides a rare glimpse into the recruiting, reconnaissance, and warfare tactics used by the shadowy hacking collective and may be the first end-to-end record of a full Anonymous attack. The attack, called Operation Pharisee in a reference to the sect that Jesus called hypocrites, was initially organized by hackers in South America and Mexico and was designed to disrupt Pope Benedict XVI's visit to Madrid in August 2011 for World Youth Day and draw attention to child sexual abuse by priests. First the hackers spent weeks spreading their message through their own website and social sites like Twitter and Flickr, calling on volunteers to download free attack software and imploring them to 'stop child abuse' by joining the cause. It took the hackers 18 days to recruit enough people, then a core group of roughly a dozen skilled hackers spent three days poking around the church's World Youth Day site looking for common security holes that could let them inside. In this case, the scanning software failed to turn up any gaps, so the hackers turned to a brute-force approach of a distributed denial-of-service. On the first day, the denial-of-service attack resulted in 28 times the normal traffic to the church site, rising to 34 times the next day, but did not crash the site. 'Anonymous is a handful of geniuses surrounded by a legion of idiots,' says Cole Stryker, an author who has researched the movement. 'You have four or five guys who really know what they're doing and are able to pull off some of the more serious hacks, and then thousands of people spreading the word, or turning their computers over to participate in a DDoS attack.'"
Australia

Australia's Telstra Requires Fibre Customers To Use Copper Telephone

daria42 writes "Progress is happening rapidly in Australia, with the country's government continuing to roll out a nation-wide fibre network. However, the country's major telco Telstra doesn't appear to have quite gotten the message. Releasing its first National Broadband Network fibre broadband plans today, the telco stipulated that fibre customers will still be forced to make phone calls over the telco's existing copper network. Yup, that's right — fibre to people's houses, but phone calls over the copper network. Progress."