Government

Cybersecurity Laws Would Do More Harm Than Good 77

Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering." Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau’s top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. 
He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders."
PHP

Malicious PhpMyAdmin Served From SourceForge Mirror 86

An anonymous reader writes with a bit of news about the compromised download of phpMyAdmin discovered on an sf.net mirror yesterday: "A malicious version of the open source Web-based MySQL database administration tool phpMyAdmin has been discovered on one of the official mirror sites of SourceForge, the popular online code repository for free and open source software. The file — phpMyAdmin-3.5.2.2-all-languages.zip — was modified to include a backdoor that allowed attackers to remotely execute PHP code on the server running the malicious version of phpMyAdmin." The SourceForge weblog has details. Someone compromised a mirror (since removed from rotation, of course) around September 22nd. Luckily, only around 400 people grabbed the file before someone caught it.
Bug

Intel CEO Tells Staff Windows 8 Is Being Released Prematurely 269

An anonymous reader writes with this excerpt from Geek.com: "Intel CEO Paul Otellini may be getting an angry phone call from Steve Ballmer today after it was revealed he told staff in Taiwan Windows 8 isn't ready for release. Otellini's comments were made at an internal meeting in Taipei, and he must have naively thought they would never become public knowledge. We don't know if he went into detail about what exactly is unfinished about Windows 8, but others have commented about a lack of reliable driver support and supporting applications. For many who have picked up previous versions of the Windows desktop OS early, this probably isn't coming as a surprise."
Security

FTC And PC Rental Companies Settle In Spying On Users Case 80

A reader writes with news of a settlement in a case of Rent-to-Own firms grossly violating the privacy of their customers. From the article: "Seven rent-to-own companies and a software developer have settled federal charges that they spied on customers, ... The companies captured screenshots of confidential and personal information, logged keystrokes, and took webcam pictures of people in their homes. Their aim was to track the computers belonging to customers who were behind with their payments. 'An agreement to rent a computer doesn't give a company license to access consumers' private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,' says FTC chairman Jon Leibowitz. 'The FTC orders today will put an end to their cyber spying.' Developer DesignerWare produced the software that was used to gather the information, PC Rental Agent. The package included a 'kill switch' designed to disable a computer if it was stolen, or if payments weren't made. However, an add-on program called Detective Mode could log key strokes, capture screen shots and take photographs using a computer's webcam, says the FTC in its complaint (PDF)."
Bug

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE 121

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."
Security

Samsung Smartphones Vulnerable To Remote Wipe Hack 151

DavidGilbert99 writes "Security researchers have discovered a single line of code embedded in websites which could wipe all data from your Samsung Galaxy S3 and other smartphones. Samsung smartphones including the Galaxy S3, Galaxy S2, Galaxy Ace, Galaxy Beam and Galaxy S Advance all appear to be affected by the bug which triggers a factory reset on your phone if your web browser is pointed to a particular website. Smartphones can also be directed to the code through NFC or using a QR code. Once the process has been initiated, users have no way of stopping it. The hack was unveiled at the Ekoparty 2012 security conference in Argentina by Ravi Borgaonkar, a security researcher at the Security in Communications department at Technical University Berlin. ... Only Samsung smartphones running the company's proprietary TouchWiz user interface appear to be affected. According to telecoms engineer Pau Oliva, the Samsung Galaxy Nexus is not affected, as it runs on stock Android and doesn't use the TouchWiz skin on top." Hit the link above for a video demonstration.
Security

Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords 160

First time accepted submitter radudragusin writes "IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available, but I took the liberty to analyse it briefly."
Encryption

Schneier: We Don't Need SHA-3 143

Trailrunner7 writes with this excerpt from Threatpost: "For the last five years, NIST, the government body charged with developing new standards for computer security, among other things, has been searching for a new hash function to replace the aging SHA-2 function. Five years is a long time, but this is the federal government and things move at their own pace in Washington, but NIST soon will be announcing the winner from the five finalists that were chosen last year. Despite the problems that have cropped up with some versions of SHA-2 in the past and the long wait for the new function, there doesn't seem to be much in the way of breathless anticipation for this announcement. So much so, in fact, that Bruce Schneier, a co-author of one of the finalists not only isn't hoping that his entry wins, he's hoping that none of them wins. ... It's not because Schneier doesn't think the finalists are worthy of winning. In fact, he says, they're all good and fast and perfectly capable. The problem is, he doesn't think that the world needs a new hash function standard at all. SHA-512, the stronger version of the SHA-2 function that's been in use for more than a decade, is still holding up fine, Schneier said, which was not what cryptographers anticipated would be the case when the SHA-3 competition was conceived. 'I expect SHA-2 to be still acceptable for the foreseeable future. That's the problem. It's not like AES. Everyone knew that DES was dead — and triple-DES was too slow and clunky — and we needed something new. So when AES appeared, people switched as soon as they could. This will be different,' Schneier said via email."
Security

Ask Slashdot: Actual Best-in-Show For Free Anti Virus? 515

First time accepted submitter paperclipman writes "I'm on the college student budget and want to make sure that my recent investment in an Acer laptop will last me a good long while. I like to think of myself as a reasonably competent CPU user so I'm no adventurous link-clicker, but I do download some music as a recent SoundCloud devotee. My Kaspersky antivirus will be expiring shortly and I don't particularly care to renew with that steep of a fee — any advice from fellow thrifts?"
Microsoft

Did Microsoft Know About the IE Zero-Day Flaw In Advance? 123

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."
Businesses

Apple Reportedly Luring Ex-Google Mappers With Jobs 334

TechCrunch reports that Apple, facing a substantial backlash (and some snarky competitive advertising) over goofs in the mapping software included in iOS 6, is going after the problem with a hiring spree. Here's TechCrunch's lead: "Apple is going after people with experience working on Google Maps to develop its own product, according to a source with connections on both teams. Using recruiters, Apple is pursuing a strategy of luring away Google Maps employees who helped develop the search giant’s product on contract, and many of those individuals seem eager to accept due in part to the opportunity Apple represents to build new product, instead of just doing 'tedious updates' on a largely complete platform." Meanwhile, writes reader EGSonikku "Well known iOS hacker Ryan Petrich has gotten the iOS5 Google Maps application to run on iOS6 using 'a little trickery.' (YouTube demonstration.) He has not released it yet due to crashing issues but states 'it mostly works.'"
Networking

Chattanooga's Municipal Network Doubles Down On Fiber Speeds 165

tetrahedrassface writes "The first city in the U.S. to offer a screaming fast fiber network has now announced customers will get a free 60% boost in speed. If you had the 30 MB/sec service you now will get 50. Mid-range customers get a doubling for free, while the high end consumers of fiber get an average 250% boost. The fiber network recently passed 40,000 members and judging from a test of my business, we are currently over 300 MB/sec." What's the fastest service actually available where you live, and what does it cost?
Education

Gates and Others Offer $150k For Open Source School Software 151

WebMink writes "With an impending deadline for America's schools to satisfy new federal reporting requirements on academic achievement, a new alliance of state educators is creating a system of open source software to help schools gather and submit the data that the rules require. To get the whole thing started, the Gates Foundation and Carnegie are funding two $75,000 awards for the open source developers who create the in-school software. The winners could also become the linchpins of a new industry in academic software."
Upgrades

iOS 6 Adoption Tops 25% After Just 48 Hours 513

An anonymous reader writes "iOS 6 has seen rapid adoption among iPhone and iPad users, reports developer David Smith. Smith's applications like Audiobooks get around 100k downloads weekly and he's taken to mapping the adoption of Apple's software releases over the last couple of years. This update's data shows a 35.4% adoption of iOS 6, with iOS 5.x holding court at 71.5% adoption. That's a pretty rapid pace, eclipsing Android Jelly Bean's 2-month adoption levels of 1.2% easily."
Privacy

W3C Group Proposed To Safeguard User Agent State Privacy 76

First time accepted submitter FredAndrews writes "A Private User Agent W3C Community Group has been proposed to tackle the privacy of the web browser by developing technical solutions to close the leaks. Current Javascript APIs are capable of leaking a lot of information as we browse the Internet, such as details of our browser that can be used to identify and track our online presence, and the content on the page (including any private customizations and the effects of extensions), and can monitor and leak our usage on the page such as mouse movements and interactions on the page. This problem is compounded by the increased use of the web browser as a platform for delivering software. While the community ignores the issue, solutions are being developed commercially and patented — we run the risk of ending up unable to have privacy because the solutions are patented. The proposed W3C PUA CG proposes to address the problem with technical solutions at the web browser, such as restricting the back channels available to Javascript, and also by proposing HTML extensions to mitigate lost functionality. Note, this work cannot address the privacy of information that we overtly share, and there are other current W3C initiatives working on this, such as DNT."
Microsoft

Hotmail No Longer Accepts Long Passwords, Shortens Them For You 497

An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
Security

Iran Behind Cyber Attacks On U.S. Banks 306

New submitter who_stole_my_kidneys writes "Evidence suggests the Iranian government is behind cyberattacks this week that have targeted the websites of JPMorgan Chase and Bank of America. The attacks are described by one source, a former U.S. official, as being 'significant and ongoing,' and looking to cause 'functional and significant damage.' Another source suggested the attacks were in response to U.S. sanctions on Iranian banks."
Security

Meet Two Security Researchers Apple Hates (Video) 146

This video is a half-hour speech given by Dino Dai Zovi and Charlie Miller, two people Apple corporately hates because of their success in finding security holes in Apple operating systems and software. Both Charlie and Dino have been mentioned on Slashdot before and probably will be again. This is a chance to see how they sound and look in person, talking to a small "by invitation only" group. They have a book to push, too: The iOS Hacker's Handbook. (Please note that this book is supposed to help you secure iOS and iOS apps, not exploit security holes in them.)
Security

Another EUSecWest NFC Trick: Ride the Subway For Free 135

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."
Cellphones

6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks 80

An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.
