An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that it you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that it exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)
An anonymous reader writes "I've recently been charged with updating our existing serial console access tools. We have 12 racks of servers each with a console server in it (OpenGear, ACS, and a few others). Several of these systems host virtual machines which are also configured to have 'serial' management (KVM, virt serial). In total it comes to about 600 'systems.' All the systems also have remote power management (various vendors). Right now our team has a set of home grown scripts and a cobbled together database for keeping this all together. Today any admin can simply ssh into the master, run 'manage hostname console' and automatically get a serial console or run 'manage hostname power off' to cut the power to a system. I'd rather use some tools with more of a community than just the 4 of us. What tool(s) should I move my group onto for remote serial/power management?"
New submitter BitVulture writes "The hardcore Bitcoin community is abuzz with news of the closure of Inputs.io, a supposedly secure online Bitcoin wallet, after an attack resulted in the loss of 4100 Bitcoins. A PGP-signed message at the home page of the now mostly non-operational site briefly explains the situation: 'Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.' There's no word yet whether Inputs.io will eventually resume operations or whether the security breach will force the Bitcoin bank out of business."
An anonymous reader writes "Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses vulnerabilities they find. The minimum bounty for hacking any component of the Internet is $5,000."
An anonymous reader writes "Paedophiles may escape detection because highly-classified material about Britain's surveillance capabilities have been published by the Guardian newspaper, the UK government has claimed. A senior Whitehall official said data stolen by Edward Snowden, a former contractor to the US National Security Agency, could be exploited by child abusers and other cyber criminals. It could also put lives at risk by disclosing secrets to terrorists, insurgents and hostile foreign governments, he said."
wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."
ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."
rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."
tsu doh nimh writes "A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection between recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database."
New submitter bmurray7 writes "You might think that the country that has the fastest average home internet speeds would be a first adapter of modern browsers. Instead, as the Washington Post reports, a payment processing security standard forces most South Koreans to rely upon Internet Explorer for online shopping. Since the standard uses a unique encryption algorithm, an ActiveX control is required to complete online purchases. As a result, many internet users are in the habit of approving all AtivceX control prompts, potentially exposing them to malware."
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
onehitwonder writes "In short, they build it themselves. When Tesla Motors needed to improve the back-end software that runs its business, CEO Elon Musk decided not to upgrade the company's SAP system. Instead, he told his CIO, Jay Vijayan, to have the IT organization build a new back-end system, according to The Wall Street Journal. The company's team of 25 software engineers developed the new system in about four months, and it provided the company with speed and agility at a time when it was experiencing costly delivery delays on its all-electric Model S."
rtoz writes "For handling the future unreliable chips, a research group at MIT's Computer Science and Artificial Intelligence Laboratory has developed a new programming framework that enables software developers to specify when errors may be tolerable. The system then calculates the probability that the software will perform as it's intended. As transistors get smaller, they also become less reliable. This reliability won't be a major issue in some cases. For example, if few pixels in each frame of a high-definition video are improperly decoded, viewers probably won't notice — but relaxing the requirement of perfect decoding could yield gains in speed or energy efficiency."
wjcofkc writes "In the turbulent wake of the international uproar spurred by his leaked documents, Mr. Snowden published a letter over the weekend in Der Spiegel titled, "A Manifesto for the Truth". In the letter, Mr. Snowden reflects on the consequences of the information released so far, and their effect on exposing the extent and obscenity of international and domestic surveillance, while continuing to call out the NSA and GCHQ as the worst offenders. He further discusses how the debate should move forward, the intimidation of journalists, and the criminalization of the truth saying, 'Citizens have to fight suppression of information on matters of vital public importance. To tell the truth is not a crime.'"
An anonymous reader writes "Linus Torvalds announced the Linux 3.12 kernel release with a large number of improvements through many subsystems including new EXT4 file-system features, AMD Berlin APU support, a major CPUfreq governor improvement yielding impressive performance boosts for certain hardware/workloads, new drivers, and continued bug-fixing. Linus also took the opportunity to share possible plans for Linux 4.0. He's thinking of tagging Linux 4.0 following the Linux 3.19 release in about one year and is also considering the idea of Linux 4.0 being a release cycle with nothing but bug-fixes. Does Linux really need an entire two-month release cycle with nothing but bug-fixing? It's still to be decided by the kernel developers."
MojoKid writes "Microsoft has several valid reasons why you should upgrade to Windows 8.1, which is free if you already own Windows 8. However, there's a known issue that might give some gamers pause before clicking through in the Windows Store. There have been complaints of mouse problems after applying the Windows 8.1 update, most of which have been related to lag in video games, though Microsoft confirmed there are other potential quirks. Acknowledging the problem, Microsoft says it's also actively investigating the issues and working on a patch."
An anonymous reader writes "Intel shipped open-source Broadwell graphics driver support for Linux this weekend. While building upon the existing Intel Linux GPU driver, the kernel driver changes are significant in size for Broadwell. Code comments from Intel indicate that these processors shipping in 2014 will have "some of the biggest changes we've seen on the execution and memory management side of the GPU" and "dwarf any other silicon iteration during my tenure, and certainly can compete with the likes of the gen3->gen4 changes." Come next year, Intel may now be able to better take on AMD and NVIDIA discrete graphics solutions."
First time accepted submitter renzema writes "I'm looking for a way to do near-site backups — backups that are not on my physical property, but with a hard drive still accessible should I need to do a restore (let's face it — this is where cloud backup services are really weak — 1 TB at 3-4mb downloads just doesn't cut it). I've tried crashplan, but that requires that someone has a computer on all the time and they don't ship hard drives to Sweden. What I want is to be able to back up my Windows and Mac to both a local disk and to a disk that I own that is not on site. I don't want a computer running 24x7 to support this — just a router or NAS. I would even be happy with a local disk that is somehow mirrored to a remote location. I haven't found anything out there that makes this simple. Any ideas?" What, besides "walk over a disk once in a while," would you advise?
codeusirae writes "RAF pilots were left 'blinded' by a barrage of images while flying at speeds of over 1,000 mph when a number of technical glitches hit their high-tech helmets. The visors were supposed to provide the fighter pilots with complete vision and awareness, but problems with the display produced a blurring known as 'green-glow,' meaning they were unable to see clearly.The green glow occurred when a mass of information was displayed on the helmet-mounted display systems, including radar pictures and images from cameras mounted around the aircraft."
An anonymous reader writes "Despite what we hear about how much the U.S. government is struggling with a website, it is reassuring that most of government entities can update their websites within a day after they are asked to. This conclusion is the result of research done by the Networking Systems Laboratory at the Computer Science Department of the University of Houston. The research team tracked government websites and their update times, and found that 96% of the websites were updated within 24 hours after President Obama signed HR 2775 into law, ending the Government shutdown. Worth noting that two websites took 8 days to update. It is interesting that the team was able to use the shutdown as an opportunity to study the efficiency of the IT departments of various parts of Government."
An anonymous reader writes "Almost three years ago, I started looking for a cloud storage service. Encryption and the "zero-knowledge" concept were not concerns. Frankly, after two weeks testing services, it boiled down to one service I used for almost 2 years. It was perfect — in the technical sense — because it simply works as advertised and is one of the cheapest for 500GB. But this year, I decided changing that service for another one, that would encrypt my files before leaving my machine. Some of these services call themselves 'zero-knowledge' services, because (as they claim) clear text does not leave your host: they only receive encrypted data — keys or passwords are not sent. I did all testing I could, with the free bit of their services, and then, chose one of them. After a while, when the load got higher (more files, more folders, more GB...), my horror story began. I started experiencing sync problems of all sorts. In fact, I have paid for and tested another service and both had the same issues with sync. Worse, one of them could not even handle restoring files correctly. I had to restore from my local backup more than once and I ended up losing files for real. In your experience, which service (or services) are really able to handle more than a hundred files, in sync within 5+ hosts, without messing up (deleting, renaming, duplicating) files and folders?"
New submitter codeusirae writes "An initial round of criticism focused on how many files the browser was being forced to download just to access the site, per an article at Reuters. A thread at Reddit appeared and was filled with analyses of the code. But closer looks by others have teased out deeper, more systematic issues."
jones_supa writes "Edward Snowden papers unmask that the German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain's GCHQ eavesdropping agency. The bulk monitoring is carried out through direct taps into fibre optic cables and the development of covert relationships with telecommunications companies. A loose but growing eavesdropping alliance has allowed intelligence agencies from one country to cultivate ties with corporations from another to facilitate the trawling of the web. The files also make clear that GCHQ played a leading role in advising its European counterparts how to work around national laws intended to restrict the surveillance power of intelligence agencies."
sfcrazy writes "CyanogenMod team has announced the release of version 10.2 M1, just after the release of Android 4.4 aka Kit Kat. In a post the team says, "With all the Android 4.4 hype, we haven't forgotten about CM 10.2. Tonight the buildbots will focus their efforts on building and shipping out CyanogenMod 10.2 M1. Builds are already hitting the servers (please be patient, this will take a while). We are targeting over 70 devices for this initial M-release.""
N8F8 writes "Like many IT professionals, I provide a lot of free help desk-type support to friends and family. I've decided to expand my support work and create a site where veterans can receive free computer help. I'm using OSTicket for the ticket reporting. What I really need is an easy to use desktop-sharing system. In the past I've used TeamViewer because it is easy to use, but it is not really free for non-personal use. Recently I switched to Meraki Systems Manager because it is free — and it uses VNC — but unfortunately it isn't intended for the one-time-use type support I'll be offering. So I'm looking for a reliable, open source, easy to use desktop-sharing solution that I can set up on my site for people to join one-time-use help desk sessions."
An anonymous reader writes "The release of OpenBSD 5.4 has been announced. New and notable advancements include new or extended platforms like octeon and beagle, moving VAX to ELF format, improved hardware support including Kernel Mode Setting (KMS), overhauled inteldrm(4), experimental support for fuse(4), reworked checksum handling for network protocols, OpenSMTPD 5.3.3, OpenSSH 6.3, over 7,800 ports, and many other improvements and additions."
netbuzz writes "On Nov. 2, 1988, mainstream America learned for the first time that computers get viruses, too, as the now notorious "Morris worm" made front-page headlines after first making life miserable for IT professionals. A PBS television news report about the worm offers a telling look at how computer viruses were perceived (or not) at the time. 'Life in the modern world has a new anxiety today,' says the news anchor. 'Just as we've become totally dependent on our computers they're being stalked by saboteurs, saboteurs who create computer viruses.'"
Daniel_Stuckey writes "The group, called UnSystem, are self-proclaimed crypto-anarchists led by Cody Wilson—who you may remember as the creator of the controversial 3D-printed gun. After getting himself in hot water with the government for making the digital files to print an unregulated weapon freely available on the internet, Wilson's now endeavoring to bring Bitcoin back to its anarchist roots. Like other Bitcoin wallets, you'll be able to store, send, and receive coins, and interact with block chain, the Bitcoin public ledger. But Dark Wallet will include extra protections to make sure transactions are secure, anonymous, and hard to trace—including a protocol called "trustless mixing" that combines users' coins together before encoding it into the ledger."
Hugh Pickens DOT Com writes "Dan Goodwin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused and he also found that the machine could delete data and undo configuration changes with no prompting. Next a computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"
wjcofkc writes "The United States Government has officially called in the calvary over the problems with Healthcare.gov. Tech titans Oracle, Red Hat and Google have been tapped to join the effort to fix the website that went live a month ago, only to quickly roll over and die. While a tech surge of engineers to fix such a complex problem is arguably not the greatest idea, if you're going to do so, you might as well bring in the big guns. The question is: can they make the end of November deadline?"
szotz writes "Keeping up the pace of Moore's Law is hard, but you wouldn't know it from the way chipmakers name their technology. The semiconductor industry's names for chip generations (Intel's 22nm, TSMC's 28nm, etc) have very little to do with actual physical sizes, says IEEE Spectrum. And the disconnect is only getting bigger. For the first time, the "pay us to make your chip" foundries are offering a new process (with a smaller-sounding name) that will produce chips that are no denser than their forbears. The move is not a popular one."
itwbennett writes "This brings to mind an earlier Slashdot discussion about whether we've hit the limit on screen resolution improvements on handheld devices. But this time, the question revolves around ever-faster graphics processing units (GPUs) and the resolution limits of desktop monitors. ITworld's Andy Patrizio frames the problem like this: 'Desktop monitors (I'm not talking laptops except for the high-end laptops) tend to vary in size from 20 to 24 inches for mainstream/standard monitors, and 27 to 30 inches for the high end. One thing they all have in common is the resolution. They have pretty much standardized on 1920x1080. That's because 1920x1080 is the resolution for HDTV, and it fits 20 to 24-inch monitors well. Here's the thing: at that resolution, these new GPUs are so powerful you get no major, appreciable gain over the older generation.' Or as Chris Angelini, editorial director for Tom's Hardware Guide, put it, 'The current high-end of GPUs gives you as much as you'd need for an enjoyable experience. Beyond that and it's not like you will get nothing, it's just that you will notice less benefit.'"
An anonymous reader writes "Do you think an airgap can protect your computer? Maybe not. According to this story at Ars Technica, security consultant Dragos Ruiu is battling malware that communicates with infected computers using computer microphones and speakers." That sounds nuts, but it is a time-tested method of data transfer, after all.
First time accepted submitter taxtropel was one of many readers to note that Google has officially released its newest version of Android. taxtropel extracts from the announcement: "Today we are announcing Android 4.4 KitKat, a new version of Android that brings great new features for users and developers. The very first device to run Android 4.4 is the new Nexus 5, available today on Google Play, and coming soon to other retail outlets. We'll also be rolling out the Android 4.4 update worldwide in the next few weeks to all Nexus 4, Nexus 7, and Nexus 10 devices, as well as the Samsung Galaxy S4 and HTC One Google Play Edition devices." Reader SmartAboutThings adds: "Almost all of the features that the Nexus 5 comes with are not a surprise, since they were heavily leaked before. Still, for those that have obediently waited this day, here are some of its most important specs: 2.2Ghz quad-core Snapdragon 800 and 2GB of RAM, 4.95-inch 1080p display, Wireless charging, 2,300 mAh battery, LTE, Bluetooth 4.0, 802.11ac WiFi and NFC; Gorilla Glass 3, Front 1.3-megapixel camera and 8-megapixel sensor on the back with optical image stabilization (OIS)."
An anonymous reader writes "Google today announced Chrome is getting an automatic download blocking feature for malware. Google has already added the new functionality to the latest build of Chrome Canary. All versions of Chrome will soon automatically block downloads and let you know in a message at the bottom of your screen. You will be able to "Dismiss" the message, although it's not clear if you will be able to stop or revert the block."
itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."
Nerval's Lobster writes "Government whistleblower Edward Snowden, exiled in Russia after releasing top-secret documents about the National Security Agency's surveillance activities to the press, has a new job: tech support. Snowden's lawyer, Anatoly Kucherena, told the Associated Press that his client starts work Nov. 1 for a "major" Russian Website, which he declined to name. In June, Snowden—a former CIA employee who worked as a contractor for the NSA—began feeding an enormous pile of classified charts and documents about federal surveillance programs to The Guardian and other newspapers. Many of those documents suggested that the NSA, ordinarily tasked with intercepting communications from terrorists and foreign governments, collects massive amounts of information on ordinary Americans, which in turn ignited a firestorm of controversy. The Snowden revelations have continued into this week, with The Washington Post reporting that the NSA has aggressively targeted Google and Yahoo servers. Snowden's documents suggest that the agency has figured out how to tap the links connecting the two tech giants' datacenters to the broader Web. Google told the Post that it was "troubled" by the report. A Yahoo spokesperson insisted that the company had "strict controls in place to protect the security of our datacenters" and that "we have not given access to our data centers to the NSA or to any other government agency.""
angry tapir writes "Two privacy-focused email providers have launched the Dark Mail Alliance, a project to engineer an email system with robust defenses against spying. Silent Circle and Lavabit abruptly halted their encrypted email services in August, saying they could no longer guarantee email would remain private after court actions against Lavabit, reportedly an email provider for NSA leaker Edward Snowden."
dinscott writes "During Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."
MojoKid writes "Rumors around the what and when of Google's upcoming Nexus 5 smartphone have been plentiful, and ahead of the supposed release date on Halloween, a benchmark score for the handset has slipped out from Rightware, and it's downright impressive. According to Rightware's Power Board, the Nexus 5 delivered the second-highest Benchmark X gaming score among smartphones, behind only the iPhone 5S, making it the most powerful Android-based handset in the land. The LG-made phone shares a GPU (the Adreno 330) with the third-place Sharp Aquos SHL23 but bested the latter handset with a score of 14.27 to 13.10. A leaked user manual revealed that the Nexus 5 will boast a full HD 4.95-inch display, Snapdragon 800 processor (2.3GHz), 2GB of RAM, 16GB or 32GB of onboard storage, and 8MP rear-facing and 1.3MP front-facing cameras."
stry_cat writes "Ed Bot makes the case against Gmail: 'Gmail was a breath of fresh air when it debuted. But this onetime alternative is showing signs that it's past its prime, especially if you want to use the service with a third-party client. That's the way Google wants it, which is why I've given up on Gmail after almost a decade.' Personally, I've always thought it odd that no other email provider ever adopted Gmails "search not sort" mentality. I've been a Gmail user since you needed an invitation to get an account. However Gmail has been steadily moving towards a more traditional email experience. Plus there's the iGoogle disaster that got me looking into alternatives to everything Google."
barlevg writes "The Washington Post reports that, according to documents obtained from Edward Snowden, through their so-called 'MUSCULAR' initiative, the National Security Agency has exploited a weakness in the transfers between data centers, which Google and others pay a premium to send over secure fiber optic cables. The leaked documents include a post-it note as part of an internal NSA Powerpoint presentation showing a diagram of Google network traffic, an arrow pointing to the Google front-end server with text reading, 'SSL Added and Removed Here' with a smiley face. When shown the sketch by The Post and asked for comment, two engineers with close ties to Google responded with strings of profanity." The Washington Post report is also summarized at SlashBI. Also in can't-trust-the-government-not-to-spy news, an anonymous reader writes: "According to recent reports, the National Security Agency collects 'one-end foreign' Internet metadata as it passes through the United States. The notion is that purely domestic communications should receive greater protection, and that ordinary Americans won't send much personal information outside the country. A researcher at Stanford put this hypothesis to the test... and found that popular U.S. websites routinely pass browsing activity to international servers. Even the House of Representatives website was sending traffic to London. When the NSA vacuums up international Internet metadata, then, it's also snooping on domestic web browsing by millions of Americans."
Trailrunner7 writes "If espionage is the world's second-oldest profession, counterfeiting may be in the running to be third on that list. People have been trying to forge currency for just about as long as currency has been circulating, and anti-counterfeiting methods have tried to keep pace with the state of the art. The anti-counterfeiting technology in use today of course relies on computers and software, and like all software, it has bugs, as researchers at IOActive discovered when they reverse-engineered the firmware in a popular Euro currency verifier and found that they could insert their own firmware and force the machine to verify any piece of paper as a valid Euro note. 'The impact is obvious. An attacker with temporary physical access to the device could install customized firmware and cause the device to accept counterfeit money. Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible.'"
mask.of.sanity writes "Researchers have demonstrated how controller area networks in cars can make vehicles appear to drive slower than their actual speed, manipulate brakes, wind back odometers and set off all kinds of alarms and lights from random fuzzing (video). The network weaknesses stem from a lack of authentication which they say is absent to improve performance. The researchers have also built a $25 open-source fuzzing tool to help others enter the field."
jfruh writes "Most day-to-day programmers have only a general idea of how compilers transform human-readable code into the machine language that actually powers computers. In an attempt to streamline applications, many compilers actually remove code that it perceives to be undefined or unstable — and, as a research group at MIT has found, in doing so can make applications less secure. The good news is the researchers have developed a model and a static checker for identifying unstable code. Their checker is called STACK, and it currently works for checking C/C++ code. The idea is that it will warn programmers about unstable code in their applications, so they can fix it, rather than have the compiler simply leave it out. They also hope it will encourage compiler writers to rethink how they can optimize code in more secure ways. STACK was run against a number of systems written in C/C++ and it found 160 new bugs in the systems tested, including the Linux kernel (32 bugs found), Mozilla (3), Postgres (9) and Python (5). They also found that, of the 8,575 packages in the Debian Wheezy archive that contained C/C++ code, STACK detected at least one instance of unstable code in 3,471 of them, which, as the researchers write (PDF), 'suggests that unstable code is a widespread problem.'"
McGruber writes "The U.S. government fined Infosys $35 million after an investigation by the Department of Homeland Security and the State Department found that the Indian company used inexpensive, easy-to-obtain B-1 visas meant to cover short business visits — instead of harder-to-get H-1B work visas — to bring an unknown number of its employees for long-term stays. The alleged practice enabled Infosys to undercut competitors in bids for programming, accounting and other work performed for clients, according to people close to the investigation. Infosys clients have included Goldman Sachs Group, Wal-Mart Stores Inc. and Cisco Systems Inc. Infosys said in an email that it is talking with the U.S. Attorney's office, 'regarding a civil resolution of the government's investigation into the company's compliance' with employment-record 'I-9 form' requirements and past use of the B-1 visa. A company spokesman, who confirmed a resolution will be announced Wednesday, said Infosys had set aside $35 million to settle the case and cover legal costs. He said the sum was 'a good indication' of the amount involved."
rjmarvin writes "Adobe's investigation into the massive data breach they were hit with this past August has revealed that over 38 million active users, not to mention inactive accounts, had their user IDs and passwords pilfered by hackers. An Adobe spokesperson confirmed the number, along with the theft of Adobe Photoshop source code. The initial report earlier this month put the extent of the breach at only 3 million credit card accounts, plus stolen Adobe Acrobat, Reader and ColdFusion source code."
An anonymous reader writes "Mozilla today officially launched Firefox 25 for Windows, Mac, Linux, and Android. Additions include Web Audio API support, as well as guest browsing and mixed content blocking on Android. Firefox 25 can be downloaded from Firefox.com and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. The release notes are here: desktop, mobile."
A year ago today, Superstorm Sandy struck the northeastern U.S. The storm destroyed homes — in some cases entire neighborhoods — and brought unprecedented disruptions to the New York City area's infrastructure, interrupting transportation, communications, and power delivery. It even damaged a Space Shuttle. In the time since, the U.S. hasn't faced a storm with Sandy's combination of power and placement, but businesses have had some time to rethink how much trust they can put in even seemingly impregnable data centers and other bulwarks of modernity: a big enough storm can knock down nearly anything. Today, parts of western Europe are recovering from a major storm as well: more than a dozen people were killed as the predicted "storm of the century" hit London, Amsterdam, and other cities on Sunday and Monday. In Amsterdam, the city's transportation system took a major hit; some passengers had to shelter in place in stopped subway cars while the storm passed. Are you (or your employer) doing anything different in the post-Sandy era, when it comes to preparedness to keep people, data, and equipment safe?