An anonymous reader writes "In an email to the HTTP working group, Mark Nottingham laid out the three top proposals about how HTTP 2.0 will handle encryption. The frontrunner right now is this: 'HTTP/2 to only be used with https:// URIs on the "open" Internet. http:// URIs would continue to use HTTP/1.' This isn't set in stone yet, but Nottingham said they will 'discuss formalising this with suitable requirements to encourage interoperability.' There appears to be support from browser vendors; he says they have been 'among those most strongly advocating more use of encryption.' The big goal here is to increase the use of encryption on the open web. One big point in favor of this plan is that if it doesn't work well (i.e., if adoption is poor), then they can add support for opportunistic encryption later. Going from opportunistic to mandatory encryption would be a much harder task. Nottingham adds, 'To be clear — we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption. However, for the common case — browsing the open Web — you'll need to use https:// URIs and if you want to use the newest version of HTTP.'"
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's now on IFTTT. Check it out! Check out the new SourceForge HTML5 Internet speed test! ×
An anonymous reader writes "FireEye researchers have linked eleven distinct APT cyber espionage campaigns previously believed to be unrelated (PDF), leading them to believe that there is a shared operation that supplies and maintains malware tools and weapons used in them. The eleven campaigns they tied together were detected between July 2011 and September 2013, but it's possible and very likely that some of them were active even before then. Despite using varying techniques, tactics, and procedures, the campaigns all leveraged a common development infrastructure, and shared — in various combinations — the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates."
Trailrunner7 writes "The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm. RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications. The company also said that as of January 2016 it will no longer will validate any code signing or root certificate that uses SHA-1."
wiredmikey writes "According to a recent survey of malware analysts at U.S. enterprises, 40% of the time a device used by a member the senior leadership team became infected with malware was due to executives visiting a pornographic website. The study, from ThreatTrack Security, also found that nearly six in 10 of the malware analysts have investigated or addressed a data breach that was never disclosed by their company. When asked to identify the most difficult aspects of defending their companies' networks from advanced malware, 67% said the complexity of malware is a chief factor; 67% said the volume of malware attacks; and 58% cited the ineffectiveness of anti-malware solutions."
MojoKid writes "At APU13 today, AMD announced a full suite of new products and development tools as part of its push to improve HSA development. One of the most significant announcements to come out the sessions today-- albeit in a tacit, indirect fashion, is that Kaveri is going to pack a full 512 GPU cores. There's not much new to see on the CPU side of things — like Richland/Trinity, Steamroller is a pair of CPU modules with two cores per module. AMD also isn't talking about clock speeds yet, but the estimated 862 GFLOPS that the company is claiming for Kaveri points to GPU clock speeds between 700 — 800MHz. With 512 cores, Kaveri picks up a 33% boost over its predecessors, but memory bandwidth will be essential for the GPU to reach peak performance. For performance, AMD showed Kaveri up against the Intel 4770K running a low-end GeForce GT 630. In the intro scene to BF4's single-player campaign (1920x1080, Medium Details), the AMD Kaveri system (with no discrete GPU) consistently pushed frame rates in the 28-40 FPS range. The Intel system, in contrast, couldn't manage 15 FPS. Performance on that system was solidly in the 12-14 FPS range — meaning AMD is pulling 2x the frame rate, if not more."
jeditobe writes with a link to a talk (video recorded, with transcript) about a project we've been posting about for years: ambitious Windows-replacement ReactOS: "In this talk, Alex Ionescu, lead kernel developer for the ReactOS project since 2004 (and recently returning after a long hiatus) will talk about the project's current state, having just passed revision 60000 in the SVN repository. Alex will also cover some of the project's goals, the development and testing methodology being such a massive undertaking (an open source project to reimplement all of Windows from scratch!), partnership with other open source projects (MinGW, Wine, Haiku, etc...). Alex will talk both about the infrastructure side about running such a massive OS project (but without Linux's corporate resources), as well as the day-to-day development challenges of a highly distributed team and the lack of Win32 internals knowledge that makes it hard to recruit. Finally, Alex will do a few demos of the OS, try out a few games and applications, Internet access, etc, and of course, show off a few blue screens of death."
nk497 writes "Criminals are taking advantage of unpatched holes in Internet Explorer to launch 'diskless' attacks on PCs visiting malicious sites. Security company FireEye uncovered the zero-day flaw on at least one breached U.S. site, describing the exploit as a 'classic drive-by download attack'. But FireEye also noted the malware doesn't write to disk and disappears on reboot — provided it hasn't already taken over your PC — making it trickier to detect, though easier to purge. '[This is] a technique not typically used by advanced persistent threat (APT) actors,' the company said. 'This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods.'"
DavidGilbert99 writes "Nowhere is safe. Even in the cold expanse of space, computer malware manages to find a way. According to Russian security expert Eugene Kaspersky, the SCADA systems on board the International Space Station have been infected by malware which was carried into space on USB sticks by Russian astronauts."
Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog.
An anonymous reader writes "An Apple insider who asked not to be identified because the information is classified told Bloomberg that Apple's next iPhone models will come with curve displays and enhanced touchscreen sensors that can detect heavy and light touches. The two models -- 4.7-inches and 5.5-inches -- would be Apple's largest iPhones. Apple is still developing the two models and the person disclosed that Apple could launch the devices in the third quarter of next year."
mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free. The flaws in the MiFare Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system. The website fails to check users meaning attackers could look up details of residents and opens the potential for someone to write a script and erase all cards in existence. Several flaws have been known to the operator since 2009." There are two sets of problems: their website is not adequately secured, allowing identity harvesting attacks, and the transit cards themselves are easy to forge.
Trailrunner7 writes "In the wake of the publication of a new academic paper that says there is a fundamental flaw in the Bitcoin protocol that could allow a small cartel of participants to become powerful enough that it could take over the mining process and gather a disproportionate amount of the value in the system, researchers are debating the potential value of the attack and whether it's actually practical in the real world. The paper, published this week by researchers at Cornell University, claims that Bitcoin is broken, but critics say there's a foundational flaw in the paper's assertions. ... The idea of a majority of Bitcoin miners joining together to dominate the system isn't new, but the Cornell researchers say that a smaller pool of one third of the miners could achieve the same result, and that once they have, there would be a snowball effect with other miners joining this cartel to increase their own piece of the pie. However, other researchers have taken issue with this analysis, saying that it wouldn't hold together in the real world. 'The most serious flaw, perhaps, is that, contrary to their claims, a coalition of ES-miners [selfish miners] would not be stable, because members of the coalition would have an incentive to cheat on their coalition partners, by using a strategy that I'll call fair-weather mining,' Ed Felten, a professor of computer science and public affairs at Princeton University and director of the Center for Information Technology Policy, wrote in an analysis of the paper."
An anonymous reader writes "Wikimedia today announced the launch of a beta program simply called Beta Features. In short, the organization is offering a way for users to try out new features on Wikipedia and other Wikimedia sites before they are released for everyone. If you're reading this with bated breath, you'll be happy to know logged-in users can join the early testing right now on MediaWiki.org, meta.wikimedia.org and Wikimedia Commons. Wikimedia plans to release Beta Features on all wikis in two weeks, on November 21, although the date may shift depending on the feedback the organization receives."
An anonymous reader writes "Oracle acquired GlassFish when it acquired Sun Microsystems, and now — like OpenSolaris and OpenOffice — the company has announced it will no longer support a commercial version of the product. Mike Milinkovich, executive director of the Eclipse Foundation. said in an interview the decision wasn't exactly a surprise: "The only company that was putting any real investment in GlassFish was Oracle," Milinkovich said. "Nobody else was really stepping up to the plate to help. If you never contributed anything to it, you can't complain when something like this happens." An update to the open source version is still planned for 2014." GlassFish is an open source application server.
cold fjord sends this news from Reuters: "Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"
Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.
alphadogg writes "If you can't tell the difference between an inkblot that looks more like 'body builder lady with mustache and goofy in the center' than 'large steroid insect with big eyes,' then you can't crack passwords protected via a new scheme created by computer scientists that they've dubbed GOTCHA. GOTCHA, a snappy acronym for the decidedly less snappy Generating panOptic Turing Tests to Tell Computers and Humans Apart, is aimed at stymying hackers from using computers to figure out passwords, which are all too often easy to guess. GOTCHA, like its ubiquitous cousin CAPTCHA, relies on visual cues that typically only a human can appreciate. The researchers don't think that computers can solve the puzzles and have issued a challenge to fellow security researchers to use artificial intelligence to try to do so. You can find the GOTCHA Challenge here."
An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that it you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that it exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)
An anonymous reader writes "I've recently been charged with updating our existing serial console access tools. We have 12 racks of servers each with a console server in it (OpenGear, ACS, and a few others). Several of these systems host virtual machines which are also configured to have 'serial' management (KVM, virt serial). In total it comes to about 600 'systems.' All the systems also have remote power management (various vendors). Right now our team has a set of home grown scripts and a cobbled together database for keeping this all together. Today any admin can simply ssh into the master, run 'manage hostname console' and automatically get a serial console or run 'manage hostname power off' to cut the power to a system. I'd rather use some tools with more of a community than just the 4 of us. What tool(s) should I move my group onto for remote serial/power management?"
New submitter BitVulture writes "The hardcore Bitcoin community is abuzz with news of the closure of Inputs.io, a supposedly secure online Bitcoin wallet, after an attack resulted in the loss of 4100 Bitcoins. A PGP-signed message at the home page of the now mostly non-operational site briefly explains the situation: 'Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.' There's no word yet whether Inputs.io will eventually resume operations or whether the security breach will force the Bitcoin bank out of business."
An anonymous reader writes "Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses vulnerabilities they find. The minimum bounty for hacking any component of the Internet is $5,000."
An anonymous reader writes "Paedophiles may escape detection because highly-classified material about Britain's surveillance capabilities have been published by the Guardian newspaper, the UK government has claimed. A senior Whitehall official said data stolen by Edward Snowden, a former contractor to the US National Security Agency, could be exploited by child abusers and other cyber criminals. It could also put lives at risk by disclosing secrets to terrorists, insurgents and hostile foreign governments, he said."
wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."
ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."
rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."
tsu doh nimh writes "A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection between recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database."
New submitter bmurray7 writes "You might think that the country that has the fastest average home internet speeds would be a first adapter of modern browsers. Instead, as the Washington Post reports, a payment processing security standard forces most South Koreans to rely upon Internet Explorer for online shopping. Since the standard uses a unique encryption algorithm, an ActiveX control is required to complete online purchases. As a result, many internet users are in the habit of approving all AtivceX control prompts, potentially exposing them to malware."
ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."
onehitwonder writes "In short, they build it themselves. When Tesla Motors needed to improve the back-end software that runs its business, CEO Elon Musk decided not to upgrade the company's SAP system. Instead, he told his CIO, Jay Vijayan, to have the IT organization build a new back-end system, according to The Wall Street Journal. The company's team of 25 software engineers developed the new system in about four months, and it provided the company with speed and agility at a time when it was experiencing costly delivery delays on its all-electric Model S."
rtoz writes "For handling the future unreliable chips, a research group at MIT's Computer Science and Artificial Intelligence Laboratory has developed a new programming framework that enables software developers to specify when errors may be tolerable. The system then calculates the probability that the software will perform as it's intended. As transistors get smaller, they also become less reliable. This reliability won't be a major issue in some cases. For example, if few pixels in each frame of a high-definition video are improperly decoded, viewers probably won't notice — but relaxing the requirement of perfect decoding could yield gains in speed or energy efficiency."
wjcofkc writes "In the turbulent wake of the international uproar spurred by his leaked documents, Mr. Snowden published a letter over the weekend in Der Spiegel titled, "A Manifesto for the Truth". In the letter, Mr. Snowden reflects on the consequences of the information released so far, and their effect on exposing the extent and obscenity of international and domestic surveillance, while continuing to call out the NSA and GCHQ as the worst offenders. He further discusses how the debate should move forward, the intimidation of journalists, and the criminalization of the truth saying, 'Citizens have to fight suppression of information on matters of vital public importance. To tell the truth is not a crime.'"
An anonymous reader writes "Linus Torvalds announced the Linux 3.12 kernel release with a large number of improvements through many subsystems including new EXT4 file-system features, AMD Berlin APU support, a major CPUfreq governor improvement yielding impressive performance boosts for certain hardware/workloads, new drivers, and continued bug-fixing. Linus also took the opportunity to share possible plans for Linux 4.0. He's thinking of tagging Linux 4.0 following the Linux 3.19 release in about one year and is also considering the idea of Linux 4.0 being a release cycle with nothing but bug-fixes. Does Linux really need an entire two-month release cycle with nothing but bug-fixing? It's still to be decided by the kernel developers."
MojoKid writes "Microsoft has several valid reasons why you should upgrade to Windows 8.1, which is free if you already own Windows 8. However, there's a known issue that might give some gamers pause before clicking through in the Windows Store. There have been complaints of mouse problems after applying the Windows 8.1 update, most of which have been related to lag in video games, though Microsoft confirmed there are other potential quirks. Acknowledging the problem, Microsoft says it's also actively investigating the issues and working on a patch."
An anonymous reader writes "Intel shipped open-source Broadwell graphics driver support for Linux this weekend. While building upon the existing Intel Linux GPU driver, the kernel driver changes are significant in size for Broadwell. Code comments from Intel indicate that these processors shipping in 2014 will have "some of the biggest changes we've seen on the execution and memory management side of the GPU" and "dwarf any other silicon iteration during my tenure, and certainly can compete with the likes of the gen3->gen4 changes." Come next year, Intel may now be able to better take on AMD and NVIDIA discrete graphics solutions."
First time accepted submitter renzema writes "I'm looking for a way to do near-site backups — backups that are not on my physical property, but with a hard drive still accessible should I need to do a restore (let's face it — this is where cloud backup services are really weak — 1 TB at 3-4mb downloads just doesn't cut it). I've tried crashplan, but that requires that someone has a computer on all the time and they don't ship hard drives to Sweden. What I want is to be able to back up my Windows and Mac to both a local disk and to a disk that I own that is not on site. I don't want a computer running 24x7 to support this — just a router or NAS. I would even be happy with a local disk that is somehow mirrored to a remote location. I haven't found anything out there that makes this simple. Any ideas?" What, besides "walk over a disk once in a while," would you advise?
codeusirae writes "RAF pilots were left 'blinded' by a barrage of images while flying at speeds of over 1,000 mph when a number of technical glitches hit their high-tech helmets. The visors were supposed to provide the fighter pilots with complete vision and awareness, but problems with the display produced a blurring known as 'green-glow,' meaning they were unable to see clearly.The green glow occurred when a mass of information was displayed on the helmet-mounted display systems, including radar pictures and images from cameras mounted around the aircraft."
An anonymous reader writes "Despite what we hear about how much the U.S. government is struggling with a website, it is reassuring that most of government entities can update their websites within a day after they are asked to. This conclusion is the result of research done by the Networking Systems Laboratory at the Computer Science Department of the University of Houston. The research team tracked government websites and their update times, and found that 96% of the websites were updated within 24 hours after President Obama signed HR 2775 into law, ending the Government shutdown. Worth noting that two websites took 8 days to update. It is interesting that the team was able to use the shutdown as an opportunity to study the efficiency of the IT departments of various parts of Government."
An anonymous reader writes "Almost three years ago, I started looking for a cloud storage service. Encryption and the "zero-knowledge" concept were not concerns. Frankly, after two weeks testing services, it boiled down to one service I used for almost 2 years. It was perfect — in the technical sense — because it simply works as advertised and is one of the cheapest for 500GB. But this year, I decided changing that service for another one, that would encrypt my files before leaving my machine. Some of these services call themselves 'zero-knowledge' services, because (as they claim) clear text does not leave your host: they only receive encrypted data — keys or passwords are not sent. I did all testing I could, with the free bit of their services, and then, chose one of them. After a while, when the load got higher (more files, more folders, more GB...), my horror story began. I started experiencing sync problems of all sorts. In fact, I have paid for and tested another service and both had the same issues with sync. Worse, one of them could not even handle restoring files correctly. I had to restore from my local backup more than once and I ended up losing files for real. In your experience, which service (or services) are really able to handle more than a hundred files, in sync within 5+ hosts, without messing up (deleting, renaming, duplicating) files and folders?"
New submitter codeusirae writes "An initial round of criticism focused on how many files the browser was being forced to download just to access the site, per an article at Reuters. A thread at Reddit appeared and was filled with analyses of the code. But closer looks by others have teased out deeper, more systematic issues."
jones_supa writes "Edward Snowden papers unmask that the German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain's GCHQ eavesdropping agency. The bulk monitoring is carried out through direct taps into fibre optic cables and the development of covert relationships with telecommunications companies. A loose but growing eavesdropping alliance has allowed intelligence agencies from one country to cultivate ties with corporations from another to facilitate the trawling of the web. The files also make clear that GCHQ played a leading role in advising its European counterparts how to work around national laws intended to restrict the surveillance power of intelligence agencies."
sfcrazy writes "CyanogenMod team has announced the release of version 10.2 M1, just after the release of Android 4.4 aka Kit Kat. In a post the team says, "With all the Android 4.4 hype, we haven't forgotten about CM 10.2. Tonight the buildbots will focus their efforts on building and shipping out CyanogenMod 10.2 M1. Builds are already hitting the servers (please be patient, this will take a while). We are targeting over 70 devices for this initial M-release.""
N8F8 writes "Like many IT professionals, I provide a lot of free help desk-type support to friends and family. I've decided to expand my support work and create a site where veterans can receive free computer help. I'm using OSTicket for the ticket reporting. What I really need is an easy to use desktop-sharing system. In the past I've used TeamViewer because it is easy to use, but it is not really free for non-personal use. Recently I switched to Meraki Systems Manager because it is free — and it uses VNC — but unfortunately it isn't intended for the one-time-use type support I'll be offering. So I'm looking for a reliable, open source, easy to use desktop-sharing solution that I can set up on my site for people to join one-time-use help desk sessions."
An anonymous reader writes "The release of OpenBSD 5.4 has been announced. New and notable advancements include new or extended platforms like octeon and beagle, moving VAX to ELF format, improved hardware support including Kernel Mode Setting (KMS), overhauled inteldrm(4), experimental support for fuse(4), reworked checksum handling for network protocols, OpenSMTPD 5.3.3, OpenSSH 6.3, over 7,800 ports, and many other improvements and additions."
netbuzz writes "On Nov. 2, 1988, mainstream America learned for the first time that computers get viruses, too, as the now notorious "Morris worm" made front-page headlines after first making life miserable for IT professionals. A PBS television news report about the worm offers a telling look at how computer viruses were perceived (or not) at the time. 'Life in the modern world has a new anxiety today,' says the news anchor. 'Just as we've become totally dependent on our computers they're being stalked by saboteurs, saboteurs who create computer viruses.'"
Daniel_Stuckey writes "The group, called UnSystem, are self-proclaimed crypto-anarchists led by Cody Wilson—who you may remember as the creator of the controversial 3D-printed gun. After getting himself in hot water with the government for making the digital files to print an unregulated weapon freely available on the internet, Wilson's now endeavoring to bring Bitcoin back to its anarchist roots. Like other Bitcoin wallets, you'll be able to store, send, and receive coins, and interact with block chain, the Bitcoin public ledger. But Dark Wallet will include extra protections to make sure transactions are secure, anonymous, and hard to trace—including a protocol called "trustless mixing" that combines users' coins together before encoding it into the ledger."
Hugh Pickens DOT Com writes "Dan Goodwin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused and he also found that the machine could delete data and undo configuration changes with no prompting. Next a computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"
wjcofkc writes "The United States Government has officially called in the calvary over the problems with Healthcare.gov. Tech titans Oracle, Red Hat and Google have been tapped to join the effort to fix the website that went live a month ago, only to quickly roll over and die. While a tech surge of engineers to fix such a complex problem is arguably not the greatest idea, if you're going to do so, you might as well bring in the big guns. The question is: can they make the end of November deadline?"
szotz writes "Keeping up the pace of Moore's Law is hard, but you wouldn't know it from the way chipmakers name their technology. The semiconductor industry's names for chip generations (Intel's 22nm, TSMC's 28nm, etc) have very little to do with actual physical sizes, says IEEE Spectrum. And the disconnect is only getting bigger. For the first time, the "pay us to make your chip" foundries are offering a new process (with a smaller-sounding name) that will produce chips that are no denser than their forbears. The move is not a popular one."
itwbennett writes "This brings to mind an earlier Slashdot discussion about whether we've hit the limit on screen resolution improvements on handheld devices. But this time, the question revolves around ever-faster graphics processing units (GPUs) and the resolution limits of desktop monitors. ITworld's Andy Patrizio frames the problem like this: 'Desktop monitors (I'm not talking laptops except for the high-end laptops) tend to vary in size from 20 to 24 inches for mainstream/standard monitors, and 27 to 30 inches for the high end. One thing they all have in common is the resolution. They have pretty much standardized on 1920x1080. That's because 1920x1080 is the resolution for HDTV, and it fits 20 to 24-inch monitors well. Here's the thing: at that resolution, these new GPUs are so powerful you get no major, appreciable gain over the older generation.' Or as Chris Angelini, editorial director for Tom's Hardware Guide, put it, 'The current high-end of GPUs gives you as much as you'd need for an enjoyable experience. Beyond that and it's not like you will get nothing, it's just that you will notice less benefit.'"