beaverdownunder writes with an extract from The Guardian, based on a security disclosure from Gibson Security: "Snapchat users' phone numbers may be exposed to hackers due to an unresolved security vulnerability, according to a new report released by a group of Australian hackers. Snapchat is a social media program that allows users to send pictures to each other that disappear within 10 seconds. Users can create profiles with detailed personal information and add friends that can view the photos a user shares. But Gibson Security, a group of anonymous hackers from Australia, has published a new report with detailed coding that they say shows how a vulnerability can be exploited to reveal phone numbers of users, as well as their privacy settings." Snapchat downplays the significance of the hole.
An anonymous reader writes with this news from California: "According to the article, 'Officials at the Federal Bureau of Prisons say an inmate escaped from a minimum security area of the federal prison in Lompoc. Prison officials say Jeffrey Kilbride, 48, was discovered missing at around 1:30 p.m. on Friday. ... A search is reportedly underway. Prison officials say Kilbride was serving a 78-month sentence for conspiracy and fraud. He was due to be released on December 11, 2015.'" Here's why Kilbride was in prison.
theodp writes "Over at The Atlantic, Taylor Clark's epic Jesse Willms, the Dark Lord of the Internet tells the tale of how one of the most notorious alleged hustlers in the history of e-commerce made a fortune on the Web. 'Accusing Willms of being a scammer,' Clark writes, 'does him a disservice; what he accomplished elicits something close to awe, even among his critics.' The classic themes Willms' company employed in 'sponsored' links for products that included colon cleansers, teeth whiteners, and acai supplements, Clark reports, included dubious scientific claims and fake articles ('farticles'); implied endorsements from celebrities and TV networks; incredible 'testimonials'; manipulative plays on insecurities ('You wouldn't have to worry about being the 'fat bridesmaid' at your sister's wedding!'); and 'iron-clad' guarantees that 'free trials' of the products were absolutely 'risk free.' But beneath his promises of a 'free trial,' the FTC alleged, Willms buried an assortment of charges in the fine print of his terms and conditions. After the 14-day trial period for each product, customers automatically became enrolled in monthly subscription plans, for up to $80 a month. 'The product was never the point,' explained an FTC attorney. 'The point was to get as many hits on each credit card as you could.' Despite a publicized $359 million settlement with the FTC, Jesse Willms is doing just fine financially, and he has a new yellow Lamborghini to prove it. After settling his tax debts, Willms surrendered his assets of just $991,000 to get the financial judgment suspended. Willms has left diet products behind and pivoted into information services. 'As of November,' Clark notes, 'if you searched vehicle history on Google, Yahoo, or Bing, ads for Willms's sites were among the first things you would see.'"
Freshly Exhumed writes "On the morning of December 26th, 2013, an error on Delta Air Lines' website produced impossibly low fare discounts of as much as 90% for about 2 hours before the problem was corrected. Delta, to their PR benefit, have swallowed the losses, and the lucky customers have shared their delight via social media. Unfortunately for many buyers of goods from The Brick furniture retailer, no such consumer warmth is forthcoming. The Brick's website checkout had awarded them an additional 50% off, over and above all other costs, but the official corporate response has been to demand the money be returned. Affected customers are now lashing The Brick with social media opprobrium and drawing direct comparisons with Delta's response. So, given that these are not small, mom-and-pop companies, have we reached a point at which online retailers are expected to just swallow such costs for PR purposes, as part of doing web business?"
jones_supa writes "GNU Octave — the open source numerical computation suite compatible with MATLAB — is doing very well. The new 3.8 release is a big change, as it brings a graphical user interface, a feature which has long been requested by users. It is peppered with OpenGL acceleration and uses the super fast FLTK toolkit for widgets. The CLI interface still remains available and GNUplot is used as a fallback in cases where OpenGL or FLTK support is not available. Other changes to Octave 3.8 are support for nested functions with scoping rules, limited support for named exceptions, new regular expressions, a TeX parser for the FLTK toolkit, overhauls to many of the m-files, function rewrites, and numerous other changes and bug fixes."
McGruber writes "Myer, Australia's largest department store chain, has closed its website 'until further notice' at the height of the post-Christmas (and Australian summer) sales season. The website crashed on Christmas Day and has been down ever since. This means Myer will see no benefit for those days from booming domestic online sales, which were tipped to hit $344 million across the retail sector on Boxing Day alone. Teams from IBM and Myer's information technology division were 'working furiously' to fix the problem."
New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.
Kenseilon writes "The Verge reports that millions of Dogecoins — an alternative cryptocurrency — were stolen after the service DogeWallet was hacked. DogeWallet worked like a bank account for the currency, and the attackers modified it to make sure all transactions ended up in a wallet of their choice. This latest incident is just one in the long (and growing) list of problems that cryptocurrencies are currently facing. It brings to mind the incident where bitcoin exchange service GBL vanished and took a modest amount of Bitcoins with them. While not a similar case, it highlights the difficulties with trusting service providers in this market."
zlives writes "Tesla Motors has maintained that the most recent fire involving one of its Model S electric vehicles isn't the result of a vehicle or battery malfunction, but the company is still addressing the situation with a software fix, according to Green Car Reports. The California-based automaker has added a software function that automatically reduces the charge current by about 25 percent when power from the charging source fluctuates outside of a certain range, Green Car Reports says, citing the Twitter feed from an Apple employee, @ddenboer, who owns a Model S. You can read the text of the update below."
Tackhead writes "People of a certain age — the age before email filters were effective — may remember a few mid-90s buzzwords like 'bulletproof hosting' and 'double opt-in.' People may remember that Hormel itself conceded that although 'SPAM' referred to their potted meat product, the term 'spam' could refer to unsolicited commercial email. People may also remember AGIS, Cyberpromo, Sanford 'Spam King' Wallace, and Walt Rines. Ten years after a 2003 retrospective on Rines and Wallace, Ars Technica reminds us that the more things change, the more they stay the same."
An anonymous reader writes "Brian Krebs has done some detective work to determine who is behind the recent Target credit card hack. Krebs sifted through posts from a series of shady forums, some dating back to 2008, to determine the likely real-life identity of one fraudster. He even turns down a $10,000 bribe offer to keep the information under wraps."
An anonymous reader notes an article about how the tribulations of Healthcare.gov brought the idea of software testing into the public consciousness in a more detailed way than ever before. Quoting: "Suddenly, Americans are sitting at their kitchen tables – in suburbs, in cities, on farms – and talking about quality issues with a website. The average American was given nightly tutorials on load testing and performance bottlenecks when the site first launched, then crumbled moments later. We talked about whether the requirements were well-defined and the project schedule reasonably laid out. We talked about who owns the decision to launch and whether they were keeping appropriate track of milestones and iterations. ... When the media went from talking about the issues in the website to the process used to build the website was when things really got interesting. This is when software testers stepped out of the cube farm behind the coffee station and into the public limelight. Who were these people – and were they incompetent or mistreated? Did the project leaders not allocate enough time for testing? Did they allocate time for testing but not time to react to the testing outcome? Did the testers run inadequate tests? Were there not enough testers? Did they not speak up about the issues? If they did, were they not forceful enough?"
Like many other review sites, it seems that MacWorld can hardly find enough good things to say about the new Mac Pro, even while conceding it's probably not right for many users. 9to5 Mac has assembled a lot of the early reviews, including The Verge's, which has one of the coolest shots of its nifty design, which stacks up well against the old Pro's nifty design. The reviews mostly boil down to this: If you're in a field where you already make use of a high-end Mac for tasks like video editing, the newest one lives up to its hype.
An anonymous reader writes "In a letter to RSA executives, F-Secure's Mikko Hypponen says he is canceling his talk at the 2014 RSA Conference, due to the company's deal with the NSA, and how the agency has treated foreigners." From the letter: "I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway — why would they care about surveillance that's not targeted at them but at non-Americans. Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I'm a foreigner. And I'm withdrawing my support from your event."
Trailrunner7 writes "One of the key tenets of the argument that the National Security Agency and some lawmakers have constructed to justify the agency's collection of phone metadata is that the information it's collecting, such as phone numbers and length of call, can't be tied to the callers' names. However, some quick investigation by some researchers at Stanford University who have been collecting information voluntarily from Android users found that they could correlate numbers to names with very little effort. The Stanford researchers recently started a program called Metaphone that gathers data from volunteers with Android phones. They collect data such as recent phone calls and text messages and social network information. The goal of the project, which is the work of the Stanford Security Lab, is to draw some lines connecting metadata and surveillance. As part of the project, the researchers decided to select a random set of 5,000 numbers from their data and see whether they could connect any of them to subscriber names using just freely available Web tools. The result: They found names for 27 percent of the numbers using just Google, Yelp, Facebook and Google Places. Using some other online tools, they connected 91 of 100 numbers with names."
dcblogs writes "The tech industry is seeing a shift toward a more independent, contingent IT workforce. About 18% of all IT workers today are self-employed, according to an analysis by Emergent Research, a firm focused on small business trends. This independent IT workforce is growing at the rate of about 7% per year, which is faster than the overall growth rate for independent workers generally, at 5.5%. A separate analysis by research firm Computer Economics finds a similar trend. This year, contract workers make up 15% of a typical large organization's IT staff at the median. This is up from a median of just 6% in 2011, said Longwell. The last time there was a similar increase in contract workers was in 1998, during the dot.com boom and the run-up to Y2K remediation efforts."
The Register reports that RSA isn't taking the accusation quietly: Reuters, based on documents released by Edward Snowden, reported that the company intentionally used weaker crypto at the request of the NSA, and accepted $10 million in exchange for doing so. RSA defends the use of the Dual Elliptic Curve Deterministic Random Bit Generator, stating categorically "that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Jacob Appelbaum isn't shy about his role as a pro-privacy (and anti-secrecy) activist and hacker. A long-time contributor to the Tor project, and security researcher more generally, Appelbaum stood in for the strategically absent Julian Assange at HOPE in 2010, and more recently delivered Edward Snowden's acceptance speech when Snowden was awarded the Government Accountability Project's Whistleblower Prize. Now, he reports, his Berlin apartment appears to have been burglarized, and his computers tampered with. As reported by Deutsche Welle, "Appelbaum told [newspaper the Berliner Zeitung] that somebody had broken into his apartment and used his computer in his absence. 'When I flew away for an appointment, I installed four alarm systems in my apartment,' Appelbaum told the paper after discussing other situations which he said made him feel uneasy. 'When I returned, three of them had been turned off. The fourth, however, had registered that somebody was in my flat - although I'm the only one with a key. And some of my effects, whose positions I carefully note, were indeed askew. My computers had been turned on and off.'" It's not the first time by any means that Appelbaum's technical and political pursuits have drawn attention of the unpleasant variety.
Hugh Pickens DOT Com writes "Shona Ghosh writes at PC Pro that the final deadline for Windows XP support in April 2014 will act as the starting pistol for developing new exploits as hackers reverse-engineer patches issued for Windows 7 or Windows 8 to scout for XP vulnerabilities. 'The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares [them],' says Tim Rains, the director of Microsoft's Trustworthy Computing group. Microsoft says that XP shared 30 security holes with Windows 7 and Windows 8 between July 2012 and July 2013. Gregg Keizer says that if a major chunk of the world's PCs remains tied to XP, as seems certain, Microsoft will face an unenviable choice: Stick to plan and put millions of customers at risk from malware infection, or backtrack from long-standing policies and proclamations." (Read on for more.)
davecb writes "The Obamacare sign-up site was a classic example of managers saying 'not invented here' and doing everything wrong, as described in Poul-Henning Kamp's Center Wheel for Success, at ACM Queue." It's not just a knock on the health-care finance site, though: "We are quick to dismiss these types of failures as politicians asking for the wrong systems and incompetent and/or greedy companies being happy to oblige. While that may be part of the explanation, it is hardly sufficient. ... [New technologies] allow us to make much bigger projects, but the actual success/failure rate seems to be pretty much the same."
First time accepted submitter monkaru writes "Given reports that various vendors and encryption algorithms have been compromised, is it still possible to trust any commercial hardware routers, or is 'roll your own' the only reasonable path going forward?" What do you do nowadays, if anything, to maintain your online privacy upstream of your own computer?
An anonymous reader writes "Blender Foundation open movie projects like Sintel and Tears of Steel have been mentioned on Slashdot in the recent years. Now an old-timer, their open movie Big Buck Bunny from 2008, has been getting a make-over in a new release: The entire movie has been recreated in 3D stereo with a resolution of 4K (3840x2160) at 60fps. It took years to rework the movie because the original Big Buck Bunny was created for 2D. Most of the scenes had to be modified to work well in 3D stereo. Furthermore, the original movie was made for cinemas and was 24fps; a lot of changes to the animations had to be made to get the correct results. The creator of the reworked version explains about it on BlenderNation where he also talks about the fact that the entire movie was rendered via an online collaborative renderfarm, BURP, where volunteers provided spare CPU cycles to make it happen. If you want to see how your computer measures up to playing 4K content in 60 fps you can download the reworked movie from the official homepage — lower resolutions are also available."
Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
Barence writes "The latest tests from Dennis Publishing's security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher — with five scoring 98% or 99% — Microsoft's free antivirus software protected against only 61% of the malware samples used in the test. Microsoft conceded last year that its security software was intended to offer only 'baseline' performance."
Lab Rat Jason writes "During a discussion with my wife last night, I came to the realization that the primary reason I have a Hadoop cluster tucked under my desk at home (I work in an office) is because my drive for learning is too aggressive for my IT department's security policy, as well as their hardware budget. But on closer inspection the issue runs even deeper than that. Time spent working on the somewhat menial tasks of the day job prevents me from spending time learning new tech that could help me do the job better. So I do my learning on my own time. As I thought about it, I don't know a single developer who doesn't have a home setup that allows them to tinker in a more relaxed environment. Or, put another way, my home setup represents the place I wish my company was going. So my question to Slashdot is this: How many of you find yourselves investing personal time to learn things that will directly benefit your employer, and how many of you are able to 'separate church and state?'"
theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nation's best-and-brightest college students to work for nothing on the nation's cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Council's Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was advised by representatives from Cisco, JP Morgan Chase, Goldman Sachs, Northrop Grumman, the NSF, and the NSA. 'Do you desire to protect American interests and secure our Nation while building a meaningful and rewarding career?' reads the job posting for Secretary's Honors Program Cyber Student Volunteers (salary: $0.00-$0.00). 'If so, the Department of Homeland Security (DHS) is calling.' Student volunteers, DHS adds, will begin in spring 2014 and participate throughout the summer. Get your applications in by January 3, kids!"
First time accepted submitter wallydallas writes "I'm close to a solution, but I wonder how other people block their many devices and operating systems from updating in working hours. For example: I'm the IT guy who blocks iPads from updating when school is in session because we are in a rural location. 3 Mbps is the best WAN we can buy. Devices can update after hours just fine. We do this with our router (DDWRT) by blocking MESU.APPLE.COM. Many guests bring in Windows 7 laptops, and I want to welcome them, but not their updates. How can I block updates on Android phones and Linux laptops? I have a 4G device at home, and I'd like to apply the same tricks 24 hours a day so that I don't use up the bandwidth from my vendor. And my many home visitors should have their updates blocked."
Hugh Pickens DOT Com writes "SF writer Charles Stross writes on his blog that like all currency systems, Bitcoin comes with an implicit political agenda attached and although our current global system is pretty crap, Bitcoin is worse. For starters, BtC is inherently deflationary. There is an upper limit on the number of bitcoins that can ever be created so the cost of generating new Bitcoins rises over time, and the value of Bitcoins rises relative to the available goods and services in the market. Libertarians love it because it pushes the same buttons as their gold fetish and it doesn't look like a 'fiat currency'. You can visualize it as some kind of scarce precious data resource, sort of a digital equivalent of gold. However there are a number of huge down-sides to Bitcoin, says Stross: Mining BtC has a carbon footprint from hell; as they get more computationally expensive to generate, electricity consumption soars. Bitcoin mining software is now being distributed as malware because using someone else's computer to mine BitCoins is easier than buying a farm of your own mining hardware. Bitcoin's utter lack of regulation permits really hideous markets to emerge, in commodities like assassination and drugs and child pornography. And finally, Bitcoin is inherently damaging to the fabric of civil society because it is pretty much designed for tax evasion. 'BitCoin looks like it was designed as a weapon intended to damage central banking and money issuing banks, with a Libertarian political agenda in mind — to damage states' ability to collect tax and monitor their citizens' financial transactions,' concludes Stross. 'The current banking industry and late-period capitalism may suck, but replacing it with Bitcoin would be like swapping out a hangnail for Fournier's gangrene.'"
JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.
New submitter ttyler writes "It turns out a MacBook's built-in camera can be activated without turning on the green LED. An earlier report suggested the FBI could activate a device's camera without having the light turn on, and there was a case in the news where a woman had nude pictures taken of her without her knowledge. The new research out of Johns Hopkins University confirms both situations are possible. All it takes are a few tweaks to the camera's firmware."
kthreadd writes "In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones."
Hugh Pickens DOT Com writes "Chuong Nguyen reports that Apple is forcing developers to adopt iOS 7's visual UI for their apps, and has advised iOS developers that all apps submitted after February 1, 2014 must be optimized for iOS 7 and built using Xcode 5 ... 'It's likely that Apple is more anxious than ever for developers to update their apps to fit in visually and mechanically with iOS 7, as it's the largest change in the history of Apple's mobile software,' says Matthew Panzarino. 'iOS 7 introduced a much more complex physical language while stripping out many of the visual cues that developers had relied on to instruct users. For better or worse, this has created a new aesthetic that many un-updated apps did not reflect.' Most app developers have been building apps optimized towards iOS 7 since Apple's World Wide Developer Conference in June 2013. Apple has been on a push over the past couple of years to encourage developers to support the latest editions of its OS faster than ever. To do this, it's made a habit of pointing out the adoption rates of new versions of iOS, which are extremely high. Nearly every event mentions iOS 7 adoption, which now tops 76% of all iOS users, and Apple publishes current statistics. In order to optimize apps for the new operating system, they must be built with the latest version of Xcode 5 which includes 64-bit support and access to new features like backgrounding APIs."
ananyo writes "The Guardian's technology editor, Charles Arthur, asks why researchers have remained largely silent in the wake of the revelation that the U.S. National Institute of Standards and Technology's standard for random numbers used for cryptography had been weakened by the NSA: 'The nature of the subversions sounds abstruse: the random-number generator, the 'Dual EC DRBG' standard, had been hacked by the NSA and the UK's GCHQ so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.' Arthur attributes the silence of UK academics, at least, to pressure from GCHQ. He goes on to say: 'For those who do care, White and Matthew Green, who teaches cryptography at Johns Hopkins University in Baltimore, Maryland, have embarked on an ambitious effort to clean up the mess — one that needs help. They have created a non-profit organization called OpenAudit.org, which aims to recruit experts to provide technical assistance for security projects in the public interest, especially open-source security software.'"
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
Nerval's Lobster writes "Tech publications and pundits alike have crowed about the benefits we're soon to collectively reap from healthcare analytics. In theory, sensors attached to our bodies (and appliances such as the fridge) will send a stream of health-related data — everything from calorie and footstep counts to blood pressure and sleep activity — to the cloud, which will analyze it for insight; doctors and other healthcare professionals will use that data to tailor treatments or advise changes in behavior and diet. But the sensors still leave a lot to be desired: 'smart bracelets' such as Nike's FuelBand and FitBit can prove poor judges of physical activity, and FitBit's associated app still requires you to manually input records of daily food intake (the FuelBand is also a poor judge of lower-body activity, such as running). FDA-approved ingestible sensors are still being researched, and it'd be hard to convince most people that swallowing one is in their best interests. Despite the hype about data's ability to improve people's health, we could be a long way from any sort of meaningful consumer technology that truly makes that happen."
sfcrazy writes "The Fedora Project has announced the release of Fedora 20, code named Heisenbug (release notes). Fedora 20 is dedicated to Seth Vidal, the lead developer of Yum and the Fedora update repository, who recently died in a road accident. Gnome is the default DE of Fedora, and so it is for Fedora 20. However unlike Ubuntu (where they had to create different distros for each DE) Fedora comes with KDE, XFCE, LXDE and MATE. You can install the DE of your choice on top of base Fedora."
mrspoonsi writes "Business Insider reports: The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped on Sunday's '60 Minutes.' Called a BIOS attack, the exploit would have ruined, or 'bricked,' computers across the country, causing untold damage to the national and even global economy. Even more shocking, CBS goes as far as to point a finger directly at China for the plot — 'While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.' The NSA says it closed this vulnerability by working with computer manufacturers. Debora Plunkett, director of cyber defense for the NSA: 'One of our analysts actually saw that the nation state had the intention to develop and to deliver — to actually use this capability — to destroy computers.'"
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
hawkinspeter writes "The Register is hosting an exclusive that Bruce Schneier will be leaving his position at BT as security futurologist. From the article: 'News of the parting of the ways reached El Reg via a leaked internal email. Our source suggested that Schneier was shown the door because of his recent comments about the NSA and GCHQ's mass surveillance activities.'"
An anonymous reader writes "The OpenBSD project has no reason to follow the steps taken by FreeBSD with regard to hardware-based cryptography because it has already been doing this for a decade, according to Theo de Raadt. 'FreeBSD has caught up to what OpenBSD has been doing for over 10 years,' the OpenBSD founder told iTWire. 'I see nothing new in their changes. Basically, it is 10 years of FreeBSD stupidity. They don't know a thing about security. They even ignore relevant research in all fields, not just from us, but from everyone.'"
New submitter StirlingArcher writes "I've always built/maintained my parents' PCs, but as Mum has got older her PC seems to develop problems more readily. I would love to switch her to Linux, but she struggles with change and wants to stay with Vista and MS Office. I've done the usual: removed Admin rights, used a credible Internet Security package. Is there anything more dramatic that I could do, without changing the way she uses her PC or enforcing a new OS on her again? One idea was to use a Linux OS and then run Vista in a VM, which auto-boots and creates a backup image every so often. Thanks for any help!"
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it's deployed properly, reducing the errors that could make surveillance and other attacks easier."
Daniel_Stuckey writes "Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, [artist Aram] Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year. He brings the books to his exhibits, called 'Forgot Your Password,' where you're free to see if he's got your data—and whether anyone else who wanders through is entirely capable of logging onto your account and making Connections with unsavory people. In fact, Bartholl insists: 'These eight volumes contain 4.7 million LinkedIn clear text user passwords printed in alphabetical order,' the description of his project reads. 'Visitors are invited to look up their own password.'"
jones_supa writes "The most widely used cellphone encryption cipher A5/1 can be easily defeated by the National Security Agency, an internal document shows. This gives the agency the means to intercept most of the billions of calls and texts that travel over radio waves every day, even when the agency would not have the encryption key. Encryption experts have long known the cipher to be weak and have urged providers to upgrade to newer systems. Consequently, it is also suggested that other nations likely have the same cracking capability through their own intelligence services. The vulnerability outlined in the NSA document concerns encryption developed in the 1980s but still used widely by cellphones that rely on 2G GSM. It is unclear if the agency may also be able to decode newer forms of encryption, such as those covered under CDMA."
msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"
itwbennett writes "Two reports out this week, one a new 'codex' released by 451 Research and the other an updated survey into cloud IaaS pricing from Redmonk, show just how insane cloud pricing has become. If your job requires you to read these reports, good luck. For the rest of us, Redmonk's Stephen O'Grady distilled the pricing trends down to this: 'HP offers the best compute value and instance sizes for the dollar. Google offers the best value for memory, but to get there it appears to have sacrificed compute. AWS is king in value for disk and it appears no one else is even trying to come close. Microsoft is taking the 'middle of the road,' never offering the best or worst pricing.'"
Frequent contributor Bennett Haselton writes: "Google has fixed a vulnerability, first discovered by researcher Gergely Kalman, which let users search for credit card numbers by using hex number ranges. However, Google should have acknowledged or at least responded to the original bug finder (and possibly even paid him a bounty for it), and should have been more transparent about the process in general." Read on for the rest of the story.
Qedward writes "Munich's switch to open source software has been successfully completed, with the vast majority of the public administration's users now running its own version of Linux, city officials said today. In one of the premier open source software deployments in Europe, the city migrated from Windows NT to LiMux, its own Linux distribution. LiMux incorporates a fully open source desktop infrastructure. The city also decided to use the Open Document Format (ODF) as a standard, instead of proprietary options. Ten years after the decision to switch, the LiMux project will now go into regular operation, the Munich City council said."
astroengine writes "A coolant system glitch on the International Space Station has forced several of the orbital outpost's modules offline as astronauts and ground control manage the problem. The crew are not in danger and ground control teams are currently working to see how best to troubleshoot. The issue, which occurred early on Wednesday, involves one of the space station's two external ammonia cooling loops, which the station's electrical systems use to regulate their temperatures. The loop 'automatically shut down when it reached pre-set temperature limits,' said NASA in a statement. It is thought that a flow control valve in the ammonia pump itself may have malfunctioned."
wiredmikey writes "Business for Switzerland's 55 data centers is booming. They benefit from the Swiss reputation for security and stability, and some predict the nation already famous for its super-safe banks will soon also be known as the world's data vault. For example, housed in one of Switzerland's numerous deserted Cold War-era army barracks, one high-tech data center is hidden behind four-ton steel doors built to withstand a nuclear attack — plus biometric scanners and an armed guard. Such tight security is in growing demand in a world shaking from repeated leak scandals and fears of spies lurking behind every byte."