An anonymous reader writes We've been calling it for years — connect everything in your house to the internet, and people will find a way to attack it. This post provides a technical walkthrough of how internet-connected lighting systems are vulnerable to outside attacks. Quoting: "With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads. ... Monitoring packets captured from the mesh network whilst adding new bulbs, we were able to identify the specific packets in which the WiFi network credentials were shared among the bulbs. The on-boarding process consists of the master bulb broadcasting for new bulbs on the network. A new bulb responds to the master and then requests the WiFi details to be transferred. The master bulb then broadcasts the WiFi details, encrypted, across the mesh network. The new bulb is then added to the list of available bulbs in the LIFX smart phone application."
M-Saunders writes: Perl 6 has been in development since 2000. So why, 14 years later, hasn't it been released yet? Linux Voice caught up with Damian Conway, one of the architects of Perl 6, to find out what's happening. "Perl 6 has all of the same features [as Perl 5] but with the rough edges knocked off of them", he says. Conway also talks about the UK's Year of Code project, and how to get more people interested in programming.
mask.of.sanity writes Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids. Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with, but experts weren't sure if the technology could be used to locate individuals.
realized (2472730) writes "In nine cases in 2013, state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the U.S. court system on Wednesday. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases—and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero."
wiredmikey (1824622) writes "Security researchers have found a way to disable the protection systems provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a software tool designed to prevent vulnerabilities from being exploited by using various mitigation technologies. Others have managed to bypass EMET in the past, but researchers from Offensive Security have focused on disarming EMET, rather than on bypassing mitigations, as this method gives an attacker the ability use generic shellcodes such as the ones generated by Metasploit. The researchers managed to disarm EMET and get a shell after finding a global variable in the .data section of the EMET.dll file. Initially, they only managed to get a shell by executing the exploit with a debugger attached, due to EMET's EAF checks. However, they've succeeded in getting a shell outside the debugger after disarming EAF with a method described by security researcher Piotr Bania in January 2012. The researchers tested their findings on Windows 7, Internet Explorer 8 and EMET 4.1 update 1."
New submitter marxmarv writes If you search the web for communications security information, or read online tech publications like Linux Journal or BoingBoing, you might be a terrorist. The German publication Das Erste disclosed a crumb of alleged XKeyScore configuration, with the vague suggestion of more source code to come, showing that Tor directory servers and their users, and as usual the interested and their neighbor's dogs due to overcapture, were flagged for closer monitoring. Linux Journal, whose domain is part of a listed selector, has a few choice words on their coveted award. Would it be irresponsible not to speculate further?
An anonymous reader writes with this excerpt from TechDirt: Three years ago we wrote about how Austrian police had seized computers from someone running a Tor exit node. This kind of thing happens from time to time, but it appears that folks in Austria have taken it up a notch by... effectively now making it illegal to run a Tor exit node. According to the report, which was confirmed by the accused, the court found that running the node violated 12 of the Austrian penal code, which effectively says:"Not only the immediate perpetrator commits a criminal action, but also anyone who appoints someone to carry it out, or anyone who otherwise contributes to the completion of said criminal action." In other words, it's a form of accomplice liability for criminality. It's pretty standard to name criminal accomplices liable for "aiding and abetting" the activities of others, but it's a massive and incredibly dangerous stretch to argue that merely running a Tor exit node makes you an accomplice that "contributes to the completion" of a crime. Under this sort of thinking, Volkswagen would be liable if someone drove a VW as the getaway car in a bank robbery. It's a very, very broad interpretation of accomplice liability, in a situation where it clearly does not make sense.
wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."
the simurgh writes: As many who follow the Kim Dotcom saga know, New Zealand police seized his encrypted computer drives in 2012, copies of which were illegally passed to the FBI. Fast-forward to 2014: Dotcom wants access to the seized but encrypted content. A New Zealand judge has now ruled that even if the Megaupload founder supplies the passwords, the encryption keys cannot be forwarded to the FBI.
jfruh (300774) writes Tech writer Tyler Hayes had never come close to hitting the 250 GB monthly bandwidth cap imposed by Cox Cable — until suddenly he was blowing right through it, eating up almost 80 GB a day. Using the Mac network utility little snitch, he eventually tracked down the culprit: a screensaver on his new Kindle Fire TV. A bug in the mosaic screensaver caused downloaded images to remain uncached.
New submitter Aryeh Goretsky writes: The IEEE Standards Assocation has launched an Anti-Malware Support Service to help the computer security industry respond more quickly to malware. The first two services available are a Clean file Metadata Exchange (PDF), to help prevent false positives in anti-malware software, and a Taggant System (PDF) to help prevent software packers from being abused. Official announcement is available at the offical website."
MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products: As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (gnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.
An anonymous reader writes In a post published Monday, Symantec writes that western countries including the U.S., Spain, France, Italy, Germany, Turkey, and Poland are currently the victims of an ongoing cyberespionage campaign. The group behind the operation, called Dragonfly by Symantec, originally targeted aviation and defense companies as early as 2011, but in early 2013, they shifted their focus to energy firms. They use a variety of malware tools, including remote access trojans (RATs) and operate during Eastern European business hours. Symantec compares them to Stuxnet except that "Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."
Vigile (99919) writes "As SSD controllers continue to evolve, so does the world of flash memory. With the release of the Samsung 850 Pro SSD announced today, Samsung is the first company to introduce 3D NAND technology to the consumer. By using 30nm process technology that might seem dated in some applications, Samsung has been reliably able to stack lithography and essentially "tunnel holes" in the silicon while coating the inside with the material necessary to hold a charge. The VNAND being used with the Samsung 850 Pro is now 32 layers deep, and though it lowers the total capacity per die, it allows Samsung to lower manufacturer costs with more usable die per wafer. This results in more sustainable and reliable performance as well as a longer life span, allowing Samsung to offer a 10 year warranty on the new drives. PC Perspective has a full review with performance results and usage over time that shows Samsung's innovation is leading the pack."
An anonymous reader writes For some reason that escapes me, a Judge has granted Microsoft permission to hijack NoIP's DNS. This is necessary according to Microsoft to thwart a "global cybercrime epidemic" being perpetrated by infected machines running Microsoft software. No-IP is a provider of dynamic DNS services (among other things). Many legitimate users were affected by the takedown: "This morning, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives. ... We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening."
tsu doh nimh writes In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. Some anti-spam experts who worked very closely on Canada's Anti-Spam Law (CASL) say they are baffled by Microsoft's response to a law which has been almost a decade in the making. Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide "warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased." Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.
Ars Technica has spent some time with pre-production (but very nearly final) samples of the Blackphone, from Geeksphone and Silent Circle. They give it generally high marks; the hardware is mostly solid but not cutting edge, but the software it comes with distinguishes it from run-of-the-mill Android phones. Though it's based on Android, the PrivOS system in these phone offers fine grained permissions, and other software included with the phone makes it more secure both if someone has physical access to the phone (by encrypting files, among other things) and if communications between this phone and another are being eavesdropped on. A small taste: At first start up, Blackphone’s configuration wizard walks through getting the phone configured and secured. After picking a language and setting a password or PIN to unlock the phone itself, the wizard presents the option of encrypting the phone’s stored data with another password. If you decline to encrypt the phone’s mini-SD storage during setup, you’ll get the opportunity later (and in the release candidate version of the PrivOS we used, the phone continued to remind me about that opportunity each time I logged into it until I did). PrivOS’ main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app’s access to the camera hardware and turn off the Browser app’s access to networks.
New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)
MojoKid (1002251) writes LG is probably getting a little tired of scraping for brand recognition versus big names like Samsung, Apple and Google. However, the company is also taking solace in the fact that their smartphone sales figures are heading for an all-time high in 2014, with an estimated 60 million units projected to be sold this year. LG's third iteration of their popular "G" line of flagship smartphones, simply dubbed the LG G3, is the culmination of all of the innovation the company has developed in previous devices to date, including its signature rear button layout, and a cutting-edge 5.5-inch QHD display that drives a resolution of 2560X1440 with a pixel density of 538 PPI. Not satisified with pixel overload, LG decide to equip their new smartphone with 'frickin' laser beams' to assist its 13MP camera in targeting subjects for auto-focus. The G3 performs well in the benchmarks with a Snapdragon 801 on board and no doubt its camera takes some great shots quickly and easily. However, it's questionable how much of that super high res 2560 display you can make use of on a 5.5-inch device.
mpicpp (3454017) writes Apple told news website The Loop that it has decided to abandon Aperture, its professional photo-editing software application. "With the introduction of the new Photos app and iCloud Photo Library, enabling you to safely store all of your photos in iCloud and access them from anywhere, there will be no new development of Aperture," Apple said in a statement to The Loop. "When Photos for OS X ships next year, users will be able to migrate their existing Aperture libraries to Photos for OS." The new Photos app, which will debut with OS X Yosemite when it launches this fall, will also replace iPhoto. It promises to be more intuitive and user friendly, but as such, likely not as full featured as what Aperture currently offers.
NotInHere (3654617) writes In 1996, Markus F. X. J. Oberhumer wrote an implementation of the Lempel–Ziv compression, which is used in various places like the Linux kernel, libav, openVPN, and the Curiosity rover. As security researchers have found out, the code contained integer overflow and buffer overrun vulnerabilities, in the part of the code that was responsible for processing uncompressed parts of the data. Those vulnerabilities are, however, very hard to exploit, and their scope is dependent on the actual implementation. According to Oberhumer, the problem only affects 32-bit systems. "I personally do not know about any client program that actually is affected", Oberhumer sais, calling the news about the possible security issue a media hype.
jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."
McGruber (1417641) writes In December 2013, Slashdot reported the arrest of seven metro Atlanta residents for allegedly selling counterfeit MARTA Breeze cards, stored-value smart cards that passengers use as part of an automated fare collection system on Atlanta's subway. Now, six months later (June 2014), the seven suspects have finally been indicted. According to the indictment, the co-conspirators purchased legitimate Breeze cards for $1, then fraudulently placed unlimited or monthly rides on the cards. They then sold the fraudulent cards to MARTA riders for a discounted cash price. Distributors of the fraudulent cards were stationed at several subway stations. The indictment claims that the ring called their organization the "Underground Railroad."
An anonymous reader writes As the support for the Microsoft (MS) Windows XP service is terminated this year, the government will try to invigorate open source software in order to solve the problem of dependency on certain software. By 2020 when the support of the Windows 7 service is terminated, it is planning to switch to open OS and minimize damages. Industry insiders pointed out that the standard e-document format must be established and shared as an open source before open source software is invigorated. A similar suggestion that Korea might embrace more open source (but couched more cautiously, with more "should" and "may") is reported on the news page of the EU's program on Interoperability Solutions for European Public Administrations, based on a workshop presentation earlier this month by Korea's Ministry of Science, ICT, and Future Planning. (And at a smaller but still huge scale, the capitol city of Seoul appears to be going in for open source software in a big way, too.)
New submitter outofluck70 (1734164) writes Got an email today from Microsoft, text is below. [Note: text here edited for formatting and brevity; see the full text at seclists.org.] They are no longer going to send out emails regarding patches, you have to use RSS or keep visiting their security sites. They blame "governmental policies" as the reason. What could the real reason be? Anybody in the know? From the email: "Notice to IT professionals: As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following: Security bulletin advance notifications; Security bulletin summaries; New security advisories and bulletins; Major and minor revisions to security advisories and bulletins. In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website." WindowsIT Pro blames Canada's new anti-spam law.
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
Trailrunner7 (1100399) writes ... Security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones, and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops. The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so. The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt's Fifth Amendment rights. The ruling.
Last fall, Newegg lost a case against patent troll TQP for using SSL with RC4, despite arguments from Diffie of Diffie-Hellman key exchange. Intuit was also targeted by a lawsuit for infringing the same patent, and they were found not to be infringing. mpicpp (3454017) sends this excerpt from Ars: U.S. Circuit Judge William Bryson, sitting "by designation" in the Eastern District of Texas, has found in a summary judgment ruling (PDF) that the patent, owned by TQP Development, is not infringed by the two defendants remaining in the case, Intuit Corp. and Hertz Corp. In a separate ruling (PDF), Bryson rejected Intuit's arguments that the patent was invalid. Not a complete victory (a clearly bogus patent is still not invalidated), but it's a start.
angry tapir writes The Australian government has indicated it intends to seek a boost to the powers of Australia's spy agencies, particularly ASIO (the Australian Security Intelligence Organization). The attorney-general told the Senate today that the government would introduce legislation based on recommendations of a parliamentary committee that last year canvassed "reforms" including boosting ASIO's power to penetrate third party computer systems to intercept communications to and from a target. That report also covered other issues such as the possibility of introducing a mandatory data retention scheme for ISPs and telcos.
cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.
itwbennett writes: A group of researchers from Google, the Hong Kong University of Science and Technology and the University of Nebraska undertook a study of over 26 million builds by 18,000 Google engineers from November 2012 through July 2013 to better understand what causes software builds to fail and, by extension, to improve developer productivity. And, while Google isn't representative of every developer everywhere, there are a few findings that stand out: Build frequency and developer (in)experience don't affect failure rates, most build errors are dependency-related, and C++ generates more build errors than Java (but they're easier to fix).
chicksdaddy (814965) writes "According to DUO, PayPal's mobile app doesn't yet support Security Key and displays an error message to users with the feature enabled when they try to log in to their PayPal account from a mobile device, terminating their session automatically. However, researchers at DUO noticed that the PayPal iOS application would briefly display a user's account information and transaction history prior to displaying that error message and logging them out. ... The DUO researchers investigated: intercepting and analyzing the Web transaction between the PayPal mobile application and PayPal's back end servers and scrutinizing how sessions for two-factor-enabled accounts versus non-two-factor-enabled accounts were handled. They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client — not on the server." The attack worked simply by intercepting a server response and toggling a flag (2fa_enabled) from true to false. After being alerted, PayPal added a workaround to limit the scope of the hole. Update: 06/26 00:42 GMT by T : (Get the story straight from the source: Here's the original report from DUO.)
Google I/O, the company's annual developer tracking^wdevelopers conference, has opened today in San Francisco. This year the company has reduced the number of conference sessions to 80, but also promised a broader approach than in previous years -- in other words, there may be a shift in focus a bit from Google's best known platforms (Chrome/Chrome OS and Android). Given its wide-ranging acquisitions and projects (like the recent purchase of Nest, which itself promptly bought Dropcam, the ever smarter fleet of self-driving cars, the growing number of Glass devices in the wild, and the announcement of a 3D scanning high end tablet quite unlike the Nexus line of tablets and phones), there's no shortage of edges to focus on. Judging from the booths set up in advance of the opening (like one with a sign announcing "The Physical Web," expect some of the stuff that gets lumped into "the Internet of Things." Watch this space -- updates will appear below -- for notes from the opening keynote, or follow along yourself with the live stream, and add your own commentary in the comments. In the days to come, watch for some video highlights of projects on display at I/O, too. Update: 06/25 17:41 GMT by T : Updates rolling in below on Android, wearables, Android in cars, Chromecast, smart watches, etc.Keep checking back! (Every few minutes, I get another chunk in there.)
An anonymous reader writes The experts at Kaspersky Lab have discovered evidence of a targeted attack against the clients of a large European bank. According to the logs found in the server used by the attackers, apparently in the space of just one week cybercriminals stole more than half a million euros from accounts in the bank. The experts also detected transaction logs on the server, containing information about which sums of money were taken from which accounts. All in all, more than 190 victims could be identified, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged between 1,700 to 39,000 euros.
An anonymous reader writes Work/life balance is a constant problem in the tech industry. Even though experienced and mature engineers have been vocal in fighting it, every new generation buys into the American cultural identity of excessive work being a virtue. Each generation suffers for it, and the economy does, too. This article backs up that wisdom with hard numbers: "The 40-hour workweek is mostly a thing of the past. Ninety-four percent of professional workers put in 50 or more hours, and nearly half work 65 or above. All workers have managed to cut down on our time on the job by 112 hours over the last 40 years, but we're far behind other countries: The French cut down by 491 hours, the Dutch by 425, and Canadians by 215 in the same time period. ... This overwork shows up in our sleep. Out of five developed peers, four other countries sleep more than us. That has again worsened over the years. In 1942, more than 80 percent of Americans slept seven hours a night or more. Today, 40 percent sleep six hours or less. A lack of sleep makes us poorer workers: People who sleep less than seven hours a night have a much harder time concentrating and getting work done."
msm1267 (2804139) writes Controversial spyware commercially developed by Italy's Hacking Team and sold to governments and law enforcement for the purpose of surveillance has a global command and control infrastructure. For the first time, security experts have insight into how its mobile malware components work. Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Monk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting Hacking Team's Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices. Adds reader Trailrunner7: [T]he report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices. The new modules enable governments and law enforcement officers with extensive monitoring capabilities over victims, including the ability to report on their location, steal data from their device, use the device's microphone in real time, intercept voice and SMS messages sent via applications such as Skype, WhatsApp, Viber, and much more.
mpicpp (3454017) writes with news that a dump of fare logs from NYC cabs resulted in trip details being leaked thanks to using an MD5 hash on input data with a very small key space and regular format. From the article: City officials released the data in response to a public records request and specifically obscured the drivers' hack license numbers and medallion numbers. ... Presumably, officials used the hashes to preserve the privacy of individual drivers since the records provide a detailed view of their locations and work performance over an extended period of time.
It turns out there's a significant flaw in the approach. Because both the medallion and hack numbers are structured in predictable patterns, it was trivial to run all possible iterations through the same MD5 algorithm and then compare the output to the data contained in the 20GB file. Software developer Vijay Pandurangan did just that, and in less than two hours he had completely de-anonymized all 173 million entries.
It turns out there's a significant flaw in the approach. Because both the medallion and hack numbers are structured in predictable patterns, it was trivial to run all possible iterations through the same MD5 algorithm and then compare the output to the data contained in the 20GB file. Software developer Vijay Pandurangan did just that, and in less than two hours he had completely de-anonymized all 173 million entries.
An anonymous reader writes in with news that the memo presenting a case for killing Anwar al-Awlaki has been released thanks to a Freedom of Information Act lawsuit. The U.S. Court of Appeals for the Second Circuit on Monday released a secret 2010 Justice Department memo justifying the killing of Anwar al-Awlaki, a U.S citizen killed in a drone strike in 2011. The court released the document as part of a Freedom of Information Act lawsuit filed by The New York Times and the American Civil Liberties Union to make the document public. Then-acting Assistant Attorney General David Barron, in the partially redacted 41-page memo, outlines the justification of the drone strike in Yemen to take out al-Awlaki, an alleged operational leader of al Qaeda.
An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."
Presto Vivace writes: Fortune has an article about increasingly overt age discrimination in the tech industry. Quoting: "It's a widely accepted reality within the technology industry that youth rules. But at least part of the extreme age imbalance can be traced back to advertisements for open positions that government regulators say may illegally discriminate against older applicants. Many tech companies post openings exclusively for new or recent college graduates, a pool of candidates that is overwhelmingly in its early twenties. ... 'In our view, it's illegal,' Raymond Peeler, senior attorney advisor at the Equal Employment Opportunity Commission, the federal agency that enforces workplace discrimination laws said about the use of 'new grad' and 'recent grad' in job notices. 'We think it deters older applicants from applying.'" Am I the only one who thinks many of the quality control issues and failed projects in the tech industry can be attributed to age discrimination?
An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."
An anonymous reader writes "With the Linux 3.16 kernel the Nouveau driver now supports re-clocking for letting the NVIDIA GPU cores and video memory on this reverse-engineered NVIDIA driver run at their designed frequencies. Up to now the Nouveau driver has been handicapped to running at whatever (generally low) clock frequencies the video BIOS programmed the hardware to at boot time, but with Linux 3.16 is experimental support for up-clocking to the hardware-rated speeds. The results show the open-source NVIDIA driver running multiple times faster, but it doesn't work for all NVIDIA hardware, causes lock-ups for some GPUs at some frequencies, and isn't yet dynamically controlled. However, it appears to be the biggest break-through in years for this open-source NVIDIA driver that up to now has been too slow for most Linux games."
drinkypoo writes: Zachary Wikholm of Security Incident Response Team (CARISIRT) has publicly announced a serious failure in IPMI BMC (management controller) security on at least 31,964 public-facing systems with motherboards made by SuperMicro: "Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152." These BMCs are running Linux 2.6.17 on a Nuvoton WPCM450 chip. An exploit will be rolled into metasploit shortly. There is already a patch available for the affected hardware.
itwbennett writes: "A proposed $324.5 million settlement of claims that Silicon Valley companies (Adobe, Apple, Google, and Intel) suppressed worker wages by agreeing not to hire each others' employees may not be high enough, a judge signaled on Thursday. Judge Lucy Koh didn't say whether she would approve the settlement, but she did say in court that she was worried about whether that amount was fair to the roughly 64,000 technology workers represented in the case. Throughout Thursday's hearing, she questioned not just the amount but the logic behind the settlement as presented by lawyers for both the plaintiffs and the defendants."
An anonymous reader writes Der Spiegel has written a piece on the extent of collaboration between Germany's intelligence agency, Bundesnachrichtendienst (BND), and the U.S.'s National Security Agency (NSA). The sources cited in the piece do reveal BND's enthusiastic collusion in enabling the NSA to tap fiber optic cables in Germany, but they seem inconclusive as to how much information from the NSA's collection activity in the country is actually shared between the NSA and BND. Of note is evidence that the NSA's collection methods do not automatically exclude German companies and organizations from their data sweep; intelligence personnel have to rectro-actively do so on an individual basis when they realize that they are surveilling German targets. Germany's constitution protects against un-warranted surveillance of correspondence, either by post or telecommunications, of German citizens in Germany or abroad and foreigners on German soil.
New submitter UrsaMajor987 (3604759) writes I recently retired after a long career in IT. I am not ready to kick the bucket quite yet, but having seen the difficulty created by people dying without a will and documenting what they have and where it is, I am busy doing just that. At the end of it all, I will have documentation on financial accounts, passwords, etc., which I will want to share with a few people who are pretty far away. I can always print a copy and have it delivered to them, but is there any way to share this sort of information electronically? There are lots of things to secure transmission of data, but once it arrives on the recipients' desktop, you run the risk of their system being compromised and exposing the data. Does anyone have any suggestions? Is paper still the most secure way to go?
msm1267 (2804139) writes Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.
MojoKid (1002251) writes For years, we've heard rumors that Intel was building custom chips for Google or Facebook, but these deals have always been assumed to work with standard hardware. Intel might offer a different product SKU with non-standard core counts, or a specific TDP target, or a particular amount of cache — but at the end of the day, these were standard Xeon processors. Today, it looks like that's changing for the first time — Intel is going to start embedding custom FPGAs into its own CPU silicon. The new FPGA-equipped Xeons will occupy precisely the same socket and platform as the standard, non-FPGA Xeons. Nothing will change on the customer front (BIOS updates may be required), but the chips should be drop-in compatible. The company has not stated who provided its integrated FPGA design, but Altera is a safe bet. The two companies have worked together on multiple designs and Altera (which builds FPGAs) is using Intel for its manufacturing. This move should allow Intel to market highly specialized performance hardware to customers willing to pay for it. By using FPGAs to accelerate certain specific types of workloads, Intel Xeon customers can reap higher performance for critical functions without translating the majority of their code to OpenCL or bothering to update it for GPGPU.
DavidGilbert99 (2607235) writes Mobile malware on Android is nothing new, but now security company FireEye has discovered in the Google Play store a sophisticated piece of malware which is posing as....the official Google Play store. Using the same icon but a different name, the malware is not being detected by the vast majority of security vendors, is difficult to uninstall and steals your messages, security certificates and banking details.
An anonymous reader writes On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might be no good idea, because the code needs a rewrite, but he allows to use the existing code as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference."