Businesses

In Defense of Project Management For Software Teams (techbeacon.com) 160

mikeatTB writes: Many Slashdotters weighed in on Steven A. Lowe's post, "Is Project Management Killing Good Products, Teams and Software?", where he slammed project management and called for product-centrism. Many commenters pushed back, but one PM, Yvette Schmitter, has fired back with a scathing response post, noting: "As a project manager, I'm saddened to see that project management and project managers are getting a bad rap from both ends of the spectrum. Business tends not to see the value in them, and developers tend to believe their own 'creativity' is being stymied by them. Let's set the record straight: Project management is a prized methodology for delivering on leadership's expectations.

"The success of the methodology depends on the quality of the specific project manager..." she continues. "If the project is being managed correctly by the project manager/scrum master, that euphoric state that developers want to get to can be achieved, along with the project objectives -- all within the prescribed budget and timeline. Denouncing an entire practice based on what appears to be a limited, misaligned application of the correct methodology does not make all of project management and all project managers bad."

How do Slashdot readers feel about project management for software teams?
Security

'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com) 72

An anonymous reader writes: An investigation by Sophos has uncovered a new, lazy but effective ransomware attack where hackers brute force passwords on computers with [Microsoft's] Remote Desktop Protocol enabled, use off-the-shelf privilege escalation exploits to make themselves admins, turn off security software and then manually run fusty old versions of ransomware.
They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."

Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."
Iphone

Apple Fixes the iPhone X 'Unresponsive When It's Cold' Bug (arstechnica.com) 42

An anonymous reader quotes Ars Technica: Apple released iOS 11.1.2 for iPhones and iPads Thursday afternoon. It's a minor, bug-fix update that benefits iPhone X users who encountered issues after acquiring the new phone just under two weeks ago... The update fixes just two problems. The first is "an issue where the iPhone X screen becomes temporarily unresponsive to touch after a rapid temperature drop." Last week, some iPhone X owners began reporting on Reddit and elsewhere that their touchscreens became temporarily unresponsive when going outside into the cold... The update also "addresses an issue that could cause distortion in Live Photos and videos captured with iPhone X."
The article notes that the previous update "fixed a strange and widely mocked autocorrect bug that turned the letter 'i' into strange characters."

"To date, iOS 11's updates have largely been bug fixes."
Google

'I See Things Differently': James Damore on his Autism and the Google Memo (theguardian.com) 682

"James Damore opens up about his regrets -- and how autism may have shaped his experience of the world," writes the west coast bureau chief for the Guardian. An anonymous reader quotes their report: The experience has prompted some introspection. In the course of several weeks of conversation using Google's instant messaging service, which Damore prefers to face-to-face communication, he opened up about an autism diagnosis that may in part explain the difficulties he experienced with his memo. He believes he has a problem understanding how his words will be interpreted by other people... It wasn't until his mid-20s, after completing research in computational biology at Princeton and MIT, and starting a PhD at Harvard, that Damore was diagnosed with autism, although he was told he had a milder version of the condition known as "high-functioning autism"...

Damore argues that Google's focus on avoiding "micro-aggressions" is "much harder for someone with autism to follow". But he stops short of saying autistic employees should be given more leniency if they unintentionally offend people at work. "I wouldn't necessarily treat someone differently," he explains. "But it definitely helps to understand where they're coming from." I ask Damore if, looking back over the last few months, he feels that his difficult experience with the memo and social media may be related to being on the spectrum. "Yeah, there's definitely been some self-reflection," he says. "Predicting controversies requires predicting what emotional reaction people will have to something. And that's not something that I excel at -- although I'm working on it."

Transportation

DJI Threatens Researcher Who Reported Exposed Cert Key, Credentials, and Customer Data (arstechnica.com) 81

An anonymous reader quotes Ars Technica: DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
IBM

Tech Companies Try Apprenticeships To Fill The Tech Skills Gap (thehill.com) 123

Slashdot reader jonyen writes: For generations, apprenticeships have been the way of working life; master craftsmen taking apprentices under their wing, teaching them the tools of the trade. This declined during the Industrial Revolution as the advent of the assembly line enabled mass employment for unskilled laborers. The master-apprentice model went further out of focus as higher education and formal training became increasingly more valuable.

Fast forward to the 21st century, where employers are turning back the page to apprenticeships in an effort to fill a growing skills gap in the labor force in the digital age. Code.org estimates there will be a million unfulfilled tech jobs by 2020.

jonyen shared this article by IBM's Vice President of Talent:IBM is committed to addressing this shortage and recently launched an apprenticeship program registered with the US Department of Labor, with a plan to have 100 apprentices in 2018. ... Other firms have taken up the apprenticeship challenge as well. Salesforce CEO Marc Benioff, for example, has called for creating 5 million American apprentices in the next five years.

An apprenticeship offers the chance for Americans to get the formal education they need, whether through a traditional university, a community college or a trade school, while getting something else: On-the-job experience and an income... Right now, there are more than 6 million jobs in the U.S. that are going unfilled because employers can't find candidates with the right skills, according to the Labor Department.

IBM says their apprentices "are on their way to becoming software developers in our Cloud business and mainframe administrators for technologies like Blockchain, and we will add new apprenticeships in data analytics and cybersecurity as we replicate the program across the U.S."

"Ninety-one percent of apprentices in the U.S. find employment after completing their program, and their average starting wage is above $60,000."
Bug

iPhone X Owners Experience 'Crackling' or 'Buzzing' Sounds From Earpiece Speaker (macrumors.com) 104

MacRumors reports: A limited but increasing number of iPhone X owners claim to be experiencing so-called "crackling" or "buzzing" sounds emanating from the device's front-facing earpiece speaker at high or max volumes. Over two dozen users have said they are affected in a MacRumors discussion topic about the matter, while similar reports have surfaced on Twitter and Reddit since the iPhone X launched just over a week ago. On affected devices, the crackling sounds occur with any kind of audio playback, including phone calls, music, videos with sound, alarms, and ringtones. The issue doesn't appear to be limited to any specific iPhone X configuration or iOS version.
"The speakerphone for an $1100 phone should be at least as good as it was on the iPhone 6 and 7," complained one user, "but instead, it's crackly, edgy and buzzy."

"I believe we all knew the iPhone X would be highly scrutinized," writes Slashdot reader sqorbit, "but the reported problems appear to be stacking up."
The Military

Massive US Military Social Media Spying Archive Left Wide Open In AWS S3 Buckets (theregister.co.uk) 85

An anonymous reader quotes a report from The Register: Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages -- all scraped from around the world by the U.S. military to identify and profile persons of interest. The archives were found by veteran security breach hunter UpGuard's Chris Vickery during a routine scan of open Amazon-hosted data silos, and these ones weren't exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive. CENTCOM is the common abbreviation for the U.S. Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for U.S. Pacific Command, covering the rest of southern Asia, China and Australasia.

"For the research I downloaded 400GB of samples but there were many terabytes of data up there," he said. "It's mainly compressed text files that can expand out by a factor of ten so there's dozens and dozens of terabytes out there and that's a conservative estimate." Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens. The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the U.S. government's Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Security

Windows 8 and Later Fail To Properly Apply ASLR (bleepingcomputer.com) 62

An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have enabled system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.

The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-years-old bug in the Microsoft Office equation editor, to which Microsoft appears to have lost the source code and needed to patch it manually.

Privacy

Germany Bans Children's Smartwatches (bbc.com) 44

A German regulator has banned the sale of smartwatches aimed at children, describing them as spying devices. From a report: It had previously banned an internet-connected doll called, My Friend Cayla, for similar reasons. Telecoms regulator the Federal Network Agency urged parents who had such watches to destroy them. One expert said the decision could be a "game-changer" for internet-connected devices. "Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids' GPS tracking watches - the very watches that are supposed to help keep them safe," said Ken Munro, a security expert at Pen Test Partners.
Social Networks

Report Claims That 18 Nation's Elections Were Impacted By Social Engineering Last Year (bbc.com) 235

sqorbit writes: Independent watchdog group Freedom House released a report that claims that 18 nation's elections were "hacked." Of the 65 countries that Freedom House monitors, 30 appear to be using social media in order to affect elections by attempting to control online discussions. The report covers fake news posts, paid online opinion writers and trolling tactics. Other items in the report speak to online censorship and VPN blocking that blocks information within countries to interfere with elections. The report says net freedom could be aided by: large-scale programs that showed people how to spot fake news; putting tight controls on political adverts; and making social media giants do more to remove bots and tune algorithms to be more objective.
Security

Bluetooth Hack Affects 20 Million Amazon Echo, Google Home Devices (thehackernews.com) 40

In September, security researchers discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. We have now learned that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. The Hacker News reports: Amazon Echo is affected by the following two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251); and an information disclosure flaw in the SDP server (CVE-2017-1000250). Since different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. Whereas, Google Home devices are affected by one vulnerability: information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. The security firm [Armis, who disclosed the issue] notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks.
Security

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com) 106

Security researchers claim to have discovered a flaw in Amazon's Key Service, which if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.
Communications

Phone Companies Get New Tools To Block Spam Calls (cnbc.com) 129

An anonymous reader shares a report: Phone companies will have greater authority to block questionable calls from reaching customers as regulators adopted new rules to combat automated messages known as robocalls. Rules adopted Thursday by the Federal Communications Commission represent the latest tools against "robocalls," which pester consumers, sometimes multiple times each day, and often push scams. Phone companies can already block some calls that trick consumers by showing up on Caller ID with fake numbers. The new rules make clear that they can block additional calls that are likely scams, such as numbers that start with a 911 area code, or one that isn't currently assigned to anyone.
Security

Internal Kaspersky Investigation Says NSA Worker's Computer Was Infested with Malware (vice.com) 141

A reader shares a report: The personal computer of an NSA worker who took government hacking tools and classified documents home with him was infected with a backdoor trojan, unrelated to these tools, that could have been used by criminal hackers to steal the US government files, according to a new report being released Thursday by Kaspersky Lab in response to recent allegations against the company. The Moscow-based antivirus firm, which has been accused of using its security software to improperly grab NSA hacking tools and classified documents from the NSA worker's home computer and provide them to the Russian government, says the worker had at least 120 other malicious files on his home computer in addition to the backdoor, and that the latter, which had purportedly been created by a Russian criminal hacker and sold in an underground forum, was trying to actively communicate with a malicious command-and-control server during the time Kaspersky is accused of siphoning the US government files from the worker's computer. Costin Raiu, director of the company's Global Research and Analysis Team, told Motherboard that his company's software detected and prevented that communication but there was a period of time when the worker had disabled his Kaspersky software and left his computer unprotected. Raiu says they found evidence that the NSA worker may have been infected with a second backdoor as well, though they saw no sign of it trying to communicate with an external server so they don't know if it was active on his computer.
Privacy

Consumers Are Holding Off On Buying Smart-Home Gadgets Due To Security, Privacy Fears (businessinsider.com) 143

According to a new survey from consulting firm Deloitte, consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes. The firm found that consumer interest in connected home technology lags behind their interest in other types of IoT devices. Business Insider reports: "Consumers are more open to, and interested in, the connected world," the firm said in its report. Noting the concerns about smart home devices, it added: "But not all IoT is created equal." Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives. Meanwhile, the vast majority of consumers think gadget makers weren't doing a good job of telling them about security risks. Fewer than 20% of survey respondents said they were very well informed about such risks and almost 40% said they weren't informed at all.
IT

Hoverboards Recalled For Fire and Explosion Risks -- Again (cnbc.com) 37

An anonymous reader shares a report: The Consumer Product Safety Commission recalled hoverboards from several companies over concerns the devices could catch fire or explode. The series of recalls affects roughly 16,000 hoverboards from brands including iHoverspeed, Sonic Smart Wheels, Tech Drift, iLive, Go Wheels, Drone Nerds, LayZ Board and Smart Balance Wheel. All the brands of self-balancing scooters share a common problem: lithium-ion batteries that could potentially overheat and cause a fire or explode. The agency is advising owners to stop using the hoverboards immediately and return them to the appropriate company for a replacement. Consumers can visit the CPSC website for details on the recalls and how to contact companies for replacements.
Security

Amazon Is Cutting Prices at Whole Foods Again (cnn.com) 122

An anonymous reader shares a report: Amazon is giving Whole Foods shoppers an early gift for the holidays. The grocer announced Wednesday it's slashing prices again, this time on several "holiday staples," including sweet potatoes, canned pumpkin and turkey. If you're an Amazon Prime member, you'll pay even less for turkey: Whole Foods slashed turkey prices to $1.99 per pound (compared to $2.49 for non-Prime members), or $2.99 per pound for an organic turkey ($3.49 for non-Prime members).
Security

Forbes '30 Under 30' Conference Website Exposed Attendees' Personal Information (vice.com) 12

An anonymous reader shares a Motherboard report: Every year, Forbes' 30 Under 30 list recognizes people blessed with both youth and exceptional talent in their field -- including celebrities, startup founders, doctors, and artists. These are smart, savvy professionals -- and when some of them include information security pros, they're bound to go poking around for vulnerabilities. That's what Yan Zhu, a privacy engineer who made the 2015 list, was doing when she found a gaping privacy hole in the way Forbes handles recipients' personal information. Once you make the list, Yan told me in a Twitter direct message, Forbes asks you to register for its annual Under 30 Summit conference. "They send you a link for conference registration, but it's not tied to your email address," she said. "So you can literally enter anyone's email address who is also a 30 Under 30 member and it shows you their personal info." That information carries over into all future years, she said.
Transportation

Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com) 140

schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.
Communications

Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com) 32

An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.
Security

About 15 Percent of US Agencies Detected Kaspersky Software on Networks (reuters.com) 81

Dustin Volz, reporting for Reuters: About 15 percent of U.S. federal agencies have reported some trace of Moscow-based Kaspersky Lab software on their systems, a Department of Homeland Security (DHS) official told Congress on Tuesday. Jeanette Manfra, assistant secretary for cyber security at DHS, told a U.S. House of Representatives panel that 94 percent of agencies had responded to a directive ordering them to survey their networks to identify any use of Kaspersky Lab products and to remove them. But Manfra said DHS did "not currently have conclusive evidence" that any networks had been breached due to their use of Kaspersky Lab software. The administration of President Donald Trump ordered civilian U.S. agencies in September to remove Kaspersky Lab from their networks, amid worries the antivirus firm was vulnerable to Kremlin influence and that using its anti-virus software could jeopardize national security.
Android

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (bleepingcomputer.com) 73

Catalin Cimpanu, writing for BleepingComputer: Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers. The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson -- the name of the main character in the Mr. Robot TV series. Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.
Security

Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files (bbc.com) 36

Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey. "Huddles contain some very sensitive information."
Transportation

US Airports Still Fail New Security Tests (go.com) 182

schwit1 quotes ABC News: In recent undercover tests of multiple airport security checkpoints by the Department of Homeland Security, inspectors said screeners, their equipment or their procedures failed more than half the time, according to a source familiar with the classified report. When ABC News asked the source if the failure rate was 80 percent, the response was, "You are in the ballpark." In a public hearing after a private classified briefing to the House Committee on Homeland Security, members of Congress called the failures by the Transportation Security Administration disturbing. Rep. Mike Rogers went as far as to tell TSA Administrator David Pekoske, "This agency that you run is broken badly, and it needs your attention."
Bug

The iPhone X Becomes Unresponsive When It Gets Cold (zdnet.com) 196

sqorbit writes: Apple is working on a fix for the newly release iPhone X. It appears that the touch screen can become unresponsive when the iPhone is subjected to cold weather. Users are reporting that locking and unlocking the phone resolves the issue. Apple stated that it is aware of the issue and it will be addressed in a future update.
Businesses

Equifax Tells Investors They Could Be Breached Again - And That They're Still Profitable (nypost.com) 90

"Equifax executives will forgo their 2017 bonuses," reports CNBC. But according to the New York Post, the company "hasn't lost any significant business customers... Equifax largely does business with banks and other financial institutions -- not with the people they collect information on."

Even though it's facing more than 240 class-action lawsuits, Equifax's revenue actually increased 3.8% from July to September, to a whopping $834.8 million, while their net income for that period was $96.3 million -- which is still more than the $87.5 million that the breach cost them, according to a new article shared by chicksdaddy: The disclosure, made as part of the company's quarterly filing with the US Securities and Exchange Commission, is the first public disclosure of the direct costs of the incident, which saw the company's stock price plunge by more than 30% and wiped out billions of dollars in value to shareholders. Around $55.5m of the $87.5m in breach-related costs stems from product costs â" mostly credit monitoring services that it is offering to affected individuals. Professional fees added up to another $17.1m for Equifax and consumer support costs totaled $14.9m, the company said. Equifax also said it has spent $27.3 million of pretax expenses stemming from the cost of investigating and remediating the hack to Equifax's internal network as well as legal and other professional expenses.

But the costs are likely to continue. Equifax is estimating costs of $56 million to $110 million in "contingent liability" in the form of free credit monitoring and identity theft protection to all U.S. consumers as a good will gesture. The costs provided by Equifax are an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. So far, however, the company has only incurred $4.7 million through the end of September. So, while the upper bound of those contingent liability costs is high, there's good reason to believe that they will never be reached.

The Post reports that some business customers "have delayed new contracts until Equifax proves that they've done enough to shore up their cybersecurity."

But in their regulatory filing Thursday, Equifax admitted that "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again."
Encryption

iPhone Encryption Hampers Investigation of Texas Shooter, Says FBI (chron.com) 240

"FBI officials said Tuesday they have been stymied in their efforts to unlock the cellphone of the man who shot and killed at least 26 people at a church here on Sunday," reports the Houston Chronicle. Slashdot reader Anon E. Muss writes: The police obtained a search warrant for the phone, but so far they've been unable to unlock it. The phone has been sent to the FBI, in the hope that they can break in... If it is secure, and the FBI can't open it, expect all hell to break loose. The usual idiots (e.g. politicians) will soon be ranting hysterically about the evil tech industry, and how they're refusing to help law enforcement.
FBI special agent Christopher Combs complained to the Chronicle that "law enforcement increasingly cannot get in to these phones."

A law professor at the Georgia Institute of Technology argues there's other sources of information besides a phone, and police officers might recognize this with better training. As just one example, Apple says the FBI could've simply just used the dead shooter's fingerprint to open his iPhone. But after 48 hours, the iPhone's fingerprint ID stops working.
Bug

Researchers Run Unsigned Code on Intel ME By Exploiting USB Ports (thenextweb.com) 171

Slashdot user bongey writes: A pair of security researchers in Russia are claiming to have compromised the Intel Management Engine just using one of the computer's USB ports. The researchers gained access to a fully functional JTAG connection to Intel CSME via USB DCI. The claim is different from previous USB DCI JTAG examples from earlier this year. Full JTAG access to the ME would allow making permanent hidden changes to the machine.
"Getting into and hijacking the Management Engine means you can take full control of a box," reports the Register, "underneath and out of sight of whatever OS, hypervisor or antivirus is installed."

They add that "This powerful God-mode technology is barely documented," while The Next Web points out that USB ports are "a common attack vector."
United States

H1-B Administrators Are Challenging An Unusually Large Number of Applications (bloomberg.com) 304

Long-time Slashdot reader decaffeinated quotes Bloomberg: Starting this summer, employers began noticing that U.S. Citizenship and Immigration Services was challenging an unusually large number of H-1B applications. Cases that would have sailed through the approval process in earlier years ground to a halt under requests for new paperwork. The number of challenges -- officially known as "requests for evidence" or RFEs -- are up 44 percent compared to last year, according to statistics from USCIS...

"We're entering a new era," said Emily Neumann, an immigration lawyer in Houston who has been practicing for 12 years. "There's a lot more questioning, it's very burdensome." She said in past years she's counted on 90 percent of her petitions being approved by Oct. 1 in years past. This year, only 20 percent of the applications have been processed. Neumann predicts she'll still have many unresolved cases by the time next year's lottery happens in April 2018.

Security

The Computer Scientist Who Prefers Voting With Paper (theatlantic.com) 219

Geoffrey.landis writes: The Atlantic profiles a computer scientist: Barbara Simons, who has been on the forefront of the pushback against electronic voting as a technology susceptible to fraud and hacking. When she first started writing articles about the dangers of electronic voting with no paper trail, the idea that software could be manipulated to rig elections was considered a fringe preoccupation; but Russia's efforts to influence the 2016 presidential election have reversed Simons's fortunes. According to the Department of Homeland Security, those efforts included attempts to meddle with the electoral process in 21 states; while a series of highly publicized hacks -- at Sony, Equifax, the U.S. Office of Personnel Management -- has driven home the reality that very few computerized systems are truly secure. Simons is a former President of the Association for Computing Machinery (ACM); and the group she helps run, Verified Voting, has been active in educating the public about the dangers of unverified voting since 2003.
Bug

Sex Toy Company Admits To Recording Users' Remote Sex Sessions, Calls It a 'Minor Bug' (theverge.com) 81

According to Reddit user jolioshmolio, Hong Kong-based sex toy company Lovense's remote control vibrator app (Lovense Remote) recorded a use session without their knowledge. "An audio file lasting six minutes was stored in the app's local folder," reports The Verge. "The user says he or she gave the app access to the mic and camera but only to use with the in-app chat function and to send voice clips on command -- not constant recording when in use." The app's behavior appears to be widespread as several others confirmed it too. From the report: A user claiming to represent Lovense responded and called this recording a "minor bug" that only affects Android users. Lovense also says no information or data was sent to the company's servers, and that this audio file exists only temporarily. An update issued today should fix the bug. This isn't Lovense's first security flub. Earlier this year, a butt plug made by the company -- the Hush -- was also found to be hackable. In the butt plug's case, the vulnerability had to do with Bluetooth, as opposed to the company spying on users.
Facebook

This Time, Facebook Is Sharing Its Employees' Data (fastcompany.com) 45

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

Encryption

Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com) 104

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

Security

Man Who Sent GIF of Laughing Mouse To Employer After DDoS Attack Is Now Arrested (bleepingcomputer.com) 75

An anonymous reader writes: The FBI has arrested and charged a man for launching DDoS attacks against a wide range of targets, including his former employer, a Minnesota-based PoS repair shop. The man, who bought access to a VPN but didn't use it all the time, was caught after registering email accounts and sending taunting emails to victims, including his former employer. The taunting emails also included a GIF image of a laughing mouse, which eventually tied the man to the DDoS attacks as well. The guy also uploaded the image on Facebook in a post that asked people to join in DDoS attacks on banks as part of Anonymous' Operation Icarus. The suspect also created the fake email accounts using the name of another former colleague, trying to pin suspicions on him. The FBI was not only able to track the man's real IP address, but they also tied him to attacks without a doubt because he used a DDoS-for-hire service that was hacked and its database was shared with the FBI.
Spam

Security Firm Creates Chatbot To Respond To Scam Emails On Your Behalf (theverge.com) 70

An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam , an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.
IT

After Outrage, Logitech Gives Free Upgrade To Owners of Soon To Be Obsolete Device (gizmodo.com) 105

It looks like Logitech didn't anticipate the barrage of criticism it received after announcing this week that it would be intentionally bricking its Harmony Link hub next March. The company is now reversing course. Its Harmony Link will still die next summer, but if you own one, the company is happy to give you a free upgrade to the more recent Harmony Hub model. From a report: Originally, Logitech planned to only offer Harmony Link owners with active warranties free upgrades to its new Harmony Hub devices. But for people out of warranty -- possibly the majority of Harmony Link users, as the devices were last sold in 2015 -- they would just get a one-time, 35 percent discount on a new $100 Harmony Hub. However, after customer outrage, Logitech revised it plans and announced that the company will give every Harmony Link owner a new Hub for free. Additionally, users who had already used the coupon to purchase a new Hub will also be able to contact Logitech in order to obtain a refund for the difference in price. However, Logitech is still not planning to extend support for the Harmony Link. The company says, "We made the business decision to end the support and services of the Harmony Link when the encryption certificate expires in the spring of 2018 -- we would be acting irresponsibly by continuing the service knowing its potential/future vulnerability."
Security

How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible (arstechnica.com) 34

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerablity after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.
Encryption

DOJ: Strong Encryption That We Don't Have Access To Is 'Unreasonable' (arstechnica.com) 510

An anonymous reader quotes a report from Ars Technica: Just two days after the FBI said it could not get into the Sutherland Springs shooter's seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the "government's unexpected encryption warrior." According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying. "We have an ongoing dialogue with a lot of tech companies in a variety of different areas," he told Politico Pro. "There's some areas where they are cooperative with us. But on this particular issue of encryption, the tech companies are moving in the opposite direction. They're moving in favor of more and more warrant-proof encryption." "I want our prosecutors to know that, if there's a case where they believe they have an appropriate need for information and there is a legal avenue to get it, they should not be reluctant to pursue it," Rosenstein said. "I wouldn't say we're searching for a case. I''d say we're receptive, if a case arises, that we would litigate."

In the interview, Rosenstein also said he "favors strong encryption." "I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud," he explained. "And I'm in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I'm in favor of strong encryption." "This is, obviously, a related issue, but it's distinct, which is, what about cases where people are using electronic media to commit crimes? Having access to those devices is going to be critical to have evidence that we can present in court to prove the crime. I understand why some people merge the issues. I understand that they're related. But I think logically, we have to look at these differently. People want to secure their houses, but they still need to get in and out. Same issue here." He later added that the claim that the "absolutist position" that strong encryption should be by definition, unbreakable, is "unreasonable." "And I think it's necessary to weigh law enforcement equities in appropriate cases against the interest in security," he said.

Desktops (Apple)

Ask Slashdot: What Should A Mac User Know Before Buying a Windows Laptop? 449

New submitter Brentyl writes: Hello Slashdotters, longtime Mac user here faced with a challenge: Our 14-year-old wants a Windows laptop. He will use it for school and life, but the primary reason he wants Windows instead of a MacBook is gaming. I don't need a recommendation on which laptop to buy, but I do need a Windows survival kit. What does a fairly savvy fellow, who is a complete Windows neophyte, need to know? Is the antivirus/firewall in Windows 10 Home sufficient? Are there must-have utilities or programs I need to get? When connecting to my home network, I need to make sure I ____? And so on... Thanks in advance for your insights.
Security

WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools (vice.com) 102

An anonymous reader quotes a report from Motherboard: WikiLeaks published new alleged material from the CIA on Thursday, releasing source code from a tool called Hive, which allows its operators to control malware it installed on different devices. WikiLeaks previously released documentation pertaining to the tool, but this is the first time WikiLeaks has released extensive source code for any CIA spying tool. This release is the first in what WikiLeaks founder Julian Assange says is a new series, Vault 8, that will release the code from the CIA hacking tools revealed as part of Vault 7. "This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components," WikiLeaks said in its press release for Vault 8. "Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention." In its release, WikiLeaks said that materials published as part of Vault 8 will "not contain zero-days or similar security vulnerabilities which could be repurposed by others."
Google

Google Says Hackers Steal Almost 250,000 Logins Each Week (cnn.com) 33

Google is digging into the dark corners of the web to better secure people's accounts. From a report: For one year, Google researchers investigated the different ways hackers steal personal information and take over Google accounts. Google published its research, conducted between March 2016 and March 2017, on Thursday. Focusing exclusively on Google accounts and in partnership with the University of California, Berkeley, researchers created an automated system to scan public websites and criminal forums for stolen credentials. The group also investigated over 25,000 criminal hacking tools, which it received from undisclosed sources. Google said it is the first study taking a long term and comprehensive look at how criminals steal your data, and what tools are most popular. [...] Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example on average, the phishing tools Google studied collect 234,887 potentially valid login credentials, and the keylogging tools collected 14,879 credentials, each week.
Microsoft

Microsoft To Integrate 3rd-party Security Info Into Its Windows Defender Advanced Threat Protection Service (zdnet.com) 26

Microsoft is partnering with other security vendors to integrate their macOS, Linux, iOS, and Android security wares with its Windows Defender Advanced Threat Protection (ATP) service From a report: Microsoft has announced the first three such partners: Bitdefender, Lookoutm and Ziften. These companies will feed any threats detected into the single Windows Defender ATP console. With Defender ATP, every device has its own timeline with event history dating back up to six months. According to Microsoft, no additional infrastructure is needed to onboard events from macOS, Linux, iOS and/or Android devices. Integration with Bitdefender's GravityZone Cloud -- which allows users to get macOS and Linux threat intelligence on malware and suspicious files -- is in public preview as of today. A trial version is available now. Integration with Lookout's Mobile Endpoint Security for iOS and Android and Ziften's Zenith systems and security operations platform for macOS and Linux will be in public preview "soon," Microsoft's blog post says.
Crime

Federal Prosecutors Charge Man With Hiring Hackers To Sabotage Former Employer (apnews.com) 18

According to the Associated Press, federal prosecutors have charged a man with paying computer hackers to sabotage websites affiliated with his former employer. From the report: The FBI says the case represents a growing form of cybercrime in which professional hackers are paid to inflict damage on individuals, businesses and others who rely on digital devices connected to the web. Prosecutors say 46-year-old John Kelsey Gammell hired hackers to bring down Washburn Computer Group in Monticello, but also made monthly payments between July 2015 and September 2016 to damage web networks connected to the Minnesota Judicial Branch, Hennepin County and several banks. The Star Tribune reports Gammell's attorney, Rachel Paulose, has argued her client didn't personally attack Washburn. Paulose has asked a federal magistrate to throw out evidence the FBI obtained from an unnamed researcher because that data could have been obtained by hacking.
Security

Linux Has a USB Driver Security Problem (bleepingcomputer.com) 156

Catalin Cimpanu, reporting for BleepingComputer: USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users' computers. The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem. "All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov said. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.
Yahoo!

Former Yahoo CEO Marissa Mayer Apologizes For Data Breach, Blames Russians (reuters.com) 212

Former Yahoo chief executive officer Marissa Mayer apologized today for a pair of massive data breaches at Yahoo and blamed Russian agents on the growing number of incidents involving major U.S. companies. A reader shares a report: "As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users," she told the Senate Commerce Committee, testifying alongside the interim and former CEOs of Equifax and a senior Verizon Communications executive. "Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users' data."
Chrome

'How Chrome Broke the Web' (tonsky.me) 283

Reader Tablizer writes (edited and condensed): The Chrome team "broke the web" to make Chrome perform better, according to Nikita Prokopov, a software engineer. So the story goes like this: there's a widely-used piece of DOM API called "addEventListener." Almost every web site or web app that does anything dynamic with JS probably depends on this method in some way. In 2016, Google came along and decided that this API was not extensible enough. But that's not the end of the story. Chrome team proposed the API change to add passive option because it allowed them to speed up scrolling on mobile websites. The gist of it: if you mark onscroll/ontouch event listener as passive, Mobile Google can scroll your page faster (let's not go into details, but that's how things are). Old websites continue to work (slow, as before), and new websites have an option to be made faster at the cost of an additional feature check and one more option. It's a win-win, right? Turned out, Google wasn't concerned about your websites at all. It was more concerned about its own product performance, Google Chrome Mobile. That's why on February 1, 2017, they made all top-level event listeners passive by default. They call it "an intervention." Now, this is a terrible thing to do. It's very, very, very bad. Basically, Chrome broke half of user websites, the ones that were relying on touch/scroll events being cancellable, at the benefit of winning some performance for websites that were not yet aware of this optional optimization. This was not backward compatible change by any means. All websites and web apps that did any sort of draggable UI (sliders, maps, reorderable lists, even slide-in panels) were affected and essentially broken by this change.
Encryption

Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed (arstechnica.com) 76

An anonymous reader quotes a report from Ars Technica: A crippling flaw affecting millions -- and possibly hundreds of millions -- of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents. The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key. Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness.

On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they developed an attack that was 25 percent more efficient than the one created by original ROCA researchers. The new attack was solely the result of Bernstein and Lange based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.

Encryption

How Cloudflare Uses Lava Lamps To Encrypt the Internet (zdnet.com) 110

YouTuber Tom Scott was invited to visit Cloudflare's San Francisco headquarters to check out the company's wall of lava lamps. These decorative novelty items -- while neat to look at -- serve a special purpose for the internet security company. Cloudflare takes pictures and video of the lava lamps to turn them into "a stream of random, unpredictable bytes," which is used to help create the keys that encrypt the traffic that flow through Cloudflare's network. ZDNet reports: Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services. Cloudflare is known for providing good standards of encryption, but it seems the secret is out -- this reputation is built in part on lava lamps. Roughly 10 percent of the Internet's traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required. According to Nick Sullivan, Cloudfare's head of cryptography, this is where the lava lamps shine. Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken. The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic. "Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data." Cloudflare also reportedly uses a "chaotic pendulum" in its London office to generate randomness, and in Singapore, they use a radioactive source.
Intel

MINIX: Intel's Hidden In-chip Operating System (zdnet.com) 271

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer reported that systems using Intel chips that have AMT, are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.

Slashdot Top Deals