While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.
As for tax ID numbers, the Equifax spokeswoman said they "were generally housed in the same field" as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack. Equifax also said, in response to questions from The Wall Street Journal, that some additional drivers' license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that drivers' license numbers were accessed; the document submitted to the banking committee also includes drivers' license issue dates and states.
In their letter, the senators expressed their concern over these reports and reiterated the duty the CFPB has to not only investigate the breach but to bring action against Equifax if deemed necessary. "Consumer reporting agencies and the data they collect play a central role in consumers' access to credit and the fair and competitive pricing of that credit," they wrote. "Therefore, the CFPB has a duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers and bring enforcement actions as necessary."
The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.
Since the project is in such early development, current versions of LKRG will only report kernel integrity violations via kernel messages, but a full exploit mitigation system will be deployed as the system matures... While LKRG will remain an open source project, LKRG maintainers also have plans for an LKRG Pro version that will include distro-specific LKRG builds and support for the detection of specific exploits, such as container escapes. The team plans to use the funds from LKRG Pro to fund the rest of the project.
The first public version of LKRG -- LKRG v0.0 -- is now live and available for download on this page. A wiki is also available here, and a Patreon page for supporting the project has also been set up. LKRG kernel modules are currently available for main Linux distros such as RHEL7, OpenVZ 7, Virtuozzo 7, and Ubuntu 16.04 to latest mainlines.
Although iPhones and Android phones, computers, and instant messengers all come with encryption, camera makers have fallen behind. Not only does encryption protect reported work from prying eyes, it also protects sources -- many of whom put their lives at risk to expose corruption or wrongdoing... The lack of encryption means high-end camera makers are forcing their customers to choose between putting their sources at risk, or relying on encrypted, but less-capable devices, like iPhones. We asked the same camera manufacturers if they plan to add encryption to their cameras -- and if not, why. The short answer: don't expect much any time soon.
The article also cites high demand for data privacy experts, penetration testers with a scientific mind-set, and adaptable developers (including DevOps engineers), as well as experts in robotics and cryptology. But everyone's experiencing the job market differently, so the original submission ends with a question for Slashdot readers.
"What hires are you having the most difficulty making these days?"
"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea. Adobe said it plans to patch this zero-day on Monday, February 5.
[David Irvine, computer engineer and founder of MaidSafe, has devised an alternative to the "modern internet" he calls the Safe network]: the acronym stands for "Safe Access for Everyone." In this model, rather than being stored on distant servers, people's data -- files, documents, social-media interactions -- will be broken into fragments, encrypted and scattered around other people's computers and smartphones, meaning that hacking and data theft will become impossible. Thanks to a system of self-authentication in which a Safe user's encrypted information would only be put back together and unlocked on their own devices, there will be no centrally held passwords. No one will leave data trails, so there will be nothing for big online companies to harvest. The financial lubricant, Irvine says, will be a cryptocurrency called Safecoin: users will pay to store data on the network, and also be rewarded for storing other people's (encrypted) information on their devices. Software developers, meanwhile, will be rewarded with Safecoin according to the popularity of their apps. There is a community of around 7,000 interested people already working on services that will work on the Safe network, including alternatives to platforms such as Facebook and YouTube.
Here's a question to the contrary: Of all the tech companies you know well and follow -- small, medium, or large -- which are the ones that you respect the most, and why? Which are the companies that still -- or newly -- create great tech in a landscape dotted with profiteers? Also, what is your personal criteria for judging whether a tech company is "good," "neutral," or "bad?"
As Tara Siegel Bernard and Ron Lieber of the New York Times reported, the new service -- which is different from a "freeze" in some ways that are not clear from a legal and regulatory standpoint -- has not been working for some (and possibly all) mobile app users. The idea of the "lock" is that it can be undone in an instant with a swipe of the screen, without incurring a charge to freeze or unfreeze the report or having to provide a PIN number. But attempts by Siegel Bernard to lock her husband's credit report resulted in application timeouts.
Google engineers reported page load speed improvements varying from 18% to 35%, depending on the underlying network. Other browser makers have been notified of the Chrome team's plan, but none have provided input if they plan to implement a similar feature. Compared to most JS-based lazy loading scripts that only target images, Google implementation will also target iframes.
To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.
HP, Dell, and Red Hat took previous steps during the past week.
"We are also offering a new option -- available for advanced users on impacted devices -- to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes..." Microsoft writes.
"We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device. "
"Two bad updates later, Malwarebytes released a fix," CSO reports, noting the company's blog post with steps to resolve the issue.
Long-time Slashdot reader marquis111 shares a link to an apology from Malwarebytes CEO Marcin Kleczynski, who says that he'll be "personally available" to discuss the problem on both the forums and at his personal email address.