
New Standard For Website Authentication Proposed: SQRL (Secure QR Login) 234

fsagx writes "Steve Gibson has proposed a new standard method for website authentication. The SQRL system (pronounced 'squirrel') eliminates problems inherent in traditional login techniques. The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside of traditional username/password to ease adoption."
Communications

Researchers Show Apple Can Read iMessages 124

Trailrunner7 writes "The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol [original analysis] and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages–or decrypt them and hand them over at the order of a government agency. ... The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system. One major issue is that Apple itself controls the encryption key infrastructure used for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users' messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users' iMessages, but it's possible that the company could. Users' AppleID passwords also are sent in clear text to the Apple servers."
Databases

Capturing the Flag, SQLi-Style 24

CowboyRobot writes "Penetration tester and long-time security professional Sumit 'Sid' Siddharth has developed a real-world SQL injection sandbox simulator, and invites the public for a capture the flag event later this month. 'The only way you can understand the true impact of vulnerabilities is by practicing exploitation. Even vulnerability identification goes hand-in-hand with exploitation,' says Siddharth. 'Sometimes identifying the vulnerability is really difficult, and it's only when you know advanced exploitation techniques that you can do so. We've also put together some really nice examples where identifying the vulnerability is really difficult, and we've asked people to find the needle in the haystack because that's how websites get compromised at the end of the day,'"
KDE

Ubuntu, Kubuntu 13.10 Unleashed 143

llebeel writes "Canonical announced its free Ubuntu 13.10 Linux operating system (OS) release, on the same day as Microsoft's remedial Windows 8.1 service pack update. We speak to Canonical founder and Ubuntu creator Mark Shuttleworth who tells us what to expect." Adds reader jrepin: "Kubuntu Linux 13.10 has just been released and is available for download. It comes with KDE Software Compilation 4.11, a new application for discovering and installing software, a simpler way to manage your system users, and a new Network Manager applet gives a simpler UI for connecting to a range of network types. You can now set up Wifi networking from the installer making it easier to install updates and extra packages during the install." ZDNet has a fairly tepid review of the incremental rather than startling improvements of the new release, and notes "Ubuntu 14.04 LTS, due for release on 17 April next year, will now perhaps come as even more of a shock if its promised big changes are fully realised."
Windows

Windows 8.1 Rolls Out Today 398

The newest iteration of Windows has begun rolling out, and is winning positive reviews. (Here's an in-depth review from Ars, and a more concise one from Wired — both give 8.1 a thumbs-up). Kelerei wrote with the above-linked TechDirt article on the release, noting that it is a staged rollout rather than global. Starting this morning, though, 8.1 is available to some customers. Kelerei writes: "The upgrade is optional (and free) for existing Windows 8 users, though if one looks at the changes, it's hard to imagine why those already on it wouldn't upgrade." Also at Slash BI.
