OverTheGeicoE writes "TSA recently announced that it would remove all of Rapiscan's X-ray body scanners from airports by June. As part of this effort, it is trying to move a millimeter-wave body scanner from the Helena, Montana airport to replace an X-ray unit at a busier airport. Strangely enough, they have encountered resistance from the Helena's Airport Manager, Ron Mercer. Last Thursday, workers came to remove the machine, but were prevented from doing so by airport officials. Why? Perhaps Mercer agrees with Cindi Martin, airport director at Montana's Glacier Park International Airport airport, who called the scheduled removal of her airport's scanner 'a great disservice to the flying public' in part because it 'removed the need for the enhanced pat-down.'"

colinneagle writes "Once upon a time, Microsoft claimed that falling prey to social engineering tactics and then being hacked was a 'rookie mistake.' But now is the time for companies to jump on the bandwagon, to admit they were targeted by cyberattacks and successfully infiltrated. The stage is so crowded with 'giants' at this point, that there are fewer 'bad press' repercussions than if only one major company had admitted to being breached. Microsoft now admitted, hey we were hacked too. 'As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,' wrote Matt Thomlinson, General Manager of Microsoft's Trustworthy Computing Security. Unlike the New York Times and the Wall Street Journal there was no mention of Chinese hackers."

An anonymous reader writes "A small U.S. university has come up with a novel solution to reduce the possibility of using a dead person's hand to get past a fingerprint scanner through the use of hemoglobin detection. The device quickly checks the fingerprint and hemoglobin 'non-intrusively' to verify the identity and whether the individual is alive. This field of research is called Biocryptology and seeks to ensure that biometric security devices can't be easily bypassed."

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"

nbauman writes "A New York Times consumer columnist tracked down the people who run a 'This is your second and final notice" robocall operation. The calls came from Account Management Assistance, which promises to negotiate lower credit card rates with banks. One woman paid them $1,000, and all they did was give her a limited-time zero-percent credit card that she could have gotten herself. AMA has a post office box in Orlando, Florida. The Better Business Bureau has a page for Your Financial Ladder, which does business as Account Management Assistance, and as Economic Progress. According to a Florida incorporation filing, Economic Progress is operated by Brenda Helfenstine, with her husband Tony. The Arkansas attorney general has sued Your Financial Ladder for violating the Telemarketing Consumer Fraud and Abuse Prevention Act. The Florida Department of Agriculture and Consumer Services investigated Your Financial Ladder, but the investigator went to 1760 Sundance Drive, St. Cloud, which turned out to be a residence, and gave up. The Times notes that you can type their phone number (855-462-3833) into http://800notes.com/ and get lots of reports on them."

An anonymous reader writes "Stephen Totilo at Kotaku has a long article detailing the exploits of an Australian hacker who calls himself SuperDaE. He managed to break into networks at Microsoft, Sony, and Epic Games, from which he retrieved information about the PS4 and next-gen Xbox 'Durango' (which turned out to be correct), and he even secured developer hardware for Durango itself. He uncovered security holes at Epic, but notified the company rather than exploiting them. He claims to have done the same with Microsoft. He hasn't done any damage or facilitated piracy with the access he's had, but simply breaching the security of those companies was enough to get the U.S. FBI to convince Australian authorities to raid his house and confiscate his belongings. In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out. The article describes both SuperDaE's activities and a journalist's efforts to verify his claims."

Hugh Pickens writes "The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The 'Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff' is surprisingly detailed. Now as the College of Cardinals prepares to elect a new pope, security people like Bruce Schneier wonder about the process. How does it work, and just how hard would it be to hack the vote? First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. Second, the small group of voters — all of whom know each other — makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find. A cardinal can't stuff ballots when he votes. Then the complicated paten-and-chalice ritual ensures that each cardinal votes once — his ballot is visible — and also keeps his hand out of the chalice holding the other votes. Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good."

First time accepted submitter punk2176 writes "Recently I started a free and open source project known as the PunkSPIDER project and presented it at ShmooCon 2013. If you haven't heard of it, it's at heart, a project with the goal of pushing for improved global website security. In order to do this we built a Hadoop distributed computing cluster along with a website vulnerability scanner that can use the cluster. Once we finished that we open sourced the code to our scanner and unleashed it on the Internet. The results of our scans are provided to the public for free in an easy-to-use search engine. The results so far aren't pretty." The Register has an informative article, too.

New submitter haberb writes "I always thought my HTC phones were of average or above average quality, and certainly no less secure than an vanilla Android install, but it turns out someone was still not impressed. 'Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.' Perhaps this will push HTC to release some of the ICS upgrades they promised a few months ago but never delivered, or perhaps the reason they fell through in the first place?"

An anonymous reader writes "Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22. Kudos to Mozilla for protecting their users and being so open to community submissions. The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'"

kthreadd writes "Minix, originally designed as an example for teaching operating system theory which was both inspiration and cause for the creation of Linux has just been released as version 3.2.1. Major new features include full support for shared libraries and improved support for USB devices such as keyboards, mice and mass storage devices. The system has received many performance improvements and several userland tools have been imported from NetBSD."

rtfa-troll writes "There has been a worldwide (all locations) total outage of storage in Microsoft's Azure cloud. Apparently, 'Microsoft unwittingly let an online security certificate expire Friday, triggering a worldwide outage in an online service that stores data for a wide range of business customers,' according to the San Francisco Chronicle (also Yahoo and the Register). Perhaps too much time has been spent sucking up to storage vendors and not enough looking after the customers? This comes directly after a week-long outage of one of Microsoft's SQL server components in Azure. This is not the first time that we have discussed major outages on Azure and probably won't be the last. It's certainly also not the first time we have discussed Microsoft cloud systems making users' data unavailable."

At last year's RSA security conference, we ran into the Pwnie Plug. The company has just come out with a new take on the same basic idea of pen-testing devices based on commodity hardware. Reader puddingebola writes with an excerpt from Wired: "The folks at security tools company Pwnie Express have built a tablet that can bash the heck out of corporate networks. Called the Pwn Pad, it's a full-fledged hacking toolkit built atop Google's Android operating system. Some important hacking tools have already been ported to Android, but Pwnie Express says that they've added some new ones. Most importantly, this is the first time that they've been able to get popular wireless hacking tools like Aircrack-ng and Kismet to work on an Android device." Pwnie Express will be back at RSA and so will Slashdot, so there's a good chance we'll get a close-up look at the new device, which runs about $800.

Questioning his belief in relational database dogma, new submitter Travis Brown happened to evaluate Amazon's Dynamo DB and MonogDB. His situation was the opposite of Jeff Cogswell's: he started off wanting to prefer Dynamo DB, but came to the conclusion that the benefits of Amazon managing the database for him didn't outweigh the features Mongo offers. From the article: "DynamoDB technically isn't a database, it's a database service. Amazon is responsible for the availability, durability, performance, configuration, optimization and all other manner of minutia that I didn't want occupying my mind. I've never been a big fan of managing the day-to-day operations of a database, so I liked the idea of taking that task off my plate. ... DynamoDB only allows you to query against the primary key, or the primary key and range. There are ways to periodically index your data using a separate service like CloudSearch, but we are quickly losing the initial simplicity of it being a database service. ... However, it turns out MongoDB isn't quite as difficult as the nerds had me believe, at least not at our scale. MongoDB works as advertised and auto-shards and provides a very simple way to get up and running with replica sets." His weblog entry has a few code snippets illustrating how he came to his conclusions.

Trailrunner7 writes "In the wake of high-profile compromises of companies such as Facebook, the New York Times, Apple and others, officials at Zendesk, an online customer support provider, said that the company also had been compromised and the attackers had made off with the email addresses of customers of Twitter, Tumblr and Pinterest, all of which use Zendesk's services. All three companies sent out emails to affected customers, notifying them of the incident and warning that their email addresses may have been compromised. In what has become an almost daily occurrence now, Zendesk officials posted a notice on the company's blog with the heading "We've been hacked". The Zendesk hack notice says that the company became aware of the attack on its network sometime this week and that the company then identified and patched the vulnerability the attackers had used."

mk1004 writes "Yahoo news has an article explaining how the text-based CAPTCHA is giving way to ad-based challenge/response. It's claimed that users are faster at responding to familiar logos, shortening the amount of time they spend proving that they are human. From the article: 'Rather than taking just a mere glance to figure out, recent studies show that a typical CAPTCHA takes, on average, 14 seconds to solve, with some taking much, much longer. Multiply that by the millions and millions of verifications per day, and Web users as a whole are wasting years and years of their lives just trying to prove they're not actually computers. This has led many companies to abandon the age-old system in favor of something not only more secure, but also easier to use for your average Webgoer: Ad-based verification, which can actually cut the time it takes to complete the task in half.'"

codegen writes "The Ontario Court of Appeal has just ruled that the police can search your cellphone if you are arrested without a warrant if it is not password protected. But the ruling also stated that if it is password protected, then the police need a warrant. Previous to this case there was no decision on if the police could search your phone without a warrant in Canada."

Lasrick writes "David Axe at Wired's Danger Room explains: 'For the first time, America's top-of-the-line F-22 fighters and Britain's own cutting-edge Typhoon jets have come together for intensive, long-term training in high-tech warfare. If only the planes could talk to each other on equal terms. The F-22 and the twin-engine, delta-wing Typhoon — Europe’s latest warplane — are stuck with partially incompatible secure communications systems. For all their sophisticated engines, radars and weapons, the American and British pilots are reduced to one-way communication, from the Brits to the Yanks. That is, unless they want to talk via old-fashioned radio, which can be intercepted and triangulated and could betray the planes’ locations. That would undermine the whole purpose of the F-22s radar-evading stealth design, and could pose a major problem if the Raptor and the Typhoon ever have to go to war together.'"

netbuzz writes "Educause members and 7,000 university websites are being forced to change account passwords after a security breach involving the organization's .edu domain server. However, some initially hesitated to comply because the Educause notification email bore tell-tale markings of a phishing attempt. 'Given what is known about phishing and user behavior, this was bad form,' says Gene Spafford, a Purdue University computer science professor and security expert. 'For an education-oriented organization to do this is particularly troubling.'"

Lasrick writes "The Bulletin has an interesting article about the likelihood of terrorists obtaining nuclear material. 'Since 1993, the International Atomic Energy Agency (IAEA) has logged roughly 2,000 cases of illicit or unauthorized trafficking of nuclear and radioactive material. Thirty illicit radioactive trafficking incidents were reported in the former Soviet region alone from 2009 to 2011. As Obama said in December, "Make no mistake, if [terrorists] get [nuclear material], they will use it."'"