Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Government

Obama Changed Rules Regarding Raw Intelligence, Allowing NSA To Share Raw Data With US's Other 16 Intelligence Agencies (schneier.com) 205

An anonymous reader quotes a report from Schneier on Security: President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the U.S.'s other 16 intelligence agencies. The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches. The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people. Here are the new procedures. This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.
Government

Hacker Steals 900 GB of Cellebrite Data (vice.com) 69

An anonymous reader shares a Motherboard report: Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite's products. The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies. Cellebrite is an Israeli company whose main product, a typically laptop-sized device called the Universal Forensic Extraction Device (UFED), can rip data from thousands of different models of mobile phones. That data can include SMS messages, emails, call logs, and much more, as long as the UFED user is in physical possession of the phone.
Privacy

Japan Researchers Warn of Fingerprint Theft From 'Peace' Sign (phys.org) 119

Tulsa_Time quotes a report from Phys.Org: Could flashing the "peace" sign in photos lead to fingerprint data being stolen? Research by a team at Japan's National Institute of Informatics (NII) says so, raising alarm bells over the popular two-fingered pose. Fingerprint recognition technology is becoming widely available to verify identities, such as when logging on to smartphones, tablets and laptop computers. But the proliferation of mobile devices with high-quality cameras and social media sites where photographs can be easily posted is raising the risk of personal information being leaked, reports said. The NII researchers were able to copy fingerprints based on photos taken by a digital camera three meters (nine feet) away from the subject.
Medicine

Implantable Cardiac Devices Could Be Vulnerable To Hackers, FDA Warns (vice.com) 60

The U.S. Food and Drug Administration warned on Monday that pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients' lives at risk, as hackers could remotely access the devices and change the heart rate, administer shocks, or quickly deplete the battery. Thankfully, St. Jude released a new software patch on the same day as the FDA warning to address these vulnerabilities. Motherboard reports: St. Jude Medical's implantable cardiac devices are put under the skin, in the upper chest area, and have insulated wires that go into the heart to help it beat properly, if it's too slow or too fast. They work together with the Merlin@home Transmitter, located in the patient's house, which sends the patient's data to their physician using the Merlin.net Patient Care Network. Hackers could have exploited the transmitter, the manufacturer confirmed. "[It] could (...) be used to modify programming commands to the implanted device," the FDA safety communication reads. In an emailed response to Motherboard, a St. Jude Medical representative noted that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said. This warning comes a few days after Abbott Laboratories acquired St. Jude Medical, and four months after a group of experts at Miami-based cybersecurity company MedSec Holding published a paper explaining several vulnerabilities they found in St. Jude Medical's pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital.
Bug

Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com) 33

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.
Chrome

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 144

An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
Medicine

Microsoft Anti-Porn Workers Sue Over PTSD (thedailybeast.com) 300

An anonymous reader shares with us a report from The Daily Beast: When former Microsoft employees complained of the horrific pornography and murder films they had to watch for their jobs, the software giant told them to just take more smoke breaks, a new lawsuit alleges. Members of Microsoft's Online Safety Team had "God-like" status, former employees Henry Soto and Greg Blauert allege in a lawsuit filed on Dec. 30. They "could literally view any customer's communications at any time." Specifically, they were asked to screen Microsoft users' communications for child pornography and evidence of other crimes. But Big Brother didn't offer a good health care plan, the Microsoft employees allege. After years of being made to watch the "most twisted" videos on the internet, employees said they suffered severe psychological distress, while the company allegedly refused to provide a specially trained therapist or to pay for therapy. The two former employees and their families are suing for damages from what they describe as permanent psychological injuries, for which they were denied worker's compensation. "Microsoft applies industry-leading, cutting-edge technology to help detect and classify illegal images of child abuse and exploitation that are shared by users on Microsoft Services," a Microsoft spokesperson wrote in an email. "Once verified by a specially trained employee, the company removes the image, reports it to the National Center for Missing and Exploited Children, and bans the users who shared the images from our services. We have put in place robust wellness programs to ensure the employees who handle this material have the resources and support they need." But the former employees allege neglect at Microsoft's hands.
Security

Windows 10 Will Soon Lock Your PC When You Step Away From It (theverge.com) 172

An anonymous reader quotes a report from The Verge: Microsoft is working on a new Windows 10 feature that will automatically lock and secure a PC when the operating system detects someone has moved away from the machine. The feature is labelled as Dynamic Lock in recent test builds of Windows 10, and Windows Central reports that Microsoft refers to this as "Windows Goodbye" internally. Microsoft currently uses special Windows Hello cameras to let Windows 10 users log into a PC with just their face. Big corporations teach employees to use the winkey+L combination to lock machines when they're idle, but this new feature will make it an automatic process. It's not clear exactly how Microsoft will detect inactivity, but it's possible the company could use Windows Hello-compatible machines or detect idle activity and lock the machine accordingly. Windows can already be configured to do this after a set time period, but it appears Microsoft is streamlining this feature into a simple setting for anyone to enable. Microsoft is planning to deliver Dynamic Lock as part of the Windows 10 Creators Update, expected to arrive in April.
Privacy

Why You Shouldn't Trust Geek Squad (networkworld.com) 389

An anonymous reader quotes a report from Network World: The Orange County Weekly reports that Best Buy's "Geek Squad" repair technicians routinely search devices brought in for repair for files that could earn them $500 reward as FBI informants. This revelation came out in a court case, United States of America v. Mark A. Rettenmaier. Rettenmaier is a prominent Orange County physician and surgeon who took his laptop to the Mission Viejo Best Buy in November 2011 after he was unable to start it. According to court records, Geek Squad technician John "Trey" Westphal found an image of "a fully nude, white prepubescent female on her hands and knees on a bed, with a brown choker-type collar around her neck." Westphal notified his boss, who was also an FBI informant, who alerted another FBI informant -- as well as the FBI itself. The FBI has pretty much guaranteed the case will be thrown out by its behavior, this illegal search aside. According to Rettenmaier's defense attorney, agents conducted two additional searches of the computer without obtaining necessary warrants, lied to trick a federal magistrate judge into authorizing a search warrant for his home, then tried to cover up their misdeeds by initially hiding records. Plus, the file was found in the unallocated "trash" space, meaning it could only be retrieved by "carving" with sophisticated forensics tools. Carving (or file carving) is defined as searching for files or other kinds of objects based on content, rather than on metadata. It's used to recover old files that have been deleted or damaged. To prove child pornography, you have to prove the possessor knew what he had was indeed child porn. There has been a court case where files found on unallocated space did not constitute knowing possession because it's impossible to determine who put the file there and how, since it's not accessible to the user under normal circumstances.
Microsoft

Microsoft To Enhance User Privacy Controls In Upcoming Windows 10 Update (hothardware.com) 183

MojoKid writes: When Microsoft first launched Windows 10, it was generally well-received but also came saddled with a number of privacy concerns. It has taken quite a while for Microsoft to respond to these concerns in a meaningful way, but the company is finally proving that it's taking things seriously by detailing some enhanced privacy features coming to a future Windows 10 build. Microsoft is launching what it calls a (web-based) privacy dashboard, which lets you configure anything and everything about information that might be sent to back to the mothership. You can turn all tracking off, or pick and choose, if certain criteria don't concern you too much, like location or health activity, for example. Also, for fresh installs, you'll be given more specific privacy options so that you can feel confident from the get-go about the information you're sending Redmond's way. If you do decide to send any information Microsoft's way, the company promises that it won't use your information for the sake of targeted advertising.
AI

LinkedIn's and eBay's Founders Are Donating $20 Million To Protect Us From AI (recode.net) 74

Reid Hoffman, the founder of LinkedIn, and Pierre Omidyar, the founder of eBay, have each committed $10 million to fund academic research and development aimed at keeping artificial intelligence systems ethical and to prevent building AI that may harm society. Recode reports: The fund received an additional $5 million from the Knight Foundation and two other $1 million donations from the William and Flora Hewlett Foundation and Jim Pallotta, founder of the Raptor Group. The $27 million reserve is being anchored by MIT's Media Lab and Harvard's Berkman Klein Center for Internet and Society. The Ethics and Governance of Artificial Intelligence Fund, the name of the fund, expects to grow as new funders continue to come on board. AI systems work by analyzing massive amounts of data, which is first profiled and categorized by humans, with all their prejudices and biases in tow. The money will pay for research to investigate how socially responsible artificially intelligent systems can be designed to, say, keep computer programs that are used to make decisions in fields like education, transportation and criminal justice accountable and fair. The group also hopes to explore ways to talk with the public about and foster understanding of the complexities of artificial intelligence. The two universities will form a governing body along with Hoffman and the Omidyar Network to distribute the funds. The $20 million from Hoffman and the Omidyar Network are being given as a philanthropic grant -- not an investment vehicle.
Microsoft

Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues? 128

An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.
Education

Ask Slashdot: What's The Best Job For This Recent CS Grad? 259

One year away from graduating with a CS degree, an anonymous reader wants some insights from the Slashdot community: [My] curriculum is rather broad, ranging from systems programming on a Raspberry Pi to HTML, CSS, JavaScript, C, Java, JPA, Python, Go, Node.js, software design patterns, basic network stuff (mostly Cisco) and various database technologies... I'm working already part-time as a system administrator for two small companies, but don't want to stay there forever because it's basically a dead-end position. Enjoying the job, though... With these skills under my belt, what career path should I pursue?
There's different positions as well as different fields, and the submission explains simply that "I'm looking for satisfying and rewarding work," adding that "pay is not that important." So leave your suggestions in the comments. What's the best job for this recent CS grad?
Mozilla

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 112

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

Education

What's Happening As The University of California Tries To Outsource IT Jobs To India (pressreader.com) 483

Long-time Slashdot reader Nova Express shares an epic column by Pulitzer Prize-winning journalist Michael Hiltzik. It details what's happening now as the University of California tries to outsources dozens of IT jobs -- about 20% of their IT workforce -- by February 28th. Some of the highlights:
  • The CEO of UCSF's Medical Center says he expects their security to be at least as good as it is now, but acknowledges "there are no guarantees."
  • Nine workers have filed a complaint with the state's Department of Fair Employment and Housing arguing they're facing discrimination.
  • California Senator Feinstein is already complaining that the university is tapping $8.5 billion in federal funding "to replace Californian IT workers with foreign workers or labor performed abroad."
  • Representative Zoe Lofgren (from a district in Silicon Valley) is arguing that the university "is training software engineers at the same time they're outsourcing their own software engineers. What message are they sending their own students?"
  • 57-year-old sys-admin Kurt Ho says his replacement spent just two days with him, then "told me he would go back to India and train his team, and would be sending me emails with questions."
  • The university's actions will ultimately lower their annual $5.83 billion budget by just 0.1%.

Slashdot Top Deals