China

China Telco Replaces Cisco Devices Over Security Concerns 180

hackingbear writes "China Unicom, the country's second largest telecom operator, has replaced Cisco Systems routers in one of the country's most important backbone networks, citing security reasons (due to bugs and vulnerability). The move came after a congressional report branded Huawei Technologies Co. Ltd. and ZTE Corp. security threats in the United States, citing bugs and vulnerability (rather than actual evidence of spying). Surprising to us, up to now, Cisco occupies a large market share in China. It accounts for over a 70 percent share of China Telecom's 163 backbone network and over an 80 percent share of China Unicom's 169 backbone network. Let's wait and see who the winner is in this trade war disguised as national security."
Earth

Slashdot Asks: Are You Preparing For Hurricane Sandy? 232

Forecasters are tossing around words like "unprecedented" and "bizarre" (see this Washington Post blog entry) for the intensity and timing of Hurricane Sandy, which is threatening to hit the east coast of the U.S. early next week. Several people I know in the mid-Atlantic region have been ordering generators and stocking up on flashlight batteries and easy-to-prepare foods. Are you in the projected path of the storm? If so, have you taken any steps to prepare for it? (Are you doing off-site backup? Taking yourself off-site?)
Earth

Green Grid Argues That Data Centers Can Lose the Chillers 56

Nerval's Lobster writes "The Green Grid, a nonprofit organization dedicated to making IT infrastructures and data centers more energy-efficient, is making the case that data center operators are operating their facilities in too conservative a fashion. Rather than rely on mechanical chillers, it argues in a new white paper (PDF), data centers can reduce power consumption via a higher inlet temperature of 20 degrees C. Green Grid originally recommended that data center operators build to the ASHRAE A2 specifications: 10 to 35 degrees C (dry-bulb temperature) and between 20 and 80 percent humidity. But the paper also presented data that a range of between 20 and 35 degrees C was acceptable. Data centers have traditionally included chillers, mechanical cooling devices designed to lower the inlet temperature. Cooling the air, according to what the paper originally called anecdotal evidence, lowered the number of server failures that a data center experienced each year. But chilling the air also added costs, and PUE numbers would go up as a result."
Businesses

Cringley: H-1B Visa Abuse Limits Wages and Steals US Jobs 795

walterbyrd sends this snippet from an article by Robert X. Cringely: "Big tech employers are constantly lobbying for increases in H-1B quotas citing their inability to find qualified US job applicants. Microsoft cofounder Bill Gates and other leaders from the IT industry have testified about this before Congress. Both major political parties embrace the H-1B program with varying levels of enthusiasm. Bill Gates is wrong. What he said to Congress may have been right for Microsoft but was wrong for America and can only lead to lower wages, lower employment, and a lower standard of living. This is a bigger deal than people understand: it's the rebirth of industrial labor relations circa 1920. Our ignorance about the H-1B visa program is being used to unfairly limit wages and steal — yes, steal — jobs from U.S. citizens."
China

New Trusted HW Standard For Windows 8 To Support Chinese Crypto 87

An anonymous reader writes "A new version of the Trusted Platform Module, called TPM2 or TPM 2.0 by Microsoft, has apparently been designed specifically for the release of Windows 8 this week. The details of this new standard have been kept secret. But a major update to the original TPM standard, which came out 10 years ago, seems to have been very quietly released on the Trusted Computing web site (FAQ) earlier this month. Following in the footsteps of the original, this version is quite a challenging read (security through incomprehensibility?). But this new version also seems to support some controversial crypto algorithms that were made public by the 'State Encryption Management Bureau' of China for the first time about 2 years ago. This is roughly the time that Microsoft seems to have begun working in earnest on TPM2, Windows 8, and probably even Surface. But that's probably just a coincidence. This crypto is controversial because of serious EU concerns with domestic restrictions on the implementation, use, and importation of cryptography in China."
Encryption

SSL Holes Found In Critical Non-Browser Software 84

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man-in-the-middle attack."
Encryption

Anonymous' WikiLeaks-Like Project Tyler To Launch In December 101

hypnosec writes "A hacker who claims to be a member of the hacking collective Anonymous has revealed that the hacktivist group is working on a WikiLeaks-like service dubbed Tyler and that it will be launched on December 21. The Anonymous member revealed that the service will be decentralized and will be based on a peer-to-peer service, unlike WikiLeaks, thus making Tyler rather immune to closure and raids. The site will serve as a haven for whistleblowers, where they can publish classified documents and information. The hacker said in an emailed interview that 'Tyler will be P2P encrypted software, in which every function of a disclosure platform will be handled and shared by everyone who downloads and deploys the software.'" That sounds like a lot to live up to. Decentralized, attack-resistant and encrypted all sound nice, but I'm curious both about the funding it would take, and whether it matches WikiLeaks' own security.
Microsoft

Microsoft Releases Windows 8 403

Orome1 writes "Microsoft today announced the global availability of Windows 8. Beginning Friday, Oct. 26, consumers and businesses worldwide will be able to experience all that Windows 8 has to offer, including a new user interface and a wide range of applications with the grand opening of the Windows Store. Launching at the same time is a new member of the Windows family — Windows RT — designed for ARM-based tablets and available pre-installed on new devices. In addition to Microsoft Office 2013, Windows RT is designed exclusively for apps in the new Windows Store. In addition to the range of new Windows-based devices available, consumers can also upgrade their existing PCs. Through the end of January, consumers currently running PCs with Windows XP, Windows Vista or Windows 7 are qualified to download an upgrade to Windows 8 Pro for an estimated retail price of US$39.99." Also at Slash Cloud, where Nick Kolakowski writes: "If the operating system and its associated hardware capture the attention (and dollars) of mobile-device users, Microsoft will have successfully expanded the Windows brand to a new and rapidly growing market segment. But if it fails, and Apple and Google continue to rule the mobility space, then Microsoft is left with few alternatives."
Security

Experts Warn About Security Flaws In Airline Boarding Passes 199

concealment writes in with a story about a newly found security issue with the bar codes on boarding passes. "Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive. Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by technically minded travelers. Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process."
Privacy

Analytics Company Settles Charges For User Tracking 43

An anonymous reader writes "A web analytics company has agreed to settle Federal Trade Commission charges that it violated federal law by using its web-tracking software that collected personal data without disclosing the extent of the information that it was collecting. The company, Compete Inc., also allegedly failed to honor promises it made to protect the personal data it collected. KISSmetrics, the developer and seller of the homonymous tool, has agreed to pay up to make the suit go away, but the two plaintiffs will get only $5,000 each, while the rest of the money — more than half a million dollars — will go to their lawyers for legal fees."
Programming

Ask Slashdot: Is Going To a Technical College Worth It? 309

First time accepted submitter blandcramration writes "I have recently decided to further my education with a technical school associate's degree. I am a first quarter student in my third week as an IT student. I have taught myself Python and have been working with computers for over 10 years. We've been learning C++ and though my instructor appears to know how to program, he doesn't really understand the procedure behind the veil, so to speak. In a traditional learning environment, I would rather learn everything about the computer process rather than fiddle around with something until I figure out how it works. I can do that on my own. I think the real issue is I'm not feeling challenged enough and I'm paying through the nose to go to school here. Am I even going to be able to land a decent job, or should I just take a few classes here and move on to a traditional college and get a computer science degree? I'm much more interested in an approach to computer science like From NAND to Tetris, but I feel as if I should get a degree in something. What are your thoughts?"
Australia

Huawei Offers 'Complete and Unrestricted' Source Code Access 255

An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"
Bug

EXT4 Data Corruption Bug Hits Linux Kernel 249

An anonymous reader writes "An EXT4 file-system data corruption issue has reached the stable Linux kernel. The latest Linux 3.4, 3.5, 3.6 stable kernels have an EXT4 file-system bug described as an apparent serious progressive ext4 data corruption bug. Kernel developers have found and bisected the kernel issue but are still working on a proper fix for the stable Linux kernel. The EXT4 file-system can experience data loss if the file-system is remounted (or the system rebooted) too often."
Security

Would You Put a Tracking Device On Your Child? 610

Hugh Pickens writes "In 2007 businessman Russell Thornton lost his 3-year-old son at an amusement park. After a frantic 45-minute search, Thornton found the boy hiding in a play structure, but he was traumatized by the incident. It spurred him to build a device that would help other parents avoid that fate. Even though most statistics show that rates of violent crime against children have declined significantly over the last few decades, and that abductions are extremely rare, KJ Dell'Antonia writes that with the array of new gadgetry like Amber Alert and the Securus eZoom our children need never experience the fears that come with momentary separations, or the satisfaction of weathering them. 'You could argue that those of us who survived our childhoods of being occasionally lost, then found, are in the position of those who think car seats are overkill because they suffered no injury while bouncing around in the back of their uncle's pickup,' writes Dell'Antonia. 'Wouldn't a more powerful sense of security come from knowing your children were capable, and trusting in their ability to reach out for help at the moment when they realize they're not?'"
Encryption

How a Google Headhunter's E-Mail Revealed Massive Misuse of DKIM 115

concealment writes with a tale of how an email sent to a mathematician led to him discovering that dozens of high profile companies were using easily crackable keys to authenticate mail sent from their domains. From the article: "The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender's DNS records and verify the validity of the signature. Harris wasn't interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game."
Windows

Windows 7 Not Getting A Second Service Pack 441

An anonymous reader writes "Windows 7 was expected to have Service Pack 2 issued roughly 3 years from its introduction (late 2009). People, including myself, have been asking 'Where is it?' and the answer apparently is, 'It isn't, and will never be' which lends itself to the giant pain of installing Windows 7, then Service Pack 1, and hundreds of smaller hotfix patches. Why Microsoft? No go to Service Pack 2 for Windows 7!"
Crime

Criminals Crack and Steal Customer Data From Barnes & Noble Keypads 83

helix2301 writes with an excerpt from CNet: "Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores in the last month. At least one point-of-sale terminal in 63 different stores was compromised, recording card details. Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination."
Android

CyanogenMod Android ROMs Accidentally Logged Screen Unlock Patterns 69

tlhIngan writes "Heads up CyanogenMod users — you will want to update to the latest nightly build, as it turns out that your unlock patterns were accidentally logged. The fix has been committed and is in the latest build. While not easy to access (it requires access to a backup image or the device), it was a potential security hole. It was added back in August when Cyanogen added the ability to customize the screen lock size."
Encryption

PS3 Encryption Keys Leaked 284

An anonymous reader writes "PS3 security has been compromised again. The holy grail of PS3 security encryption keys — the LV0 keys — have been found and leaked into the wild. For the homebrew community, this means deeper access into the PS3: the possibility of custom (or modified) firmware up to the most recent version, the possibility of bypassing the PS3 hypervisor for installing GNU/Linux with full hardware access, dual firmware booting, homebrew advanced recovery (in the mold of BootMii on the Wii), and more. It might lead to more rampant piracy too, because the LV0 keys could facilitate discovering the newer games' encryption keys, ones that require newer firmware."
Java

Researcher Develops Patch For Java Zero Day In 30 Minutes 57

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."