holy_calamity writes "MIT Technology Review reports that efforts by U.S. government agencies and defense contractors to develop malware to attack enemies is driving a black market in zero-day vulnerabilities. Experts warn that could make the internet less secure for everyone, since malicious code is typically left behind on targeted systems and often shows up on untargeted ones, providing opportunities for reverse engineering. '"On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices," says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.'"

An anonymous reader writes "Last night before the State of the Union speech, President Obama signed an executive order for improving cybersecurity of critical infrastructure (PDF). The highlights of the order are: 'information sharing programs' for the government to provide threat reports to industry; an overarching cybersecurity framework developed by NIST to figure out best practices for securing critical infrastructure; and reviews of existing regulations to make sure they're effective. The ACLU supports the Order, as does the EFF. '"A lot of what this shows is that the president can do a lot without cybersecurity legislation," said Mark Jaycox, policy analyst and legislative assistant for the Electronic Frontier Foundation, who points out that the executive order satisfies the need for information sharing without the privacy problems that existed under legislative proposals where loopholes would have allowed companies to dump large amounts of data on the government in an effort to obtain legal immunities. Without those immunities, companies will by nature be more circumspect about what they provide the government, thus limiting what they hand over, Jaycox said.'"

dstates writes with news from NASA about the state of available water in the Middle East. From the NASA article: "'GRACE data show an alarming rate of decrease in total water storage in the Tigris and Euphrates river basins, which currently have the second fastest rate of groundwater storage loss on Earth, after India,' said Jay Famiglietti, principal investigator of the study and a hydrologist and professor at UC Irvine. 'The rate was especially striking after the 2007 drought. Meanwhile, demand for freshwater continues to rise, and the region does not coordinate its water management because of different interpretations of international laws.'" dstates adds: "Water is a huge global security issue. To understand the middle east, you need to understand that the Golan Heights provides a significant amount of the water used in Israel. Focusing on conflicts and politics means that huge volumes of valuable water are being wasted in the Middle East, and this will only exacerbate future conflicts. Water is a serious issue between India and China. And then there is Africa. U.S. food exports are in effect exporting irrigation water drawn from the Ogallala aquifer. Fracking trades water for energy, and lack of water limits fracking in many parts of th world. Think about it."

jfruh writes "Here's an old computer science joke: What's the difference between hardware and software? If you use hardware long enough, it breaks. If you use software long enough, it works. The truth behind that is the reason that so much decades-old COBOL code is out there still driving crucial applications at banks and other huge companies. Many attempts to replace COBOL applications flopped in the 1980s and '90s, and we're stuck with them for the foreseeable future — but the Baby Boomers who wrote all that code are now retiring en masse."

isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."

coondoggie writes "The US Department of Energy today said it would spend $20 million on the development of advanced cybersecurity tools to help protect the nation's vulnerable energy supply. The DOE technologies developed under this program should be interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."

Nerval's Lobster writes "Gavin Newsom, former mayor of San Francisco and current lieutenant governor of California, argues in his new book Citizenville that citizens need to take the lead in solving society's problems, sidestepping government bureaucracy with a variety of technological tools. It's more efficient for those engineers and concerned citizens to take open government data and use it to build apps that serve a civic function—such as Google Earth, or a map that displays crime statistics—than for government to try and provide these tools itself. But Newsom doesn't limit his attacks on government bureaucracy to politicians; he also reserves some fire for the IT departments, which he views as an outdated relic. 'The traditional IT department, which set up and maintained complex, centralized services—networks, servers, computers, e-mail, printers—may be on its way out,' he writes. 'As we move toward the cloud and technology gets easier to use, we'll have less need for full-time teams of people to maintain our stuff.' Despite his advocacy of the cloud and collaboration, he's also ambivalent about Wikileaks. 'It has made government and diplomacy much more challenging and ultimately less honest,' he writes at one point, 'as people fear that their private communications might become public.' Nonetheless, he thinks WikiLeaks and its ilk are ultimately here to stay: 'It is happening, and it's going to keep happening, and it's going to intensify.' In the end, he feels the benefits of collaboration and openness outweigh the drawbacks." Keep reading for the rest of Nick's review.

CowboyRobot writes "The January edition of Science, Technology & Human Values published an article titled Technological Change and Professional Control in the Professoriate, which details interviews with 42 faculty members at three research-intensive universities. The research concludes that faculty have little interest in the latest IT solutions. 'I went to [a course management software workshop] and came away with the idea that the greatest thing you could do with that is put your syllabus on the Web and that's an awful lot of technology to hand the students a piece of paper at the start of the semester and say keep track of it,' said one. 'What are the gains for students by bringing IT into the class? There isn't any. You could teach all of chemistry with a whiteboard. I really don't think you need IT or anything beyond a pencil and a paper,' said another."

danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.

First time accepted submitter Bitsy Boffin writes "Xtra, the largest ISP in New Zealand, which outsources email provision to Yahoo, has in the last two days been subject to a widespread email compromise, causing potentially thousands of accounts to send spam messages to every address in their webmail address books. Discussion at Geekzone centers around this potentially being a continuation of the Yahoo XSS exploit. While Telecom NZ, the owners of Xtra internet service provider indicate that the problem was "resolved", reports of spam from its members continue unabated. Telecom NZ are advising those affected to change their passwords."

An anonymous reader writes "If you're a hacker or a security researcher, this is a reminder that you don't have to take on Google's or Mozilla's software to get paid for finding a bug. In its first week, the Mega vulnerability reward program has already confirmed and fixed seven bugs, showing that Dotcom really does put his money where his mouth is. Although Mega hasn't shared how much money it paid out in the first week, how many bug submissions were made, or even who found which bugs, the company did briefly detail the discovered security holes. It also confirmed that the program is here to stay and urged those participating to find more severe bugs."

Bomarc writes "Twice now I've been advised to 'flash the BIOS to the latest,' once by a (major) hard drive controller maker (RAID); once by an OEM (who listed the update as 'critical,' and has removed older versions of the BIOS). Both times, the update has bricked an expensive piece of equipment. Both times, the response after the failed flash was 'It's not our problem, it's out of warranty.' Given that they recommended / advised that the unit be upgraded, shouldn't they shoulder the responsibility of BIOS upgrade failure? Also, if their design had sockets rather than soldering on parts, one could R/R the faulty part (BIOS chip), rather than going to eBay and praying. Am I the only one that has experienced this type of problem? Have you been advised to upgrade a BIOS (firmware); and the upgrade bricked the part or system? If so, what did you do? Should I name the companies?"

Reader hessian six months ago de-installed the Adobe Flash player on all of his browsers, probably a prudent move in light of various recent vulnerabilities. "This provoked some shock and incredulity from others. After all, Flash has been an essential content interpreter for over a decade. It filled the gap between an underdeveloped JavaScript and the need for media content like animation, video and so on." But it turns out that life sans Flash can still be worth living. Are there things you rely on that make Flash hard to give up?

An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal- or that breaches of it were news.'"

First time accepted submitter YurB writes "Matthew Garrett, a Linux kernel developer who was investigating the recent Linux-on-Samsung-in-UEFI-mode problem, has bricked a Samsung laptop using a test userspace program in Windows. The most fascinating part of the story is on what is actually causing the firmware boot failure: 'Unfortunately, it turns out that some Samsung laptops will fail to boot if too much of the [UEFI] variable storage space is used. We don't know what "too much" is yet, but writing a bunch of variables from Windows is enough to trigger it. I put some sample code here — it writes out 36 variables each containing a kilobyte of random data. I ran this as an administrator under Windows and then rebooted the system. It never came back.'"

An anonymous reader writes "We have started seeing an increase in iPhone issues related to battery life and overheating. All of them seem to be related to users upgrading their devices to iOS 6.1. Furthermore, Vodafone UK today began sending out text messages to iPhone 4S owners on its network, warning them not to upgrade to iOS 6.1 due to issues with 3G performance. The text reads, 'If you've not already downloaded iOS 6.1 for your iPhone 4s, please hold off for the next version while Apple fixes 3G performance issues. Thanks.'"

Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word if this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has a IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates."

tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."

tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."

New submitter rHBa sends this article about another high-profile email account breach: "The apparent hack of several e-mail accounts has exposed personal photos and sensitive correspondence from members of the Bush family, including both former U.S. presidents. The posted photos and e-mails contain a watermark with the hacker's online alias, 'Guccifer.' ... Included in the hacked material is a confidential October 2012 list of home addresses, cell phone numbers, and e-mails for dozens of Bush family members, including both former presidents, their siblings, and their children. ... Correspondence obtained by the hacker indicates that at least six separate e-mail accounts have been compromised, including the AOL account of Dorothy Bush Koch, daughter of George H.W. Bush and sister of George W. Bush. Other breached accounts belong to Willard Heminway, 79, an old friend of the 41st president who lives in Greenwich, Connecticut; CBS sportscaster Jim Nantz, a longtime Bush family friend; former first lady Barbara Bush’s brother; and George H.W. Bush’s sister-in-law. "