Dangerous_Minds writes "Recently, Slashdot posted about how cloud storage company Mega was 'riddled' with security holes. Freezenet points out that Mega has issued a response to some of these criticisms including one which criticized its use of SSL. Mega responded saying that if you could break SSL, you could break things much more interesting than Mega."

CowboyRobot writes "In 25 years, an odd thing will happen to some of the no doubt very large number of computing devices in our world: an old, well-known and well-understood bug will cause their calculation of time to fail. The problem springs from the use of a 32-bit signed integer to store a time value, as a number of seconds since 00:00:00 UTC on Thursday, 1 January 1970, a practice begun in early UNIX systems with the standard C library data structure time_t. On January 19, 2038, at 03:14:08 UTC that integer will overflow. It's not difficult to come up with cases where the problem could be real today. Imagine a mortgage amortization program projecting payments out into the future for a 30-year mortgage. Or imagine those phony programs politicians use to project government expenditures, or demographic software, and so on. It's too early for panic, but those of us in the early parts of their careers will be the ones who have to deal with the problem."

twoheadedboy writes "Kim Dotcom launched his new project Mega on Sunday, claiming it was to be 'the privacy company.' But it might not be so private after all, as security professionals have ripped it to shreds. There are numerous problems with how encryption is handled, an XSS flaw and users can't change their passwords, they say. But there are suspicions Mega is handing out encryption keys to users and touting strong security to cover its own back. After all, if Kim Dotcom and Co don't know what goes on the site, they might not be liable for copyright prosecutions, as they were for Megaupload, Mega's preprocessor." On this front, reader mask.of.sanity points out a tool in development called MegaCracker that could reveal passwords as users sign up for the site.

DavidGilbert99 writes "Eugene Kaspersky and Mikko Hypponen have been watching the cyber security world every since happy hackers were writing viruses for nothing more than their own entertainment. Today however things are very much different. At the DLD 2013 conference, the pair debated the current state of cyber warfare and cyber weapons. Kaspersky said that while cyber weapons may be much 'cleaner' than traditional missiles, guns and bombs, they are 'much worse' as they can be used by just about anyone who has some level of computer proficiency. Both agreed that it was very difficult to protect against the highly-complex nation-state developed malware like Stuxnet, Flame and Gauss. Hypponen said that we are in the 'first stages of a cyber-arms race' warning: 'I think we've only seen the very beginning of these problems.'"

innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."

Kim Dotcom's new "Mega" cloud service appears to be a hit. According to Dotcom over 1 million have signed up for their free 50 gigabytes of storage. Although that is about 1% of the Dropbox user base, it's not a bad start. From the article: "Mega quickly jumped up to around 100,000 users within an hour or so of the site's official launch. A few hours after that, Mega had ballooned up to approximately a quarter of a million users. Demand was great enough to knock Mega offline for a number of users attempting to either connect up or sign up for new accounts, and Mega's availability remains spotty as of this articles' writing."

An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"

hypnosec writes "How long does a bug take to get resolved? A week? A month? A year? Well, a bug prevalent in the KDE libraries since 2002 has finally been resolved after a decade it has been revealed. The bug was present in the "Reject Cross-Domain Cookies" feature of KDE Libraries. Thiago Macieira noted in the KDE Libraries Revision 974b14b8 that he observed that his web cookies were being forgotten following a kded restart."

An anonymous reader writes "After months of hype riding the coattails of the MegaUpload controversy, Kim Dotcom's new cloud storage site, Mega, is finally going live. After being available to early adopters briefly, it's now open to the public with 50GB of free storage and end-to-end encryption. Several outlets have posted early hands-on reports for the service, including Ars Technica and The Next Web. In an interview, Dotcom spoke about how Mega's encryption scheme benefits both the users and the company: 'The Mega business plan will be a distributed model, with hundreds of companies large and small, around the world, hosting files. A hosting company can be huge or it can own just two or three servers Dotcom says—just as long as it's located outside the U.S. "Each file will be kept with at least two different hosters, [in] at least two different locations," said Dotcom. "That's a great added benefit for us because you can work with the smallest, most unreliable [hosting] companies. It doesn't matter because they can't do anything with that data." More than 1000 hosts answered a request for expressions of interest on the Mega home page. Dotcom says several hundred will be active partners within months.' On top of that, the way it's designed will protect Mega from legal problems: 'It's all about the plausible deniability. Mega doesn't know what you're uploading. ... Mega isn't so much securing your files for you as it is securing itself from your files. If Mega just takes down all the DMCAed links, it will have a 100 percent copyrighted material takedown record as far as its own knowledge is concerned. It literally can't know about cases that aren't actively pointed out to it, complete with file decryption keys.'"

dstates writes "The Department of Health and Human Services has released newly revised rules for the Health Information Privacy and Accountability Act (HIPAA) to ensure patient access to electronic copies of their electronic medical records. Several years ago, there was a great deal of excitement about personalized health information management (e.g. Microsoft HealthVault and Google Health). Unfortunately, patients found it difficult to obtain their medical records from providers in formats that could easily be imported. Personalized health records were time consuming and difficult to maintain, so these initiatives have not lived up to their expectations (e.g. Google Health has been discontinued). The new rules should address this directly and hopefully will revitalize interest in personal health information management. The new HIPAA rules also greatly strengthen patient privacy, the ability of patients to control who sees their medical information, and increases the penalties for leaking medical records information. 'Much has changed in health care since HIPAA was enacted over fifteen years ago,' said HHS Secretary Kathleen Sebelius. 'The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age.'"

Trailrunner7 writes "Up to a million Android users in China could be part of a large mobile botnet, according to research unveiled by Kingsoft Security, a Hong Kong-based security company, this week. The botnet has spread across phones running the Android operating system via Android.Troj.mdk, a Trojan that researchers said exists in upwards of 7,000 applications available from non-Google app marketplaces, including the popular Temple Run and Fishing Joy games." Update: 01/19 12:54 GMT by S : Changed summary to reflect that these apps didn't come from Google Play.

An anonymous reader writes "Google on Friday announced yet another security improvement for Chrome 25. In addition to killing silent extension installation, the omnibox in Google's browser will send all searches over a Secure Sockets Layer (SSL) connection. Chrome already does this for users who are signed in to Google: when they search from the address bar, their queries are sent over HTTPS. As of Chrome 25, however, the same will happen for users who aren't signed in to Google."

msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."

An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity." Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"

An anonymous reader writes "Dozens of volunteers who anonymously donated their genomic data to a public database for medical research have been identified by a team led by Yaniv Erlich, a former computer security researcher turned geneticist. Erlich's team matched Y chromosomal markers in genomes compiled by the 1000 Genomes Project with non-anonymous genomic databases, for example some assembled from contributions by family tree enthusiasts (abstract). After finding a match on a presumed relative of the study participant, the researchers pieced together the relative's family tree through search engines and the like, until they were able to identify the participant based on gender, age, place of birth, and other supposedly 'non-identifying' information associated with the genome. The names of the identified participants have not been released."

McGruber writes "The Transportation Security Administration (TSA) has ended a contract with Rapiscan, a unit of OSI Systems Inc., manufacturer of about half of all of the controversial full-body scanners used on air passengers. TSA officials claim that Rapiscan failed to deliver software that would protect the privacy of passengers, but the contract termination happened immediately after the TSA finally got around to studying the health effects of the scanners, and Congress had a hearing on TSA's 'Scanner Shuffle'."

redletterdave writes "For the second time in a row, Microsoft's Security Essentials failed to earn certification from AV-Test, the independent German testing lab best known for evaluating the effectiveness of antivirus software. Out of 25 different security programs tested by AV-Test, including software from McAfee, Norman, Kaspersky, and others, Microsoft's Security Essentials was just one out of three that failed to gain certification. These results are noteworthy because Microsoft Security Essentials is currently (as of December) the most popular security suite in North America and the world."

Qedward writes with this except from Computerworld UK: "Germany should change a law to enable public administrations to make their software available as free and open source, a German parliamentary committee has advised. German public administrations currently are not allowed to give away goods, including software, said Jimmy Schulz, a member of Parliament and chairman of the Interoperability, Standards and Free Software Project Group. The current law prohibits governments from being part of the development process in the free software community, he said. 'This is a clear disadvantage because it cuts off all benefits obtained from free software, such as being cost-efficient and state-of-the-art,' he said. Besides a recommendation that the government should explore whether the law can be changed for software, the group also called for the use of open standards in order to make sure that everybody can have access to important information, Schulz said. 'We also called for public administrations in general to make sure that new software is created as platform independent as possible,' he added. While the project group is not in favour of giving priority to one type of software over another, it said in its recommendation to the Parliament earlier this week that free and open source software could be a viable alternative to proprietary software." I think a fair rule is that, barring extraordinary and demonstrated need, all tax dollars for software should go only for the development of software for which source is available gratis to all taxpayers, and that secret-source software makers are free to change to fit this requirement any time they'd like to have their software considered for a bid.

Rikki Endsley has been Community Manager for USENIX since September, 2011. She also edits their magazine, ;login:, writes for publications ranging from Linux.com to Network World, and is a long-distance runner to boot. But this interview concentrates on USENIX, a worthy organization that does a great job of helping its members (and the entire Unix/Linux community) stay up to date technically and, with its job board, keep USENIX members employed. Toward the end of the conversation, Rikki mentions some of the intangible but valuable benefits people get when they attend USENIX events. (Remember: If you don't have time to watch the video, can't see the video or just don't like video, you can click on the "Show/Hide Transcript" link and read a text version of the video.)

kthreadd writes "The Red Hat Enterprise Linux 5 derivative CentOS version 5.9 has been released just 10 days after its upstream provider. According to the release notes a number of changes have been made. New packages available in CentOS 5.9 includes for example OpenJDK 7 and Rsyslog 5. Several drivers have also been updated in the kernel which has been updated to version 2.6.18-348, including support for Microsoft's virtualization environment Hyper-V." CentOS has been plugging away now for nearly 10 years.