Government

Showdown Set On Bid To Give UN Control of Internet 316

wiredmikey writes "When delegates gather in Dubai in December for an obscure UN agency meeting, the mother of all cyber diplomatic battles is expected, with an intense debate over proposals to rewrite global telecom rules to effectively give the United Nations control over the Internet. Russia, China and other countries back a move to place the Internet under the authority of the International Telecommunications Union (ITU), a UN agency that sets technical standards for global phone calls. While US officials have said placing the Internet under UN control would undermine the freewheeling nature of cyberspace, some have said there is a perception that the US owns and manages the Internet. The head of the ITU, Hamadoun Toure, claims his agency has 'the depth of experience that comes from being the world's longest established intergovernmental organization.' But Harold Feld of the US-based non-government group Public Knowledge said any new rules could have devastating consequences. Some are concerned over a proposal by European telecom operators seeking to shift the cost of communication from the receiving party to the sender. This could mean huge costs for US Internet giants like Facebook and Google."
Canada

US and Canada Launch Joint Cybersecurity Plan 42

wiredmikey writes "Canada and the United States announced Friday they were launching a joint cybersecurity plan that aims to better protect critical digital infrastructure and improve the response to cyber incidents. Under the action plan, the US Department of Homeland Security and Public Safety Canada will cooperate to protect vital cyber systems and respond to and recover from any cyber disruptions, by improving collaboration on managing cyber incidents between their respective cyber security operation centers, enhancing information sharing and engagement with the private sector and pursuing US-Canadian collaboration to promote cyber security awareness to the public."
Government

Cash-Strapped States Burdened By Expensive Data Security Breaches 58

CowboyRobot writes "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."
Security

Industrial Control Software Easily Hackable 194

jfruh writes "CoDeSys, a piece of software running on industrial control systems from hundreds of vendors, has been revealed to be easily hackable by security researchers, giving rise to a scenario where computer hacking could cross the line into the physical world. Worse, many of these systems are unnecessarily connected to the Internet, which is a terrible, terrible idea."
Businesses

Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting? 168

An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
China

China Telco Replaces Cisco Devices Over Security Concerns 180

hackingbear writes "China Unicom, the country's second largest telecom operator, has replaced Cisco Systems routers in one of the country's most important backbone networks, citing security reasons (due to bugs and vulnerability). The move came after a congressional report branded Huawei Technologies Co. Ltd. and ZTE Corp. security threats in the United States, citing bugs and vulnerability (rather than actual evidence of spying). Surprising to us, up to now, Cisco occupies a large market share in China. It accounts for over a 70 percent share of China Telecom's 163 backbone network and over an 80 percent share of China Unicom's 169 backbone network. Let's wait to see who's the winner in this trade war disguised as national security."
Earth

Slashdot Asks: Are You Preparing For Hurricane Sandy? 232

Forecasters are tossing around words like "unprecedented" and "bizarre" (see this Washington Post blog entry) for the intensity and timing of Hurricane Sandy, which is threatening to hit the east coast of the U.S. early next week. Several people I know in the mid-Atlantic region have been ordering generators and stocking up on flashlight batteries and easy-to-prepare foods. Are you in the projected path of the storm? If so, have you taken any steps to prepare for it? (Are you doing off-site backup? Taking yourself off-site?)
Earth

Green Grid Argues That Data Centers Can Lose the Chillers 56

Nerval's Lobster writes "The Green Grid, a nonprofit organization dedicated to making IT infrastructures and data centers more energy-efficient, is making the case that data center operators are operating their facilities in too conservative a fashion. Rather than rely on mechanical chillers, it argues in a new white paper (PDF), data centers can reduce power consumption via a higher inlet temperature of 20 degrees C. Green Grid originally recommended that data center operators build to the ASHRAE A2 specifications: 10 to 35 degrees C (dry-bulb temperature) and between 20 and 80 percent humidity. But the paper also presented data that a range of between 20 and 35 degrees C was acceptable. Data centers have traditionally included chillers, mechanical cooling devices designed to lower the inlet temperature. Cooling the air, according to what the paper originally called anecdotal evidence, lowered the number of server failures that a data center experienced each year. But chilling the air also added additional costs, and PUE numbers would go up as a result."
Businesses

Cringely: H-1B Visa Abuse Limits Wages and Steals US Jobs 795

walterbyrd sends this snippet from an article by Robert X. Cringely: "Big tech employers are constantly lobbying for increases in H-1B quotas citing their inability to find qualified US job applicants. Microsoft cofounder Bill Gates and other leaders from the IT industry have testified about this before Congress. Both major political parties embrace the H-1B program with varying levels of enthusiasm. Bill Gates is wrong. What he said to Congress may have been right for Microsoft but was wrong for America and can only lead to lower wages, lower employment, and a lower standard of living. This is a bigger deal than people understand: it's the rebirth of industrial labor relations circa 1920. Our ignorance about the H-1B visa program is being used to unfairly limit wages and steal — yes, steal — jobs from U.S. citizens."
China

New Trusted HW Standard For Windows 8 To Support Chinese Crypto 87

An anonymous reader writes "A new version of the Trusted Platform Module, called TPM2 or TPM 2.0 by Microsoft, has apparently been designed specifically for the release of Windows 8 this week. The details of this new standard have been kept secret. But a major update to the original TPM standard, which came out 10 years ago, seems to have been very quietly released on the Trusted Computing web site (FAQ) earlier this month. Following in the footsteps of the original, this version is quite a challenging read (security through incomprehensibility?). But this new version also seems to support some controversial crypto algorithms that were made public by the 'State Encryption Management Bureau' of China for the first time about 2 years ago. This is roughly the time that Microsoft seems to have begun working in earnest on TPM2, Windows 8, and probably even Surface. But that's probably just a coincidence. This crypto is controversial because of serious EU concerns with domestic restrictions on the implementation, use, and importation of cryptography in China."
Encryption

SSL Holes Found In Critical Non-Browser Software 84

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man-in-the-middle attack."
Encryption

Anonymous' WikiLeaks-Like Project Tyler To Launch In December 101

hypnosec writes "A hacker who claims to be a member of the hacking collective Anonymous has revealed that the hacktivist group is working on a Wikileaks-like service dubbed Tyler and that it will be launched on December 21. The Anonymous member revealed that the service will be decentralized and will be based on peer-to-peer service, unlike Wikileaks, thus making Tyler rather immune to closure and raids. The site will serve as a haven for whistleblowers, where they can publish classified documents and information. The hacker said in an emailed interview that 'Tyler will be P2P encrypted software, in which every function of a disclosure platform will be handled and shared by everyone who downloads and deploys the software.'" That sounds like a lot to live up to. Decentralized, attack-resistant and encrypted all sound nice, but I'm curious both about the funding it would take, and whether it matches Wikileaks' own security.
Microsoft

Microsoft Releases Windows 8 403

Orome1 writes "Microsoft today announced the global availability of Windows 8. Beginning Friday, Oct. 26, consumers and businesses worldwide will be able to experience all that Windows 8 has to offer, including a new user interface and a wide range of applications with the grand opening of the Windows Store. Launching at the same time is a new member of the Windows family — Windows RT — designed for ARM-based tablets and available pre-installed on new devices. In addition to Microsoft Office 2013, Windows RT is designed exclusively for apps in the new Windows Store. In addition to the range of new Windows-based devices available, consumers can also upgrade their existing PCs. Through the end of January, consumers currently running PCs with Windows XP, Windows Vista or Windows 7 are qualified to download an upgrade to Windows 8 Pro for an estimated retail price of US$39.99." Also at Slash Cloud, where Nick Kolakowski writes: "If the operating system and its associated hardware capture the attention (and dollars) of mobile-device users, Microsoft will have successfully expanded the Windows brand to a new and rapidly growing market segment. But if it fails, and Apple and Google continue to rule the mobility space, then Microsoft is left with few alternatives."
Security

Experts Warn About Security Flaws In Airline Boarding Passes 199

concealment writes in with a story about a newly found security issue with the bar codes on boarding passes. "Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive. Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by technically minded travelers. Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process."
Privacy

Analytics Company Settles Charges For User Tracking 43

An anonymous reader writes "A web analytics company has agreed to settle Federal Trade Commission charges that it violated federal law by using its web-tracking software that collected personal data without disclosing the extent of the information that it was collecting. The company, Compete Inc., also allegedly failed to honor promises it made to protect the personal data it collected. KISSmetrics, the developer and seller of the homonymous tool, has agreed to pay up to make the suit go away, but the two plaintiffs will get only $5,000 each, while the rest of the money — more than half a million dollars — will go to their lawyers for legal fees."
Programming

Ask Slashdot: Is Going To a Technical College Worth It? 309

First time accepted submitter blandcramration writes "I have recently decided to further my education with a technical school associate's degree. I am a first quarter student in my third week as an IT student. I have taught myself Python and have been working with computers for over 10 years. We've been learning C++ and though my instructor appears to know how to program, he doesn't really understand the procedure behind the veil, so to speak. In a traditional learning environment, I would rather learn everything about the computer process rather than fiddle around with something until I figure out how it works. I can do that on my own. I think the real issue is I'm not feeling challenged enough and I'm paying through the nose to go to school here. Am I even going to be able to land a decent job, or should I just take a few classes here and move on to a traditional college and get a computer science degree? I'm much more interested in an approach to computer science like From NAND to Tetris but I feel as if I should get a degree in something. What are your thoughts?"
Australia

Huawei Offers 'Complete and Unrestricted' Source Code Access 255

An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"
Bug

EXT4 Data Corruption Bug Hits Linux Kernel 249

An anonymous reader writes "An EXT4 file-system data corruption issue has reached the stable Linux kernel. The latest Linux 3.4, 3.5, 3.6 stable kernels have an EXT4 file-system bug described as an apparent serious progressive ext4 data corruption bug. Kernel developers have found and bisected the kernel issue but are still working on a proper fix for the stable Linux kernel. The EXT4 file-system can experience data loss if the file-system is remounted (or the system rebooted) too often."
Security

Would You Put a Tracking Device On Your Child? 610

Hugh Pickens writes "In 2007 businessman Russell Thornton lost his 3-year-old son at an amusement park. After a frantic 45-minute search, Thornton found the boy hiding in a play structure, but he was traumatized by the incident. It spurred him to build a device that would help other parents avoid that fate. Even though most statistics show that rates of violent crime against children have declined significantly over the last few decades, and that abductions are extremely rare, KJ Dell'Antonia writes that with the array of new gadgetry like Amber Alert and the Securus eZoom our children need never experience the fears that come with momentary separations, or the satisfaction of weathering them. 'You could argue that those of us who survived our childhoods of being occasionally lost, then found, are in the position of those who think car seats are overkill because they suffered no injury while bouncing around in the back of their uncle's pickup,' writes Dell'Antonia. 'Wouldn't a more powerful sense of security come from knowing your children were capable, and trusting in their ability to reach out for help at the moment when they realize they're not?'"
Encryption

How a Google Headhunter's E-Mail Revealed Massive Misuse of DKIM 115

concealment writes with a tale of how an email sent to a mathematician led to him discovering that dozens of high profile companies were using easily crackable keys to authenticate mail sent from their domains. From the article: "The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender's DNS records and verify the validity of the signature. Harris wasn't interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game."