Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

  • Hundreds of Police Agencies Distributing Spyware and Keylogger

    realized sends this news from the EFF: For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the "first step" in protecting their children online. ... As official as it looks,ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies. The way ComputerCOP works is neither safe nor secure. It isn't particularly effective either, except for generating positive PR for the law enforcement agencies distributing it.

    As security software goes, we observed a product with a keystroke-capturing function, also called a "keylogger," that could place a family's personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. EFF conducted a security review of ComputerCOP while also following the paper trail of public records to see how widely the software has spread. Based on ComputerCOP's own marketing information, we identified approximately 245 agencies in more than 35 states, plus the U.S. Marshals, that have used public funds (often the proceeds from property seized during criminal investigations) to purchase and distribute ComputerCOP. One sheriff's department even bought a copy for every family in its county.

    37 comments | 1 hour ago

  • China Worried About Terrorist Pigeons

    An anonymous reader writes: A pleasant event was planned for the 65th anniversary of the founding of the People's Republic of China. A ceremony at Tiananmen Square would release 10,000 pigeons at sunrise to symbolize an era of peace. Unfortunately, even symbols of peace can apparently remind people of violence. Chinese authorities searched all 10,000 pigeons for "dangerous materials," after the government was concerned they might be used for attacks. The pigeons' feathers were checked, and they were given a cavity search as well. The reports did not indicate what kind of "dangerous materials" these pigeons might be carrying. It's unclear whether any pigeons disclosed terror plots under interrogation.

    82 comments | 3 hours ago

  • Apple Fixes Shellshock In OS X

    jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.

    161 comments | yesterday

  • FBI Plans To Open Up Malware Analysis Tool To Outside Researchers

    Trailrunner7 writes: The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others. The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file.

    Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses.Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal's reach in the near future. "We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon," he said.

    28 comments | yesterday

  • CloudFlare Announces Free SSL Support For All Customers

    Z80xxc! writes: CloudFlare, a cloud service that sits between websites and the internet to provide a CDN, DDOS and other attack prevention, speed optimization, and other services announced today that SSL will now be supported for all customers, including free customers. This will add SSL support to approximately 2 million previously unprotected websites. Previously SSL was only available to customers paying at least $20/month for a "Pro" plan or higher.

    Browsers connect to CloudFlare's servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website's server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator's preferences. CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.

    66 comments | 2 days ago

  • CEO of Spyware Maker Arrested For Enabling Stalkers

    An anonymous reader writes: U.S. authorities have arrested and indicted the CEO of a mobile software company for selling spyware that enables "stalkers and domestic abusers." The U.S. Department of Justice accuses the man of promoting and selling software that can "monitor calls, texts, videos and other communications on mobile phones without detection." The agency pointed out this is the first criminal case based on mobile spyware, and promised to aggressively pursue makers of similar software in the future. Here's the legal filing (PDF). The FBI, with approval from a District Court, has disabled the website hosting the software.

    "The indictment alleges that StealthGenie's capabilities included the following: it recorded all incoming/outgoing voice calls; it intercepted calls on the phone to be monitored while they take place; it allowed the purchaser to call the phone and activate it at any time to monitor all surrounding conversations within a 15-foot radius; and it allowed the purchaser to monitor the user's incoming and outgoing e-mail messages and SMS messages, incoming voicemail messages, address book, calendar, photographs, and videos. All of these functions were enabled without the knowledge of the user of the phone."

    193 comments | 2 days ago

  • Man Walks Past Security Screening Staring At iPad, Causing Airport Evacuation

    First time accepted submitter chentiangemalc writes While Australia is on "high alert" for terror threats a man walked past a Sydney Airport security screening while engrossed in his iPad and delayed flights for an hour. From the article: "This event was captured on CCTV and unnerved officials so much that they evacuated passengers. As the Sydney Morning Herald reported, the man found himself (or, perhaps, didn't) going into the terminal through an exit passage that clearly was convenient for him, but less convenient for the hordes of passengers who not only had to be removed from Terminal 3, but also re-screened. A spokeswoman for Qantas told the Morning Herald: 'The man disembarked a flight and left. It appears he wasn't paying attention, was looking at his iPad, forgot something and walked back past (the security area).'"

    212 comments | 2 days ago

  • Bash To Require Further Patching, As More Shellshock Holes Found

    Bismillah writes Google security researcher Michael 'lcamtuf' Zalewski says he's discovered a new remote code execution vulnerability in the Bash parser (CVE-2014-6278) that is essentially equivalent to the original Shellshock bug, and trival to exploit. "The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said. "The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

    325 comments | 2 days ago

  • At CIA Starbucks, Even the Baristas Are Covert

    An anonymous reader writes with this interesting story about what it's like to work at “Store Number 1,” the CIA's Starbucks. The new supervisor thought his idea was innocent enough. He wanted the baristas to write the names of customers on their cups to speed up lines and ease confusion, just like other Starbucks do around the world. But these aren't just any customers. They are regulars at the CIA Starbucks. "They could use the alias 'Polly-O string cheese' for all I care," said a food services supervisor at the Central Intelligence Agency, asking that his identity remain unpublished for security reasons. "But giving any name at all was making people — you know, the undercover agents — feel very uncomfortable. It just didn't work for this location."

    241 comments | 2 days ago

  • NVIDIA Begins Requiring Signed GPU Firmware Images

    An anonymous reader writes: In a blow to those working on open-source drivers, soft-mods for enhancing graphics cards, and the Chinese knock-offs of graphics cards, NVIDIA has begun signing and validating GPU firmware images. With the latest-generation Maxwell GPUs, not all engine functionality is being exposed unless the hardware detects the firmware image was signed by NVIDIA. This is a setback to the open-source Nouveau Linux graphics driver but they're working towards a solution where NVIDIA can provide signed, closed-source firmware images to the driver project for redistribution. Initially the lack of a signed firmware image will prevent some thermal-related bits from being programmed but with future hardware the list of requirements is expected to rise.

    189 comments | 4 days ago

  • Apple Yet To Push Patch For "Shellshock" Bug

    An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.

    208 comments | 4 days ago

  • OpenMandriva Lx 2014.1 Released

    jrepin writes OpenMandriva is proud to announce the release of OpenMandriva Lx 2014.1 distribution of the GNU/Linux operating system. Most of developers efforts were focused on reducing system boot up time and memory usage. This version brings Linux kernel 3.15.10 (with special patches for desktop system performance, responsiveness, and realtime capabilities), KDE Software Compilation 4.13.3, Xorg 1.15.1, Mesa 10.2.6, LibreOffice 4.3.1, Firefox 32, GNU bash with latest security fixes, and many other updated software packages.

    30 comments | 4 days ago

  • Security Collapse In the HTTPS Market

    CowboyRobot writes: HTTPS has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online. At the same time, widely reported security incidents (such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed) have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations (notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale) have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.

    185 comments | 5 days ago

  • How the NSA Profits Off of Its Surveillance Technology

    blottsie writes: The National Security Agency has been making money on the side by licensing its technology to private businesses for more than two decades. It's called the Technology Transfer Program, under which the NSA declassifies some of its technologies that it developed for previous operations, patents them, and, if they're swayed by an American company's business plan and nondisclosure agreements, rents them out. The products include tools to transcribe voice recordings in any language, a foolproof method to tell if someone's touched your phone's SIM card, or a version of email encryption that isn't available on the open market.

    82 comments | 5 days ago

  • First Shellshock Botnet Attacking Akamai, US DoD Networks

    Bismillah writes The Bash "Shellshock" bug is being used to spread malware to create a botnet, that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named “wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."

    236 comments | 5 days ago

  • Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

    The recently disclosed bug in bash was bad enough as a theoretical exploit; now, reports Ars Technica, it could already be being used to launch real attacks. In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion web pages that at least partially fit the profile for the Shellshock exploit. More bad news: "[T]he initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry." And CNET is not the only one to say that Shellshock, which can affect Macs running OS X as well as Linux and Unix systems, could be worse than Heartbleed.

    317 comments | about a week ago

  • Ask Slashdot: Is Reporting Still Relevant?

    New submitter MrWHO (68268) writes A while ago we switched for monitoring our systems to the ELK (ElasticSearch, LogStash and Kibana) stack. Our management wanted to keep the reports they got — and possibly never read — flowing in at the beginning of every week with statistics like sites traffic, servers downtime, security alerts and the works. As we migrated some of our clients to the same stack they kept all asking for the same thing: reporting. There was no way for us to create and schedule reports from ElasticSearch — searches for ElasticSearch and Jasper Reports returned nothing apart from people asking how to do it — so we created our own Jasper Reports plugin to create reports from ElasticSearch data, which we released on GitHub a while ago, and we promptly moved along.

    None of our clients were easily convinced that a dashboard — Kibana — was a substitute for mail delivered PDFs, even if all the information was there, with custom created panels and selectable date ranges. On the other hand, on the ElasticSearch mailing list when questions were asked about "how do I do reports?" the answer was, and I sum it up here, "Why would you want reports when you have a dashboard?" Are reports still relevant — the PDF, templated, straight in to your mail kind — or the subset of my clients — we operate mainly in Italy — is a skewed sample of what's the actual reality of access to summary data? Are dashboards — management targeted ones — the current accepted solution or — in your experience — reports are still a hot item for management?

    179 comments | about a week ago

  • Amazon Forced To Reboot EC2 To Patch Bug In Xen

    Bismillah writes AWS is currently emailing EC2 customers that it will need to reboot their instances for maintenance over the next few days. The email doesn't explain why the reboots are being done, but it is most likely to patch for the embargoed XSA-108 bug in Xen. ZDNet takes this as a spur to remind everyone that the cloud is not magical. Also at The Register.

    94 comments | about a week ago

  • Where Whistleblowers End Up Working

    HughPickens.com writes Jana Kasperkevic writes at The Guardian that it's not every day that you get to buy an iPhone from an ex-NSA officer. Yet Thomas Drake, former senior executive at National Security Agency, is well known in the national security circles for leaking information about the NSA's Trailblazer project to Baltimore Sun. In 2010, the government dropped all 10 felony charges against him and he pleaded guilty to a misdemeanor charge for unauthorized use of a computer and lost his livelihood. "You have to mortgage your house, you have to empty your bank account. I went from making well over $150,000 a year to a quarter of that," says Drake. "The cost alone, financially — never mind the personal cost — is approaching million dollars in terms of lost income, expenses and other costs I incurred."

    John Kiriakou became the first former government official to confirm the use of waterboarding against al-Qaida suspects in 2009. "I have applied for every job I can think of – everything from grocery stores to Toys R Us to Starbucks. You name it, I've applied there. Haven't gotten even an email or a call back," says Kiriakou. According to Kasperkevic, this is what most whistleblowers can expect. The potential threat of prosecution, the mounting legal bills and the lack of future job opportunities all contribute to a hesitation among many to rock the boat. "Obama and his attorney general, Eric Holder, declared a war on whistleblowers virtually as soon as they assumed office," says Kiriakou. "Washington has always needed an "ism" to fight against, an idea against which it could rally its citizens like lemmings. First, it was anarchism, then socialism, then communism. Now, it's terrorism. Any whistleblower who goes public in the name of protecting human rights or civil liberties is accused of helping the terrorists."

    224 comments | about a week ago

  • Ask Slashdot: How To Keep Students' Passwords Secure?

    First time accepted submitter bigal123 writes My son's school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various text book sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation. Do others have good password management suggestions or suggestions for a single sign-on process (no/minimal cost) for kids in school accessing school provisioned resources?

    191 comments | about a week ago

Slashdot Login

Need an Account?

Forgot your password?