An anonymous reader writes "Microsoft announced yesterday their plans to encrypt customer data to prevent government snooping. Free Software Foundation executive director John Sullivan questions the logic of trusting non-free software, regardless of promises or even intent. He says, 'Microsoft has made renewed security promises before. In the end, these promises are meaningless. Proprietary software like Windows is fundamentally insecure not because of Microsoft's privacy policies but because its code is hidden from the very users whose interests it is supposed to secure. A lock on your own house to which you do not have the master key is not a security system, it is a jail. ... If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing. When we don't have that, back doors and privacy violations are inevitable.'"
Navigate with confidence through the cloud. Sign up for the SlashCloud Update newsletter now.
Hugh Pickens DOT Com writes "Josh Gerstein writes on Politico that President Barack Obama told Chris Matthews in an interview recorded for MSNBC's 'Hardball' that he'll be reining in some of the snooping conducted by the NSA, but he did not detail what new limits he plans to impose on the embattled spy organization. 'I'll be proposing some self-restraint on the NSA. And...to initiate some reforms that can give people more confidence,' said the President who insisted that the NSA's work shows respect for the rights of Americans, while conceding that its activities are often more intrusive when it comes to foreigners communicating overseas. 'The NSA actually does a very good job about not engaging in domestic surveillance, not reading people's emails, not listening to the contents of their phone calls. Outside of our borders, the NSA's more aggressive. It's not constrained by laws.' During the program, Matthews raised the surveillance issue by noting a Washington Post report on NSA gathering of location data on billion of cell phones overseas. 'Young people, rightly, are sensitive to the needs to preserve their privacy and to retain internet freedom. And by the way, so am I,' responded the President. 'That's part of not just our First Amendment rights and expectations in this country, but it's particularly something that young people care about, because they spend so much time texting and-- you know, Instagramming.' With some at the NSA feeling hung out to dry by the president, Obama also went out of his way to praise the agency's personnel for their discretion. 'I want to everybody to be clear: the people at the NSA, generally, are looking out for the safety of the American people. They are not interested in reading your emails. They're not interested in reading your text messages. And that's not something that's done. And we've got a big system of checks and balances, including the courts and Congress, who have the capacity to prevent that from happening.'"
Nerval's Lobster writes "Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security. Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers' devices and Microsoft servers, as well as data moving between Microsoft data-centers. The increased-transparency part of Microsoft's new initiative is perhaps the most interesting, considering the company's longstanding advocacy of proprietary software. But Microsoft actually isn't planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to its general counsel Brad Smith, "transparency" means "building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors." In addition, Microsoft plans on opening a network of "transparency centers" where customers can go to "assure themselves of the integrity of Microsoft's products." That's not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft's part will assure anyone that it hasn't been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives."
tramp writes "The National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, according to top-secret documents and interviews with U.S. intelligence officials, enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable. Of course it is 'only metadata' and absolutely not invading privacy if you ask our 'beloved' NSA." Pretty soon, the argument about whether you have in any given facet of your life a "reasonable expectation of privacy" may take on a whole new meaning. Also at Slash BI.
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
chicksdaddy writes "Cyber attacks on 'connected vehicles' are still in the proof of concept stage. But those proofs of concept are close enough to the real thing to prompt an inquiry from U.S. Senator Ed Markey, who sent a letter to 20 major auto manufacturers (PDF) asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles. Markey's letter, dated December 2, cites recent reports of 'commands...sent through a car's computer system that could cause it to suddenly accelerate, turn or kill the breaks,' and references research conducted by Charlie Miller and Chris Valasek (PDF) on the Toyota Prius and Ford Escape. 'Today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN) ... Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another,' Markey wrote. Among the questions Markey wants answers to: What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points? What are automakers' methods for testing for vulnerabilities in technologies it deploys — including third pressure technologies? Markey asks specifically about tire pressure monitors, bluetooth and other wireless technologies and GPS (like Onstar). What third party penetration testing is conducted on vehicles (and any results)? What intrusion detection features exist for critical components like controller area network (CAN) buses on connected vehicles?"
cathyreisenwitz sends word of a San Francisco trial in which the U.S. government appears to be manipulating the no-fly list to its advantage. The court case involves a Stanford Ph.D. student who was barred from returning to the U.S. after visiting her native Malaysia. She's one of roughly 700,000 people on the no-fly list. Here's the sketchy part: the woman's eldest daughter, who was born in the U.S. and is a U.S. citizen, was called as a witness for the trial. Unfortunately, she mysteriously found herself on the no-fly list as well, and wasn't able to board a plane to come to the trial. Lawyers for the Department of Justice told the court that she simply missed her plane, but she was able to provide documents from the airline explaining that the Department of Homeland Security was not allowing her to fly.
An anonymous reader writes "I am a senior engineer and software architect at a fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However it's a security nightmare for sysadmins (which is all outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss at what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"
jfruh writes "One of the most potent aspects of Anonymous is, well, its anonymity — but that isn't absolute. Eric Rosol was caught by federal authorities participating in a DDoS attack on a company owned by Koch Industry; for knocking a website offline for 15 minutes, Rosol got two years of probation and had to pay $183,000 in restitution (the amount Koch paid to a security consultant to protect its website ater the attack)." The worst part? From the article: "Eric J. Rosol, 38, is said to have admitted that on Feb. 28, 2011, he took part in a denial of service attack for about a minute on a Web page of Koch Industries..."
SpaceX launched a Falcon 9 rocket this afternoon in a bid to deliver a large commercial satellite into geostationary orbit. The flight was successful: "Approximately 185 seconds into flight, Falcon 9’s second stage’s single Merlin vacuum engine ignited to begin a five minute, 20 second burn that delivered the SES-8 satellite into its parking orbit. Eighteen minutes after injection into the parking orbit, the second stage engine relit for just over one minute to carry the SES-8 satellite to its final geostationary transfer orbit. The restart of the Falcon 9 second stage is a requirement for all geostationary transfer missions." This is a significant milestone for SpaceX, and it fulfills another of the three objectives set forth by the U.S. Air Force to certify SpaceX flights for National Security Space missions.
Trailrunner7 writes "The skies may soon be full of drones – some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by a well-known hacker Samy Kamkar may give control of those drones to anyone with $400 and an hour of free time. Small drones, like the ones that Amazon is planning to use to deliver small packages in short timeframes in a few years, are quite inexpensive and easy to use. They can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn't require the use of any exploit or security vulnerability."
An anonymous reader writes "D-Link has released firmware patches for a number of its older routers sporting a critical authentication security bypass vulnerability discovered in October. The flaw was discovered and its exploitability proved with a PoC by Tactical Network Solutions' security researcher Craig Heffner. D-Link confirmed the existence of the problem a few weeks later."
mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."
theodp writes "'The night watchman of the future,' explains the NY Times' John Markoff, 'is 5 feet tall, weighs 300 pounds and looks a lot like R2-D2 – without the whimsy. And will work for $6.25 an hour.' California-based Knightscope has developed a mobile robot known as the K5 Autonomous Data Machine as a safety and security tool for corporations, as well as for schools and neighborhoods. 'But what is for some a technology-laden route to safer communities and schools,' writes Markoff, 'is to others an entry point to a post-Orwellian, post-privacy world.'"
CowboyRobot writes "In November, Denmark-based Bitcoin Internet Payment System suffered a DDoS attack. Unfortunately for users of the company's free online wallets for storing bitcoins, the DDoS attack was merely a smokescreen for a digital heist that quickly drained numerous wallets, netting the attackers a reported 1,295 bitcoins — worth nearly $1 million — and leaving wallet users with little chance that they'd ever see their money again. Given the potential spoils from a successful online heist, related attacks are becoming more common. But not all bitcoin heists have been executed via hack attacks or malware. For example, a China-based bitcoin exchange called GBL launched in May. Almost 1,000 people used the service to deposit bitcoins worth about $4.1 million. But the exchange was revealed to be an elaborate scam after whoever launched the site shut it down on October 26 and absconded with the funds. The warnings are all the same: 'Don't trust any online wallet', 'Find alternative storage solutions as soon as possible', and 'You don't have to keep your Bitcoins online with someone else. You can store your Bitcoins yourself, encrypted and offline.'"
An anonymous reader writes "A week ago, Slashdot was asked, "How do you protect your privacy?" The question named many different ways privacy is difficult to secure these days, but almost all of the answers focused on encrypting internet traffic. But what can you do about your image being captured by friends and strangers' cameras (not to mention drones, police cameras, security cameras, etc.)? How about when your personal data is stored by banks and healthcare companies and their IT department sucks? Heck; off-the-shelf tech can see you through your walls. Airport security sniffs your skin. There are countless other ways info on you can be collected that has nothing to do with your internet hygiene. Forget the NSA; how do you protect your privacy from all these others? Can you?"
Hugh Pickens DOT Com writes "Scott Jaschik writes in Inside Higher Education that the academic job market is structured in many respects like a drug gang, with an expanding mass of outsiders and a shrinking core of insiders and with income distribution within gangs extremely skewed in favor of those at the top, while the rank-and-file street sellers earned even less than employees in legitimate low-skilled activities. According to Alexandre Afonso, academic systems rely at least to some extent on the existence of a supply of 'outsiders' ready to forgo wages and employment security in exchange for the prospect of prestige, freedom and reasonably high salaries that tenured positions entail. 'What you have is an increasing number of brilliant PhD graduates arriving every year into the market hoping to secure a permanent position as a professor and enjoying freedom and high salaries, a bit like the rank-and-file drug dealer hoping to become a drug lord,' says Afonso. 'To achieve that, they are ready to forgo the income and security that they could have in other areas of employment by accepting insecure working conditions in the hope of securing jobs that are not expanding at the same rate.' The Chronicle of Higher Education recently reported on adjunct lecturers who rely on food stamps to make ends meet. Afonso adds that he is not trying to discourage everyone from pursuing Ph.D.s but that prospective graduate students need to go in with a full awareness of the job market."
Charliemopps writes "For 20 years the password for the U.S. nuclear arsenal was '00000000.' Kennedy instituted a security system on all nuclear warheads to prevent them from being armed by someone unauthorized. It was called PAL, and promised to secure the entire US arsenal around the world. Unfortunately for Kennedy (and I guess, the whole world) U.S. military leadership was more concerned about delaying a launch than securing Armageddon. They technically obeyed the order but then set the password to 8 Zeros, or '00000000'."
judgecorp writes "Fujitsu has launched a laptop which authenticates users using the veins of their palm. The contactless technology is hard to deceive and — since it detects haemoglobin in the veins, is not so likely to be breakable using the gruesome method of cutting off a hand."
CowboyRobot writes "The incentives are high for many businesses and government agencies to not be too heavy handed in combating the global botnet pandemic. There's money to be had and, with each passing day, more interesting ways are being uncovered in how to package the data, and how to employ it. It used to be that the worlds of bug hunters and malware analysts were separate and far between. In the last couple of years the ability to analyze malware samples and identify exploitable vulnerabilities in them has become very important. Given that some botnets have a bigger pool of victims than many commercial software vendors have licensed customers, the value of an exploit that grants reliable remote control of a popular malware agent is rising in value. In many ways, botnets have become a golden goose to those charged with gathering intelligence on the populations of foreign entities. The bulk of the victim's data is useful for mapping populations, communication profiles, and as egress points for counter intelligence exercises. Then, given how many botnet victims there are, the probability that a few 'interesting' computers will have succumbed along the way is similarly high — providing direct insight in to a pool of high value targets."