Security

OPSEC For Activists, Because Encryption Is No Guarantee 49

Posted by Soulskill
from the protect-yourself-before-somebody-wrecks-yourself dept.
Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."

Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.

The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should."
Advertising

Google Now Automatically Converts Flash Ads To HTML5 187

Posted by samzenpus
from the have-some-ads dept.
An anonymous reader writes "Google today began automatically converting Adobe Flash ads to HTML5. As a result, it's now even easier for advertisers to target users on the Google Display Network without a device or browser that supports Flash. Back in September, Google began offering interactive HTML5 backups when Flash wasn't supported. The Flash-to-HTML5 conversion tools for the Google Display Network and DoubleClick Campaign Manager created an HTML5 version of Flash ads, showing an actual ad rather than a static image backup. Now, Google will automatically convert eligible Flash campaigns, both existing and new, to HTML5."
Encryption

Gemalto: NSA and GCHQ Probably Hacked Us, But Didn't Get SIM Encryption Keys 97

Posted by Soulskill
from the hand-in-the-encrypted-cookie-jar dept.
An anonymous reader writes: Last week The Intercept published a report saying agents from the NSA and GCHQ penetrated the internal computer network of Gemalto, the world's largest maker of SIM cards. Gemalto has done an internal investigation, and surprisingly decided to post its results publicly. The findings themselves are a bit surprising, too: Gemalto says it has "reasonable grounds to believe that an operation by NSA and GCHQ probably happened."

They say the two agencies were trying to intercept encryption keys that were being exchanged between mobile operators and the companies (like Gemalto) who supplied them with SIM cards. The company said it had noticed several security incidents in 2010 and 2011 that fit the descriptions in The Intercept's documents. Gemalto had no idea who was behind them until now. They add, "These intrusions only affected the outer parts of our networks – our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks." They claim proper use of encryption and isolation of different networks prevented attackers from getting the information they were after.
Security

Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps 113

Posted by timothy
from the keeps-on-giving dept.
Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on their computers, but which is known now to be present in at least 14 pieces of software. The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... "What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."
Security

US State Department Can't Get Rid of Email Hackers 86

Posted by Soulskill
from the your-government's-computer-is-broadcasting-an-IP-address dept.
An anonymous reader sends this quote from a Wall Street Journal report: Three months after the State Department confirmed hackers breached its unclassified email system, the government still hasn't been able to evict them from the network, say three people familiar with the investigation. Government officials, assisted by outside contractors and the National Security Agency, have repeatedly scanned the network and taken some systems offline. But investigators still see signs of the hackers on State Department computers, the people familiar with the matter said. Each time investigators find a hacker tool and block it, these people said, the intruders tweak it slightly to attempt to sneak past defenses. It isn't clear how much data the hackers have taken, the people said. They reaffirmed what the State Department said in November: that the hackers appear to have access only to unclassified email. Still, unclassified material can contain sensitive intelligence.
AT&T

AT&T Patents System To "Fast-Lane" File-Sharing Traffic 112

Posted by samzenpus
from the greased-lightning dept.
An anonymous reader writes Telecom giant AT&T has been awarded a patent for speeding up BitTorrent and other peer-to-peer traffic, and reducing the impact that these transactions have on the speed of its network. Unauthorized file-sharing generates thousands of petabytes of downloads every month, sparking considerable concern among the ISP community due to its detrimental effect on network speeds. AT&T and its Intellectual Property team have targeted the issue in a positive manner, and have appealed for the new patent to create a 'fast lane' for BitTorrent and other file-sharing traffic. As well as developing systems around the caching of local files, the ISP has proposed analyzing BitTorrent traffic to connect high-impact clients to peers who use fewer resources.
Cellphones

How NSA Spies Stole the Keys To the Encryption Castle 192

Posted by timothy
from the thanks-fellas-really-you've-done-enough dept.
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
Security

Superfish Security Certificate Password Cracked, Creating New Attack Vector 143

Posted by timothy
from the for-this-to-work-you-may-need-windows dept.
In a followup to today's news about junk software included with Lenovo computers, an anonymous reader writes Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with 'a pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."
Google

Google: FBI's Plan To Expand Hacking Power a "Monumental" Constitutional Threat 51

Posted by samzenpus
from the lets-see-what-you-got dept.
schwit1 writes with news about Google's reservations to a Justice Department proposal on warrants for electronic data. "Any change in accessing computer data should go through Congress, the search giant said. The search giant submitted public comments earlier this week opposing a Justice Department proposal that would grant judges more leeway in how they can approve search warrants for electronic data. The push to change an arcane federal rule "raises a number of monumental and highly complex constitutional, legal, and geopolitical concerns that should be left to Congress to decide," wrote Richard Salgado, Google's director for law enforcement and information security. The provision, known as Rule 41 of the federal rules of criminal procedure, generally permits judges to grant search warrants only within the bounds of their judicial district. Last year, the Justice Department petitioned a judicial advisory committee to amend the rule to allow judges to approve warrants outside their jurisdictions or in cases where authorities are unsure where a computer is located. Google, in its comments, blasted the desired rule change as overly vague, saying the proposal could authorize remote searches on the data of millions of Americans simultaneously—particularly those who share a network or router—and cautioned it rested on shaky legal footing."
AI

Breakthrough In Face Recognition Software 142

Posted by Soulskill
from the anonymity-takes-another-hit dept.
An anonymous reader writes: Face recognition software underwent a revolution in 2001 with the creation of the Viola-Jones algorithm. Now, the field looks set to dramatically improve once again: computer scientists from Stanford and Yahoo Labs have published a new, simple approach that can find faces turned at an angle and those that are partially blocked by something else. The researchers "capitalize on the advances made in recent years on a type of machine learning known as a deep convolutional neural network. The idea is to train a many-layered neural network using a vast database of annotated examples, in this case pictures of faces from many angles. To that end, Farfade and co created a database of 200,000 images that included faces at various angles and orientations and a further 20 million images without faces. They then trained their neural net in batches of 128 images over 50,000 iterations. ... What's more, their algorithm is significantly better at spotting faces when upside down, something other approaches haven't perfected."
Networking

Flaw In Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details 57

Posted by timothy
from the oops-and-darnit dept.
An anonymous reader writes A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers [here's the report at seclists.org] to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins. The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.
Businesses

Cellphone Start-Ups Handle Calls With Wi-Fi 73

Posted by samzenpus
from the mixing-it-up dept.
HughPickens.com writes Brian Chen writes in the NYT that two companies, Republic Wireless and FreedomPop, that reduce cellphone costs by relying on strategically placed Wi-Fi routers are at the forefront of a tantalizing communications concept that has proved hard to produce on a big scale. The concept championed by the two little companies in their nationwide services is surprisingly simple. They offer services that rely primarily on Wi-Fi networks, and in areas without Wi-Fi, customers can pull a signal from regular cell towers. "Wi-Fi first is a massive disrupter to the current cost structure of the industry," says Stephen Stokols. "That's going to be a big shock to the carriers." For $5 a month, customers of Republic Wireless can make calls or connect to the Internet solely over Wi-Fi. For $10 a month, they can use both Wi-Fi and a cellular connection from Sprint in Republic's most popular option. Republic Wireless's parent company, Bandwidth.com, a telecommunications provider with about 400 employees, developed a technique to move calls seamlessly between different Wi-Fi networks and cell towers. "You can't pretend these companies are major players by any stretch. But I think their real importance is proof of concept," says Craig Moffett. "They demonstrate just how disruptive a Wi-Fi-first operator can be, and just how much cost they can take out."

In major cities, the Wi-Fi-first network makes sense. People use smartphones frequently while sitting around their offices and apartments, and Wi-Fi can handle the job just fine. But once people start moving around, it is not so simple. The benefit of a cell service is that your phone can switch among multiple towers while you are on the go, which Wi-Fi is not designed to handle. Google may be experimenting with a hybrid approach similar to the small companies'. A person briefed on Google's plans, who spoke on the condition of anonymity because the conversations were private, says the company wants to make use of the fiber network it has installed in various cities to create an enormous network of Wi-Fi connections that phones could use to place calls and use apps over the Internet. In areas out of reach, Google's network would switch over to cell towers leased by T-Mobile USA and Sprint. Still, many wonder if even the biggest companies could make a Wi-Fi-based phone network work. "There are just so many places where Wi-Fi doesn't reach," says Jan Dawson, "and the quality of Wi-Fi that you can find is often subpar."
Government

How Big Telecom Tried To Kill Net Neutrality Before It Was Even a Concept 62

Posted by samzenpus
from the snuffing-it-out dept.
An anonymous reader writes This opinion piece at Ars looks at the telecommunications industry's ability to shape policy and its power over lawmakers. "...as the Baby Bells rolled out their DSL service, they saw the cable industry's more relaxed regulations and total lack of competition and wanted the same treatment from the government. They launched a massive lobbying effort to push the Clinton and Bush administrations, the Federal Communication Commission, and Congress to eliminate the network sharing requirement that had spawned the CLEC market and to deregulate DSL services more broadly. Between 1999 and 2002 the four companies spent a combined $95.6 million on lobbying the federal government, according to data from the Center for Responsive Politics, which would rank them above such trade group lobbying behemoths as the Chamber of Commerce and the American Medical Association in total lobbying expenditures for the years. The companies also spent millions to lobby the public directly through aggressive advertising and public relations campaigns."
Businesses

LinkedIn Restricts API Usage 69

Posted by samzenpus
from the keep-your-hands-off dept.
mpicpp points out LinkedIn's new API policy. "LinkedIn is restricting access to most of its application programming interfaces (APIs) to companies that have struck up partnerships with the social networking company. 'Over the past several years, we've seen some exciting applications from our developer community. While many delivered value back to our members and LinkedIn, not all have,' wrote Adam Trachtenberg, director of the LinkedIn developer network, explaining in a blog post the change in the company's API policy. Starting May 12, LinkedIn will only offer a handful of its APIs for general use, namely those that allow users and companies to post information about themselves on the service. After then, only companies that have enrolled in LinkedIn's partner program will have API access. Samsung, WeChat, and Evernote have already struck such partnerships. Currently, the social networking service offers a wide range of APIs, which allow third-party programs to draw content from, and place content into, LinkedIn. APIs have been seen as an additional channel for businesses to interact with their users and partners. A few companies, however, have recently scaled back access to APIs, which provide the programmatic ability to access a company's services and data. Netflix shut its public API channel in November, preferring to channel its user information through a small number of partners. ESPN also disabled public access to its APIs in December. LinkedIn's move is evidence of how the business use of APIs is evolving, said John Musser, founder and CEO at API Science, which offers an API performance testing service."
Facebook

Facebook Adds Legacy Contact Feature In Case You Die Before It Does 80

Posted by samzenpus
from the after-you're-gone dept.
alphadogg writes "Facebook has added an option for users to delegate management of their account for when they die. The idea is to avoid awkward lingering Facebook pages after a person passes on, perhaps featuring images or posts that someone would rather not be remembered by. ... This isn't the first time Facebook has put thought into what happens to users' accounts when the users die. A year ago the social network outlined a more flexible approach to memorializing accounts. Now memorialized accounts will have the word "Remembering" hovering above a person's name."
Electronic Frontier Foundation

EFF: Hundreds of S. Carolina Prisoners Sent To Solitary For Social Media Use 176

Posted by timothy
from the don't-you-have-enough-friends-already? dept.
According to the EFF's Deep Links, Through a request under South Carolina’s Freedom of Information Act, EFF found that, over the last three years, prison officials have brought more than 400 hundred disciplinary cases for "social networking" — almost always for using Facebook. The offenses come with heavy penalties, such as years in solitary confinement and deprivation of virtually all privileges, including visitation and telephone access. In 16 cases, inmates were sentenced to more than a decade in what’s called disciplinary detention, with at least one inmate receiving more than 37 years in isolation. ... The sentences are so long because SCDC issues a separate Level 1 violation for each day that an inmate accesses a social network. An inmate who posts five status updates over five days, would receive five separate Level 1 violations, while an inmate who posted 100 updates in one day would receive only one. In other words, if a South Carolina inmate caused a riot, took three hostages, murdered them, stole their clothes, and then escaped, he could still wind up with fewer Level 1 offenses than an inmate who updated Facebook every day for two weeks.
Cellphones

Starting This Week, Wireless Carriers Must Unlock Your Phone 100

Posted by timothy
from the better-than-employees-must-wash-hands dept.
HughPickens.com writes Andrew Moore-Crispin reports that beginning today, as a result of an agreement major wireless carriers made with FCC Chairman Tom Wheeler in late 2013, wireless carriers in the US must unlock your phone as soon as a contract term is fulfilled if asked to do so unless a phone is connected in some way to an account that owes the carrier money. Carriers must also post unlocking policies on their websites (here are links for AT&T, Verizon, Sprint, and T-Mobile), provide notice to customers when their devices are eligible for unlocking, respond to unlock requests within two business days, and unlock devices for deployed military personnel. So why unlock your phone? Unlocking a phone allows it to be used on any compatible network, regardless of carrier, which could result in significant savings. Or you could go with an MVNO, stay on the same network, and pay much less for the same cellular service.
Censorship

Russia Seeking To Ban Tor, VPNs and Other Anonymizing Tools 215

Posted by samzenpus
from the no-secrets dept.
An anonymous reader writes Three separate Russian authorities have spoken out in favor of banning online anonymizing tools since February 5th, with particular emphasis on Tor, which — despite its popularity with whistle-blowers such as Edward Snowden and with online activists — Russia's Safe Internet League describes as an 'Anonymous network used primarily to commit crimes'. The three authorities involved are the Committee on Information Policy, Information Technologies and Communications, powerful Russian media watchdog Roskomnadzor and the Safe Internet League, comprising the country's top three network providers, including state telecoms provider Rostelecom. Roskomnadzor's press secretary Vadim Roskomnadzora Ampelonsky describes the obstacles to identifying and blocking Tor and VPN traffic as "difficult, but solvable."
Bitcoin

The Technologies That Betrayed Silk Road's Anonymity 129

Posted by samzenpus
from the little-mistakes dept.
itwbennett writes Silk Road was based on an expectation of anonymity: Servers operated within an anonymous Tor network. Transactions between buyers and sellers were conducted in bitcoin. Everything was supposedly untraceable. Yet prosecutors presented a wealth of digital evidence to convince the jury that Ross Ulbricht was Dread Pirate Roberts, the handle used by the chief operator of the site. From Bitcoin to server logins and, yes, Facebook, here's a look at 5 technologies that tripped Ulbricht up.
Businesses

Netflix Now Available In Cuba 125

Posted by samzenpus
from the binge-away dept.
aBaldrich writes Streaming video service Netflix will be available to Cuban customers starting today, at the $7.99 U.S. per month rate that it offers in the U.S., the company announced today. It'll still require an international payment method for now, as well as Internet access (which still isn't ubiquitous in [Cuba]), but it's an early start that Netflix says it wanted to offer in order to have it available as Cuban Internet access expands, and debit and credit cards become more available to Cuban citizens. Until now, Cubans have had little access to this kind of American entertainment. The U.S. government maintains a floating balloon tethered to an island in the Florida Keys that broadcasts the pro-democracy TV Marti network. The Cuban government constantly jams the signal. "Cuba has great filmmakers and a robust arts culture, and one day we hope to be able to bring their work to our global audience," Reed Hastings, the company's co-founder and chief executive officer, said in the statement.