Forgot your password?
typodupeerror
Government

CIA Director Brennan Admits He Was Lying: CIA Really Did Spy On Congress 175

Posted by timothy
from the note-the-passive-voice-and-weasel-words dept.
Bruce66423 (1678196) writes with this story from the Guardian: The director of the Central Intelligence Agency, John Brennan, issued an extraordinary apology to leaders of the US Senate intelligence committee on Thursday, conceding that the agency employees spied on committee staff and reversing months of furious and public denials. Brennan acknowledged that an internal investigation had found agency security personnel transgressed a firewall set up on a CIA network, called RDINet, which allowed Senate committee investigators to review agency documents for their landmark inquiry into CIA torture." (Sen. Diane Feinstein was one of those vocally accusing the CIA of spying on Congress; Sen. Bernie Sanders has raised a similar question about the NSA.)
Security

"BadUSB" Exploit Makes Devices Turn "Evil" 168

Posted by timothy
from the thinkgeek-had-something-funnier-years-ago dept.
An anonymous reader writes with s snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing to persons unknown physical access to you computer's USB ports : When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
Businesses

Nokia Buys a Chunk of Panasonic 46

Posted by timothy
from the genune-panaphonics-bearer-bills dept.
jones_supa (887896) writes "Nokia's future as a company focused on providing network solutions, rather than mobile phones, looks to be bright. The company made big profits in the second quarter of 2014 after selling its mobile devices unit — the cornerstone of Nokia's rise in the 1990s — to Microsoft. Meanwhile Nokia has been buying up other businesses such as the Chicago-based SAC Wireless. Now Nokia is acquiring part of Panasonic's network business in an effort to boost its presence in Japan. The deal announced Thursday will give the Finnish firm control of roughly one third of Japan's mobile network market."
Businesses

Jesse Jackson: Tech Diversity Is Next Civil Rights Step 483

Posted by Soulskill
from the opportunity-shortage dept.
theodp writes: U.S. civil rights leader Rev. Jesse Jackson called on the Obama administration Monday to scrutinize the tech industry's lack of diversity. "There's no talent shortage. There's an opportunity shortage," Jackson said, calling Silicon Valley "far worse" than many others, such as car makers that have been pressured by unions. He said tech behemoths have largely escaped scrutiny by a public dazzled with their cutting-edge gadgets. Jackson spoke to press after meeting with Labor Secretary Tom Perez for a review of H-1B visas, arguing that data show Americans have the skills and should have first access to high-paying tech work. Jackson's Rainbow Push Coalition plans to file a freedom-of-information request next month with the EEOC to acquire employment data for companies that have not yet disclosed it publicly, which includes Amazon, Broadcom, Oracle, Qualcomm and Yelp. Unlike the Dept. of Labor, Jackson isn't buying Silicon Valley's argument that minority hiring statistics are trade secrets. Five years after Google's HR Chief would only reassure Congress the company had "a very strong internal Black Googler Network" and its CEO brushed off similar questions about its diversity numbers by saying "we're pretty happy with the way our recruiting work," Google — under pressure from Jackson — fessed up to having a tech workforce that's only 1% Black, apparently par for the course in Silicon Valley.
Networking

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? 337

Posted by Soulskill
from the common-enough-to-make-you-sad dept.
An anonymous reader writes: I do some contract work on the side, and am helping a client set up a new point-of-sale system. For the time being, it's pretty simple: selling products, keeping track of employee time, managing inventory and the like. However, it requires a small network because there are two clients, and one of the clients feeds off of a small SQL Express database from the first. During the setup, the vendor disabled the local firewall, and in a number of emails back and forth since (with me getting more and more aggravated) they went from suggesting that there's no need for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going, odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.

So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.
The Military

Hackers Plundered Israeli Defense Firms That Built 'Iron Dome' Missile Defense 180

Posted by Soulskill
from the intercepting-missiles-is-easier-than-learning-not-to-click-on-attachments dept.
An anonymous reader writes: Brian Krebs reports on information from Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. that attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies. The attackers were seeking technical documents related to Iron Dome, Israel's air defense system. "IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. ... Once inside the IAI’s network, [the attackers] spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout company’s network and expanding their access to sensitive files, CyberESI said. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network. All told, CyberESI was able to identify and acquire more than 700 files — totaling 762 MB total size — that were exfiltrated from IAI’s network during the compromise. The security firm said most of the data acquired was intellectual property and likely represented only a small portion of the entire data loss by IAI." Most of the stolen material pertained to Arrow III missiles, UAVs, and ballistic rockets.
The Internet

The Misleading Fliers Comcast Used To Kill Off a Local Internet Competitor 249

Posted by Unknown Lamer
from the muni-broadband-madness! dept.
Jason Koebler (3528235) writes In the months and weeks leading up to a referendum vote that would have established a locally owned fiber network in three small Illinois cities, Comcast and SBC (now AT&T) bombarded residents and city council members with disinformation, exaggerations, and outright lies to ensure the measure failed. The series of two-sided postcards painted municipal broadband as a foolhardy endeavor unfit for adults, responsible people, and perhaps as not something a smart woman would do. Municipal fiber was a gamble, a high-wire act, a game, something as "SCARY" as a ghost. Why build a municipal fiber network, one asked, when "internet service [is] already offered by two respectable private businesses?" In the corner, in tiny print, each postcard said "paid for by SBC" or "paid for by Comcast." The postcards are pretty absurd and worth a look.
Cellphones

Lots Of People Really Want Slideout-Keyboard Phones: Where Are They? 540

Posted by timothy
from the could-be-anywhere-really dept.
Bennett Haselton writes: I can't stand switching from a slideout-keyboard phone to a touchscreen phone, and my own informal online survey found a slight majority of people who prefer slideout keyboards even more than I do. Why will no carrier make them available, at any price, except occasionally as the crummiest low-end phones in the store? Bennett's been asking around, of store managers and users, and arrives at even more perplexing questions. Read on, below.
Android

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code 145

Posted by timothy
from the little-of-this-little-of-that dept.
New submitter Brett W (3715683) writes The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.
Networking

Verizon Now Throttling Top 'Unlimited' Subscribers On 4G LTE 271

Posted by timothy
from the we-meant-un-un-un-unlimited dept.
PC Magazine (along with Forbes, Reuters, and others) reports that those on the rightmost edge of the graph for Verizon's "unlimited" 4G LTE service are about to hit a limit: [T]hose in the top five percent of Verizon's unlimited data users (which requires one to pull down an average of just around 4.7 gigabytes of monthly data or so) who are enrolled on an unlimited data plan and have fulfilled their minimum contract terms (are now on a month-to-month plan) will be subject to network throttling if they're trying to connect up to a cellular tower that's experiencing high demand." As the article goes on to point out, though, [A] user would have to hit all of these criteria in order to have his or her connection slowed down. There are a lot of hoops to jump through, giving even more weight to the fact that Verizon's throttling — while annoying on paper — won't affect a considerable majority of those still holding on to their unlimited data plans.
Businesses

Cable Companies: We're Afraid Netflix Will Demand Payment From ISPs 200

Posted by timothy
from the who-pays-whom-for-what dept.
Dega704 (1454673) writes While the network neutrality debate has focused primarily on whether ISPs should be able to charge companies like Netflix for faster access to consumers, cable companies are now arguing that it's really Netflix who holds the market power to charge them. This argument popped up in comments submitted to the FCC by Time Warner Cable and industry groups that represent cable companies. (National Journal writer Brendan Sasso pointed this out.) The National Cable & Telecommunications Association (NCTA), which represents many companies including Comcast, Time Warner Cable, Cablevision, Cox, and Charter wrote to the FCC:

"Even if broadband providers had an incentive to degrade their customers' online experience in some circumstances, they have no practical ability to act on such an incentive. Today's Internet ecosystem is dominated by a number of "hyper-giants" with growing power over key aspects of the Internet experience—including Google in search, Netflix and Google (YouTube) in online video, Amazon and eBay in e-commerce, and Facebook in social media. If a broadband provider were to approach one of these hyper-giants and threaten to block or degrade access to its site if it refused to pay a significant fee, such a strategy almost certainly would be self-defeating, in light of the immediately hostile reaction of consumers to such conduct. Indeed, it is more likely that these large edge providers would seek to extract payment from ISPs for delivery of video over last-mile networks."
Related: an article at Gizmodo explains that it takes surprisingly little hardware to replicate (at least most of) Netflix's current online catalog in a local data center.
Cellphones

Compromise Struck On Cellphone Unlocking Bill 77

Posted by timothy
from the pit-carrier-against-carrier dept.
NotSanguine (1917456) writes The U.S. Senate has passed a bill (S.517) today, allowing users to unlock their phones when moving to another provider. From a recent article at thehill.com: "Consumers should be able to use their existing cell phones when they move their service to a new wireless provider," [Sen. Patrick] Leahy said in a statement. "Our laws should not prohibit consumers from carrying their cell phones to a new network, and we should promote and protect competition in the wireless marketplace," he said. [Sen. Chuck] Grassley called the bipartisan compromise "an important step forward in ensuring that there is competition in the industry and in safeguarding options for consumers as they look at new cell phone contracts." "Empowering people with the freedom to use the carrier of their choice after complying with their original terms of service is the right thing to do," he said. The House in February passed a companion bill sponsored on cellphone unlocking from House Judiciary Committee Chairman Bob Goodlatte (R-Va.)." Also at Ars Technica, as pointed out by reader jessepdx.
Encryption

Russia Posts $110,000 Bounty For Cracking Tor's Privacy 98

Posted by Soulskill
from the what-happens-in-siberia-stays-in-siberia dept.
hypnosec writes: The government of Russia has announced a ~$110,000 bounty to anyone who develops technology to identify users of Tor, an anonymising network capable of encrypting user data and hiding the identity of its users. The public description (in Russian) of the project has been removed now and it only reads "cipher 'TOR' (Navy)." The ministry said it is looking for experts and researchers to "study the possibility of obtaining technical information about users and users' equipment on the Tor anonymous network."
Encryption

New SSL Server Rules Go Into Effect Nov. 1 91

Posted by Soulskill
from the encrypt-your-calendars dept.
alphadogg writes: Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks. The concern is that SSL server digital certificates issued by CAs at present for internal corporate e-mail servers, Web servers and databases are not unique and can potentially be used in man-in-the-middle attacks involving the setup of rogue servers inside the targeted network, say representatives for the Certification Authority/Browser Forum (CA/B Forum), the industry group that sets security and operational guidelines for digital certificates. Members include the overwhelming bulk of public CAs around the globe, plus browser makers such as Microsoft and Apple. The problem today is that network managers often give their servers names like 'Server1' and allocate internal IP addresses so that SSL certificates issued for them through the public CAs are not necessarily globally unique, notes Trend Micro's Chris Bailey.
Networking

Comcast Carrying 1Tbit/s of IPv6 Internet Traffic 146

Posted by Unknown Lamer
from the hurd-1.0-released dept.
New submitter Tim the Gecko (745081) writes Comcast has announced 1Tb/s of Internet facing, native IPv6 traffic, with more than 30% deployment to customers. With Facebook, Google/YouTube, and Wikipedia up to speed, it looks we are past the "chicken and egg" stage. IPv6 adoption by other carriers is looking better too with AT&T at 20% of their network IPv6 enabled, Time Warner at 10%, and Verizon Wireless at 50%. The World IPv6 Launch site has measurements of global IPv6 adoption.
Sony

Sony Agrees To $17.75m Settlement For 2011 PSN Attack 66

Posted by Unknown Lamer
from the claim-your-prize-now dept.
mrspoonsi (2955715) writes with word that Sony has agreed to settle a class action lawsuit brought by PSN users affected by the 2011 breach. From the article: Sony has finally agreed to a preliminary settlement of $15m, which may be able to appease most of the customers that suffered from this attack. The PlayStation Network users that did not partake in the "Welcome Back" program that Sony unveiled shortly after their online services were brought back will be able to choose from two of several options for compensation: One PlayStation 3 or PlayStation Portable game selected from a list of 14 games; three PlayStation 3 themes selected from a list of six themes; or a three-month subscription to PlayStation Plus free of charge. Claiming these benefits will be done on a first come, first serve basis ...The settlement isn't just about free games or services. Customers with documented identity theft charges are eligible for up to $2,500 per claim.
Science

Empathy For Virtual Characters Studied With FMRI Brain Imaging 52

Posted by Unknown Lamer
from the little-billy-loved-hearing-virtual-screams dept.
vrml (3027321) writes "A novel brain imaging study published by the prestigious Neuroimage journal sheds light on different reactions that players' brains display when they meet a virtual character in a game world. While their head was inside a fMRI machine, participants played an interactive virtual experience in which they had to survive a serious fire emergency in a building by reaching an exit as soon as possible. However, when they finally arrived at the exit, they also found a virtual character trapped under an heavy cabinet, begging them for help. Some participants chose not to help the character and took the exit, while others stopped to help although the fire became more and more serious and moving away the cabinet required considerable time. Functional brain imaging showed activation of very different brain areas in players when they met the character. When there was an increased functional connectivity of the brain salience network, which suggests an enhanced sensitivity to the threatening situation and potential danger, players ignored the character screams and went for the exit. In those players who helped the character, there was an engagement of the medial prefrontal and temporo-parietal cortices, which in the neuroscience literature are associated with the human ability of taking the perspective of other individuals and making altruistic choices. The paper concludes by emphasizing how virtual worlds can be a salient and ecologically valid stimulus for modern social neuroscience."
Encryption

CNN iPhone App Sends iReporters' Passwords In the Clear 40

Posted by Unknown Lamer
from the safe-reporting dept.
chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credential snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.
Verizon

Deaf Advocacy Groups To Verizon: Don't Kill Net Neutrality On Our Behalf 76

Posted by Soulskill
from the or-on-your-behalf dept.
Dega704 sends this quote from Ars: No company has lobbied more fiercely against network neutrality than Verizon, which filed the lawsuit that overturned the FCC's rules prohibiting ISPs from blocking and discriminating against Web content. But the absence of net neutrality rules isn't just good for Verizon—it's also good for the blind, deaf, and disabled, Verizon claims. That's what Verizon lobbyists said in talks with congressional staffers, according to a Mother Jones report last month. "Three Hill sources tell Mother Jones that Verizon lobbyists have cited the needs of blind, deaf, and disabled people to try to convince congressional staffers and their bosses to get on board with the fast lane idea," the report said. With "fast lanes," Web services—including those designed for the blind, deaf, and disabled—could be prioritized in exchange for payment. Now, advocacy groups for deaf people have filed comments with the FCC saying they don't agree with Verizon's position."
Electronic Frontier Foundation

EFF Releases Wireless Router Firmware For Open Access Points 56

Posted by Soulskill
from the secure-is-as-secure-does dept.
klapaucjusz writes: The EFF has released an experimental router firmware designed make it easy to deploy open (password-less) access points in a secure manner. The EFF's firmware is based on the CeroWRT fork of OpenWRT, but appears to remove some of its more advanced routing features. The EFF is asking for help to further develop the firmware. They want the open access point to co-exist on the same router as your typical private and secured access point. They want the owner to be able to share bandwidth, but with a cap, so guests don't degrade service for the owner. They're also looking to develop a network queueing, a minimalist web UI, and an auto-update mechanism. The EFF has also released the beta version of a plug-in called Privacy Badger for Firefox and Chrome that will prevent online advertisers from tracking you.

"Go to Heaven for the climate, Hell for the company." -- Mark Twain

Working...