United States

Federal Wiretaps Down Slightly, Encryption Impact Decreases

coondoggie writes: According to the 2014 Wiretap Report, released today by the Administrative Office of the United States Courts, a total of 3,554 wiretaps were reported as authorized, with 1,279 authorized by federal judges and 2,275 authorized by state judges. Compared to the applications approved during 2013, the number approved by federal judges decreased 13% in 2014 and the number approved by state judges increased 8%. One state wiretap application was denied in 2014, the report stated.
Security

Amazon's New SSL/TLS Implementation In 6,000 Lines of Code

bmearns writes: Amazon has announced a new library called "s2n," an open source implementation of SSL/TLS, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it's just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn't going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto; it only provides the SSL/TLS functions. Furthermore, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.
Privacy

Surveillance Court: NSA Can Resume Bulk Surveillance

An anonymous reader writes: We all celebrated back in May when a federal court ruled the NSA's phone surveillance illegal, and again at the beginning of June, when the Patriot Act expired, ending authorization for that surveillance. Unfortunately, the NY Times now reports on a ruling from the Foreign Intelligence Surveillance Court, which concluded that the NSA may temporarily resume bulk collection of metadata about U.S. citizens' phone calls. From the article: "In a 26-page opinion (PDF) made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said that the Second Circuit was wrong, too. 'Second Circuit rulings are not binding' on the surveillance court, he wrote, 'and this court respectfully disagrees with that court's analysis, especially in view of the intervening enactment of the U.S.A. Freedom Act.' When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying that it would be prudent to see what Congress did as Section 215 neared its June 1 expiration."
Security

Stanford Starts the 'Secure Internet of Things Project'

An anonymous reader writes: The internet-of-things is here to stay. Lots of people now have smart lights, smart thermostats, smart appliances, smart fire detectors, and other internet-connected gadgets installed in their houses. The security of those devices has been an obvious and predictable problem since day one. Manufacturers can't be bothered to provide updates to $500 smartphones more than a couple years after they're released; how long do you think they'll be worried about security updates for a $50 thermostat? Security researchers have been vocal about this, and they've found lots of vulnerabilities and exploits before hackers have had a chance to. But the manufacturers have responded in the wrong way.

Instead of developing a more robust approach to device security, they've simply thrown encryption at everything. This makes it temporarily harder for malicious hackers to have their way with the devices, but also shuts out consumers and white-hat researchers from knowing what the devices are doing. Stanford, Berkeley, and the University of Michigan have now started the Secure Internet of Things Project, which aims to promote security and transparency for IoT devices. They hope to unite regulators, researchers, and manufacturers to ensure nascent internet-connected tech is developed in a way that respects customer privacy and choice.
Privacy

When a Company Gets Sold, Your Data May Be Sold, Too

An anonymous reader writes: A new report points out that many of the top internet sites have language in their privacy policies saying that your private data might be transferred in the event of an acquisition, bankruptcy sale, or other transaction. They effectively say, "We won't ever sell your information, unless things go bad for us." 85 of the top 100 websites in the U.S. (ranked by Alexa), had this sort of language, including Amazon, Apple, Facebook, Google, Hulu, and LinkedIn. (RadioShack did this recently.) "The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers' names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more. Because the site's privacy policy had promised never to sell or share members' personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about two million Texans." But with this new language, users no longer enjoy that sort of protection. Only 17 of the top 100 sites even say they will notify customers of the data transfer. Only a handful allow users to opt out.
Encryption

NIST Updates Random Number Generation Guidelines

An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we've thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online.
Encryption

Cisco Security Appliances Found To Have Default SSH Keys

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
Government

Editor of 'Reason' Discusses Federal Subpoena To Unmask Commenters

mi points out an article from Nick Gillespie, editor of libertarian website Reason, who was recently asked by the federal government to provide identifying information on anonymous commenters from one of the site's blog posts. Not only was Reason issued a subpoena for the commenters' identities, but they were also placed under a gag order, preventing them from even mentioning it to somebody who wasn't their lawyer. Gillespie says the comments in question were "hyperbolic, in questionable taste -- and fully within the norms of Internet commentary." He continues: "To the extent that the feds actually thought these were serious plans to do real harm, why the hell would they respond with a slow-moving subpoena whose deadline was days away? By spending five minutes doing the laziest, George Jetson-style online "research" (read: Google and site searches), they would have found publicly available info on some of the commenters. I'm talking things like websites and Google+ pages. One of the commenters had literally posted thousands of comments at Reason.com, from which it is clear that he (assuming it is a he) is not exactly a threat to anyone other than common decency."
Privacy

ICANN Seeks Comment On Limiting Anonymized Domain Registration

angry tapir writes: Privacy advocates are sounding the alarm over a potential policy change (PDF) that would prevent some people from registering website addresses without revealing their personal information. ICANN, the regulatory body that oversees domain names, has asked for public comment on whether it should prohibit the private registration of domains which are "associated with commercial activities and which are used for online financial transactions."
Government

France, Up In Arms Over NSA Spying, Passes New Surveillance Law

An anonymous reader writes: French President Francois Hollande held an emergency meeting with top security officials to respond to WikiLeaks documents that say the NSA eavesdropped on French presidents. The documents published in Liberation and investigative website Mediapart include material that appeared to capture current president, François Hollande; the prime minister in 2012, Jean-Marc Ayrault; and former presidents Nicolas Sarkozy and Jacques Chirac, talking candidly about Greece's economy and relations with Germany. The Intercept reports: "Yet also today, the lower house of France's legislature, the National Assembly, passed a sweeping surveillance law. The law provides a new framework for the country's intelligence agencies to expand their surveillance activities. Opponents of the law were quick to mock the government for vigorously protesting being surveilled by one of the country's closest allies while passing a law that gives its own intelligence services vast powers with what its opponents regard as little oversight. But for those who support the new law, the new revelations of NSA spying showed the urgent need to update the tools available to France's spies."
Australia

Aussie Telco Caught Handing Over User Mobile Numbers To Websites Without Consent

AlbanX writes: Australian telco Optus has been nabbed passing its customers' mobile phone numbers to third-party websites without the customers' knowledge or consent. The practice, known as HTTP header enrichment, aims to streamline the process of direct billing for customers, but they're not happy. The discovery was made by a user on the telco forum Whirlpool, and Optus confirmed it. They said, "Optus adds our customers' mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites."
Security

Emergency Adobe Flash Patch Fixes Zero-Day Under Attack

msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.
Security

New Snowden Leaks Show NSA Attacked Anti-Virus Software

New submitter Patricbranson writes: The NSA, along with its British counterpart Government Communications Headquarters (GCHQ), spent years reverse-engineering popular computer security software in order to spy on email and other electronic communications, according to the classified documents published by the online news site The Intercept. With various countries' spy agencies trying to make sure computers aren't secure (from their own intrusions, at least), it's no wonder that Kaspersky doesn't want to talk about who hacked them.
Google

DOJ Vs. Google: How Google Fights On Behalf of Its Users

Lauren Weinstein writes: While some companies have long had a "nod and wink" relationship with law enforcement and other parts of government -- willingly turning over user data at mere requests without even attempting to require warrants or subpoenas -- it's widely known that Google has long pushed back -- sometimes through multiple layers of courts and legal processes -- against data requests from government that are not accompanied by valid court orders or that Google views as being overly broad, intrusive, or otherwise inappropriate. Over the last few days the public has gained an unusually detailed insight into how hard Google will fight to protect its users against government overreaching, even when this involves only a single user's data. One case reaches back to the beginning of 2011, when the U.S. Department of Justice tried to force Google to turn over more than a year's worth of metadata for a user affiliated with WikiLeaks. While these demands did not include the content of emails, they did include records of this party's email correspondents, and IP addresses he had used to log in to his Gmail account. Notably, DOJ didn't even seek a search warrant. They wanted Google to turn over the data based on the lesser "reasonable grounds" standard rather than the "probable cause" standard of a search warrant itself. And most ominously, DOJ wanted a gag order to prevent Google from informing this party that any of this was going on, which would make it impossible for him to muster any kind of legal defense.
Privacy

Louisiana Governor Vetoes License Plate Reader Bill, Citing Privacy Concerns

An anonymous reader writes: Louisiana Governor Bobby Jindal has vetoed a plan to acquire license plate reading cameras in the state. Law enforcement agencies nationwide use such cameras to scan cars and compare them to a "hot list" of stolen or wanted vehicles. That data is kept for weeks, or even years in some cases. Jindal wrote in a signing statement: "Senate Bill No. 250 would authorize the use of automatic license plate reader camera surveillance programs in various parishes throughout the state. The personal information captured by these cameras, which includes a person's vehicle location, would be retained in a central database and accessible to not only participating law enforcement agencies but other specified private entities for a period of time regardless of whether or not the system detects that a person is in violation of vehicle insurance requirements. Camera programs such as these that make private information readily available beyond the scope of law enforcement pose a fundamental risk to personal privacy and create large pools of information belonging to law abiding citizens that unfortunately can be extremely vulnerable to theft or misuse. For these reasons, I have vetoed Senate Bill No. 250 and hereby return it to the Senate."
Government

Swedish Investigators Attempt Assange Interview; Wikileaks Makes Major Release

cold fjord writes: It seems Julian Assange rates his own section (The Assange Matter) on a Swedish government website related to the investigation. It contains some FAQs on points that seem to keep coming up in Slashdot discussions. The website isn't completely up to date at the moment since it doesn't discuss the recent attempt by Swedish investigators to interview Assange in the Ecuadorian embassy in London. Unfortunately that attempt failed since the government of Ecuador didn't give permission to the Swedish delegation to enter their embassy. That is quite odd given the years of demands for this. Concurrent with this, Wikileaks has started releasing what is reported to be more than 500,000 leaked Saudi Arabian diplomatic documents that are sure to stir up some controversies. Most are in Arabic so it may take some time for their contents to filter out.
Transportation

Allstate Patents Physiological Data Collection

TigerPlish writes: Allstate has been granted patent no. US 20140080100 A1 for a "driving-behavior database that it said might be useful for health insurers, lenders, credit-rating agencies, marketers and potential employers." The program is just in the patent stage for now, but the company says: "the invention has the potential to evaluate drivers' physiological data, including heart rate, blood pressure and electrocardiogram signals, which could be recorded from steering wheel sensors." Imagine a world where you are denied employment or credit based on the information obtained from your car and sold by your insurer. What could possibly go wrong?
Crime

Dallas Police Falsely Credit TrapWire System For Arrests

In April, the Texas Department of Public Safety told a reporter for the Dallas Morning News, inspired by information leaked by Wikileaks to ask about ways that the agency might be compromising citizen's privacy and other rights, that the TrapWire behavioral analysis system employed in combination with surveillance equipment posted at various high-profile locations around the state had resulted in 44 arrests. However, after numerous public records requests for more information about those claimed arrests, the agency admitted that the true figure is somewhat lower: namely, zero. The story naturally involves "millions" of dollars (though an exact figure for the zero-arrest system isn't named), and Austin-based Stratfor, a company that's been named a few times here on Slashdot.
Encryption

Two Years After Snowden Leaks, Encryption Tools Are Gaining Users

Patrick O'Neill writes: It's not just DuckDuckGo — since the first Snowden articles were published in June 2013, the global public has increasingly adopted privacy tools that use technology like strong encryption to protect themselves from eavesdroppers as they surf the Web and use their phones. The Tor network has doubled in size, Tails has tripled in users, PGP has double the daily adoption rate, Off The Record messaging is more popular than ever before, and SecureDrop is used in some of the world's top newsrooms.
Education

School Lunch Program Scans Student Thumbprints For 'Tracking Purposes'

schwit1 writes with news that a school district in Pennsylvania is providing free lunches to schoolchildren as part of an initiative to improve nutrition. Instead of providing the lunches to all students without question, they made the program opt-in. Since not all students get the lunches, they needed a way to track who was getting them. Officials decided the best way to do so would be to invest in biometric software that scans students' thumbprints every time they pick up lunch. The data collected by these scanners goes not just to the school district, but to the federal government as well.