benrothke writes If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLS has shown that perhaps the emperor isn't wearing anything at all. There is a perception that if a web site is SSL secured, then it's indeed secure. Read a few pages in this important book, and the SSL = security myth is dispelled. For the first 8 of the 16 chapters, Ristic, one of the greatest practical SSL/TLS experts around, spends 230 pages showing countless weaknesses, vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can, if done correctly, be deployed to provide adequate security. Keep reading for the rest of Ben's review.
89 comments | 3 days ago
coondoggie writes: The U.S. Marshals office says it will auction off almost 50,000 bitcoins (about $20 million worth) seized from alleged Silk Road creator Ross Ulbricht. The auction, which is the second sale of Silk Road's bitcoin collection, will take place during a 6-hour period on Dec. 4 from 8:00 a.m. until 2:00 p.m. EST. Bids will be accepted by email from pre-registered bidders only, the U.S. Marshals office said. In June more than $17 million in bitcoins seized from the Silk Road take-down were auctioned off.
119 comments | about two weeks ago
Bennett Haselton writes: My last article garnered some objections from readers saying that the sample sizes were too small to draw meaningful conclusions. (36 out of 47 survey-takers, or 77%, said that a picture of a black woman breast-feeding was inappropriate; while in a different group, 38 out of 54 survey-takers, or 70%, said that a picture of a white woman breast-feeding was inappropriate in the same context.) My conclusion was that, even on the basis of a relatively small sample, the evidence was strongly against a "huge" gap in the rates at which the surveyed population would consider the two pictures to be inappropriate. I stand by that, but it's worth presenting the math to support that conclusion, because I think the surveys are valuable tools when you understand what you can and cannot demonstrate with a small sample. (Basically, a small sample can present only weak evidence as to what the population average is, but you can confidently demonstrate what it is not.) Keep reading to see what Bennett has to say.
245 comments | about two weeks ago
Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame. "This has impacted some of our unclassified email traffic and our access to public websites from our main unclassified system," said one senior State Department official, adding that the department expected its systems to be up soon. ... The breach at the White House was believed to be the work of hackers in Russia, while the breaches at NOAA and the Postal Service were believed to be the work of hackers inside China. Attributing attacks to a group or nation is difficult because hackers typically tend to route their attack through compromised web servers all over the world. A senior State Department official said the breach was discovered after "activity of concern" was detected on portions of its unclassified computer system. Officials did not say how long hackers may have been lurking in those systems, but security improvements were being added to them on Sunday.
54 comments | about two weeks ago
New submitter hawkbug writes For the past 15 years, I have hosted my own email server at home and it's been pretty painless. I had always used a local Denver ISP on a single static IP. Approximately two years ago, I switched to a faster connection, which now is hosted on Comcast. They provide me 5 static IPs and much faster speeds. It's a business connection with no ports blocked, etc. It has been mostly fine these last two years, with the occasional outage due to typical Comcast issues. About two weeks ago, I came across a serious issue. The following email services started rejecting all email from my server: Hotmail, Yahoo, and Gmail. I checked, and my IP is not on any real-time blacklists for spammers, and I don't have any security issues. My mail server is not set as an open relay, and I use SPF records and pass all SPF tests. It appears that all three of those major email services started rejecting email from me based on a single condition: Comcast. I can understand the desire to limit spam — but here is the big problem: I have no way to combat this. With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder. Yahoo and Hotmail, on the other hand, just flat out reject the traffic at a lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc. Since I am not doing any of those things, I would expect some sort of option to have my IP whitelisted or verified. However, I cannot find a single option to do so. The part that bugs me is that this happened two weeks ago with multiple major email services. Obviously, they are getting anti-spam policies from a central location of some kind. I don't know where. If I did, I could possibly go after the source and try to get my IP whitelisted. When I ask my other tech friends what they would do, they simply suggest changing ISPs.
Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option. Is there anything I can do to remedy this situation?
405 comments | about two weeks ago
theodp writes: The Duke Chronicle published an e-mail reportedly sent to hundreds of Duke students who took Computer Science 201 (Data Structures & Algorithms) last spring, giving those who copied solutions to class problems until Nov. 12th to turn themselves in for cheating. "Students who have violated course policies but do not step forward by November 12, 2014," warns the e-mail, "will not be offered faculty-student resolution and will be referred to the Office of Student Conduct for disciplinary processes without any recommendation for leniency." The Chronicle adds that CS Prof Owen Astrachan, co-director of undergraduate studies, admitted that there is a fine line between collaboration and cheating in computer science — online and in person, although Astrachan made it clear in comments that "Students who copied code from the Internet are in violation of the community standard and course policies."
320 comments | about two weeks ago
Presto Vivace points out this troubling new report from the Electronic Frontier Foundation:
Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the U.S. and Thailand intercepting their customers' data to strip a security flag — called STARTTLS — from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
245 comments | about two weeks ago
An anonymous reader writes with news that Aereo is shutting down its Boston office and laying off some NYC staff. "Aereo's bad year just got worse. The company said on Thursday that it will shut down its Boston office and lay off 43 employees, citing yet another adverse court ruling and its trouble obtaining additional investment. According to Virginia Lam, a VP at Aereo, the company is not shutting down entirely: 'In an effort to reduce costs, we made the difficult decision to lay off some of our staff in Boston and New York. We are continuing to conserve resources while we chart our path forward. We are grateful to our employees for their loyalty, hard work and dedication. This was a difficult, but necessary step in order to preserve the company. We decline to comment further,' Lam wrote in an email."
40 comments | about three weeks ago
wiredmikey writes Home Depot said on Thursday that hackers managed to access 53 million customer email addresses during the massive breach that was disclosed in September when the retail giant announced that 56 million customer payment cards were compromised in a cyber attack. The files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information, the company said. The company also said that the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
99 comments | about three weeks ago
MojoKid writes Net neutrality is an attractive concept, particularly if you've followed the ways the cable and telco companies have gouged customers in recent years, but only to a limited extent. There are two problems with net neutrality as it's commonly proposed. First, there's the fact that not all traffic prioritization is bad all of the time. Video streams and gaming are two examples of activities that require low-latency packet delivery to function smoothly. Email and web traffic can tolerate significantly higher latencies, for example. Similarly, almost everyone agrees that ISPs have some responsibility to control network performance in a manner that guarantees the best service for the greatest number of people, or that prioritizes certain traffic over others in the event of an emergency. These are all issues that a careful set of regulations could preserve while still mandating neutral traffic treatment in the majority of cases, but it's a level of nuance that most discussions of the topic don't touch. The larger and more serious problem with net neutrality as it's often defined, however, is that it typically deals only with the "last mile," or the types and nature of the filtering an ISP can apply to your personal connection.
200 comments | about three weeks ago
whoever57 writes How widely are DKIM and DMARC being implemented? Some time ago, Yahoo implemented strict checks on DKIM before accepting email, breaking many mailing lists. However, Spamassassin actually assigns a positive score (more likely to be spam) to DKIM-signed emails, unless the signer domain matches the from domain. Some email marketing companies don't provide a way for emails to be signed with the sender's domain — instead, using their own domain to sign emails. DMARC doesn't seem to have a delegation mechanism, by which a domain owner could delegate other domains as acceptable signers for their emails. All of these issues suggest that the value of DKIM and DMARC is quite low, both as a mechanism to identify valid emails and as a mechanism to identify spam. In fact, spam is often DKIM-signed. Are Slashdot users who manage email delivery actually using DKIM and DMARC?
139 comments | about three weeks ago
An anonymous reader writes At the Washington Post, Brett Frischmann elaborates on the theory that the continuing flaw with the FCC's Net-Neutrality strategy lies in the perverse distinction between "End User" and "Edge Provider". Succinctly: "The key to an open Internet is nondiscrimination and in particular, a prohibition on discrimination or prioritization based on the identity of the user (sender/receiver) or use (application/content)," and then, "Who exactly are the end users that are not edge providers? In other words, who uses the Internet but does not provide any content, application, or service? The answer is no one. All end users provide content as they engage in communications with other end users, individually or collectively. ... Think of all the startups and small businesses run from people's homes on home Internet connections, using WordPress tools or Amazon hosting services. Are they 'end users' when they email their friends but 'edge providers' when they switch windows to check their business metrics?"
97 comments | about three weeks ago
dkatana writes: The ongoing deployment of internet-of-things devices is already creating serious issues and discussions about the privacy of users, IoT security, and the potential threat of cyber criminals taking control of sensors and smart devices connected to the Internet.
168 comments | about a month ago
VoiceOfDoom writes Major UK charity The Samaritans have launched an app titled "Samaritans Radar", in an attempt to help Twitter users identify when their friends are in crisis and in need of support. Unfortunately the privacy implications appear not to have been thought through — installing the app allows it to monitor the Twitter feeds of all of your followers, searching for particular phrases or words which might indicate they are in distress. The app then sends you an email suggesting you contact your follower to offer your help. Opportunities for misuse by online harassers are at the forefront of the concerns that have been raised; in addition, there is strong evidence to suggest that this use of personal information is illegal, being in contravention of UK Data Protection law.
74 comments | about a month ago
Advocatus Diaboli writes with a selection from The Intercept describing instructions for commercial spyware sold by Italian security firm Hacking Team. The manuals describe Hacking Team's software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team's manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software. (Here are the manuals themselves.)
37 comments | about a month ago
Bennett Haselton writes: Social networking company Ello has converted itself to a Public Benefit Corporation, bound by a charter saying that they will not now, nor in the future, make money by running advertisements or selling user data. Ello had followed these policies from the outset, but skeptics worried that venture capitalist investors might pressure Ello to change those policies, so this binding commitment was meant to assuage those fears. But is the commitment really legally binding and enforceable down the road? Read on for the rest.
153 comments | about a month ago
An anonymous reader writes Once again, a shadow of a signal that scientists hoped would amplify into conclusive evidence of dark matter has instead flatlined, repeating a maddening refrain in the search for the invisible, omnipresent particles. The Fermi Large Area Telescope (LAT) failed to detect the glow of gamma rays emitted by annihilating dark matter in miniature "dwarf" galaxies that orbit the Milky Way, scientists reported Friday at a meeting in Nagoya, Japan. The hint of such a glow showed up in a Fermi analysis last year, but the statistical bump disappeared as more data accumulated. "We were obviously somewhat disappointed not to see a signal," said Matthew Wood, a postdoctoral researcher at Stanford University who was centrally involved in the Fermi-LAT collaboration's new analysis, in an email.
137 comments | about a month ago
Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack.
What Pitts found during his research is that an attacker with a MITM position can actively patch binaries – if not security updates – with his own code. In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.
126 comments | about a month ago
Trailrunner7 writes "There is a severe remote code execution vulnerability in a number of Cisco's security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco's security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products." At long last, though, as the article points out, "Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers."
60 comments | about a month ago
Z80xxc! writes: The Gmail team announced "Inbox" this morning, a new way to manage email. Inbox is email, but organized differently. Messages are grouped into "bundles" of similar types. "Highlights" pull out and display key information from messages, and messages can be "snoozed" to come back later as a reminder. Inbox is invite-only right now, and you can email email@example.com to request an invite.
173 comments | about a month ago