Trailrunner7 writes "There is a severe remote code execution vulnerability in a number of Cisco's security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco's security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products." At long last, though, as the article points out, "Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers."
Z80xxc! writes: The Gmail team announced "Inbox" this morning, a new way to manage email. Inbox is email, but organized differently. Messages are grouped into "bundles" of similar types. "Highlights" pull out and display key information from messages, and messages can be "snoozed" to come back later as a reminder. Inbox is invite-only right now, and you can email email@example.com to request an invite.
An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.
The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.
Any gathering of 65,000 people in the desert is going to require some major infrastructure to maintain health and sanity. At Burning Man, some of that infrastructure is devoted to a supply chain for ice. Writes Bennett Haselton, The lines for ice bags at Burning Man could be cut from an hour long at peak times, to about five minutes, by making one small... Well, read the description below of how they do things now, and see if the same suggested change occurs to you. I'm curious whether it's the kind of idea that is more obvious to students of computer science who think algorithmically, or if it's something that could occur to anyone. Read on for the rest; Bennett's idea for better triage may bring to mind a lot of other queuing situations and ways that time spent waiting in line could be more efficiently employed.
MarkWhittington writes: Tom Kalil, the Deputy Director for Policy for the White House Office of Science and Technology Policy and Senior Advisor for Science, Technology and Innovation for the National Economic Council, has an intriguing Tuesday post on the OSTP blog. Kalil is soliciting ideas for "bootstrapping a solar system civilization." Anyone interested in offering ideas along those lines to the Obama administration can contact a special email address that has been set up for that purpose. The ideas that Kalil muses about in his post are not new for people who have studied the question of how to settle space at length. The ideas consist of sending autonomous robots to various locations in space to create infrastructure using local resources with advanced manufacturing technology, such as 3D printing. The new aspect is that someone in the White House is publicly discussing these concepts.
HughPickens.com writes: Michelle Cottle reports in The Atlantic that today, spouses have easy access to an array of sophisticated spy software that record every keystroke; compile detailed logs of calls, texts, and video chats; that track a phone's location in real time; recover deleted messages from all manner of devices (without having to touch said devices); and that turn phones into wiretapping equipment. One might assume that the proliferation of such spyware would have a chilling effect on extramarital activities. But according to Cottle, aspiring cheaters need not despair: software developers are also rolling out ever stealthier technology to help people conceal their affairs. Right or wrong, cheating apps tap into a potentially lucrative market and researchers regard the Internet as fertile ground for female infidelity in particular. "Men tend to cheat for physical reasons and women for emotional reasons," says Katherine Hertlein. "The Internet facilitates a lot of emotional disclosure and connections with someone else."
But virtual surveillance has its risks. Stumbling across an incriminating email your partner left open is one thing; premeditated spying can land you in court. A Minnesota man named Danny Lee Hormann, suspecting his wife of infidelity, installed a GPS tracker on her car and allegedly downloaded spyware onto her phone and the family computer. In March 2010, Hormann's wife had a mechanic search her car and found the tracker. She called the police, and Hormann spent a month in jail on stalking charges. "I always tell people two things: (1) do it legally, and (2) do it right," says John Paul Lucich, a computer-forensics expert and the author of Cyber Lies, a do-it-yourself guide for spouses looking to become virtual sleuths. Lucich has worked his share of ugly divorces, and he stresses that even the most damning digital evidence of infidelity will prove worthless in court — and potentially land you in trouble — if improperly gathered. His blanket advice: Get a really good lawyer.
An anonymous reader writes: Every day my gmail account receives 30-50 spam emails. Some of it is UCE, partially due to a couple of dingbats with similar names who apparently think my gmail account belongs to them. The remainder looks to be spambot or Nigerian 419 email. I also run my own MX for my own domain, where I also receive a lot of spam. But with a combination of a couple of DNSBLs in my sendmail config, SpamAssassin, and procmail, almost none of it gets through to my inbox. In both cases there are rare false positives where a legit email ends up in my spam folder, or in the case of my MX, a spam email gets through to my Inbox, but these are rare occurrences. I'd think with all the Oompa Loompas at the Chocolate Factory that they could do a better job rejecting the obvious spam emails. If they did it would make checking for the occasional false positives in my spam folder a teeny bit easier. For anyone who's responsible for shunting Web-scale spam toward the fate it deserves, what factors go into the decision tree that might lead to so much spam getting through?
wiredmikey writes: Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.
maynard writes: Kathy Sierra spent a tech career developing videogames and teaching Java programming in Sun Microsystems masterclasses. Up until 2007, she'd been a well regarded tech specialist who happened to be female. Until the day she opined on her private blog that given the crap-flood of bad comments, maybe forum moderation wasn't a bad idea. This opinion made her a target. A sustained trolling and harassment campaign followed, comprised of death and rape threats, threats against her family, fabricated claims of prostitution, and a false claim that she had issued a DMCA takedown to stifle criticism. All of this culminated in the public release of her private address and Social Security Number, a technique known as Doxxing. And so she fled from the public, her career, and even her home.
It turned out that a man named Andrew Auernheimer was responsible for having harassed Sierra. Known as 'Weev', he admitted it in a 2008 New York Times story on Internet Trolls. There, he spoke to the lengths which he and his cohorts went to discredit and destroy the woman. "Over a candlelit dinner of tuna sashimi, Weev asked if I would attribute his comments to Memphis Two, the handle he used to troll Kathy Sierra, a blogger. Inspired by her touchy response to online commenters, Weev said he "dropped docs" on Sierra, posting a fabricated narrative of her career alongside her real Social Security number and address. This was part of a larger trolling campaign against Sierra, one that culminated in death threats."
Now, seven years later, Kathy Sierra has returned to explain why she left and what recent spates of online harassment against women portend for the future if decent people don't organize. The situation has grown much more serious since she went into hiding all those years ago. It's more than just the threat of Doxxing to incite physical violence by random crazies with a screw loose. Read on for the rest of maynard's thoughts.
blottsie writes: Google is a long-time contributor to the Tor Project. But a security feature in Gmail poses a potential problem for Tor users who live under dangerous regimes or otherwise need to protect their anonymity, reports Joseph Cox at the Daily Dot. The email service kicks users out of their login session if it detects logins from IP addresses originating in other countries, then requires a user to enter a PIN code sent to a cellphone. Unless the user has a burner phone, this could potentially betray his or her identity to authorities.
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions.
JakartaDean writes with news that the cyberattack on J.P. Morgan Chase this summer resulted in stolen information on 76 million households and 7 million businesses. The compromised data included names, email addresses, phone numbers, and addresses. The bank said the attackers were unable to gather account numbers, social security numbers, or passwords. The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity. ... Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime.
An anonymous reader writes: If you're a Grooveshark user, you should probably start backing up your collection. In a decision (PDF) released Monday, the United States District Court in Manhattan has found Grooveshark guilty of massive copyright infringement based on a preponderance of internal emails, statements from former top executives, direct evidence from internal logs, and willfully deleted files and source code. An email from Grooveshark's CTO in 2007 read, "Please share as much music as possible from outside the office, and leave your computers on whenever you can. This initial content is what will help to get our network started—it’s very important that we all help out! ... Download as many MP3’s as possible, and add them to the folders you’re sharing on Grooveshark. Some of us are setting up special 'seed points' to house tens or even hundreds of thousands of files, but we can’t do this alone." He also threatened employees who didn't contribute.
blottsie writes: The National Security Agency has been making money on the side by licensing its technology to private businesses for more than two decades. It's called the Technology Transfer Program, under which the NSA declassifies some of its technologies that it developed for previous operations, patents them, and, if they're swayed by an American company's business plan and nondisclosure agreements, rents them out. The products include tools to transcribe voice recordings in any language, a foolproof method to tell if someone's touched your phone's SIM card, or a version of email encryption that isn't available on the open market.
An anonymous reader points out this story about new regulations for media who wish to take pictures or video in federally designated wilderness areas. "The U.S. Forest Service has tightened restrictions on media coverage in vast swaths of the country's wild lands, requiring reporters to pay for a permit and get permission before shooting a photo or video in federally designated wilderness areas. Under rules being finalized in November, a reporter who met a biologist, wildlife advocate or whistleblower alleging neglect in 36 million acres of wilderness would first need special approval to shoot photos or videos even on an iPhone. Permits cost up to $1,500, says Forest Service spokesman Larry Chambers, and reporters who don't get a permit could face fines up to $1,000. First Amendment advocates say the rules ignore press freedoms and are so vague they'd allow the Forest Service to grant permits only to favored reporters shooting videos for positive stories."
Bismillah writes: AWS is currently emailing EC2 customers that it will need to reboot their instances for maintenance over the next few days. The email doesn't explain why the reboots are being done, but it is most likely to patch for the embargoed XSA-108 bug in Xen. ZDNet takes this as a spur to remind everyone that the cloud is not magical. Also at The Register.
HughPickens.com writes: Jana Kasperkevic writes at The Guardian that it's not every day that you get to buy an iPhone from an ex-NSA officer. Yet Thomas Drake, former senior executive at the National Security Agency, is well known in national security circles for leaking information about the NSA's Trailblazer project to the Baltimore Sun. In 2010, the government dropped all 10 felony charges against him and he pleaded guilty to a misdemeanor charge for unauthorized use of a computer and lost his livelihood. "You have to mortgage your house, you have to empty your bank account. I went from making well over $150,000 a year to a quarter of that," says Drake. "The cost alone, financially — never mind the personal cost — is approaching a million dollars in terms of lost income, expenses and other costs I incurred."
John Kiriakou became the first former government official to confirm the use of waterboarding against al-Qaida suspects in 2009. "I have applied for every job I can think of – everything from grocery stores to Toys R Us to Starbucks. You name it, I've applied there. Haven't gotten even an email or a call back," says Kiriakou. According to Kasperkevic, this is what most whistleblowers can expect. The potential threat of prosecution, the mounting legal bills and the lack of future job opportunities all contribute to a hesitation among many to rock the boat. "Obama and his attorney general, Eric Holder, declared a war on whistleblowers virtually as soon as they assumed office," says Kiriakou. "Washington has always needed an "ism" to fight against, an idea against which it could rally its citizens like lemmings. First, it was anarchism, then socialism, then communism. Now, it's terrorism. Any whistleblower who goes public in the name of protecting human rights or civil liberties is accused of helping the terrorists."
blottsie writes: Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.
An anonymous reader writes: Back in 2012, Google had made it mandatory for new Gmail users to simultaneously create Google+ (G+) accounts. This is no longer so. Following the departure of G+ founder Vic Gundotra in April 2014, Google has been quietly decoupling its social media site from its other services. First, YouTube was freed, then Google+ Photos. Now, anyone who wants to create a new Gmail account unencumbered with a G+ profile can also do so.