We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!
kthreadd writes The OpenSSL project has released its second feature release of the OpenSSL 1.0 series, version 1.0.2 which is ABI compatible with the 1.0.0 and 1.0.1 series. Major new features in this release include Suite B support for TLS 1.2 and DTLS 1.2 and support for DTLS 1.2. selection. Other major changes include TLS automatic EC curve selection, an API to set TLS supported signature algorithms and curves, the SSL_CONF configuration API, support for TLS Brainpool, support for ALPN and support for CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
85 comments | yesterday
jaa101 writes The Register (UK) and the Global Times (China) report that foreign VPN services are unavailable in China. A quote sourced to "one of the founders of an overseas website which monitors the Internet in China" claimed 'The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it.' An upgrade of the Great Firewall of China is blamed and China appears to be backing the need for the move to maintain cyberspace sovereignty.
192 comments | 2 days ago
dkatana writes: Overall, demand for encryption is growing. Cloud encryption services provider CipherCloud recently received a $50 million investment by Deutsche Telekom, which the company said positions it for "explosive growth" this year. The services are designed to allow corporations to benefit from the cost savings and elasticity of cloud-based data storage, while ensuring that sensitive information is protected.
Now, both Apple and Google are providing full encryption as a default option on their mobile operating systems with an encryption scheme they are not able to break themselves, since they don't hold the necessary keys.
Some corporations have gone as far as turning to "zero-knowledge" services, usually located in countries such as Switzerland. These services pledge that they have no means to unlock the information once the customer has entered the unique encryption keys. This zero-knowledge approach is welcomed by users, who are reassured that their information is impossible to retrieve — at least theoretically — without their knowledge and the keys.
83 comments | 2 days ago
ErnieKey writes Researchers from German-based Hasso Plattner Institute have come up with a process that may make teleportation a reality — at least in some respects. Their 'Scotty' device utilizes destructive scanning, encryption, and 3D printing to destroy the original object so that only the received, new object exists in that form, pretty much 'teleporting' the object from point A to point B. Scotty is based on an off-the-shelf 3D printer modified with a 3-axis milling machine, camera, and microcontroller for encryption, using Raspberry Pi and Arduino technologies." This sounds like an interesting idea, but mostly as an art project illustrating the dangers of DRM. Can you think of an instance where you would actually want the capabilities this machine claims to offer?
161 comments | 3 days ago
SonicSpike writes The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant. It's called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court's jurisdiction.
371 comments | 5 days ago
Saint Aardvark writes If, like me, you administer FreeBSD systems, you know that (like Linux) there is an embarrassment of riches when it comes to filesystems. GEOM, UFS, soft updates, encryption, disklabels — there is a *lot* going on here. And if, like me, you're coming from the Linux world your experience won't be directly applicable, and you'll be scaling Mount Learning Curve. Even if you *are* familiar with the BSDs, there is a lot to take in. Where do you start? You start here, with Michael W. Lucas' latest book, FreeBSD Mastery: Storage Essentials. You've heard his name before; he's written Sudo Mastery (which I reviewed previously), along with books on PGP/GnuPGP, Cisco Routers and OpenBSD. This book clocks in at 204 pages of goodness, and it's an excellent introduction to managing storage on FreeBSD. From filesystem choice to partition layout to disk encryption, with sidelong glances at ZFS along the way, he does his usual excellent job of laying out the details you need to know without every veering into dry or boring. Keep reading for the rest of Saint Aardvark's review.
75 comments | about a week ago
According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies basically it uses no security technologies whatsoever.”
199 comments | about a week ago
According to an article at The Wall Street Journal, President Obama has sided with British Prime Minister David Cameron in saying that police and government agencies should not be blocked by encryption from viewing the content of cellphone or online communications, making the pro-spying arguments everyone has come to expect: “If we find evidence of a terrorist plot and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem,” Obama said. He said he believes Silicon Valley companies also want to solve the problem. “They’re patriots.” ... The president on Friday argued there must be a technical way to keep information private, but ensure that police and spies can listen in when a court approves. The Clinton administration fought and lost a similar battle during the 1990s when it pushed for a “clipper chip” that would allow only the government to decrypt scrambled messages.
554 comments | about a week ago
HughPickens.com writes: It's common knowledge the NSA collects plenty of data on suspected terrorists as well as ordinary citizens, but the agency also has algorithms in place to filter out information that doesn't need to be collected or stored for further analysis, such as spam emails. Now Alice Truong reports that during operations in Afghanistan after 9/11, the U.S. was able to analyze laptops formerly owned by Taliban members. According to NSA officer Michael Wertheimer, they discovered an email written in English found on the computers contained a purposely spammy subject line: "CONSOLIDATE YOUR DEBT."
According to Wertheimer, the email was sent to and from nondescript addresses that were later confirmed to belong to combatants. "It is surely the case that the sender and receiver attempted to avoid allied collection of this operational message by triggering presumed "spam" filters (PDF)." From a surveillance perspective, Wertheimer writes that this highlights the importance of filtering algorithms. Implementing them makes parsing huge amounts of data easier, but it also presents opportunities for someone with a secret to figure out what type of information is being tossed out and exploit the loophole.
110 comments | about two weeks ago
An anonymous reader writes: British prime minister David Cameron is currently visiting Washington to discuss the future of cyber-security in Britain and North America. The leaders have announced that their respective intelligence agencies will mount ongoing cyber-attack "war games" starting this summer in an effort to strengthen the West's tarnished reputation following the Sony hacking scandal. Somewhat relatedly, a recently-leaked Edward Snowden document show the NSA giving dire warnings in 2009 of the threat posed by the lack of encrypted communications on the internet.
77 comments | about two weeks ago
jones_supa writes Gustav Nipe, president of Sweden's Pirate Party's youth wing, was successful with somewhat trivial social engineering experiment in the area of the Sälen security conference. He set up a WiFi hotspot named "Öppen Gäst" ("Open Guest") without any kind of encryption. What do you know, a large amount of unsuspecting high profile guests associate with the network. Nipe says he was able to track which sites people visited as well as the emails and text messages of around 100 delegates, including politicians and journalists as well as security experts. He says that he won't be revealing which sites were visited by specific experts, as the point was just to draw attention to the issue of rogue network monitoring. The stunt has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden's Personal Data Act.
67 comments | about two weeks ago
HughPickens.com writes The death of the mainframe has been predicted many times over the years but it has prevailed because it has been overhauled time and again. Now Steve Lohr reports that IBM has just released the z13, a new mainframe engineered to cope with the huge volume of data and transactions generated by people using smartphones and tablets. "This is a mainframe for the mobile digital economy," says Tom Rosamilia. "It's a computer for the bow wave of mobile transactions coming our way." IBM claims the z13 mainframe is the first system able to process 2.5 billion transactions a day and has a host of technical improvements over its predecessor, including three times the memory, faster processing and greater data-handling capability. IBM spent $1 billion to develop the z13, and that research generated 500 new patents, including some for encryption intended to improve the security of mobile computing. Much of the new technology is designed for real-time analysis in business. For example, the mainframe system can allow automated fraud prevention while a purchase is being made on a smartphone. Another example would be providing shoppers with personalized offers while they are in a store, by tracking their locations and tapping data on their preferences, mainly from their previous buying patterns at that retailer.
IBM brings out a new mainframe about every three years, and the success of this one is critical to the company's business. Mainframes alone account for only about 3 percent of IBM's sales. But when mainframe-related software, services and storage are included, the business as a whole contributes 25 percent of IBM's revenue and 35 percent of its operating profit. Ronald J. Peri, chief executive of Radixx International was an early advocate in the 1980s of moving off mainframes and onto networks of personal computers. Today Peri is shifting the back-end computing engine in the Radixx data center from a cluster of industry-standard servers to a new IBM mainframe and estimates the total cost of ownership including hardware, software and labor will be 50 percent less with a mainframe. "We kind of rediscovered the mainframe," says Peri.
164 comments | about two weeks ago
Dr_Barnowl writes: The BBC reports that UK Prime Minister David Cameron has vowed to introduce a "comprehensive piece of legislation" aimed at there being no "means of communication ... we cannot read," in the aftermath of the Charlie Hebdo attacks in Paris. While he didn't mention encryption specifically, the only logical means by which this could occur would be by the introduction of compulsory key escrow, and the banning of forms of encryption which do not use it. While the UK already essentially has a legal means to demand your encryption keys (and imprison you indefinitely if you don't comply), this would fall short if you have a credible reason for not having the key any more (such as using an OTR plugin for your chosen chat program).
The U.S. tried a similar tack with Clipper in the 90s. As we all know, terrorists with any technical chops are unlikely to be affected, given the vast amount of freely available, military-grade crypto now available, and the use of boring old cold war tradecraft. Ironically, France used to ban the use of strong cryptography but has largely liberalized its regime since 2011.
329 comments | about two weeks ago
rossgneumann writes A new anonymous online drug market has emerged, but instead of using the now infamous Tor network, it uses the lesser known "I2P" alternative. "Silk Road Reloaded" launched yesterday, and is only accessible by downloading the special I2P software, or by configuring your computer in a certain way to connect to I2P web pages, called 'eepsites', and which end in the suffix .i2p. The I2P project site is informative, as is the Wikipedia entry.
155 comments | about two weeks ago
Press2ToContinue writes "There is a new idea out there, proposed by Shawn Wilkinson, Tome Boshevski & Josh Brandof, that if you have unused disk space on your HD that you should rent it out. It is a great idea and the concept may have a whole range of implementations. The 3 guys describe their endeavor as: "Storj is a peer-to-peer cloud storage network implementing end-to-end encryption would allow users to transfer and share data without reliance on a third party data provider. The removal of central controls would eliminate most traditional data failures and outages, as well as significantly increasing security, privacy, and data control. A peer-to-peer network and basic encryption serve as a solution for most problems, but we must offer proper incentivisation for users to properly participate in this network."
331 comments | about two weeks ago
jones_supa writes: As you may have heard, the NSA has had some success in cracking Secure Shell (SSH) connections. To respond to these risks, a guide written by Stribika tries to help you make your shell as robust as possible. The two main concepts are to make the crypto harder and make stealing keys impossible. So prepare a cup of coffee and read the tutorial carefully to see what could be improved in your configuration. Stribika gives also some extra security tips: don't install what you don't need (as any code line can introduce a bug), use the kind of open source code that has actually been reviewed, keep your software up to date, and use exploit mitigation technologies.
148 comments | about three weeks ago
msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption present before the ransomware activates, and its ability to detect 32- and 64-bit architectures and executing different versions for each.
181 comments | about three weeks ago
An anonymous reader writes: A post at Medium asks why, in this age of surveillance and privacy-related bogeymen, we aren't making greater use of SSH for our secure computing needs?
"SSH is one of the most accessible secure protocols ever, second only to HTTPS of course. Let's see what we have so far: Binary protocol, mandatory encryption, key pinning, multiplexing, compression (yes, it does that too). Aren't these the key features for why we invented HTTP/2?
Admittedly, SSH is missing some pieces. It's lacking a notion of virtual hosts, or being able to serve different endpoints on different hostnames from a single IP address. On the other hand, SSH does have several cool features over HTTP/2 though, like built-in client authentication which removes the need for registration and remembering extra passwords."
203 comments | about three weeks ago
An anonymous reader writes Earlier last year WhatsApp announced partnership with Open WhisperSystems to integrate the ratcheting forward secrecy protocol found in their app called TextSecure, into WhatsApp. The protocol is supposed to provide end-to-end encryption between WhatsApp clients. So far it has been implemented only in WhatsApp on Android, with the rest of platforms yet to come. The implementation however has already made it into unofficial WhatsApp libraries which allow developers to use WhatsApp service in their applications, starting with a python-library called yowsup, and the rest will follow. It's worth mentioning that none of those libraries are supported nor approved by WhatsApp, so one has to wonder if WhatsApp is going to take some legal action (again) against them.
29 comments | about three weeks ago
An anonymous reader writes Kim Dotcom, founder of file hosting service Mega, revealed his company will be launching a browser-based chat service "soon." Dotcom referred to the service with the hashtag #MegaChat, though he confirmed with VentureBeat that this may not be its final name. This is not the first time Dotcom has talked about the upcoming service, which gets mentioned every few months but has yet to hit public availability in any form. There is naturally a lot of hype surrounding it, given the increasing importance put on secure communications on the Internet.
40 comments | about a month ago