
  • FBI Drone Deployment Timeline

    An anonymous reader writes "The FBI insists that it uses drone technology to conduct surveillance in 'very limited circumstances.' What those particular circumstances are remains a mystery, particularly since the Bureau refuses to identify instances where agents deployed unmanned aerial vehicles, even as far back as 2006. In a letter to Senator Ron Paul last July, the FBI indicated that it had used drones a total of ten times since late 2006—eight criminal cases and two national security cases—and had authorized drone deployments in three additional cases, but did not actually fly them. The sole specific case where the FBI is willing to confirm using a drone was in February 2013, as surveillance support for a child kidnapping case in Alabama. New documents obtained by MuckRock as part of the Drone Census flesh out the timeline of FBI drone deployments in detail that was previously unavailable. While heavily redacted—censors deemed even basic facts that were already public about the Alabama case to be too sensitive for release, apparently—these flight orders, after action reviews and mission reports contain new details of FBI drone flights."

    5 comments | about half an hour ago

  • Retired SCOTUS Justice Wants To 'Fix' the Second Amendment

    CanHasDIY (1672858) writes "In his yet-to-be-released book, Six Amendments: How and Why We Should Change the Constitution, John Paul Stevens, who served as an associate justice of the Supreme Court for 35 years, believes he has the key to stopping the seeming recent spate of mass killings — amend the Constitution to exclude private citizens from armament ownership. Specifically, he recommends adding 5 words to the 2nd Amendment, so that it would read as follows: 'A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms when serving in the Militia shall not be infringed.'

    What I find interesting is how Stevens maintains that the Amendment only protects armament ownership for those actively serving in a state or federal military unit, in spite of the fact that the Amendment specifically names 'the People' as a benefactor (just like the First, Fourth, Ninth, and Tenth) and of course, ignoring the traditional definition of the term militia. I'm personally curious about his other 5 suggested changes, but I guess we'll have to wait until the end of April to find out."

    1159 comments | 10 hours ago

  • How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

    jammag writes: "Heartbleed has dealt a blow to the image of free and open source software. In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily. As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.' Many users of proprietary software, tired of FOSS's continual claims of superior security, welcome the idea that Heartbleed has punctured FOSS's pretensions. But is that what has happened?"

    522 comments | yesterday

  • Lack of US Cybersecurity Across the Electric Grid

    Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."

    92 comments | yesterday

  • The Security of Popular Programming Languages

    An anonymous reader writes "Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done. How secure the language might be is simply an afterthought, which is usually too late. A new WhiteHat Security report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications."

    180 comments | yesterday

  • OpenBSD Team Cleaning Up OpenSSL

    First time accepted submitter Iarwain Ben-adar (2393286) writes "The OpenBSD team has started a cleanup of their in-tree OpenSSL library. Improvements include removing "exploit mitigation countermeasures", fixing bugs, removal of questionable entropy additions, and many more. If you support the effort of these guys who are responsible for the venerable OpenSSH library, consider a donation to the OpenBSD Foundation. Maybe someday we'll see a 'portable' version of this new OpenSSL fork. Or not."

    279 comments | yesterday

  • Guardian and WaPo Receive Pulitzers For Snowden Coverage

    Late yesterday, the Pulitzer Prize board announced (PDF) the 2014 Pulitzer Prize winners. The public service prize was awarded to the Guardian and the Washington Post. The Washington Post was given the award for its role in revealing widespread surveillance by the NSA, "...marked by authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security," and the Guardian for sparking "...a debate about the relationship between the government and the public over issues of security and privacy." Snowden released a statement praising the Pulitzer board: "Today's decision is a vindication for everyone who believes that the public has a role in government. We owe it to the efforts of the brave reporters and their colleagues who kept working in the face of extraordinary intimidation, including the forced destruction of journalistic materials, the inappropriate use of terrorism laws, and so many other means of pressure to get them to stop what the world now recognizes was work of vital public importance. This decision reminds us that what no individual conscience can change, a free press can."

    78 comments | yesterday

  • Microsoft Confirms It Is Dropping Windows 8.1 Support

    snydeq (1272828) writes "Microsoft TechNet blog makes clear that Windows 8.1 will not be patched, and that users must get Windows 8.1 Update if they want security patches, InfoWorld's Woody Leonhard reports. 'In what is surely the most customer-antagonistic move of the new Windows regime, Steve Thomas at Microsoft posted a TechNet article on Saturday stating categorically that Microsoft will no longer issue security patches for Windows 8.1, starting in May,' Leonhard writes. 'Never mind that Windows 8.1 customers are still having multiple problems with errors when trying to install the Update. At this point, there are 300 posts on the Microsoft Answers forum thread 'Windows 8.1 Update 1 Failing to Install with errors 0x80070020, 80073712 and 800F081F.' The Answers forum is peppered with similar complaints and a wide range of errors, from 800F0092 to 80070003, for which there are no solutions from Microsoft. Never mind that Microsoft itself yanked Windows 8.1 Update from the corporate WSUS update server chute almost a week ago and still hasn't offered a replacement.'"

    564 comments | 2 days ago

  • IRS Can Now Seize Your Tax Refund To Pay a Relative's Debt

    Hugh Pickens DOT Com (2995471) writes "Just in time for the April 15 IRS filing deadline comes news from the Washington Post that hundreds of thousands of taxpayers expecting refunds are instead getting letters informing them of tax debts they never knew about: often a debt incurred by their parents. The government is confiscating their checks, sometimes over debts 20—30 years old. For example, when Mary Grice was 4 (in 1960), her father died ... 'Until the kids turned 18, her mother received survivor benefits from Social Security ... Now, Social Security claims it overpaid someone in the Grice family in 1977. ... Four years after Sadie Grice died, the government is coming after her daughter. ... "It was a shock," says Grice, 58. "What incenses me is the way they went about this. They gave me no notice, they can't prove that I received any overpayment, and they use intimidation tactics, threatening to report this to the credit bureaus."' The Treasury Department has intercepted ... $75 million from debts delinquent for more than 10 years according to the department's debt management service. 'The aggressive effort to collect old debts started three years ago — the result of a single sentence tucked into the farm bill lifting the 10-year statute of limitations on old debts to Uncle Sam.'"

    610 comments | 2 days ago

  • First Phase of TrueCrypt Audit Turns Up No Backdoors

    msm1267 (2804139) writes "An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released today (PDF) by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

    The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly."

    171 comments | 2 days ago

  • Heartbleed Disclosure Timeline Revealed

    bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."

    62 comments | 2 days ago

  • Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty

    SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."

    56 comments | 2 days ago

  • Private Keys Stolen Within Hours From Heartbleed OpenSSL Site

    Billly Gates (198444) writes "It was reported when Heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. CloudFlare launched the Heartbleed challenge on a new server with the OpenSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CAs revoke all the old keys and certificates."

    151 comments | 3 days ago

  • US Takes Out Gang That Used Zeus Malware To Steal Millions

    coondoggie (973519) writes "The US Department of Justice charged nine members of a group that used Zeus malware to infect thousands of business computers and illegally siphon off millions of dollars into overseas bank accounts. The DoJ said an indictment was unsealed in connection with the arraignment this week at the federal courthouse in Lincoln, Neb., of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36. Konovalenko and Kulibaba were recently extradited from the United Kingdom."

    38 comments | 3 days ago

  • Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

    An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

    134 comments | 3 days ago

  • NSA Allegedly Exploited Heartbleed

    squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit it if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.

    149 comments | 5 days ago

  • $250K Reward Offered In California Power Grid Attack

    An anonymous reader writes "The Associated Press reports that Pacific Gas & Electric Co. has put up a $250,000 reward for 'information leading to an arrest and conviction in a startling attack mounted nearly a year ago on telephone lines and the power grid in Silicon Valley.' Besides cutting power lines, the attackers also cut AT&T fiber-optic phone lines, thereby denying some people access to 911, and fired shots into a PG&E substation, knocking out 17 transformers in Silicon Valley and causing $15 million in damage. As of this post, the perpetrators are still unidentified and continue to elude the FBI. Meanwhile, the Federal Energy Regulatory Commission (FERC) on Thursday was brought before the Senate Energy Committee to explain why the FERC disseminated via insecure media a sensitive document describing where all the nation's power grids are particularly sensitive to a physical attack. FERC responded with assurances that databases are currently being scrubbed and procedures being implemented to safeguard critical data."

    111 comments | 5 days ago

  • 'weev' Conviction Vacated

    An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

    147 comments | 5 days ago

  • Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

    nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."

    444 comments | about a week ago

  • Google Chrome Flaw Sets Your PC's Mic Live

    First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."

    152 comments | about a week ago
