
United Kingdom

UK Licensing Site Requires MSIE Emulation, But Won't Work With MSIE 18

Posted by timothy
from the strange-circlings-back dept.
Anne Thwacks writes The British Government web site for applying for a licence to be a security guard requires a plugin providing Internet Explorer emulation on Firefox to login and apply for a licence. It won't work with Firefox without the add-on, but it also won't work with Internet Explorer! (I tried Win XP and Win7 Professional). The error message says "You have more than one browser window open on the same internet connection," (I didn't) and "to avoid this problem, close your browser and reopen it." I did. No change.

I tried three different computers, with three different OSes. Still no change. I contacted their tech support and they said "Yes ... a lot of users complain about this. We have known about it since September, and are working on a fix! Meanwhile, we have instructions on how to use the "Fire IE" plugin to get round the problem." Eventually, I got this to work on Win7pro. (The plugin will not work on Linux). The instructions require a very old version of the plugin, and a bit of trial and error is needed to get it to work with the current one. How can a government department concerned with security not get this sort of thing right?

Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government 110

Posted by Soulskill
from the year-of-the-ddos dept.
An anonymous reader writes: During the past two days, popular code hosting site GitHub has been under a DDoS attack, which has led to intermittent service interruptions. As blogger Anthr@X reports from traceroute lists, the attack originated from MITM-modified JavaScript files for the Chinese company Baidu's user tracking code, changing the unencrypted content as it passed through the great firewall of China to request the URLs and The Chinese government's dislike of widespread VPN usage may have caused it to arrange the attack, where only people accessing Baidu's services from outside the firewall would contribute to the DDoS. This wouldn't have been the first time China arranged this kind of "protest."

Big Vulnerability In Hotel Wi-Fi Router Puts Guests At Risk 40

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel's reservation and keycard systems. The vulnerability, which was discovered by Justin W. Clarke of the security firm Cylance, gives attackers read-write access to the root file system of the ANTlabs devices. The discovery of the vulnerable systems was particularly interesting to them in light of an active hotel hacking campaign uncovered last year by researchers at Kaspersky Lab. In that campaign, which Kaspersky dubbed DarkHotel.

Millennial Tech Workers Losing Ground In US 376

Posted by samzenpus
from the no-work-for-you dept.
Nerval's Lobster writes Millennial tech workers are entering the U.S. workforce at a comparable disadvantage to other tech workers throughout the industrialized world, according to a study earlier this year from Educational Testing Services (PDF). How do U.S. millennials compare to their international peers, at least according to ETS? Those in the 90th percentile (i.e., the top-scoring) actually scored lower than top-scoring millennials in 15 of the 22 studied countries; low-scoring U.S. millennials ranked last (along with Italy and England/Northern Ireland). While some experts have blamed the nation's education system for the ultimate lack of STEM jobs, other studies have suggested that the problem isn't in the classroom; a 2014 report from the U.S. Census Bureau suggested that many of the people who earned STEM degrees didn't actually go into careers requiring them. In any case, the U.S. is clearly wrestling with an issue; how can it introduce more (qualified) STEM people into the market?

Win Or Lose, Discrimination Suit Is Having an Effect On Silicon Valley 324

Posted by samzenpus
from the to-pay-or-not-to-pay-that-is-the-question dept.
SpzToid sends word that the Ellen Pao vs. Kleiner Perkins Caufield & Byers discrimination case wrapped up yesterday. No matter what the outcome turns out to be, it has already affected how business is being done in Silicon Valley. "'Even before there's a verdict in this case, and regardless of what the verdict is, people in Silicon Valley are now talking,' said Kelly Dermody, managing partner at Lieff Cabraser Heimann & Bernstein, who chairs the San Francisco law firm's employment practice group. 'People are second-guessing and questioning whether there are exclusionary practices [and] everyday subtle acts of exclusion that collectively limit women's ability to succeed or even to compete for the best opportunities. And that's an incredibly positive impact.' Women in tech have long complained about an uneven playing field — lower pay for equal work, being passed over for promotions and a hostile 'brogrammer' culture — and have waited for a catalyst to finally overhaul the status quo. This trial — pitting a disgruntled, multimillionaire former junior partner against a powerful Menlo Park, Calif., venture capital firm — was far from the open-and-shut case that many women had hoped for. More gender discrimination suits against big tech firms are expected to follow; some already have, including lawsuits against Facebook Inc. and Twitter Inc."

Generate Memorizable Passphrases That Even the NSA Can't Guess 252

Posted by timothy
from the exercise-for-the-reader dept.

Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you'll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You'll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You'll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like "cap liz donna demon self", "bang vivo thread duct knob train", and "brig alert rope welsh foss rang orb". If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use fewer words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

After you've generated your passphrase, the next step is to commit it to memory. You should write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn't take more than two or three days before you no longer need the paper, at which point you should destroy it. "Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It's a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."
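The Diceware arithmetic behind the figures in the post above, as an added example that is not from The Intercept article or the Diceware project: `key_to_index` mirrors the five-digit number printed beside each word, `average_crack_seconds` reproduces the six-month and 3,505-year estimates, and Python's `secrets` module stands in for the physical dice so the script can run unattended (the real 7,776-word list is not embedded; `generate` accepts any list of that length).

```python
"""Diceware passphrase arithmetic (added example; assumes a 7,776-word list
indexed like Diceware's, and a 10**12 guesses/second adversary as in the post)."""
import math
import secrets

WORDLIST_SIZE = 6 ** 5       # 7,776 words, one per five-digit key 11111..66666
DICE_PER_WORD = 5
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def roll_word_key(rng=secrets.randbelow):
    """Five virtual d6 rolls -> a key such as '41362', like the number printed
    next to each Diceware word. rng(6) must return a uniform integer in 0..5;
    the post recommends real dice, which is what this stands in for."""
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key):
    """Map a Diceware key to a zero-based index into the 7,776-word list.
    The key is a base-6 number whose digits run 1..6 instead of 0..5."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a Diceware key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def passphrase_space(words):
    """Number of distinct passphrases with this many words (7,776 ** words)."""
    return WORDLIST_SIZE ** words


def bits_of_entropy(words):
    """Entropy of a uniformly chosen passphrase: about 12.9 bits per word."""
    return words * math.log2(WORDLIST_SIZE)


def average_crack_seconds(words, guesses_per_second=10**12):
    """Expected time for exhaustive search: the attacker tries, on average,
    half the space before hitting the right passphrase."""
    return passphrase_space(words) / 2 / guesses_per_second


def generate(words, wordlist, rng=secrets.randbelow):
    """Assemble a passphrase from a Diceware-indexed word list of 7,776 entries."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("Diceware word list must have 7,776 entries")
    return " ".join(wordlist[key_to_index(roll_word_key(rng))] for _ in range(words))


if __name__ == "__main__":
    for n in (2, 5, 6):
        secs = average_crack_seconds(n)
        print(f"{n} words: {passphrase_space(n):,} passphrases, "
              f"{bits_of_entropy(n):.1f} bits, average crack "
              f"{secs / SECONDS_PER_DAY:,.0f} days = "
              f"{secs / SECONDS_PER_YEAR:,.0f} years at 1e12 guesses/s")
    print("five rolled keys:", " ".join(roll_word_key() for _ in range(5)))
```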

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption 22

Posted by timothy
from the process-not-product dept.
ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

MIT Debuts Integer Overflow Debugger 34

Posted by timothy
from the measure-twice-cut-once dept.
msm1267 writes Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to the crashing of systems. Researchers from the school's Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection. As part of an experiment, the researchers tested DIODE on code from five different open source applications. While the system was able to generate inputs that triggered three integer overflows that were previously known, the system also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes.

RSA Conference Bans "Booth Babes" 322

Posted by timothy
from the can-I-ask-you-some-technical-questions dept.
netbuzz writes In what may be a first for the technology industry, RSA Conference 2015 next month apparently will be bereft of a long-controversial trade-show attraction: "booth babes." New language in its exhibitor contract, while not using the term 'booth babe,' leaves no doubt as to what type of salesmanship RSA wants left out of its event. Says a conference spokeswoman: "We thought this was an important step towards making all security professionals feel comfortable and equally respected during the show." Easier at a venue like RSA; the annual Consumer Electronics Show, not so much.

NJ School District Hit With Ransomware-For-Bitcoins Scheme 167

Posted by timothy
from the so-is-there-a-downside? dept.
An anonymous reader sends news that unidentified hackers are demanding 500 bitcoins, currently worth about $128,000, from administrators of a New Jersey school district. Four elementary schools in Swedesboro-Woolwich School District, which enroll more than 1,700 students, are now locked out of certain tasks: "Without working computers, teachers cannot take attendance, access phone numbers or records, and students cannot purchase food in cafeterias. Also, [district superintendent Dr. Terry C. Van Zoeren] explained, parents cannot receive emails with students' grades and other information." According to this blog post from security company BatBlue, the district has been forced to postpone the Common Core-mandated PARCC state exams, too. Small comfort: "Fortunately the Superintendent told CBS 3's Walt Hunter the hackers, using a program called Ransomware, did not access any personal information about students, families or teachers." Perhaps the administrators can take heart: Ransomware makers are, apparently, starting to focus more on product support; payment plans are probably on the way.

Many Password Strength Meters Are Downright Weak, Researchers Say 157

Posted by timothy
from the it's-like-pressing-the-walk-button dept.
alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results." Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).

GNOME 3.16 Released 175

Posted by timothy
from the gnome-3:16-signs-for-every-sporting-event dept.
kthreadd writes Version 3.16 of GNOME, the primary desktop environment for GNU/Linux operating systems, has been released. Some major new features in this release include an overhauled notification system, an updated design of the calendar drop down and support for overlay scrollbars. Also, the grid view in Files has been improved with bigger thumbnail icons, making the appearance more attractive and the rows easier to read. A video is available which demonstrates the new version.

Draconian Australian Research Law Hits Scientists 147

Posted by Soulskill
from the blunder-down-under dept.
An anonymous reader writes: The Australian government is pushing ahead with a draconian law placing "dual use" science (e.g. encryption, biotechnology) under the control of the Department of Defence. The Australian ACLU, Civil Liberties Australia, warns the law punishes scientists with $400,000 fines, 10 years in jail and forfeiture of their work, just for sending an "inappropriate" e-mail.

Scientists — including the academics union — warn the laws are unworkable despite attempted improvements, and will drive researchers offshore (paywalled: mirror here).

Flash-Based Vulnerability Lingers On Many Websites, Three Years Later 42

Posted by Soulskill
from the what's-old-is-new dept.
itwbennett writes: The vulnerability known as CVE-2011-2461 was unusual because fixing it didn't just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't. Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers. They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.

Chinese CA Issues Certificates To Impersonate Google 133

Posted by Soulskill
from the doing-trust-wrong dept.
Trailrunner7 writes: Google security engineers, investigating fraudulent certificates issued for several of the company's domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain. Google's engineers were able to block the fraudulent certificates in the company's Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered. But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic.

A Bechdel Test For Programmers? 515

Posted by timothy
from the this-code-feels-different dept.
Nerval's Lobster writes In order for a movie or television show to pass the Bechdel Test (named after cartoonist and MacArthur genius Alison Bechdel), it must feature two female characters, have those two characters talk to one another, and have those characters talk to one another about something other than a man. A lot of movies and shows don't pass. How would programming culture fare if subjected to a similar test? One tech firm, 18F, decided to find out after seeing a tweet from Laurie Voss, CTO of npm, which explained the parameters of a modified Bechdel Test. According to Voss, a project that passes the test must feature at least one function written by a woman developer, that calls a function written by another woman developer. 'The conversation started with us quickly listing the projects that passed the Bechdel coding test, but then shifted after one of our devs then raised a good point,' read 18F's blog posting on the experiment. 'She said some of our projects had lots of female devs, but did not pass the test as defined.' For example, some custom languages don't have functions, which means a project built using those languages would fail even if written by women. Nonetheless, both startups and larger companies could find the modified Bechdel Test a useful tool for opening up a discussion about gender balance within engineering and development teams.

Hardware Hacking

Hack Air-Gapped Computers Using Heat 122

Posted by timothy
from the oh-baby-you're-so-communicative dept.
An anonymous reader writes Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart, that are infected with malware, by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. Also at Wired.

IBM Will Share Tech With China To Help Build IT Industry There 108

Posted by Soulskill
from the different-tack-from-Google dept.
An anonymous reader sends this report from Reuters: IBM Corp will share technology with Chinese firms and will actively help build China's industry, CEO Virginia Rometty said in Beijing as she set out a strategy for one of the foreign firms hardest hit by China's shifting technology policies. IBM must help China build its IT industry rather than viewing the country solely as a sales destination or manufacturing base, Rometty said. ... [Her] remarks were among the clearest acknowledgements to date by a high-ranking foreign technology executive that companies must adopt a different tack if they are to continue in China amid growing political pressure. A number of U.S. technology companies operating in China are forming alliances with domestic operators, hoping a local partner will make it easier to operate in the increasingly tough environment for foreign businesses.

Possible Security Breach 49

Posted by Soulskill
from the another-day,-another-breach dept.
New submitter FalleStar writes: Today, the world's largest video game livestreaming website, posted the following blog entry: "We are writing to let you know that there may have been unauthorized access to some Twitch user account information. For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account. We also recommend that you change your password at any website where you use the same or a similar password." The full details of the breach have yet to be released. Back in a 2013 blog post, Twitch reported that one of their CDNs had mistakenly exposed user account information, and they mentioned that their user passwords are hashed, but did not indicate whether or not they are salted. In addition to the blog post, Twitch users are being notified of the intrusion by email. According to one such email, compromised data may include the last IP address a user logged in from, as well as some credit card information — but not full card numbers, since Twitch doesn't store those.

Nobody Is Sure What Should Count As a Cyber Incident 49

Posted by Soulskill
from the playing-by-hundreds-of-different-rulebooks dept.
chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications led to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham, Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."