Learn to Build 14 Websites with 28 Hours of Instruction on HTML, JavaScript, MySQL & More for $14 ×
Electronic Frontier Foundation

Humble Bundle Announces 'Hacker' Pay-What-You-Want Sale (humblebundle.com) 42

An anonymous reader writes: Humble Bundle announced a special "pay what you want" sale for four ebooks from No Starch Press, with proceeds going to the Electronic Frontier Foundation (or to the charity of your choice). This "hacker edition" sale includes two relatively new titles from 2015 -- "Automate the Boring Stuff with Python" and Violet Blue's "Smart Girl's Guide to Privacy," as well as "Hacking the Xbox: An Introduction to Reverse Engineering" by Andrew "bunnie" Huang, and "The Linux Command Line".

Hackers who are willing to pay "more than the average" -- currently $14.87 -- can also unlock a set of five more books, which includes "The Maker's Guide to the Zombie Apocalypse: Defend Your Base with Simple Circuits, Arduino, and Raspberry Pi". (This level also includes "Bitcoin for the Befuddled" and "Designing BSD Rootkits: An Introduction to Kernel Hacking".) And at the $15 level -- just 13 cents more -- four additional books are unlocked. "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" is available at this level, as well as "Hacking: The Art of Exploitation" and "Black Hat Python."

Nice to see they've already sold 28,506 bundles, which are DRM-free and available in PDF, EPUB, and MOBI format. (I still remember Slashdot's 2012 interview with Make magazine's Andrew "bunnie" Huang, who Samzenpus described as "one of the most famous hardware and software hackers in the world.")
Security

Berkeley Researchers Examine Five Worst-Case Security Nightmares (berkeley.edu) 21

An anonymous reader writes: Berkeley researchers have gamed out five worst-case security scenarios at their Center for Long-Term Cybersecurity, calling it "a disciplined, imaginative approach to modeling what cybersecurity could mean in the future...to provoke a discussion about what the cybersecurity research and policy communities need to do now in order to be better positioned..." Two of the scenarios are set in 2020 -- one called "The New Normal" imagining a world were users assume their personal information can no longer be kept safe, and another involving the privacy and security implications in a world where hackers lurk undetected on a now-ubiquitous Internet of Things.

"Our goal is to identify emerging issues that will become more important..." they write in an executive summary, including "issues on the table today that may become less salient or critical; and new issues that researchers and decision-makers a few years from now will have wished people in the research and policy communities had noticed -- and begun to act on -- earlier.

Scenario #2 imagines a super-intelligent A.I. which can predict and even manipulate the behavior of individuals, and scenario #3 involves criminals exploiting valuable data sets -- and data scientists -- after an economic collapse.
Security

Slack To Disable Thousands of Logins Leaked on GitHub (detectify.com) 25

An anonymous reader writes: Thursday one technology site reported that thousands of developers building bots for the team-collaboration tool Slack were exposing their login credentials in public GitHub repositories and tickets. "The irony is that a lot of these bots are mostly fun 'weekend projects', reported Detectify. "We saw examples of fit bots, reminding you to stretch throughout the day, quote bots, quoting both Jurassic Park...and Don Quixote...."

Slack responded that they're now actively searching for publicly-posted login credentials, "and when we find any, we revoke the tokens and notify both the users who created them, as well as the owners of affected teams." Detectify notes the lapse in security had occurred at a wide variety of sites, including "Forbes 500 companies, payment providers, multiple internet service providers and health care providers... University classes at some of the world's best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on..."

AI

Google AI Has Access To 1.6M People's NHS Records (newscientist.com) 49

Hal Hodson, reporting for New Scientist:It's no secret that Google has broad ambitions in healthcare. But a document obtained by New Scientist reveals that the tech giant's collaboration with the UK's National Health Service goes far beyond what has been publicly announced. The document -- a data-sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust -- gives the clearest picture yet of what the company is doing and what sensitive data it now has access to. The agreement gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust -- Barnet, Chase Farm and the Royal Free -- each year. This will include information about people who are HIV-positive, for instance, as well as details of drug overdoses and abortions. The agreement also includes access to patient data from the last five years. According to their original agreement, Google cannot use the data in any other part of its business.
Government

Supreme Court Gives FBI More Hacking Power (theintercept.com) 173

An anonymous reader cites an article on The Intercept (edited and condensed): The Supreme Court on Thursday approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes, which will take immediate effect in December unless Congress adopts competing legislation, would allow the FBI go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant. Previously, under the federal rules on criminal procedures, a magistrate judge couldn't approve a warrant request to search a computer remotely if the investigator didn't know where the computer was -- because it might be outside his or her jurisdiction. The rule change would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor."Unbelievable," said Edward Snowden. "FBI sneaks radical expansion of power through courts, avoiding public debate." Ahmed Ghappour, a visiting professor at University of California Hastings Law School, has described it as "possibly the broadest expansion of extraterritorial surveillance power since the FBI's inception."
Communications

The Critical Hole At the Heart Of Our Cell Phone Networks (wired.com) 30

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and ATT have vulnerabilities with fixes that have yet to be implemented for example.
Encryption

Top Security Experts Say Anti-Encryption Bill Authors Are 'Woefully Ignorant' (dailydot.com) 89

blottsie writes from a report on the Daily Dot: In a Wall Street Journal editorial titled "Encryption Without Tears," Sens. Richard Burr and Dianne Feinstein pushed back on widespread condemnation of their Compliance with Court Orders Act, which would require tech companies to provide authorities with user data in an "intelligible" format if served with a warrant. But security experts Bruce Schneir, Matthew Green, and others say the lawmakers entirely misunderstand the issue. "On a weekly basis we see gigabytes of that information dumped to the Internet," Green told the Daily Dot. "This is the whole problem that encryption is intended to solve." He added: "You can't hold out the current flaws in the Internet as a justification for why the Internet shouldn't be made secure." "These criticisms of Burr and Feinstein's analogy emphasize an important point about digital security: The differences between the levels of encryption protecting certain types of data -- purchase records on Amazon's servers versus photos on an iPhone, for example -- lead to different levels of risk," writes Eric Geller of the Daily Dot.
Security

Cisco Finds Backdoor Installed On 12 Million PCs (securityweek.com) 67

Reader wiredmikey writes: Security researchers at Cisco have come across a piece of software that installed backdoors on 12 million computers around the world. Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other tools, such as a known scareware called System Healer, but also of harvesting personal information. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The "features" have led Cisco Talos to classify the Tuto4PC software as a "full backdoor capable of a multitude of undesirable functions on the victim machine." Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco's systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand.Tuto4PC has received flak from many over the years, including French regulators.
Bug

American Samoa Domain Registry Was Exposing Client Data Since the Mid-1990s (softpedia.com) 17

An anonymous reader quotes a report from Softpedia: A British security researcher that goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner. The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL. Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald's, British Gas, Bose, Adidas, the University of Texas, and many link shortening services. This flawed system has been online since the mid-1990s. The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing, with the registry issuing a statement today denying the incident and calling the allegations "inaccurate, misleading and sexed-up to the max," after previously acknowledging and fixing the security flaws.
Government

House Passes Email Privacy Act, Requiring Warrants For Obtaining Emails (techcrunch.com) 61

An anonymous reader quotes a report from TechCrunch: The U.S. House of Representatives has passed H.R. 699, the Email Privacy Act, sending it on to the Senate and from there, hopefully anyhow, to the President. The yeas were swift and unanimous. The bill, which was introduced in the House early last year and quickly found bipartisan support, updates the 1986 Electronic Communications Privacy Act, closing a loophole that allowed emails and other communications to be obtained without a warrant. It's actually a good law, even if it is arriving a couple of decades late. "Under current law, there are more protections for a letter in a filing cabinet than an email on a server," said Congresswoman Suzan Delbene during the debate period. An earlier version of the bill also required that authorities disclose that warrant to the person it affected within 10 days, or 3 if the warrant related to a government entity. That clause was taken out in committee -- something trade groups and some of the Representatives objected to as an unpleasant compromise.
Government

Former Tor Developer Created Malware To Hack Tor Users For The FBI (dailydot.com) 72

Patrick O'Neill writes: Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago. Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases. The Tor Project has confirmed this report in a statement after being contacted by the Daily Dot, "It has come to out attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware." Maybe Tor users will now be less likely to anonymously check Facebook each month...
Communications

There Will Be A Huge New 'Panama Papers' Data Dump (businessinsider.com) 109

An anonymous reader writes: The International Consortium of Investigative Journalists said in an email that on May 9 it would "publish what will likely be the largest-ever release of information about secret offshore companies and the people behind them," based on data from the Panama Papers investigation. "The searchable database will include information about more than 200,000 companies, trusts, foundations, and funds incorporated in 21 tax havens, from Hong Kong to Nevada in the United States." The ICIJ said in the email, "The impact of Panama Papers has been epic." The investigation has caused Icelandic Prime Minister Sigmundur David Gunnlaugsson to resign following revelations about his personal finances. It has caused Putin to point fingers at the West, accusing the U.S. of trying to weaken Russia. It has even created drama in the UK with calls for Prime Minister David Cameron to resign after his connections to offshore companies became evident. In addition, the ICIJ said, "[The Panama Papers investigation] sparked a new sense of urgency among lawmakers and regulators to close loopholes and make information about the owners of shell companies public."
Encryption

A Complete Guide To The New 'Crypto Wars' (dailydot.com) 68

blottsie writes: The latest debate over encryption did not begin with a court order demanding Apple help the FBI unlock a dead terrorist's iPhone. The new "Crypto Wars," chronicled in a comprehensive timeline by Eric Geller of the Daily Dot, dates back to at least 2003, with the introduction of "Patriot Act II." The battle over privacy and personal security versus crime-fighting and national security has, however, become a mainstream debate in recent months. The timeline covers a wide-range of incidents where the U.S. and other allied governments have tried to restrict citizens' access to strong encryption. The timeline ends with the director of national intelligence blaming NSA whistleblower Edward Snowden for advancing the spread of user-friendly, widely available strong encryption.
Security

Symantec: Cruz and Kasich Campaign Apps May Expose Sensitive Data (go.com) 32

An anonymous reader writes: Apps released by the campaigns of Republican presidential contenders Ted Cruz and John Kasich have the potential for hackers to access users' personal information. According to an independent analysis by Symantec, the "Cruz Crew" app could allow third parties to capture a phone's unique identifying number and other personal information while the Kasich 2016 app could expose users' location data and information about other apps installed on the phones. First it was Veracode that reported potential vulnerabilities with the apps, now it's Symantec. Apparently the Cruz campaign updated its app to resolve the issues after the Veracode report was released. Kasich spokesman Rob Nichols said the security experts didn't know what they were talking about. Both campaigns have yet to respond to the latest Symantec analysis. Neither security firm found any issues in the app released by the campaign of Democrat Bernie Sanders. Republican Donald Trump and Democrat Hillary Clinton do not have campaign apps.
Encryption

US Wants Its Own Secure and Self-Destructing Messaging App -- And It's Willing to Pay (bloomberg.com) 83

Long time reader schwit1 writes: The Defense Advanced Research Projects Agency (DARPA), an agency within the Department of Defense historically known for creating the Internet itself, has published a call for companies to submit proposals to build a robust messaging platform that the military could use for secure communication of everything from intelligence to procurement contracts. "Troops on the ground in denied communications environments would have a way to securely communicate back to HQ and DoD back office executives could rest assured that their logistics system is efficient, timely and safe from hackers," according to the DARPA proposal. The request for proposals, reported earlier by the UK's Telegraph outlet, also says that the messaging platform should incorporate a customized blockchain, the distributed ledger technology that underpins the digital currency bitcoin, for recording messages and contract information. The proposal says such a distributed ledger would allow the military to conduct its business in a more efficient and secure fashion.Motherboard's Lorenzo Franceschi-Bicchierai reports that DARPA is willing to pay people to make this app. "This project falls under the rules of the Small Business Technology Transfer (STTR) program. During the first phase, according to the program's rules, successful applicants might be awarded no more than $150,000 for one year. The companies and researchers who are part of phase one can then be eligible for a phase two award of up to $1 million for two years. Lastly, during phase three, the company or companies can pursue commercialization, and receive no funds from the federal government."
Government

Spy Chief Complains That Edward Snowden Sped Up Spread of Encryption By 7 Years (theintercept.com) 242

An anonymous reader cites an article on The Intercept: The director of national intelligence on Monday blamed NSA whistleblower Edward Snowden for advancing the development of user-friendly, widely available strong encryption. "As a result of the Snowden revelations, the onset of commercial encryption has accelerated by seven years," James Clapper said. The shortened timeline has had "a profound effect on our ability to collect, particularly against terrorists," he said. When pressed by The Intercept to explain his figure, Clapper said it came from the National Security Agency. "The projected growth maturation and installation of commercially available encryption -- what they had forecasted for seven years ahead, three years ago, was accelerated to now, because of the revelation of the leaks." Asked if that was a good thing, leading to better protection for American consumers from the arms race of hackers constantly trying to penetrate software worldwide, Clapper answered no. "From our standpoint, it's not ⦠it's not a good thing," he said."Of all the things I've been accused of," Snowden said, "this is the one of which I am most proud."
Security

Over 1M BeautifulPeople Dating Site User Details Leak Online (thenextweb.com) 50

An anonymous reader writes: Personal information of over one million users stored by popular dating site BeautifulPeople has leaked, and is now accessible online. We already knew that BeautifulPixel.com was hacked (it happened in November 2015), but this is the first confirmation from a security researcher that the details are legitimate. (BeautifulPeople had downplayed it at the time, saying that it was a staging server, and not a production server, that was hacked.) Security researcher Troy Hunt, citing a source, noted that the data has been sold online. The leaked personal information include email addresses, phone numbers, as well as hair color, weight, job and other details.Troy also noted that of the 1.1 million users details,170 of them have government email addresses. Some of you may remember BeautifulPixel as the creator the "Shrek" virus.
Security

'I Hacked Facebook -- and Found Someone Had Beaten Me To It' (theregister.co.uk) 51

An anonymous reader shares an article on The Register: A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp -- and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system. According to Tsai, he or she stumbled across malware installed by someone else that was stealing usernames and passwords of FB employees who logged into the machine. The login credentials were siphoned off to an outside computer. According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.
Democrats

Spy Chief Pressed For Number Of Americans Ensnared In Data Espionage (reuters.com) 34

Dustin Volz, reporting for Reuters: U.S. lawmakers are pressing the nation's top intelligence official to estimate the number of Americans ensnared in email surveillance and other such spying on foreign targets, saying the information was needed to gauge possible reforms to the controversial programs. Eight Democrats and six Republicans made the request to Director of National Intelligence James Clapper in a letter seen by Reuters on Friday, reflecting the continued bipartisan concerns over the scope of U.S. data espionage. "You have willingly shared information with us about the important and actionable intelligence obtained under these surveillance programs," wrote the lawmakers, all members of the U.S. House of Representatives' Judiciary Committee. "Now we require your assistance in making a determination that the privacy protections in place are functioning as designed." They requested that Clapper provide the information about data collected under a statute, known as Section 702, by May 6.
Security

MongoDB Config Error Exposed 93M Mexican Voter Records (csoonline.com) 69

An anonymous reader cites an article on CSOOnline: A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015. Vickery, who works as a security researcher at Kromtech, discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more. [...] Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.

Slashdot Top Deals