
Communications

Ryan Lackey, Marc Rogers Reveal Inexpensive Tor Router Project At Def Con

Posted by timothy
from the widespread-and-easy-are-tightly-linked dept.
An anonymous reader writes: Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It "provides always-on Tor routing, as well as 'pluggable' transport for Tor that can hide the service's traffic signature from some deep packet inspection systems." In essence, PORTAL is a travel router that the user simply plugs into their existing device for more than basic Tor protection (counterpoint to PogoPlug Safeplug and Onion Pi). On the down side, you have to download PORTAL from GitHub and flash it "onto a TP-Link compatible packet router." The guys behind the device acknowledge that not many people may want to (or even know how to) do that, so they're asking everyone to stand by because a solution is pending. The project's GitHub page has a README file that lists compatible models, with some caveats: "It is highly recommended to use a modified router. The modified MR11U and WR703N provide a better experience than the stock routers due to the additional RAM. The severe space constraints of the stock router make them very challenging to work with. Due to the lack of usable space, it is necessary to use an external disk to store the Tor packages. The stock router has only a single USB port, and the best option is to use a microSD in a 3G modem." (Note: Lackey is no stranger to helping people secure internet privacy.)
Security

DEFCON's Latest Challenge: Hacking Altruism

Posted by Soulskill
from the teach-a-man-to-phish dept.
jfruh writes: A casual observer at the latest DEFCON conference in Las Vegas might not have noticed much change from last year — still tons of leather, piercings, and body art, still groups of men gathered in darkened ballrooms furiously typing commands. But this year there's a new focus: hacking not just for the lulz, but specifically to highlight computer security problems that have the potential to do real-world physical harm to human beings.
Security

Silent Circle's Blackphone Exploited at Def Con

Posted by timothy
from the outharshing-one-another dept.
Def Con shows no mercy. As gleefully reported by several BlackBerry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com's linked report: "However, one of the vulnerabilities has already been patched and the other is only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities." Case reacts via Twitter to the crowing: "Hey BlackBerry idiots, stop misquoting me on your blogs. Your phone is only 'secure' because it has few users and little value as a target."
Privacy

John McAfee Airs His Beefs About Privacy In Def Con Surprise Talk

Posted by timothy
from the now-take-larry-ellison dept.
John McAfee made a surprise appearance at Def Con to talk about privacy: he's for it. Trouble is, he says, lots of companies feel otherwise, and he took the stage to single out "don't be evil" Google: “Google, or at least certain people within Google, I will not mention names because I am not a rude gentleman, would like us to believe that if we have nothing to hide, we should not mind if everybody knows everything that we do,” he said from the podium. “I have to take serious issue with that.” The BBC has video. McAfee also announced his new complaints website, The Brown List. (Good usernames are still available, and your complaint can be about anything, not just privacy violations by humongous corporations.)
Security

The CIA Does Las Vegas

Posted by Unknown Lamer
from the join-the-darker-side dept.
Nicola Hahn (1482985) writes: Despite the long line of covert operations that Ed Snowden's documents have exposed, public outcry hasn't come anywhere near the level of social unrest that characterized the 1960s. Journalists like Conor Friedersdorf have suggested that one explanation for this is that the public is "informed by a press that treats officials who get caught lying and misleading (e.g., James Clapper and Keith Alexander) as if they're credible."

Certainly there are a number of well-known popular venues which offer a stage for spies to broadcast their messages from while simultaneously claiming to "cultivate conversations among all members of the security community, both public and private." This year, for instance, Black Hat USA will host Dan Geer (the CISO of In-Q-Tel) as a keynote speaker.

But after all of the lies and subterfuge, is it even constructive to give voice to the talking points of intelligence officials? Or are they just muddying the water? As one observer put it, "high-profile members of the intelligence community like Cofer Black, Shawn Henry, Keith Alexander, and Dan Geer are positioned front and center in keynote slots, as if they were glamorous Hollywood celebrities, while those who value their civil liberties might opine that they should more aptly be treated like pariahs."
China

Bill Blunden's Rejected DEF CON Presentation Posted Online

Posted by timothy
from the what-I-was-going-to-say dept.
Nicola Hahn (1482985) writes "Though the Review Board at DEF CON squelched Bill Blunden's presentation on Chinese cyber-espionage, and the U.S. government has considered imposing visa restrictions to keep out Chinese nationals, Bill has decided to post both the presentation's slide deck and its transcript online. The talk focuses on Mike Rogers, in all his glory, a former FBI agent who delivers a veritable litany of hyperbolic misstatements (likely to be repeated endlessly on AM radio). Rather than allow the DEFCON Review Board to pass judgement as supposed .gov 'experts,' why not allow people to peruse the material and decide for themselves who is credible and who is not?" "Squelched" seems a little harsh (only so many talks can fit, and there's no accounting for taste), but it's certainly good to see any non-accepted DEF CON presentations made public.
Security

US May Prevent Chinese Hackers From Attending Def Con, Black Hat

Posted by timothy
from the like-a-george-lucas-script dept.
Taco Cowboy (5327) links to a report from Reuters that says "Washington is considering using visa restrictions to prevent Chinese nationals from attending popular summer hacking conferences in Las Vegas as part of a broader effort to curb Chinese cyber espionage, a senior administration official said Saturday. The official said that Washington could use such visa restrictions and other measures to keep Chinese from attending the August Def Con and Black Hat events to maintain pressure on China after the United States this week charged five Chinese military officers with hacking into U.S. companies to steal trade secrets."
Google

Emails Reveal Battle Over Employee Poaching Between Google and Facebook

Posted by samzenpus
from the you-scratch-my-back dept.
colinneagle (2544914) writes "Apple, Google, and a slew of other high-tech firms are currently embroiled in a class-action lawsuit on allegations that they all adhered to tacit anti-poaching agreements. With that case currently ongoing, we've seen a number of interesting executive emails come to light, including emails showing that Steve Jobs threatened Palm's CEO with a full-fledged legal assault if the company kept going after Apple engineers. There is also correspondence between Sergey Brin, Marissa Mayer, Facebook's Sheryl Sandberg, and Google's Jonathan Rosenberg discussing the threat that Google saw in Facebook hiring its engineers. The discussion elevates, with Sandberg pointing out the hypocrisy of Google growing to prominence by hiring engineers from major Silicon Valley firms. Rosenberg then hints at the potential for a 'deeper relationship' that Google would be willing to reach as long as Facebook stops hiring its engineers, going so far as to tell Sandberg to 'fix this problem.'"
Security

TrustyCon was the 'Rebel Conference' Across the Street From RSA 2014 (Video)

Posted by Roblimo
from the the-most-interesting-people-are-often-in-the-rebel-groups dept.
RSA holds big-time annual security conferences. The 2014 U.S. edition had 25,000 attendees, Stephen Colbert as the closing keynote speaker, and a major controversy (and some anger) from potential speakers and attendees over RSA's reputed $10 million contract with NSA to make sure the company's encryption software had back doors the secretive agency could use to spy on people and companies that use RSA software. This is part of a story that might be called The Snowden Revelations if it is made into a movie, but right now it's still controversial, and enough of a bombshell in the IT security industry that F-Secure's Mikko Hyppönen decided not to speak at this year's U.S. RSA conference, followed by Bruce Schneier, DEFCON founder Jeff Moss, Princeton professor Ed Felten, and other security luminaries.

And so, TrustyCon -- the Trustworthy Technology Conference -- was born. It was a sellout, with 400 people attending at $50 a head, and another 300 on a waiting list who couldn't get in. Slashdot's Tim Lord managed to get in, and got to speak briefly with several people there, including one of the TrustyCon organizers, Joel Wallenstrom. These were crude interviews, done on a "catch as catch can" basis, and the sound in them is poor. (Google sent a camera crew and shot over seven hours of the conference speakers, which you can watch on YouTube if you want to view TrustyCon presentations in good HD with great sound.) Will there be another TrustyCon next year? According to The Register, "The conference organizers said that, at this point, the plan is to hold another get-together next year, but that a final decision will be made closer to the time."
Bitcoin

Should Newsweek Have Outed Satoshi Nakamoto's Personal Details?

Posted by samzenpus
from the fame-and-misfortune dept.
Nerval's Lobster writes "Newsweek's Leah McGrath Goodman spent months tracking down the mysterious founder of Bitcoin, 'Satoshi Nakamoto,' a name that everybody seemed to believe was a pseudonym for either a single individual or a shadowy collective of programmers. If Satoshi Nakamoto, former government contractor and model-train enthusiast, is actually 'Satoshi Nakamoto,' Bitcoin founder, then he's sitting atop hundreds of millions of dollars in crypto-currency. Does the article's exhaustive listing of Nakamoto's personal details place his security at risk? Many in the Bitcoin community think so, and poured onto the Web to express that opinion. The Newsweek article has raised some interesting questions about the need for thorough journalism versus people's right to privacy. For example, should Goodman have posted an image of Nakamoto's house and car, even though information about both would probably be relatively simple to find online, anyway?"
Businesses

Silk Road 2.0 Pledges To Compensate Users For Stolen Bitcoins

Posted by timothy
from the but-they'll-do-it-bit-by-bit dept.
An anonymous reader writes "Online black market Silk Road 2.0 has pledged to pay back more than £1.7 million worth of bitcoins stolen from its servers during a heist last week. Speaking in a post on Reddit, Silk Road 2.0 moderator Defcon said the website would refund the more than 4,000 bitcoins stolen during the heist, and would not pay its staff until users had been reimbursed."
Government

Def Con Hackers On Whether They'd Work For the NSA

Posted by timothy
from the well-wouldja? dept.
Daniel_Stuckey writes "Premier hacker conference Def Con, which just wrapped up its 21st year, played host to security professionals who all had very different opinions on what the NSA is up to. In fact, the only thing everyone could agree on is that the PRISM revelations came as no surprise. Even if it isn't news to this crowd, it is still a significant development in the general climate of government surveillance and national security. And at Def Con, where government recruitment was hampered this year by conference founder Jeff Moss's requesting that feds stay away, it seemed like a good idea to walk around asking people if they would still want to work for the NSA."
Security

Wi-Fi Pineapple Hacking Device Sells Out At DEF CON

Posted by Unknown Lamer
from the but-it-doesn't-taste-like-a-pineapple dept.
darthcamaro writes "At the recent DEF CON conference over the weekend, vendors were selling all kinds of gear. But one device stood out from all the others: the Wi-Fi Pineapple — an all-in-one Wi-Fi hacking device that costs only $80 (a lot cheaper than a PwnPlug) and is powered by a very vibrant open source community of users. Pineapple creator Darren Kitchen said that 1.2 Pineapples per minute were sold on the first day of DEF CON (and then sold out). The Pineapple runs Linux (based on OpenWRT), is packed with open source tools including Karma, DNS Spoof, SSL Strip, URL Snarf, Ngrep, and more, and is powered by a 400MHz Atheros AR9331 MIPS processor, 32MB of main memory and a complete 802.11 b/g/n stack. Is this a tool that will be used for good — or for evil?"
Transportation

Hackers Reveal Nasty New Car Attacks

Posted by samzenpus
from the unsafe-at-any-speed dept.
schwit1 writes "Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop–or even slow down–produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV's chassis. The more I pound the pedal, the louder the groan gets–along with the delighted cackling of the two hackers sitting behind me in the backseat. Luckily, all of this is happening at less than 5mph. So the Escape merely plows into a stand of 6-foot-high weeds growing in the abandoned parking lot of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have chosen as the testing grounds for the day's experiments, a few of which are shown in the video below. (When Miller discovered the brake-disabling trick, he wasn't so lucky: The soccer-mom mobile barreled through his garage, crushing his lawn mower and inflicting $150 worth of damage to the rear wall.) The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry's security problems before malicious hackers get under the hoods of unsuspecting drivers."
Security

PIN-Cracking Robot To Be Shown Off At Defcon

Posted by timothy
from the brute-force dept.
Sparrowvsrevolution writes "At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less. Engler and Vines built their bot, shown briefly in a preview video, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk."
Government

Researchers Now Pulling Out of DEF CON In Response To Anti-Fed Position

Posted by timothy
from the at-least-the-tsa-gives-free-massages dept.
darthcamaro writes "Earlier today, Slashdot had a story about DEF CON's position on not allowing U.S. Federal agents to attend the annual hacking conference. We're now starting to see the backlash from the hacker community itself, with at least two well-respected hackers pulling out of the DEF CON speaking sessions so far: 'The issue we are struggling with, and the basis of our decision, is that we feel strongly that DEF CON has always presented a neutral ground that encouraged open communication among the community, despite the industry background and diversity of motives to attend,' security researcher Kevin Johnson wrote. 'We believe the exclusion of the "feds" this year does the exact opposite at a critical time.'" Meanwhile, Black Hat welcomes Federal attendees; this year's conference will feature as a speaker former NSA head Keith Alexander.
Security

DEF CON Advises Feds Not To Attend Conference

Posted by samzenpus
from the and-stay-out dept.
tsu doh nimh writes "One of the more time-honored traditions at DEF CON — the massive hacker convention held each year in Las Vegas — is 'Spot-the-Fed,' a playful and mostly harmless contest to out undercover government agents who attend the show each year. But that game might be a bit tougher when the conference rolls around again next month: In an apparent reaction to recent revelations about far-reaching U.S. government surveillance programs, DEF CON organizers are asking feds to just stay away: 'I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year,' conference organizer Jeff Moss wrote in a short post at Defcon.org. Krebsonsecurity writes that after many years of mutual distrust, the hacker community and the feds buried a lot of their differences in the wake of 9/11, with the director of NSA even delivering the keynote at last year's conference. But this year? Spot-the-Fed may just turn into hack-the-fed."
Security

Black Hat Talks To Outline Attacks On Home Automation Systems

Posted by timothy
from the hal-do-you-do? dept.
colinneagle writes "If you use the Z-Wave wireless protocol for home automation then you might prepare to have your warm, fuzzy, happiness bubble burst; there will be several presentations about attacking the automated house at the upcoming Las Vegas hackers' conferences Black Hat USA 2013 and Def Con 21. For example, CEDIA IT Task Force member Bjorn Jensen said, 'Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody's home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.' Among other things, the hacking Z-Wave synopsis adds, 'Zigbee and Z-wave wireless communication protocols are the most commonly used RF technology in home automation systems...An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.'"
Transportation

FAA Denies Vulnerabilities In New Air Traffic Control System

Posted by Soulskill
from the what's-the-worst-that-could-happen dept.
bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."