
Yahoo Denies Ad-blocking Users Access To Email

JoeyRox writes: Yahoo is running an A/B test that blocks access to Yahoo email if the site detects that the user is running an Ad Blocker. Yahoo says that this is a trial rather than a new policy, affecting only a "small number" of users. Those lucky users are greeted with a message that reads "Please disable Ad Blocker to continue using Yahoo Mail." Regarding the legality of the move, "Yahoo is well within its rights to do so," said Ansel Halliburton, an attorney at Kronenberger Rosenfeld who specializes in Internet law.

File Says NSA Found Way To Replace Email Program

schwit1 writes: Newly disclosed documents show that the NSA had found a way to create the functional equivalent of programs that had been shut down. The shift has permitted the agency to continue analyzing social links revealed by Americans' email patterns, but without collecting the data in bulk from American telecommunications companies — and with less oversight by the Foreign Intelligence Surveillance Court.

The disclosure comes as a sister program that collects Americans' phone records in bulk is set to end this month. Under a law enacted in June, known as the USA Freedom Act, the program will be replaced with a system in which the NSA can still gain access to the data to hunt for associates of terrorism suspects, but the bulk logs will stay in the hands of phone companies.

The newly disclosed information about the email records program is contained in a report by the NSA's inspector general that was obtained through a lawsuit under the Freedom of Information Act. One passage lists four reasons the NSA decided to end the email program and purge previously collected data. Three were redacted, but the fourth was uncensored. It said that "other authorities can satisfy certain foreign intelligence requirements" that the bulk email records program "had been designed to meet."

2016 Presidential Candidate Security Investigation

New submitter Fryan writes: InfoSec Institute has assessed the security posture of 16 of the presidential candidates' websites. This is an indicator of the level of security awareness the candidate and the campaign staff have. The recent breaches and security lapses of high profile individuals highlight the absolute need for everyone to take security awareness seriously. The hacking of the Director of the CIA's (John Brennan) personal email account, and the storage of classified emails on a personal email server by Hillary Clinton, show how damaging a lack of basic good security hygiene can be. In this survey (of only the best known presidential candidates, not the scads of others), the authors give both their highest grade (an A) and lowest (a D) for candidates still in the race to two Republicans, Ben Carson and Jim Gilmore, respectively; surprisingly for a tech-focused campaign, Lawrence Lessig (who has ended his candidacy since the survey began) ranked even lower, with a D-.

Speaking of presidential candidates, the fourth Republican debate, hosted by Fox Business, will kick off about an hour after this post goes live (9:00 PM Eastern, 0200 GMT). Feel free to discuss it alongside the security report.

ProtonMail Restores Services After Epic DDoS Attacks

An anonymous reader writes: After several days of intense work, Switzerland-based end-to-end encrypted e-mail provider ProtonMail has largely mitigated the DDoS attacks that made it unavailable for hours on end in the last week. The attacks exceeded 100Gbps, and are still going on, but they are no longer capable of knocking ProtonMail offline for extended periods of time. The ProtonMail community of users proved to be invaluable for the company. In fact, in just a few days, they donated over $50,000 to the company's "defense fund," providing the resources to resist further attacks against email privacy.

Comcast Resets Nearly 200,000 Passwords After Customer List Goes On Sale

itwbennett writes: Over the weekend a Dark Web marketplace had 590,000 Comcast email addresses and passwords for sale, offering the entire list for $1,000, writes CSO's Steve Ragan. Saturday evening Ragan contacted Comcast about the accounts being sold online and learned that Comcast had 'already obtained a copy of the list' and was checking it against their customer base. 'Of the 590,000 records being sold, only about 200,000 of them were active,' Comcast said. Still unknown is the source of the data being sold online, although signs point to it being recycled.

Hackers Who Hit CIA Director Break Into Law Enforcement Tools

An anonymous reader writes: The same group of hackers who hacked into the personal email account of CIA director John Brennan have now exploited a vulnerability to gain access to a private law enforcement portal. They demonstrated access to a system called JABS — the Joint Automated Booking System — which is a database of arrest records. "It was through the vulnerable law enforcement portal that the hackers say they also obtained a list of about 3,000 names, titles, email addresses and phone numbers for government employees that they posted to Pastebin on Thursday. The posting, which they indicated was just "Part 1" of a presumably multi-part leak, consisted of a snippet of an alphabetical list of government employees working for the FBI and other federal agencies as well as various local police and sheriff departments around the country. It included job titles, email addresses and phone numbers."

Ask Slashdot: Secure, Yet Accessible E-mail Archive Storage?

New submitter mlts writes: As of now, I just leave E-mail in a 'received-2015' subfolder on my provider's server, adding a new folder yearly. With the rise of E-mail account intrusions (where, even though I'm likely not a primary target, it is still a concern), what is a secure, but yet accessible way to archive E-mail? I'm far less worried about the FBI/NSA/Illuminati than I am about having stuff divulged to all and sundry if a mass breach happens. A few alternatives I've considered: 1) Running my own physical IMAP server. The server would run on a hypervisor (likely ESXi), have Dovecot limited to the VPN I use, and use other sane techniques to limit access. 2) Archive the E-mail files through a cloud provider, with a client encryption utility (EncFS, BoxCryptor, etc.). In this case, E-mail would be stored in a different file each week. 3) Move it to local storage on a virtual machine, and if access is needed, use LogMeIn or another remote access item to fire up Thunderbird to access it. What would be a recommended way to secure E-mail that sits around for the long haul, but still have it accessible? Even if you're not specifically worried about it, keeping older email around on a provider's server opens you up to warrantless access by U.S. law enforcement officials.

Google Tries To Guess Your Email Responses

An anonymous reader writes: Google's research blog today announced a new feature for their Inbox email app: a neural network that composes short responses to emails you receive. For example, if somebody emails you an invitation to an event, the app will detect that by scanning the words in the message and present you with three options for a quick response. Google says, "A naive attempt to build a response generation system might depend on hand-crafted rules for common reply scenarios. But in practice, any engineer's ability to invent 'rules' would be quickly outstripped by the tremendous diversity with which real people communicate. A machine-learned system, by contrast, implicitly captures diverse situations, writing styles, and tones. These systems generalize better, and handle completely new inputs more gracefully than brittle, rule-based systems ever could." Of course, you can skip them entirely, or use them and add your own words as well. How long until our email systems do most of our talking for us?

Why Avast Won't Show Source Code To the Government, But Others Do

An anonymous reader writes: Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn't even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they "permitted source code review in controlled environments to meet government requirements." In addition to raising questions about whether a security product can be trusted under such circumstances, it also causes political problems: "Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country."

Anonymous Says US Senators Were 'Incorrectly Outed' As KKK Members

Dave Knott writes: Nine names, 23 email addresses and 57 unlabelled phone numbers were published by hackers last weekend as part of an Anonymous-organized effort to "unhood" members of the Ku Klux Klan. There are doubts, however, about the Operation KKK data dump's veracity — and about one file, in particular, that alleges four U.S. senators and five mayors have hate group associations. The questionable data was released on PasteBin by an individual called Amped Attacks, who has now distanced himself from Anonymous, stating "i am not apart of anonymous nor have i ever claimed to be. i am my own man that acts on my own accord. i do however respect #OpKKK." To clarify the situation, Anonymous took to Twitter on Tuesday evening to state that "the twitter account that released the pastebin with the government officials that are clearly not KKK". Meanwhile, the Anonymous members behind Operation KKK say that "the actual release for Operation KKK will be 5 Nov." This is of course a date that has no small significance for Anonymous.

The Rise of Political Doxing

An anonymous reader writes: Security guru Bruce Schneier predicts a new trend in hacking: political doxing. He points to the recent hack of CIA director Jack Brennan's personal email account and notes that it marks a shift in the purpose of email hacking: "Here, the attacker had a more political motive. He wasn't out to intimidate Brennan; he simply wanted to embarrass him. His personal papers were dumped indiscriminately, fodder for an eager press." Schneier continues, "As people realize what an effective attack this can be, and how an individual can use the tactic to do considerable damage to powerful people and institutions, we're going to see a lot more of it. ... In the end, doxing is a tactic that the powerless can effectively use against the powerful."

UK Plans To Allow Warrantless Searches of Internet History

whoever57 writes: The UK government plans to require ISPs and telecoms companies to maintain browsing and email history of UK residents for a period of 12 months and make the data available to police on request without a warrant. "The new powers would allow the police to seize details of the website and searches being made by people they wanted to investigate." Exactly how they expect the ISPs to provide search histories now that most Google searches use SSL isn't explained (and probably not even considered by those proposing the legislation). Similarly, with Gmail and other email providers using SMTP TLS and IMAPS, much email is opaque to ISPs. Will this drive more use of VPNs and TOR? This comes alongside news that UK police used powers granted to them by anti-terrorism laws to seize a journalist's laptop.

Google Fiber Goes Down During World Series, Credits KC 2 Days of Service

kstatefan40 writes: Google Fiber went down in Kansas City during one of the most important times in the local market: Game 1 of the World Series between the New York Mets and the Kansas City Royals at Kauffman Stadium. Yesterday, I got an apology from them via email, and even though I wasn't home during the outage, they're making up for it by proactively giving the entire market 2 days of service off of their next bill. The rest of the industry could really learn from their customer service.

When was the last time a telecom provider gave you a discount on your bill without you asking for it?
The only times I've gotten much apology from my own ISP is when I threaten (with reason) to jump ship.

US Senate Passes the Cybersecurity Information Sharing Act 74-21

blottsie writes with news that the U.S. Senate voted 74-21 in favor of CISA, a controversial cybersecurity bill. All five amendments submitted in an attempt to bolster privacy failed to pass. From The Guardian's coverage: Try asking the bill’s sponsors how the bill will prevent cyberattacks or force companies and governments to improve their defenses. They can’t answer. They will use buzzwords like “info-sharing” yet will conveniently ignore the fact that companies and the government can already share information with each other as is. There were barely any actual cybersecurity experts who were for the bill. A large group of respected computer scientists and engineers were against it. So were cyberlaw professors. Civil liberties groups uniformly opposed (and were appalled by) the bill. So did consumer groups. So did the vast majority of giant tech companies. Yet it still sailed through the Senate, mostly because lawmakers - many of whom can barely operate their own email - know hardly anything about the technology that they’re crafting legislation about.

Why IoT Security Is So Critical

An anonymous reader writes: Software engineer Ben Dickson starts off an opinion piece about Internet of Things security with this amusing comment: "Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would've laughed at you and said you watch too much James Bond. But today, if you tell me that hackers with malicious intents can use my toaster to break into my Facebook account, I will panic and quickly pull the plug from the evil appliance." Dickson then lays out many of the issues with securing internet-connected devices, and explains the work being done to make them more secure. He highlights areas that manufacturers must focus on: "In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system. ... There also must be a sound plan for installing security updates on IoT devices. Each consumer will likely soon own scores — if not hundreds — of connected devices. The idea of manually installing updates on so many devices is definitely out of the question, but having them automatically pushed by manufacturers also can be a risky business."

Intel Pulling the Plug On McAfee/MX Logic Anti-Spam

New submitter d4nimal writes: Intel today announced that it is killing the MX Logic/McAfee/Intel Security spam protection service (PDF). The last date of service is January, 2017. This comes on the heels of numerous outages and a general rise in user and admin dissatisfaction. Intel purchased the service as part of its McAfee acquisition in 2010. MX Logic was bought by McAfee less than a year earlier.

How Scientists Are Circumventing Journal Paywalls

Bruce66423 writes: Some academics are fighting back against publishers of academic journals by providing copies of papers to researchers who don't have access. For some reason, the publishers aren't happy! Cognitive scientist Andrea Kuszewski said, "Basically you tweet out a link to the paper that you need, with the hashtag and then your email address. And someone will respond to your email and send it to you." That begins the conversation, and then the scientists cover their tracks: "Once contact is made, all subsequent conversation is kept off of social media — instead, scientists correspond via email. The original tweet is deleted, so there's no public record of the paper changing hands. Kuszewski and others say the method is necessary to get up-to-date research in the hands of academics from developing countries, and she and other scientists say they consider the pirating 'civil disobedience' against a system that includes for-profit publishing companies."

Feds Looking Into Reports CIA Director's Email Was Hacked

An anonymous reader writes: The FBI and Secret Service are looking into reports that non-government personal accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson were hacked. NBC reports: "Questions over a possible hacking of a private email account belonging to the CIA director arose late on Sunday after the New York Post published a story in which a hacker claimed to have gained access to the account. Described by the Post as a 'stoner high school student,' the individual claimed to have taken documents that included the Social Security numbers of top intelligence officials, among other information." ComputerWorld's story on the hack describes some of the images published by the hacker as well, poking fun at Brennan: Another screenshot shows Brennan’s wireless phone bill as the hacker taunted the CIA to “step your game up homies, we own everything of you.” One tweet contains a screenshot of suspicious activity logs as Brennan was “trying to get CWA arrested.” Yet another shows a CIA Office of General Counsel fax cover page. Supposedly, Brennan offered the hacker money to “leave him alone.”

The Hostile Email Landscape

An anonymous reader writes: As we consolidate on just a few major email services, it becomes more and more difficult to launch your own mail server. From the article: "Email perfectly embodies the spirit of the internet: independent mail hosts exchanging messages, no host more or less important than any other. Joining the network is as easy as installing Sendmail and slapping on an MX record. At least, that used to be the case. If you were to launch a new mail server right now, many networks would simply refuse to speak to you. The problem: reputation. ... Earlier this year I moved my personal email from Google Apps to a self-hosted server, with hopes of launching a paid mail service à la Fastmail on the same infrastructure. ... I had no issues sending to other servers running Postfix or Exim; SpamAssassin happily gave me a 0.0 score, but most big services and corporate mail servers were rejecting my mail, or flagging it as spam: accepted my email, but discarded it. GMail flagged me as spam. MimeCast put my mail into a perpetual greylist. Corporate networks using Microsoft's Online Exchange Protection bounced my mail."