An anonymous reader writes "Having entered my personal details (full real name, home address) to websites with an 'https://' prefix in order to purchase goods, I am still being sent emails from companies (or their agents) which include, in plain text, those same details I have entered over a secure connection. These are often companies which are very keen to tell you how much they value your privacy and how they will not pass your details on to third parties. What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable? I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"
msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."
An anonymous reader writes "Tom's Hardware reports on the Connectify Switchboard software that 'divides the user's traffic between Wi-Fi, 3G/4G and Ethernet-based connections on a packet-by-packet basis. Even a single stream — such as a Netflix movie — can be split between two or three Internet connections for a higher resolution and faster buffering.' As part of its Kickstarter campaign, Connectify is geolocating their backers to optimize deployment of their servers. This is a clever way for supporters to influence the project beyond pledge levels and stretch goals, and it's actually kind of fun to watch."
hypnosec writes "Mozilla is not going ahead with its plans to block third-party cookies by default in the Beta version of its upcoming Firefox 22. Mozilla needs more time to analyze the outcome of blocking these cookies. The non-profit organization released Firefox Aurora on April 5 with a patch by Jonathan Mayer built into it which would only allow cookies from those websites which the user has visited. The patch would block the ones from sites which hadn't been visited yet. The reason for Mozilla's change in plans is that they're currently looking into 'false positives.' If a user visits one part of a group of site, cookies from that part will be allowed, but cookies from related sites in the group may be blocked, and they're worried it will create a poor user experience. On the other side of the coin, there are 'false negatives.' Just because a user may have visited a particular site doesn't mean she is comfortable with the idea of being tracked."
alphadogg writes "A data center in Sweden has cut its energy bills by a million dollars a year using seawater to cool its servers, though jellyfish are an occasional hazard. Interxion, a colocation company in the Netherlands that rents data center space in 11 countries, uses water pumped from the Baltic Sea to cool the IT equipment at its facilities in Stockholm. The energy used to cool IT equipment is one of the costliest areas of running a data center. Companies have traditionally used big, mechanical chillers, but some are turning to outside air and evaporative techniques as lower-cost alternatives."
msm1267 writes "Conpot, short for Control Honeypot, is one of the first publicly available honeypots for industrial control systems (ICS) and SCADA gear. Built by two researchers from the Honeynet Project, the hope is that others will take what they started, deploy it on their own critical infrastructure networks and share the findings. 'The main goal is to make this kind of technology available for a general audience,' said Lukas Rist, one of the developers. 'Not just for security researchers, but also for people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger.'" Unlike previous ICS Honeypots, this one simulates the control systems rather than requiring that you happen to own an actual industrial control system.
CowboyRobot writes "At the recent 2013 Open Networking Summit, Google Distinguished Engineer Amin Vahdat presented 'SDN@Google: Why and How', in which he described Google's 'B4' SDN network, one of the few actual implementations of software-defined networking. Google has deployed sets of Network Controller Servers (NCSs) alongside the switches, which run an OpenFlow agent with a 'thin level of control with all of the real smarts running on a set of controllers on an external server but still co-located.' By using SDN, Google hopes to increase efficiency and reduce cost. Unlike computation and storage, which benefit from an economy of scale, Google's network is getting much more expensive each year."
Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.
msm1267 writes "There are a lot of echoes of the disclosure debate in the current discussions about vulnerability exploit sales. The commercial exploit market has developed relatively quickly, at least the public portion of it. Researchers have been selling vulnerabilities to a variety of buyers – government agencies, contractors, other researchers and third-party brokers – for years. But it was done mostly under cover of darkness. Now, although the transactions themselves are still private, the fact that they're happening, and who's buying (and in some cases, selling) is out in the open. As with the disclosure debate, there are intelligent people lining up on both sides of the aisle and the discussion is generating an unprecedented level of malice."
An anonymous reader writes "Mozilla on Tuesday officially launched Firefox 21 for Windows, Mac, Linux, and Android. Improvements include the addition of multiple social providers on the desktop as well as open source fonts on Android. In the changelog, the company included an interesting point that's worth elaborating on: 'Preliminary implementation of Firefox Health Report.' Mozilla has revealed that FHR so far logs 'basic health information' about Firefox: time to start up, total running time, and number of crashes. Mozilla says the initial report is pretty simple but will grow 'in the coming months.' You can get it now from Mozilla."
Nerval's Lobster writes "Roughly 85 percent of IT managers polled by Forrester said they would hold onto networking infrastructure longer, but vendors retire products prematurely in an effort to force customers to upgrade. In a response that may seem familiar to anyone who's ever been pressured into buying a maintenance contract—either by an enterprise vendor or a major electronics retailer—over 80 percent of the 304 respondents said they don't like the misrepresented cost savings, new fees, and inflexible pricing models—but buy the products anyway. One of the survey's interesting points is that IT decision makers aren't willing to contradict the vendor. The uncertainty seems to come from the fact that the vendor may in fact be right—and a customer who contradicts what they're saying may end up shouldering the blame if the equipment goes south. It's the 'you never got fired for buying IBM' argument, applied to the networking space. The problem, of course, is that the vendor often works for its own agenda. Do you upgrade when the vendor (or reseller) suggests you do so? Or do you stick to your own way of doing things?"
An anonymous reader sent in this excerpt from Moxie Marlinspike's weblog: "Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they're working on in that country. Having published two reasonably popular MITM tools, it's not uncommon for me to get emails requesting that I help people with their interception projects. I typically don't respond, but this one (an email titled 'Solution for monitoring encrypted data on telecom') caught my eye. ... The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup. ... When they eventually asked me for a price quote, and I indicated that I wasn't interested in the job for privacy reasons, they responded with this: 'I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that's why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.'"
mask.of.sanity writes "While Hollywood often fails to portray hacking, one researcher has made the art of exploitation look more like the big screen. Kinectasploit is hacking in the form of a first-person shooter that melds Microsoft's Kinect controls with 20 hacking tools including Metasploit, Snort, Nessus, John the Ripper and Ettercap. The work in progress can be downloaded from github."
Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."
hypnosec writes "Linus Torvalds has released the Linux 3.10-rc1 kernel, marking the closure of the 3.10 merge window. Linux 3.10-rc1 is the second biggest rc release in years, and the closure of the merge window means that the features expected of the Linux 3.9 successor are chalked out. 'So this is the biggest -rc1 in the last several years (perhaps ever) at least as far as counting commits go,' Linus notes in the release announcement."
First time accepted submitter llebeel writes "Kaspersky Lab has signed an agreement with chip designer Qualcomm to improve security at 'the lower level' of a smartphone's mobile operating system. The Russian security firm told The Inquirer that it has agreed to offer 'special terms' for preloading Kaspersky Mobile Security and Kaspersky Tablet Security products on Android devices powered by Qualcomm Snapdragon processors."
ASDFnz writes "It has been just over two months since the bitcoin block chain was rocked by a near-disastrous fork causing the bitcoin price to crash. The culprit of the crash was found to be a bug that prevented pre-version-7.1 bitcoin clients from accepting large blocks that could be generated by version 8 clients. A temporary fix was put into place by Bitcoin Project lead developer Gavin Andresen that forced version 8 clients to generate blocks that version 7.1 could understand. It is important to note, though, that the fix was a temporary one! In just under two days, on the 15th of May, the fix will expire and version 8 clients will once again be able to make large blocks that older clients will not be able to understand."
theodp writes "In a widely-read WSJ Op-Ed, English major Kirk McDonald, president of online ad optimization service PubMatic, informed college grads that he considers them unemployable unless they can claim familiarity with at least two programming languages. 'Teach yourself just enough of the grammar and the logic of computer languages to be able to see the big picture,' McDonald advises. 'Get acquainted with APIs. Dabble in a bit of Python. For most employers, that would be more than enough.' Over at Typical Programmer, Greg Jorgensen is not impressed. 'I have some complaints about this "everyone must code" movement,' Jorgensen writes, 'and Mr. McDonald's article gives me a starting point because he touched on so many of them.'"
bennyboy64 writes "An Australian university appears to be excelling at cultivating some of Australia's best computer hackers. Following the University of NSW's students recently placing first, second and third in a hacking war game (the first place winners also won first place last year), The Sydney Morning Herald reports on what exactly about the NSW institution is breeding some of Australia's best hackers. It finds that a lecturer and mentor to the students with controversial views on responsible disclosure appears to be the reason for their success."
An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"
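The quoted passage describes the bug class from the attacker's side: user-controlled text reaching `printf()` as the format argument. The C below is an added example, not code from the linked article or from the games it discusses, showing the defender's side: the safe call shape (a literal format string with the untrusted text passed as a `%s` argument, so a name like `%08x.%08x` is printed literally and never walks the stack), plus a small pre-check that counts conversion specifiers and flags a `%n` in untrusted input before it can reach any format argument. The `[player] ` prefix, the function names and the sample strings are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the article). Count '%' conversions in s,
 * treating "%%" as a literal percent sign rather than a conversion. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Return 1 if s contains a %n conversion (the write primitive the article
 * mentions), allowing for flags, width, precision, positional '$' and
 * length modifiers between '%' and 'n', e.g. "%08n" or "%5$n". */
int has_n_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.$hlLqjzt", *q))
            q++;
        if (*q == 'n')
            return 1;
    }
    return 0;
}

/* The unsafe shape the article describes is   printf(user);   where the
 * untrusted string *is* the format. The safe shape keeps the format a
 * literal and passes the untrusted text as an argument. Returns snprintf's
 * count of characters that would have been written. */
int log_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "[player] %s", user);
}

/* Check that log_safe reproduces the user text verbatim: every '%' in the
 * input ends up in the output untouched, proving no conversion was applied. */
int safe_log_is_literal(const char *user)
{
    char line[256];
    int n = log_safe(line, sizeof line, user);
    if (n < 0 || (size_t)n >= sizeof line)
        return 0;                          /* truncated or error */
    return strcmp(line + strlen("[player] "), user) == 0;
}

int main(void)
{
    /* Constructed sample: the probe string from the article. */
    const char *name = "%08x.%08x.%08x.%08x.%08x";
    char line[256];

    printf("conversions: %d, contains %%n: %d\n",
           count_conversions(name), has_n_conversion(name));
    log_safe(line, sizeof line, name);
    puts(line);     /* printed literally: "[player] %08x.%08x.%08x.%08x.%08x" */
    return 0;
}
```

In practice the check belongs at the trust boundary (save-file loader, network parser, console input), and the durable fix is the call shape, not the filter: with a literal format string and `-Wformat-security` enabled, the compiler itself flags any `printf(user)` that slips back in.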