GNU is Not Unix

Purism Offers Free (as in Freedom) Laptops (Video)

Purism uses its own OS, PureOS, which is a Debian derivative by way of Ubuntu and other members of the Debian-derivative family, but with no taint of proprietary code. Now imagine all the binaries stripped out of the Linux kernel, making it closer to the FSF ideal of a 100% free operating system than the Linux kernel in use almost everywhere else.

They're still using a proprietary BIOS, but have people working on a Free one. The main thing, though, is that Purism is working to give you all the privacy and freedom they can -- with more coming as they keep working to replace proprietary bits of the OS, BIOS, and hardware drivers with Free Software. Best of all, even if you don't need a new laptop right now, you can download PureOS and run it on any compatible hardware you already own.
Windows

A Naysayer's Take On Windows 10: Potential Privacy Mess, and Worse

Lauren Weinstein writes: I had originally been considering accepting Microsoft's offer of a free upgrade from Windows 7 to Windows 10. After all, reports have suggested that it's a much more usable system than Windows 8/8.1 — but of course in keeping with the 'every other MS release of Windows is a dog' history, that's a pretty low bar. However, it appears that MS has significantly botched their deployment of Windows 10. I suppose we shouldn't be surprised, even though hope springs eternal. Since there are so many issues involved, and MS is very aggressively pushing this upgrade, I'm going to run through key points here quickly, and reference other sites' pages that can give you more information right now. But here's my executive summary: You may want to think twice, or three times, or many more times, about whether or not you wish to accept the Windows 10 free upgrade on your existing Windows 7 or 8/8.1 system. Now that we're into the first week of widespread availability for the new version, if you're a Windows user and upgrader, has your experience been good, horrible, or someplace between?
Piracy

Interviews: Kim Dotcom Answers Your Questions

Kim Dotcom was the founder of Megaupload, its successor Mega, and New Zealand's Internet Party. A while ago you had a chance to ask him about those things as well as the U.S. government charging him with criminal copyright violation and racketeering. Below you'll find his answers to your questions.
Privacy

Kentucky Man Arrested After Shooting Down Drone

McGruber writes: Hillview, Kentucky resident William H. Merideth describes his weekend: "Sunday afternoon, the kids – my girls – were out on the back deck, and the neighbors were out in their yard. And they come in and said, 'Dad, there's a drone out here, flying over everybody's yard.'" Merideth's neighbors saw it too. "It was just hovering above our house and it stayed for a few moments and then she finally waved and it took off," said neighbor Kim VanMeter. Merideth grabbed his shotgun and waited to see if the drone crossed over his property. When it did, he took aim and shot it out of the sky.

The owners showed up shortly, and the police right after. He was arrested and charged with first degree criminal mischief and first degree wanton endangerment before being released the next day. Merideth says he will pursue legal action against the drone's owner: "He didn't just fly over. If he had been moving and just kept moving, that would have been one thing -- but when he come directly over our heads, and just hovered there, I felt like I had the right. You know, when you're in your own property, within a six-foot privacy fence, you have the expectation of privacy. We don't know if he was looking at the girls. We don't know if he was looking for something to steal. To me, it was the same as trespassing."
Bug

Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online

Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
Security

Veteran IT Journalist Worries That Online Privacy May Not Exist (Video)

Tom Henderson is a long-time observer of the IT scene, complete with scowl and grey goatee. And cynicism. Tom is a world-class cynic, no doubt about it. Why? Cover enterprise IT security and other computing topics long enough for big-time industry publications like ITWorld and its IDG brethren, and you too may start to think that no matter what you do, your systems will always have (virtual) welcome mats in front of them, inviting crackers to come in and have a high old time with your data.

Note: Alert readers have probably noticed that we talked with Tom about cloud security back in March. Another good interview, worth seeing (or reading).
Chrome

Chrome Extension Thwarts User Profiling Based On Typing Behavior

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome, without using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.
Security

Your Stolen Identity Goes For $20 On the Internet Black Market

HughPickens.com writes: Keith Collins writes at Quartz that the going rate for a stolen identity is about twenty bucks on the internet black market. Collins analyzed hundreds of listings for a full set of someone's personal information (identification number, address, birthdate, etc.), known as "fullz," that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. The listings ranged in price from less than $1 to about $450, converted from bitcoin. The median price for someone's identity was $21.35. The most expensive fullz came from a vendor called "OsamaBinFraudin," and listed a premium identity with a high credit score for $454.05. Listings on the lower end were typically less glamorous and included only the basics, like the victim's name, address, social security number, perhaps a mother's maiden name. Marketplaces on the dark web, not unlike eBay, have feedback systems for vendors ("cheap and good A+"), refund policies (usually stating that refunds are not allowed), and even well-labeled sections. "There is no shortage of hackers willing to do about anything, computer related, for money," writes Elizabeth Clarke, "and they are continually finding ways to monetize personal and business data."
Google

Google Is Dropping Its Google+ Requirement Across All Products Including YouTube

An anonymous reader writes: After years of plugging Google+ into all of its services, today Google announced that your Google+ profile will no longer be your identity in all its products. The company says it will take a few months for all the changes to happen, but the first product to be uncoupled will be YouTube. Bradley Horowitz, Google's vice president of streams, photos, and sharing, says the changes are a response to user feedback: "We've also heard that it doesn't make sense for your Google+ profile to be your identity in all the other Google products you use."
ch

Swiss Researchers Describe a Faster, More Secure Tor

An anonymous reader writes: Researchers from the Swiss Federal Institute of Technology and University College London published a paper this week describing a faster and more secure version of Tor called HORNET. On one hand, the new onion routing network can purportedly achieve speeds of up to 93 gigabits per second and "be scaled to support large numbers of users with minimal overhead". On the other hand, researchers cannot claim to be immune to "confirmation attacks" known to be implemented on Tor, but they point out that, given how HORNET works, perpetrators of such attacks would have to control significantly more ISPs across multiple geopolitical boundaries and probably sacrifice the secrecy of their operations in order to successfully deploy such attacks on HORNET.
KDE

KDE Community Announces Fully Open Source Plasma Mobile

sfcrazy writes: Today, during the Akademy event, the KDE Community announced Plasma Mobile project. It's a Free (as in Freedom and beer), user-friendly, privacy-enabling and customizable platform for mobile devices. Plasma Mobile claims to be developed in an open process, and considering the community behind it, I don't doubt it. A great line: "Plasma Mobile is designed as an ‘inclusive’ platform and will support all kinds of apps. In addition to native apps written in Qt, it also supports GTK apps, Android apps, Ubuntu apps, and many others." And if you have a Nexus 5, you can download and play with a prototype now.
Privacy

After Progressive Insurance's Snapshot Hacked, Manufacturer Has Been, Too

An anonymous reader writes: Progressive Insurance sells a tracking device called Snapshot that is advertised as a "little device [that] turns your safe driving into savings." However, Snapshot itself has been hacked, and Xirgo Technologies, which makes Snapshot, is currently hacked due to out-of-date software on their website — and has been that way since at least May 5th of 2015. Given that Chrysler just did a recall of 1.4 million cars, people should really think twice before blindly trusting the safety of their cars to any random company, especially if that company can't even keep their WordPress up to date or remove hacked code from their site.
Communications

An Interview With Hacking Team's CEO

Alastair Stevenson writes: I talked to the leader of the world's most hated surveillance company about its path to recovery and morals, following a massive attack on its systems. CEO David Vincenzetti, as you might expect, thinks that his company "deserves the protection of law and order," and disclaims (also as you'd expect) responsibility for what its clients do with the privacy-unraveling software it provides: Law enforcement must have a way to do what it has always done, that is to track criminals and prevent or prosecute crime. With the development of global terrorism and especially the 'lone wolf' terrorist, this requirement is even more important. Hacking Team has helped fight crime by providing a surveillance tool to law enforcement. The company believes this is a small step toward a more secure world for all who wish to use the Internet and digital tools lawfully.
Privacy

Researchers: Mobile Users Will Trade Data For Fun and Profit

itwbennett writes: Even as mobile users become more security and privacy conscious, researchers and other mobile data collectors still need to collect user data in order to build products and services. The question: How to get users to give up that data? Researchers at the New Jersey Institute of Technology tested two incentives: gamification and micropayments. The test involved building a campus Wi-Fi coverage map using user data collected from student participants who either played a first-person shooter game or who were paid to complete certain tasks (e.g., taking photos). The game turned out to be a quick and efficient way to build the Wi-Fi coverage map. But data from the micropayments group was found to be "sometimes unreliable, and individuals were trying to trick the system into thinking they had accomplished tasks."
Privacy

US Court: 'Pocket-Dialed' Calls Are Not Private

itwbennett writes: In a case of a pocket-dialed call, a conscientious secretary, and sensitive personnel issues, a federal appeals court in Ohio has ruled pocket-dialers shouldn't have any expectation of privacy. 'Under the plain-view doctrine, if a homeowner neglects to cover a window with drapes, he would lose his reasonable expectation of privacy with respect to a viewer looking into the window from outside of his property,' the court said. The same applies to pocket-dialed calls, according to the court. If a person doesn't take reasonable steps to keep their call private, their communications are not protected by the Wiretap Act.
Facebook

New York Judge Rules Against Facebook In Search Warrant Case

itwbennett writes: Last year, Facebook appealed a court decision requiring it to hand over data, including photos and private messages, relating to 381 user accounts. (Google, Microsoft, and Twitter, among other companies, backed Facebook in the dispute.) On Tuesday, Judge Dianne Renwick of the New York State Supreme Court ruled against Facebook, saying that Facebook has no legal standing to challenge the constitutionality of search warrants served on its users.
Privacy

FCC CIO: Consumers Need Privacy Controls In the Internet of Everything Era

Lemeowski writes: Who is responsible for ensuring security and privacy in the age of the Internet of Things? As the number of Internet-connected devices explodes — Gartner estimates that 25 billion devices and objects will be connected to the Internet by 2020 — security and privacy issues are poised to affect everyone from families with connected refrigerators to grandparents with healthcare wearables. In this interview, U.S. Federal Communications Commission CIO David Bray says control should be put in the hands of individual consumers. Speaking in a personal capacity, Bray shares his learnings from a recent educational trip to Taiwan and Australia he took as part of an Eisenhower Fellowship: "A common idea Bray discussed with leaders during his Eisenhower Fellowship was that the interface for selecting privacy preferences should move away from individual Internet platforms and be put into the hands of individual consumers." Bray says it could be done through an open source agent that uses APIs to broker their privacy preferences on different platforms.
Bug

Bug Exposes OpenSSH Servers To Brute-Force Password Guessing Attacks

itwbennett writes: OpenSSH servers with keyboard-interactive authentication enabled, which is the default setting on many systems, including FreeBSD ones, can be tricked into allowing many authentication retries over a single connection, according to a security researcher who uses the online alias Kingcope, who disclosed the issue on his blog last week. According to a discussion on Reddit, setting PasswordAuthentication to 'no' in the OpenSSH configuration and using public-key authentication does not prevent this attack, because keyboard-interactive authentication is a different subsystem that also relies on passwords.
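The check a defender would want after reading this, as an added example that is not from the story, from Kingcope's post, or from the OpenSSH project: a small Python audit of an sshd_config that applies sshd's own rules (keywords are case-insensitive, and the first value read for a keyword wins), treats ChallengeResponseAuthentication as the older spelling of KbdInteractiveAuthentication, and runs over two constructed configs, one that sets only PasswordAuthentication no and one that also turns off keyboard-interactive and lowers MaxAuthTries. The defaults assumed for absent directives, the MaxAuthTries threshold of 3, and ignoring Match blocks are this example's assumptions; `sshd -T` on the host prints the real effective values.

```python
"""Audit an sshd_config for the settings that govern password-guessing exposure.

Added example, not code from the story or from OpenSSH. It mirrors two rules
sshd applies to its config: keywords are case-insensitive and, for each
keyword, the FIRST value read wins. ChallengeResponseAuthentication is treated
as the older spelling of KbdInteractiveAuthentication (OpenSSH 8.7+ documents
them as the same option). Match blocks are out of scope (assumption: only
global-scope directives are audited).
"""
from __future__ import annotations

# Constructed sample: the mistake the story describes. Password logins look
# disabled, but keyboard-interactive is still on, so password prompts survive.
WEAK_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample: keyboard-interactive disabled too, and fewer tries per
# connection. On OpenSSH 8.7+ the canonical keyword is
# KbdInteractiveAuthentication; the older one is still accepted as an alias.
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
UsePAM yes
"""

ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Values assumed when a directive is absent (assumption for this audit;
# confirm with `sshd -T`, which prints the effective configuration).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}
MAX_TRIES_THRESHOLD = 3  # assumption: this audit's tolerance, not an OpenSSH value


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global directives, keyed by lowercase keyword."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split(None, 1)
        # sshd accepts "Keyword value", "Keyword=value" and "Keyword = value"
        key, _, inline_value = tokens[0].partition("=")
        key = key.lower()
        if key == "match":
            break  # everything after the first Match line is conditional
        key = ALIASES.get(key, key)
        rest = tokens[1] if len(tokens) > 1 else ""
        value = (inline_value + " " + rest).strip().lstrip("= ").strip()
        effective.setdefault(key, value)  # first value wins, as in sshd
    return effective


def audit(text: str) -> list[str]:
    """List the findings a defender would act on for the given sshd_config text."""
    cfg = parse_sshd_config(text)
    settings = {k: cfg.get(k, d) for k, d in DEFAULTS.items()}
    findings: list[str] = []
    if settings["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication is enabled")
    if settings["kbdinteractiveauthentication"].lower() == "yes":
        findings.append(
            "keyboard-interactive authentication is enabled; PasswordAuthentication "
            "no alone does not close this path, add ChallengeResponseAuthentication "
            "no (KbdInteractiveAuthentication no on OpenSSH 8.7+)"
        )
    tries = int(settings["maxauthtries"])
    if tries > MAX_TRIES_THRESHOLD:
        findings.append(f"MaxAuthTries is {tries}; consider lowering it")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg_text) or ['no findings']}")
```

Because the first value wins, a `PasswordAuthentication no` appended at the end of a distribution-supplied file does nothing if an earlier line already says `yes`; the parser reproduces that so the audit reports what sshd will actually enforce rather than what the last edit intended.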
Government

FBI's Hacks Don't Comply With Legal Safeguards

An anonymous reader writes: The FBI hacks computers. Specifics are scarce, and only a trickle of news has emerged from court filings and FOIA responses. But we know it happens. In a new law review article, a Stanford Ph.D. candidate and privacy expert pulls together what's been disclosed, and then matches it against established law. The results sure aren't pretty. FBI agents deceive judges, ignore time limits, don't tell computer owners after they've been hacked, and don't get 'super-warrants' for webcam snooping. Whatever you think of law enforcement hacking, it probably shouldn't be this lawless.
Privacy

Free Tools For Detecting Hacking Team Malware In Your Systems

An anonymous reader writes: Worried that you might have been targeted with Hacking Team spyware, but don't know how to find out for sure? IT security firm Rook Security has released Milano, a free automated tool meant to detect the Hacking Team malware on a computer system. Facebook has also offered a way to discover if your Mac(s) have been compromised by Hacking Team malware: it has provided a specific query pack for its open source OS analysis tool osquery.