
Submission + - 3D-Printable Gun Downloaded 100k Times In Two Days (Thanks To Kim Dotcom) (forbes.com)

Sparrowvsrevolution writes: The promise of a fully 3D-printable gun is that it can spread via the Internet and entirely circumvent gun control laws. Two days after that digital weapon's blueprint first appeared online, it seems to be fulfilling that promise. Files for the printable gun known as the "Liberator" have been downloaded more than 100,000 times in two days, according to Defense Distributed, the group that created it. Those downloads were facilitated by Kim Dotcom's startup Mega, which Defense Distributed is using to host the Liberator's CAD files. And it's also been uploaded to the Pirate Bay, where it's one of the most popular files in the filesharing site's uncensorable 3D printing category.

Submission + - The First Fully 3D-Printed Gun Has Been Successfully Test-Fired (forbes.com)

Sparrowvsrevolution writes: For the last eight months, a group called Defense Distributed has been seeking to create the world's first entirely 3D-printed handgun. Now they have. The "Liberator," as the group calls its printable firearm, is made of sixteen components, fifteen of which were printed in plastic on a Stratasys Dimension SST 3D printer. The only non-printed part is a common hardware store nail that serves as the gun's firing pin.

Last week, the Liberator was fired for the first time at a firing range and successfully shot a .380 caliber bullet using a remote firing setup. Over the weekend, Defense Distributed's founder, the anarchist and radical libertarian Cody Wilson, was bold enough to try firing it by hand. The results of that test, witnessed by a reporter, indicate that the era of the 3D-printed firearm may be upon us, for better or for worse.

Submission + - 100,000 Devices Exposed In Serial Ports Scans, Including Critical Infrastructure (forbes.com)

Sparrowvsrevolution writes: In a cautionary tale for the coming "Internet of Things," hacker HD Moore gave a talk at the Infosec Southwest conference in Austin, showing how he was able to locate and access a hidden layer of vulnerable machines via 114,000 devices known as “serial servers” or “terminal servers”–systems that allow outmoded hardware to be accessed remotely over the Internet via their serial ports.

Analyzing a database of a year’s worth of Internet scan results he’s assembled, Moore discovered that thousands of devices had no authentication, weak or no encryption, default passwords, or had no automatic “log-off” functionality, leaving them pre-authenticated and ready to access. Moore says he could have in some cases switched off the ability to monitor traffic lights, disabled trucking companies’ gas pumps or faked credentials to get free fuel, sent fake alerts over public safety system alert systems, and changed environmental settings in buildings to burn out equipment or turn off refrigeration, leaving food stores to rot.

Submission + - Zerocoin Extension To Bitcoin Would Make It Truly Anonymous (forbes.com)

Sparrowvsrevolution writes: Bitcoin, despite what many users think, isn't really anonymous. Every transaction can be traced in the Bitcoin blockchain, making it in some ways even more difficult than traditional money to spend privately. But a group of cryptographers at Johns Hopkins University have come up with Zerocoin, an extension to the cryptographic currency that could make it truly anonymous and untraceable. If enough users adopted Zerocoin, it would represent an upgrade to Bitcoin's code that would allow any user to swap out his or her Bitcoins for Zerocoin tokens at any time and then redeem them for Bitcoins at will, using some clever cryptographic tricks to prevent anyone from tracing the tokens between those two transactions.

Until now, users who wanted to use Bitcoins for anonymous purposes (such as on the drug site Silk Road) have had to run them through a Bitcoin laundry service that mixes Bitcoins randomly to foil surveillance. But that's required depending on potentially shady third parties. Zerocoin would essentially build a laundry system into Bitcoin at the protocol level, without the need to trust anything other than the distributed code itself.

Submission + - Drug Site Silk Road Says It Will Survive Bitcoin's Volatility (forbes.com)

Sparrowvsrevolution writes: Bitcoin's recent spike and then collapse in value has convinced many that it's too unstable to use as a practical currency. But not the founder of Silk Road, the black market drug site that exclusively accepts Bitcoin in exchange for heroin, cocaine and practically every other drug imaginable. Silk Road's creator, who calls himself the Dread Pirate Roberts, broke his usual media silence to issue a short statement that Silk Road will survive Bitcoin's bubble and bust. The market's prices are generally pegged to the dollar, with prices in Bitcoin fluctuating to account for movements in the exchange rate. And Roberts explained that vendors on the site have the option to also hedge the Bitcoins that buyers place in escrow for their products, so that they can't lose money due to Bitcoin's volatility while the drugs are in the mail. As a result, only about 1,000 of the site's more than 11,000 product listings were taken down during the recent crash.
Iphone

Submission + - Apple Releases Patch For Evasi0n Jailbreak (After It's Used 18 Million Times) (forbes.com)

Sparrowvsrevolution writes: Apple has released a new update for iOS that prevents the jailbreak evasi0n released last month. But that hacking tool has already become the most popular jailbreak ever: It's been used to remove the software restrictions on 18.2 million devices in the 43 days between its release and the patch, according to data from Cydia, the app store for jailbroken devices. In its announcement of the update, Apple says it has fixed six bugs and was polite enough to credit the hackers behind evasi0n with finding four of them. At least one of the bugs used by evasi0n remains unpatched, according to David Wang, one of evasi0n's creators. And Wang says that he and his fellow hackers still have bugs in reserve for a new jailbreak, although they plan to keep them secret until the next major release.
Privacy

Submission + - Cryptographers Break Commonly Used RC4 Cipher For Web Encryption (forbes.com)

Sparrowvsrevolution writes: At the Fast Software Encryption conference in Singapore earlier this week, University of Illinois at Chicago Professor Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987. Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router.

It's long been suspected that RC4 had weaknesses based on biases in how it generates random numbers. But sites have nonetheless been moving back to the scheme in response to news of vulnerabilities in AES and Triple DES exploited by recent cryptographic attacks like BEAST and Lucky 13, both of which showed flaws in SSL and TLS in combination with block ciphers. With the news of RC4's insecurity it now seems that it's likely safer to stick with those more modern ciphers and depend on browser vendors to patch the flaws used by those other attacks.

Submission + - Defcad.com Wants To Be The Google Of 3D-Printable Guns (forbes.com)

Sparrowvsrevolution writes: For the last six months, Cody Wilson and his non-profit group Defense Distributed have worked towards a controversial goal: To make as many firearm components as possible into 3D-printable, downloadable files. Now they’re seeking to make those files searchable, too–and to make a profit while they’re at it.

In a talk at the South By Southwest conference in Austin, Texas Monday afternoon, Wilson announced a new, for-profit spinoff of his gun-printing project that will serve as both a repository and search engine for CAD files, including the ones designed to let anyone build a deadly firearm in their garage. Though the search engine will index all types of files, Wilson says he hopes the group's reputation for hosting politically incendiary content will mean users trust that it won't censor search results. "When we say you should have access to these files, people believe we mean that,” says Wilson. “No takedowns. No removals. We’d fight everything to the full extent of the law.”

Along with the SXSW announcement, Wilson also released a provocative video where he lays out the plan for Defcad.com and criticizes gun control advocates and "collusive" 3D printing companies like Makerbot.

Google

Submission + - Google Reveals FBI's Secret Demands For User Data (forbes.com)

Sparrowvsrevolution writes: Google has taken a bold step to break the silence surrounding the secret demands the FBI makes that it hand over user data. In a new section of its bi-annual Transparency Report on government censorship and surveillance of its data, Google on Tuesday issued its first ever accounting of how many so-called "national security letters" (NSLs) it receives annually along with how many users were affected, albeit in extremely broad terms. In each of the last four years, the company has received NSLs targeting at least a thousand of its users, along with gag orders that have prevented it from revealing any of those surveillance orders.

The requests are limited in scope to users' registration data, not the content of private messages or IP addresses. But if the FBI knows a user's IP address, it could potentially use the requests to de-anonymize content associated with that address by linking it with a Google account. And the fact that thousands of Google users have been subjected to the NSLs means that they've likely been used far more broadly than has ever been reported by the FBI.

IOS

Submission + - Latest iOS Jailbreak Used Seven Million Times In Four Days (forbes.com)

Sparrowvsrevolution writes: Over the first half of last week, Apple was hit with the largest mass-hacking incident in its history. And the perpetrators were the company’s own users.

Nearly seven million iPhone, iPad and iPod touch owners cracked Apple’s restrictions on their devices using the jailbreaking tool Evasi0n in just the first four days it was online, according to the latest count of unique devices released by Jay Freeman, the administrator of the app store for jailbroken devices known as Cydia. That makes the iOS-hacking app the fastest-adopted jailbreak software of all time, Freeman says. The last jailbreak that came close was likely Jailbreakme 3 in 2011, which was used only 1.4 million times in nine days.

The high number of cracked devices may be a sign that Apple users want more open, less restricted gadgets. But it also reflects the higher number of iOS devices in the market since the last jailbreak, and pent up demand. It took hackers longer than ever before to develop this jailbreak: 136 days compared with as little as two weeks for the iPhone 3GS.

IOS

Submission + - Evasi0n iOS Jailbreak Exploits Five Unique Zero-Day Bugs (forbes.com)

Sparrowvsrevolution writes: In the escalating chess match between Apple's security team and the jailbreakers who work to disassemble the restrictions on its devices, the exploit for every device ends up being more complex than the last. So it's no surprise that the latest, for iOS 6.1, has reached practically a grand master level of technological complexity.

David Wang, a developer for the hacker team that calls themselves the evad3rs, has broken down the workings of the team's new iOS jailbreak, evasi0n, in an interview. He explains how the exploit chains together five distinct new bugs in iOS to escalate from a minor vulnerability in the device's mobile backup system into a series of tricks that defeat both the device's code-signing restrictions and its Address Space Layout Randomization to gain the ability to write persistent changes to the kernel. The step-by-step description of the process highlights just how much work and innovation went into evasi0n--and how hard Apple is working to raise the bar for jailbreakers.

Bug

Submission + - Researcher Finds 40-50 Million Devices Hackable Due To UPnP Bugs (forbes.com)

Sparrowvsrevolution writes: H.D. Moore of Rapid7 has discovered a set of security flaws in three different implementations of the set of common (and notoriously troublesome) networking protocols known as Universal Plug and Play, or UPnP. For nearly the last six months, he's been scanning the Internet for devices made vulnerable by those UPnP bugs, and has discovered somewhere between 40 and 50 million routers, printers, servers and other devices susceptible to some sort of hacker compromise via the public Internet. At least some routers from every major vendor are vulnerable. And 23 million of the devices could be completely taken over and used as Linux machines capable of attacking the rest of a victim's internal network.

Moore recommends that users disable UPnP on their networking gear and other devices immediately, and that ISPs even go so far as to push new firmware to consumers' home routers.

Security

Submission + - 58,000 Security Camera Systems Critically Vulnerable To Hackers (forbes.com)

Sparrowvsrevolution writes: Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet.

Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play (UPNP), which maps the devices' location to any local router that has UPNP enabled--a common default setting. That feature, designed to allow users to remotely access their video files via remote PC or phone, effectively cuts a hole in any firewall that would expose the device to attackers, too. And security researcher H.D. Moore has been able to show that the flawed architecture isn't just used by Swann, but instead affects every company that uses Ray Sharp's firmware. Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix.

Encryption

Submission + - Mega's New Encrypted Cloud May Be Full Of Holes (forbes.com)

Sparrowvsrevolution writes: Kim Dotcom's embattled company Mega relaunched over the weekend with a new promise that the upload service would encrypt all user data end-to-end. But the crypto community has started auditing Mega's code, and the response has generally been a collective facepalm. Among the problems in Mega's crypto implementation: It uses only browser-based encryption, which has generally been dismissed as insecure and would allow Mega or anyone who breaks its SSL to read users' plaintext at any time; It has no mechanism for allowing users to change a compromised password without losing access to their data permanently; It uses weak 1024-bit encryption keys in certain places, and several other potential problems.

Some in the security community have pointed out that Mega's intentions may not be legitimate security so much as plausible deniability--it only needs enough encryption to claim it can't see whether its users are uploading copyrighted content. But users should nonetheless be wary of the site's inflated security claims.

Submission + - 3D Printable Ammo Clip Skirts New Proposed Gun Laws (forbes.com)

Sparrowvsrevolution writes: Slashdot has closely followed the developing controversy around Defense Distributed, the group that hopes to create 3D printable guns to defeat gun control legislation. The group has yet to create an entirely 3D printable gun. But it's already testing the limits of gun control with a simpler invention: the 3D printable ammunition clip.

Over the past weekend, Defense Distributed successfully 3D-printed and tested an ammunition magazine for an AR semi-automatic rifle, loading and firing 86 rounds from the 30-round clip. That homemade chunk of curved plastic holds special significance: Between 1994 and 2004, so-called “high capacity magazines” capable of holding more than 10 bullets were banned from sale. And a new gun control bill proposed by California Senator Dianne Feinstein in the wake of recent shootings would ban those larger ammo clips again. President Obama has also voiced support for the magazine restrictions.

Defense Distributed says it hopes to preempt any high capacity magazine ban by showing how impossible it has become to prevent the creation of a simple spring-loaded box in the age of cheap 3D printing. It's posted the 3D-printable magazine blueprints on its website, Defcad.org, and gun enthusiasts have already downloaded files related to the ammo holders more than 2,200 times.
