Submission + - Security flaw in Yahoo mail exposes auth info

tdalek writes: After patching its plaintext authentication gaffe, Yahoo! Zimbra Desktop has fumbled the security and privacy ball once again. Yahoo! Zimbra now uses the standard authentication method used by the rest of the Yahoo! Mail family. However, unlike other implementations where invalid SSL certificates will throw up plenty of warnings for the user, Yahoo! Zimbra Desktop is trivially vulnerable to a man-in-the-middle attack, as it simply transmits the usernames & passwords regardless of who's picked up on the other side. With all of the news about DNS vulnerabilities, this seems like exceptionally poor timing for a MiTM. For the time being you may wish to switch to using the Yahoo! webmail interface, until this bug gets fixed.

Submission + - Yahoo! Zimbra Desktop vulnerable to MiTM

holdenkarau writes: "After patching its plaintext authentication gaffe, Yahoo! Zimbra desktop has hit another stumbling block in the security road. Yahoo! Zimbra now uses the standard authentication method used by the rest of the Yahoo! Mail family. However, unlike other implementations where invalid SSL certificates will throw up plenty of warnings for the user, Yahoo! Zimbra Desktop is trivially vulnerable to a man-in-the-middle attack, as it simply transmits the usernames & passwords regardless of who's picked up on the other side. With all of the news about DNS vulnerabilities, this seems like exceptionally poor timing for a MiTM. For the time being you may wish to switch to using the Yahoo! webmail interface, until this bug gets fixed."

Amazon Kindle Endorsed By Oprah 197

Oprah Winfrey enthused about the Amazon Kindle on her show today — it's her "new favorite thing" — and had Jeff Bezos on to announce a $50-off offer good till Nov. 1. A plug on Oprah is ordinarily a sign that a product has crossed over into the mainstream. But her show's audience has been slipping lately, and it's unclear how many cash-strapped citizens will be willing to part with $309 (after the special offer) for a new techno-gadget, for which they then have to shell out more money for DRM-encrusted content.

Submission + - E-mails of Yahoo! iPhone users exposed

An anonymous reader writes: Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! Unlike the other default providers (gmail, etc.) Yahoo! doesn't use encryption for either downloading or sending messages. Incoming messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request slightly obscured inside a bundle of XML, but security through obscurity isn't very effective. While the GSM protocol is cracked, this is probably of more concern to users who use the iPhone's built in Wi-Fi.
Technology (Apple)

Submission + - Tapping the iPhone, brought to you by Yahoo!

tdalek writes: You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing authentication information. It turns out that other Yahoo! applications are affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames and passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), now would be a good time to forward it elsewhere for the time being, and using that account instead.

Submission + - iPhone exposes emails in plaintext for Yahoo users 1

holdenkarau writes: "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing usernames & passwords. It turns out that more than just Yahoo! Zimbra Desktop is affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames & passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), you might want to look at forwarding it somewhere else for the time being, and using that account instead."

Submission + - iPhone & Yahoo! mail expose the text of emails

kingofthehobos writes: You may remember the recent Slashdot article about Yahoo! Desktop exposing usernames and passwords. It turns out that more than just Yahoo! Zimbra desktop is affected, although to a lesser degree. In the original security hole, Yahoo!'s desktop program transmitted the usernames & passwords in plaintext. On the iPhone, authentication is encrypted, however all the messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request, but security through obscurity isn't very effective. Looking at the screen capture there also appears to be an "imie" field, which seems like it could be useful for phone cloners (if people still do those sorts of shenanigans). If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), you might want to look at forwarding it somewhere else for the time being, and using that account instead.

Submission + - Yahoo! exposes usernames & passwords

tiffanydanica writes: "In a move hearkening back to the days of telnet, Yahoo!'s newest addition (Yahoo! Desktop) to their mail system exposes the full usernames & passwords over the wire (or wireless) in plaintext. But that's not all, doing some digging leads to the likely conclusion that all Yahoo! IMAP based client programs (including the Yahoo! iPhone application) are sending passwords in plaintext. CNET news, the Inquirer & Wired's Webmonkey are all reporting on the story (although in true Wired fashion the individual is called a "hacker"). So, if you know anyone who might have installed Yahoo! Zimbra Desktop, or used Yahoo!'s iPhone application, passing the news on and getting them to switch back to the web interface and change their password (until the issues are fixed) would be ++good."

Submission + - Yahoo! exposes user passwords (uwaterloo.ca) 3

kingofthehobos writes: In a move hearkening back to the days of telnet, Yahoo!'s newest addition to their mail system exposes the full usernames & passwords over the wire (or wireless) in plaintext. Both CNET news & Wired's Webmonkey are reporting on the story (although in true Wired fashion the individual is called a "hacker"). So, if you know anyone who might have installed Yahoo! Zimbra Desktop, getting them to switch back to the web interface and change their password (until the issues are fixed) would be ++good.

Submission + - How secure is our software?

alphabetasigmagamma writes: Is it reasonable to expect that sensitive information should be encrypted before being sent across the internet? Recent news, such as the security breach discovered in Yahoo desktop's mail software, as reported by CNET and Wired's Webmonkey, has made many people wonder how safe their personal information is when being sent through third party applications. In the case of Yahoo, personal information, such as passwords, was sent in clear text across the wire, exposing users to possible security breaches. Can we trust our sensitive information in a software ecosystem that encompasses hundreds of pieces of software that interact with the internet every day?

Submission + - Security flaw in Yahoo mail exposes plaintext auth

holdenkarau writes: "Yahoo!'s acquisition of open-source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. Ironically enough, the flaw was discovered during a Yahoo "hacku" day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent hoopla about gmail exposing the names associated with accounts, this seems downright scary. So if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the oh so retro web interface."

Submission + - Canadians get behind the OpenMoko/FreeRunner

mario writes: Now that the OpenMoko platform has stabilized enough to provide the OM2008 image (supporting the three major toolkits), things are starting to heat up. Linuxdevices is reporting on the start of a port of Devicescape's connect application. Koolu (another Canadian company) is also doing development for its W.E. phone (a branded FreeRunner). Which leads me to ask, where are the American companies?
Linux Business

Submission + - Firms start developing for the OpenMoko/FreeRunner

Anonymous Coward writes: "Now that the OpenMoko platform has stabilized enough to provide a usable development image, things are starting to heat up. The freedom of the OpenMoko platform certainly seems to be working, developers are getting behind the OpenMoko in a big way. Linuxdevices & Linux.com are both reporting on the start of a port of Devicescape's connect application. Koolu is also doing development for its W.E. phone (a branded FreeRunner). Hopefully, without the restrictiveness of cell-phone carriers we can start to see some truly innovative mobile applications come forward."

Submission + - Firms begin developing for the OpenMoko/FreeRunner

cscholden writes: Now that the OpenMoko platform has stabilized enough to provide a usable development image, things are starting to heat up. The freedom of the OpenMoko platform certainly seems to be working, developers are getting behind the OpenMoko in a big way. Linuxdevices & NewsForge/Linux.com are reporting on the start of a port of Devicescape's connect application. Koolu (another Canadian company) is also doing development for its W.E. phone (a branded FreeRunner). Hopefully, without the restrictiveness of cell-phone carriers we can start to see some truly innovative mobile applications on the OpenMoko.

