msm1267 writes: The Commerce Department's Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries. For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.

An anonymous reader writes: In response to a slew of new research about network-level attacks against Tor, academics from the U.S. and Israel built a new Tor client called Astoria designed to beat adversaries like the NSA, GCHQ, or Chinese intelligence who can monitor a user's Tor traffic from entry to exit. Astoria differs most significantly from Tor's default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries.

An anonymous reader writes with news, as reported by The Stack, that regional health insurer CareFirst BlueCross BlueShield, has confirmed a breach which took place last summer, and may have leaked personal details of as many as 1.1 million of the company's customers: "The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a 'sophisticated cyberattack' and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers. All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, CareFirst said in a statement posted on its website." Free credit monitoring is pretty weak sauce for anyone who actually ends up faced with identity fraud.

itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.

An anonymous reader writes: For the past few days kernel developers and Linux users have been investigating an EXT4 file-system corruption issue affecting the latest stable kernel series (Linux 4.0) and the current development code (Linux 4.1). It turns out that Linux users running the EXT4 file-system on a RAID0 configuration can easily destroy their file-system with this newest "stable" kernel. The cause and fix have materialized but it hasn't yet worked its way out into the mainline kernel, thus users should be warned before quickly upgrading to the new kernel on systems with EXT4 and RAID0.

derekmead writes: The oldest stone tools ever found have been discovered by scientists in Kenya who say they are 3.3m years old, making them by far the oldest such artifacts discovered. Predating the rise of humans' first ancestors in the Homo genus, the artifacts were found near Lake Turkana, Kenya. More than 100 primitive hammers, anvils and other stone tools have been found at the site. An in-depth analysis of the site, its contents, and its significance as a new benchmark in evolutionary history will be published in the May 21 issue of Nature.

An anonymous reader writes: Scotland Yard was worried that fans of shows like the X Files and Star Trek might run amok during the Millennium according to secret files. The file, called UFO New Religious Movements (NRMs) And The Millennium, reveals that anti-terrorism experts were also concerned about the brain-washing effect of Dark Skies, Roswell, Millennium and The Lawnmower Man on viewers. According to the Telegraph: "The secret briefing note was obtained from the Met under the Freedom of Information Act by Sheffield-based British X-Files expert Dr Dave Clarke while researching a new book, How UFOs Conquered the World. Dr Clarke, who teaches investigative journalism at Sheffield Hallam University, said: 'The documents show the police and security services were concerned about the export of some new religious movements concerning UFOs and aliens from the USA in the aftermath of the mass suicide by followers of the Heaven's Gate.'"

coondoggie writes: Criminals taking advantage of personal data found on social media and vulnerabilities of the digital currency system are two of the emerging Internet law-breaking trends identified by the FBI's Internet Crime Complaint Center (IC3) in its annual look at online crime. The IC3 said 12% of the complaints submitted in 2014 contained a social media trait. Complaints involving social media have quadrupled over the last five years. In most cases, victim’s personal information was exploited through compromised accounts or social engineering.

stowie writes: The Hycopter uses its frame to store energy in the form of hydrogen instead of air. With less lift power required, its fuel cell turns the hydrogen in its frame into electricity to power its rotors. The drone can fly for four hours at a time and 2.5 hours when carrying a 2.2-pound payload. “By removing the design silos that typically separate the energy storage component from UAV frame development - we opened up a whole new category in the drone market, in-between battery and combustion engine systems,” says CEO Taras Wankewycz.

An anonymous reader writes: While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war is still being felt. Logjam vulnerabilities making headlines today is "a direct result of weakening cryptography legislation in the 1990s," researcher J. Alex Halderman said. "Thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software. The backdoor might have seemed like a good idea at the time. Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy."

An anonymous reader writes: Today, an Icelandic prosthetic-maker announced that two amputees have been testing brain-controlled bionic legs for over a year. The devices respond to impulses in the subjects' residual limbs, via sensors that were implanted in simple, 15-minute-long procedures. "When the electrical impulse from his brain reaches the base of his leg, a pair of sensors embedded in his muscle tissue connect the neural dots, and wirelessly transmit that signal to the Proprio Foot. Since the command reaches the foot before the wearer's residual muscles actually contract, there's no unnatural lag between intention and action." This is a huge step forward (sorry) for this class of bionics. It may seem like a solved problem based on reports and videos from laboratories, but it's never been exposed to real world use and everyday wear and tear like this.

An anonymous reader writes: A team of security researchers has revealed a new encryption vulnerability called 'Logjam,' which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it's caused by export restrictions mandated by the U.S. government during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).