Hackers Can Control Your Phone Using a Tool That's Already Built Into It

Submitted by Anonymous Coward
An anonymous reader writes "A lot of concern about the NSA’s seemingly omnipresent surveillance over the last year has focused on the agency’s efforts to install back doors in software and hardware. Those efforts are greatly aided, however, if the agency can piggyback on embedded software already on a system that can be exploited.

Two researchers have uncovered such built-in vulnerabilities in a large number of smartphones that would allow government spies and sophisticated hackers to install malicious code and take control of the device.

The vulnerabilities lie within a device management tool carriers and manufacturers embed in handsets and tablets to remotely configure them. Though some design their own tool, most use a tool developed by a specific third-party vendor—which the researchers will not identify until they present their findings next week at the Black Hat security conference in Las Vegas. The tool is used in some form in more than 2 billion phones worldwide. The vulnerabilities, they say, were found so far in Android and BlackBerry devices and a small number of Apple iPhones used by Sprint customers. They haven’t looked at Windows Mobile devices yet."


Ask Slashdot: What should the NSA be able to do without a warrant?

Submitted by LessThanObvious
LessThanObvious (3671949) writes "We have a general consensus in the U.S. and abroad that says the NSA has overstepped their boundaries in data collection and surveillance. The costs to liberty, free speech, privacy rights as well as economic and foreign policy costs outlined in the New America Open Technology Institute July 2014 Policy Paper — "Surveillance Costs" have been broadly discussed. It seems now that there is enough political inertia post Snowden and enough economic incentive to make changes to protect U.S. competitive position and international trust relationships for real change to come about. It is also pretty much a given that an organization like the NSA with a multibillion dollar budget is not going to simply dry up and blow away.

In a world where we are trying to defend our nation and others around the globe from highly sophisticated cyber-crime, cyber-attack and serious terror threats at home and abroad, it does seem that the NSA and other agencies have a legitimate role to play. Let's imagine a world where the NSA and other agencies rewrite the rules of when and where information could be collected, allowing for adequate transparency and protections for U.S. and foreign individuals rights. How can we find the needle in a stack of haystacks if they are no longer permitted to disturb the haystack?

Now under those circumstances what should the NSA be allowed to do without a warrant?"


Private Bittorrent Trackers - A Misleading Name

Submitted by ktetch-pirate
ktetch-pirate (1850548) writes "At some point in any P2P story, you will come across a comment saying how 'Private Trackers are better'. Yet Private Tracker users have less privacy than those that use public/open trackers, with the sites logging your activities and then sharing that info in a big database with dozens of other sites.
TorrentFreak's lead researcher explains how they got the name, and why, along with a more appropriate term for these kinds of sites."


Is running mission-critical servers without a firewall a "thing"?

Submitted by Anonymous Coward
An anonymous reader writes "I do some contract work on the side (as many folks do), and am helping a client set up a new point of sale system. For the time being, it's pretty simple: selling products, keeping track of employee time, managing inventory and the like. However, it requires a small network because there are two clients, and one of the clients feeds off of a small SQL Express database from the first. During the setup the vendor disabled the local firewall, and in a number of emails back and forth since (with me getting more and more aggravated) they went from suggesting that there's no NEED for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.

So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns."

Six Ways Big Telecom Tries to Kill Community Broadband

Submitted by Jason Koebler
Jason Koebler (3528235) writes "Beyond merely staying out of each other's way in many big cities, ISPs have managed to throw up legal, logistical, and financial roadblocks at every turn to prevent municipally owned fiber networks from taking hold in many parts of the country.
The lobbying money is well-documented, but some of the other strategies, such as threatening to cut off business with companies who help build municipal fiber networks, are less known. Catharine Rice of the Coalition for Local Internet Choice, says there are at least six distinct tactics national telecom companies have perfected to do this."

A 24-Year-Old Scammed Apple 42 Times In 16 Different States

Submitted by redletterdave
redletterdave (2493036) writes "Sharron Laverne Parrish Jr., 24, allegedly scammed Apple not once, but 42 times, cheating the company out of more than $300,000 — and his scam was breathtakingly simple. According to a Secret Service criminal complaint, Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which had all been closed by their respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override. But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter."
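The failure the complaint describes is a check on the shape of the authorization code rather than on who issued it. What follows is an added example, not code from Apple, from the criminal complaint or from any payment processor: a constructed model in which a bank-side "issuer" derives a six-digit forced-sale code bound to the transaction, and a store terminal either accepts any six digits (the weak rule) or confirms the code with the issuer (the hardened rule). The issuer, terminal, transaction fields, six-digit length, HMAC derivation and the redeemed-code bookkeeping are all assumptions made for illustration.

```python
"""Constructed model of a forced-sale ("voice authorization") code check.

Added example; not Apple's, a processor's or an issuer's real code.  The
transaction layout, the 6-digit code and the HMAC derivation are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_LEN = 6  # assumed override-code length (illustrative only)


@dataclass(frozen=True)
class Transaction:
    merchant_id: str
    card_last4: str
    amount_cents: int
    nonce: str  # assumed: fresh random value the terminal generates per attempt

    def encode(self) -> bytes:
        # Length-prefix each field so two different transactions cannot encode alike.
        parts = [self.merchant_id, self.card_last4, str(self.amount_cents), self.nonce]
        return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)


class Issuer:
    """Stand-in for the issuing bank's authorization desk (constructed)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # never leaves the issuer
        self._redeemed = set()               # (transaction, code) pairs already used

    def _derive(self, txn: Transaction) -> str:
        # Only the holder of the key can produce a code for this exact transaction.
        mac = hmac.new(self._key, txn.encode(), hashlib.sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 10**CODE_LEN).zfill(CODE_LEN)

    def authorize(self, txn: Transaction) -> str:
        """What the bank would read to the cardholder over the phone."""
        return self._derive(txn)

    def verify(self, txn: Transaction, code: str) -> bool:
        """Online confirmation: the issuer, not the customer, judges the code."""
        expected = self._derive(txn)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        if (txn, code) in self._redeemed:    # a genuine code is good for one sale
            return False
        self._redeemed.add((txn, code))
        return True


def format_only_check(code: str) -> bool:
    """The weak terminal rule: any string of CODE_LEN digits is accepted."""
    return len(code) == CODE_LEN and code.isdigit()


def verified_check(issuer: Issuer, txn: Transaction, code: str) -> bool:
    """Hardened rule: format check first, then confirm the code with the issuer."""
    return format_only_check(code) and issuer.verify(txn, code)


def run_scenario() -> dict:
    """Replay the scam against both rules; returns the outcomes by name."""
    issuer = Issuer()
    txn = Transaction("store-0042", "1234", 199900, secrets.token_hex(8))
    real_code = issuer.authorize(txn)
    # Digits the customer claims to have been given by "the bank".
    fake_code = "000000" if real_code != "000000" else "999999"
    return {
        "format_only_accepts_fake": format_only_check(fake_code),
        "verified_rejects_fake": not verified_check(issuer, txn, fake_code),
        "verified_accepts_real": verified_check(issuer, txn, real_code),
        "verified_rejects_replay": not verified_check(issuer, txn, real_code),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The particular derivation is not the point. A code that the terminal can only validate by asking the party that issued it cannot be satisfied by a customer reading digits off his own phone, and recording redeemed codes means one genuine code cannot be reused across repeated visits.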

Cellphone Unlocking Bill Has One Big Gotcha

Submitted by itwbennett
itwbennett (1594911) writes "The cellphone unlocking bill that passed in the House of Representatives on Friday, and which President Obama said he would sign, comes with a catch that will likely prevent you from switching carriers — at least right away: Your existing wireless contract takes precedence over the law. So if your wireless contract says that you can't unlock your phone until your contract expires, you can't do it."

Silicon Valley has created an imaginary staffing shortage

Submitted by walterbyrd
walterbyrd (182728) writes "As longtime researchers of the STEM workforce and immigration who have separately done in-depth analyses on these issues, and having no self-interest in the outcomes of the legislative debate, we feel compelled to report that none of us has been able to find any credible evidence to support the IT industry's assertions of labor shortages."

Bird flocks resemble liquid helium

Submitted by sciencehabit
sciencehabit (1205606) writes "A flock of starlings flies as one, a spectacular display in which each bird flits about as if in a well-choreographed dance. Everyone seems to know exactly when and where to turn. Now, for the first time, researchers have measured how that knowledge moves through the flock—a behavior that mirrors certain quantum phenomena of liquid helium. Some of the more interesting findings: Tracking data showed that the message for a flock to turn started from a handful of birds and swept through the flock at a constant speed between 20 and 40 meters per second. That means that for a group of 400 birds, it takes just a little more than a half-second for the whole flock to turn."

The Long and Winding Road to the Surveillance Society

Submitted by smugfunt
smugfunt (8972) writes "There is a new blog post by Adam Curtis tracing some of the strange connections and interesting characters in the evolution of the digital Panopticon we find ourselves living in. He posits that many of the data-driven systems now used in all sectors of society have the effect (deliberate and accidental) of forestalling change/fostering stability. As always, he brings to our attention some hitherto unnoticed 'men behind the curtain'."

Pi Power - the power supply the Raspberry Pi *should* have come with

Submitted by nsayer
nsayer (86181) writes "The Raspberry Pi is awesome. There's only one thing I dislike about it — how you're meant to power it. Crappy USB power supplies are ubiquitous, and the power more or less goes straight onto the +5 rail. Not only that, but the micro USB connector is SMT, and USB cables are much thicker and heavier than their 2.1mm barrel connector cable counterparts. No, it's just not the best tool for the job.

So I made Pi Power. It's a small board that sits on the GPIO pins (it comes with a stacking header so you can piggyback onto it) and has a 2.1mm barrel connector that will accept any DC voltage from 6-15 volts and output up to 2A of well regulated 5V power.

I sell them on Tindie for $15 ( https://www.tindie.com/product... ) and am running an IndieGoGo campaign to fund building 1000 of them at http://igg.me/at/PiPower ."


Ask Slashdot: After TrueCrypt

Submitted by TechForensics
TechForensics (944258) writes "(Resubmitted because it was not identified as "Ask Slashdot".)

We all know the TrueCrypt story-- a fine, effective encryption program beginning to achieve wide use. When you see how the National Security Agency modified this tool so they could easily overcome it, you'll probably understand why they don't complain about PGP anymore. The slip that showed what was happening was the information that NSA "were really ticked about TrueCrypt" either because they couldn't circumvent it or found it too difficult. From the standpoint of privacy advocates, NSA's dislike for TrueCrypt was evidence it was effective.

Next, NSA directly wrapped up the makers of TrueCrypt in legal webs that made them insert an NSA backdoor and forbade them from revealing it was there. It's only because of the cleverness of the TrueCrypt makers the world was able to determine for itself that TrueCrypt was now compromised. (Among other things, though formerly staunch privacy advocates, the makers discontinued development of TrueCrypt and recommended something like Microsoft BitLocker, which no one with any sense believes could be NSA-hostile.) It then became logically defensible, since NSA was not complaining about PGP or other encryption programs, to posit they had already been vitiated.

This is the situation we have: all of the main or important encryption programs are compromised at least in use against the federal government. Whether NSA tools are made available to local law enforcement is not known. This all begs the question:

Does the public now have *any* encryption that works? Even if we can see the source code of the encryption algorithm the source code of the program employing that algorithm must be considered tainted. (TrueCrypt was the only program NSA complained about.) In the case of other software, it becomes believable the NSA has allowed to be published only source code that hides their changes, and the only way around that may be to check and compile the published code yourself. Half the public probably doesn't bother. (Would it not be possible for the NSA to create a second TrueCrypt that has the same hash value as the original?)

Okay, Slashdot, what do you think? Where do we stand? And what ought we to do about it?"

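On the closing question: producing a different binary that has the same hash as the original is a second-preimage problem, whose cost is roughly 2^n work for an n-bit hash, so it is cheap against a short or broken hash and out of reach against full SHA-256. The block below is an added example, not part of the submission and not TrueCrypt's code. It brute-forces a second preimage against SHA-256 truncated to 16 bits (an assumed width chosen so the search finishes quickly), then shows that the forged input still fails a comparison against the full, pinned SHA-256 digest of the original. The stand-in artifact bytes are constructed.

```python
"""Added example: same-hash substitution is a second-preimage search, cheap
against a short hash and infeasible against full SHA-256.  The artifact bytes
and the 16-bit truncation are constructed/assumed for illustration only."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for an installer; not TrueCrypt's actual bytes.
ORIGINAL_ARTIFACT = b"stand-in installer bytes, constructed for this example"


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits; models a short or weak hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def second_preimage(original: bytes, bits: int, limit: int) -> Tuple[Optional[bytes], int]:
    """Brute-force an input that differs from `original` yet shares its
    `bits`-bit digest.  Expected work is about 2**bits trials.
    Returns (forged_input or None, trials_used)."""
    target = truncated_digest(original, bits)
    for i in range(1, limit + 1):
        # Append a counter so every candidate is a distinct, longer input.
        candidate = original + b"\x00" + i.to_bytes(8, "big")
        if truncated_digest(candidate, bits) == target:
            return candidate, i
    return None, limit


def matches_pinned_sha256(data: bytes, pinned_hex: str) -> bool:
    """Full-width check against a digest obtained out of band; constant-time compare."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_hex)


def run_demo(bits: int = 16, limit: int = 1 << 20) -> dict:
    """Forge against the truncated hash, then re-check against the pinned full digest."""
    pinned = hashlib.sha256(ORIGINAL_ARTIFACT).hexdigest()  # recorded before any download
    forged, trials = second_preimage(ORIGINAL_ARTIFACT, bits, limit)
    return {
        "forged_found": forged is not None,
        "trials": trials,
        "forged_matches_short_hash": forged is not None
        and truncated_digest(forged, bits) == truncated_digest(ORIGINAL_ARTIFACT, bits),
        "forged_passes_full_sha256": forged is not None
        and matches_pinned_sha256(forged, pinned),
        "original_passes_full_sha256": matches_pinned_sha256(ORIGINAL_ARTIFACT, pinned),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The search against 16 bits succeeds after tens of thousands of trials; at 256 bits the same loop would never finish. The check that matters is therefore a comparison against a full-width digest obtained through a channel the substituting party does not control (a signature over the digest, or a digest recorded before the download), not against a checksum served beside the file.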
