
Submission + - ICU Project Patches Memory Vulnerabilities

msm1267 writes: Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched.

Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buffer overflow and integer overflow bugs in versions 52 through 54. Older versions of the library could also be affected, said researcher Pedro Ribeiro of Agile Information Security, who discovered the vulnerabilities while fuzzing LibreOffice, one of the numerous open source and enterprise software packages that are built using the library.

Submission + - Students Build Open Source Web-Based Threat Modeling Tool

msm1267 writes: Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design.

The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design when it’s cheap to do so.

Submission + - In Breakthrough, US and Cuba to Resume Diplomatic Relations writes: Peter Baker reports at the NYT that in a deal negotiated during 18 months of secret talks hosted largely by Canada and encouraged by Pope Francis, the United States will restore full diplomatic relations with Cuba and open an embassy in Havana for the first time in more than a half-century. In addition, the United States will ease restrictions on remittances, travel and banking relations, and Cuba will release 53 Cuban prisoners identified as political prisoners by the United States government. Although the decades-old American embargo on Cuba will remain in place for now, the administration signaled that it would welcome a move by Congress to ease or lift it should lawmakers choose to. “We cannot keep doing the same thing and expect a different result. It does not serve America’s interests, or the Cuban people, to try to push Cuba toward collapse. We know from hard-learned experience that it is better to encourage and support reform than to impose policies that will render a country a failed state,” said the White House in a written statement. "The United States is taking historic steps to chart a new course in our relations with Cuba and to further engage and empower the Cuban people."

Submission + - Internet Voting Hack Alters PDF Ballots in Transmission

msm1267 writes: Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be.

Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority.

The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify code strings representing votes and candidates within the PDF to change the submitted votes.

Submission + - Death Valley's Sailing Stones Caught in the Act

Capt.Albatross writes: The flat surface of the Racetrack Playa in Death Valley is littered with rocks, some weighing hundreds of kilograms, each at the end of a track indicating that it has somehow slid across the surface. The mechanism behind this has been the subject of much speculation but little evidence, until a trio of scientists caught them in action with cameras and GPS.

Submission + - LibreSSL PRNG Vulnerability Patched

msm1267 writes: The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG).

The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”

OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered, saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and making two different calls to the PRNG, returned the exact same data both times.

“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”

Submission + - TrueCrypt Cryptanalysis to Include Crowdsourcing

msm1267 writes: A cryptanalysis of TrueCrypt will proceed as planned, said organizers of the Open Crypto Audit Project, who announced the technical leads of the second phase of the audit and that there will be a crowdsourcing aspect to phase two.

The next phase of the audit, which will include an examination of everything including the random number generators, cipher suites, crypto protocols and more, could be wrapped up by the end of the summer.

Submission + - TCP/IP Might Have Been Secure From The Start, But...NSA!

chicksdaddy writes: The pervasiveness of the NSA's spying operation has turned it into a kind of bugaboo — the monster lurking behind every locked networking closet and the invisible hand behind every flawed crypto implementation.

Those inclined to don the tinfoil cap won't be reassured by Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP — the Internet's lingua franca.

As noted on Veracode's blog, Cerf said that given the chance to do it over again he would have designed earlier versions of TCP/IP to look and work like IPv6, the latest version of the IP protocol with its integrated network-layer security and massive 128-bit address space. IPv6 is only now beginning to replace the exhausted IPv4 protocol globally.

“If I had in my hands the kinds of cryptographic technology we have today, I would absolutely have used it,” Cerf said.

Researchers at the time were working on just such a lightweight cryptosystem. On Stanford’s campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described the functioning of a public key cryptography system. But they didn’t yet have the algorithms to make it practical. (Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977).

As it turns out, however, Cerf revealed that he _did_ have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren’t they used? The culprit is one that’s well known now: the National Security Agency.

Cerf told host Leo Laporte that the crypto tools were part of a classified NSA project he was working on at Stanford in the mid 1970s to build a secure, classified Internet.

“During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”

Hindsight is 20:20, as the saying goes. Neither Cerf, nor the NSA nor anyone else could have predicted how much of our economy and that of the globe would come to depend on what was then a government backed experiment in computer networking. Besides, Cerf didn't elaborate on the cryptographic tools he was working with as part of his secure Internet research or how suitable (and scalable) they would have been.

But it’s hard to listen to Cerf lamenting the absence of strong authentication and encryption in the foundational protocol of the Internet, or to think about the myriad of online ills in the past two decades that might have been preempted with a stronger and more secure protocol and not wonder what might have been.

Submission + - How the NSA Plans to Infect 'Millions' of Computers with Malware

Advocatus Diaboli writes: Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process. The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.

Submission + - Victim Groups in Target Breach 'Not Linked'

msm1267 writes: Giant retailer Target has clarified that the partial personal information--including names, addresses, phone numbers and email addresses--of another 70 million individuals was also stolen during a two-week-long breach of its systems starting the day before Thanksgiving. Target said: "These are two distinct groups and are not linked. While there may be some overlap between the two groups (the 40 million and the 70 million), we don’t know to what extent at this time."

Submission + - Stranded Antarctica ship passengers to be evacuated by Chinese helicopter

Taco Cowboy writes: A Russian foreign ministry statement said most of the 74 people onboard will be rescued by air after icebreakers failed due to poor visibility.

It is hoped most of the 74 people on the Academician Shokalskiy will be picked up by the Chinese helicopter, leaving as few as possible onboard.

A Russian foreign ministry statement, cited in an AFP report, said: “A decision has been reached to evacuate 52 passengers and four crew members by helicopter from China’s Xue Long ship, should the weather allow.”

Submission + - Life-sized, Drivable 500,000 Piece Lego Car Runs on Air

cartechboy writes: Two guys have made a life-sized Lego car that runs on air. That's right, the 256-piston, air-powered Lego working vehicle built with half a million black and yellow Lego pieces can actually be driven up to 18 mph. It was designed and built by 20-year-old Romanian Raul Oaida in 20 months after he and his partner, Australia-based Steve Sammartino raised "tens of thousands" of crowdfunded dollars with their prospectus entitled quite simply: "Super Awesome Micro Project." The car was built in Romania and then moved to Melbourne, Australia (presumably not brick-by-brick.) In the video, the only visible non-Lego components are the gauges, wheel rims, and tires (though the wheels have Lego faces--literally.)

Submission + - Meet Paunch: The Accused Author of the BlackHole Exploit Kit

tsu doh nimh writes: In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as "Paunch," the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: "The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunch's customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses."

Submission + - Brazil Admits To Spying On US diplomats After Blasting NSA Surveillance

cold fjord writes: The Verge reports, "Brazil this week admitted to spying on diplomats from countries including the US, Russia, and Iran as part of a domestic program launched 10 years ago ... The program was first revealed in a Monday report from the newspaper Folha de São Paulo, which obtained documents from the Brazilian Intelligence Agency, commonly known as ABIN. The revelations come at a sensitive time for current Brazilian president Dilma Rousseff, who has been among the most outspoken critics of the widespread surveillance conducted by the US National Security Agency (NSA). According to Folha, Brazilian intelligence spied on rooms rented out by the US embassy in Brasilia from 2003 to 2004. ... The report also claims that ABIN targeted Russian and Iranian officials, tracking their movements within the country ... Rousseff's office acknowledged Monday that the spying took place, but stressed that the operations were carried out within the law. The administration added that publishing classified documents is a crime in Brazil, and that those responsible "will be prosecuted according to the law." ... the revelations may put Rousseff in an awkward position. The Brazilian president cancelled a state dinner with Barack Obama earlier this year ... and lashed out against US spying in an impassioned speech to the UN in September."

Submission + - Atlanta man shatters coast-to-coast 'Cannonball Run' speed record

The Grim Reefer writes: Before the transcontinental race in "Cannonball Run," the starter tells the gathered racers, "You all are certainly the most distinguished group of highway scofflaws and degenerates ever gathered together in one place."

Ed Bolian prefers the term "fraternity of lunatics."

Where the 1981 Burt Reynolds classic was a comedic twist on a race inspired by real-life rebellion over the mandated 55-mph speed limits of the 1970s, Bolian set out on a serious mission to beat the record for driving from New York to Los Angeles.

The mark? Alex Roy and David Maher's cross-country record of 31 hours and 4 minutes, which they set in a modified BMW M5 in 2006.

Bolian, a 28-year-old Atlanta native, had long dreamed of racing from East Coast to West. A decade ago, for a high school assignment, Bolian interviewed Brock Yates, who conceived the Cannonball Baker Sea-To-Shining-Sea Memorial Trophy Dash, aka the Cannonball Run.
