
NSA Chief: Arguing Against Encryption Is a Waste of Time (theintercept.com)

An anonymous reader writes: On Thursday, NSA director Mike Rogers said, "encryption is foundational to the future." He added that it was a waste of time to argue that encryption is bad or that we ought to do away with it. Rogers is taking a stance in opposition to many other government officials, like FBI director James Comey. Rogers further said that neither security nor privacy should be the imperative that drives everything else. He said, "We've got to meet these two imperatives. We've got some challenging times ahead of us, folks."

The Russian Plan To Use Space Mirrors To Turn Night Into Day (vice.com)

merbs writes: Throughout the early 90s, a team of Russian astronomers and engineers was hell-bent on literally turning night into day. By shining a giant mirror onto the earth from space, they figured they could bring sunlight to the depths of night, extending the workday, cutting back on lighting costs and allowing laborers to toil longer. If this sounds a bit like the plot of a Bond film, well, it's that too. The difference is that for a second there, the scientists, led by Vladimir Sergeevich Syromyatnikov, one of the most important astronautical engineers in history, actually pulled it off.

Submission + - LastPass Disputes Severity of LostPass Phishing Attack

Trailrunner7 writes: A security researcher has developed a phishing attack against the LastPass password manager app that is virtually impossible to detect and has the ability to mimic the LastPass login sequence perfectly.

The technique takes advantage of several weaknesses in the way that LastPass handles user logout notifications and the resulting authentication sequence. Sean Cassidy, the CTO of Seattle-based Praesidio, developed the attack and has released code for the technique, which he calls LostPass. In essence, the technique allows an attacker to copy much of the login sequence for a LastPass user, including the use of identical login dialogs and the ability to capture and replay two-factor authentication codes.

In order for LostPass to work, an attacker needs to get a victim to visit a malicious site where the LostPass code is deployed. The code will check to see if the victim has LastPass installed, and if so, use a CSRF (cross-site request forgery) weakness in LastPass to force the victim to log out of the app. The attacker using LostPass then will show the victim the notification telling her she’s logged out and when she clicks on it, will bring her to the login page the attacker controls. It will look identical to the authentic one.

Once the victim enters her credentials, they are sent to the attacker’s server, which can use the LastPass API to check their authenticity. If the server says that 2FA is set up on the victim’s account, LostPass will display a screen to enter the 2FA code, which the attacker will capture and use to log in to the victim’s account.

LastPass says Cassidy didn't contact the company in November, as he claims, but Cassidy said he did and also gave the company all of the information in his ShmooCon talk well before he spoke.

Submission + - Future iPhones may contain Li-Fi, a technology with a transfer speed of 224 Gbps (bgr.com)

An anonymous reader writes: Recently discovered code in iOS suggests that Apple may be exploring the feasibility of incorporating Li-Fi functionality into future iPhone models. Li-Fi, in case you’re unfamiliar, is a technology capable of transmitting data via light. What makes Li-Fi so compelling is that it’s effectively Wi-Fi on steroids and can transmit data more than 100 times faster than a standard Wi-Fi connection.

In lab conditions, researchers this past February were able to achieve Li-Fi speeds of 224 gigabits per second, fast enough to download multiple HD movies in less than two seconds. While Li-Fi still remains something of an experimental technology, iOS 9’s references to the blazing fast data transfer technology are certainly intriguing.

Is this likely to be a feature with the iPhone 7? Not a chance. As it stands today, Li-Fi, despite its promises of speed, is still plagued with a number of limitations. At a base level, it can’t work through walls because, well, visible light can’t travel through walls. In this respect, Wi-Fi has a huge practical advantage. Not only that, but a Li-Fi enabled device needs to have a direct line of sight to an operational light sensor to operate. This operational limitation, however, does make Li-Fi a more secure transfer protocol than Wi-Fi. Today, Li-Fi is far from being a true Wi-Fi replacement, but it’s not out of the realm of comprehension that Li-Fi, in the future, may dutifully serve as a Wi-Fi supplement.

Submission + - UK Voice Crypto Standard Built for Key Escrow, Mass Surveillance

Trailrunner7 writes: The U.K. government’s standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research.

The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.’s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie-Hellman) for key exchange.

“MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder’s public key because it uses identity-based encryption (IBE),” Dr. Steven Murdoch of University College London’s Department of Computer Science wrote in a new analysis of the security of the Secure Chorus standard.

“By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,” Murdoch said by email.

He added that the design of Secure Chorus “is not an accident.”

Submission + - Portable encryption in your web browser (zipit.io)

An anonymous reader writes: The great thing about web browsers — they're everywhere. Using Stanford's Cryptographic Javascript Library (https://crypto.stanford.edu/sjcl/) — we're able to encrypt and decrypt using the most secure crypto available. It all runs locally in your web browser, without any app downloads or cloud servers to manage the data. So when you encrypt a file with Zip It the magic happens entirely in your web browser — no data is sent to the server. You can even download the website and run your own Zip It clone and the files will self-decrypt on your computer, your phone, and almost anywhere that JavaScript and HTML are available.

EU Companies Can Monitor Employees' Private Conversations While At Work (softpedia.com)

An anonymous reader writes: A recent ruling of the European Court of Human Rights has granted EU companies the right to monitor and log private conversations that employees have at work while using the employer's devices. The ruling came after a Romanian was fired for using Yahoo Messenger back in 2007, while at work, to have private conversations with his girlfriend. He argued that his employer was violating his right to privacy and correspondence. Both Romanian and European courts disagreed.

Submission + - Human Brain Still Beats Computers at Finding Messages and Meaning within Noise (hackaday.com)

szczys writes: One thing the human brain still does a lot better than computers is to recognize patterns within noise. That's why CAPTCHA uses distorted images to prove you're human, and random number generators are often inspected by visual representation. There is a technology that leverages this human knack for signal processing to make us part of the machine. Hellschreiber is a communications device where the machine has no idea whatsoever what the message actually is. It transfers a signal from one unit to the next which is assembled into an image. A human looking at the image will see words, much like CAPTCHA. But even if the signal isn't perfect, our brains can often pick out the order within the madness, much like inspecting a PRNG for uniform distribution.

Submission + - List of Major Linux Desktop Problems Updated for 2016

An anonymous reader writes: Phoronix reports that Artem S. Tashkinov's Major Linux Problems on the Desktop has been updated for 2016. It is a comprehensive list of various papercut issues and other inconveniences of Linux on the PC desktop. Among the issues cited for Linux not being ready for the desktop are graphics driver issues, audio problems, hardware compatibility problems, X11 troubles, a few issues with Wayland, and font problems. On the project-management side, the list also cites a lack of cooperation among open source developers and fragmentation of desktops. Let's discuss.

Physicists Figure Out How To Make Cleaner Fuel Cells (eurekalert.org)

Mal-2 writes: An international group of scientists from Russia, France, and Germany have developed ion-exchange synthetic membranes based on amphiphilic compounds that are able to convert the energy of chemical reactions into electrical current. The new development described in the journal Physical Chemistry, Chemical Physics could potentially be used in fuel cells, and in separation and purification processes (abstract).

The molecules in question, with the working names A-Na and Azo-Na, are promising substances that are classified as benzenesulfonates. They are wedge-shaped and can independently assemble themselves into supramolecular structures — complex organized groups of multiple molecules. Depending on the conditions set by the scientists, the molecules form discs, which, in turn, form columns with ion channels inside.


Coding Styles Survive Binary Compilation, Could Lead Investigators Back To Programmers (princeton.edu)

An anonymous reader writes: Researchers have created an algorithm that can accurately detect code written by different programmers (PDF), even if the code has been compiled into an executable binary. Because of open source coding repositories like GitHub, state agencies can build a database of all developers and their coding styles, and then easily compare the coding style used in "anti-establishment" software to detect the culprit. Despite all the privacy implications this research may have, the algorithm can also be used by security researchers to track down malware authors. We also discussed an earlier phase of this research.

Submission + - Posture Affects Standing, and Not Just the Physical Kind (nytimes.com)

An anonymous reader writes: As somebody who sits in front of a computer most of the day, and has for a number of years, this article at the NY Times struck a bit close to home. It compiles a list of the negative consequences of poor posture. There are the obvious ones, like neck and muscle pain, joint problems, digestive issues, and so forth. But there are social problems, too. We're probably all aware that slouching can give a worse first impression than standing straight, but there's also evidence it can contribute to who a mugger picks to rob, and how you feel. "In a study of 110 students at San Francisco State University, half of whom were told to walk in a slumped position and the other half to skip down a hall, the skippers had a lot more energy throughout the day (abstract)." So take this as your yearly reminder, fellow keyboard-hunchers — sit up straight, move around every so often, and maybe invest in that standing desk.

Microsoft Has Your Encryption Key If You Use Windows 10 (theintercept.com)

An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to Microsoft's servers. From the article: "The fact that new Windows devices require users to back up their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud. ... As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it. As Matthew Green, professor of cryptography at Johns Hopkins University puts it, 'Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.'"

Submission + - AWS Releases Smallest, Cheapest EC2 Instance Yet (thestack.com)

An anonymous reader writes: After announcing the prospective launch of a very small instance type for its EC2 computing service in Las Vegas this October, Amazon’s cloud platform AWS has now set the new t2.nano instances live. The new instances will provide 512 MiB of memory and one burstable virtual CPU core. According to Amazon, the small instances will work best in developer environments, low-traffic website hosting and running microservices. The cloud giant also hopes to see lots of t2.nano instances used in training and education sectors.
