JonZittrain writes: This summer, ISIS insurgents captured Mosul — with with it, three divisions' worth of advanced American military hardware. After ISIS used it to capture the Mosul Dam, the U.S. started bombing its own pirated equipment. Could sophisticated military tanks and anti-aircraft missiles given or sold to countries like Iraq be equipped with a way to disable them if they're compromised, without opening them up to hacking by an enemy?

We already require extra authentication at a distance to arm nuclear weapons, and last season's 24 notwithstanding, we routinely operate military drones at a distance. Reportedly in the Falkland Islands war, Margaret Thatcher was able to extract codes to disable Argentina's Exocet missiles from the French. The simplest implementation might be like the proposal for land mines that expire after a certain time. Perhaps tanks — currently usable without even an ignition key — could require a renewal code digitally signed by the owning country to be entered manually or received by satellite every six months or so.

I'm a skeptic of kill switches, especially in consumer devices, but still found myself writing up the case for a way to disable military hardware in the field. There are lots of reasons it might not work — or work too well — but is there a way to improve on what we face now?

MojoKid writes We're often told that having a kill switch in our mobile devices — mostly our smartphones — is a good thing. At a basic level, that's hard to disagree with. If every mobile device had a built-in kill switch, theft would go down — who would waste their time over a device that probably won't work for very long? Here's where the problem lays: It's law enforcement that's pushing so hard for these kill switches. We first learned about this last summer, and this past May, California passed a law that requires smartphone vendors to implement the feature. In practice, if a smartphone has been stolen, or has been somehow compromised, its user or manufacturer would be able to remotely kill off its usability, something that would be reversed once the phone gets back into its rightful owner's hands. However, such functionality should be limited to the device's owner, and no one else. If the owner can disable a phone with nothing but access to a computer or another mobile device, so can Google, Samsung, Microsoft, Nokia or Apple. If the designers of a phone's operating system can brick a phone, guess who else can do the same? Everybody from the NSA to your friendly neighborhood police force, that's who. At most, all they'll need is a convincing argument that they're acting in the interest of "public safety."

Dr. Damage writes: The TSX instructions built into Intel's Haswell CPU cores haven't become widely used by everyday software just yet, but they promise to make certain types of multithreaded applications run much faster than they can today. Some of the savviest software developers are likely building TSX-enabled software right about now. Unfortunately, that work may have to come to a halt, thanks to a bug—or "errata," as Intel prefers to call them—in Haswell's TSX implementation that can cause critical software failures. To work around the problem, Intel will disable TSX via microcode in its current CPUs — and in early Broadwell processors, as well.

First time accepted submitter GreyViking (3606993) writes Over the past few years, I've witnessed a variety of my intelligent but largely non-technical nearest-and-dearest struggling to complete online job applications. The majority of these online forms are multiple screens long, and because they're invariably HTTPS, they'll time out after a finite time which isn't always made known to the user. Some sites actively disable back/forward buttons but many don't, and text that's sometime taken a lot of effort to compile, cut and paste can be lost. And did I mention text input boxes that are too small? Sometimes it seems that the biggest obstacle to getting a job can be being able to conquer the online application, and really, there has to be a better way: but what is it?

theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.

Taco Cowboy sends a report into China's development of anti-satellite technology, and efforts by the U.S. and Japan to build defenses for this new potential battleground. Last year, China launched what they said was a science space mission, but they did so at night and with a truck-based launch system, which are not generally used for science projects. Experts believe this was actually a missile test for targets in geostationary orbit. U.S. and Japanese analysts say China has the most aggressive satellite attack program in the world. It has staged at least six ASAT missile tests over the past nine years, including the destruction of a defunct Chinese weather satellite in 2007. ... Besides testing missiles that can intercept and destroy satellites, the Chinese have developed jamming techniques to disrupt satellite communications. In addition, ... the Chinese have studied ground-based lasers that could take down a satellite's solar panels, and satellites equipped with grappling arms that could co-orbit and then disable expensive U.S. hardware. To defend themselves against China, the U.S. and Japan are in the early stages of integrating their space programs as part of negotiations to update their defense policy guidelines. ... Both countries have sunk billions of dollars into a sophisticated missile defense system that relies in part on data from U.S. spy satellites. That's why strategists working for China's People's Liberation Army have published numerous articles in defense journals about the strategic value of chipping away at U.S. domination in space.

Trailrunner7 (1100399) writes It's been a weird couple of weeks for Microsoft. On June 30 the company announced its latest malware takedown operation, which included a civil law suit against Vitalwerks, a small Nevada hosting provider, and the seizure of nearly two dozen domains the company owned. Now, 10 days later, Microsoft has not only returned all of the seized domains but also has reached a settlement with Vitalwerks that resolves the legal action. Some in the security research community criticized Microsoft harshly for what they saw as heavy handed tactics. Within a few days of the initial takedown and domain seizure Microsoft returned all of the domains to Vitalwerks, which does business as No-IP.com. On Wednesday, the software giant and the hosting provider released a joint statement saying that they had reached a settlement on the legal action. "Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks' services," the companies said in a joint statement. "Microsoft identified malware that had escaped Vitalwerks' detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware."

wiredmikey (1824622) writes "Security researchers have found a way to disable the protection systems provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a software tool designed to prevent vulnerabilities from being exploited by using various mitigation technologies. Others have managed to bypass EMET in the past, but researchers from Offensive Security have focused on disarming EMET, rather than on bypassing mitigations, as this method gives an attacker the ability use generic shellcodes such as the ones generated by Metasploit. The researchers managed to disarm EMET and get a shell after finding a global variable in the .data section of the EMET.dll file. Initially, they only managed to get a shell by executing the exploit with a debugger attached, due to EMET's EAF checks. However, they've succeeded in getting a shell outside the debugger after disarming EAF with a method described by security researcher Piotr Bania in January 2012. The researchers tested their findings on Windows 7, Internet Explorer 8 and EMET 4.1 update 1."

A while ago you had the chance to ask programmer and open source advocate Bruce Perens about the future of open source, its role in government, and a number of other questions. Below you'll find his answers and an update on what he's doing now.

KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a set up known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated byPwn2Own creator Dragos Ruiu.

DavidGilbert99 writes: "The Heartbleed Bug cause widespread panic from internet users around the world worried their sensitive information was being targeted. While system administrators were warned to patch their systems, a security researcher notes that 300,000 servers remain vulnerable to the heartbleed flaw a full month later. He said, 'Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.' A developer at Vivaldi Technologies AS also pointed out that a significant number of server administrators botched their response, going from safe to vulnerable."

New submitter electronic convict writes: "Hulu, apparently worried that too many non-U.S. residents are using cheap VPN services to watch its U.S. programming, has started blocking IP address ranges belonging to known VPN services. Hulu didn't announce the ban, but users of the affected VPNs are getting this message: 'Based on your IP-address, we noticed that you are trying to access Hulu through an anonymous proxy tool. Hulu is not currently available outside the U.S. If you're in the U.S. you'll need to disable your anonymizer to access videos on Hulu.' Hulu may make Hollywood happy by temporarily locking out foreign users — at least until they find new VPN providers. But in so doing it's now forcing its U.S. customers to sacrifice their privacy and even to risk insecure connections. Hulu hasn't even implemented SSL on its site."

OffTheLip (636691) writes "According to a Customer Advisory released by HP and reported on by the Channel Register website, a recently released firmware update for the ubiquitous HP Proliant server line could disable the network capability of affected systems. Broadcom NICs in G2-G7 servers are identified as potentially vulnerable. The release date for the firmware was April 18 so expect the number of systems affected to go up. HP has not released the number of systems vulnerable to the update."

schwit1 (797399) writes "An electromagnetic pulse is a burst of electromagnetic energy strong enough to disable, and even destroy, nearby electronic devices. In the first few minutes of an EMP, nearly half a million people would die. That's the worst-case scenario that author William R. Forstchen estimated would be the result of an EMP on the electric grid. 'If you do a smart plan — the Congressional EMP Commission estimated that you could protect the whole country for about $2 billion,' Peter Vincent Pry, executive director of the Task Force on National and Homeland Security and director of the U.S. Nuclear Strategy Forum, told Watchdog.org. 'That's what we give away in foreign aid to Pakistan every year.' He said the more officials plan, the lower the estimated cost gets. 'The problem is not the technology,' Pry said. 'We know how to protect against it. It's not the money, it doesn't cost that much. The problem is the politics. It always seems to be the politics that gets in the way.'"

fructose writes: "The Nest Protect has a flaw in its software that, under the right circumstances, could disable the alarm and not notify the owners of a fire. To remedy this flaw, they are disabling the Nest Wave feature through automatic updates. Owners who don't have their Nest Protects connected to their WiFi net or don't have a Nest account are suggested to either update the device manually or return it to Nest for a full refund. While they work out the problem, all sales are being halted to prevent unsafe units from being sold. There have been no reported incidents resulting from this flaw, but they aren't taking any chances."

jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility of the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction."

alphadogg writes "A second federal bill that proposes 'kill-switch' technology be made mandatory in smartphones as a means to reduce theft of the devices was introduced Monday. The kill switch would allow consumers to remotely wipe and disable a stolen smartphone and is considered by proponents to be a key tool in combating the increasing number of smartphone robberies. The Smartphone Theft Prevention Act was introduced into the U.S. House of Representatives as H.R. 4065 by Jose Serrano, a New York Democrat, as a companion to a Senate bill that was introduced Feb. 13. The two follow a similar law proposed by officials in California last month."

An anonymous reader writes "On Friday, Chrome 33 was shipped out the everyone on the stable channel. Among other things, it removes the developer flag to disable the "Instant Extended API", which powers an updated New Tab page. The new New Tab page receieved a large amount of backlash from users, particularly due to strange behavior when Google wasn't set as the default search engine. It also moves the apps section to a separate page and puts the button to reopen recently closed tabs in the Chrome menu. With the option to disable this change removed, there has been tremendous backlash on Google Chrome's official forum. The official suggestion from Google as well as OMG! Chrome is to try some New Tab page changing extensions, such as Replace New Tab, Modern New Tab Page, or iChrome."

An anonymous reader writes "Yonhap News Agency reports that South Korea has announced it is developing offensive cyber-capabilities to target North Korea's nuclear facilities. Yonhap speculates the tools will be similar to the Stuxnet computer virus the U.S. used against Iran's uranium enrichment program. A report in The Diplomat questions this assertion, noting that a Stuxnet-like virus would only temporarily disrupt Pyongyang's ability to build more nuclear weapons, while doing nothing to address its existing ones. Instead, The Diplomat suggests Seoul is interested in developing cyber-capabilities that temporarily disable North Korea's ability to launch nuclear missiles, which would be complement Seoul's efforts to develop precision-guided missiles to preemptively destroy Pyongyang's nuclear and missile facilities."

alphadogg writes "Pressure on the cellphone industry to introduce technology that could disable stolen smartphones has intensified with the introduction of proposed federal legislation that would mandate such a system. Senate bill 2032, 'The Smartphone Prevention Act,' was introduced to the U.S. Senate this week by Amy Klobuchar, a Minnesota Democrat. The bill promises technology that allows consumers to remotely wipe personal data from their smartphones and render them inoperable. But how that will be accomplished is currently unclear. The full text of the bill was not immediately available and the offices of Klobuchar and the bill's co-sponsors were all shut down Thursday due to snow in Washington, D.C."