Government

Snowden: 'Governments Can Reduce Our Dignity To That Of Tagged Animals' (theguardian.com) 77

An anonymous reader writes: NSA whistleblower Edward Snowden writes in The Guardian explaining why leaking information about wrongdoing is a vital act of resistance. "One of the challenges of being a whistleblower is living with the knowledge that people continue to sit, just as you did, at those desks, in that unit, throughout the agency; who see what you saw and comply in silence, without resistance or complaint," Snowden writes. "They learn to live not just with untruths but with unnecessary untruths, dangerous untruths, corrosive untruths. It is a double tragedy: what begins as a survival strategy ends with the compromise of the human being it sought to preserve and the diminishing of the democracy meant to justify the sacrifice." He goes on to explain the importance and significance of leaks, how not all leaks are alike, nor are their makers, and how our connected devices come into play in the post-9/11 period. Snowden writes, "By preying on the modern necessity to stay connected, governments can reduce our dignity to something like that of tagged animals, the primary difference being that we paid for the tags and they are in our pockets."
Security

Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World (arstechnica.com) 73

Researchers have discovered flaws in Samsung's Smart Home automation system which, if exploited, allow a range of remote attacks, including digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link, much like this one, that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.
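The attack above hinges on where an OAuth authorization endpoint is willing to send the user (and the code or token) after login. The following is an added example, not code from the SmartThings platform or from the Michigan paper: a flawed redirect check that accepts any URL merely containing the registered hostname, beside a strict check that only accepts an exact match against URIs fixed at client registration, and an authorization step that refuses to redirect at all when the check fails. The client registration, hostnames and attacker URLs are constructed for illustration.

```python
"""Added example: validating the redirect target of an OAuth authorization
request. Not SmartThings code; registry and URLs below are constructed."""
from urllib.parse import urlsplit
import secrets

# Constructed registry: client_id -> redirect URIs fixed at client registration.
REGISTERED_REDIRECTS = {
    "smart-app": {"https://app.example.com/oauth/callback"},
}


def weak_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """Flawed check: accepts the redirect if the registered hostname appears
    anywhere in the supplied URL (a substring / prefix match)."""
    for allowed in REGISTERED_REDIRECTS.get(client_id, ()):
        if urlsplit(allowed).hostname in redirect_uri:
            return True
    return False


def strict_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: https only, no userinfo, query or fragment, and scheme,
    host, port and path must exactly equal a registered URI after normalization."""
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.query or parts.fragment or parts.username or parts.password:
        return False
    normalized = f"https://{parts.hostname}"
    if port is not None and port != 443:
        normalized += f":{port}"
    normalized += parts.path or "/"
    return normalized in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, validator) -> dict:
    """Authorization endpoint decision. On an invalid redirect_uri the server
    must NOT redirect anywhere (redirecting to the bad URI is the bug); it
    returns an error to render in place. Otherwise it issues a code bound to
    the validated URI. The code is a stand-in; a real server stores it."""
    if not validator(client_id, redirect_uri):
        return {"error": "invalid_request", "redirect": None}
    code = secrets.token_urlsafe(24)
    return {"error": None, "redirect": f"{redirect_uri}?code={code}"}


# Constructed attacker-supplied redirect_uri values that a substring check lets through.
ATTACK_URLS = [
    "https://app.example.com.attacker.test/oauth/callback",      # lookalike host
    "https://attacker.test/?next=app.example.com",               # host in query
    "https://app.example.com@attacker.test/oauth/callback",      # host as userinfo
    "https://app.example.com/oauth/callback/../../r?to=https://attacker.test",
]
```

With a prefix or substring check every URL in `ATTACK_URLS` passes and the browser is sent, with the code attached, to a host the attacker controls; the exact-match check rejects all four and the endpoint renders an error instead of redirecting. Binding the issued code to the validated redirect URI and checking the `state` parameter on return are the other two halves of the defence and are not shown here.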
Ubuntu

Ubuntu Founder Pledges No Back Doors In Linux (eweek.com) 99

Mark Shuttleworth, founder of Canonical and the Ubuntu Foundation, gave an interview to eWeek this week ahead of the Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report: One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
Government

Kim Jong-Un Bans All Weddings, Funerals And Freedom Of Movement In North Korea (independent.co.uk) 197

An anonymous reader quotes a report from The Independent: Weddings and funerals have been banned and Pyongyang is in lockdown as preparations for a once-in-a-generation party congress get underway in North Korea. The ruling Workers' Party of Korea, headed by the country's leader, Kim Jong-un, is due to stage the first gathering of its kind for 36 years on Friday. Free movement in and out of the capital has also been forbidden and there has been an increase in inspections and property searches, according to Daily NK, which claims to have sources in the country. The temporary measures are said to be an attempt to minimize the risk of "mishaps" at the event, according to Cheong Joon-hee, a spokesman at South Korea's Unification Ministry. Meanwhile, North Korea has been conducting missile tests left and right, many of which have failed miserably.
AI

Self-Driving Features Could Lead To More Sex In Moving Cars, Expert Warns (www.cbc.ca) 264

An anonymous reader writes: According to CBC.ca, "At least one expert is anticipating that, as the so-called 'smart' cars get smarter, there will eventually be an increase in an unusual form of distracted driving: hanky-panky behind the wheel." Barrie Kirk of the Canadian Automated Vehicles Centre of Excellence said, "I am predicting that, once computers are doing the driving, there will be a lot more sex in cars. That's one of several things people will do which will inhibit their ability to respond quickly when the computer says to the human, 'Take over.'" Federal officials, who have been tasked with building a regulatory framework to govern driverless cars, highlighted their concerns in briefing notes compiled for Transport Minister Marc Garneau. "Drivers tend to overestimate the performance of automation and will naturally turn their focus away from the road when they turn on their auto-pilot," said the note. The Tesla autopilot feature has been receiving the most criticism as there have been many videos posted online showing Tesla drivers engaged in questionable practices, including reading a newspaper or brushing their teeth.
EU

Greenpeace Leaks Big Part Of Secret TTIP Documents (bbc.com) 118

An anonymous reader writes: The environmental group Greenpeace has obtained 248 pages of classified documents from the Transatlantic Trade and Investment Partnership (TTIP) trade talks. The group warns EU standards on the environment and public health risk being undermined by compromises with the US, specifically that US corporations may erode Europe's consumer protections. The TTIP would "harmonize regulations across a huge range of business sectors, providing a boost to exporters on both sides of the Atlantic," writes the BBC. After the Greenpeace leak was published, EU Trade Commissioner Cecilia Malmstroem said in her blog, "I am simply not in the business of lowering standards." Meanwhile, Greenpeace EU director Jorgo Riss said, "These leaked documents confirm what we have been saying for a long time: TTIP would put corporations at the center of policy-making, to the detriment of environment and public health." You can be the judge for yourself. The leaked documents are available for download here.
Encryption

Without Encryption, Everything Stops, Says Snowden (thehill.com) 139

An anonymous reader writes about Snowden's appearance in a debate with CNN's Fareed Zakaria: Edward Snowden defended the importance of encryption, calling it the "backbone of computer security." He said, "Encryption saves lives. Encryption protects property. Without it, our economy stops. Our government stops. Everything stops. Our intelligence agencies say computer security is a bigger problem than terrorism, than crime, than anything else," he noted. "[...] Lawful access to any device or communication cannot be provided to anybody without fatally compromising the security of everybody."
Music

Audiophile Torrent Site What.CD Fully Pwnable Thanks To Wrecked RNG (theregister.co.uk) 121

Reader mask.of.sanity writes: Users of the popular audiophile torrent site What.CD can make themselves administrators, completely compromising the private music site and bypassing its notorious download ratio limits, thanks to the use of the mt_rand function for password resets, a researcher has found. From the report (edited and condensed): What.CD is the world's most popular high-quality private music torrent site and requires its users to pass an interview testing their knowledge of audio matters before they are granted an account. Users must maintain a high upload-to-download ratio to continue downloading from the site. [...] "I reported it a year ago, and they acknowledged it but said 'don't worry about it,'" said the New Zealand-based independent security researcher who goes by the alias ss23.
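mt_rand is PHP's Mersenne Twister, a statistical PRNG with a seed, not a cryptographic one, which is why a reset token built from it can be reproduced by anyone who learns the seed. The following is an added example, not What.CD's code or the researcher's exploit: a reset service that draws tokens from Python's random.Random (also MT19937, standing in for mt_rand), the attacker's recovery of the seed from a token issued to an account they control, the prediction of the next token handed out, and the fixed service using the OS CSPRNG. The one assumption that makes the brute force cheap is that the generator was seeded from a small space, modelled here as a Unix timestamp the attacker can place within ten minutes; the seed value, timestamps and token format are constructed.

```python
"""Added example, not What.CD's code: seedable-PRNG reset tokens and why they
are predictable. Seed, timestamps and token format are constructed."""
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
TOKEN_LEN = 32


def tokens_from_seed(seed: int, count: int) -> list:
    """Replay `count` reset tokens from a Mersenne Twister seeded with `seed`.
    This is exactly what the vulnerable service computes, so anyone who knows
    (or guesses) the seed obtains the same sequence."""
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))
            for _ in range(count)]


class WeakResetService:
    """Vulnerable: one MT instance, seeded once from the clock at start-up,
    hands out every reset token for the lifetime of the process."""

    def __init__(self, boot_time: int):
        self._rng = random.Random(boot_time)

    def issue_token(self) -> str:
        return "".join(self._rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


class StrongResetService:
    """Fixed: tokens come from the OS CSPRNG; there is no seed to recover."""

    def issue_token(self) -> str:
        return secrets.token_urlsafe(32)


def recover_seed(own_token: str, approx_boot: int, window: int = 600):
    """Attacker step 1: request a reset for an account you control, then
    brute-force candidate seeds around the guessed start time until one
    reproduces your own token. Returns the seed or None."""
    for cand in range(approx_boot - window, approx_boot + window + 1):
        if tokens_from_seed(cand, 1)[0] == own_token:
            return cand
    return None


def predict_next_tokens(seed: int, already_issued: int, count: int) -> list:
    """Attacker step 2: with the seed, skip the tokens already handed out and
    read off the ones about to be issued, e.g. the admin's reset you trigger
    next."""
    return tokens_from_seed(seed, already_issued + count)[already_issued:]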
Bitcoin

Craig Wright Claims He's Satoshi Nakamoto, the Creator Of Bitcoin 145

Australian entrepreneur Craig Wright has put an end to the years-long speculation about the creator of Bitcoin. In an interview with the BBC, The Economist (may have a paywall), and GQ, Wright claimed that he is indeed the person who developed the concepts on which Bitcoin cryptocurrency is built. According to the BBC, Mr. Wright provided "technical proof to back up his claim using coins known to be owned by Bitcoin's creator." Wright writes in a blog post: [A]fter many years, and having experienced the ebb and flow of life those years have brought, I think I am finally at peace with what he meant. If I sign Craig Wright, it is not the same as if I sign Craig Wright, Satoshi[...] Since those early days, after distancing myself from the public persona that was Satoshi, I have poured every measure of myself into research. I have been silent, but I have not been absent. I have been engaged with an exceptional group and look forward to sharing our remarkable work when they are ready. Satoshi is dead. But this is only the beginning. According to Wright's website, he is a "computer scientist, businessman and inventor" born in Brisbane, Australia, in October 1970. Some have questioned the authenticity and relevance of the "technical proof" Wright has provided. Nik Cubrilovic, an Australian former hacker and leading internet security blogger, wrote, "I don't believe for a second Wright is Satoshi. I know two people who worked with Wright, characterized him as crazy and schemer/charlatan." Michele Spagnuolo, Information Security Engineer at Google added, "He's not Satoshi. He just reused a signed message (of a Sartre text) by Satoshi with block 9 key as 'proof.'"
Crime

The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com) 220

schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"

Government

US Spy Court Didn't Reject a Single Government Surveillance Request In 2015 (zdnet.com) 91

schwit1 shares news from ZDNet's security blog: In more than three decades, the FISA Court has only rejected 12 requests. A secret court that oversees the US government's surveillance requests accepted every warrant that was submitted last year, according to new figures. The Washington, DC-based Foreign Intelligence Surveillance Court received 1,457 requests from the National Security Agency and the Federal Bureau of Investigation to intercept phone calls and emails. In long-standing fashion, the court did not reject a single warrant, entirely or in part.

The FBI also issued 48,642 national security letters, a subpoena-like power that compels a company to turn over data on national security grounds without informing the subject of the letter. The memo said the majority of these demands sought data on foreigners, but almost one-in-five were requests for data on Americans.

It'll be interesting to see if the numbers go down any in 2016, since in November the court appointed five new lawyers to push back against government requests. Meanwhile, a new report shows an increase in the number of government requests to Facebook about their users, more than half of which contained a non-disclosure order prohibiting Facebook from notifying those users.
Microsoft

Amazon Beats Microsoft In 'The Battle of Seattle' (usatoday.com) 109

An anonymous reader writes: Yesterday Amazon CEO Jeff Bezos earned $5 billion in one afternoon when the company's stock price jumped 9.6%. Amazon reported an actual profit of $513 million (nearly double the amount expected), and next year Amazon's sales are projected by analysts to be 63% higher than Microsoft's, which USA Today calls "a good illustration of how growth in the sector has moved from hardware, software and chip companies to Internet firms selling goods or advertising online... [W]hile Bill Gates helped put the Seattle area on the map as a U.S. tech hub, Bezos now runs the largest tech company in the State of Washington, by far, in terms of sales."

Amazon's Echo and Alexa devices are believed to be outselling their Kindles (and Alexa will soon make her first appearance on a non-Amazon device). But Amazon attributed their surprise jump in revenue to a 51% annual increase in the "tens of millions" of subscribers paying for their Amazon Prime shipping service (which in San Francisco now even includes delivery from restaurants), as well as a 64% increase from their AWS cloud service, which recently announced a new automated security assessment tool.

Amazon ultimately reported more than twice as much new business as Google and three times as much as Facebook, according to USA Today, which notes that of all the tech companies, only Apple now has more revenue than Amazon, and because of the jump in their stock price, Jeff Bezos is now the fourth-richest person in the world. But with all that money floating around, Seattle tech blogger Jeff Reifman is now wondering why Amazon's local home delivery vehicles in Seattle seem to be operating with out-of-state plates.
Security

Malware Taps Windows' 'God Mode' 114

Reader wiredmikey writes: Researchers at McAfee have discovered a piece of malware dubbed "Dynamer" that is taking advantage of a Windows Easter egg -- or a power-user feature, as many see it -- called "God Mode" to gain persistence (warning: annoying popup ads) on an infected machine. God Mode, as many of you know, is a handy tool for administrators, as it is essentially a shortcut to the operating system's various control settings. The Dynamer malware abuses the feature by installing itself into a folder inside the %AppData% directory and creating a registry run key that persists across reboots. Because the folder uses a "com4" name, Windows treats it as a device, meaning the user cannot easily delete it: Windows Explorer and typical console commands are useless when attempting to remove it. McAfee writes: Fortunately, there is a way to defeat this foe. First, the malware must be terminated (via Task Manager or other standard tools). Next, run this specially crafted command from the command prompt (cmd.exe): > rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q.
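Two separate Windows behaviours combine in that folder name: the stem "com4" is a legacy DOS device name, so the Win32 path parser resolves the folder to the serial port instead of the directory and ordinary delete calls fail, which is why McAfee's command goes through the \\.\ device namespace; the ".{CLSID}" suffix is the God Mode trick that makes Explorer display the folder as a shell control panel. The following is an added example, not McAfee's tooling: a check that flags directory entries whose stem is a reserved device name, notes whether they also carry a CLSID suffix, and builds the \\.\-prefixed path that rd accepts. The directory listing is constructed; the CLSID is the one quoted above.

```python
"""Added example, not McAfee's code: flag reserved-device-name folders (the
trick Dynamer uses) and build the \\.\ path needed to remove them. The
%AppData% listing below is constructed."""
import re

# Classic Win32 reserved device names (COM0/LPT0 and COM10+ are not reserved).
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# Shell-folder (CLSID) suffix that makes Explorer render the folder as a control panel.
CLSID_SUFFIX = re.compile(r"\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def reserved_device_stem(name: str):
    """Return the device name a path component resolves to, or None. Win32
    compares the part before the first '.' case-insensitively and ignores
    trailing spaces, so 'com4.{...}' and 'NUL.txt' both match; 'COM10' does not."""
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED_DEVICE_NAMES else None


def device_namespace_path(base_dir: str, name: str) -> str:
    """Path form that bypasses the device-name lookup: \\\\.\\C:\\...\\com4.{...}.
    This is the string McAfee's rd command takes (with %appdata% expanded)."""
    return "\\\\.\\" + base_dir.rstrip("\\") + "\\" + name


def scan_entries(base_dir: str, entries) -> list:
    """Flag entries under base_dir whose stem is a reserved device name.
    Each finding records the device matched, whether a CLSID suffix is
    present, and the removal path."""
    findings = []
    for name in entries:
        device = reserved_device_stem(name)
        if device is None:
            continue
        findings.append({
            "name": name,
            "device": device,
            "has_clsid": bool(CLSID_SUFFIX.search(name)),
            "remove_path": device_namespace_path(base_dir, name),
        })
    return findings


# Constructed %AppData% listing; only the com4 entry comes from the write-up above.
SAMPLE_APPDATA = "C:\\Users\\alice\\AppData\\Roaming"
SAMPLE_ENTRIES = [
    "Microsoft",
    "Mozilla",
    "com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}",
    "Adobe",
]
```

For each finding, terminate the process first (as McAfee says) and then run `rd "<remove_path>" /S /Q` from cmd.exe; the Run key the write-up mentions still has to be removed separately. A benign folder can legitimately carry a CLSID suffix (that is the God Mode feature itself), so the reserved device stem, not the suffix, is the signal here.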
Security

Berkeley Researchers Examine Five Worst-Case Security Nightmares (berkeley.edu) 22

An anonymous reader writes: Berkeley researchers have gamed out five worst-case security scenarios at their Center for Long-Term Cybersecurity, calling it "a disciplined, imaginative approach to modeling what cybersecurity could mean in the future...to provoke a discussion about what the cybersecurity research and policy communities need to do now in order to be better positioned..." Two of the scenarios are set in 2020 -- one called "The New Normal" imagining a world where users assume their personal information can no longer be kept safe, and another involving the privacy and security implications in a world where hackers lurk undetected on a now-ubiquitous Internet of Things.

"Our goal is to identify emerging issues that will become more important..." they write in an executive summary, including "issues on the table today that may become less salient or critical; and new issues that researchers and decision-makers a few years from now will have wished people in the research and policy communities had noticed -- and begun to act on -- earlier."

Scenario #2 imagines a super-intelligent A.I. which can predict and even manipulate the behavior of individuals, and scenario #3 involves criminals exploiting valuable data sets -- and data scientists -- after an economic collapse.
Security

Slack To Disable Thousands of Logins Leaked on GitHub (detectify.com) 27

An anonymous reader writes: Thursday one technology site reported that thousands of developers building bots for the team-collaboration tool Slack were exposing their login credentials in public GitHub repositories and tickets. "The irony is that a lot of these bots are mostly fun 'weekend projects,'" reported Detectify. "We saw examples of fit bots, reminding you to stretch throughout the day, quote bots, quoting both Jurassic Park...and Don Quixote...."

Slack responded that they're now actively searching for publicly-posted login credentials, "and when we find any, we revoke the tokens and notify both the users who created them, as well as the owners of affected teams." Detectify notes the lapse in security had occurred at a wide variety of sites, including "Forbes 500 companies, payment providers, multiple internet service providers and health care providers... University classes at some of the world's best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on..."
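Slack tokens are easy to find in a repository precisely because they are easy to recognise: each starts with a type prefix such as xoxb- (bot) or xoxp- (user). The following is an added example, not Detectify's scanner and not Slack's own search: a pass over file contents that locates tokens by that prefix, reports file and line, and prints them redacted so the report itself does not become another leak. The prefix pattern is a heuristic assumption rather than Slack's published token grammar; the repository files and tokens are constructed and are not valid credentials.

```python
"""Added example: find Slack tokens in repository contents by their xox?- prefix
and report them redacted. Pattern is a heuristic; sample repo is constructed."""
import re

# Assumed prefix convention (xoxa/xoxb/xoxp/xoxs), then 20+ token characters.
SLACK_TOKEN_RE = re.compile(r"\bxox[abps]-[A-Za-z0-9-]{20,}")


def find_slack_tokens(text: str) -> list:
    """Return (line_number, token) for every match in `text`, 1-based lines."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def redact(token: str, keep: int = 9) -> str:
    """Keep enough prefix to identify the token type and owner shard; mask the rest."""
    return token[:keep] + "*" * (len(token) - keep)


def scan_repo(files: dict) -> list:
    """files: {path: contents}. Returns findings as (path, line, redacted_token)."""
    findings = []
    for path, contents in files.items():
        for lineno, tok in find_slack_tokens(contents):
            findings.append((path, lineno, redact(tok)))
    return findings


# Constructed "repository" for a stretch-reminder bot; tokens are not real.
SAMPLE_REPO = {
    "config.py": (
        "# bot settings\n"
        "SLACK_TOKEN = 'xoxb-111111111111-CONSTRUCTEDexampleTOKEN0000'\n"
        "CHANNEL = '#stretch-reminders'\n"
    ),
    "README.md": (
        "Run with:\n"
        "    SLACK_TOKEN=xoxp-2222222222-3333333333-4444444444-cccccccccccccccccccccccc python bot.py\n"
        "Say xoxo-not-a-token to the bot and it replies.\n"
    ),
}
```

Deleting the line from the repository is not remediation: the token stays in git history, forks and search-engine caches, which is why Slack's response is to revoke the token and notify the team owner. A pre-commit hook running `scan_repo` over staged files stops the leak before it reaches GitHub; a scan of existing history tells you which tokens to revoke.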

Democrats

White House Releases Report On How To Spur Smart-Gun Technology (computerworld.com) 313

Lucas123 writes: A report commissioned by the White House involving the Defense, Justice and Homeland Security Departments has begun a process to define, for the first time, the requirements that manufacturers would need to meet for federal, state, and municipal law enforcement agencies to consider purchasing firearms with "smart" safety technology. They've committed to completing that process by October, and will also identify agencies interested in taking part in a pilot program to develop the smart gun technology. The DoD will help manufacturers test smart guns under "real-world conditions" at the U.S. Army Aberdeen Test Center in Maryland. Manufacturers would be eligible to win cash prizes through that program as well. In addition to spurring the adoption of smart gun technology, the report stated that the Social Security Administration has published a proposed rule that would require individuals prohibited from buying a gun due to mental health issues to be included in a background check system.
Iphone

FBI Bought $1M iPhone 5C Hack, But Doesn't Know How It Works (theguardian.com) 76

An anonymous reader writes: The FBI has no idea how the hack used in unlocking the San Bernardino shooter's iPhone 5C works, but it paid a sum less than $1m for the mechanism, according to a report. Reuters, citing several U.S. government sources, notes that the government intelligence agency didn't pay a value over $1.3m for purchasing the hack from professional hackers, as previously reported by many outlets. The technique can also be used as many times as needed without further payments, the report adds. The FBI director, James Comey, said last week that the agency paid more to get into the iPhone 5C than he will make in the remaining seven years and four months he has in his job, suggesting the hack cost more than $1.3m, based on his annual salary.
Security

GCHQ Has Disclosed Over 20 Vulnerabilities This Year (vice.com) 29

Joseph Cox, reporting for Motherboard: Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK's signals intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla. Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS. "So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products," a GCHQ spokesperson told Motherboard in an email. CESG, or the National Technical Authority for Information Assurance, is the information security wing of GCHQ. Those issues include a kernel vulnerability in OS X El Capitan v10.11.4, the latest version, that would allow arbitrary code execution, and two in iOS 9.3, one of which would have done largely the same thing, and the other could have let an application launch a denial of service attack.
Security

US Toy Maker Maisto's Website Pushes Ransomware (pcworld.com) 26

An anonymous reader shares a PCWorld article: Attackers are aggressively pushing a new file-encrypting ransomware program called CryptXXX by compromising websites, the latest victim being U.S. toy maker Maisto. Fortunately, there's a tool that can help users decrypt CryptXXX affected files for free. Security researchers from Malwarebytes reported Thursday that maisto.com was infected with malicious JavaScript that loaded the Angler exploit kit. This is a Web-based attack tool that installs malware on users' computers by exploiting vulnerabilities in their browser plug-ins. CryptXXX also steals bitcoins from local wallets, a double hit to victims, because it then asks for the equivalent of $500 in bitcoins in order to decrypt their files. [...] Researchers from antivirus firm Kaspersky Lab recently updated their ransomware decryption tool to add support for CryptXXX affected files. The attack code exploits vulnerabilities in older versions of applications such as Flash, Java, Internet Explorer, and Silverlight. At this point, it isn't clear exactly how many users are affected.
Government

Supreme Court Gives FBI More Hacking Power (theintercept.com) 174

An anonymous reader cites an article on The Intercept (edited and condensed): The Supreme Court on Thursday approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes, which will take effect in December unless Congress adopts competing legislation, would allow the FBI to go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant. Previously, under the federal rules on criminal procedure, a magistrate judge couldn't approve a warrant request to search a computer remotely if the investigator didn't know where the computer was -- because it might be outside his or her jurisdiction. The rule change would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor. "Unbelievable," said Edward Snowden. "FBI sneaks radical expansion of power through courts, avoiding public debate." Ahmed Ghappour, a visiting professor at University of California Hastings Law School, has described it as "possibly the broadest expansion of extraterritorial surveillance power since the FBI's inception."
