
Submission + - Russian troll factory paid US activists to fund protests during election (theguardian.com)

bestweasel writes: The Guardian reports on another story about Russian meddling but interestingly this one comes from a Russian news source, RBC. Russian trolls posing as Americans made payments to genuine activists in the US to help fund protest movements on socially divisive issues.
On Tuesday, the newspaper RBC published a major investigation into the work of a so-called Russian “troll factory” since 2015, including during the period of the US election campaign, disclosures that are likely to put further spotlight on alleged Russian meddling in the election.
RBC said it had identified 118 accounts or groups in Facebook, Instagram and Twitter that were linked to the troll factory, all of which had been blocked in August and September this year as part of the US investigation into Russian electoral meddling.
RBC story (in Russian).
Moscow Times: Kremlin Troll Factory's Methods and Figures Revealed

Submission + - Tribal "Sovereign Immunity" Patent Protection Could Be Outlawed

AnalogDiehard writes: The recent — and questionable — practice of technological and pharmaceutical companies selling their patents to US native indian tribes (where they enjoy "sovereign immunity" from the inter partes review (IPR) process of the PTO) then the tribes licensing them back to the companies is drawing scrutiny from a federal court and has inspired a new US bill outlawing the practice. The IPR process is a "fast track" (read: much less expensive) process through the PTO to review the validity of challenged patents — it is loved by defendants and hated by patent holders. Not only has US Circuit Judge William Bryson invalidated Allergan's pharmaceutical patents due to "obviousness", he is questioning the legitimacy of the sovereign immunity tactic. The judge was well aware that the tactic could endanger the IPR process which was a central component of the America Invents Act of 2011 and writes that sovereign immunity "should not be treated as a monetizable commodity that can be purchased by private entities as part of a scheme to evade their legal responsibility." US Senator Claire McCaskill (D-Mo.) — no stranger to abuses of the patent system — has introduced a bill that would outlaw the practice she describes as "one of the most brazen and absurd loopholes I've ever seen and it should be illegal." Sovereign immunity is not absolute and has been limited by Congress and the courts in the past. The bill would apply only to the IPR proceedings and not to patent disputes in federal courts.

Submission + - Tesla employees detail how they were fired, claim dismissals were not performanc (cnbc.com)

joshtops writes: Tesla is trying to disguise layoffs by calling the widespread terminations performance related, allege several current and former employees. On Friday, the San Jose Mercury News first reported that Tesla had dismissed an estimated 400 to 700 employees. That number represents between 1 and 2 percent of its entire workforce. But one former employee, citing internal information shared by a manager, said the total number fired is higher than 700 at this point. Most of the people let go from Tesla so far have been from its motors business, said people familiar with the matter. They were not from other initiatives like Tesla Powerwall, which is helping restore electricity to the residents of Puerto Rico now. The mass firings, which affected Tesla employees across the U.S., had begun by the weekend of Oct. 7 and continued even after the initial news report, sources said. Among those whose jobs were terminated in this phase, some were given severance packages quickly while others are still waiting on separation agreements. Some terminated employees told CNBC they were informed via email or a phone call "without warning," and told not to come into work the next day. The company also dismissed other employees without specifying a given performance issue, according to these people. "Seems like performance has nothing to do with it," one Tesla employee told CNBC under the condition of anonymity. "Those terminated were generally the highest paid in their position," this person said, suggesting that the firings were driven by cost-cutting. That assessment was echoed by several others, including three employees fired from Tesla during this latest wave.

Submission + - In a Post-Password Era, Getting Rid of Passwords is the Problem (securityledger.com)

chicksdaddy writes: Large, tech-savvy corporations recognize that the static password is dead. Still, they can't seem to stop using and relying on them. That's the conclusion of a panel discussion at the Akamai EDGE (https://edge.akamai.com) event in Las Vegas last week, where executives at some of the U.S.’s leading corporations agreed that the much-maligned password won’t be abandoned any time soon, even as data breaches and follow-on attacks like automated “credential stuffing” make passwords more susceptible than ever to abuse, The Security Ledger reports. (https://securityledger.com/2017/10/in-post-password-era-passwords-are-the-problem/)

“We reached the end of needing passwords maybe seven years ago, but we still use them,” said Steve Winterfeld, Director of Cybersecurity at clothing retailer Nordstrom. “They’re still the primary layer of defense.” “It’s hard to kill them,” noted Shalini Mayor, who is a Senior Director at Visa Inc. “The question is what to replace them with.”

This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called “credential stuffing” techniques, which use automated password guessing attacks against web-based applications.

Large retailers and other vendors often perceive what Patrick Sullivan, the Director of Security Technology and Strategy at Akamai, likened to a “disruption in the force” well before major breaches are disclosed, as stolen credentials from those hacks are used to try to break into their own systems. However, the sheer number of breaches makes spotting the source of a particular leaked credential all but impossible.

Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Shalini said Visa is “looking at” biometric technologies like Apple’s TouchID as a tool for making payments securely. Such technologies – from fingerprint scans to facial and retinal scans – promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error-prone or too difficult to use.

Submission + - Google Home finally gets a real sleep timer! (vortex.com)

Lauren Weinstein writes: Google Home, nearly a year after its initial release, finally has a real sleep timer! (https://support.google.com/googlehome/answer/7028899).

Some readers have speculated that this popular post from early this month, "How to Fake a Sleep Timer on Google Home" (https://lauren.vortex.com/2017/10/04/how-to-fake-a-sleep-timer-on-google-home), somehow "shamed" Google into final action on this. I wouldn't go that far. But I'll admit that it's somewhat difficult to stop chuckling a bit right now. In any case, thanks to the Home team!

Submission + - Smartphones Are Killing Americans, But Nobody's Counting (bloomberg.com)

Zorro writes: Amid a historic spike in U.S. traffic fatalities, federal data on the danger of distracted driving are getting worse.

Increase in fatalities has been largely among bicyclists, motorcyclists, and pedestrians—all of whom are easier to miss from the driver’s seat than, say, a 4,000-pound SUV—especially if you’re glancing up from your phone rather than concentrating on the road. Last year, 5,987 pedestrians were killed by cars in the U.S., almost 1,100 more than in 2014—that’s a 22 percent increase in just two years.

Submission + - These guys are transcribing all the audio on the internet. (fluiddata.com)

An anonymous reader writes: I've been into podcasting for a number of years now and I ran across this website called FluidDATA. It looks like they've made an audio search engine that lets you search for words or phrases in audio files. And from what I can tell, it looks like they have millions of files...

Are these guys going to be the Google of audio?

Submission + - Ophelia Became a Major Hurricane Where No Storm Had Before (arstechnica.com)

An anonymous reader writes: The system formerly known as Hurricane Ophelia is moving into Ireland on Monday, bringing "status red" weather throughout the day to the island. The Irish National Meteorological Service, Met Eireann, has warned that, "Violent and destructive gusts of 120 to 150km/h are forecast countrywide, and in excess of these values in some very exposed and hilly areas. There is a danger to life and property." Ophelia transitioned from a hurricane to an extra-tropical system on Sunday, but that only marginally diminished its threat to Ireland and the United Kingdom on Monday, before it likely dissipates near Norway on Tuesday. The primary threat from the system was high winds, with heavy rains. Forecasters marveled at the intensification of Ophelia on Saturday, as it reached Category 3 status on the Saffir-Simpson scale and became a major hurricane. For a storm in the Atlantic basin, this is the farthest east that a major hurricane has been recorded during the satellite era of observations. Additionally, it was the farthest north, at 35.9 degrees north, that an Atlantic major hurricane has existed this late in the year since 1939.

Submission + - 6 Hard Truths IT Must Learn To Accept

snydeq writes: The rise of shadow IT, shortcomings in the cloud, security breaches — IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks, writes Dan Tynan in an article on six hard truths IT must learn to accept. 'It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything.' What are some hard truths your organization has been dealing with?

Submission + - Second Crypto Bug of the Day: Infineon TPM Chipsets Generate Insecure RSA Keys (bleepingcomputer.com)

An anonymous reader writes: Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack. TPM stands for Trusted Platform Module (TPM), which is an international standard for secure cryptoprocessors that are used to store critical data such as passwords, certificates, and encryption keys.

According to a security alert issued by Infineon last week and research published today, a vulnerability in the Infineon TPM firmware results in the generation of weak RSA keys. The vulnerability allows for an attack on RSA1024 and RSA2048, and affects chips manufactured as early as 2012. RSA encryption works by encrypting data with a dual private and public key. The attack allows an attacker to determine the private key.

Infineon issued a firmware update last week and has forwarded the update to motherboard vendors which are now working on integrating the Infineon TPM firmware update into all their products. Known affected vendors include Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba, and other smaller Chromebook vendors. Both Microsoft and Google have issued "workarounds" as part of security updates, but fixing this attack surface will require manually patching the motherboard firmware of all affected vendors.

Submission + - With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com)

szczys writes: As the number and frequency of password breaches rise, users are encouraged to use Two-Factor Authentication as an additional safeguard. This protects from an attacker listening in right now, but in many cases a database breach will negate the protections of two-factor:

To fake an app-based 2FA query, someone has to know your TOTP password. That’s all, and that’s relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone’s TOTP keys. How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle’s flash memory, and the device was shipped with it installed. This was pretty plausibly “something you had” even though it was based on a secret number embedded in silicon. (More like “something you don’t know?”) The app authenticators are doing something very similar, even though it’s all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into “something I know”, at least for me.

In the case of a database breach it may be years before the attack is disclosed to the user. During all of that time, if the TOTP keys were included in the breach it is the complexity of the passwords (and the regular changing of passwords) that will protect against a compromised account. In other words, 2FA is an enhancement to password security, but good password practices are far and away still the most important of security protocols. Despite constant warnings on this topic, there's no reason to believe users will start using and regularly changing strong passwords.

Submission + - WPA2 security flaw puts almost every Wi-Fi device at risk of eavesdropping (zdnet.com)

An anonymous reader writes: A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.

The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.

In other words: hackers can eavesdrop on your network traffic.

The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices — putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.
