
Comment Give 'em money. I'm not even kidding. (Score 1) 128

Want to know when somebody finds an XSS vuln in your timesheet app? Give 'em a Starbucks gift card. Or a $20 pre-paid gift debit card they can use anywhere.

Sure, employees will try to game the system at first, and you'll find loopholes in your "rules" of the game. But the end result is net positive:

1) Your employees are *paid* and *happy* to notify the company of vulnerabilities, and
2) You. Fucking. Fix. Vulnerabilities.

Seriously, it's a net win for both the company and the employees. Just do it.

Comment From GRC who brought you ShieldsUp! and SpinRite (Score -1, Flamebait) 31

SQRL, ShieldsUp and SpinRite are all crap. When I first heard about SQRL I knew it wasn't thought through completely, like how ShieldsUp! permits joe-random-employee at $office to cause to portscan the ever loving shit out of your corporate firewall. I've blocked the scanner from at multiple offices.

And no, SpinRite doesn't do jack.

Comment Stallman's open-source-everywhere view blinds him (Score 5, Informative) 208

Source: e-mail exchange with him, based on my ShmooCon presentation on hacking USB flash drives.

In short: I said there's no way you can have open source firmware for a proprietary undocumented ASIC, that has to keep track with new developments in flash memory every 3 months.

He went on to ask if there was a way to buy a USB flash drive that wasn't field-reprogrammable, or to "convince a company to make USBs [sic] that way". I'm not aware of any, and it's impossible as-is to A) ask a vendor "What chips are you using?" and B) have the vendor use the same controller/flash chips on the same device.

Dude wouldn't listen, and I gave up trying to educate him.


Submission + - Cisco Talos Thwarts Massive Exploit Kit Generating $60M Annually From Ransomware

Da w00t writes: Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kits found on the market and has been making news as it has been linked to several high profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in depth visibility into the domain activity associated with the adversaries.

Submission + - Bypassing browser pop-up blocking: When does software start becoming malware?

Da w00t writes: Talos security researchers detected a malicious Shockwave Flash file that not only bypasses pop-up blockers, but also accurately fingerprints computers with the help of some JavaScript. The "Infinity Popup Toolkit" is a prime example of software that falls into this gray area by bypassing browser pop-up blocking.

Submission + - SSH Brute Force Attackers Taken Down

An anonymous reader writes: Cisco Talos and Level 3 Communications have worked to take down a group that was conducting large-scale SSH brute force attacks. At times the group was accounting for more than a third of the SSH traffic on the Internet. The threat has been known and action needed to be taken. Show your support by tweeting #DownWithSSHPsychos

Submission + - Sniff and decrypt BLE with Ubertooth

mpeg4codec writes: Hot on the heels of Omri Iluz's BLE-sniffer-on-the-cheap, I decided to write up the BLE (Bluetooth Smart) sniffer I built on Ubertooth. My sniffer is highly robust, can capture data from connections, and is 100% open source.

I also discovered a major flaw in BLE's crypto that allows an attacker to crack its encryption key and decrypt data, 100% passively. I wrote a tool called crackle that will automatically decrypt encrypted BLE data captured by Ubertooth.

Comment Classified. You keep using that word. (Score 1) 243

I do not think it means what you think it means. Classified documents originate from a classification authority. There is no classification authority within Apple. Classification authorities are within the state and federal government. While Apple is large (and last I heard had more money than the Federal Reserve), that doesn't mean they can classify documents :)

Now, there can be trade secrets, that's an entirely different thing. :)

Comment So, that KORUS treaty is still a problem, I think. (Score 4, Interesting) 378
