Submission + - Icefog Espionage Campaign 'Hit and Run' Targeted Operation

msm1267 writes: An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.
The China-based campaign is two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.
However, while other APT campaigns maintain a long-term persistence inside infected networks, Icefog seems to do just the opposite. The attackers, Kaspersky researchers said, know what they need from a victim and once they have it, the target is abandoned. They’re also likely a small group of hired guns, akin to mercenaries, used to attack a particular group, steal data, and get out quickly.

Submission + - Regulation Hasn't Improved Fed IT Security: Survey

Nerval's Lobster writes: Only 53 percent of federal information-security specialists believe their agencies have seen any real benefit from a 2002 law designed to create enforceable standards for federal cybersecurity during the past decade, says a new study. The Federal Information Security Management Act of 2002 was designed to recognize the importance of digital security, create standards federal agencies could follow to make sure their data protection was up to snuff, and help document both the effort to secure digital data and the improvements that resulted. After more than a decade, however, only 22 percent of federal IT security people believe the security procedures at their own agencies are “sufficient and sustainable,” let alone adequate to meet the demands of an increasingly risky digital landscape, according to a study sponsored by security vendor NetApp and conducted by Federal-agency-oriented IT social networking site MeriTalk. The situation for most agencies is far more dire now than when FISMA was passed. During the past 12 months, 64 percent of Federal agencies have had to defend themselves against leaks or insider threats, according to the survey. Another 48 percent had to defend against a state-sponsored threat and 60 percent were attacked by non-state-sponsored groups.

Comment Good enough to disable internet access? (Score 1) 387

Would disabling internet access be enough? You could have your app unload the Ethernet driver when it runs and then reload the driver when it exits. Of course your app would have to have system level permissions to futz with Ethernet and you'd have to deny those permissions to the user.

I'm not sure how you could disable running other applications if you're not allowed to change the OS configuration.

Comment Re:Play favorites? I believe it (Score 1) 323

Then just make a distinction between the meanings:

1) What the author meant when they wrote it
2) What the work meant to the culture of the time
3) What the work means to us now

What's hard about that? Why should someone else be able to say what the author meant? On the other hand the author shouldn't be able to tell others that they can't take a different meaning out of it, they can just be told that's not what the author said they meant.

Comment Re:Another 25% are still lyiing (Score 1) 484

It depends on the class whether that is considered cheating though. I had some classes where the prof encouraged us to get together to work on homework assignments, but we weren't allowed to just copy each other's work. However, they usually also singled out a few assignments that were to be done completely solo.

Comment Re:CarPC (Score 1) 202

If it's removable, you can take it with you, I've no idea why you would leave it in the car.

Yeah, but then you have to lug an iPad around everywhere you go. It's not like it will fit in your pocket.

Conversely, regular car stereos, not designed to be taken with you when you get out of the car are (or were) notoriously easy to steal. I imagine the same would be true of an aftermarket car computer or DIY car computer.

I think this is still true of aftermarket car stereos though they usually have removable faceplates that you can store in the glovebox (or take with you, but then you have the same problem as the iPad of lugging it around everywhere). If the car computer is integrated in the dash, then you would have to take the dash apart or really slash it up to get at the computer (not that this is hard, but I don't think it's a simple smash and grab). If it's just a laptop sitting under a seat with an LCD in the dash, then yeah you're right.

Comment Re:Add-ons (Score 1) 202

He wasn't complaining about paying extra for the satnav, he was complaining about being asked to pay an absurd amount for satnav. When you can get a good standalone unit for ~$200, ~$4000 sounds ridiculous especially considering the screen already exists so the only things you are paying for are the receiver and the software. Sure you're going to pay more to have it done by the dealer and have it integrated with the rest of the car information system, but about 20 times the cost of a standalone unit sounds like a rip-off to me.

Comment Re:Yes, SHA1 security is questionable.. (Score 1) 217

In a system that correctly applies the salt, your new input will not generate the same hash. I.e.:

1) User sets password; password is hashed with the salt (e.g., passwordHash = hash(salt+password))
2) You discover the resultant hash
3) You find a collision that produces the same hash (hash(collisionValue) == passwordHash)
4) You then try to use this collisionValue to gain access to the system, but because of the use of a salt the system will take your collisionValue and add the salt; this will produce a completely different resultant hash and will not match the stored password hash.

hash(salt+collisionValue) != passwordHash.

Unless you know of a side-channel attack, or have access to enough hashes where you already know the password in order to determine the salt (or format of the salt for a roaming salt) then your collision is not effective.

Okay, so salt is more useful than I thought. For some reason I was thinking collision == access, but you're right that no one allows you to provide just the hash as that would be stupid (and pretty much defeat the purpose of hashing the password) and, as you state, if the stored hash is generated (and therefore authenticated) with salt, then your collision value won't give you access.

A well written explanation, thank you.

Comment Re:Yes, SHA1 security is questionable.. (Score 2, Interesting) 217

I think you misunderstand what AndrewNeo was saying. When you have the hash itself, you can then try to find some input that also produces that hash (a collision). You don't have to know anything about the original password or the salt.

As far as I can tell, salting only helps against rainbow table attacks. OP wasn't using those, he was computing the hashes (and thus finding collisions) using only the EC2 GPU instance. He was generating the tables themselves. Salt won't help you in that case. It just requires more compute power which has now become available thanks to the EC2 GPU instances that Amazon is offering.
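As an added example (not code from either commenter, nor from the EC2 experiment they discuss), here is a Python sketch of the hash(salt+password) scheme the two replies above argue about. It uses constructed accounts and a constructed five-word wordlist, and assumes the attacker has obtained the stored (salt, hash) table. It shows two things at once: why handing the server a value that merely hashes to the stored digest does not log you in (the server salts and rehashes whatever it is given), and what a salt does and does not do against the brute-force attack described in the second reply.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): a small wordlist an attacker
# would try against a leaked table of password hashes.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]


def hash_password(password: str, salt: bytes) -> bytes:
    """hash(salt + password), the scheme the replies above describe.

    SHA-1 is kept only to match the thread; a real system should use a slow,
    salted password hash (PBKDF2, bcrypt, scrypt or Argon2) instead.
    """
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def register(users: Dict[str, Tuple[bytes, bytes]], username: str,
             password: str, salt: Optional[bytes] = None) -> None:
    """Store (salt, hash) for one account; default is a fresh 16-byte random salt."""
    if salt is None:
        salt = os.urandom(16)
    users[username] = (salt, hash_password(password, salt))


def verify(users: Dict[str, Tuple[bytes, bytes]], username: str, candidate: str) -> bool:
    """Login check: the server prepends the stored salt to whatever the client sent.

    A client never gets to present a hash directly; even a string that hashes to
    the stored value on its own is salted and rehashed like any other password.
    """
    salt, stored = users[username]
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def crack(users: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on a leaked (salt, hash) table.

    Returns the recovered passwords and the number of hash computations spent.
    With one shared (or empty) salt each guess is hashed once and compared
    against every account; with per-account salts each guess has to be hashed
    once per distinct salt, so the work grows with the number of accounts.
    """
    found: Dict[str, str] = {}
    work = 0
    distinct_salts = {salt for salt, _ in users.values()}
    for guess in wordlist:
        for salt in distinct_salts:
            digest = hash_password(guess, salt)
            work += 1
            for name, (user_salt, stored) in users.items():
                if user_salt == salt and stored == digest:
                    found[name] = guess
    return found, work


def demo() -> Dict[str, object]:
    """Build an unsalted and a per-user-salted table from the same accounts and attack both."""
    creds = {"alice": "hunter2", "bob": "hunter2", "carol": "letmein"}  # constructed

    unsalted: Dict[str, Tuple[bytes, bytes]] = {}
    for name, pw in creds.items():
        register(unsalted, name, pw, salt=b"")  # no salt at all
    salted: Dict[str, Tuple[bytes, bytes]] = {}
    for name, pw in creds.items():
        register(salted, name, pw)  # fresh random salt per account

    found_u, work_u = crack(unsalted, WORDLIST)
    found_s, work_s = crack(salted, WORDLIST)

    # What "collision == access" would require: logging in by handing the server
    # the stored hash itself. The server salts and hashes that string, so it fails.
    stored_hex = salted["alice"][1].hex()

    return {
        "unsalted_same_hash": unsalted["alice"][1] == unsalted["bob"][1],  # shared password shows
        "salted_same_hash": salted["alice"][1] == salted["bob"][1],
        "unsalted_work": work_u,
        "salted_work": work_s,
        "recovered_unsalted": found_u,
        "recovered_salted": found_s,
        "login_with_password": verify(salted, "alice", "hunter2"),
        "login_with_stored_hash": verify(salted, "alice", stored_hex),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the two halves of the thread side by side. The salt makes the login-with-a-collision idea moot and it makes alice's and bob's identical passwords hash differently, which also kills precomputed tables and the "hash each guess once, compare against every account" shortcut (5 hash computations against the unsalted table versus 15 against the salted one for the same five guesses). It does not change the cost of a single guess, so a weak password still falls to the same GPU dictionary run either way; that per-guess cost is what a slow KDF (PBKDF2, bcrypt, scrypt, Argon2) is for.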

Comment Re:Simple: (Score 1) 347

This guide is not by a lawyer, but it seems to have a good general overview of the law regarding photography (warning: pdf link). Basically there are four aspects to photography as far as the law is concerned. This is US law.

1) Whether you have a right to take a photograph (e.g. there are laws that restrict you from taking pictures of some military bases whether you can see them from a public place or not)
2) Whether you have a right to be in the place where you're taking the photograph (e.g. with Stonehenge I presume it's private property, so if you run in without paying their admission fee you'd be trespassing)
3) Whether you have a right to publish the photograph (e.g. you can't legally publish an image of a copyrighted work as your MoMA visit indicates though surely fair use would apply to parody or the like)
4) Whether you have a right to make money off the publication of a photograph (e.g. you can't sell a photo you took of Brett Favre without his permission, but there has to be more to it than that because the paparazzi are always selling celebrity photos)

In general, those four rights are unrelated. That is, you can be trespassing, but still be able to take a photograph and publish it, you just might be arrested for trespassing. As for British law, I have no idea what your rights would be. The government has video cameras watching you on the streets in London, but I wouldn't be the least bit surprised if I learned it was illegal for the general public to take pictures of those same cameras.

NY Times Confident of 'First Click Free' Paywalls 193

eldavojohn writes "One thing you might notice on Slashdot is that when someone submits a story linking to, it doesn't always work. While it's not truly a paywall, it appears to stop the user and require registration... sometimes. If you noticed this and it seems to be non-deterministic in when and where it asks you to login, you're simply noticing the latest strategy of 'first click free' being employed. We've heard that normal paywalls are a miserable failure (the Wall Street Journal's, one of the more successful, only lets you see the first paragraph online). Will the drug pusher approach work out for The New York Times? The CEO seems to be certain that this blogger (and Slashdot) friendly paywall is the correct option and will keep The New York Times as a 'part of the conversation' online when news is rapidly circulating." I will tell you that if I am asked for a password, I almost always reject the story immediately, or go find a better URL. Heck, yesterday I rejected a NY Times story for this exact reason. So we'll see how it pans out.