Space

How Activists Tried To Destroy GPS With Axes 132

Posted by samzenpus
from the here's-johnny dept.
HughPickens.com writes: Ingrid Burrington writes in The Atlantic about a little-remembered incident that occurred in 1992 when activists Keith Kjoller and Peter Lumsdaine snuck into a Rockwell International facility in Seal Beach, California and in what they called an "act of conscience" used wood-splitting axes to break into two clean rooms containing nine satellites being built for the US government. Lumsdaine took his axe to one of the satellites, hitting it over 60 times. The Brigade's target was the Navigation Satellite Timing And Ranging (NAVSTAR) Program and the Global Positioning System (GPS). Both men belonged to the Lockheed Action Collective, a protest group that staged demonstrations and blockaded the entrance at the Lockheed Missiles & Space Co. test base in Santa Cruz in 1990. They said they intentionally took axes to the $50-million Navstar Global Positioning System satellite to bring the public's attention to what they termed the government's attempt to control the world through modern technology. "I had to slow the deployment of this system (which) makes conventional warfare much more lethal and nuclear war winnable in the eyes of some," an emotional Kjoller told the judge before receiving an 18-month sentence. "It's something that I couldn't let go by. I tried to do what was right rather than what was convenient."

Burrington recently contacted Lumsdaine to learn more about the Brigade and Lumsdaine expresses no regrets for his actions. Even if the technology has more and more civilian uses, Lumsdaine says, GPS remains "military in its origins, military in its goals, military in its development and [is still] controlled by the military." Today, Lumsdaine views the thread connecting GPS and drones as part of a longer-term movement by military powers toward automated systems and compared today's conditions to the opening sequence of Terminator 2, where Sarah Connor laments that the survivors of Skynet's nuclear apocalypse "lived only to face a new nightmare: the war against the machines." "I think in a general way people need to look for those psychological, spiritual, cultural, logistical, technological weak points and leverage points and push hard there," says Lumsdaine. "It is so easy for all of us as human beings to take a deep breath and step aside and not face how very serious the situation is, because it's very unpleasant to look at the effort and potential consequences of challenging the powers that be. But the only thing higher than the cost of resistance is the cost of not resisting."
Businesses

Apple, Google, Bringing Low-Pay Support Employees In-House 80

Posted by samzenpus
from the come-on-into-the-house dept.
jfruh writes: One of the knocks against Silicon Valley giants as "job creators" is that the companies themselves often only hire high-end employees; support staff like security guards and janitors are contracted out to staffing agencies and receive lower pay and fewer benefits, even if they work on-site full time. That now seems to be changing, with Apple and Google putting security guards on their own payroll.
Security

Anthem Blocking Federal Auditor From Doing Vulnerability Scans 83

Posted by samzenpus
from the suspicious-behavior dept.
chicksdaddy writes: Anthem Inc., the Indiana-based health insurer, has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing "company policy" that prohibits third-party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do. This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including WellPoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.
Chrome

Firefox 37 To Check Security Certificates Via Blocklist 29

Posted by timothy
from the making-a-list-pushing-it-multiple-times dept.
An anonymous reader writes: The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser. OneCRL will permit non-live verification on EV certificates, trading off currency for speed. Chrome pushes its trawled list of CA revocations every few hours, and Firefox seems set to follow that method and frequency. Both Firefox and Chrome developers admit that OCSP stapling would be the better solution, but it is currently only supported in 9% of TLS certificates.
Canada

Star Trek Fans Told To Stop "Spocking" Canadian $5 Bill 219

Posted by samzenpus
from the draw-it-on-and-prosper dept.
bellwould writes: The Toronto Sun is reporting that Bank of Canada executives are urging Star Trek fans to stop altering Wilfrid Laurier's face on the Canadian $5 bill to look like Spock. Although not illegal to draw on the bills, a Bank of Canada spokesperson points out that the markings may reduce the effectiveness of the security features or, worse, the money may not be accepted.
Government

New Zealand Spied On Nearly Two Dozen Pacific Countries 125

Posted by samzenpus
from the keep-your-eyes-on-your-own-paper dept.
An anonymous reader writes: New documents from Edward Snowden indicate New Zealand undertook "full take" interception of communications from Pacific nations and forwarded the data to the NSA. The data, collected by New Zealand's Government Communications Security Bureau, was then fed into the NSA's XKeyscore search engine to allow analysts to trawl for intelligence. The New Zealand link helped flesh out the NSA's ambitions to intercept communications globally.
Businesses

Demand For Linux Skills Rising This Year 91

Posted by samzenpus
from the popular-kids dept.
Nerval's Lobster writes: This year is shaping up as a really good one for Linux, at least on the jobs front. According to a new report (PDF) from The Linux Foundation and Dice, nearly all surveyed hiring managers want to recruit Linux professionals within the next six months, with 44 percent of them indicating they're more likely to hire a candidate with Linux certification over one without. Forty-two percent of hiring managers say that experience in OpenStack and CloudStack will have a major impact on their hiring decisions, while 23 percent report security is a sought-after area of expertise and 19 percent are looking for Linux-skilled people with Software-Defined Networking skills. Ninety-seven percent of hiring managers report they will bring on Linux talent relative to other skills areas in the next six months.
Transportation

US Air Traffic Control System Is Riddled With Vulnerabilities 59

Posted by Soulskill
from the things-you-shouldn't-read-before-your-flight-today dept.
An anonymous reader writes: A recently released report (PDF) by the U.S. Government Accountability Office has revealed that despite some improvements, the Federal Aviation Administration (FAA) still needs to quash significant security control weaknesses that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). The report found that while the "FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment [...] a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems."
Privacy

Schneier: Either Everyone Is Cyber-secure Or No One Is 128

Posted by Soulskill
from the nobody's-safe-except-the-amish dept.
Presto Vivace sends a new essay from Bruce Schneier called "The Democratization of Cyberattack." Quoting: When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection -- basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. ... We can't choose a world where the U.S. gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.
Encryption

FREAK Attack Threatens SSL Clients 72

Posted by Soulskill
from the another-day-another-vuln dept.
msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys – known as export-grade keys – without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.
Wireless Networking

Flaw In GoPro Update Mechanism Reveals Users' Wi-Fi Passwords 35

Posted by timothy
from the oopsie dept.
An anonymous reader writes: A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over 1,000 login credentials (including his own). The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera's Wi-Fi network. Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend's camera, but the friend had forgotten the login credentials.
GUI

Why We Should Stop Hiding File-Name Extensions 561

Posted by timothy
from the text-rules dept.
An anonymous reader writes: 14 years after the Anna Kournikova virus took advantage of users' ignorance about file-name extensions in order to wreak worldwide havoc, virus writers and hackers are still taking advantage of the tendency of popular consumer operating systems to hide file-name extensions: Windows users still need to activate extension visibility manually – even though email-transmitted viruses depend most on less savvy users who will never do this. Additionally, applications on even the latest versions of Apple's OS X operating system still require the user to 'opt in' to including a file-name extension during an initial save. In looking at some of the eccentricities of the modern user experience, this article argues that it might be time to admit that users need to understand, embrace and responsibly use the only plain-text, obvious indicator of what a file actually is.
Cellphones

Blackphone 2 Caters To the Enterprise, the Security-Minded and the Paranoid 58

Posted by samzenpus
from the press-p-for-privacy dept.
Mark Wilson writes: While much of the news coming out of MWC 2015 has been dominated by Microsoft's Lumia 640, the Samsung Galaxy S6 Edge, and tablets from Sony, there's always room for something a little different. Following on from the security-focused Blackphone, Silent Circle used the Barcelona event to announce the follow-up — the Blackphone 2. The privacy-centric company has been working on the "world's first enterprise privacy platform" for some time now and the second-generation Blackphone. As you would expect, there's a faster processor than before -- an 8-core beast -- as well as an upgraded 3GB RAM, a larger 5.5 inch screen and a bigger battery than before. Blackphone 2 has a $600 price tag and will be unleashed in July.
Communications

Jolla Partners With SSH To Create Sailfish Secure 30

Posted by samzenpus
from the protect-ya-neck dept.
First-time accepted submitter muckracer writes: Finnish mobile company Jolla will be working with Finland's SSH Communications to offer another version of its SailfishOS platform with stronger security credentials. The partnership was announced today at Jolla's press conference in Barcelona at the Mobile World Congress trade show. SSH will be providing comms encryption and key management to Sailfish Secure.
Privacy

AVG Announces Invisibility Glasses 150

Posted by samzenpus
from the now-you-see-it-now-you-don't dept.
BrianFagioli writes: So what do these glasses from AVG Innovation Labs actually do? The security firm claims it can protect your identity in this new era of cameras everywhere. From the article: "'Through a mixture of technology and specialist materials, privacy wearables such as invisibility glasses can make it difficult for cameras or other facial recognition technologies to get a clear view of your identity', AVG claims. This is still in the prototype phase of testing, though it has been officially announced at Mobile World Congress in Barcelona. There's a lot of science behind this -- a series of infrared lights surrounding the eyes and nose is not visible to other people, but cameras will pick it up, making recognition difficult at best. There are also reflective materials involved, which aid in the blocking, or so it's claimed."
Data Storage

Ask Slashdot: How Does One Verify Hard Drive Firmware? 323

Posted by Soulskill
from the very-carefully dept.
An anonymous reader writes: In light of recent revelations from Kaspersky Labs about the Equation Group and persistent hard drive malware, I was curious about how easy it might be to verify my own system's drives to see if they were infected. I have no real reason to think they would be, but I was dismayed by the total lack of tools to independently verify such a thing. For instance, Seagate's firmware download pages provide files with no external hash, something Linux distributions do for all of their packages. Neither do they seem to provide a utility to read off the current firmware from a drive and verify its integrity.

Are there any utilities to do such a thing? Why don't these companies provide verification software to users? Has anyone compiled and posted a public list of known-good firmware hashes for the major hard drive vendors and models? This seems to be a critical hole in PC security. I did contact Seagate support asking for hashes of their latest firmware; I got a response stating, "...If you download the firmware directly from our website there is no risk on the file be tampered with." (Their phrasing, not mine.) Methinks somebody hasn't been keeping up with world events lately.
Security

Uber Discloses Database Breach, Targets GitHub With Subpoena 47

Posted by Soulskill
from the another-day-another-breach dept.
New submitter SwampApe tips news that Uber has revealed a database breach from 2014. The company says the database contained names and driver's license numbers of their drivers, about 50,000 of which were accessed by an unauthorized third party. As part of their investigation into who was behind the breach, Uber has filed a lawsuit which includes a subpoena request for GitHub. "Uber's security team knows the public IP address used by the database invader, and wants to link that number against the IP addresses and usernames of anyone who looked at the GitHub-hosted gist in question – ID 9556255 – which we note today no longer exists. It's possible the gist contained a leaked login key, or internal source code that contained a key that should not have been made public."
Security

Blu-Ray Players Hackable Via Malicious Discs 107

Posted by Soulskill
from the physical-media-increasingly-sketchy dept.
An anonymous reader writes: Some Blu-Ray disc interactive features use a Java variant for UIs and applications. Stephen Tomkinson just posted a blog discussing how specially created Blu-Ray discs can be used to hack various players using exploits related to their Java usage. He hacked one Linux-based, network-connected player to get root access through vulnerabilities introduced by the vendor. He did the same thing against Windows Blu-Ray player software. Tomkinson was then able to combine both, along with detection techniques, into a single disc.
Privacy

NSA Spying Wins Another Rubber Stamp 87

Posted by Soulskill
from the once-more-unto-the-privacy-breach dept.
schwit1 sends this report from the National Journal: A federal court has again renewed an order allowing the National Security Agency to continue its bulk collection of Americans' phone records, a decision that comes more than a year after President Obama pledged to end the controversial program. The Foreign Intelligence Surveillance Court approved this week a government request to keep the NSA's mass surveillance of U.S. phone metadata operating until June 1, coinciding with when the legal authority for the program is set to expire in Congress. The extension is the fifth of its kind since Obama said he would effectively end the Snowden-exposed program as it currently exists during a major policy speech in January 2014. Obama and senior administration officials have repeatedly insisted that they will not act alone to end the program without Congress.
Security

Simple IT Security Tactics for Small Businesses (Video) 32

Posted by Roblimo
from the worry-more-about-criminal-attacks-than-government-intrusions dept.
Adam Kujawa is the lead person on the Malwarebytes Malware Intelligence Team, but he's not here to sell software. In fact, he says that buying this or that software package is not a magic bullet that will stop all attacks on your systems. Instead, he stresses coworker education. Repeatedly. Adam says phishing and other social engineering schemes are now the main way attackers get access to your company's information goodies. Hacking your firewall? Far less likely than it used to be, not only because firewalls are more sophisticated than ever, but also because even the least computer-hip managers know they should have one.