Cloud

Study: 15 Per Cent of Business Cloud Users Have Been Hacked 72

An anonymous reader writes Recent research has identified that only one in ten cloud apps are secure enough for enterprise use. According to a report from cloud experts Netskope, organizations are employing an average of over 600 business cloud apps, despite the majority of software posing a high risk of data leak. The company showed that 15% of logins for business apps used by organizations had been breached by hackers. Over 20% of businesses in the Netskope cloud actively used more than 1,000 cloud apps, and over 8% of files in corporate-sanctioned cloud storage apps were in violation of DLP policies, source code, and other policies surrounding confidential and sensitive data. Google Drive, Facebook, YouTube, Twitter and Gmail were among the apps investigated in the Netskope research.
Advertising

AdNauseam Browser Extension Quietly Clicks On Blocked Ads 285

New submitter stephenpeters writes The AdNauseam browser extension claims to click on each ad you have blocked with AdBlock in an attempt to obfuscate your browsing data. Officially launched mid November at the Digital Labour conference in New York, the authors hope this extension will register with advertisers as a protest against their pervasive monitoring of users' online activities. It will be interesting to see how automated ad click browser extensions will affect the online ad arms race. Especially as French publishers are currently planning to sue Eyeo GmbH, the publishers of Adblock. This might obfuscate the meaning of the clicks, but what if it just encourages the ad sellers to claim even higher click-through rates as a selling point?
Books

Book Review: Spam Nation 82

benrothke writes There are really two stories within Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. The first is how Brian Krebs uncovered the Russian cybergangs that sent trillions of spam emails for years. As interesting and compelling as that part of the story is, the second storyline is much more surprising and fascinating. Brian Krebs is one of the premier cybersecurity journalists. From 1995 to 2009, he was a reporter for The Washington Post, where he covered Internet security, technology policy, cybercrime and privacy issues. When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians. Many of the stories Krebs ran took months to get approval and many were rejected. It was the extreme reticence by the Post to deal with the issue that ultimately led Krebs to leave the paper. Before Krebs wrote this interesting book and did his groundbreaking research, it was clear that there were bad guys abroad spamming Americans with countless emails for pharmaceuticals which led to a global spam problem. Read below for the rest of Ben's review.
Spam

Profanity-Laced Academic Paper Exposes Scam Journal 137

Frosty P writes: A scientific paper titled "Get Me Off Your F****** Mailing List" was actually accepted by the International Journal of Advanced Computer Technology. As reported at Vox and other web sites, the journal, despite its distinguished name, is a predatory open-access journal. These sorts of low-quality journals spam thousands of scientists, offering to publish their work for a fee. In 2005, computer scientists David Mazières and Eddie Kohler created this highly profane ten-page paper as a joke, to send in replying to unwanted conference invitations. It literally just contains that seven-word phrase over and over, along with a nice flow chart and scatter-plot graph. More recently, computer scientist Peter Vamplew sent it to the IJACT in response to spam from the journal, and the paper was automatically accepted with an anonymous reviewer rating it as "excellent," and requested a fee of $150. Over the years, the number of these predatory journals has exploded. Jeffrey Beall, a librarian at the University of Colorado, keeps an up-to-date list of them to help researchers avoid being taken in; it currently has 550 publishers and journals on it.
Botnet

Android Botnet Evolves, Could Pose Threat To Corporate Networks 54

angry tapir writes An Android Trojan program that's behind one of the longest running multipurpose mobile botnets has been updated to become stealthier and more resilient. The botnet is mainly used for instant message spam and rogue ticket purchases, but it could be used to launch targeted attacks against corporate networks because the malware allows attackers to use the infected devices as proxies, according to security researchers.
Businesses

The New-ish Technologies That Will Alter Your Career 66

Nerval's Lobster writes Over at Dice, there's a discussion of the technologies that could actually alter how you work (and what you work on) over the next few years, including 3D printing, embedded systems, and evolving Web APIs. Granted, predicting the future with any accuracy is a nigh-impossible feat, and a lot of nascent technologies come with an accompanying amount of hype. But given how these listed technologies have actually been around in one form or another for years, and don't seem to be fading away, it seems likely that they'll prove an increasing factor in how we live and work over the next decade and beyond. For those who have no interest in mastering aspects of the so-called "Internet of Things," or other tech on this list, never fear: if the past two decades have taught us anything, it's that lots of old hardware and software never truly goes away, either (hi, mainframes!).
Math

Big Talk About Small Samples 246

Bennett Haselton writes: My last article garnered some objections from readers saying that the sample sizes were too small to draw meaningful conclusions. (36 out of 47 survey-takers, or 77%, said that a picture of a black woman breast-feeding was inappropriate; while in a different group, 38 out of 54 survey-takers, or 70%, said that a picture of a white woman breast-feeding was inappropriate in the same context.) My conclusion was that, even on the basis of a relatively small sample, the evidence was strongly against a "huge" gap in the rates at which the surveyed population would consider the two pictures to be inappropriate. I stand by that, but it's worth presenting the math to support that conclusion, because I think the surveys are valuable tools when you understand what you can and cannot demonstrate with a small sample. (Basically, a small sample can present only weak evidence as to what the population average is, but you can confidently demonstrate what it is not.) Keep reading to see what Bennett has to say.
Crime

Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams? 159

An anonymous reader writes I run the IT department for a medium-sized online retailer, and we own a set of marketing toll-free numbers that route to our VoIP system for sales. Yesterday we began receiving dozens and now hundreds of calls from non-customers claiming that we're calling out from our system and offering them $1 million in prizes and asking for their checking account details (a classic phishing scheme). After verifying that our own system wasn't compromised, we realized that someone was spoofing the Caller ID of our company on a local phone number, and then they were forwarding call-backs to their number to one of our 1-800 numbers. We contacted the registered provider of the scammer's phone number, Level3, but they haven't been able to resolve the issue yet and have left the number active (apparently one of their sub-carriers owns it). At this point, the malicious party is auto-dialing half of the phone book in the DC metro area and it's causing harm to our business reputation. Disabling our inbound 800 number isn't really possible due to the legitimate marketing traffic. Do you have any suggestions?
Network

Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server? 405

New submitter hawkbug writes For the past 15 years, I have hosted my own email server at home and it's been pretty painless. I had always used a local Denver ISP on a single static IP. Approximately two years ago, I switched to a faster connection, which now is hosted on Comcast. They provide me 5 static IPs and much faster speeds. It's a business connection with no ports blocked, etc. It has been mostly fine these last two years, with the occasional outage due to typical Comcast issues. About two weeks ago, I came across a serious issue. The following email services started rejecting all email from my server: Hotmail, Yahoo, and Gmail. I checked, and my IP is not on any real time blacklists for spammers, and I don't have any security issues. My mail server is not set as an open relay, and I use SPF records and pass all SPF tests. It appears that all three of those major email services started rejecting email from me based on a single condition: Comcast. I can understand the desire to limit spam — but here is the big problem: I have no way to combat this. With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder. Yahoo and Hotmail on the other hand, just flat out reject the traffic at lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc. Since I am not doing any of those things, I would expect some sort of option to have my IP whitelisted or verified. However, I can not find a single option to do so. The part that bugs me is that this happened two weeks ago with multiple major email services. Obviously, they are getting anti-spam policies from a central location of some kind. I don't know where. If I did, I could possibly go after the source and try to get my IP whitelisted. When I ask my other tech friends what they would do, they simply suggest changing ISPs. 
Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option. Is there anything I can do to remedy this situation?
Youtube

How YouTube Music Key Will Redefine What We Consider Music 105

First time accepted submitter Biswa writes YouTube launched its ad-free subscription music service called MusicKey today. From the TechCrunch article: "YouTube finally unveiled its subscription music service today, and in some ways it’s very much like existing streaming music services, especially since it comes bundled with Google Play Music All Access. But YouTube Music Key is also very much not like other streaming music services, because of the ways in which music is (or rather isn’t) defined on YouTube. One of the first questions I had about Google Music Key was how the company would define what kind of content from YouTube gets included: Would a home-shot cover of a Black Keys song with 253 views be as ad-free as the official music video for the original? Or was this a private club, designed for the traditionally defined music industry? Turns out, the nature of what Music Key encompasses is somewhat of a moving target, and the limited beta access that will initially gate entry to the service is in part due to that variability."
Encryption

ISPs Removing Their Customers' Email Encryption 245

Presto Vivace points out this troubling new report from the Electronic Frontier Foundation: Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the U.S. and Thailand intercepting their customers' data to strip a security flag — called STARTTLS — from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
Communications

Ask Slashdot: How Useful Are DMARC and DKIM? 139

whoever57 writes How widely are DKIM and DMARC being implemented? Some time ago, Yahoo implemented strict checks on DKIM before accepting email, breaking many mailing lists. However, Spamassassin actually assigns a positive score (more likely to be spam) to DKIM-signed emails, unless the signer domain matches the from domain. Some email marketing companies don't provide a way for emails to be signed with the sender's domain — instead, using their own domain to sign emails. DMARC doesn't seem to have a delegation mechanism, by which a domain owner could delegate other domains as acceptable signatures for their emails. All of these issues suggest that the value of DKIM and DMARC is quite low, both as a mechanism to identify valid emails and as a mechanism to identify spam. In fact, spam is often dkim-signed. Are Slashdot users who manage email delivery actually using DKIM and DMARC?
Businesses

Can Ello Legally Promise To Remain Ad-Free? 153

Bennett Haselton writes: Social networking company Ello has converted itself to a Public Benefit Corporation, bound by a charter saying that they will not now, nor in the future, make money by running advertisements or selling user data. Ello had followed these policies from the outset, but skeptics worried that venture capitalist investors might pressure Ello to change those policies, so this binding commitment was meant to assuage those fears. But is the commitment really legally binding and enforceable down the road? Read on for the rest.
The Internet

The Inevitable Death of the Internet Troll 571

HughPickens.com writes James Swearingen writes at The Atlantic that the Internet can be a mean, hateful, and frightening place — especially for young women but human behavior and the limits placed on it by both law and society can change. In a Pew Research Center survey of 2,849 Internet users, one out of every four women between 18 years old and 24 years old reports having been stalked or sexually harassed online. "Like banner ads and spam bots, online harassment is still routinely treated as part of the landscape of being online," writes Swearingen adding that "we are in the early days of online harassment being taken as a serious problem, and not simply a quirk of online life." Law professor Danielle Citron draws a parallel between how sexual harassment was treated in the workplace decades ago and our current standard. "Think about in the 1960s and 1970s, what we said to women in the workplace," says Citron. "'This is just flirting.' That a sexually hostile environment was just a perk for men to enjoy, it's just what the environment is like. If you don't like it, leave and get a new job." It took years of activism, court cases, and Title VII protection to change that. "Here we are today, and sexual harassment in the workplace is not normal," said Citron. "Our norms and how we understand it are different now."

According to Swearingen, the likely solution to internet trolls will be a combination of things. The expansion of laws like the one currently on the books in California, which expands what constitutes online harassment, could help put the pressure on harassers. The upcoming Supreme Court case, Elonis v. The United States, looks to test the limits of free speech versus threatening comments on Facebook. "Can a combination of legal action, market pressure, and societal taboo work together to curb harassment?" asks Swearingen. "Too many people do too much online for things to stay the way they are."
Google

Ask Slashdot: Why Can't Google Block Spam In Gmail? 265

An anonymous reader writes Every day my gmail account receives 30-50 spam emails. Some of it is UCE, partially due to a couple dingbats with similar names who apparently think my gmail account belongs to them. The remainder looks to be spambot or Nigerian 419 email. I also run my own MX for my own domain, where I also receive a lot of spam. But with a combination of a couple DNSBL in my sendmail config, SpamAssassin, and procmail, almost none of it gets through to my inbox. In both cases there are rare false positives where a legit email ends up in my spam folder, or in the case of my MX, a spam email gets through to my Inbox, but these are rare occurrences. I'd think with all the Oompa Loompas at the Chocolate Factory that they could do a better job rejecting the obvious spam emails. If they did it would make checking for the occasional false positives in my spam folder a teeny bit easier. For anyone who's responsible for shunting Web-scale spam toward the fate it deserves, what factors go into the decision tree that might lead to so much spam getting through?
Windows

Microsoft Announces Windows 10 644

Today at a press conference in San Francisco, Microsoft announced the new version of their flagship operating system, called Windows 10. (Yes, t-e-n. I don't know.) With the new version of the operating system, they'll be unifying the application platform for all devices: desktops, laptops, consoles, tablets, and phones. As early leaks showed, the Start Menu is back — it's a hybrid of old and new, combining a list of applications with a small group of resizable tiles that can include widgets. Metro-style apps can now each operate inside their own window (video). There's a new, multiple-desktop feature, which power users have been demanding for years, and also a feature that lets users easily grab objects from one desktop and transfer it to another. The command line is even getting some love. The Technical Preview builds for desktops and laptops will be available tomorrow through the Windows Insider Program. They're requesting feedback from customers. Windows 10 will launch in late 2015.
Facebook

NY Magistrate: Legal Papers Can Be Served Via Facebook 185

New submitter Wylde Stile writes with an interesting case that shows just how pervasive social networking connections have become, including in the eyes of the law. A Staten Island, NY family court support magistrate allowed a Noel Biscoch to serve his ex-wife legal papers via Facebook. Biscoch tried to serve his ex-wife Anna Maria Antigua the old-fashioned way — in person and via postal mail — but his ex-wife had moved with no forwarding address. Antigua maintains an active Facebook account, though, and had even liked some photos on the Biscoch's present wife's Facebook page days before the ruling. The magistrate concluded that the ex-wife could be served through Facebook. If this catches on, I bet a lot of people will end up with legally binding notices caught by spam filters or in their Facebook accounts' "Other" folders.
Programming

Is It Time To Split Linux Distros In Two? 282

snydeq writes Desktop workloads and server workloads have different needs, and it's high time Linux consider a split to more adequately address them, writes Deep End's Paul Venezia. You can take a Linux installation of nearly any distribution and turn it into a server, then back into a workstation by installing and uninstalling various packages. The OS core remains the same, and the stability and performance will be roughly the same, assuming you tune the system along the way. Those two workloads are very different, however, and as computing power continues to increase, the workloads are diverging even more. Maybe it's time Linux is split in two. I suggested this possibility last week when discussing systemd (or that FreeBSD could see higher server adoption), but it's more than systemd coming into play here. It's from the bootloader all the way up. The more we see Linux distributions trying to offer chimera-like operating systems that can be a server or a desktop at a whim, the more we tend to see the dilution of both. You can run stock Debian Jessie on your laptop or on a 64-way server. Does it not make sense to concentrate all efforts on one or the other?
Crime

The Five Nigerian Gangs Behind Most Craigslist Buyer Scams 160

itwbennett writes Five Nigerian criminal gangs are behind most scams targeting sellers on Craigslist, and they've taken new measures to make their swindles appear legitimate, according to a study by George Mason University researchers Damon McCoy and Jackie Jones. In a new innovation, they're using professional check-writing equipment plus U.S.-based accomplices to not raise suspicions among their victims. McCoy and Jones will present their paper on Sept. 24 at the IEEE eCrime Research Summit in Birmingham, Alabama.
The Courts

Feds Say NSA "Bogeyman" Did Not Find Silk Road's Servers 142

An anonymous reader writes The secret of how the FBI pinpointed the servers allegedly used by the notorious Silk Road black market website has been revealed: repeated login attempts. In a legal rebuttal, the FBI claims that repeatedly attempting to log in to the marketplace revealed its host location. From the article: "As they typed 'miscellaneous' strings of characters into the login page's entry fields, Tarbell writes that they noticed an IP address associated with some data returned by the site didn't match any known Tor 'nodes,' the computers that bounce information through Tor's anonymity network to obscure its true source. And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared, the garbled-letter image designed to prevent spam bots from entering the site. 'This indicated that the Subject IP Address was the IP address of the SR Server,' writes Tarbell in his letter, 'and that it was "leaking" from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.'"
