Lucas123 writes: A report commissioned by the White House involving the Defense, Justice and Homeland Security Departments has begun a process to define, for the first time, the requirements that manufacturers would need to meet for federal, state, and municipal law enforcement agencies to consider purchasing firearms with "smart" safety technology. They've committed to completing that process by October, and will also identify agencies interested in taking part in a pilot program to develop the smart gun technology. The DoD will help manufacturers test smart guns under "real-world conditions" at the U.S. Army Aberdeen Test Center in Maryland. Manufacturers would be eligible to win cash prizes through that program as well. In addition to spurring the adoption of smart gun technology, the report stated that the Social Security Administration has published a proposed rule that would require individuals prohibited from buying a gun due to mental health issues to be included in a background check system.
An anonymous reader writes: The FBI has no idea how the hack used in unlocking the San Bernardino shooter's iPhone 5C works, but it paid a sum less than $1m for the mechanism, according to a report. Reuters, citing several U.S. government sources, note that the government intelligence agency didn't pay a value over $1.3m for purchasing the hack from professional hackers, as previously reported by many outlets. The technique can also be used as many times as needed without further payments, the report adds. The FBI director, James Comey, said last week that the agency paid more to get into the iPhone 5C than he will make in the remaining seven years and four months he has in his job, suggesting the hack cost more than $1.3m, based on his annual salary.
There's no doubt that benchmark apps help you evaluate different aspects of a product, but do they paint a complete picture? Should we utterly rely on benchmark apps to assess the performance and quality of a product or service? Vlad Savov of The Verge makes an interesting point. He notes that DxOMark (a hugely popular benchmark app for testing a camera) rating of HTC 10's camera sensor is equal to that of Samsung's Galaxy S7, however, in real life shooting, the Galaxy S7's shooter offers a far superior result. "I've used both extensively and I can tell you that's simply not the case -- the S7 is outstanding whereas the 10 is merely good." He offers another example: If a laptop or a phone does well in a web-browsing battery benchmark, that only gives an indication that it would probably fare decently when handling bigger workloads too. But not always. My good friend Anand Shimpi, formerly of AnandTech, once articulated this very well by pointing out how the MacBook Pro had better battery life than the MacBook Air -- which was hailed as the endurance champ -- when the use changed to consistently heavy workloads. The Pro was more efficient in that scenario, but most battery tests aren't sophisticated or dynamic enough to account for that nuance. It takes a person running multiple tests, analyzing the data, and adding context and understanding to achieve the highest degree of certainty. The problem is -- more often than not -- gadget reviewers treat these values as the most important signal when judging a product, which in turn, also influences several readers' opinion. What's your take on this?
Joseph Cox, reporting for Motherboard: Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK's signal intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla. Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS. "So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products," a GCHQ spokesperson told Motherboard in an email. CESG, or the National Technical Authority for Information Assurance, is the information security wing of GCHQ. Those issues include a kernel vulnerability in OS X El Captain v10.11.4, the latest version, that would allow arbitrary code execution, and two in iOS 9.3, one of which would have done largely the same thing, and the other could have let an application launch a denial of service attack.
An anonymous reader cites an article on The Intercept (edited and condensed): The Supreme Court on Thursday approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes, which will take immediate effect in December unless Congress adopts competing legislation, would allow the FBI go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant. Previously, under the federal rules on criminal procedures, a magistrate judge couldn't approve a warrant request to search a computer remotely if the investigator didn't know where the computer was -- because it might be outside his or her jurisdiction. The rule change would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor."Unbelievable," said Edward Snowden. "FBI sneaks radical expansion of power through courts, avoiding public debate." Ahmed Ghappour, a visiting professor at University of California Hastings Law School, has described it as "possibly the broadest expansion of extraterritorial surveillance power since the FBI's inception."
An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and ATT have vulnerabilities with fixes that have yet to be implemented for example.
mdsolar quotes a report from Phys.Org: Belgium is to provide iodine pills to its entire population of around 11 million people to protect against radioactivity in case of a nuclear accident, the health minister was quoted as saying Thursday. The move comes as Belgium faces growing pressure from neighboring Germany to shutter two ageing nuclear power plants near their border due to concerns over their safety. Iodine pills, which help reduce radiation build-up in the human thyroid gland, had previously only been given to people living within 20 kilometres (14 miles) of the Tihange and Doel nuclear plants. Health Minister Maggie De Block was quoted by La Libre Belgique newspaper as telling parliament that the range had now been expanded to 100 kilometers, effectively covering the whole country. The health ministry did not immediately respond to AFP when asked to comment. The head of Belgium's French-speaking Green party, Jean-Marc Nollet, backed the measures but added that "just because everyone will get these pills doesn't mean there is no longer any nuclear risk," La Libre reported. Belgium's creaking nuclear plants have been causing safety concerns for some time after a series of problems ranging from leaks to cracks and an unsolved sabotage incident. Yesterday, a nuclear plant in Germany was reportedly infected with a computer virus.
blottsie writes from a report on the Daily Dot: In a Wall Street Journal editorial titled "Encryption Without Tears," Sens. Richard Burr and Dianne Feinstein pushed back on widespread condemnation of their Compliance with Court Orders Act, which would require tech companies to provide authorities with user data in an "intelligible" format if served with a warrant. But security experts Bruce Schneir, Matthew Green, and others say the lawmakers entirely misunderstand the issue. "On a weekly basis we see gigabytes of that information dumped to the Internet," Green told the Daily Dot. "This is the whole problem that encryption is intended to solve." He added: "You can't hold out the current flaws in the Internet as a justification for why the Internet shouldn't be made secure." "These criticisms of Burr and Feinstein's analogy emphasize an important point about digital security: The differences between the levels of encryption protecting certain types of data -- purchase records on Amazon's servers versus photos on an iPhone, for example -- lead to different levels of risk," writes Eric Geller of the Daily Dot.
schwit1 writes: After experimenting with barbed wire, surveillance cameras and even cowbells and camels, India has now reportedly introduced "laser walls" at its border with archenemy Pakistan. Both New Delhi and Islamabad deploy more than half of their 1 million and 600,000-strong armies, respectively, on the border. India is setting up the laser walls to "plug the porous riverine and treacherous terrain and keep an effective vigil against intruders and terrorists" in Punjab state, the state-run Press Trust of India reported. According to the PTI report, around 45 laser walls will be installed in Punjab state. Lasers beamed over rivers and hills will set off an alarm and alert the Indian Border Security Force if someone attempts to pass by, it added.
Reader msm1267 writes: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. "The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote -- depending on what the company has paid for in terms of licensing)," Kakavas and Bratec told Threatpost via email. "And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc. )." Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.
Reader wiredmikey writes: Security researchers at Cisco have come across a piece of software that installed backdoors on 12 million computers around the world. Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other tools, such as a known scareware called System Healer, but also of harvesting personal information. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The "features" have led Cisco Talos to classify the Tuto4PC software as a "full backdoor capable of a multitude of undesirable functions on the victim machine." Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco's systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand.Tuto4PC has received flak from many over the years, including French regulators.
An anonymous reader quotes a report from Softpedia: A British security researcher that goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner. The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL. Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald's, British Gas, Bose, Adidas, the University of Texas, and many link shortening services. This flawed system has been online since the mid-1990s. The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing, with the registry issuing a statement today denying the incident and calling the allegations "inaccurate, misleading and sexed-up to the max," after previously acknowledging and fixing the security flaws.
An anonymous reader quotes a report from Ars Technica: A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order. The government successfully cited a 1789 law known as the All Writs Act to compel (PDF) the suspect to decrypt two hard drives it believes contain child pornography. The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple.
An anonymous reader quotes a report from TechCrunch: The U.S. House of Representatives has passed H.R. 699, the Email Privacy Act, sending it on to the Senate and from there, hopefully anyhow, to the President. The yeas were swift and unanimous. The bill, which was introduced in the House early last year and quickly found bipartisan support, updates the 1986 Electronic Communications Privacy Act, closing a loophole that allowed emails and other communications to be obtained without a warrant. It's actually a good law, even if it is arriving a couple of decades late. "Under current law, there are more protections for a letter in a filing cabinet than an email on a server," said Congresswoman Suzan Delbene during the debate period. An earlier version of the bill also required that authorities disclose that warrant to the person it affected within 10 days, or 3 if the warrant related to a government entity. That clause was taken out in committee -- something trade groups and some of the Representatives objected to as an unpleasant compromise.
Patrick O'Neill writes: Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago. Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases. The Tor Project has confirmed this report in a statement after being contacted by the Daily Dot, "It has come to out attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware." Maybe Tor users will now be less likely to anonymously check Facebook each month...
An anonymous reader writes: The International Consortium of Investigative Journalists said in an email that on May 9 it would "publish what will likely be the largest-ever release of information about secret offshore companies and the people behind them," based on data from the Panama Papers investigation. "The searchable database will include information about more than 200,000 companies, trusts, foundations, and funds incorporated in 21 tax havens, from Hong Kong to Nevada in the United States." The ICIJ said in the email, "The impact of Panama Papers has been epic." The investigation has caused Icelandic Prime Minister Sigmundur David Gunnlaugsson to resign following revelations about his personal finances. It has caused Putin to point fingers at the West, accusing the U.S. of trying to weaken Russia. It has even created drama in the UK with calls for Prime Minister David Cameron to resign after his connections to offshore companies became evident. In addition, the ICIJ said, "[The Panama Papers investigation] sparked a new sense of urgency among lawmakers and regulators to close loopholes and make information about the owners of shell companies public."
An anonymous reader writes: China's first "intelligent security robot," which reportedly includes an "electrically charged riot control tool" and an SOS button for people to notify police, has been compared to the killer Dalek from Doctor Who after being shown off at a tech fair. Intelligence agency whistleblower Edward Snowden shared the news on Twitter with the caption: "Surely this will end well." The robot, unveiled at the 12th Chongqing Hi-Tech Fair, is 1.49 metres tall, weighs 78 kilograms, has a claimed top speed of 18 kilometres per hour and an operating duration of eight hours between charges, according to a report by People's Daily Online. Dubbed AnBot, it was built by the National Defence University in China and has "sensors that mimic the human brain, eyes and ears." The report said AnBot represented breakthroughs in "key technologies including low-cost autonomous navigation and intelligent video analysis" and would play an important role in anti-terrorism and anti-riot operations. AnBot has an SOS button for people to use to notify police of a problem, but it is unclear what criteria AnBot uses to assess threats autonomously.
blottsie writes: The latest debate over encryption did not begin with a court order demanding Apple help the FBI unlock a dead terrorist's iPhone. The new "Crypto Wars," chronicled in a comprehensive timeline by Eric Geller of the Daily Dot, dates back to at least 2003, with the introduction of "Patriot Act II." The battle over privacy and personal security versus crime-fighting and national security has, however, become a mainstream debate in recent months. The timeline covers a wide-range of incidents where the U.S. and other allied governments have tried to restrict citizens' access to strong encryption. The timeline ends with the director of national intelligence blaming NSA whistleblower Edward Snowden for advancing the spread of user-friendly, widely available strong encryption.
An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.