Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Crime

Tor Project Confirms Sexual Misconduct By Developer Jacob Appelbaum (theverge.com) 305

An anonymous reader quotes a report from The Verge: The Tor Project, a nonprofit known for its online anonymity software, says it has verified claims that former employee Jacob Appelbaum engaged in "sexually aggressive behavior" with people inside and outside of its organization. "We have confirmed that the events did take place as reported," Shari Steele, Tor's executive director, tells The Verge. In a blog post today, Steele says that Tor began an investigation into Appelbaum's behavior after several people came forward with allegations of misconduct in late May. In a statement made in June, he said the allegations were "entirely false." He resigned from the Tor Project in May. "I want to thank all the people who broke the silence around Jacob's behavior," Steele writes. "It is because of you that this issue has now been addressed. I am grateful you spoke up, and I acknowledge and appreciate your courage." Steele says that Tor is now implementing a new anti-harassment policy, as well as a process for submitting complaints and having them reviewed. The changes will be put in place this week. Tor also announced last month that it would replace its entire board of directors.
Businesses

Tesla and Autopilot Supplier Mobileye Split Up After Fatal Crash (usatoday.com) 101

An anonymous reader quotes a report from USA Today: Tesla and Mobileye, one of the top suppliers to its Autopilot partial self-driving system, are parting ways in the wake of the May accident that killed an owner of one of its electric Model S sedans. Mobileye is considered a leader in developing the equipment that will be needed for fully self-driving cars. The Israeli tech company will continue to support and maintain current Tesla products, including upgrades that should help the Autopilot system with crash avoidance and to better allow the car to steer itself, said Chairman Amnon Shashua in releasing the company's second-quarter earnings Tuesday. Shashua said moving cars to higher levels of self-driving capability "is a paradigm shift both in terms of function complexity and the need to ensure an extremely high level of safety." He added there is "much at stake" in terms of Mobileye's reputation, and that it is best to end the relationship with Tesla by the end of the year. Tesla CEO Elon Musk, meeting with reporters at the company's new battery Gigafactory outside Reno, indicated that Tesla can go forward without Mobileye. "Us parting ways was somewhat inevitable. There's nothing unexpected here from our standpoint," Musk said. "We're committed to autonomy. They'll go their way, and we'll go ours."
Iphone

New York DA Wants Apple, Google To Roll Back Encryption (tomsguide.com) 243

An anonymous reader writes: Manhattan District Attorney Cyrus Vance Jr. called on Apple and Google to weaken their device encryption, arguing that thousands of crimes remained unsolved because no one can crack into the perpetrators' phones. Vance, speaking at the International Conference on Cyber Security here, said that law enforcement officials did not need an encryption "backdoor," sidestepping a concern of computer-security experts and device makers alike. Instead, Vance said, he only wanted the encryption standards rolled back to the point where the companies themselves can decrypt devices, but police cannot. This situation existed until September 2014, when Apple pushed out iOS 8, which Apple itself cannot decrypt. "Tim Cook was absolutely right when he told his shareholders that the iPhone changed the world," Vance said. "It's changed my world. It's letting criminals conduct their business with the knowledge we can't listen to them."
Security

LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk) 132

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project zero hacker Tavis Ormandy who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twiter website and cough up the users' credentials of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.
HP

Popular Wireless Keyboards From HP, Toshiba and Others Don't Use Encryption, Can Be Easily Snooped On (threatpost.com) 83

Reader msm1267 writes: Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday. If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers -- essentially anything typed on a keyboard, in clear text. Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability. Bastille gave the manufacturers of the keyboards 90 days to address the vulnerability, but most vendors failed to respond to their findings. Newlin said only Jasco Products, a company that manufactures the affected keyboard (GE 98614) for General Electric, responded and claimed it no longer manufactures wireless devices, like keyboards. As there doesn't appear to be a way to actually fix the vulnerability, it's likely the companies will eventually consider the devices end of life.
Android

Motorola Confirms That It Will Not Commit To Monthly Security Patches (arstechnica.com) 158

If you are planning to purchase the Moto Z or a Moto G4 smartphone, be prepared to not see security updates rolling out to your phone every month -- and in a timely fashion. After Ars Technica called out Motorola's security policy as "unacceptable" and "insecure," in a recent review, the company tried to handle the PR disaster, but later folded. In a statement to the publication, the company said: Motorola understands that keeping phones up to date with Android security patches is important to our customers. We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it's difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade. As we previously stated, Moto Z Droid Edition will receive Android Security Bulletins. Moto G4 will also receive them.Monthy security updates -- or the lack thereof -- remains one of the concerning issues that plagues the vast majority of Android devices. Unless it's a high-end smartphone, it is often rare to see the smartphone OEM keep the device's software updated for more than a year. Even with a flagship phone, the software update -- and corresponding security patches -- are typically guaranteed for only 18 to 24 months. Reports suggest that Google has been taking this issue seriously, and at some point, it was considering publicly shaming its partners that didn't roll out security updates to their respective devices fast enough.
Government

Obama Creates a Color-Coded Cyber Threat 'Schema' After the DNC Hack (vice.com) 131

The White House on Tuesday issued new instructions on how government agencies should respond to major cyber security attacks, in an attempt to combat perceptions that the Obama administration has been sluggish in addressing threats from sophisticated hacking adversaries, Reuters reports. The announcement comes amid reports that hackers working for Russia may have engineered the leak of emails stolen from the Democratic National Committee in an attempt to influence the outcome of the upcoming presidential election. Motherboard adds: George W. Bush's Homeland Security Advisory System -- the color-coded terrorism "threat level" indicator that became a symbol of post-9/11 fear mongering -- is getting its spiritual successor for hacking: the "Cyber Incident Severity Schema." President Obama announced a new policy directive Tuesday that will codify how the federal government will respond to hacking incidents against both the government and private American companies. [...] The Cyber Incident Severity Schema ranges from white (an "unsubstantiated or inconsequential event") to black (a hack that "poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons") , with green, yellow, orange, and red falling in between. Any hack or threat of a hack rated at orange or above is a "significant cyber incident" that will trigger what the Obama administration is calling a "coordinated" response from government agencies. As you might expect, there are many unanswered questions here, and the federal government has announced so many cyber programs in the last few years that it's hard to know which, if any of them, will actually make the US government or its companies any safer from hackers.
Security

'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say (thedailybeast.com) 681

The hacker who claimed to compromise the DNC swore he was Romanian, but new investigation shows he worked directly for Russia President Vladimir Putin's government in Moscow. The Daily Beast reports: The hacker who claims to have stolen emails from the Democratic National Committee and provided them to WikiLeaks is actually an agent of the Russian government and part of an orchestrated attempt to influence U.S. media coverage surrounding the presidential election, a security research group concluded on Tuesday. The researchers, at Arlington, Va.-based ThreatConnect, traced the self-described Romanian hacker Guccifer 2.0 back to an Internet server in Russia and to a digital address that has been linked in the past to Russian online scams. Far from being a single, sophisticated hacker, Guccifer 2.0 is more likely a collection of people from the propaganda arm of the Russian government meant to deflect attention away from Moscow as the force behind the DNC hacks and leaks of emails, the researchers found. ThreatConnect is the first known group of experts to link the self-proclaimed hacker to a Russian operation, amidst an ongoing FBI investigation and a presidential campaign rocked by the release of DNC emails that have embarrassed senior party leaders and inflamed intraparty tensions turning the Democratic National Convention. The emails revealed that party insiders plotted ways to undermine Sen. Bernie Sanders' presidential bid. The researchers at the aforementioned security firm are basing their conclusion on three signals: the hacker used Russian computers to edit PDF files, he also used Russian VPN -- and other internet infrastructure from the country, and that he was unable to speak Romanian.
Blackberry

BlackBerry Says Its New Android Smartphone DTEK 50 Is the 'World's Most Secure' (theverge.com) 93

BlackBerry, which once assumed the tentpole position in the mobile market, announced on Tuesday the BlackBerry DTEK 50, its second smartphone powered by Google's Android operating system. The Canadean company is marketing the DTEK as the 'world's most secure' phone. It is priced at $300, and will go on sale in select markets on August 8. The Verge adds:The DTEK50 has a 5.2-inch, 1080p display, Qualcomm Snapdragon 617 processor, 3GB RAM, 13-megapixel camera, and 2,610mAh battery. The 8-megapixel front camera also includes a flash for taking selfies. It runs Android 6.0 Marshmallow with BlackBerry's software features, such as the Hub. The software is similar to the software on the Priv released last year. The security features are highlighted right in the device's name, as it has BlackBerry's DTEK software that protects users from malware and other security problems often seen on Android smartphones. The DTEK app lets users quickly get an overview of their device's security and take action on any potential issues. BlackBerry says that it has modified Android with its own technology originally developed for the BB10 platform to make it more secure. The company is also committing to rapid updates to deliver security patches shortly after they are released.
Security

Notorious Group OurMine Hacks TechCrunch (betanews.com) 12

Prominent technology blog TechCrunch -- which is often cited on Slashdot -- has become the latest victim of the OurMine hacking group. The notorious group gained access to Seattle-based writer Devin Coldewey's account, and posted the following message earlier today: "Hello Guys, don't worry we are just testing techcrunch security, we didn't change any passwords, please contact us." The post was then promoted as a ticker, the top banner in red and as the main story on TechCrunch's front page. BetaNews adds: The OurMine website says that the group offers "top notch vulnerability assessment", so it's possible that the hack was little more than a PR stunt touting for business. It did not take TechCrunch long to notice and remove the story (and presumably change a series of passwords...) but the site is yet to issue a statement about what has happened.
Security

Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com) 113

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.
Security

Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk) 42

An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code made publicly available by a bounty-hunter for everyone to see. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)."
Transportation

Amazon Partners With UK Government To Test Drone Deliveries (usatoday.com) 44

An anonymous reader quotes a report from USA Today: [Recent rules from the Federal Aviation Administration mean delivery by drone is years away in the United States, but packages may be winging their way to customers sooner rather than later in the United Kingdom, where Amazon just got permission to begin a new trial of its delivery drones.] The U.K. Civil Aviation Authority gave Amazon permission to test several key drone delivery parameters. They include sending drones beyond the line of sight of their operator in rural and suburban areas, testing sensor performance to make sure the drones can identify and avoid obstacles and allowing a single operator to manage multiple highly-automated drones. U.S. rules are outlined in a 624-page rulebook from the Federal Aviation Administration. They allow commercial drones weighing up to 55 pounds to fly during daylight hours. The aircraft must remain within sight of the operator or an observer who is in communication with the operator. The operators must be pass an aeronautics test every 24 months for a certificate as well as a background check by the Transportation Security Administration. The rules govern commercial flights, such as for aerial photography or utilities inspection. Amazon's goal is to use drones to deliver packages up to 5 pound to customers in 30 minutes or less. Amazon released a statement today detailing its partnership with the UK Government that may one day turn its Prime Air drone delivery service into reality.
Censorship

Facebook Admits Blocking WikiLeaks' DNC Email Links, But Won't Say Why (thenextweb.com) 270

An anonymous reader writes: Facebook has admitted it blocked links to WikiLeaks' DNC email dump, but the company has yet to explain why. WikiLeaks has responded to the censorship via Twitter, writing: "For those facing censorship on Facebook etc when trying to post links directly to WikiLeaks #DNCLeak try using archive.is." When SwiftOnSecurity tweeted, "Facebook has an automated system for detecting spam/malicious links, that sometimes have false positives. /cc," Facebook's Chief Security Officer Alex Stamos replied with, "It's been fixed." As for why there was a problem in the first place, we don't know. Nate Swanner from The Next Web writes, "It's possible its algorithm incorrectly identified them as malicious, but it's another negative mark on the company's record nonetheless. WikiLeaks is a known entity, not some torrent dumping ground. The WikiLeaks link issue has reportedly been fixed, which is great -- but also not really the point. The fact links to the archive was blocked at all suggests there's a very tight reign on what's allowed on Facebook across the board, and that's a problem." A Facebook representative provided a statement to Gizmodo: "Like other services, our anti-spam systems briefly flagged links to these documents as unsafe. We quickly corrected this error on Saturday evening."
Security

Researchers Discover 110 Snooping Tor Nodes (helpnetsecurity.com) 45

Reader Orome1 writes: In a period spanning 72 days, two researchers from Northeastern University have discovered at least 110 "misbehaving" and potentially malicious hidden services directories (HSDirs) on the Tor anonymity network. "Tor's security and anonymity is based on the assumption that the large majority of its relays are honest and do not misbehave. Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs)," Professor Guevara Noubir and Ph.D. student Amirali Sanatinia explained. "Bad" HSDirs can be used for a variety of attacks on hidden services: from DoS attacks to snooping on them.
Microsoft

Microsoft Can't Shield User Data From Government, Says Government (bloomberg.com) 190

Microsoft is now arguing in court that their customers have a right to know when the government is reading their e-mail. But "The U.S. said federal law allows it to obtain electronic communications without a warrant or without disclosure of a specific warrant if it would endanger an individual or an investigation," according to Bloomberg. An anonymous reader quotes their report: The software giant's lawsuit alleging that customers have a constitutional right to know if the government has searched or seized their property should be thrown out, the government said in a court filing... The U.S. says there's no legal basis for the government to be required to tell Microsoft customers when it intercepts their e-mail... The Justice Department's reply Friday underscores the government's willingness to fight back against tech companies it sees obstructing national security and law enforcement investigations...

Secrecy orders on government warrants for access to private e-mail accounts generally prohibit Microsoft from telling customers about the requests for lengthy or even unlimited periods, the company said when it sued. At the time, federal courts had issued almost 2,600 secrecy orders to Microsoft alone, and more than two-thirds had no fixed end date, cases the company can never tell customers about, even after an investigation is completed.

Democrats

Clinton Campaign: Russia Leaked Emails to Help Trump (washingtonpost.com) 764

An anonymous Slashdot reader quotes the Washington Post: A top official with Hillary Clinton's campaign on Sunday accused the Russian government of orchestrating the release of damaging Democratic Party records in order to help the campaign of Republican Donald Trump -- and some cyber security experts in the U.S. and overseas agree. The extraordinary charge came as some national security officials have been growing increasingly concerned about possible efforts by Russia to meddle in the election, according to several individuals familiar with the situation.

Late last week, hours before the records were released by the website Wikileaks, the White House convened a high-level security meeting to discuss reports that Russia had hacked into systems at the Democratic National Committee... Officials from various intelligence and defense agencies, including the National Security Council, the Department of Defense, the FBI and the Department of Homeland Security, attended the White House meeting Thursday, on the eve of the email release.

Clinton's campaign manager told ABC News "some experts are now telling us that this was done by the Russians for the purpose of helping Donald Trump." Donald Trump's son later responded, "They'll say anything to be able to win this."
Open Source

Linux Kernel 4.7 Officially Released (iu.edu) 60

An anonymous Slashdot reader writes: The Linux 4.7 kernel made its official debut today with Linus Torvalds announcing, "after a slight delay due to my travels, I'm back, and 4.7 is out. Despite it being two weeks since rc7, the final patch wasn't all that big, and much of it is trivial one- and few-liners." Linux 4.7 ships with open-source AMD Polaris (RX 480) support, Intel Kabylake graphics improvements, new ARM platform/board support, Xbox One Elite Controller support, and a variety of other new features.
Slashdot reader prisoninmate quotes a report from Softpedia: The biggest new features of Linux kernel 4.7 are support for the recently announced Radeon RX 480 GPUs (Graphic Processing Units) from AMD, which, of course, has been implemented directly into the AMDGPU video driver, a brand-new security module, called LoadPin, that makes sure the modules loaded by the kernel all originate from the same file system, and support for generating virtual USB Device Controllers in USB/IP. Furthermore, Linux kernel 4.7 is the first one to ensure the production-ready status of the sync_file fencing mechanism used in the Android mobile operating system, allow Berkeley Packet Filter (BPF) programs to attach to tracepoints, as well as to introduce the long-anticipated "schedutil" frequency governor to the cpufreq dynamic frequency scaling subsystem, which promises to be faster and more accurate than existing ones.
Linus's announcement includes the shortlog, calling this release "fairly calm," though "There's a couple of network drivers that got a bit more loving."
EU

EU To Give Free Security Audits To Apache HTTP Server and Keepass (softpedia.com) 67

An anonymous reader writes: The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The two projects were selected following a public survey that included several open-source projects deemed important for both the EU agencies and the wide public.

The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament. This is only a test pilot program that's funded until the end of the year, but the EU said it would be looking for funding to continue it past its expiration date in December 2016.

Government

Homeland Security Border Agents Can Seize Your Phone (cnn.com) 317

Slashdot reader v3rgEz writes: A Wall Street Journal reporter has shared her experienced of having her phones forcefully taken at the border -- and how the Department of Homeland Security insists that your right to privacy does not exist when re-entering the United States. Indeed, she's not alone: Documents previously released under FOIA show that the DHS has a long-standing policy of warrantless (and even motiveless) seizures at the border, essentially removing any traveler's right to privacy.
"The female officer returned 30 minutes later and said I was free to go," according to the Journal's reporter, adding. "I have no idea why they wanted my phones..."

Slashdot Top Deals