Subscribe: Slashdot: ITSearch Slashdot
http://rss.slashdot.org/Slashdot/slashdotit
Added By: Feedage Forager Feedage Grade A rated
Language: English
Tags:
anonymous reader  code  government  internet  malware  read story  read  report  security researcher  security  slashdot  story slashdot  story 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: Slashdot: ITSearch Slashdot

Slashdot: ITSearch Slashdot



News for nerds, stuff that mattersSearch Slashdot stories



Published: 2017-12-18T11:16:13+00:00

 



What's The Best TV Show About Working in Tech?

2017-12-17T20:52:00+00:00

An anonymous reader writes: Recently Gizmodo hailed "the best show ever made about Silicon Valley", asking its readers one question: why didn't you watch it? They're talking about AMC's Halt and Catch Fire, which their Senior Reviews Editor says "discovered the fascinating, frustrating human side to the soulless monsters who built Silicon Valley." Unfortunately, "nobody watched it. The show never cracked a million live viewers after the pilot episode. It sat firmly on the bubble every season, getting greenlit only by the grace of AMC." Today Netflix is making that show's fourth (and final) season available -- but is it the best show about working in tech? What about Mr. Robot, Silicon Valley, or The IT Crowd -- or that short-lived X-Files spin-off, The Lone Gunmen? Has there ever been a good show about geeks -- besides those various PBS documentaries? Leave your own answers in the comments. What's the best TV show about working in tech?

Read more of this story at Slashdot.

(image)



Microsoft Releases a Preview of OpenSSH Client and Server For Windows 10

2017-12-17T17:34:00+00:00

kriston (Slashdot user #7,886) writes: Microsoft released a preview of the OpenSSH server and client for Windows 10. Go to Settings, Apps & Features, and click "Manage optional features" to install them. The software only supports AES-CTR and chacha20 ciphers and supports a tiny subset of keys and KEXs, but, on the other hand, a decent set of MACs. It also says that it doesn't use the OpenSSL library. That's the really big news, here. I understand leaving out arcfour/RC4 and IDEA, but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES? At least they chose the CTR versions of these ciphers. (Blowfish isn't compromised in any practical way, by the way). I prefer faster and less memory- and CPU-intensive ciphers. Still, it's a good start. The SSH server is compelling enough to check out especially since I just started using X2GO for remote desktop access which requires an SSH server for its file sharing feature.

Read more of this story at Slashdot.

(image)



Windows 10 Bundled a Password Manager with a Security Flaw

2017-12-17T15:24:00+00:00

An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to a same vulnerability he reported in August 2016, which had apparently been reintroduced in the code. Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer. The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.

Read more of this story at Slashdot.

(image)



Here's the Letter Alleging Uber Spied on Individuals For Competitive Intelligence

2017-12-16T15:30:00+00:00

The judge in the $1.9 billion civil suit between Google-parent company Alphabet's self-driving car unit Waymo and Uber released the letter of a disgruntled former employee -- former Uber security officer Richard Jacobs -- on Friday, laying bare a number of explosive allegations against the ride-hailing company that include corporate espionage, unlawful surveillance, illegal wiretapping, bribery of foreign officials, and illicit hacking. From a report: The letter read: "This program, formerly known as the Strategic Services Group, under Nick Gicinto, collected intelligence and conducted unauthorized surveillance, including unauthorized recording of private conversations against executives from competitor firms, such as DiDi Chuxing and against its own employees and contractors at the Autonomous Technologies Group in Pittsburgh." Jacobs testified in court and walked back some of the allegations made in the letter, which was written by his attorney, Clayton Halunen. Days later, Uber's new chief legal officer Tony West issued a directive to employees to stop surveilling individuals, which Recode first reported. In a separate note to staff Khosrowshahi (current CEO of Uber) said the letter detailed enough to "merit serious concern." While Jacobs, Padilla (Uber's general counsel) and other employees addressed some of the claims made within the letter -- confirming the use of Wickr for business-related communications -- the letter itself had not been made public before Friday evening. The document prepared by Jacobs' attorney also claimed Uber was using some of these surveillance tactics on Alphabet's self-driving arm, Waymo. However, during his testimony, Jacobs walked that allegation back.

Read more of this story at Slashdot.

(image)



Mozilla Slipped a 'Mr. Robot'-Promo Plugin Into Firefox and Users Are Pissed

2017-12-16T00:45:00+00:00

MarcAuslander shares a report from Gizmodo: Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox -- and managed to piss off a bunch of its privacy-conscious users in the process. The extension, called Looking Glass, is intended to promote an augmented reality game to "further your immersion into the Mr. Robot universe," according to Mozilla. It was automatically added to Firefox users' browsers this week with no explanation except the cryptic message, "MY REALITY IS JUST DIFFERENT THAN YOURS," prompting users to worry on Reddit that they'd been hit with spyware. Without an explanation included with the extension, users were left digging around in the code for Looking Glass to find answers. Looking Glass was updated for some users today with a description that explains the connection to Mr. Robot and lets users know that the extension won't activate without explicit opt-in. Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. "The Mr. Robot series centers around the theme of online privacy and security," the company said in an explanation of the mysterious extension. "One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy."

Read more of this story at Slashdot.

(image)



Lock Out: the Austrian Hotel That Was Hacked Four Times

2017-12-15T19:20:00+00:00

AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.

Read more of this story at Slashdot.

(image)



CIA Captured Putin's 'Specific Instructions' To Hack the 2016 Election, Says Report

2017-12-15T13:00:00+00:00

An anonymous reader quotes a report from The Daily Beast: When Director of National Intelligence James R. Clapper Jr., CIA Director John Brennan and FBI Director James B. Comey all went to see Donald Trump together during the presidential transition, they told him conclusively that they had "captured Putin's specific instructions on the operation" to hack the 2016 presidential election, according to a report in The Washington Post. The intel bosses were worried that he would explode but Trump remained calm during the carefully choreographed meeting. "He was affable, courteous, complimentary," Clapper told the Post. Comey stayed behind afterward to tell the president-elect about the controversial Steele dossier, however, and that private meeting may have been responsible for the animosity that would eventually lead to Trump firing the director of the FBI.

Read more of this story at Slashdot.

(image)



A Cryptocurrency Without a Blockchain Has Been Built To Outperform Bitcoin

2017-12-15T03:30:00+00:00

An anonymous reader quotes a report from MIT Technology Review: Bitcoin isn't the only cryptocurrency on a hot streak -- plenty of alternative currencies have enjoyed rallies alongside the Epic Bitcoin Bull Run of 2017. One of the most intriguing examples is also among the most obscure in the cryptocurrency world. Called IOTA, it has jumped in total value from just over $4 billion to more than $10 billion in a little over two weeks. But that isn't what makes it interesting. What makes it interesting is that it isn't based on a blockchain at all; it's something else entirely. The rally began in late November, after the IOTA Foundation, the German nonprofit behind the novel cryptocurrency, announced that it was teaming up with several major technology firms to develop a "decentralized data marketplace." Though IOTA tokens can be used like any other cryptocurrency, the protocol was designed specifically for use on connected devices, says cofounder David Sonstebo. Organizations collect huge amounts of data from these gadgets, from weather tracking systems to sensors that monitor the performance of industrial machinery (a.k.a. the Internet of things). But nearly all of that information is wasted, sitting in siloed databases and not making money for its owners, says Sonstebo. IOTA's system can address this in two ways, he says. First, it can assure the integrity of this data by securing it in a tamper-proof decentralized ledger. Second, it enables fee-less transactions between the owners of the data and anyone who wants to buy it -- and there are plenty of companies that want to get their hands on data. The report goes on to note that instead of using a blockchain, "IOTA uses a 'tangle,' which is based on a mathematical concept called a directed acyclic graph." The team decided to research this new alternative after deciding that blockchains are too costly. "Part of Sonstebo's issue with Bitcoin and other blockchain systems is that they rely on a distributed network of 'miners' to verify transactions," reports MIT Technology Review. "When a user issues a transaction [with IOTA], that individual also validates two randomly selected previous transactions, each of which refer to two other previous transactions, and so on. As new transactions mount, a 'tangled web of confirmation' grows, says Sonstebo."

Read more of this story at Slashdot.

(image)



Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment

2017-12-14T23:10:00+00:00

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

Read more of this story at Slashdot.

(image)



Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks

2017-12-14T19:30:00+00:00

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.

Read more of this story at Slashdot.

(image)



Internet Traffic To Major Tech Firms Mysteriously Rerouted To Russia

2017-12-14T17:46:00+00:00

wiredmikey writes: Internet traffic to some of the world's largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack. Internet monitoring service BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS). It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC. Despite being short-lived, BGPmon said the incidents were significant, including due to the fact that the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, which is a joint project of several Nordic countries. The incident is rather suspicious, as the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren't normally seen on the Internet.

Read more of this story at Slashdot.

(image)



Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices

2017-12-14T03:30:00+00:00

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.

Read more of this story at Slashdot.

(image)



Trump Administration Calls For Government IT To Adopt Cloud Services

2017-12-14T02:10:00+00:00

According to Reuters, The White House said Wednesday the U.S. government needs a major overhaul of information technology systems and should take steps to better protect data and accelerate efforts to use cloud-based technology. The report outlined a timeline over the next year for IT reforms and a detailed implementation plan. One unnamed cloud-based email provider has agreed to assist in keeping track of government spending on cloud-based email migration. From the report: The report said the federal government must eliminate barriers to using commercial cloud-based technology. "Federal agencies must consolidate their IT investments and place more trust in services and infrastructure operated by others," the report found. Government agencies often pay dramatically different prices for the same IT item, the report said, sometimes three or four times as much. A 2016 U.S. Government Accountability Office report estimated the U.S. government spends more than $80 billion on IT annually but said spending has fallen by $7.3 billion since 2010. In 2015, there were at least 7,000 separate IT investments by the U.S. government. The $80 billion figure does not include Defense Department classified IT systems and 58 independent executive branch agencies, including the Central Intelligence Agency. The GAO report found some agencies are using systems that have components that are at least 50 years old.

Read more of this story at Slashdot.

(image)



Avast Launches Open-Source Decompiler For Machine Code

2017-12-14T01:30:00+00:00

Greg Synek reports via TechSpot: To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS. As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service. Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software. For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software.

Read more of this story at Slashdot.

(image)



Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters

2017-12-13T20:49:00+00:00

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."

Read more of this story at Slashdot.

(image)