Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
United States

America Uses Stealthy Submarines To Hack Other Countries' Systems (washingtonpost.com) 39

When the Republican presidential nominee Donald Trump asked Russia -- wittingly or otherwise -- to launch hack attacks to find Hillary Clinton's missing emails, it caused a stir of commotion. Russia is allegedly behind DNC's leaked emails. But The Washington Post is reminding us that U.S.'s efforts in the cyber-security world aren't much different. (could be paywalled; same article syndicated elsewhere From the report: The U.S. approach to this digital battleground is pretty advanced. For example: Did you know that the military uses its submarines as underwater hacking platforms? In fact, subs represent an important component of America's cyber strategy. They act defensively to protect themselves and the country from digital attack, but -- more interestingly -- they also have a role to play in carrying out cyberattacks, according to two U.S. Navy officials at a recent Washington conference. "There is a -- an offensive capability that we are, that we prize very highly," said Rear Adm. Michael Jabaley, the U.S. Navy's program executive officer for submarines. "And this is where I really can't talk about much, but suffice to say we have submarines out there on the front lines that are very involved, at the highest technical level, doing exactly the kind of things that you would want them to do."

The so-called "silent service" has a long history of using information technology to gain an edge on America's rivals. In the 1970s, the U.S. government instructed its submarines to tap undersea communications cables off the Russian coast, recording the messages being relayed back and forth between Soviet forces. (The National Security Agency has continued that tradition, monitoring underwater fiber cables as part of its globe-spanning intelligence-gathering apparatus. In some cases, the government has struck closed-door deals with the cable operators ensuring that U.S. spies can gain secure access to the information traveling over those pipes.) These days, some U.S. subs come equipped with sophisticated antennas that can be used to intercept and manipulate other people's communications traffic, particularly on weak or unencrypted networks. "We've gone where our targets have gone" -- that is to say, online, said Stewart Baker, the National Security Agency's former general counsel, in an interview. "Only the most security-conscious now are completely cut off from the Internet." Cyberattacks are also much easier to carry out than to defend against, he said.

Security

Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com) 31

Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept: "Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."

The nonprofit was funded with $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union, and also looks at the number of external libraries called, the number of branches in a program and the presence of high-complexity algorithms.
The Military

Russian Government Gets 'Hacked Back', Attacks Possibly Launched By The NSA (bbc.com) 113

An anonymous reader write: Russian government bodies have been hit by a "professional" cyber attack, according to the country's intelligence service, which said the attack targeted state organizations and defense companies, as well as Russia's "critically important infrastructures". The agency told the BBC that the powerful malware "allowed those responsible to switch on cameras and microphones within the computer, take screenshots and track what was being typed by monitoring keyboard strokes."
ABC News reports that the NSA "is likely 'hacking back' Russia's government-linked cyber-espionage teams "to see once and for all if they're responsible for the massive breach at the Democratic National Committee, according to three former senior intelligence officials... Robert Joyce, chief of the NSA's shadowy Tailored Access Operations, declined to comment on the DNC hack specifically, but said in general that the NSA has technical capabilities and legal authorities that allow the agency to 'hack back' suspected hacking groups, infiltrating their systems to gather intelligence about their operations in the wake of a cyber attack... In some past unrelated cases...NSA hackers have been able to watch from the inside as malicious actors conduct their operations in real time."
The Gimp

After New GIMP Release, Core Developer Discusses Future of GIMP and GEGL (girinstud.io) 49

GIMP 2.9.4 was released earlier this month, featuring "symmetry painting" and the ability to remove holes when selecting a region, as well as improvements to many of its other graphics-editing tools. But today core developer Jehan Pages discussed the vision for GIMP's future, writing that the Generic Graphics (GEGL) programming library "is a hell of a cool project and I think it could be the future of Free and Open Source image processing": I want to imagine a future where most big graphics programs integrate GEGL, where Blender for instance would have GEGL as the new implementation of nodes, with image processing graphs which can be exchanged between programs, where darktable would share buffers with GIMP so that images can be edited in one program and updated in real time in the other, and so on. Well of course the short/mid-term improvements will be non-destructive editing with live preview on high bit depth images, and that's already awesomely cool right...?

[C]ontributing to Free Software is not just adding any random feature, that's also about discussing, discovering others' workflow, comparing, sometimes even compromising or realizing that our ideas are not always perfect. This is part of the process and actually a pretty good mental builder. In any case we will work hard for a better GIMP

Sci-Fi

Babylon 5 Actor Jerry Doyle Dies (dailymail.co.uk) 70

Slashdot reader tiqui writes: Jerry Doyle, best known for playing Security Chief Michael Garibaldi on Babylon 5 has passed away in Las Vegas at only 60 years of age. His B5 character was often paired-up with G'Kar (played by Andreas Katsulas who died in 2006 at age 59) and with Jeffrey Sinclair (played by Michael O'Hare who died in 2012, also at age 60) He seems to have lead an interesting life. Cause of death not yet known.
Slashdot reader The Grim Reefer quotes the BBC: Fellow Babylon 5 actor Bruce Boxleitner tweeted that he was "so devastated at the news of the untimely death of my good friend", while astronaut Scott Kelly said the news was "very sad to hear".
Robotics

Open Source Gardening Robot 'FarmBot' Raises $560,000 59

Slashdot reader Paul Fernhout writes: FarmBot is an open-source gantry-crane-style outdoor robot for tending a garden bed. The project is crowdfunding a first production run and has raised US$561,486 of their US$100,000 goal -- with one day left to go... The onboard control system is based around a Raspberry Pi 3 computer and an Arduino Mega 2560 Microcontroller. Many of the parts are 3D printable.
Two years ago Slashdot covered the genesis of this project, describing its goal as simply "to increase food production by automating as much of it as possible."
United States

Google Wi-Fi Kiosks in New York Promise No Privacy, 'Can Collect Anything' (observer.com) 53

Here's the thing about those wi-fi kiosks replacing New York City's public payphones. They're owned by Google/Alphabet company Sidewalk Labs, they're covered with ads, and if you read the privacy policy on its web site, "it's not that one." An anonymous Slashdot reader quotes an article from the Observer: Columbia professor Benjamin Read got a big laugh at this weekend's Hackers on Planet Earth XI conference in Manhattan when he pointed out that the privacy policy on LinkNYC's website only applies to the website itself, not to the actual network of kiosks.
The web page points out that it has two separate privacy policies in an easily-missed section near the top, and for their real-world kiosks, "They essentially have a privacy policy that says, 'we can collect anything and do anything' and that sets the outer bound'," says New York Civil Liberties Union attorney Mariko Hirose.

The Observer reports that the policy "promises not to use facial recognition... however, nothing stops the company from retracting that guarantee. In fact, Hirose said that she's been told by the company that the kiosk's cameras haven't even been turned on yet, but it is also under no obligation to tell the public when the cameras go live." The article concludes that in general the public's sole line of defense is popular outrage, and that privacy policies "have been constructed primarily to guard companies against liability and discourage users from reading closely."
Android

Android Stagefright Bug Required 115 Patches, Millions Still At Risk (eweek.com) 35

eWeek reports that "hundreds of millions of users remain at risk" one year after Joshua Drake discovered the Stagefright Android flaw. Slashdot reader darthcamaro writes: A year ago, on July 27, 2015 news about the Android Stagefright flaw was first revealed with the initial reports claiming widespread impact with a billion users at risk. As it turns out, the impact of Stagefright has been more pervasive...over the last 12 months, Google has patched no less than 115 flaws in Stagefright and related Android media libraries. Joshua Drake, the researcher who first discovered the Stagefright flaw never expected it to go this far. "I expected shoring up the larger problem to take an extended and large effort, but I didn't expect it to be ongoing a year later."
Drake believes targeted attacks use Stagefright vulnerabilities on unpatched systems, but adds that Android's bug bounty program appears to be working, paying out $550,000 in its first year.
Operating Systems

Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host (itnews.com.au) 55

Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update the dom0 operating system to the latest version.
"A malicious, paravirtualized guest administrator can raise their system privileges to that of the host on unpatched installations," according to an article in IT News, which quotes Xen as saying "The bits considered safe were too broad, and not actually safe." IT News is also reporting that Qubes will move to full hardware memory virtualization in its next 4.0 release. Xen's hypervisor "is used by cloud giants Amazon Web Services, IBM and Rackspace," according to the article, which quotes a Qubes security researcher who asks the age-old question. "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"
Crime

Cisco Finds $34 Million Ransomware Industry (networkworld.com) 15

Ransomware is "generating huge profits," says Cisco. Slashdot reader coondoggie shares this report from Network World: Enterprise-targeting cyber enemies are deploying vast amounts of potent ransomware to generate revenue and huge profits -- nearly $34 million annually, according to Cisco's Mid-Year Cybersecurity Report out this week. Ransomware, Cisco wrote, has become a particularly effective moneymaker, and enterprise users appear to be the preferred target.
Many of the victims were slow to patch their systems, according to the article. One study of Cisco devices running on fundamental infrastructure discovered that 23% had vulnerabilities dating back to 2011, and 16% even had vulnerabilities dating back to 2009. Popular attack vectors included vulnerabilities in JBoss and Adobe Flash, which was responsible for 80% of the successful attacks for one exploit kit. The article also reports that attackers are now hiding their activities better using HTTPS and TLS, with some even using a variant of Tor.
United States

The Chip Card Transition In the US Has Been a Disaster (qz.com) 494

Ian Kar, writing for Quartz: Over the last year or so in the U.S., a lot of the plastic credit cards we carry around every day have been replaced by new one with chips embedded in them. The chips are supposed to make your credit and debit cards more secure -- a good thing! -- but there's one little secret no one wants to admit: The U.S.'s transition to chip cards has been an utter disaster. They're confusing to use, painstakingly slow, less secure than the alternatives, and aren't even the best solution for consumers. If you've shopped in a store and used a credit card, you've noticed the change. Retailers have likely asked you to insert the chip into the card reader, instead of swiping. But reading the chip seems to take much longer than just swiping. And on top of that, even though many retailers now have chip reading machines, some of them ask us just the opposite -- they say not to insert the card, and just swipe. It seems like there's no rhyme or reason to the whole thing.
The Military

Russia's Rise To Cyberwar Superpower (dailydot.com) 72

"The Russians are top notch," says Chris Finan, an ex-director at DARPA for cyberwar research, now a CEO at security firm Manifold Technology, and a former director of cybersecurity legislation in the Obama administration. "They are some of the best in the world... " Slashdot reader blottsie quotes an article which argues the DNC hack "may simply be the icing on the cyberwar cake": In a flurry of action over the last decade, Russia has established itself as one of the world's great and most active cyber powers. The focus this week is on the leak of nearly 20,000 emails from the Democratic National Committee... The evidence -- plainly not definitive but clearly substantial -- has found support among a wide range of security professionals. The Russian link is further supported by U.S. intelligence officials, who reportedly have "high confidence" that Russia is behind the attack...

Beyond the forensic evidence that points to Russia, however, is the specter of President Vladimir Putin. Feeling encircled by the West and its expanding NATO alliance, the Kremlin's expected modus operandi is to strike across borders with cyberwar and other means to send strong messages to other nations that are a real or perceived threat.

The article notes the massive denial of service attack against Estonia in 2007 and the "historic and precedent-setting" cyberattacks during the Russian-Georgian War. "Hackers took out Georgian news and government websites exactly in locales where the Russian military attacked, cutting out a key communication mode between the Georgian state and citizens directly in the path of the fight."
Stats

Uber Doesn't Decrease Drunk Driving, Finds New Study (washingtonpost.com) 67

"A new study casts doubt on Uber's claim that ride-sharing has reduced drunken driving," reports the Washington Post. An anonymous Slashdot reader quotes their report: Researchers at Oxford University and the University of Southern California who examined county-level data in the United States before and after the arrival of Uber and its competitors in those markets found that ride-sharing had no effect on drinking-related or holiday- and weekend-related fatalities. One reason could be that, despite the soaring popularity of Uber and other ride-sharing services, there still may not be enough ride-share drivers available yet to make a dent on drunken driving, the authors said.

They also suggest that the tipsy riders who now call Uber are the ones who formerly would have called a taxi. For others, the odds of getting a DUI are still so low that many would prefer to gamble rather than lay out money for a ride-sharing service. Drunks, after all, are just not rational.

One reason for the low number of Uber drivers may be that the 10-year study only examined data through 2014. While other studies have found a decrease in drunk driving arrests associated with Uber -- for example, in California -- the Post's article suggests that ridesharing drivers may just be a drop in the bucket. "Although approximately 450,000 people now drive for Uber, there are 210 million licensed drivers in the United States -- and an estimated 4.2 million adults who drive impaired, the study says."
Security

Bruce Schneier: Our Election Systems Must Be Secured If We Want To Stop Foreign Hackers (schneier.com) 176

Okian Warrior writes: Bruce Schneier notes that state actors are hacking our political system computers, intending to influence the results. For example, U.S. intelligence agencies have concluded that Russia was behind the release of DNC emails before the party convention, and WikiLeaks is promising more leaked dirt on Hillary Clinton. He points out, quite rightly, that the U.S. needs to secure its electronic voting machines, and we need to do it in a hurry lest outside interests hack the results. From the article: "Over the years, more and more states have moved to electronic voting machines and have flirted with internet voting. These systems are insecure and vulnerable to attack. But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified. We no longer have time for that. We must ignore the machine manufacturers' spurious claims of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online."
Earth

World's Largest Solar Power Plant Planned For Chernobyl Nuclear Wasteland (electrek.co) 126

An anonymous reader writes from a report via Electrek: Chernobyl, the world's most famous and hazardous nuclear meltdown, is being considered for the world's largest solar power plant. Even though nearly 1,600 square miles of land around Chernobyl has radiation levels too high for human health, Ukraine's ecology minister has said in a recent interview that two U.S. investment firms and four Canadian energy companies have expressed interest in Chernobyl's solar potential. Electrek reports: "According to PVTech, the Ukrainian government is pushing for a 6 month construction cycle. Deploying this amount of solar power within such a time frame would involve significant resources being deployed. The proposed 1GW solar plant, if built today, would be the world's largest. There are several plans for 1GW solar plants in development (Egypt, India, UAE, China, etc) -- but none of them have been completed yet. One financial benefit of the site is that transmission lines for Chernobyl's 4GW nuclear reactor are still in place. The European Bank for Reconstruction and Development has stated they would be interested in participating in the project, 'so long as there are viable investment proposals and all other environmental matters and risks can be addressed to the bank's satisfaction.'"

Slashdot Top Deals