Shared posts

16 Nov 10:23

Huawei's Researchers Can Charge a 3,000mAh Battery to 48% in 5 Minutes

by Jamie Condliffe

Battery life is one of the biggest headaches in tech—but while capacity remains a problem, manufacturers are at least making big improvements to charge times. Like Huawei, whose new experimental set-up can take a dead battery to 48 percent charge in about five minutes.

16 Nov 10:22

Chinese Researchers Reveal Active Stealthy Material

by timothy
hackingbear writes: Even after billions and billions of dollars spent on the stealthy skin used on F-22, F-35 and B-2, the material has weaknesses, and one of those is ultra-high-frequency (UHF) radar, which can pick up traces of the plane that other radar misses. Chinese researchers came to the rescue and created a material just 5/16 of an inch thick that can safeguard stealth planes against UHF detection. The material tunes itself to a range of detection frequencies, protecting against a large swath of radar scans. What's even more amazing? They published this seemingly top secret invention wide open in the Journal of Applied Physics.

16 Nov 10:20

Thanks to Copyright Bullshit, Anne Frank's Diary Now Has a Co-Author

by Rachel Vorona Cote

It would seem counterintuitive for a book entitled The Diary of Anne Frank to have another author besides, well, Anne Frank. But strange things happen in the Year of Our Lord 2015 – and by “strange things,” I mean copyright gymnastics propelled by a yen for profit. In naming Anne’s father, Otto Frank, co-author of the Diary, the Anne Frank Fonds can extend the copyright until 2050, thus preventing others from publishing the book without “paying royalties or receiving permission.”

16 Nov 10:17

More POS malware, just in time for Christmas

by Darren Pauli

VXers stuff evidence-purging malware in retailer stockings.

Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break.…

16 Nov 10:16

Google wants to add 'not encrypted' warnings to Gmail

by Richard Chirgwin

Bad actors named and shamed

Google is getting ready to alert Gmail users when messages are received in the clear instead of via encrypted transport, in response both to slow adoption of encryption by some hosts, and apparent hostility to encryption in some countries.…

16 Nov 02:51

Badware in the firmware all over the place

by Richard Chirgwin

Eurecom researchers scan embedded systems, kick an ants' nest

This is really no surprise: embedded system vendors aren't good at carrying out quality assurance on their firmware images, and their embedded Web server software is what you'd expect from something written in the last 20 minutes of Friday afternoon.…

15 Nov 23:37

Anonymous Vows Revenge For ISIS Paris Attacks

by timothy
An anonymous reader writes: As usual, Anonymous members are quicker to respond to threats than investigators and have announced #OpParis as revenge for the Paris attacks. Their action is similar to #OpISIS from this spring, launched after the Charlie Hebdo attacks. Previously Anonymous ousted thousands of ISIS Twitter accounts in #OpISIS. In a more conventional response, the government of France has been bombarding ISIS positions in Syria with airstrikes, and hunting for suspect Salah Abdeslam in connection with Friday's killings.

15 Nov 23:33

PNG pongs: critical bug patched in ubiquitous libpng

by Richard Chirgwin

Crafted image crashes apps, server processes

This will not be fun: the graphics processing library libpng has a vulnerability and needs to be patched.…

15 Nov 22:56

Reddit Joins the Long List of Websites to Be Banned, Unbanned by Turkey

by Rachel Pick for Motherboard


Friday night, Turkey banned Reddit. Just a day later, "the front page of the internet" was back.

The initial block was confirmed by Turkey’s Telecom Authority (TIB) with the following statement: “After technical analysis and legal consideration based on the Law Nr. 5651, ADMINISTRATION MEASURE has been taken for this website (reddit.com) according to Decision Nr. 490.05.01.2015.-252804 dated 13/11/2015 of the Presidency of Telecommunication and Communication.”

Law 5651, cited above, is Turkey’s unpopular internet censorship law, which allows the country to block sites for a variety of reasons—from terrorism to pornography to piracy. The law, enacted in 2007, gives the TIB the right to block sites and content without requiring any external authorization.

Updates made to the law last year that expanded its scope caused protests in the capital of Ankara as well as in Istanbul, and drew criticism from Human Rights Watch, who said that Turkey “has an abysmal record of protecting free expression online,” and has already “blocked tens of thousands of websites” under Law 5651.

Critics have also noted that the updates were made right as prime minister Recep Tayyip Erdogan found himself embroiled in a corruption scandal. Erdogan of course rejects criticism of the law, saying that it has only made the Internet “safer and freer.”

In the wake of the ban, Turkish redditors shared strategies for circumventing the block and groused about the increasingly restrictive laws in their home country. As one user lamented, “It's sad to see what Erdogan is doing to my country.” As a result of the censorship laws, many Turkish citizens have become well-versed in using VPNs and Tor to circumvent blocks.

Reddit joins a list of sites that Turkey has temporarily banned in the past, a list which includes YouTube and Twitter. Popular image-sharing site Imgur is still banned.

15 Nov 22:53

A Look at France’s New Surveillance Laws in the Wake of the Paris Attacks

by Rachel Pick for Motherboard


After the Charlie Hebdo massacre in January, France passed its controversial “Intelligence Bill,” allowing it to increase its surveillance powers. Now, in the wake of the devastating terrorist attacks that have left Paris in mourning for the second time this year, it’s worth re-examining how the law might be put into action as intelligence-gathering accelerates.

The legislation, which was passed by French parliament in May, drew such strong opposition from the public that French President François Hollande referred it to the nation’s Constitutional Council, which finally gave it the go-ahead in July. It has been likened to the US Patriot Act, and though French Prime Minister Manuel Valls chafes at the implication, it’s easy to see the basis for the comparison.

Like the Patriot Act, the French law allows the government to monitor phone calls and emails of terrorism suspects without obtaining a warrant. It also requires internet service providers to collect metadata, which is then processed by an algorithm to detect strings of suspicious activity—a page taken right from the NSA’s playbook.

Under the French law, surveillance operations are overseen by a committee led by Valls, but that committee cannot overrule Valls if they disagree with an action he wants to take. This leaves the ability to make security decisions dangerously centralized, according to some critics, like Paris Bar President Pierre-Olivier Sur. Sur publicly objected to the bill on the grounds that it is not subject to judicial control, saying it “seriously threatens civil liberties.”

Amnesty International has also been a vocal detractor. Deputy Director for Europe and Central Asia Gauri van Gulik said that “French authorities appear to want to mimic their American and British counterparts in allowing the authorities to intercept and access people’s communications at will.” Geneviève Garrigos, head of Amnesty International France, condemned the bill as being “in flagrant violation of the international human rights to privacy and free speech.”

But the law also allows for some activities that go beyond even the provisions laid out by its international relatives. Under the intelligence bill, the French government may use IMSI catchers, which impersonate cell towers and are capable of recording metadata from phones within the catcher’s range as well as tracking the phone’s (and its owner’s) location.

When the law was still up for debate, senator Cécile Cukierman argued that this metadata would prove both unwieldy and intrusive. She said that “information that reveals real threats will be collected—because everything will be collected—but who will find them?” and that the black boxes would create a state of “permanent surveillance.”

There’s also a provision that resembles an aggressive version of the infamous “sneak and peek” Patriot Act searches. As Re/code explains, “the law allows government agents to break into the homes of suspected terrorists for the purpose of planting microphone bugs, surveillance cameras, and to install keyloggers on their computers, devices that capture data on every keystroke and mouse click.”

Valls, meanwhile, has been unmoved by criticism of the law, saying that the existing legislation was severely outdated. “The last intelligence law was done in 1991, when there were neither cellphones nor internet,” Valls said. He celebrated when the law was passed with a tweet: “France now has a secure framework against terrorism that is respectful of freedoms. This is a major breakthrough.”

Historically, governments have often sought to tighten surveillance over their citizens in the wake of tragic attacks, like those Paris has endured this year. As France reels from another senseless catastrophe, it will be well worth tracking how it handles its new intelligence powers.

15 Nov 22:51

Xposed Framework Rolls Out For Android Marshmallow 6.0

by Eric Ravenscraft

Android (root): The awesome Xposed framework, which allows you to roll your own customized version of Android, has now been updated to work with Android Marshmallow.

15 Nov 22:49

[cryptome] Paris attacks: ISIS terrorists may have used PlayStation 4s to plot atrocities (Chien Fume)

This reads like a promotion for PS4 and more justification for the obviously ineffective pervasive electronic snooping. All that amazing technology and they missed this and every other major terrorist attack. ...It is not yet known whether PS4s were used to organise the devastating attack which killed 129 people and injured hundreds in Paris. ...But according to the International Business Times, a games console was ...
15 Nov 18:41

FCC Clarifies: It's Legal To Hack Your Router

by timothy
Mark Wilson writes with an update to an earlier report that the wording of new FCC regulations could mean that it would be illegal to modify the software running on wireless routers by installing alternative firmwares. Instead, the commission has now acknowledged that there was more than a little confusion from people who believed that manufacturers would be encouraged to prevent router modifications. The FCC wants to make it clear that most router hacking is fine and will remain fine. With a few exceptions, that is. In a blog post entitled Clearing the Air on Wi-Fi Software Updates, Julius Knapp from the FCC tries to clear up any misunderstandings that may exist.

15 Nov 18:41

Intel Flagship Core I7-6950X Broadwell-E To Offer 10-Cores, 20-Threads, 25MB L3

by timothy
MojoKid writes: Intel has made a habit of launching enthusiast versions of previous-generation processors after it releases a new architecture. As was the case with Intel's Haswell architecture, high-end Broadwell-E variants are expected and it looks like Intel is readying a doozy. Recent details revealed show four new processors under the new HEDT (High-End Desktop) banner for Broadwell, which is one more SKU than Haswell-E brought to the table. The most intriguing of the new chips is the Core i7-6950X, a monster 10-core CPU with Hyper Threading support. That gives the Core i7-6950X 20 threads to play with, along with a whopping 25MB of L3 cache. The caveat is the CPU's clockspeed — it will run at just 3.0GHz (base), so for applications that aren't properly tuned to take full advantage of large core counts and threads, it could potentially trail behind the Core i7-6700K, a quad-core Skylake processor clocked at 3.4GHz (base) to 4GHz (Turbo).

15 Nov 17:20

Saturday Night Social: Snoop Dogg Has His Own Line of Weed Products 

by Marie Lodi

Weed lovers, rejoice. Snoop Dogg has finally launched his own line of weed products called Leafs by Snoop. Along with 8 different strains of flower, there’s an edibles section called “Dogg Treats,” because, well, of course there is! It has gummies, fruit chews, peanut butter gems and fancy-looking artisan chocolate. Ooh la la.

15 Nov 15:34

SaveHollywood Turns Any Movie Into a Screen Saver on OS X

by Thorin Klosowski

Mac: Screen savers aren’t exactly the most exciting affair, but if you’ve ever wanted to use a video file as a screensaver, SaveHollywood is a simple, free way to do it.

15 Nov 15:28

There's a Hidden Connection Between Pi and Quantum Mechanics 

by Jennifer Ouellette

Physicists have uncovered a hidden connection between a famous 350-year-old mathematical formula for pi, everyone’s favorite irrational number, and quantum mechanics. At least one mathematician has pronounced the discovery “a cunning piece of magic.”

15 Nov 15:28

Facebook's "Safety Check" Lets You Locate Loved Ones in Paris

by Alissa Walker

A Facebook feature implemented to help track people after natural disasters has been launched tonight to help people connect with their friends and family after the Paris attacks.

15 Nov 15:22

Quantum Entanglement Survives, Even Across an Event Horizon

by timothy
StartsWithABang writes: One of the more puzzling phenomena in our quantum Universe is that of entanglement: two particles remain in mutually indeterminate states until one is measured, and then the other — even if it's across the Universe — is immediately known. In theory, this should be true even if one member of the pair falls into a black hole, although it's impossible to measure that. However, we can (and have) measured that for the laboratory analogue of black holes, known as "dumb holes," and the entanglement survives!

15 Nov 15:21

Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack

by timothy
MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Qihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.

15 Nov 15:20

Ad Networks Using Inaudible Sound To Link Phones, Tablets and Other Devices

by timothy
ourlovecanlastforeve writes with a link to Ars Technica's report of a new way for ads to narrow in on their target: high-pitched sounds that can make ad tracking cross devices and contexts. From the article: The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

15 Nov 15:19

BadBarcode Attack Forces Host System To Carry Out Commands

by timothy
msm1267 writes: Researchers at this week's PacSec 2015 conference in Tokyo demonstrated how they were able to inject special control characters into a barcode, so that a barcode reader will 'press' host system hotkeys, and activate a particular function. The attacks, called BadBarcode, can be used against any keyboard wedge barcode scanner that supports ASCII control characters--many do. An attacker can then use control commands to open or save files, launch a browser or execute commands. Here are the presentation slides.

15 Nov 15:17

Police Body Cameras Come With Pre-Installed Malware

by timothy
An anonymous reader writes: The old Conficker worm was found on new police body cameras that were taken out of the box by security researchers from iPower Technologies. The worm is detected by almost all security vendors, but it seems that it is still being used because modern day IoT devices can't yet run security products. This allows the worm to spread, and propagate to computers when connected to an unprotected workstation. One police computer is enough to allow attackers to steal government data. The source of the infection is yet unknown. It is highly unlikely that the manufacturer would do this. Middlemen involved in the shipping are probably the cause.

13 Nov 20:52

Is the EU Really Making Some Hyperlinks Illegal?

by Andres Guadamuz

You may have read that the European Commission intends to prevent hyperlinks to copyrighted material. The good news is that this isn’t true, but the bad news is that there is a real proposal to change copyright law that could change how we use hyperlinks – the bedrock of the world wide web.

13 Nov 20:45

Laser Strikes On Aircraft Increasing In Frequency

by Soulskill
puddingebola writes: The FAA is reporting a record number of laser strikes on aircraft for 2015. From the article: "The Federal Aviation Administration recorded 5,352 laser strikes through Oct. 16, up from 2,837 for all of 2010. ... Some airports have reported more than 100 laser strikes this year: Los Angeles had 197; Phoenix had 183; Houston had 151; Las Vegas had 132, and Dallas-Fort Worth had 115. On July 15, during a 90-minute period, 11 airliners and one military aircraft reported laser strikes near New York City-area airports. Those incidents remain under investigation by the FAA, FBI and New Jersey state police."

13 Nov 20:36

Hospitals Are Under ‘Constant Attempts at Attack’ from Hackers, FDA Says

by J.M. Porup for Motherboard

"Cyber hygiene" is paramount to keeping medical devices in hospitals safe from hackers and malware, Suzanne Schwartz, director of Emergency Preparedness/Operations and Medical Countermeasures for the Center for Devices and Radiological Health, a division of the Food and Drug Administration, told the mHealth Cybersecurity Summit in Washington earlier this week.

Schwartz’s speech was the latest in a series of talks emphasizing the FDA’s commitment to improving medical device cybersecurity. The issue has been gaining attention recently due to reports that networked medical devices are nearly defenceless against online threats.

“The term ‘cyber hygiene’ is used by the cybersecurity community to refer to controlling a device's operation in a way that is intended to prevent cybersecurity breaches in the first place,” Schwartz explained in an email to Motherboard. “This means safe and proper configuration of available features, the least possible access to functionality and routine cybersecurity servicing.”

While it is important to note that the FDA is unaware of any deaths or injuries resulting from a hacked medical device, recent research indicated that medical devices are extremely vulnerable to opportunistic malware. This summer the FDA took the unprecedented step of warning hospitals to stop using a line of drug pumps because of the cybersecurity risk.

The FBI’s Cyber Division issued a Private Industry Notification (PIN) to the healthcare industry in 2014, warning that the healthcare sector lags behind better-defended industries such as retail and finance. And a cyber attack on America’s second-largest hospital system last year netted the unknown attackers 4.5 million patient records.

Schwartz noted that the FDA’s 2013 Safety Communication on Cybersecurity for Medical Devices and Hospital Networks outlined various cyber hygiene practices that are still relevant for facilities today, and its 2014 Final Guidance on Premarket Cybersecurity laid out cyber hygiene best practices for manufacturers.

“It's important for both manufacturers and healthcare delivery organizations to recognize the new reality today—hospitals and healthcare system networks are under constant attempts at attack and intrusion,” she added. “Protection of these systems, which contain highly sought after personal health information and personal identifying information, means that medical devices need to be better secured as well.”

Schwartz emphasized that the solution to the “growing cyber threat” hospitals face requires a “whole of community approach,” which the FDA aims to foster.

Medical device cybersecurity has suffered from buck-passing and finger pointing in the past. Security researchers have experienced bullying, lawsuits, and even screaming fits when confronting manufacturers with vulnerabilities in their products.

Schwartz made clear that the FDA will not tolerate such tactics, telling manufacturers, "Respond to and address security vulnerabilities that are identified for your marketed devices."

Some security researchers have criticized the FDA for not enforcing stronger cybersecurity regulations for medical devices. But, Schwartz indicated in her talk, hospitals must also play their part by demanding minimum cybersecurity standards from vendors and outsourcers.

"Where feasible," she told hospitals, "include securability for the lifetime of your device in your procurement specs contract language."

The health care system in the US relies heavily on networked medical devices. Every year there are 35 million hospital discharges, plus 100 million hospital outpatient visits, 900 million physician office visits, and a billion prescriptions issued, and "most of these encounters likely include a networked medical device," Schwartz said, quoting estimates from the Centers for Disease Control and Prevention.

Schwartz also called for medical device manufacturers to implement vulnerability disclosure policies, saying "coordinated disclosure and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole."

A vulnerability disclosure policy gives researchers a way to alert manufacturers to vulnerabilities, and publicly commits the manufacturer to dealing with, rather than ignoring, security problems.

Currently only two medical device manufacturers have a published vulnerability disclosure policy, Philips and Dräger—and that’s “2 more than last year,” tweeted medical device security researcher Scott Erven.

“This is a culture shift and it will necessitate change in mindsets and behaviors,” Schwartz told the audience. “The FDA...strongly believes the best way to protect patients from cyber threats is to work together to address medical device vulnerabilities using a total product lifecycle approach.”

13 Nov 19:49

Windows 3.1 Glitch Causes Problems At French Airport -- Wait, 3.1?

by Soulskill
OakDragon writes: Microsoft has tamped down the earth on XP's grave, steered Internet Explorer toward the nursing home, and is trying to convince everyone Windows 10 is a bright up-and-comer. But in the Paris airport of Orly, a system called DECOR — which helps air traffic controllers relay weather information to pilots — is running on Windows 3.1. That program suffered a glitch recently that grounded planes for some time. The airport actually runs on a variety of old systems, including Windows XP and UNIX. Maintenance is a problem. There are only three people in Paris that work on DECOR issues, and one of them is retiring soon. Hardware is also an issue. "Sometimes we have to go rummaging on eBay to replace certain parts," said Fiacre. "In any case, these machines were not designed to keep working for more than 20 years."

13 Nov 19:40

Tor Attack Could Unmask New Hidden Sites in Under Two Weeks

by Joseph Cox for Motherboard

A research project conducted by Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) could have unmasked newly-launched Tor hidden services in just two weeks, according to a source familiar with SEI's work. The method used by the SEI may have also let other observers of the Tor network “hijack” SEI's information and de-anonymize Tor sites or users themselves.

SEI “had the ability to deanonymize a new Tor hidden service in less than two weeks,” the source said. “Existing hidden services required upwards of a month, maybe even two months.”

“The trick is that you have to get your attacking Tor nodes into a privileged position in the Tor network, and this is easier for new hidden services than for existing hidden services,” the source, who asked to remain anonymous for fear of losing his or her job, continued.

On Wednesday, Motherboard reported that a "university-based academic research institute" had been providing information to the FBI, leading to the identification of criminal suspects on the dark web, including those allegedly involved with the now-defunct marketplace Silk Road 2.0, and a man charged with possession of child pornography.

Circumstantial evidence pointed to the SEI and an attack carried out against Tor last year. After the publication of Motherboard's report, the Tor Project claimed that CMU was paid at least $1 million for the project, and several academics who focus on the dark web said they were “livid” and “concerned” over the institute's actions.

Now it has emerged that the SEI submitted a research paper to the 21st ACM Conference on Computer and Communications Security (CCS) last year on deanonymizing Tor hidden services and users. It gave results obtained from simulations of an attack on the Tor network.

“From a [computer science] ethics perspective it looked like perfectly ethical research,” said the source, because it wasn't being carried out on Tor users in the wild. The researchers “found a bug in Tor and ran some simulations to see how effectively” it could be exploited, the source said.

The academic submission made no mention of the planned (and ultimately cancelled) BlackHat talk pitched by researchers from SEI, nor an attack being carried out on behalf of the FBI, although it was funded by a Department of Defense contract, number FA8721-05-C-0003.

Because the paper dealt with simulations, and not “running real experiments on Tor, there would have been no need” for an institutional review board to check the ethical situation around the paper's research, the source said.

The paper was rejected, however. The people who reviewed the paper felt that “the concepts here weren't that different from previous work,” the source said. Indeed, one part of the research, which involved “traffic confirmation attacks,” has been known since at least 2009.

Bearing this in mind, the source said that Tor probably should have been more “aggressive in detecting” malicious nodes that appeared between January 2014 and July 2014, deanonymizing users.

“Tor screwed up,” the source said.

Regardless, the attack detailed in the research “worked really well,” the source added. “You would be crazy to run a hidden service given those results.”

The source said that, because of the way that the attack had been carried out, “anyone who knew about the attack would have been able to hijack that information and use it to do their own deanonymization.”

In essence, it might have been possible for another actor to piggy-back off of SEI's work, so even if the researchers were “careful to only go after bad guys, they could have enabled another attacker (e.g., China, Russia) to go after lots of other people.”

The vulnerability that the researchers took advantage of in this attack has since been patched.

Richard Lynch, the public relations manager for the SEI, told Motherboard in an email that “We are not able to comment on Tor.”

This post has been updated to clarify that Tor has since patched the vulnerability.

13 Nov 19:40

A New Laser Could Make Materials Hotter Than the Sun Almost Instantly

by Maddie Stone

Ever feel like an insanely high powered laser could solve your problems? Fusion researchers sure do! And now, they may have the blueprint they’ve been searching for. New theoretical work indicates it could be possible to build a laser that heats materials to temperatures hotter than the center of the sun—within a millionth of a millionth of a second.

13 Nov 19:21

Testing the Usability of PGP Encryption Tools

by schneier

"Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client," by Scott Ruoti, Jeff Andersen, Daniel Zappala, and Kent Seamons.

Abstract: This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after Why Johnny Can't Encrypt, modern PGP tools are still unusable for the masses. We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.

I have recently come to the conclusion that e-mail is fundamentally unsecurable. The things we want out of e-mail, and an e-mail system, are not readily compatible with encryption. I advise people who want communications security to not use e-mail, but instead use an encrypted message client like OTR or Signal.