Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security

BHU's 'Tiger Will Power' Wi-Fi Router May Be The Most Insecure Router Ever Made (softpedia.com) 62

An anonymous reader writes from a report via Softpedia: A Wi-Fi router manufactured and sold only in China can easily run for the title of "most insecure router ever made." The BHU router, whose name translates to "Tiger Will Power," has a long list of security problems that include: four authentication bypass flaws (one of which is just hilarious); a built-in backdoor root account that gets created on every boot-up sequence; the fact that it opens the SSH port for external connections after every boot (somebody has to use that root backdoor account right?); a built-in proxy server that re-routes all traffic; an ad injection system that adds adverts to all the sites you visit; and a backup JS file embedded in the router firmware if the ad script fails to load from its server. For techies, there's a long technical write-up, which gets funnier and scarier at the same time as you read through it. "An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges," reports Softpedia. "If he misspells the SID and drops a zero, that's no problem. The BHU router will accept any value and still grant the user admin rights."
Crime

Turkish Journalist Jailed For Terrorism Was Framed, Forensic Report Shows (vice.com) 96

An anonymous reader quotes a report from Motherboard: Turkish investigative journalist Baris Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive. The attackers also attempted to control the journalist's machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it's been seen in the wild. Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey. A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light into the case after several other reports have acknowledged the presence of malware. Spencer said no other forensics expert noticed the Ahtapot trojan in the OdaTV case, nor has determined accurately how those documents showed up on the journalist's computer. However, almost all the reports have concluded that the incriminating files were planted. "We are not guilty," Baris Pehlivan told Andrada Fiscutean via Motherboard. "The files were put into our computers by a virus and by [attackers] entering the OdaTV office secretly. None of us has seen those documents before the prosecutor showed them to us." (OdaTV is the website Pehlivan works for and "has been critical of the government and the Gulen Movement, which was accused by Turkish president Recep Tayyip Erdogan of orchestrating the recent attempted coup.") In regard to the report, senior security consultant at F-Secure, Taneli Kaivola, says, "Yes, [the report] takes an impressive level of conviction to locally attack a computer four times, and remotely attack it seven times [between January 1, 2011, and February 11, 2011], as well as a certain level of technical skill to set up the infrastructure for those attacks, which included document forgery and date and time manipulation."
Piracy

Cox Denies Liability for Pirating Subscribers, Appeals $25 Million Verdict (torrentfreak.com) 97

Cox Communications insists that it is not responsible for copyright infringements carried out by its subscribers, challenging the ruling by a Virginia federal jury late last year. The court had found Cox Communications guilty and had asked it to pay music publisher BMG Rights Management a sum of $25 in damages. TorrentFreak reports: The verdict was a massive victory for the music company and a disaster for Cox, but the case is not closed yet. After a failed motion for judgment as a matter of law earlier this month, the ISP has now informed the court that it will take the case to the U.S. Court of Appeals for the Fourth Circuit. Cox denies any wrongdoing and hopes to get a judgment in its favor at the appeals court. Considering the gravity of the case, Cox's move is not surprising. The liability verdict has come as a shock to the Internet provider industry, as it suggests that providers have to actively disconnect repeat infringers. At the moment, many ISPs don't have a solid policy in place where repeat copyright infringers lose their subscription. In fact, the law doesn't prescribe when and based on what evidence an ISP has to terminate an account.
Democrats

FBI Finds 14,900 More Documents From Hillary Clinton's Email Server (go.com) 525

An anonymous reader quotes a report from ABC News: The FBI uncovered nearly 15,000 more emails and materials sent to or from Hillary Clinton as part of the agency's investigation into her use of private email at the State Department. The documents were not among the 30,000 work-related emails turned over to the State Department by her attorneys in December 2014. The State Department confirmed it has received "tens of thousands" of personal and work-related email materials -- including the 14,900 emails found by the FBI -- that it will review. At a status hearing Monday before federal Judge Emmett Sullivan, who is overseeing that case, the State Department presented a schedule for how it would release the emails found by the FBI. The first group of 14,900 emails was ordered released, and a status hearing on Sept. 23 "will determine the release of the new emails and documents," Sullivan said. "As we have previously explained, the State Department voluntarily agreed to produce to Judicial Watch any emails sent or received by Secretary Clinton in her official capacity during her tenure as secretary of state which are contained within the material turned over by the FBI and which were not already processed for FOIA by the State Department," said State Department spokesman Mark Toner in a statement issued Monday. "We can confirm that the FBI material includes tens of thousands of non-record (meaning personal) and record materials that will have to be carefully appraised at State," it read. "State has not yet had the opportunity to complete a review of the documents to determine whether they are agency records or if they are duplicative of documents State has already produced through the Freedom of Information Act" said Toner, declining further comment.
Government

Nuclear Waste Accident 2 Years Ago May Cost More Than $2 Billion To Clean Up (arstechnica.com) 20

An anonymous reader writes: The Los Angeles Times is estimating that an explosion that occurred at a New Mexico nuclear waste dumping facility in 2014 could cost upwards of $2 billion to clean up. Construction began on the Waste Isolation Pilot Plant (WIPP) in New Mexico's Carlsbad desert in the 1980s. The site was built to handle transuranic waste from the US' nuclear weapons program. The WIPP had been eyed to receive nuclear waste from commercial power-generating plants as well. According to the LA Times, the 2014 explosion at the WIPP was downplayed by the federal government, with the Department of Energy (DoE) putting out statements indicating that cleanup was progressing quickly. Indeed, a 2015 Recovery Plan insisted that "limited waste disposal operations" would resume in the first quarter of 2016. Instead, two years have passed since the incident without any indication that smaller nuclear waste cleanup programs around the US will be able to deliver their waste to the New Mexico facility any time soon. The 2014 explosion apparently occurred when engineers at the Los Alamos National Laboratory were preparing a drum of plutonium and americium waste -- usually packed with kitty litter (yes, kitty litter) -- and decided to "substitute an organic material for a mineral one."
Businesses

Massachusetts Will Tax Ride-Sharing Companies To Subsidize Taxis (reuters.com) 444

Massachusetts will tax ride-sharing services -- 20 cents for each ride -- with 25% of the money raised going into a special fund for the taxi industry (according to an article shared by schwit1 ). Reuters reports: Ride services are not enthusiastic about the fee. "I don't think we should be in the business of subsidizing potential competitors," said Kirill Evdakov, the chief executive of Fasten, a ride service that launched in Boston last year and also operates in Austin, Texas. Some taxi owners wanted the law to go further, perhaps banning the start-up competitors unless they meet the requirements taxis do, such as regular vehicle inspection by the police...

The fee may raise millions of dollars a year because Lyft and Uber alone have a combined 2.5 million rides per month in Massachusetts... The 5-cent fee will be collected through the end of 2021. Then the taxi subsidy will disappear and the 20 cents will be split by localities and the state for five years. The whole fee will go away at the end of 2026.

Republican Governor Charlie Baker signed the law, which specifically bans ride-sharing services from passing those costs on to their drivers or riders. And the article notes that Taiwan has also hit Uber with a $6.4 million tax bill, while Seattle has passed a new law allowing ride-sharing drivers to unionize.
Education

Four Code Bootcamps Are Now Eligible For Government Financial Aid (hackeducation.com) 85

Long-time Slashdot reader theodp notes a pilot program for improving computer science education which includes financial aid for students at four code bootcamps: In this week's Hack Education Weekly News, Audrey Watters writes, "The US Department of Education has selected eight higher ed institutions and eight 'non-traditional providers' that will work as partners to pilot the DoE's new EQUIP experiment, meaning that students will be able to receive federal financial aid for coding bootcamps, MOOCs, and the like...

"Good thing there haven't been any problems with for-profit higher ed and exploitation of financial aid, otherwise this would all seem like a terrible idea."

The original submission has more details on the participants (including the four code bootcamps). Ultimately the program involves pairing "non-traditional" providers with higher education institutions -- and then monitoring their results with a third-party "quality assurance entity" -- to improve the ways we measure a school's performance, but also testing new ways to fund training for computer careers. (I'm curious how Slashdot's readers feel about government loans for attendees at code bootcamps...)
Government

Group Wants To Shut Down Tor For a Day On September 1 (softpedia.com) 228

An anonymous reader writes: An internal group at the Tor Project is calling for a full 24-hour shutdown of the Tor network to protest the way the Tor Project dealt with the Jake Applebaum sexual misconduct accusations, and because of recent rumors it might be letting former government agents in its ranks. Two Tor members, also node operators, have shut down their servers as well, because of the same reason. They explained their motivations here and here.
"The protesters have made 16 demands," according to the article, six related to related to supposed infiltration of Tor by government agents, and 10 regarding the Appelbaum ruling and investigation -- including "asking all Tor employees that participated in this investigation to leave" and "the persons behind the JacobAppelbaum.net and the @JakeMustDie and @VictimsOfJake Twitter accounts to come forward and their identities made public."
Security

Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com) 57

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.

Similar results were reported in Verizon's 2016 Data Breach Investigations Report.
Government

Will Internet Voting Endanger The Secret Ballot? 219

MIT recently identified the states "at the greatest risk of having their voting process hacked". but added this week that "Maintaining the secrecy of ballots returned via the Internet is 'technologically impossible'..." Long-time Slashdot reader Presto Vivace quotes their article: That's according to a new report from Verified Voting, a group that advocates for transparency and accuracy in elections. A cornerstone of democracy, the secret ballot guards against voter coercion. But "because of current technical challenges and the unique challenge of running public elections, it is impossible to maintain the separation of voters' identities from their votes when Internet voting is used," concludes the report, which was written in collaboration with the Electronic Privacy Information Center and the anticorruption advocacy group Common Cause.
32 states are already offering some form of online voting, apparently prompting the creation of Verified Voting's new site, SecretBallotAtRisk.org.
Security

German Minister Wants Facial Recognition Software At Airports and Train Stations (www.rte.ie) 111

An anonymous Slashdot reader quotes a surprising report from Ireland's National Public Service Broadcaster (based on a report in the German newspaper Bild am Sonntag): Germany's Interior Minister wants to introduce facial recognition software at train stations and airports to help identify terror suspects following two Islamist attacks in the country last month... "Then, if a suspect appears and is recognised, it will show up in the system," he told the paper. He said a similar system was already being tested for unattended luggage, which the camera reports after a certain number of minutes. The article reports that other countries are also considering the technology.
Twitter

Twitter Announces New Blocking and Filtering Features (wired.co.uk) 117

Twitter just began rolling out "new ways to control your experience," promising the two new features "will give you more control over what you see and who you interact with on Twitter." An anonymous Slashdot reader quotes a report from Wired UK: First up, notification settings will allow those using Twitter on the web or on desktop to limit the notifications they receive for @ mentions, RTs, and other interactions to just be from people they follow. The feature can be turned on through the notifications tab. Twitter is also expanding its quality filter -- also accessible through notifications. "When turned on, the filter can improve the quality of Tweets you see by using a variety of signals, such as account origin and behavior," the company's product manager Emil Leong said in a blog post.

In December 2015, the company changed its rules to explicitly ban "hateful conduct" for the first time, while back in February last year, Twitter's then-CEO Dick Costolo admitted the network needed to improve how it handled trolls and abuse. In a leaked memo he said: "I'm frankly ashamed of how poorly we've dealt with this issue during my tenure as CEO. It's absurd. There's no excuse for it. I take full responsibility for not being more aggressive on this front. It's nobody else's fault but mine, and it's embarrassing."

Meanwhile, the Twitter account of Wikipedia co-founder Jimmy Wales was hacked on Saturday.
Piracy

India Threatens 3-Year Jail Sentences For Viewing Blocked Torrents (intoday.in) 95

"It is official now. The punishment for rape is actually less..." writes an anonymous Slashdot reader, who adds that "Some users think that this is all the fault of Bollywood/Hollywood movie studios. They are abusing power, court and money..." India Today reports: The Indian government, with the help of internet service providers, and presumably under directives of court, has banned thousands of websites and URLs in the last five odd years. But until now if you somehow visited these "blocked URLs" all was fine. However, now if you try to visit such URLs and view the information, you may get a three-year jail sentence as well as invite a fine...

This is just for viewing a torrent file, or downloading a file from a host that may have been banned in India, or even for viewing an image on a file host like Imagebam. You don't have to download a torrent file, and then the actual videos or other files, which might have copyright. Just accessing information under a blocked URL will land you in jail and leave your bank account poorer.

While it's not clear how this will be enforced, visiting a blocked URL in India now leads to a warning that "Viewing, downloading, exhibiting or duplicating an illicit copy of the contents under this URL is punishable as an offence under the laws of India, including but not limited to under Sections 63, 63-A, 65 and 65-A of the Copyright Act, 1957 which prescribe imprisonment for 3 years and also fine of up to Rs. 3,00,000..."
AI

Chicago's Experiment In Predictive Policing Isn't Working (theverge.com) 191

The U.S. will phase out private prisons, a move made possible by fewer and shorter sentences for drug offenses, reports the BBC. But when it comes to reducing arrests for violent crimes, police officers in Chicago found themselves resorting ineffectively to a $2 million algorithm which ultimately had them visiting people before any crime had been committed. schwit1 quotes Ars Technica: Struggling to reduce its high murder rate, the city of Chicago has become an incubator for experimental policing techniques. Community policing, stop and frisk, "interruption" tactics --- the city has tried many strategies. Perhaps most controversial and promising has been the city's futuristic "heat list" -- an algorithm-generated list identifying people most likely to be involved in a shooting.

The hope was that the list would allow police to provide social services to people in danger, while also preventing likely shooters from picking up a gun. But a new report from the RAND Corporation shows nothing of the sort has happened. Instead, it indicates that the list is, at best, not even as effective as a most wanted list. At worst, it unnecessarily targets people for police attention, creating a new form of profiling.

The police argue they've updated the algorithm and improved their techniques for using it. But the article notes that the researchers began following the "heat list" when it launched in 2013, and "found that the program has saved no lives at all."
Security

Has WikiLeaks Morphed Into A Malware Hub? (backchannel.com) 125

Slashdot reader mirandakatz writes: In releasing an unredacted database of emails from the Turkish party AKP, WikiLeaks exposed the public to a collection of malware -- and even after a Bulgarian security expert pointed this out publicly, the organization only removed the select pieces of malware that he identified, leaving well over a thousand malicious files on the site.

That AKP leak also included the addresses and other personal details of millions of Turkish women, not unlike the recent DNC leak, which included the personal data of many private individuals. WikiLeaks says this is all in the name of its "accuracy policy," but the organization seems to be increasingly putting the public at risk.

The article opens with the question, "What the hell happened to WikiLeaks?" then argues that "Once an inspiring effort at transparency, WikiLeaks now seems more driven by personal grudges and reckless releases of information..."
Security

New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com) 63

An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.

Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners announcing them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective, and extorting companies, according to CloudFlare.

Crime

Want To Hunt Bank Robbers? There's an App For That, Says The FBI (networkworld.com) 67

Long-time Slashdot reader coondoggie quotes an article from Network World: The FBI today said it released a new application making it easier for the public -- as well as financial institutions, law enforcement agencies, and others -- to view photos and information about bank robberies in different geographic areas of the country.
The FBI's new "Bank Robbers" application runs on both Android and iOS, according to the article, "and lets users sort bank robberies by the date they occurred, the category they fall under (i.e., armed serial bank robber), the FBI field office working the case, or the state where the robbery occurred." The app ties into BankRobbers.fbi.gov, which overlays FBI information about bank robberies onto Google Maps.

The app's users "can also select push notifications to be informed when a bank robbery has taken place near their location," according to the FBI's site, which adds innocently that "If the location services on your device are enabled, you can view a map that shows the relevant bank robberies that took place in your geographic area..."
Businesses

How the H-1B Visa Program Impacts America's Tech Workers (computerworld.com) 332

Computerworld is running an emotional report by their national correspondent Patrick Thibodeau -- complete with a dramatic video -- arguing that America's H-1B Visa program "has also become a way for companies to outsource jobs." An anonymous Slashdot reader quotes the article accompanying the video: The vast majority of people who work in IT did everything right: They invested in their education, studied difficult subjects, kept their skills updated... But no job is safe, no future entirely secure -- something IT workers know more than most. Given their role, they are most often the change agents, the people who deploy technologies and bring in automation that can turn workplaces upside down. To survive, they count on being smart, self-reliant and one step ahead...

Over the years, Computerworld reporter Patrick Thibodeau has interviewed scores of IT workers who trained their visa-holding replacements. Though details each time may differ, they all tell the same basic story. There are many issues around high-skilled immigration, but to grasp the issue fully you need to understand how the H-1B program can affect American workers.

Security

Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com) 179

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.

If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...
Oracle

Oracle Is Funding a New Anti-Google Group (fortune.com) 154

An anonymous reader writes from a report via Fortune: Oracle says it is funding a new non-profit called "Campaign for Accountability," which consists of a campaign called "The Google Transparency Project" that claims to expose criminal behavior carried out by Google. "Oracle is absolutely a contributor (one of many) to the Transparency Project. This is important information for the public to know. It is 100 percent public records and accurate," said Ken Glueck, Senior Vice President of Oracle. Fortune reports: "Oracle's hidden hand is not a huge surprise since the company has a history of sneaky PR tactics, and is still embroiled in a bitter intellectual property lawsuit with Google." One would think Microsoft may be another contributor, but the company said it is not. Daniel Stevens, the deputy director of the CfA, declined to name the group's other donors, or to explain why it does not disclose its funders. Why does this matter? "When wealthy companies or individuals pose as a grass-roots group like the so-called 'campaign for accountability' project, [it] can confuse news and public relations, and foster public cynicism," writes Jeff John Roberts via Fortune.

Slashdot Top Deals