An anonymous reader writes "Peter Eckersley at the EFF reports that the 'App Ops' privacy feature added to Android in 4.3 has been removed as of 4.4.2. The feature allowed users to easily manage the permission settings for installed apps. Thus, users could enjoy the features of whatever app they liked, while preventing the app from, for example, reporting location data. Eckersley writes, 'When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it. We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it.1 The disappearance of App Ops is alarming news for Android users. The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.'"
Check out SlashCloud for the latest in cloud computing.
An anonymous reader writes "Wired reports that the chat logs between Bradley Manning and Julian Assange that were used as evidence in Manning's trial have made it onto the web, at least briefly. One of those logs contained something very interesting on page 4, which was picked up on by the News of Iceland, which reports, '"Jesus Christ. I think that we have recordings of all phone calls to and from the Icelandic parliament during the past four months". This text can be found in documents that the US military published on its website and is said to be part of the conversations between Julian Assange and Bradley Manning. According to the documents, Assange claims to have phone call recordings from Althingi, the Icelandic parliament, but this is the first time that the existence of such data is mentioned publicly. ... According to Icelandic laws, it is required to inform the person you are speaking with if the phone call is being recorded. Given that the parliament is not violating laws it is clear that Assange or his associates would have to have installed recording devices or wiretaps in the parliament.' — What makes it even more interesting is that Wired also reports in this recent story: Someone's Been Siphoning Data Through a Huge Security Hole in the Internet."
codeusirae writes "A study by Incapsula suggests 61.5% of all website traffic is now generated by bots. The security firm said that was a 21% rise on last year's figure of 51%. From the article: 'Some of these automated software tools are malicious - stealing data or posting ads for scams in comment sections. But the firm said the biggest growth in traffic was for 'good' bots. These are tools used by search engines to crawl websites in order to index their content, by analytics companies to provide feedback about how a site is performing, and by others to carry out other specific tasks - such as helping the Internet Archive preserve content before it is deleted.'"
Frequent contributor Bennett Haselton writes: "Google has fixed a vulnerability, first discovered by researcher Gergely Kalman, which let users search for credit card numbers by using hex number ranges. However, Google should have acknowledged or at least responded to the original bug finder (and possibly even paid him a bounty for it), and should have been more transparent about the process in general." Read on for the rest of the story.
First time accepted submitter LibbyMC writes "Google's approach to bringing older C software to the browser is demonstrated in bringing the '80s-era AmigaOS to Chrome. 'The Native Client technology runs software written to run on a particular processor at close to the speeds that native software runs. The approach gives software more direct access to a computer's hardware , but it also adds security restrictions to prevent people from downloading malware from the Web that would take advantage of that power.'" Chrome users can go straight to the demo.
An anonymous reader writes "A New Zealand backpacker stripped of all electrical equipment at Auckland airport suggests attending a London talk on cyber-security following the Edward Snowden leaks may be to blame. Samuel Blackman was returning home for Christmas on 11 December from London Heathrow to Auckland via San Francisco when a customs officer at his final destination took the law graduate's two smartphones, iPad, external hard drive and laptop, demanding the passwords for all devices." For a quieter version, see also The New Zealand Herald.
wiredmikey writes "Business for Switzerland's 55 data centers is booming. They benefit from the Swiss reputation for security and stability, and some predict the nation already famous for its super-safe banks will soon also be known as the world's data vault. For example, housed in one of Switzerland's numerous deserted Cold War-era army barracks, one high-tech data center is hidden behind four-ton steel doors built to withstand a nuclear attack — plus biometric scanners and an armed guard. Such tight security is in growing demand in a world shaking from repeated leaks scandals and fears of spies lurking behind every byte."
New submitter srobert writes "An article at Ars Technica explains how, following stories of NSA leaks, FreeBSD developers will not rely solely on Intel's or Via's chip-based random number generators for /dev/random values. The values will first be seeded through another randomization algorithm known as 'Yarrow.' The changes are effective with the upcoming FreeBSD 10.0 (for which the first of three planned release candidates became available last week)."
First time accepted submitter ConstantineM writes "Inspired by a recent Google initiative to adopt ChaCha20 and Poly1305 for TLS, OpenSSH developer Damien Miller has added a similar protocol to ssh, email@example.com, which is based on D. J. Bernstein algorithms that are specifically optimised to provide the highest security at the lowest computational cost, and not require any special hardware at doing so. Some further details are in his blog, and at undeadly. The source code of the protocol is remarkably simple — less than 100 lines of code!"
alphatel writes "The Swedish company Resarchgruppen has discovered a flaw in the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate speech-sites."
Hugh Pickens DOT Com writes "For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them. Now the Washington Post reports that the NSA secretly piggybacks on the tools that enable Internet advertisers to track consumers, using 'cookies' and location data to pinpoint targets for government hacking and to bolster surveillance. The agency uses a part of a Google-specific tracking mechanism known as the 'PREF' cookie to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer. 'On a macro level, "we need to track everyone everywhere for advertising" translates into "the government being able to track everyone everywhere,"' says Chris Hoofnagle. 'It's hard to avoid.' Documents reviewed by the Post indicate cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. Google declined to comment for the article, but chief executive Larry Page joined the leaders of other technology companies earlier this week in calling for an end to bulk collection of user data and for new limits on court-approved surveillance requests."
MightyMait writes "There's a plan underway to build a space agency run by African nations, and there is a (non-fictional) George Clooney connection. This BBC article details the history of space exploration in Africa as well as current efforts. Quoting: 'To Western eyes, it may seem rather inappropriate to launch space programs in sub-Saharan Africa, where nearly 70% of the population still lives on less $2 a day. Yet Joseph Akinyede, director of the African Regional Center for Space Science and Technology Education in Nigeria, an education center affiliated with the United Nations Office for Outer Space Affairs, says that the application of space science technology and research to "basic necessities" of life – health, education, energy, food security, environmental management – is critical for the development of the continent.'"
New submitter fierman writes "In a work to be presented at the Network and Distributed System Security Symposium (ISOC NDSS'14), INRIA researchers show the privacy risks of Real-Time Bidding (PDF) and High-Frequency Trading for selling advertisement spaces. Combining Real-Time Bidding and Cookie Matching, advertisers can significantly improve their tracking and profiling capabilities. Both technologies are already prevalent on the Web. The research discusses the value of users' private data (browsing history) retrieved directly from the advertisers, leveraging an exposed information leak in RTB systems. Advertisers will pay about $0.0005 to display a targeted ad to a single user, while at the same time acquiring information about them. The research also shows evidence of price variation with users' profiles, physical location, time of day and content of visited sites."
An anonymous reader writes with news that even Canada is getting its hands dirty in the international dragnet fiasco. From the article: "The leaked NSA document being reported exclusively by CBC News reveals Canada is involved with the huge American intelligence agency in clandestine surveillance activities in 'approximately 20 high-priority countries.' ... Wesley Wark, a Canadian security and intelligence expert at the University of Ottawa, says the document makes it clear Canada can take advantage of its relatively benign image internationally to covertly amass a vast amount of information abroad. 'I think we still trade on a degree of an international brand as an innocent partner in the international sphere,' Wark said. 'There's not that much known about Canadian intelligence.'"
sfcrazy writes "People are now more concerned regarding their privacy after discovering about efforts made by governments to spy on their communications. The most practical solution to keep messages, emails and calls secure is to use a cryptographic encryption mechanism. However, just like the name of the method, the installation process is complex for most users. To solve this, CyanogenMod will come equipped with built in encryption system for text messages." Whisper System has integrated their TextSecure protocol into the SMS/MMS provider, so even third party sms apps benefit. Better yet, it's Free Software, licensed under the GPLv3+. Support will debut in Cyanogenmod 11, but you can grab a 10.2 nightly build to try it out now.
An anonymous reader writes in with news that some NSA agents were trying to dig up info by joining the horde. "To the National Security Agency analyst writing a briefing to his superiors, the situation was clear: their current surveillance efforts were lacking something. The agency's impressive arsenal of cable taps and sophisticated hacking attacks was not enough. What it really needed was a horde of undercover Orcs. That vision of spycraft sparked a concerted drive by the NSA and its UK sister agency GCHQ to infiltrate the massive communities playing online games, according to secret documents disclosed by whistleblower Edward Snowden.....The agencies, the documents show, have built mass-collection capabilities against the Xbox Live console network, which has more than 48 million players. Real-life agents have been deployed into virtual realms, from those Orc hordes in World of Warcraft to the human avatars of Second Life. There were attempts, too, to recruit potential informants from the games' tech-friendly users."
Hugh Pickens DOT Com writes "Ellen Nakashima reports at the Washington Post that morale has taken a hit at the National Security Agency in the wake of controversy over the agency's surveillance activities and officials are dismayed that President Obama has not visited the agency to show his support. 'It is not clear whether or when Obama might travel the 23 miles up the Baltimore-Washington Parkway to visit Fort Meade, the NSA's headquarters in Maryland,' writes Nakashima, 'but agency employees are privately voicing frustration at what they perceive as White House ambivalence amid the pounding the agency has taken from critics.' Though Obama has asserted that the NSA's collection of virtually all Americans' phone records is lawful and has saved lives, the administration has not endorsed legislation that would codify it. And his recent statements suggest Obama thinks some of the NSA's activities should be constrained. 'The agency, from top to bottom, leadership to rank and file, feels that it is had no support from the White House even though it's been carrying out publicly approved intelligence missions,' says Joel Brenner, NSA inspector general from 2002 to 2006. 'They feel they've been hung out to dry, and they're right.' Former officials note how President George W. Bush paid a visit to the NSA in January 2006, in the wake of revelations by the New York Times that the agency engaged in a counterterrorism program of warrantless surveillance on U.S. soil beginning after the Sept. 11, 2001, terrorist attacks. 'Bush came out and spoke to the workforce, and the effect on morale was tremendous,' Brenner said. 'There's been nothing like that from this White House.' Morale is 'bad overall' says another former NSA official. 'It's become very public and very personal. Literally, neighbors are asking people, 'Why are you spying on Grandma?'"
An anonymous reader writes "The Hackaday writer Mathieu Stephan (alias limpkin) has just launched a new open source/hardware project together with the Hackaday community. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating long and complex random passwords for the different websites people use daily. It consists of a main device where users' credentials are encrypted, and a PIN locked smartcard containing the encryption key. Simply visit a website and the device will ask for confirmation to enter your credentials when you need to login. All development steps will be documented and all resources available for review."
tsu doh nimh writes "In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as 'Paunch,' the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: 'The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunchâ(TM)s customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.'"
An anonymous reader writes "Michael Nielsen has written a detailed article describing the nuts and bolts of a Bitcoin transaction. He builds the concepts from the ground up, starting with a basic, no-frills digital currency. He then examines it for flaws and tweaks the currency to patch up areas where we run into technical or security problems. Eventually, he ends up with Bitcoin, and explains how a transaction works. It's an interesting, technical read; much more in-depth than any explanation I've heard. Here's a brief snippet from a walkthrough of the transaction data: 'One thing to note about the input is that there's nothing explicitly specifying how many bitcoins from the previous transaction should be spent in this transaction. In fact, all the bitcoins from the n=0th output of the previous transaction are spent. So, for example, if the n=0th output of the earlier transaction was 2 bitcoins, then 2 bitcoins will be spent in this transaction. This seems like an inconvenient restriction – like trying to buy bread with a 20 dollar note, and not being able to break the note down. The solution, of course, is to have a mechanism for providing change. This can be done using transactions with multiple inputs and outputs...'" Bitcoin is going through another period of heavy fluctuation: it fell from a high of around $1,200 per bitcoin to roughly half that, and as of this writing trades around $760 per bitcoin.