Techmeology writes "In response to declining utility of CALEA mandated wiretapping backdoors due to more widespread use of cryptography, the FBI is considering a revamped version that would mandate wiretapping facilities in end users' computers and software. Critics have argued that this would be bad for security (PDF), as such systems must be more complex and thus harder to secure. CALEA has also enabled criminals to wiretap conversations by hacking the infrastructure used by the authorities. I wonder how this could ever be implemented in FOSS."

msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."

An anonymous reader writes "The Australian government has secretly censored over 1,000 web sites through a hitherto-unused internet censorship law. In April the Melbourne Free University was blocked without any explanation. Section 313 of the Telecommunications Act allows the government to close web sites without warning to "uphold laws, protect public revenue and safeguard national security". This is open to abuse as Australians only have limited free speech rights which already make it difficult for the press to report corruption."

Today eight members of the U.S. Congress have sent a letter to Google's Larry Page, asking him to address a number of privacy concerns about Google Glass. In the letter (PDF), they brought up the company's notorious Street View data collection incident, and asked how the company was planning to avoid a similar privacy breach with Glass. They also ask how Google is going to build Glass to protect the privacy of non-users who may not want their every public move to be recorded. Further, they ask about the security of recordings once they are made: "Will Google Glass have the capacity to store any data on the device itself? If so, will Google Glass implement some sort of user authentication system to safeguard stored data? If not, why not?" Google has until July 14th to respond.

hypnosec writes "Mozilla is not going ahead with its plans to block third-party cookies by default in the Beta version of its upcoming Firefox 22. Mozilla needs more time to analyze the outcome of blocking these cookies. The non-profit organization released Firefox Aurora on April 5 with a patch by Jonathan Mayer built into it which would only allow cookies from those websites which the user has visited. The patch would block the ones from sites which hadn't been visited yet. The reason for Mozilla's change in plans is that they're currently looking into 'false positives.' If a user visits one part of a group of site, cookies from that part will be allowed, but cookies from related sites in the group may be blocked, and they're worried it will create a poor user experience. On the other side of the coin, there are 'false negatives.' Just because a user may have visited a particular site doesn't mean she is comfortable with the idea of being tracked."

msm1267 writes "Conpot, short for Control Honeypot, is one of the first publicly available honeypots for industrial control systems (ICS) and SCADA gear. Built by two researchers from the Honeynet Project, the hope is that others will take what they started, deploy it on their own critical infrastructure networks and share the findings. 'The main goal is to make this kind of technology available for a general audience,' said Lukas Rist, one of the developers. 'Not just for security researchers, but also for people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger.'" Unlike previous ICS Honeypots, this one simulates the control systems rather than requiring that you happen to own an actual industrial control system.

An anonymous reader writes "Andy Oram reports on the quality, security, and community driving open source adoption. 'All too often, the main force uniting competitors is the fear of another vendor and the realization that they can never beat a dominant vendor on its own turf. Open source becomes a way of changing the rules out from under the dominant player. OpenStack, for instance, took on VMware in the virtualization space and Amazon.com in the IaaS space. Android attracted phone manufacturers and telephone companies as a reaction to the iPhone.'"

Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.

msm1267 writes "There are a lot of echoes of the disclosure debate in the current discussions about vulnerability exploit sales. The commercial exploit market has developed relatively quickly, at least the public portion of it. Researchers have been selling vulnerabilities to a variety of buyers – government agencies, contractors, other researchers and third-party brokers – for years. But it was done mostly under cover of darkness. Now, although the transactions themselves are still private, the fact that they're happening, and who's buying (and in some cases, selling) is out in the open. As with the disclosure debate, there are intelligent people lining up on both sides of the aisle and the discussion is generating an unprecedented level of malice."

wiredmikey tips this AFP report: "Russia on Tuesday said it had detained an alleged American CIA agent working undercover at the U.S. embassy who was discovered with a large stash of money as he was trying to recruit a Russian intelligence officer. Russia's Federal Security Service (FSB, ex-KGB) identified the man as Ryan C. Fogle — third secretary of the political section of Washington's embassy in Moscow — and said he had been handed back to the embassy after his detention. Photographs published show his alleged espionage equipment including wigs, a compass, torch and even a mundane atlas of Moscow as well as a somewhat old fashioned mobile phone. Russia's Federal Security Service (FSB) said Fogle was carrying 'special technical equipment, written instructions for recruiting a Russian citizen, a large sum of money and means for changing a person's appearance.' The FSB also said the U.S. intelligence service has made repeated attempts to recruit the staff of Russian law enforcement agencies and special services. The incident comes amid a new chill in Russian-U.S. relations sparked by the Syrian crisis and concern in Washington over what it sees as President Vladimir Putin's crackdown on human rights."

An anonymous reader sends this excerpt from BetaBeat: "The Department of Homeland Security appears to have shut down the ability to use Dwolla, a mobile payment service, to withdraw and deposit money into Mt. Gox, a Bitcoin trading platform. ... A representative for Dwolla told Betabeat that the company is 'not party' to this matter and encourages those with questions to reach out to Mt. Gox or the DHS. 'The Department of Homeland Security and U.S. District Court for the District of Maryland issued a 'Seizure Warrant' for the funds associated with Mutum Sigillium's Dwolla account (a.k.a. Mt. Gox),' he said. 'In light of the court order, procured by the Department of Homeland Security, Dwolla has ceased all account activities associated with Dwolla services for Mutum Sigillum while Dwolla's holding partner transferred Mutum Sigillium's balance, per the warrant.'"

An anonymous reader writes "A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs."

An anonymous reader sent in this excerpt from Moxie Marlinspike's weblog: "Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they're working on in that country. Having published two reasonably popular MITM tools, it's not uncommon for me to get emails requesting that I help people with their interception projects. I typically don't respond, but this one (an email titled 'Solution for monitoring encrypted data on telecom') caught my eye. ... The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup. ... When they eventually asked me for a price quote, and I indicated that I wasn't interested in the job for privacy reasons, they responded with this: ' I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that's why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.'"

mask.of.sanity writes "While Hollywood often fails to portray hacking, one researcher has made the art of exploitation look more like the big screen. Kinectasploit is hacking in the form of a first-person shooter that melds Microsoft's Kinect controls with 20 hacking tools including Metasploit, Snort, Nessus, John the Ripper and Ettercap. The work in progress can be downloaded from github."

Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."

First time accepted submitter llebeel writes "Kaspersky Lab has signed an agreement with chip designer Qualcomm to improve security at 'the lower level' of a smartphone's mobile operating system. The Russian security firm told The Inquirer that it has agreed to offer 'special terms' for preloading Kaspersky Mobile Security and Kaspersky Tablet Security products on Android devices powered by Qualcomm Snapdragon processors."

bennyboy64 writes "An Australian university appears to be excelling at cultivating some of Australia's best computer hackers. Following the University of NSW's students recently placing first, second and third in a hacking war game (the first place winners also won first place last year), The Sydney Morning Herald reports on what exactly about the NSW institution is breeding some of Australia's best hackers. It finds that a lecturer and mentor to the students with controversial views on responsible disclosure appears to the be the reason for their success."

An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"

New submitter mha writes "In a response that truly seems to be from a core Microsoft developer, we are told about why Windows kernel development continues to fall further and further behind that of the Linux kernel. He says, 'The cause of the problem is social. There's almost none of the improvement for its own sake, for the sake of glory, that you see in the Linux world. ... There's no formal or informal program of systemic performance improvement. We started caring about security because pre-SP3 Windows XP was an existential threat to the business. Our low performance is not an existential threat to the business. See, component owners are generally openly hostile to outside patches: if you're a dev, accepting an outside patch makes your lead angry (due to the need to maintain this patch and to justify in in shiproom the unplanned design change), makes test angry (because test is on the hook for making sure the change doesn't break anything, and you just made work for them), and PM is angry (due to the schedule implications of code churn). There's just no incentive to accept changes from outside your own team. You can always find a reason to say "no," and you have very little incentive to say "yes."'"

Mobile photo-sharing app SnapChat has one claim to fame, compared to other ways people might share photos from their cellphones: the photos, once viewed, disappear from view, after a pre-set length of time. However, it turns out they don't disappear as thoroughly as users might like. New submitter nefus writes with this excerpt from Forbes: "Richard Hickman of Decipher Forensics found that it's possible to pull Snapchat photos from Android phones simply by downloading data from the phone using forensics software and removing a '.NoMedia' file extension that was keeping the photos from being viewed on the device. He published his findings online and local TV station KSL has a video showing how it's done."