Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Social Networks

Are Your Slack Conversations Really Private and Secure? (fastcompany.com) 61

An anonymous reader writes: "Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property."

The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.

Though Slack has 4 million users, the article points out that there's other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?
Google

Google Releases Open Source File Sharing Project 'Upspin' On GitHub (betanews.com) 58

BrianFagioli quotes a report from BetaNews: Today, Google unveiled yet another way to share files. Called "Upspin," the open source project aims to make sharing easier for home users. With that said, the project does not seem particularly easy to set up or maintain. For example, it uses Unix-like directories and email addresses for permissions. While it may make sense to Google engineers, I am dubious that it will ever be widely used. "Upspin looks a bit like a global file system, but its real contribution is a set of interfaces, protocols, and components from which an information management system can be built, with properties such as security and access control suited to a modern, networked world. Upspin is not an "app" or a web service, but rather a suite of software components, intended to run in the network and on devices connected to it, that together provide a secure, modern information storage and sharing network," says Google. The search giant adds: "Upsin is a layer of infrastructure that other software and services can build on to facilitate secure access and sharing. This is an open source contribution, not a Google product. We have not yet integrated with the Key Transparency server, though we expect to eventually, and for now use a similar technique of securely publishing all key updates. File storage is inherently an archival medium without forward secrecy; loss of the user's encryption keys implies loss of content, though we do provide for key rotation."
Security

Netflix Just Announced a User Focused Security Application (netflix.com) 43

Moving beyond movies and TV shows (and their DVDs), Netflix announced on Tuesday Stethoscope, its "first project following a User Focused Security approach." From a company's blog post: The notion of "User Focused Security" acknowledges that attacks against corporate users (e.g., phishing, malware) are the primary mechanism leading to security incidents and data breaches, and it's one of the core principles driving our approach to corporate information security. [...] Stethoscope is a web application that collects information for a given user's devices and gives them clear and specific recommendations for securing their systems. If we provide employees with focused, actionable information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement. The company says Stethoscope tracks disk encryption, firewall, automatic updates, up-to-date OS/software, screen lock, jailbroken/rooted status, security software stack configurations of the device.
Security

RSA Conference Attendees Get Hacked (esecurityplanet.com) 54

The RSA Conference "is perhaps the world's largest security event, but that doesn't mean that it's necessarily a secure event," reports eSecurityPlanet. Scanning the conference floor revealed rogue access points posing as known and trusted networks, according to security testing vendor Pwnie Express. storagedude writes: What's worse, several attendees fell for these dummy Wi-Fi services that spoof well-known brands like Starbucks. The company also found a number of access points using outdated WEP encryption. So much for security pros...
At least two people stayed connected to a rogue network for more than a day, according to the article, and Pownie Express is reminding these security pros that connecting to a rogue network means "the attacker has full control of all information going into and out of the device, and can deploy various tools to modify or monitor the victim's communication."
Encryption

Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com) 27

An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
Encryption

Republicans Are Reportedly Using a Self-Destructing Message App To Avoid Leaks (theverge.com) 326

An anonymous reader quotes a report from The Verge: Trump administration members and other Republicans are using the encrypted, self-destructing messaging app Confide to keep conversations private in the wake of hacks and leaks, according to Jonathan Swan and David McCabe at Axios. Axios writes that "numerous senior GOP operatives and several members of the Trump administration" have downloaded Confide, which automatically wipes messages after they're read. One operative told Axios that the app "provides some cover" for people in the party. He ties it to last year's hack of the Democratic National Committee, which led to huge and damaging information dumps of DNC emails leading up to the 2016 election. But besides outright hacks, the source also said he liked the fact that Confide makes it difficult to screenshot messages, because only a few words are shown at a time. That suggests that it's useful not just for reducing paper trails, but for stopping insiders from preserving individual messages -- especially given the steady flow of leaks that have come out since Trump took office. As Axios notes, official White House business is subject to preservation rules, although we don't know much about who's allegedly using Confide and what they're doing with it, so it's not clear whether this might run afoul of those laws. It's also difficult to say how much this is a specifically Republican phenomenon, and how much is a general move toward encryption.
Privacy

72% of 'Anonymous' Browsing History Can Be Attached To the Real User (thestack.com) 67

An anonymous reader quotes a report from The Stack: Researchers at Stanford and Princeton have succeeded in identifying 70% of web users by comparing their web-browsing history to publicly available information on social networks. The study "De-anonymizing Web Browsing Data with Social Networks" [PDF] found that it was possible to reattach identities to 374 sets of apparently anonymous browsing histories simply by following the connections between links shared on Twitter feeds and the likelihood that a user would favor personal recommendations over abstract web browsing. The test subjects were provided with a Chrome extension that extracted their browsing history; the researchers then used Twitter's proprietary URL-shortening protocol to identify t.co links. 81% of the top 15 results of each enquiry run through the de-anonymization program contained the correct re-identified user -- and 72% of the results identified the user in first place. Ultimately the trail only leads as far as a Twitter user ID, and if a user is pseudonymous, further action would need to be taken to affirm their real identity. Using https connections and VPN services can limit exposure to such re-identification attempts, though the first method does not mask the base URL of the site being connected to, and the second does not prevent the tracking cookies and other tracking methods which can provide a continuous browsing history. Additionally UTM codes in URLs offer the possibility of re-identification even where encryption is present. Further reading available via The Atlantic.
Social Networks

Kaspersky Lab Promises New Backup Tool To Help Unhappy Social Media Users Quit (kaspersky.com) 54

Kaspersky Lab surveyed 16,750 people and concluded that often negative experiences on social experience overpower their positive effects -- and they're doing something about it. JustAnotherOldGuy pointed us to their latest announcement. 59% have felt unhappy when they have seen friends' posts from a party they were not invited to, and 45% revealed that their friends' happy holiday pictures have had a negative influence on them. Furthermore, 37% also admitted that looking at past happy posts of their own can leave them with the feeling that their own past was better than their present life. Previous research has also demonstrated peoples' frustration with social media as 78% admitted that they have considered leaving social networks altogether. The only thing that makes people stay on social media is the fear of losing their digital memories, such as photos, and contacts with their friends.

To help people decide more freely if they want to stay in social media or leave without losing their digital memories, Kaspersky Lab is developing a new app -- FFForget will allow people to back up all of their memories from the social networks they use and keep them in a safe, encrypted memory container and will give people the freedom to leave any network whenever they want, without losing what belongs to them -- their digital lives.

The FFForget app will be released in 2017, but there's already a web page where you can sign up for early access. Kaspersky plans to monetize this by creating both a free version of the app -- limited to one social network -- and a $1.99-per-month version which automatically backs up social content from Facebook, Google, Twitter, and Instagram in real-time with a fancier interface and more powerful encryption.
Facebook

Facebook's New Tool Looks To Replace Traditional Two-Factor Authentication (thenextweb.com) 75

Facebook today unveiled a new feature to let its 1.79 billion users reset passwords for other websites using its platform, an effort to further entrench the social network in people's digital lives. From a report: Delegated Recovery, as it's being called, looks to be a step forward for those afraid of losing their devices when using two-factor authentication (2FA) -- which, should be most of us. The security feature addresses the common concern of losing the device tied to your account. With Delegated Recovery, Facebook lets users set up an encrypted recovery token for sites like GitHub, and stores it at Facebook. If you lose the login information for GitHub, you'd simply log in to Facebook and send the stored token to the site to prove your identity and regain access. The token is encrypted, and Facebook can't access the information stored on it. Facebook also promises not to share it with third-party websites (aside from those you authorize).
Iphone

iPhone 7 Ousts Samsung Galaxy Note 4 As 'Device of Choice' For UK Defense Officials (thestack.com) 55

An anonymous reader quotes a report from The Stack: Apple is to offer its iPhone 7 as the "device of choice" for the UK military's secure communications. British telecom giant BT is said to be hardening the Apple device in order for it to be able to handle the Ministry of Defense's military communications, including state secrets and highly-sensitive data. While BT has not provided further details on the development, due to security reasons, the telco is reportedly in the process of upgrading the iPhone 7 to support various modes of operation and to add secure apps or "storage containers," as well as military-grade encryption features among other enhancements. The iPhone 7 will now replace Samsung's Galaxy Note 4 smartphone, which was originally selected for the project, as security in the Samsung model was found to be inadequate.
Australia

Australia Plans Biometric Border Control (bbc.com) 94

The Australian government is planning to allow 90% of travellers to pass through passport control without human help by 2020. From a report: With a $100m budget, it has begun the search for technology companies that could provide biometric systems, such as facial, iris and fingerprint recognition. Head of border security John Coyne said it could be a "world first." But critics have questioned the privacy implications of such a system. "Biometrics are now going in leaps and bounds, and our ability to harness the power of big data is increasing exponentially," Mr Coyne told the Sydney Morning Herald. The department of border security hopes to pilot the "Seamless Traveller" project in Canberra this summer, with rollout to larger airports scheduled to be completed by spring 2019.
Electronic Frontier Foundation

Three States Propose DMCA-Countering 'Right To Repair' Laws (ifixit.org) 225

Automakers are using the Digital Millennium Copyright Act to shut down tools used by car mechanics -- but three states are trying to stop them. An anonymous reader quotes IFixIt.Org: in 2014, Ford sued Autel for making a tool that diagnoses car trouble and tells you what part fixes it. Autel decrypted a list of Ford car parts, which wound up in their diagnostic tool. Ford claimed that the parts list was protected under copyright (even though data isn't creative work) -- and cracking the encryption violated the DMCA. The case is still making its way through the courts. But this much is clear: Ford didn't like Autel's competing tool, and they don't mind wielding the DMCA to shut the company down...

Thankfully, voters are stepping up to protect American jobs. Just last week, at the behest of constituents, three states -- Nebraska, Minnesota, and New York -- introduced Right to Repair legislation (more states will follow). These 'Fair Repair' laws would require manufacturers to provide service information and sell repair parts to owners and independent repair shops.

Activist groups like the EFF and Repair.org want to "ensure that repair people aren't marked as criminals under the DMCA," according to the site, arguing that we're heading towards a future with many more gadgets to fix. "But we'll have to fix copyright law first."
Encryption

Lavabit Is Relaunching (theintercept.com) 54

The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year. The Intercept provides some backstory in its report: In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.
Security

ProtonMail Adds Tor Onion Site To Fight Risk Of State Censorship (techcrunch.com) 26

ProtonMail now has a home on the dark web. The encrypted email provider announced Thursday it will allow its users to access the site through the Tor anonymity service. From a report: Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network -- in what it describes as an active measure aimed at defending against state-sponsored censorship. The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it's worried about an increased risk of state-level blocking of pro-privacy tools -- pointing to recent moves such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products. The service also saw a bump in sign ups after the election of Donald Trump as US president, last fall -- with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief's expansive digital surveillance powers.
Privacy

Tor Onion Browser's Creator Explains Free Version For iOS (mike.tig.as) 26

The free iOS version of the Tor browser "sparked a tidal wave of interest" after its release in December, according to Silicon.co. Mickeycaskill writes: The cost has been scrapped due to developer Mike Tigas' worries that the price was limiting access to anonymous browsing for those who need it most. "Given recent events, many believe it's more important than ever to exercise and support freedom of speech, privacy rights, and digital security," Tigas wrote in a blog post. "I think now is as good a time as ever to make Onion Browser more accessible to everyone."
"I'm still a little terrified that I've made this change," Tigas adds. For four years the Tor Onion browser was available on the Apple App Store for $0.99, the lowest non-free price allowed by Apple, providing a "reliable" income to Tigas which helped him move to New York for a new job while allowing him "the economic freedom to continue working on side projects that have a positive impact in the world." Tigas also writes that "there's now a Patreon page and other ways to support the project."

Last month the Tor Project also released the first alpha version of the sandboxed Tor Browser.
Security

Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) 114

William Turton, writing for Gizmodo: This morning, the Guardian published a story with an alarming headline: "WhatsApp backdoor allows snooping on encrypted messages." If true, this would have massive implications for the security and privacy of WhatsApp's one-billion-plus users. Fortunately, there's no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian's story is a "major league fuckwittage." [...] Fredric Jacobs, who was the iOS developer at Open Whisper Systems, the collective that designed and maintains the Signal encryption protocol, and who most recently worked at Apple, said, "Nothing new. Of course, if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications." "I characterize the threat posed by such reportage as being fear and uncertainty and doubt on an 'anti-vaccination' scale," Muffett, who previously worked on Facebook's engineering security infrastructure team, told Gizmodo. "It is not a bug, it is working as designed and someone is saying it's a 'flaw' and pretending it is earth shattering when in fact it is ignorable." The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do. "There's a feature in WhatsApp that -- when you swap phones, get a new phone, factory reset, whatever -- when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone," Muffett told Gizmodo. Other security experts and journalists have also criticized The Guardian's story.
Bug

Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com) 33

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.
Bitcoin

Bitcoin Was 2016's Best-Performing Currency (newsweek.com) 104

The co-founder of Blockchain published an opinion piece in Newsweek today mocking predictions about the death of bitcoin, saying "each is more wrong than the last... Bitcoin was again declared the world's best performing currency in 2016 by Bloomberg. In fact, it's held that title every year since 2010, with the notable exception of 2014, when it was the worst." An anonymous reader writes: Bitcoin president Nicolas Cary writes that bitcoin has become more stable than many of the world's top currencies, while the British pound "has dropped by more than 17% in a colossal collapse of confidence... In Africa, the Egyptian pound dropped 59% and the Nigerian naira fell 37%. In South America, the Argentine peso plummeted over 17% and the Venezuelan bolivar tumbled so far off a cliff it's difficult to measure -- even bricks of cash are worthless for everyday purchases there. Perhaps most dramatically of all, India, the world's second most populated country, introduced a stunning policy of demonetization declaring banknotes illegal overnight...

"During this time period, and partially in response to it, the price of bitcoin surged... Bitcoin also trounced the stock market from a performance perspective. Brand names like McDonald's, Home Depot and Disney grew at a paltry 1.6% or less; bitcoin outpaced them by over 70 times."

In 2009 one man in Norway bought $27 worth of bitcoin while writing a thesis on encryption, then forgot about them. Six years later, he discovered they were worth nearly $500,000.
Encryption

Koolova Ransomware Decrypts For Free If You Read Two Articles About Ransomware (bleepingcomputer.com) 80

An anonymous reader quotes a report from BleepingComputer: We have a new in-development variant of the Koolova Ransomware that will decrypt your files for free if you educate yourself about ransomware by reading two articles. Discovered by security researcher Michael Gillespie, this in-development ransomware is not ready for prime time. In fact, I had to mess with it a bit and setup a local http server to even get it to display the ransom screen. In its functional state, Koolova will encrypt a victim's files and then display a screen similar to the Jigsaw Ransomware where the text is slowly shown on the screen. This text will tell the victim that they must read two articles before they can get a decryption key. It then tells you that if you are too lazy to read two articles before the countdown gets to zero, like Jigsaw, it will delete the encrypted files. This is not an idle threat as it actually does delete the files. The articles that Koolova wants you to read are an article from Google Security Blog called Stay safe while browsing and BleepingComputer's very own Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom article. Once you read both articles, the Decripta i Miei File, or Decrypt My Files, button becomes available. Once you click on this button, Koolova will connect to the Command and Control server and retrieve the victim's decryption key. It will then display it in a message box labeled "Nice Jigsaw," in reference to the Jigsaw Ransomware, that displays your decryption key. A victim will then be able to take that key and enter it into the key field in order to decrypt files.
Electronic Frontier Foundation

2016 Saw A Massive Increase In Encrypted Web Traffic (eff.org) 91

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.

Slashdot Top Deals