By BeauHD from Slashdot's insecure-home-automation-deployment department
jones_supa writes: The hotel in which Matthew Garrett was staying had decided that light switches are unfashionable and replaced them with a series of Android tablets. In his tour of the system, one was quickly met with a glitch message "UK_bathroom isn't responding." Anyway, two of the tablets had convenient-looking ethernet cables plugged into the wall, so MacGyver began hacking. He managed to borrow a couple of USB ethernet adapters, set up a transparent bridge and then stick his laptop between the tablet and the wall. Tcpdump showed traffic, and Wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and does not implement authentication. The Pymodbus tool could be used to control lights, turn the TV on/off, and even close and open the curtains. Then he noticed something. His room number was 714. The IP address he was communicating with was 172.16.207.14. They wouldn't, would they? Indeed, he could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that he could control them as well.
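The story turns on two properties of Modbus/TCP: the framing is simple enough to decode by hand, and nothing in the protocol says who is allowed to write a coil or register. The example below is added here to illustrate that from the monitoring side; it is not code from Matthew Garrett's write-up or from Pymodbus. It decodes the 7-byte MBAP header and the function code of each request, then flags any state-changing request whose source is not on an allowlist of expected controllers, plus any frame that breaks the framing rules. The IP addresses, the allowlist and the sample frames are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Standard Modbus public function codes. Only the write codes change device state,
# which is what a network monitor for a building-control segment cares about.
READ_FUNCTIONS = {
    0x01: "read_coils",
    0x02: "read_discrete_inputs",
    0x03: "read_holding_registers",
    0x04: "read_input_registers",
}
WRITE_FUNCTIONS = {
    0x05: "write_single_coil",
    0x06: "write_single_register",
    0x0F: "write_multiple_coils",
    0x10: "write_multiple_registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    name: str
    address: int      # starting coil/register address carried in the PDU
    is_write: bool


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request ADU (MBAP header followed by the PDU).

    Raises ValueError for frames that violate the framing rules so that a
    monitor can report malformed traffic instead of silently skipping it.
    """
    if len(payload) < MBAP_LEN + 3:  # function code plus a 2-byte address at minimum
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id and the PDU, i.e. everything
    # after the first six bytes of the frame.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(payload) - 6}")
    fc = payload[MBAP_LEN]
    if fc & 0x80:
        raise ValueError("exception response, not a request")
    name = READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc)
    if name is None:
        raise ValueError(f"unsupported function code 0x{fc:02x}")
    (address,) = struct.unpack(">H", payload[MBAP_LEN + 1:MBAP_LEN + 3])
    return ModbusRequest(tid, unit, fc, name, address, fc in WRITE_FUNCTIONS)


def audit(events, allowed_writers):
    """Flag writes from sources that are not expected controllers, and bad frames.

    events: iterable of (src_ip, dst_ip, payload) tuples as a capture tool
    would hand them over. Returns a list of (src_ip, dst_ip, reason) tuples.
    """
    alerts = []
    for src, dst, payload in events:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed: {exc}"))
            continue
        if req.is_write and src not in allowed_writers:
            alerts.append((src, dst, f"unauthorised {req.name} unit={req.unit_id} addr={req.address}"))
    return alerts


# Constructed addresses for the demonstration (hypothetical, not from the story).
ROOM_TABLET = "10.20.7.14"   # the tablet that is supposed to drive the room
ROGUE_HOST = "10.20.7.99"    # something else that appeared on the segment
CONTROLLER = "10.20.0.7"     # the Modbus server for the floor

# Constructed sample frames: tid, proto=0, length, unit, function code, data.
SAMPLE_EVENTS = [
    # write single coil 1 ON, from the expected tablet: fine
    (ROOM_TABLET, CONTROLLER, bytes.fromhex("0001 0000 0006 01 05 0001 ff00")),
    # read 8 coils from address 0, from the rogue host: a read, not flagged here
    (ROGUE_HOST, CONTROLLER, bytes.fromhex("0002 0000 0006 01 01 0000 0008")),
    # write one holding register at address 16, from the rogue host: flagged
    (ROGUE_HOST, CONTROLLER, bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 0001")),
    # truncated frame: flagged as malformed
    (ROGUE_HOST, CONTROLLER, bytes.fromhex("0004 0000")),
]


def demo():
    return audit(SAMPLE_EVENTS, allowed_writers={ROOM_TABLET})


if __name__ == "__main__":
    for src, dst, reason in demo():
        print(f"{src} -> {dst}: {reason}")
```

Because Modbus itself carries no identity, the allowlist is the only thing distinguishing a legitimate controller from any other host on the segment, which is exactly why a segment-per-room or per-floor design, with the controller reachable only from its own tablet, matters more than anything at the protocol layer.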
By manishs from Slashdot's government-vs-open-source department
An anonymous reader points to an official announcement made by TP-Link, which confirms a report from last month that it is blocking open source firmware: The FCC requires all manufacturers to prevent users from having any direct ability to change RF parameters (frequency limits, output power, country codes, etc.). In order to keep our products compliant with these implemented regulations, TP-LINK is distributing devices that feature country-specific firmware. Devices sold in the United States will have firmware and wireless settings that ensure compliance with local laws and regulations related to transmission power. As a result of these necessary changes, users are not able to flash the current generation of open-source, third-party firmware. We are excited to see the creative ways members of the open-source community update the new firmware to meet their needs. However, TP-LINK does not offer any guarantees or technical support for customers attempting to flash any third-party firmware to their devices.
Don't lose all your hopes yet. Developer Sebastian Gottschall, who works on DD-WRT Linux-based firmware, believes that TP-Link hasn't blocked third-party firmware. He adds, "Just the firmware header has been a little bit changed and a region code has been added. This has been introduced in September 2015. DD-WRT for instance does still provide compatible images... in fact it's no lock." Furthermore, Cisco insists that the FCC's existing or proposed rules don't limit or eliminate the ability of a developer to use open source software.
By BeauHD from Slashdot's violent-expectations department
dcblogs writes: About 300 Hertz IT employees, most located in Oklahoma City, are being impacted [by] a decision to expand its outsourcing to IBM. About 75 will be hired by IBM and those workers [are expected] to receive offers this week while others are facing layoffs. The news was a shock for IT employees. There was "anger, resentment," especially by employees who "sacrificed that work/life balance to keep things going here," said one employee. Hertz took precautions. On the day that IT employees learned that their work was shifting to IBM, employees noticed Oklahoma sheriff patrol vehicles in the building's parking lot. They believed plainclothes officers were inside the building.
"We consider the safety and security of our people whenever there are circumstances or events that could increase the risk of a disturbance or some form of workplace violence," said Bill Masterson, a Hertz spokesman. "Knowing that this was a difficult announcement, we had additional security on hand," said Masterson. "Going forward, Hertz IT resources will be focused on development of future products and services for customers," he said. The majority of services will be cloud-based. According to the Computerworld article, along with severance pay, benefits also include three months of outplacement assistance. IT employees can receive up to $4,000 toward retraining or skill certification, said Masterson. IBM India Private Limited, an IBM subsidiary, has filed paperwork for H-1B visa workers for Hertz Technology offices.
By BeauHD from Slashdot's new-and-improved department
An anonymous reader writes: Apparently, during the past months it has started coming to the surface that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only $5,000 on underground hacking forums. Taking advantage of his newfound glory, the coder behind that malware has now released a second version, three times the price of the first, complete with 3 exploits that can guarantee root access on older versions of Android (which are plenty thanks to [ignorant] OEMs and carriers). Some of the malware that originated from GM Bot includes: SimpleLocker (first crypto-ransomware for Android), AceCard (considered the most sophisticated Android malware to date), Bankosy and SlemBunk (banking trojan and backdoor), and Mazar Bot (banking trojan, backdoor and ransomware). To make things worse, GM Bot v1's source code also got leaked online, making it available to any halfwit developer that wants a crack at a cybercrime career.
By timothy from Slashdot's or-is-that-have-been-released department
Burz writes: Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS are Salt management, the Odyssey abstraction layer, and UEFI boot support. The 3.x series also lays the groundwork for distributed verifiable builds, Whonix VMs for Tor isolation, split-GPG key management, USB sandboxing, and a host of others.
Qubes has recently gained a following among privacy advocates, notable among them journalist J.M. Porup, Micah Lee at The Intercept and Edward Snowden.
Embodying a shift away from complex kernel-based security and towards bare metal hypervisors and IOMMUs for strict isolation of hardware components, Qubes seals off the usual channels for 'VM breakout' and DMA attacks. It isolates NICs and USB hardware within unprivileged VMs which are themselves a re-working of the usual concept, each booting from read-only OS 'templates' which can be shared. Graphics are also virtualized behind a simple, hardened interface. Some of the more interesting attacks mitigated by Qubes are Evil Maid, BadBIOS, BadUSB and Mousejack.
By BeauHD from Slashdot's gelatinous-binge-watching-humans department
mmoorebz writes: Netflix is known as a place to binge watch television, but behind the scenes, there's a lot that goes on before everyone's favorite show can be streamed. The first step to deploying an application or service is building. Netflix created Nebula, a set of plugins for the Gradle build system, that "help with the heavy-lifting around building applications," said the engineers. Once the code has been built and tested locally using Nebula, the team pushes the updated source code to a Git repository. Every deployment at Netflix begins with the creation of an Amazon Machine Image, and to generate them from source, Netflix created what it calls "the Bakery." It exposes an API that facilitates the creation of AMIs globally, according to the blog. When it comes time to deploy and after the "baking" is complete, teams will use Spinnaker to manage multi-region deployments, canary releases, and red/black deployments. Netflix is continuing to look at the developer experience and determine how it can improve.
By BeauHD from Slashdot's not-to-be-taken-literally department
JoeyRox writes: President Obama said Friday that smartphones -- like the iPhone the FBI is trying to force Apple to help it hack -- can't be allowed to be "black boxes," inaccessible to the government. He believes technology companies should work with the government on encryption rather than leaving the issue for Congress to decide. He went on to say, "If your argument is strong encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance we have lived with for 200, 300 years, and it's fetishizing our phones above every other value." Obama's appearance on Friday at the event known as SXSW, the first by a sitting president, comes as the FBI tries to force Apple to help investigators access an iPhone used by one of the assailants in December's deadly San Bernardino, California, terror attack. "The question we now have to ask is, if technologically it is possible to make an impenetrable device or system, where the encryption is so strong there's no key, there's no door at all, then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot?" Obama said. "If in fact you can't crack that at all, government can't get in, then everybody's walking around with a Swiss bank account in their pocket." He said compromise is possible and the technology industry must help design it.
By BeauHD from Slashdot's private-conversations department
An anonymous reader writes: A group of former Skype technologists, backed by the co-founder of the messaging platform, has introduced a new version of its own messaging service that promises end-to-end encryption for all conversations, including by video. Wire, a 50-person start-up mostly made up of engineers, is stepping into a global political debate over encryption that pits privacy against security advocates, epitomized by the standoff between the U.S. government and Apple. Wire, which is headquartered in Switzerland and Germany, two of the most privacy-friendly countries in the world, relays communications through its network of cloud computers where user communications are stored, in encrypted form, on their own devices. It delivers privacy protections that are always on, even when callers use multiple devices, such as a phone or desktop PC simultaneously. For voice and video calls, Wire uses the same DTLS and SRTP encryption standards found in the peer-to-peer WebRTC protocol. Rivals such as Facebook's Messenger and WhatsApp or Telegram offer encryption on only parts of a message's journey or for a specific set of services, the company said. "Everything is end-to-end encrypted: That means voice and video calls, texts, pictures, graphics -- all the content you can send," Wire Executive Chairman Janus Friis told Reuters.
By BeauHD from Slashdot's machine-learning-as-a-service department
An anonymous reader writes: Hewlett Packard Enterprise has announced its HPE Haven OnDemand machine learning service to bring Big Data analytics to mainstream developers. "HPE Haven OnDemand democratizes Big Data by bringing the power of machine learning, traditionally reserved for high-end, highly trained data scientists, to the mainstream developer community," said exec Colin Mahony. "Now, anyone can leverage our easy to use cloud-based service to harness the rich variety of data available today to build applications that produce new insights, differentiate businesses, delight customers and deliver competitive advantage." The platform, which is hosted on Microsoft's Azure platform, features more than 60 advanced ML APIs and services to help developers build data-driven applications including mobile, enterprise, consumer, desktop and Internet of Things projects. The APIs provide capabilities such as "prediction, face-detection, speech-to-text, and knowledge graph analysis for a wide range of data formats, including text, audio, image, social, web and video," the company said.