By BeauHD from Slashdot's come-out-come-out-wherever-you-are department
Trailrunner7 quotes a report from On the Wire: Google has released a new set of tests it uses to probe cryptographic libraries for vulnerabilities to known attacks. The tests can be used against most kinds of crypto algorithms and the company already has found 40 new weaknesses in existing algorithms. The tests are called Project Wycheproof, and Google's engineers designed them to help developers implement crypto libraries without having to become experts. Cryptographic libraries can be quite difficult to implement and making errors can lead to serious security problems. Attackers often will look for weak crypto implementations as a means of circumventing strong encryption in a target app. Among the issues that Google's engineers found with the Project Wycheproof tests is one in ECDH that allows an attacker to recover the private key in some circumstances. The bug is the result of some libraries not checking the elliptic curve points that they get from outside sources. "In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means," Daniel Bleichenbacher and Thai Duong, security engineers at Google, said in a post announcing the tool release. "Encodings of public keys typically contain the curve for the public key point. If such an encoding is used in the key exchange then it is important to check that the public and secret key used to compute the shared ECDH secret are using the same curve. Some libraries fail to do this check," Google's documentation says.
By BeauHD from Slashdot's fun-for-the-whole-family department
An anonymous reader quotes a report from TechCrunch: Facebook Messenger is launching its own split-screen group video chat feature. Six users can appear in split-screen at the time and don Snapchat-style selfie masks, while 50 total can listen and talk over voice while sending text, stickers, emojis, and GIFs. Group video chat starts rolling out worldwide on iOS, Android, and web, today, though Android will have to wait for the MSQRD-powered selfie masks that might not ever come to desktop. It's free on wi-fi but standard data charges will apply on cellular connections. The launch makes Messenger the first popular western messaging app with group video chat. It's managed to beat FaceTime/iMessage, Google Duo, and Snapchat to the punch. U.S. teens might be most familiar with the format from the recent rise of Houseparty, the new app from the makers of Meerkat. Messenger group video chat works a little differently, but with a similar design. Instead of simply logging into an ever-present video chat room that notifies friends like on Houseparty, you deliberately select friends or a group text thread to invite to a video call. Once in, up to 4 Messenger users can share big slices of the screen, while Houseparty accommodates 8. Between 4 and 6 callers, the Messenger screen switches to a gallery format, with whoever is speaking taking up the bulk of the screen with little thumbnails of everyone else at the bottom. And everyone beyond the first 6 up to 50 callers will only be able to listen, speak, and send content but won't appear in the video gallery.
By msmash from Slashdot's taking-a-stand department
Reader Presto Vivace shares a report on The Intercept: IBM employees are taking a public stand following a personal pitch to Donald Trump from CEO Ginni Rometty and the company's initial refusal to rule out participating in the creation of a national Muslim registry. In November, Rometty wrote Trump directly, congratulating him on his electoral victory and detailing various services the company could sell his administration. The letter was published on an internal IBM blog along with a personal note from Rometty to her enormous global staff. "As IBMers, we believe that innovation improves the human condition. ... We support, tolerance, diversity, the development of expertise, and the open exchange of ideas," she wrote in the context of lending material support to a man who won the election by rejecting all of those values. Employee comments were a mix of support and horror. Now, some of those who were horrified are going public, denouncing Rometty's letter and asserting "our right to refuse participation in any U.S. government contracts that violate constitutionally protected civil liberties." The IBMPetition.org effort has been spearheaded in part by IBM cybersecurity engineer Daniel Hanley, who told The Intercept he started organizing with his coworkers after reading Rometty's letter. "I was shocked, of course," Hanley said, "because IBM has purported to espouse diversity and inclusion, and yet here's Ginni Rometty in an unqualified way reaching out to an admin whose electoral success was based on racist programs."
By msmash from Slashdot's very-nice department
A bipartisan House Oversight and Government Reform Committee report released today urges Congress to pass legislation to regulate cell-site simulation surveillance devices like the Stingray. From a report: The devices, used by local and federal law enforcement agencies around the country, have been controversial, both for their power to track mobile devices and the secrecy often accompanying their use. As the report notes, the devices are still often used by local law enforcement agencies without warrants, instead relying on various lower standards of evidence. The committee's investigation, which last year prompted the Justice Department and Department of Homeland Security to change their policies on when to require a warrant before using the devices, found that the Justice Department uses 310 of the devices and spent $71 million on them between fiscal years 2010 and 2014. Homeland Security has 124 devices and spent $24 million in the same period. [...] The committee recommends that agencies become more "candid" about the devices, and urges states to pass legislation that would "require, with limited exceptions, issuance of a probable cause based warrant prior to law enforcement's use of these devices."
By msmash from Slashdot's mere-hacking department
A 'mere' 10.8% phishing success rate has forced Los Angeles County to notify approximately 756,000 individuals that their personal information may have been compromised. The attack occurred on May 13, 2016 when 1,000 County employees received phishing emails. 108 employees were successfully phished. A Nigerian national has been charged in connection with the hack. From a report on The Guardian: Many large organizations would welcome a 10% success rate in their internal anti-phishing training sessions, with 30% and above being common. The 2016 Verizon DBIR suggests that 30% of all phishing emails are opened. The high number of individuals affected from a relatively low number of successes in LA County demonstrates how dangerous phishing attacks can be. The nature of the potentially compromised information is also concerning. "That information may have included first and last names, dates of birth, Social Security numbers, driver's license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history, or medical record numbers," said the County of Los Angeles Chief Executive Office in a statement.
By msmash from Slashdot's expectations-vs-reality department
Microsoft is pushing hard for Windows 10 to become the operating system of choice for everyone across the world, but this isn't happening just yet, as Windows 7 keeps dominating the desktop market. From a report on Softpedia: The Firefox Hardware Report published recently by Mozilla shows that Windows 7 is the number one browser for users running the company's browser, with a share of 44.86 percent, followed by Windows 10 with 25.67 percent. Seeing Windows 7 dominating the desktop OS charts is not surprising, but on the other hand, it's living proof that Microsoft will really have a hard time moving users to Windows 10 before 2020 when it reaches end of support. Microsoft's Windows 10, however, already improved substantially since its launch in 2015, mostly thanks to the free upgrade offer targeting Windows 7 and 8.1 users, but this still isn't enough to become the number one choice for PC users.
By EditorDavid from Slashdot's Santa's-little-helpers department
Every year more than 10 million packages are stolen off doorsteps, according to a study by August Home Inc. -- a company which sells a "smart" door lock that's controlled by your cellphone so you can remotely let a delivery person into your house. But that's just one of the weird ways consumers are using technology to try to fight package thieves. An anonymous reader reports:
Some online shopping sites will now also text you when one of their packages gets left on your doorstep, according to GeekWire, which reports that for a thousand bucks you can also just buy a lockable iBin parcel-delivery box. But there's also a startup selling an odd new product called Package Guard, "a Frisbee sized, wi-fi-enabled device that alerts a user when a package has been delivered and set on top of it. Package Guard sets off a loud alarm if anyone unauthorized tries to remove the package."
GeekWire details the frustration of one Seattle police detective. "Bach knows the crimes are happening, he knows it all spikes during the holiday season and he knows that the few thieves who are caught are likely to see little if any jail time." (Though Bach admits "We do a wide variety of undercover stings," including a recent operation involving mobile surveillance with a "major delivery company.") One Seattle man even attempted to stop thieves by installing a Ring smart doorbell to film activity on his doorstep, only to discover that this only enabled him to watch helplessly as a thief opened his package, and then successfully stole all of its contents.
Though he yelled at the video "Bring my package back now!" that thief was never caught.
By EditorDavid from Slashdot's BlackBerry-mobiles department
BlackBerry's Unix-like OS, QNX, is already in millions of cars. But today they're expanding their facility in Ottawa "to focus on developing advanced driver assistance and autonomous vehicle technology," according to Reuters. And one analyst says "If they can prove that they have the whole package and the security, they could absolutely dominate the market."
After a detour where QNX's industrial-focused software was used to reinvent the now-discarded BlackBerry phone operating system, BlackBerry is focused on how its embedded software interacts with the explosion of sensors, cameras and other components required for a car to drive itself... "What QNX is doing is providing the infrastructure that allows you to build higher-level algorithms and to also acquire data from the sensors in a reliable manner," said Sebastian Fischmeister, a University of Waterloo associate professor who has worked with QNX since 2009.
Instead of focussing on AI, BlackBerry wants "a niche role as a trusty sidekick," Reuters reports, adding that besides a recent deal with Ford, BlackBerry is also holding advanced discussions with "more than one or two" major automakers, according to the head of the company.
By EditorDavid from Slashdot's embracing-and-extending department
An anonymous reader quotes InfoWorld:
Two years ago Microsoft did the unthinkable: It declared it would open-source its .NET server-side cloud stack with the introduction of .NET Core... Thus far, the move has paid off. Microsoft has positioned .NET Core as a means for taking .NET beyond Windows. The cross-platform version extends .NET's reach to MacOS and Linux...
Developers are buying in, says Scott Hunter, Microsoft partner director program manager for .NET. "Forty percent of our .NET Core customers are brand-new developers to the platform, which is what we want with .NET Core," Hunter says. "We want to bring new people in." Thanks in considerable part to .NET Core, .NET has seen a 61% uptick in the number of developers engaged with the platform in the past year.
The article includes an interesting quote from Microsoft-watching analyst Rob Sanfilippo. "It could be argued that the technology generates indirect revenue by incenting the use of Azure services or Microsoft developer tools."