Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 6 hours 29 min ago

AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks

Mon, 11/19/2018 - 07:25
Amazon's Web Services division rolled out new security features to AWS account owners last week that are meant to prevent accidental data exposures caused by the misconfiguration of S3 data storage buckets. From a report: Starting today, AWS account owners will have access to four new options inside their S3 dashboards under the "Public access settings for this account" section. These four new options allow the account owner to set a default access setting for all of an account's S3 buckets. These new account-level settings will override any existing or newly created bucket-level ACLs (access control lists) and policies. Account owners will have the ability to apply these new settings for S3 buckets that will be created from now onwards, to apply the new setting retroactively, or both.

More Companies Plan To Implant Microchips Into Their Employees' Hands

Sun, 11/18/2018 - 16:34
"British companies are planning to microchip some of their staff in order to boost security and stop them accessing sensitive areas," reports the Telegraph. "Biohax, a Swedish company that provides human chip implants, told the Telegraph it was in talks with a number of UK legal and financial firms to implant staff with the devices." An anonymous reader quote Zero Hedge: It is really happening. At one time, the idea that large numbers of people would willingly allow themselves to have microchips implanted into their hands seemed a bit crazy, but now it has become a reality. Thousands of tech enthusiasts all across Europe have already had microchips implanted, and now a Swedish company is working with very large global employers.... For security-obsessed corporations, this sort of technology can appear to have a lot of upside. If all of your employees are chipped, you will always know where they are, and you will always know who has access to sensitive areas or sensitive information. According to a top official from Biohax, the procedure to implant a chip takes "about two seconds...." Of course once this technology starts to be implemented, there will be some workers that will object. But if it comes down to a choice between getting the implant or losing their jobs, how many workers do you think will choose to become unemployed? Engadget provides more examples, pointing out that in 2006 an Ohio surveillance firm had two employees in its secure data center implant RFIDs in their triceps, and that just last year 80 employees at Three Square Market in Wisconsin had chips implanted into their hands. Their article also hints that "no one's thinking about the inevitable DEF CON talk 'Chipped employees: Fun with attack vectors'" Dr. Stewart Southey, the Chief Medical Officer at Biohax International, describes the technology as "a secure way of ensuring that a person's digital identity is linked to their physical identity," with a syringe injecting the chip directly between their thumb and forefinger to enable near-field communication. But what do Slashdot's readers think? Would you let your employer microchip you?

Amazon Releases A No-Cost Distribution of OpenJDK

Sun, 11/18/2018 - 10:56
An anonymous reader quotes SD Times: Amazon wants to make sure Java is available for free to its users in the long term with the introduction of Amazon Corretto. The solution is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). "Java is one of the most popular languages in use by AWS customers, and we are committed to supporting Java and keeping it free," Arun Gupta, principal open-source technologist at Amazon, wrote in a blog post. "Many of our customers have become concerned that they would have to pay for a long-term supported version of Java to run their workloads. As a first step, we recently re-affirmed long-term support for Java in Amazon Linux. However, our customers and the broader Java community run Java on a variety of platforms, both on and off of AWS." Amazon Corretto will be available with long-term support and Amazon will continue to make performance enhancements and security fixes to it, the company explained. Amazon plans on making quarterly updates with bug fixes and patches, as well as any urgent fixes necessary outside of its schedule... Corretto 8 is available as a preview with features corresponding to those in OpenJDK 8. General availability for the solution is planned for Q1 2019... "Corretto is designed as a drop-in replacement for all Java SE distributions unless you're using features not available in OpenJDK (e.g., Java Flight Recorder)," Gupta wrote.... According to Gupta, Corretto 8 will be available at no cost until at least June of 2023. The company is working on Corretto 11, which will be available until at least August of 2024. "Amazon has already made several contributions to OpenJDK 8 and we look forward to working closely with the OpenJDK community on future enhancements to OpenJDK 8 and 11," Gupta wrote. "We downstream fixes made in OpenJDK, add enhancements based on our own experience and needs, and then produce Corretto builds. In case any upstreaming efforts for such patches is not successful, delayed, or not appropriate for OpenJDK project, we will provide them to our customers for as long as they add value. If an issue is solved a different way in OpenJDK, we will move to that solution as soon as it is safe to do so."

GitHub's Annual Report Reveals This Year's Top Contributor: Microsoft

Sun, 11/18/2018 - 09:47
GitHub saw more than 67 million pull requests this year -- more than a third of GitHub's "lifetime" total of 200 million pull requests since its launch in 2008. It now hosts 96 million repositories, and has over 31 million contributors -- including 8 million who just joined within the last 12 months. These are among the facts released in GitHub's annual "State of the Octoverse" report -- a surprising number of which involve Microsoft. GitHub's top project this year, by contributor count, was Microsoft's Visual Studio Code (with 19,000 contributors), followed by Facebook's React Native (10,000), TensorFlow (9,300) and Angular CLI (8,800) -- as well as Angular (7,600) -- and the open source documentation for Microsoft Azure (7,800). Microsoft now has more employees contributing to open source projects than any other company or organization (7,700 employees), followed by Google (5,500), Red Hat (3,300), U.C. Berkeley (2,700), and Intel (2,200). The open source documentation for Microsoft Azure is GitHub's fastest-growing open source project, followed by PyTorch (an open source machine learning library for Python). Among the "Cool new open source projects" is an Electron app running Windows 95. But more than 2.1 million organizations are now using GitHub (including public and private repositories) -- which is 40% more than last year -- and the report offers a fun glimpse into the minutiae of life in the coding community. Read on for more details.

Compelling New Suspect For DB Cooper Skyjacking Found By Army Data Analyst

Sun, 11/18/2018 - 06:15
A U.S. Army officer with a security clearance and a "solid professional reputation" believes he's solved the infamous D.B. Cooper skyjacking case -- naming two now-dead men in New Jersey who have never before been suspected, "possibly breaking wide open the only unsolved skyjacking case in U.S. history," according to the Oregonian. The data analyst started his research because, simply enough, he had stumbled upon an obscure old book called "D.B. Cooper: What Really Happened," by the late author Max Gunther. Gunther wrote that he was contacted in 1972 by a man who claimed to be the skyjacker... Using the name "Dan LeClair" and various details from the book, as well as information from the FBI's D.B. Cooper case files that have become public in recent years, Anonymous tracked the bread crumbs to a very real man named Dan Clair, a World War II Army veteran who died in 1990... Continuing his research, our anonymous Army officer eventually determined that Clair probably was not D.B. Cooper. More likely the skyjacker was a friend and co-worker of Clair's, a native New Jerseyan by the name of William J. Smith, who died in January of this year at age 89... Clair and Smith worked together at Penn Central Transportation Co. and one of its predecessors. For a while, they were both "yardies" at the Oak Island rail yard in Newark. It appears they bonded in the 1960s as Penn Central struggled to adapt to a changing economy. The data analyst says the two men's military backgrounds -- Smith served in the Navy -- and long experience in the railroad business would have made it possible for either of them to successfully parachute from a low-flying jetliner, find railroad tracks once they were on the ground, and hop a freight train back to the East Coast. Poring over a 1971 railroad atlas, the hijacked plane's flight path and the skyjacker's likely jump zone, he determined that no matter where D.B. Cooper landed, he would have been no more than 5-to-7 miles from tracks. "I believe he would have been able to see Interstate 5 from the air," he says, adding that one rail line ran parallel to the highway... He believes Smith and Clair may have been in on the skyjacking together. He notes that Clair, who spent his career in relatively low-level jobs, retired in 1973 when he was just 54 years old. Several incriminating coincidences were noted by an article this week in the Oregonian -- including a scar on Smith's hand, his visit to a skydiving facility in 1971, and Smith's strong resemblance to the police artist's sketches. Even the chemicals found on Cooper's clip-on tie in 2017 would be consistent with his job as the manager of a railyard. "[I]n my professional opinion, there are too many connections to be simply a coincidence," the data analyst told the FBI, while telling the Oregonian he believes the pair were "mad at the corporate establishment" in America and determined to do something about it. "If I was on that plane, I wouldn't have thought he was a hero," he says. "But after the fact, I might think, 'OK, this took balls,' especially if I knew he was an ordinary guy, a working man worried about his pension going away. That he wasn't some arch-criminal. I would want to talk to that guy.... he is a kind of folk hero."

Hacker Says They Compromised ProtonMail; ProtonMail Calls BS

Sat, 11/17/2018 - 11:19
A hacker going by the name AmFearLiathMor is claiming to have hacked ProtonMail and stolen "significant" amounts of data. They have posted a ransom demand to an anonymous Pastebin but it reads like a prank, as it states that the alleged hackers have access to underwater drone activity and treaty violations in Antarctica. Lawrence Abrams writes via BleepingComputer: According to the message, a hacker going by the name AmFearLiathMor makes quite a few interesting claims such as hacking ProtonMail's services and stealing user's email, that ProtonMail is sending their user's decrypted data to American servers, and that ProtonMail is abusing the lack of Subresource Integrity (SRI) use to purposely and maliciously steal their user's passwords. After reading the Pastebin message (archive.is link), which is shown in its entirety below minus some alleged keys, and seeing the amount of claims, the first thing that came to mind was a corporate version of the sextortion scams that have been running rampant lately. As I kept reading it, though, it just felt like a joke. ProtonMail posted on Twitter that this is a hoax and that there is no evidence that anything states is true. The encrypted email service provided a statement to BleepingComputer: "We believe this extortion attempt is a hoax, and we have seen zero evidence to suggest otherwise. Not a single claim made is true and many of the claims are unsound from a technical standpoint. We are aware of a small number of ProtonMail accounts that have been compromised as a result of those individual users falling for phishing attempts. However, there is zero evidence of a breach of our infrastructure."

Mark Shuttleworth Reveals Ubuntu 18.04 Will Get a 10-Year Support Lifespan

Sat, 11/17/2018 - 10:18
At the OpenStack Summit in Berlin last week, Ubuntu Linux founder Mark Shuttleworth said in a keynote that Ubuntu 18.04 Long Term Support (LTS) support lifespan would be extended from five years to 10 years. "I'm delighted to announce that Ubuntu 18.04 will be supported for a full 10 years," said Shuttleworth, "In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IoT where manufacturing lines for example are being deployed that will be in production for at least a decade." ZDNet reports: Ubuntu 18.04 released in April 2018. While the Ubuntu desktop gets most of the ink, most of Canonical's dollars comes from server and cloud customers. It's for these corporate users Canonical first extended Ubuntu 12.04 security support, then Ubuntu 14.04's support, and now, preemptively, Ubuntu 18.04. In an interview after the keynote, Shuttleworth said Ubuntu 16.04, which is scheduled to reach its end of life in April 2021, will also be given a longer support life span. When it comes to OpenStack, Shuttleworth promised again to support versions of OpenStack dating back to 2014's IceHouse. Shuttleworth said, "What matters isn't day two, what matters is day 1,500." He also doubled-down on Canonical's promise to easily enable OpenStack customers to migrate from one version of OpenStack to another. Generally speaking, upgrading from one version of OpenStack is like a root canal: Long and painful but necessary. With Canonical OpenStack, you can step up all the way from the oldest supported version to the newest one with no more than a second of downtime.

BlackBerry Buys Cybersecurity Firm Cylance For $1.4 Billion

Sat, 11/17/2018 - 07:15
wiredmikey shares a report from SecurityWeek: BlackBerry on Friday announced that it has agreed to acquire endpoint security firm Cylance for $1.4 billion in cash. "We plan on immediately expanding the capabilities across BlackBerry's 'chip-to-edge' portfolio, including QNX, our safety-certified embedded OS that is deployed in more than 120 million vehicles, robot dogs, medical devices, and more," a BlackBerry company spokesperson told SecurityWeek. "Over time, we plan to integrate Cylance technology with our Spark platform, which is at the center of our strategy to ensure data flowing between endpoints (in a car, business, or smart city) is secured, private, and trusted." Cylance has raised roughly $300 million in funding [prior being acquired]. BlackBerry describes the "Spark platform" as a secure chip-to-edge communications platform "designed for ultra-security and industry-specific safety-certifications, such as ISO 26262 in automobiles."

Lock-Screen Bypass Bug Quietly Patched In Handsets

Sat, 11/17/2018 - 02:00
secwatcher shares a report from Threatpost: A design flaw affecting all in-display fingerprint sensors -- that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack -- has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent's Xuanwu Lab which is credited for first identifying the flaw earlier this year. Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors. That includes current models of Huawei Technologies' Porsche Design Mate RS and Mate 20 Pro model phones. Researchers said that many more cellphone manufacturers are impacted by the issue. The most popular phone in the U.S. that is impacted by this vulnerability is the OnePlus 6T. "[A]ll an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil," reports Threatpost. "By placing the reflective material over a residual fingerprint on the phone's display the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint."

A New Senate Bill Would Hit Robocallers With Up To a $10,000 Fine For Every Call

Fri, 11/16/2018 - 18:05
Massachusetts Democratic Senator Ed Markey and South Dakota Republican Senator John Thune have introduced a bill on Friday that aims to ramp up the penalties on illegal robocalls and stop scammers from sending them. Gizmodo reports: The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, raises the penalty for robocalls from $1,500 per call to up to $10,000 per call, and allows the Federal Communications Commission (FCC) to take action on illegal robocalls up to three years after the calls are placed, instead of a year. The Act also aims to push the FCC to work along with the Consumer Financial Protection Bureau, Department of Justice, Department of Homeland Security, Federal Trade Commission (FTC), and other agencies to provide information to Congress about advancements in hindering robocall and prosecuting scammers. Perhaps most importantly for us highly annoyed Americans, the bill would also force phone service providers to use call authentication that filters out illegitimate calls before they go through to consumers.

MiSafes' Child-Tracking Smartwatches Are 'Easy To Hack'

Fri, 11/16/2018 - 16:03
The location-tracking "MiSafe" smartwatch may not be as safe as the name proclaims. According to security researchers from Pen Test Partners, the watches are easy to hack as they do not encrypt the data they use or secure each child's account. The researchers found that they could track children's movements, surreptitiously listen in to their activities and make spoof calls to the watches that appeared to be from parents. The BBC reports: The MiSafes watch was first released in 2015. It uses a global positioning system (GPS) sensor and a 2G mobile data connection to let parents see where their child is, via a smartphone app. In addition, parents can create a "safe zone" and receive an alert if the child leaves the area. The adult can also listen in to what their offspring is doing at any time and trigger two-way calls. Pen Test Partner's Ken Munro and Alan Monie learned of the product's existence when a friend bought one for his son earlier this year. Out of curiosity, they probed its security measures and found that easy-to-find PC software could be used to mimic the app's communications. This software could be used to change the assigned ID number, which was all it took to get access to others' accounts. This made it possible to see personal information used to register the product, including: a photo of the child; their name, gender and date of birth; their height and weight; the parents' phone numbers; and the phone number assigned to the watch's Sim card.

Trump Signs Bill That Creates the Cybersecurity and Infrastructure Security Agency

Fri, 11/16/2018 - 14:40
An anonymous reader quotes a report from ZDNet: U.S. President Donald Trump signed today a bill into law, approving the creation of the Cybersecurity and Infrastructure Security Agency (CISA). The bill, known as the CISA Act, reorganizes and rebrands the National Protection and Programs Directorate (NPPD), a program inside the Department of Homeland Security (DHS), as CISA, a standalone federal agency in charge of overseeing civilian and federal cybersecurity programs. The NPPD, which was first established in 2007, has already been handling almost all of the DHS' cyber-related issues and projects. As part of the DHS, the NPPD was the government entity in charge of physical and cyber-security of federal networks and critical infrastructure, and oversaw the Federal Protective Service (FPS), the Office of Biometric Identity Management (OBIM), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C), and the Office of Infrastructure Protection (OIP). As CISA, the agency's prerogatives will remain the same, and nothing is expected to change in day-to-day operations, but as a federal agency, CISA will now benefit from an increased budget and more authority in imposing its directives. "Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation's critical infrastructure and cyber platforms," said NPPD Under Secretary Christopher Krebs. "The changes will also improve the Department's ability to engage with industry and government stakeholders and recruit top cybersecurity talent."

Most ATMs Can Be Hacked in Under 20 Minutes

Fri, 11/16/2018 - 12:02
An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less, in certain types of attacks. From a report: Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week. The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users' bank cards (also known as skimming). Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected to. Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.

A Leaky Database of SMS Text Messages Exposed Password Resets and Two-Factor Codes

Fri, 11/16/2018 - 10:00
A database which contained millions of text messages used to authenticate users signing into websites was left exposed to the internet without a password. From the report: The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn't protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sebastien Kaul, a Berlin-based security researcher, it didn't take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to to one of Voxox's own subdomains. Worse, the database -- running on Amazon's Elasticsearch -- was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

'The Internet Needs More Friction'

Fri, 11/16/2018 - 06:00
Justin Kosslyn, who leads product management at Jigsaw, a unit within Alphabet that builds technology to address global security challenges, writes: The Internet's lack of friction made it great, but now our devotion to minimizing friction is perhaps the internet's weakest link for security. Friction -- delays and hurdles to speed and growth -- can be a win-win-win for users, companies, and security. It is time to abandon our groupthink bias against friction as a design principle. Highways have speed limits and drugs require prescriptions -- rules that limit how fast you can drive a vehicle or access a controlled substance -- yet digital information moves limitlessly. The same design philosophy that accelerated the flow of correspondence, news, and commerce also accelerates the flow of phishing, ransomware, and disinformation. In the old days, it took time and work to steal secrets, blackmail people, and meddle across borders. Then came the internet. From the beginning, it was designed as a frictionless communication platform across countries, companies, and computers. Reducing friction is generally considered a good thing: it saves time and effort, and in many genuine ways makes our world smaller. There are also often financial incentives: more engagement, more ads, more dollars. But the internet's lack of friction has been a boon to the dark side, too. Now, in a matter of hours a "bad actor" can steal corporate secrets or use ransomware to blackmail thousands of people. Governments can influence foreign populations remotely and at relatively low cost. Whether the threat is malware, phishing, or disinformation, they all exploit high-velocity networks of computers and people.

Why Sleep Apnea Patients Rely On a Lone, DRM-Breaking CPAP Machine Hacker

Thu, 11/15/2018 - 18:05
Jason Koebler writes: "SleepyHead" is a free, open-source, and definitely not FDA-approved piece of software for sleep apnea patients that is the product of thousands of hours of hacking and development by a lone Australian developer named Mark Watkins, who has helped thousands of sleep apnea patients take back control of their treatment from overburdened and underinvested doctors. The software gives patients access to the sleep data that is already being generated by their CPAP machines but generally remains inaccessible, hidden by DRM and proprietary data formats that can only be read by authorized users (doctors) on proprietary pieces of software that patients often can't buy or download. SleepyHead and community-run forums like CPAPtalk.com and ApneaBoard.com have allowed patients to circumvent medical device manufacturers, who would prefer that the software not exist at all. Medical device manufacturers fought in 2015 to prevent an exemption to the Digital Millennium Copyright Act to legalize hacking by patients who wanted to access their own data, but an exemption was granted, legalizing SleepyHead and software like it.

Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows

Thu, 11/15/2018 - 12:45
schwit1 shares a report: Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created. According to a paper [PDF] presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand. The researchers, led by NYU's Philip Bontrager, say that "the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis." As with much security research, demonstrating flaws in existing authentication systems is considered to be an important part of developing more secure replacements in the future. In order to work, the DeepMasterPrints take advantage of two properties of fingerprint-based authentication systems. The first is that, for ergonomic reasons, most fingerprint readers do not read the entire finger at once, instead imaging whichever part of the finger touches the scanner.

The F-35's Greatest Vulnerability Isn't Enemy Weapons. It's Being Hacked.

Thu, 11/15/2018 - 11:25
schwit1 shares a report: Every F-35 squadron, no matter the country, has a 13-server ALIS package that is connected to the worldwide ALIS network. Individual jets send logistical data back to their nation's Central Point of Entry, which then passes it on to Lockheed's central server hub in Fort Worth, Texas. In fact, ALIS sends back so much data that some countries are worried it could give away too much information about their F-35 operations. Another networking system is the Joint Reprogramming Enterprise, or JRE. The JRE maintains a shared library of potential adversary sensors and weapon systems that is distributed to the worldwide F-35 fleet. For example, the JRE will seek out and share information on enemy radar and electronic warfare signals so that individual air forces will not have to track down the information themselves. This allows countries with the F-35 to tailor the mission around anticipated threats -- and fly one step ahead of them. Although the networks have serious cybersecurity protections, they will undoubtedly be targets for hackers in times of peace, and war. Hackers might try to bring down the networks entirely, snarling the worldwide logistics system and even endangering the ability of individual aircraft to get much-needed spare parts. Alternately, it might be possible to compromise the integrity of the ALIS data -- by, say, reporting a worldwide shortage of F-35 engines. Hackers could conceivably introduce bad data in the JRE that could compromise the safety of a mission, shortening the range of a weapon system so that a pilot thinks she is safely outside the engagement zone when she is most certainly not. Even the F-35 simulators that train pilots could conceivably leak data to an adversary. Flight simulators are programmed to mirror flying a real aircraft as much as possible, so data retrieved from a simulator will closely follow the data from a real F-35.

The Internet Has a Huge C/C++ Problem and Developers Don't Want to Deal With It

Thu, 11/15/2018 - 08:40
What do Heartbleed, WannaCry, and million dollar iPhone bugs have in common? From a report: One bug affects iPhones, another affects Windows, and the third affects servers running Linux. At first glance these might seem unrelated, but in reality all three were made possible because the software that was being exploited was written in programming languages which allow a category of errors called "memory unsafety." By allowing these types of vulnerabilities, languages such as C and C++ have facilitated a nearly unending stream of critical computer security vulnerabilities for years. Imagine you had a program with a list of 10 numbers. What should happen if you asked the list for its 11th element? Most of us would say an error of some sort should occur, and in a memory safe programming language (for example, Python or Java) that's what would happen. In a memory unsafe programming language, it'll look at wherever in memory the 11th element would be (if it existed) and try to access it. Sometimes this will result in a crash, but in many cases you get whatever happens to be at that location in memory, even if that portion of memory has nothing to do with our list. This type of vulnerability is called a "buffer-overflow," and it's one of the most common types of memory unsafety vulnerabilities. HeartBleed, which impacted 17 percent of the secure web servers on the internet, was a buffer-overflow exploit, letting you read 60 kilobytes past the end of a list, including passwords and other users' data.

Minister in Charge of Japan's Cybersecurity Says He Has Never Used a Computer

Thu, 11/15/2018 - 05:50
Futurepower(R) shares a report: A lot of people don't use computers. Most of them aren't in charge of a nation's cybersecurity. But one is. Japanese lawmakers were aghast on Wednesday when Yoshitaka Sakurada, 68, the minister who heads the government's cybersecurity office, said during questioning in Parliament that he had no need for the devices, and appeared confused when asked basic technology questions. "I have been independently running my own business since I was 25 years old," he said. When computer use is necessary, he said, "I order my employees or secretaries" to do it. [Editor's note: the link may be paywalled; alternative source.] "I don't type on a computer," he added. Asked by a lawmaker if nuclear power plants allowed the use of USB drives, a common technology widely considered to be a security risk, Mr. Sakurada did not seem to understand what they were. "I don't know details well," he said. "So how about having an expert answer your question if necessary, how's that?" The comments were immediately criticized. "I can't believe that a person who never used a computer is in charge of cybersecurity measures," said Masato Imai, an opposition lawmaker.