Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 2 days 11 hours ago

It's Scary How Much Personal Data People Leave on Used Laptops and Phones, Researcher Finds

Wed, 03/20/2019 - 06:40
A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. From a report: For around six months, he collected used desktop, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII) -- the bread and butter of identity theft. Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you'd imagine. "I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600," he said. Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good. The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver's license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails.

Trump Blockade of Huawei Fizzles In European 5G Rollout

Tue, 03/19/2019 - 16:10
An anonymous reader quotes a report from Bloomberg: Last summer, the Trump administration started a campaign to convince its European allies to bar China's Huawei from their telecom networks. Bolstered by the success of similar efforts in Australia and New Zealand, the White House sent envoys to European capitals with warnings that Huawei's gear would open a backdoor for Chinese spies. The U.S. even threatened to cut off intelligence sharing if Europe ignored its advice. So far, not a single European country has banned Huawei. Europe, caught in the middle of the U.S.-China trade war, has sought to balance concerns about growing Chinese influence with a desire to increase business with the region's second-biggest trading partner. With no ban in the works, Huawei is in the running for contracts to build 5G phone networks, the ultra-fast wireless technology Europe's leaders hope will fuel the growth of a data-based economy. The U.K.'s spy chief has indicated that a ban on Huawei is unlikely, citing a lack of viable alternatives to upgrade British telecom networks. Italy's government has dismissed the U.S. warnings as it seeks to boost trade with China. In Germany, authorities have proposed tighter security rules for data networks rather than outlawing Huawei. France is doing the same after initially flirting with the idea of restrictions on Huawei. Governments listened to phone companies such as Vodafone Group Plc, Deutsche Telekom AG, and Orange SA, who warned that sidelining Huawei would delay the implementation of 5G by years and add billions of euros in cost. While carriers can also buy equipment from the likes of Ericsson AB, Nokia Oyj, and Samsung Electronics Co., industry consultants say Huawei's quality is high, and the company last year filed 5,405 global patents, more than double the filings by Ericsson and Nokia combined. And some European lawmakers have been wary of Cisco Systems Inc., Huawei's American rival, since Edward Snowden leaked documents revealing the National Security Agency's use of U.S.-made telecom equipment for spying.

Norsk Hydro, One of the World's Largest Aluminum Producers, Switches To Manual Operations After Ransomware Infection

Tue, 03/19/2019 - 08:15
Norsk Hydro, one of the world's largest aluminum producers, said today it has "became victim of an extensive cyber-attack" that has crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. From a report: The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference. News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges. "Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company's business areas," the company said. "IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible."

Firefox 66 Arrives With Autoplaying Blocked by Default, Smoother Scrolling, and Better Search

Tue, 03/19/2019 - 06:54
An anonymous reader writes: Mozilla today launched Firefox 66 for Windows, Mac, Linux, and Android. The release includes autoplaying content (audio and video) blocked by default, smoother scrolling, better search, revamped security warnings, WebAuthn support for Windows Hello, and improved extensions. The company says its main goal with this release is to reduce irritating experiences such as auto-playing videos, pop-ups, and page jumps. Firefox 66 for desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play.

Hacked Tornado Sirens Taken Offline In Two Texas Cities Ahead of Major Storm

Tue, 03/19/2019 - 05:00
An anonymous reader quotes a report from ZDNet: A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area. The false alarm caused quite the panic in the two towns, as locals were already on the edge of their seats regarding incoming storms. The city had run tests of the tornado alarm sirens a week before, but the tests were set during the middle of the day and had long concluded. The two hacked systems were taken offline the next morning, and remained offline ever since. Bad weather, including storms and potential tornadoes, was announced for all last week in the North Texas area. A severe thunderstorm hit the two cities the following night, on March 13. Thunderstorms are known to produce brief tornadoes, but luck had it that no tornado formed and hit the towns that day. Tornadoes are frequent in Texas, as the state is located in Tornado Alley, and tornado season, a period of the year between March and May when most tornadoes happen, had officially begun. Nevertheless, a tornado didn't form on March 13, and, luckily, the sirens weren't needed.

New Mirai Malware Variant Targets Signage TVs and Presentation Systems

Mon, 03/18/2019 - 15:40
An anonymous reader quotes a report from ZDNet: Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices -- smart signage TVs and wireless presentation systems. This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks have spotted earlier this year. The botnet's author(s) appears to have invested quite a lot of their time in upgrading older versions of the Mirai malware with new exploits. Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. Furthermore, the botnet operator has also expanded Mirai's built-in list of default credentials, that the malware is using to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default creds, researchers said in a report published earlier today. The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices. The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems. The new Mirai botnet is specifically targeting LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.

Education and Science Giant Elsevier Left Users' Passwords Exposed Online

Mon, 03/18/2019 - 15:00
The world's largest scientific publisher, Elsevier, left a server open to the public internet, exposing user email addresses and passwords. "The impacted users include people from universities and educational institutions from across the world," reports Motherboard. "It's not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials." From the report: "Most users are .edu [educational institute] accounts, either students or teachers," Mossab Hussein, chief security officer at cybersecurity company SpiderSilk who found the issue, told Motherboard in an online chat. "They could be using the same password for their emails, iCloud, etc." Motherboard verified the data exposure by asking Hussein to reset his own password to a specific phrase provided by Motherboard before hand. A few minutes later, the plain text password appeared on the exposed server. Elsevier secured the server after Motherboard approached the company for comment. Hussein also provided Elsevier with details of the security issue. An Elsevier spokesperson told Motherboard in an emailed statement that "The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts."

Google, Microsoft Work Together For a Year To Figure Out New Type of Windows Flaw

Mon, 03/18/2019 - 13:40
Google researcher James Forshaw discovered a new class of vulnerability in Windows before any bug had actually been exploited. The involved parts of the flaw "showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so," reports Ars Technica. Thankfully, Microsoft said that the flaw was never actually exposed in any public versions of Windows, but said that it will ensure future releases of Windows will not feature this class of elevation of privilege. Peter Bright explains in detail how the flaw works. Here's an excerpt from his report: The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file. As well as this security check, there's a second distinction made: calls from user mode require strict parameter validation to ensure that any memory addresses being passed in to the function represent user memory rather than kernel memory. Calls from kernel mode don't need that same strict validation, since they're allowed to use kernel memory addresses. Accordingly, the kernel API used for opening files in NT's I/O Manager component looks to see if the caller is calling from user mode or kernel mode. Then the API passes this information on to the next layer of the system: the Object Manager, which examines the file name and figures out whether it corresponds to a local filesystem, a network filesystem, or somewhere else. The Object manager then calls back in to the I/O Manager, directing the file-open request to the specific driver that can handle it. Throughout this, the indication of the original source of the request -- kernel or user mode -- is preserved and passed around. If the call comes from user mode, each component should perform strict validation of parameters and a full access check; if it comes from kernel mode, these should be skipped. Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split. Both kinds of exceptions are allowed: kernel code can force drivers to perform a permissions check even if the attempt to open the file originated from kernel mode, and contrarily, kernel code can tell drivers to skip the parameter check even if the attempt to open the file appeared to originate from user mode. This behavior is controlled through additional parameters passed among the various kernel functions and into filesystem drivers: there's the basic user-or-kernel mode parameter, along with a flag to force the permissions check and another flag to skip the parameter validation...

Slack Hands Over Control of Encryption Keys To Regulated Customers

Mon, 03/18/2019 - 07:30
Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app. He said that regulated industries in particular have been requesting the ability to control their own encryption keys including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said. Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.

Wells Fargo Sued By 63-Year-Old Pastor They Wrongfully Accused of Forging Checks

Sun, 03/17/2019 - 23:34
Wells Fargo has been hit with a lawsuit from a 63-year-old pastor at the United Methodist Church of Parsippany. Wells Fargo sent his ATM photos to the police, which he says led to false arrest, malicious prosecution -- and humiliation. NJ.com reports: In the lawsuit filed Thursday in Morris County Superior Court, attorneys for the 63-year-old pastor sought unspecified damages against Wells Fargo, which has come under fire over a series of scandals in recent years. Also named were the State Police detectives who originally brought the charges against him last year after bank security officials allegedly mistakenly identified a photo of Edwards taken at an ATM machine as a suspect in a series of fraudulent check deposits.... In the lawsuit, Edwards' attorney wrote that Wells Fargo notified the State Police when it discovered the bogus transactions, and the bank was asked to provide any still photos or video images taken from the ATM at Parsippany where some of the checks were deposited and later cashed out. The bank sent photos of Edwards, who had made his own deposit of checks at the same ATM the very same day, according to the complaint... The pastor said he first discovered he was the focus of a criminal investigation last year after a parishioner texted him a State Police Facebook posting requesting the public's help identifying a man suspected of depositing fraudulent checks at an ATM... In an interview, Edwards said after seeing the post, he called the detectives and shared a copy of his banking transactions to show he had not deposited the fraudulent checks. "I thought it would clear things up," he said. "They said all their information was from Wells Fargo..." Last September, Edwards said he was asked to come down to the State Police station in Holmdel. After he got there, he said he was shocked to find out he was being arrested and charged with third degree forgery. When he protested and said somebody made an error, he said one of the investigators asked him if the case did go to trial, who would the jury believe -- a bank security expert or him? "They fingerprinted me. Took my mug shot and gave me a court date," he said. The case fell apart, but the 63-year-old pastor says he never received an apology from the police, or from Wells Fargo. "The carelessness of both Wells Fargo and the State Police is kind of appalling, and I wonder what happens to somebody who might not have the resources to defend themselves," the pastor told NJ.com. "I told them yes that was my picture and yes I was in the bank that day. That's all they needed to arrest me." A spokesman for Wells Fargo told the reporter they'd be unable to comment "since this is a pending legal matter." But the story was submitted to Slashdot by someone claiming to be pastor Jeff Edwards. "Wells Fargo carelessly provided ATM pictures [of] me to the state police in a fraudulent check investigation that led to my arrest," reads the original submission. "The case was dismissed when it was demonstrated that Wells Fargo had been grossly irresponsible."

BBC Visits 'Hated and Hunted' Ransomware Expert

Sun, 03/17/2019 - 19:34
In "Hated and hunted," a BBC reporter describes visiting a ransomware expert "who has devoted himself, at huge personal cost, to helping victims of ransomware around the world." They hate him so much that they leave him angry threats buried deep inside the code of their own viruses... "I was shocked but I also felt a real sense of pride," says Fabian. "Almost like, a little bit cocky. I'm not going to lie, yeah, it was nice...." He works remotely for a cyber security company, often sitting for hours at a time working with colleagues in different countries. When he's "in the zone", the outside world becomes even less important and his entire existence focuses on the code on his screen. He once woke up with keyboard imprints all over his face after falling asleep during a 35-hour session. All of this to create anti-ransomware programs that he and his company usually give away free. Victims simply download the tools he makes for each virus, follow the instructions and get their files back... According to research from Emsisoft, the cyber security company Fabian works for, a computer is attacked every two seconds. Their network has managed to prevent 2,584,105 infections in the past 60 days -- and that's just one anti-virus firm of dozens around the world.... "It's pretty much an arms race," says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back. Then the criminals release a new version which they hope I can't break... It escalates with them getting more and more angry with me...." Fabian accepts that moving around and restricting his life and circle of friends is just a part of the sacrifice for his hobby-turned-profession... He earns a very good salary but looking around his home and at his life it's hard to see how he spends it. He estimates that he's "upset or angered" 100 different ransomware gangs (based on his analysis of the Bitcoin wallets where they collect their ransoms.) One group had collected about $250,000 (£191,000) in three months -- until Fabian created a countering anti-ransomware program -- which is one reason he carefully hids his identity. "I know how much money they make and it would be literally nothing for them to drop 10 or 20,000 for like some Russian dude to turn up to my house and beat the living hell out of me."

F5 Acquired NGINX For $670M

Sun, 03/17/2019 - 06:04
Long-time Slashdot reader skdffff quotes ZDnet: F5 Networks on Monday announced that it will acquire NGINX, which provides popular open-source software of the same name, for $670 million. The deal advances F5's aim of capitalizing on the trend toward multi-cloud deployments. F5 plans to enhance NGINX's current offerings with F5 security solutions and will integrate F5 cloud-native technology with NGINX's software load balancing technology. This should accelerate F5's time to market of application services for containerized applications. Meanwhile, NGINX will benefit from F5's global salesforce, channel infrastructure and partner ecosystem. The acquisition adds "the power of NGINX's open source innovation to F5's ADC leadership and enterprise reach," NGINX CEO Gus Robertson said in a statement

19-Year-Old WinRAR Vulnerability Leads To Over 100 Malware Exploits

Sat, 03/16/2019 - 15:34
"Last month it was discovered that WinRAR, software used to open .zip archive files, has been vulnerable for the last 19 years to a bug that's easily exploited by hackers and malware distributors," writes SlashGear. Slashdot reader Iwastheone quotes their report: Check Point, the security researchers that revealed the WinRAR bug, explain that the software is exploited by giving malicious files a RAR extension, so that when opened they can automatically extract malware programs. These programs are installed in a PC's startup folder, allowing them to start running anytime the computer is turned on, all without the user's knowledge. Once the bug was disclosed, however, hacker groups really began using it to their advantage, with various nations becoming the target of state-backed cyber-espionage campaigns attempting to collect intelligence. The latest comes from McAfee, the software security firm, which notes that it has identified over 100 unique exploits that use the WinRAR bug, most of them targeting the U.S. WinRar 5.70, released in late January, patches the behavior, but "it must be manually downloaded and installed from the website, leaving most users unaware of the critical update," the article warns. It also estimates that during the last 19 years WinRar has been downloaded over 500 million times.

Is Amazon's AWS Approaching 'War' for Control of Elasticsearch?

Sat, 03/16/2019 - 09:34
Long-time Slashdot reader jasenj1 and Striek both shared news of a growing open source controversy. "Amazon Web Services on Monday announced that it's partnering with Netflix and Expedia to champion a new Open Distro for Elasticsearch due to concerns of proprietary code being mixed into the open source Elasticsearch project," reports Datanami. "Elastic, the company behind Elasticsearch, responded by accusing Amazon of copying code, inserting bugs into the community code, and engaging with the company under false pretenses..." In a blog post, Adrian Cockcroft, the vice president of cloud architecture strategy for AWS, says the new project is a "value added" distribution that's 100% open source, and that developers working on it will contribute any improvements or fixes back to the upstream Elasticsearch project. "The new advanced features of Open Distro for Elasticsearch are all Apache 2.0 licensed," Cockroft writes. "With the first release, our goal is to address many critical features missing from open source Elasticsearch, such as security, event monitoring and alerting, and SQL support...." Cockroft says there's no clear documentation in the Elasticsearch release notes over what's open source and what's proprietary. "Enterprise developers may inadvertently apply a fix or enhancement to the proprietary source code," he wrote. "This is hard to track and govern, could lead to breach of license, and could lead to immediate termination of rights (for both proprietary free and paid)." Elastic CEO Shay Banon responded Tuesday to AWS in a blog post, in which he leveled a variety of accusations at the cloud giant. "Our products were forked, redistributed and rebundled so many times I lost count," Banon wrote. "There was always a 'reason' [for the forks, redistributions, and rebundling], at times masked with fake altruism or benevolence. None of these have lasted. They were built to serve their own needs, drive confusion, and splinter the community." Elastic's commercial code may have provided an "inspiration" for others to follow, Banon wrote, but that inspiration didn't necessarily make for clean code. "It has been bluntly copied by various companies and even found its way back to certain distributions or forks, like the freshly minted Amazon one, sadly, painfully, with critical bugs," he wrote.

Linux Foundation Launches New Tools Supporting The Open Source Community

Sat, 03/16/2019 - 07:34
"The Linux Foundation is launching a new platform designed to sustain open-source communities," reports SD Times: CommunityBridge was announced at this week's Open Source Leadership Summit. The Linux Foundation plans to launch a number of tools to the open-source community throughout the next two years. The platform is currently being released with Community Bridge Funding to help developers raise and spend funding; CommunityBridge Security for potential vulnerabilities and fixes; and CommunityBridge People for networking and making connections with mentors and mentees. "In making the announcement, Jim Zemlin, executive director of the Linux Foundation, said on stage at the conference that the Linux Foundation would match funding for any organization that donated funds to CommunityBridge projects," reports FierceTelecom. "Following up on those announcements, Microsoft-owned GitHub said it would donate $100,000 to CommunityBridge and invited maintainers of CommunityBridge projects to take part in GitHub's maintainer program."

Stanford Unveils New AI Institute, Built To Create 'A Better Future For All Humanity'

Sat, 03/16/2019 - 05:00
An anonymous reader quotes a report from Mercury News: Amid a worldwide race for supremacy in artificial intelligence, Stanford University on Monday will unveil a new institute dedicated to using AI to build the best-possible future (Warning: source may be paywalled; alternative source). The Stanford Institute for Human-Centered Artificial Intelligence is co-directed by Fei-Fei Li, a former chief scientist for AI at Google, now a Stanford computer science professor. The institute will take advantage of Stanford's strength in a variety of disciplines, including AI, computer science, engineering, robotics, business, economics, genomics, law, literature, medicine, neuroscience and philosophy, according to promotional materials. Microsoft co-founder Bill Gates is scheduled to deliver the keynote speech at Monday's official launch. Stanford's AI institute will work in partnership with a number of other university facilities and initiatives, including the Center on AI Safety, the Center for Ethics in Society, the Center for International Security and Cooperation, and the Stanford Institute for Economic Policy Research, plus AI4ALL, which aims to boost diversity in AI fields. The 78 faculty members assigned to the institute reflect the diversity of fields the university intends to cover in its research and teaching, coming from disciplines including computer science, medicine, law, business, economics, environmental science, linguistics, political science and philosophy. Although the institute highlights the importance of AI being "broadly representative of humanity" across gender, ethnicity, nationality, culture and age, its faculty also reflect the gender gap in technology -- only 18 percent are women. About three quarters of the faculty are white. Courses will include "The Politics of Algorithms," "Theoretical Neuroscience," "AI-assisted Health Care" and "Regulating Artificial Intelligence."

Google Play Apps With 150 Million Installs Contain Aggressive Adware

Fri, 03/15/2019 - 14:50
Researchers from Checkpoint Software have identified a massive adware campaign that invaded the Google Play Store with more than 200 highly aggressive apps that were collectively downloaded almost 150 million times. "The 210 apps discovered by researchers from security firm Checkpoint Software bombarded users with ads, even when an app wasn't open," reports Ars Technica. "The apps also had the ability to carry out spearphishing attacks by causing a browser to open an attacker-chosen URL and open the apps for Google Play and third-party market 9Apps with a specific keyword search or a specific application's page. The apps reported to a command-and-control server to receive instructions on which commands to carry out." From the report: Once installed, the apps installed code that allowed them to perform actions as soon as the device finished booting or while the user was using the device. The apps also could remove their icon from the device launcher to make it harder for users to uninstall the nuisance apps. The apps all used a software development kit called RXDrioder, which Checkpoint researchers believe concealed its abusive capabilities from app developers. The researchers dubbed the campaign SimBad, because many of the participating apps are simulator games. "With the capabilities of showing out-of-scope ads, exposing the user to other applications, and opening a URL in a browser, SimBad acts now as an Adware, but already has the infrastructure to evolve into a much larger threat," Checkpoint researchers wrote. The top 14 apps were collectively downloaded a whopping 75 million times, with the No. 1 app receiving 10 million installs and the next 13 getting 5 million downloads each. The next 53 each received 1 million downloads. The remainder received 500,000 or fewer downloads each. Checkpoint has a full list of all the apps here.

The Intercept Shuts Down Access To Snowden Trove

Fri, 03/15/2019 - 13:30
An anonymous reader quotes a report from The Daily Beast: First Look Media announced Wednesday that it was shutting down access to whistleblower Edward Snowden's massive trove of leaked National Security Agency documents. Over the past several years, The Intercept, which is owned by First Look Media, has maintained a research team to handle the large number of documents provided by Snowden to Intercept journalists Laura Poitras and Glenn Greenwald. But in an email to staff Wednesday evening, First Look CEO Michael Bloom said that as other major news outlets had "ceased reporting on it years ago," The Intercept had decided to "focus on other editorial priorities" after expending five years combing through the archive. "The Intercept is proud of its reporting on the Snowden archive, and we are thankful to Laura Poitras and Glenn Greenwald for making it available to us," Bloom wrote. He added: "It is our hope that Glenn and Laura are able to find a new partner -- such as an academic institution or research facility -- that will continue to report on and publish the documents in the archive consistent with the public interest." Poitras reprimanded First Look Media for its decision to shut down its archives, and lay off 4 percent of its staff who had maintained them. "This decision and the way it was handled would be a disservice to our source, the risks we've all taken, and most importantly, to the public for whom Edward Snowden blew the whistle," she wrote. "Late Thursday evening, Greenwald tweeted that both he and Poitras had full copies of the archives, and had been searching for a partner to continue research," reports The Daily Beast.

Beto O'Rourke's Secret Membership in America's Oldest Hacking Group

Fri, 03/15/2019 - 08:50
One thing you might not know about Beto O'Rourke, the former Texas congressman who just entered the race for president is that while a teenager, O'Rourke acknowledged in an exclusive interview to Reuters, he belonged to the oldest group of computer hackers in U.S. history. From the report: The hugely influential Cult of the Dead Cow, jokingly named after an abandoned Texas slaughterhouse, is notorious for releasing tools that allowed ordinary people to hack computers running Microsoft's Windows. It's also known for inventing the word "hacktivism" to describe human-rights-driven security work. Members of the group have protected O'Rourke's secret for decades, reluctant to compromise his political viability. Now, in a series of interviews, CDC members have acknowledged O'Rourke as one of their own. Slashdot interviewed members of the Cult of the Cow in 1999 -- which gave bizarre answers.

A Worry For Some Pilots: Their Hands-On Flying Skills Are Lacking

Thu, 03/14/2019 - 10:48
An anonymous reader shares a report: Pilots now spend more time learning automated systems than practicing hands-on flying, so newer pilots are less comfortable with taking manual control when the computer steers them wrong, according to interviews with a dozen pilots and pilot instructors at major airlines and aviation universities around the world. "The automation in the aircraft, whether it's a Boeing or an Airbus, has lulled us into a sense of security and safety," said Kevin Hiatt, a former Delta Air Lines pilot who later ran flight safety for JetBlue. Pilots now rely on autopilot so often, "they become a systems operator rather than a stick-and-rudder pilot." As a result, he said, "they may not exactly know or recognize quickly enough what is happening to the aircraft, and by the time they figure it out, it may be too late." [...] While automation has contributed to the airline industry's stellar safety record in recent years, it has also been a factor in many of the crashes that have still occurred around the world. A 2011 study by a federal task force found that in about 60 percent of 46 recent accidents, pilots had trouble manually flying the plane or handling the automated controls. Complicated automation systems can also confuse pilots and potentially cause them to take action they shouldn't, pilots said.