http://www.osnews.com/ Exploring the Future of Computing en-us Copyright 2001-2013, David Adams OSNews version 4 donotreply@osnews.com (Adam Scheinberg) donotreply@osnews.com (Thom Holwerda) Sun, 19 May 2013 21:36:14 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com/ 120 http://www.osnews.com/story/26490/Dutch_gov_proposes_cyberattacks_against_Everyone/ http://www.osnews.com/story/26490/Dutch_gov_proposes_cyberattacks_against_Everyone/ "Last week, the Dutch Minister of Safety and Justice asked the Parliament of the Netherlands to pass a law allowing police to obtain warrants to do the following: install malware on targets’ private computers, conduct remote searches on local and foreign computers to collect evidence, and delete data on remote computers in order to disable the accessibility of 'illegal files'. Requesting assistance from the country where the targetted computer(s) were located would be 'preferred' but possibly not required. These proposals are alarming, could have extremely problematic consequences, and may violate European human rights law." You get true net neutrality with one hand, but this idiocy with another. This reminds me a lot of how some of our busy intersections are designed; by people who bike to city hall all their lives and have no clue what it's like to drive a car across their pretty but extremely confusing and hence dangerous intersections. Tue, 23 Oct 2012 18:24:52 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 19 http://www.osnews.com/topics/33 News Jane Doe http://www.osnews.com/story/26476/Kaspersky_Labs_preps_its_own_operating_system/ http://www.osnews.com/story/26476/Kaspersky_Labs_preps_its_own_operating_system/ Kaspersky is working on its own secure operating system for highly specialised tasks. "We're developing a secure operating system for protecting key information systems (industrial control systems) used in industry/infrastructure. Quite a few rumors about this project have appeared already on the Internet, so I guess it's time to lift the curtain (a little) on our secret project and let you know (a bit) about what's really going on." More here. Wed, 17 Oct 2012 23:48:20 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 12 http://www.osnews.com/topics/33 News poundsmack http://www.osnews.com/story/26452/Verizon_AT_T_sell_users_browsing_location_histories_to_marketers/ http://www.osnews.com/story/26452/Verizon_AT_T_sell_users_browsing_location_histories_to_marketers/ As it turns out, new Verizon customers (although there are reports existing customers are getting notified too) have 30 days to opt out of something really nasty: Verizon will sell your browsing history and location history to marketers. Apparently, AT&T does something similar. Doesn't matter what phone - iOS, Android, anything. Incredibly scummy and nasty. I quickly checked my own Dutch T-Mobile terms, and they don't seem to be doing this. Tue, 09 Oct 2012 21:18:39 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 33 http://www.osnews.com/topics/33 News http://www.osnews.com/story/26364/Apple_ID_code_leak_sourced_to_US_firm_BlueToad_/ http://www.osnews.com/story/26364/Apple_ID_code_leak_sourced_to_US_firm_BlueToad_/ Following the leak of a million Apple UDIDs, a US app developer has come forward saying it is the source of the leak. It says the FBI never had the data, and the full set is "only" 2 million entries rather than the 12 million AntiSec claimed. Tue, 11 Sep 2012 18:25:01 GMT donotreply@osnews.com (OSNews Staff) Privacy, Security, Encryption 4 http://www.osnews.com/topics/33 News MrWeeble http://www.osnews.com/story/26094/ClamAV_leader_leaves_the_project/ http://www.osnews.com/story/26094/ClamAV_leader_leaves_the_project/ "It is time for us to make a change. ClamAV is now mature software and we are confident that Sourcefire will successfully continue its development, move it forward and maintain the integrity of its infrastructure. Matt Watchinski, who has headed Sourcefire's Vulnerability Research Team for 10 years, will continue to lead this project. Joel Esler, the company's Open Source community manager, will also be your main point of contact and advocate." Tue, 19 Jun 2012 22:38:07 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 8 http://www.osnews.com/topics/33 News Jean Turner http://www.osnews.com/story/26044/LinkedIn_passwords_stolen_published_online/ http://www.osnews.com/story/26044/LinkedIn_passwords_stolen_published_online/ Bad day for LinkedIn: not only did 6 million of their passwords get stolen and published online (as SHA1 hashes, but still), their iOS and Android applications uploaded your calendars to LinkedIn (after opting in, though). The Sensationalist Headline of the Day Award goes to Ars Technica. I guess everyone's starting to feel the sting of The Verge's fully deserved success. Wed, 06 Jun 2012 22:30:36 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 14 http://www.osnews.com/topics/33 News http://www.osnews.com/story/26027/US_Israel_created_Stuxnet_lost_control_over_it/ http://www.osnews.com/story/26027/US_Israel_created_Stuxnet_lost_control_over_it/ "Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named Olympic Games - even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet." And we're letting these people have unmanned drones. Seems legit. Fri, 01 Jun 2012 22:53:33 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 39 http://www.osnews.com/topics/33 News http://www.osnews.com/story/26008/Flame_massive_malware_infiltrating_Iranian_computers/ http://www.osnews.com/story/26008/Flame_massive_malware_infiltrating_Iranian_computers/ "A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years. Dubbed 'Flame' by Kaspersky, the malicious code dwarfs Stuxnet in size." Since I'm not particularly well-versed in the subject, maybe someone can answer this question for me: if country A creates a malware infection like this to spy on and/or harm computers in country B, can it be construed as an act of war under existing international law? Mon, 28 May 2012 23:32:03 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 44 http://www.osnews.com/topics/33 News http://www.osnews.com/story/25850/Free_security_e-books/ http://www.osnews.com/story/25850/Free_security_e-books/ OSNews sponsor Tradepub has a special offer for our readers: Normally $9.95, the "Scrappy Information Security Kit", containing: "Scrappy Information Security", "Best Practices and Applications of TLS/SSL," "A Window into Mobile Device Security", and "The Cloud: Promises and Realities" (registration required). Fri, 20 Apr 2012 01:32:03 GMT donotreply@osnews.com (David Adams) Privacy, Security, Encryption 8 http://www.osnews.com/topics/33 News http://www.osnews.com/story/25706/Duqu_trojan_contains_unknown_programming_language/ http://www.osnews.com/story/25706/Duqu_trojan_contains_unknown_programming_language/ "And just when you thought the whole Stuxnet/Duqu trojan saga couldn't get any crazier, a security firm who has been analyzing Duqu writes that it employs a programming language that they've never seen before." Pretty crazy, especially when you consider what some think the mystery language looks like "The unknown c++ looks like the older IBM compilers found in OS400 SYS38 and the oldest sys36.The C++ code was used to write the tcp/ip stack for the operating system and all of the communications." Mon, 12 Mar 2012 19:00:21 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 29 http://www.osnews.com/topics/33 News yoni http://www.osnews.com/story/25671/Trusting_Your_Hardware/ http://www.osnews.com/story/25671/Trusting_Your_Hardware/ When was the last time you reverse-engineered all the PCI devices on your motherboard?. . . Enters the game-changer: IOMMU (known as VT-d on Intel). With proper OS/VMM design, this technology can address the very problem of most of the hardware backdoors. A good example of a practical system that allows for that is Xen 3.3, which supports VT-d and allows you to move drivers into a separate, unprivileged driver domain(s). This way each PCI device can be limited to DMA only to the memory region occupied by its own driver. Fri, 02 Mar 2012 16:03:20 GMT donotreply@osnews.com (David Adams) Privacy, Security, Encryption 16 http://www.osnews.com/topics/33 News http://www.osnews.com/story/25629/Google_Facebook_circumvent_P3P_standard/ http://www.osnews.com/story/25629/Google_Facebook_circumvent_P3P_standard/ According to Microsoft, Google is circumventing the P3P third party cookie standard. P3P is kind of an odd standard (complex, not user-friendly, and it requires some serious computer knowledge to know what the heck it actually does and means), but hey, what the heck. Of course, Microsoft rides on the coattails of what happened over the weekend, and it's clear PR because not only has this been known for years, Google is - again - not the only one doing this; Facebook, for instance, does the same thing (and heck, Microsoft's own sites were found guilty). Still, this is not acceptable, and even if it takes Microsoft PR to get there, let's hope this forces Google and Facebook to better their ways. Mon, 20 Feb 2012 22:44:28 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 9 http://www.osnews.com/topics/33 News http://www.osnews.com/story/25622/Facebook_Google_others_circumvent_Safari_privacy_restrictions/ http://www.osnews.com/story/25622/Facebook_Google_others_circumvent_Safari_privacy_restrictions/ Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn't allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago. Fri, 17 Feb 2012 15:36:31 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 31 http://www.osnews.com/topics/33 News bowkota http://www.osnews.com/story/25610/_Cancel_or_allow_overload/ http://www.osnews.com/story/25610/_Cancel_or_allow_overload/ "A hybrid solution that takes the best parts of iOS's one-by-one acceptance and Android's expressed and obvious intents seems like a proper model here. In fact, Apple has many of the pieces in place elsewhere." This is a big issue. Nor Android's model (just list a bunch of confusing permissions), nor Apple's model (individual modal dialogs for each permission) is particularly workable - I doubt regular users check them on Android before installing an application, and in the case of iOS, Apple didn't think it was necessary to secure the address book, so every application has access to it without alerting users. Justin Williams proposes a hybrid solution. Mon, 13 Feb 2012 23:51:52 GMT donotreply@osnews.com (Thom Holwerda) Privacy, Security, Encryption 17 http://www.osnews.com/topics/33 News http://www.osnews.com/story/25424/Security_Flaw_In_Windows_Phone_Signs_of_Things_to_Come_/ http://www.osnews.com/story/25424/Security_Flaw_In_Windows_Phone_Signs_of_Things_to_Come_/ A malicious message sent to Windows Phone's message hub can disable the handset in a manner reminiscent of the "nuking" attack from the Windows 95 days. At the point the bad message is received, the phone reboots, and worst of all, it appears that the message hub application is permanently disabled. Back when people used to only use their phones to call and text, you'd perhaps think that having your phone reboot on you would be no big deal. But these days I find myself often as not composing some important missive. Wed, 14 Dec 2011 15:41:33 GMT donotreply@osnews.com (David Adams) Privacy, Security, Encryption 30 http://www.osnews.com/topics/33 News bowkota