
Bitcoin Can Be Bought With Cash At Swiss Railway Ticket Machines

In what is seen as a move that could help boost the spread of Bitcoin, the cryptocurrency will be available to purchase from Swiss railway ticket machines starting next month. Reader Mickeycaskill writes: Swiss Federal Railways (SBB) has more than 1,000 ticket machines and has partnered with regulated financial intermediary SweePay to distribute Bitcoin. Customers need to select mobile top-up on the machines, scan the QR code of their Bitcoin digital wallet, enter the number of Swiss Francs (up to 500 CHF) into the machine, confirm the offer of Bitcoins they receive, then identify themselves using a mobile number and a security code sent to their smartphone. While the machine can pay out Bitcoin, for the time being it will not accept payments made with the cryptocurrency. Furthermore, credit cards cannot be used with the machines to buy Bitcoins. SBB is effectively providing a way to swap local currency for a digital version that can be used anywhere around the world, thereby bypassing unfavourable exchange rates. "From 11 November 2016, customers will be able to obtain Bitcoin at all SBB ticket machines. Until now, there have only been limited opportunities to purchase Bitcoin in Switzerland," the company was quoted as saying.

Red Cross Blood Service Admits To Personal Data Breach Affecting Half a Million Donors

The personal data of 550,000 blood donors, including information about "at-risk sexual behaviour," has been leaked from the Red Cross Blood Service in what has been described as Australia's largest security breach. From an ABC report: The organisation said it was told on Wednesday that a file containing donor information was placed on an "insecure computer environment" and "accessed by an unauthorised person." The file contained the information of blood donors from between 2010 and 2016. The data came from an online application form and included "personal details" and identifying information including names, gender, addresses and dates of birth, a Red Cross statement said. Red Cross Blood Service chief executive Shelly Park said that "due to human error" the unsecured data had been posted on a website by a contractor who maintains and develops the Red Cross website.

Feds Charge 61 People In India-Based IRS Phone Scam Case

BUL2294 writes: Following the arrests earlier this month in India of call center employees posing as IRS or immigration agents, USA Today and Consumerist are reporting that the U.S. Department of Justice has charged 61 people in the U.S. and India with facilitating the scam, bilking millions from Americans who thought they were facing immediate arrest and prosecution. "According to the indictment (PDF) -- which covers 20 individuals in the U.S. and 32 people and five call centers in India -- since about 2012 the defendants used information obtained from data brokers and other sources to call potential victims impersonating officers from the IRS or U.S. Citizenship and Immigration Services," reports Consumerist. The report adds: "To give the calls an air of authenticity, the organization was able to 'spoof' phone numbers, making the calls appear to have really come from a federal agency. The callers would then allegedly threaten potential victims with arrest, imprisonment, fines, or deportation if they did not pay supposed taxes or penalties to the government. In instances when the victims agreed to pay, the DOJ claims that the call centers would instruct them to go to banks or ATMs to withdraw money, use the funds to purchase prepaid stored value cards from retail stores, and then provide the unique serial number to the caller. At this point, the operation's U.S.-based counterparts would use the serial numbers to transfer the funds to prepaid reloadable cards. The cards would then be used to purchase money orders that were transferred into U.S. bank accounts of individuals or businesses. To make matters worse, the indictment claims that the prepaid debit cards were often registered using personal information of thousands of identity theft victims, and the wire transfers were directed by the organizations using fake names and fraudulent identifications.
The operation would then use 'hawalas' -- a system in which money is transferred internationally outside of the formal banking system -- to direct the pilfered funds to accounts belonging to U.S.-based individuals."

FCC Imposes ISP Privacy Rules and Takes Aim At Mandatory Arbitration

An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission today imposed new privacy rules on Internet service providers, and the Commission said it has begun working on rules that could limit the use of mandatory arbitration clauses in the contracts customers sign with ISPs. The new privacy rules require ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The rules apply both to home Internet service providers like Comcast and mobile data carriers like Verizon Wireless. The commission's Democratic majority ensured the rules' passage in a 3-2 vote, with Republicans dissenting. Democratic Commissioner Mignon Clyburn was disappointed that the rules passed today did not include any action on mandatory arbitration clauses that prevent consumers from suing ISPs. But Chairman Tom Wheeler said that issue will be addressed in a separate rule-making. In the case of privacy rules, the FCC passed the NPRM in March and the final rules today. Clyburn argued that the FCC could have imposed mandatory arbitration restrictions today, because the privacy NPRM sought public comment about whether to ban mandatory arbitration. Under the FCC rules, ISPs that want to share consumer data with third parties such as advertisers must obtain opt-in consent for the most sensitive information and give customers the ability to opt out of sharing less sensitive information. Here's how the FCC describes the new opt-in and opt-out requirements: "Opt-in: ISPs are required to obtain affirmative 'opt-in' consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children's information, Social Security numbers, Web browsing history, app usage history, and the content of communications. 
Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer 'opts-out.' All other individually identifiable customer information -- for example, e-mail address or service tier information -- would be considered non-sensitive, and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations. Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship." ISPs must clearly notify customers about the types of information they collect, specify how they use and share the information, and identify the types of entities they share the information with.

Web Bluetooth Opens New Abusive Channels

An anonymous reader writes: Browsers have recently started shipping the Web Bluetooth API, soon to become a component of the Web of Things. Web Bluetooth will allow remote web sites to connect to local user devices. While offering new development and innovation possibilities, it may also open a number of frightening security and privacy risks such as private data leaks, abuses and complexity. Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location and personally-identifiable data. "There are numerous examples of data processing methods possible of extracting insight previously seemingly hidden," said Steve Hegenderfer, director of Developer Programs at the Bluetooth Special Interest Group. "With Web Bluetooth, core security and privacy responsibility is delegated to the already powerful Web browser. Browsers should consider the types of information made available to websites and act accordingly in designing their data privacy layers." Is pairing kettles with web sites a good idea?

AI-Powered Body Scanners Could Soon Speed Up Your Airport Check-in

An anonymous reader shares a report on the Guardian: A startup bankrolled by Bill Gates is about to conduct the first public trials of high-speed body scanners powered by artificial intelligence (AI), the Guardian can reveal. According to documents filed with the US Federal Communications Commission (FCC), Boston-based Evolv Technology is planning to test its system at Union Station in Washington DC, in Los Angeles's Union Station metro and at Denver international airport. Evolv uses the same millimetre-wave radio frequencies as the controversial, and painfully slow, body scanners now found at many airport security checkpoints. However, the new device can complete its scan in a fraction of a second, using computer vision and machine learning to spot guns and bombs. This means passengers can simply walk through a scanning gate without stopping or even slowing down -- like the hi-tech scanners seen in the 1990 sci-fi film Total Recall. A nearby security guard with a tablet is then shown either an "all-clear" sign, or a photo of the person with suspicious areas highlighted. Evolv says the system can scan 800 people an hour, without anyone having to remove their keys, coins or cellphones.

How Vigilante Hackers Could Stop the Internet of Things Botnet

An anonymous reader quotes a report from Motherboard: Some have put forth a perhaps desperate -- and certainly illegal -- solution to stop massive internet outages, like the one on Friday, from happening: Have white-hat vigilante hackers take over the insecure Internet of Things that the Mirai malware targets and take them away from the criminals. Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys'" Mirai can do it, a "good guys'" Mirai -- perhaps even controlled by the FBI -- could do the same. The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access telnet protocol enabled and have easy-to-guess passwords such as "123456" or "passwords." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same. The good news is that the code that controls this function actually doesn't at times work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix their devices that suddenly have their bandwidth saturated. The bad news is that Mirai spreads so fast that a rebooted, clean device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back. The other problem is what a do-gooder hacker could do once they took over the botnet.
The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning. The real challenge of this whole scenario, however, is that despite being for good, this is still illegal. "No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time...can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet.

Dyn DNS DDoS Likely The Work of Script Kiddies, Says FlashPoint

While nobody knows exactly who was responsible for the internet outage last Friday, business risk intelligence firm FlashPoint released a preliminary analysis of the attack against Dyn DNS, and found that it was likely the work of "script kiddies" or amateur hackers -- as opposed to state-sponsored actors. TechCrunch reports: Aside from suspicion falling on Russia, various entities have also claimed or implied responsibility for the attack, including a hacking group called the New World Hackers and -- bizarrely -- WikiLeaks, which posted a (perhaps joking) tweet suggesting some of its supporters might be involved. FlashPoint dubs these claims "dubious" and "likely to be false," and instead comes down on the side of the script kiddie theory. Its reasoning is based on a few factors, including a detail it unearthed during its investigation of the attack: namely that the infrastructure used in the attack also targeted a well-known video game company. The attack on Dyn DNS was powered in part by a botnet of hacked DVRs and webcams known as Mirai. The source code for the malware that controls this botnet was put on Github earlier this month. And FlashPoint also notes that the hacker who released Mirai is known to frequent a hacking forum called hackforums[.]net. That circumstantial evidence points to a link between the attack and users and readers of the English-language hacking community, with FlashPoint also noting the forum has been known to target video game companies. It says it has "moderate confidence" about this theory. The firm also argues that the attacks do not seem to have been financially or politically motivated -- given the broad scope of the targets, and the lack of any attempts to extort money. Which just leaves the most likely motivation: showing off skills and disrupting stuff. Aka, script kiddies.

Intel Announces Atom E3900 Series - Goldmont for the Internet of Things

Intel has announced the Atom E3900 series. Based upon the company's latest-generation Goldmont Atom CPU core, the E3900 series will be Intel's most serious and dedicated project yet for the IoT market. AnandTech adds: So what does an IoT-centric Atom look like? By and large, it's Broxton and more. At its core we're looking at 2 or 4 Goldmont CPU cores, paired with 12 or 18 EU configurations of Intel's Gen9 iGPU. However, this is where the similarities stop. Once we get past the CPU and GPU, Intel has added new features specifically for IoT in some areas, and in other areas they've gone and reworked the design entirely to meet specific physical and technical needs of the IoT market. The big changes here are focused on security, determinism, and networking. Security is self-evident: Intel's customers need to be able to build devices that will go out into the field and be hardened against attackers. Bits and pieces of this are inherited from Intel's existing Trusted Execution Technology, while other pieces, such as boot time measuring, are new. The latter is particularly interesting, as Intel is measuring the boot time of a system as a canary for whether it has been compromised. If the boot time suddenly and unexpectedly changes, then there's a good chance the firmware and/or OS has been replaced.

Nuclear Plants Leak Critical Alerts In Unencrypted Pager Messages

mdsolar quotes a report from Ars Technica: A surprisingly large number of critical infrastructure participants -- including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers -- rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage. Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, ventilation, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory control and data acquisition system belonging to one of the world's biggest chemical companies sent a page containing a complete "stack dump" of one of its devices. Other unencrypted alerts sent by or to "several nuclear plants scattered among different states" included:

-Reduced pumping flow rate
-Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
-Fire accidents in an unrestricted area and in an administration building
-Loss of redundancy
-People requiring off-site medical attention
-A control rod losing its position indication due to a data fault
-Nuclear contamination without personal damage

Trend Micro researchers wrote in their report titled "Leaking Beeps: Unencrypted Pager Messages in Industrial Environments": "We were surprised to see unencrypted pages coming from industrial sectors like nuclear power plants, substations, power generation plants, chemical plants, defense contractors, semiconductor and commercial manufacturers, and HVAC. These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations. Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages. Though we are not well-versed with the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information. The power generation sector is overseen by regulating bodies like the North American Electric Reliability Corporation (NERC). The NERC can impose significant fines on companies that violate critical infrastructure protection requirements, such as ensuring that communications are encrypted. Other similar regulations also exist for the chemical manufacturing sector."

Yahoo Scanning Order Unlikely To Be Made Public: Reuters

An anonymous reader quotes a report from Reuters: Obama administration officials briefed key congressional staffers last week about a secret court order to Yahoo that prompted it to search all users' incoming emails for a still undisclosed digital signature, but they remain reluctant to discuss the unusual case with a broader audience. Executive branch officials spoke to staff for members of the Senate and House of Representatives committees overseeing intelligence operations and the judiciary, according to people briefed on the events, which followed Reuters' disclosure of the massive search. But attempts by other members of Congress and civil society groups to learn more about the Yahoo order are unlikely to meet with success anytime soon, because its details remain a sensitive national security matter, U.S. officials told Reuters. Release of any declassified version of the order is unlikely in the foreseeable future, the officials said. The decision to keep details of the order secret comes amid mounting pressure on the U.S. government to be more transparent about its data-collection activities ahead of a congressional deadline next year to reauthorize some foreign intelligence authorities. On Tuesday, more than 30 advocacy groups will send a letter to Director of National Intelligence James Clapper asking for declassification of the Yahoo order that led to the search of emails last year in pursuit of data matching a specific digital symbol. The groups say that Title I of the Foreign Intelligence Surveillance Act, under which sources said the order was issued, requires a finding that the target of such a wiretap is probably an agent of a foreign power and that the facility to be tapped is probably going to be used for a transmission. An entire service, such as Yahoo, has never publicly been considered to be a "facility" in such a case: instead, the word usually refers to a phone number or an email account.

The Phone Hackers At Cellebrite Have Had Their Firmware Leaked Online

An anonymous reader quotes a report from Motherboard: Cellebrite, an Israeli company that specializes in digital forensics, has dominated the market in helping law enforcement access mobile phones. But one apparent reseller of the company's products is publicly distributing copies of Cellebrite firmware and software for anyone to download. Although Cellebrite keeps its most sensitive capabilities in-house, the leak may still give researchers, or competitors, a chance to figure out how Cellebrite breaks into and analyzes phones by reverse-engineering the files. The apparent reseller distributing the files is McSira Professional Solutions, which, according to its website, "is pleased to serve police, military and security agencies in the E.U. And [sic] in other parts of the world." McSira is hosting software for various versions of Cellebrite's Universal Forensic Extraction Device (UFED), hardware that investigators can use to bypass the security mechanisms of phones, and then extract data from them. McSira allows anyone to download firmware for the UFED Touch, and a PC version called UFED 4PC. It is also hosting pieces of Cellebrite forensic software, such as the UFED Cloud Analyzer. This allows investigators to further scrutinize seized data. McSira is likely offering downloads so customers can update their hardware to the latest version with as little fuss as possible. But it may be possible for researchers to take those files, reverse-engineer them, and gain insight into how Cellebrite's tools work. That may include what sort of exploits Cellebrite uses to bypass the security mechanisms of mobile phones, and weaknesses in the implementation of consumer phones that could be fixed, according to one researcher who has started to examine the files, but was not authorised by his employer to speak to the press about this issue.

Wi-Fi Alliance Begins Certification Process For Short-Range Wireless Standard WiGig (802.11ad)

The stars have finally aligned for WiGig, an ultra-fast, short-range wireless network. The Wi-Fi Alliance has launched a certification process for WiGig products, which, it claims, can go as fast as 8Gbps. The technology was first announced in 2009, and it is based on the IEEE 802.11ad standard, which is supported by many new products. CNET adds: That speed is good enough to replace network cables today. And tomorrow, WiGig should be good for beaming high-resolution video from your phone to your 4K TV or linking a lightweight virtual-reality headset to its control computer. VR and its cousin, augmented reality, work better when you don't have a thick cable tethering your head to a PC. The new speed is especially helpful when conventional wireless networks clog up. We're all streaming video at higher resolutions, hooking up new devices like cars and security cameras to the network, and getting phones for our kids. Another complication: Phones using newer mobile data networks can barge in on the same radio airwaves that Wi-Fi uses. Saturation of regular Wi-Fi radio channels "will create a demand for new spectrum to carry this traffic," said Yaron Kahana, manager of Intel's WiGig product line. "In three years we expect WiGig to be highly utilized for data transfer." WiGig and Wi-Fi both use unlicensed radio spectrum available without government permission -- 2.4 gigahertz and 5GHz in the case of Wi-Fi. Unlicensed spectrum is great, but airwaves are already often crowded. WiGig, though, uses the 60GHz band that's unlicensed but not so busy. You will want to check for a WiGig sticker on the next gear you purchase.

Alibaba Founder To Chinese Government: Use Big Data To Stop Criminals

An anonymous reader quotes a report from Bloomberg: Chinese billionaire Jack Ma proposed that the nation's top security bureau use big data to prevent crime, endorsing the country's nascent effort to build unparalleled online surveillance of its billion-plus people. China's data capabilities are virtually unrivaled among its global peers, and policing cannot happen without the ability to analyze information on its citizens, the co-founder of Alibaba Group Holding Ltd. said in a speech published Saturday by the agency that polices crime and runs the courts. Ma's stance resonates with that of China's ruling body, which is establishing a system to collect and parse information on citizens in a country where minimal safeguards exist for privacy. "Bad guys in a movie are identifiable at first glance, but how can the ones in real life be found?" Ma said in his speech, which was posted on the official WeChat account of the Commission for Political and Legal Affairs. "In the age of big data, we need to remember that our legal and security system with millions of members will also face change." In his speech, Ma stuck mainly to the issue of crime prevention. In Alibaba's hometown of Hangzhou alone, the number of surveillance cameras may already surpass that of New York's, Ma said. Humans can't handle the sheer amount of data amassed, which is where artificial intelligence comes in, he added. "The future legal and security system cannot be separated from the internet and big data," Ma said. Ma's speech also highlights the delicate relationship between Chinese web companies and the government. The ruling party has designated internet industry leaders as key targets for outreach, with President Xi Jinping saying in May last year that technology leaders should "demonstrate positive energy in purifying cyberspace."

China Electronics Firm To Recall Some US Products After Hacking Attack

An anonymous reader writes: Chinese firm Hangzhou Xiongmai said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday. Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world's best known websites in a stunning breach of global internet stability. The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year. It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false. "Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks?

Just last month Brian Krebs wrote "What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale," warning that countless ISPs still weren't implementing the BCP38 security standard, which was released "more than a dozen years ago" to filter spoofed traffic. That's one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen: PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding... Rather than attempting to prevent attack packets, PEIP provides a way to rate-limit all packets based on their router path to a destination.
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mims suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?

A New Attack Allows Intercepting Or Blocking Of Every LTE Phone Call And Text

All LTE networks and devices are vulnerable to a new attack demonstrated at the Ruxcon security conference in Melbourne. mask.of.sanity shared this article from The Register: It exploits LTE fall-back mechanisms designed to ensure continuity of phone services in the event of emergency situations that trigger base station overloads... The attacks work through a series of messages sent between malicious base stations spun up by attackers and targeted phones. It results in attackers gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM networks where only voice and basic data services are available...

[Researcher Wanqiao] Zhang says the attacks are possible because LTE networks allow users to be handed over to underused base stations in the event of natural disasters to ensure connectivity. "You can create a denial of service attack against cellphones by forcing phones into fake networks with no services," Zhang told the conference. "You can make malicious calls and SMS and...eavesdrop on all voice and data traffic."


Who Should We Blame For Friday's DDOS Attack?

"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser-known makers of routers and cameras. An anonymous reader quotes Fortune: Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure their internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."
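BCP38, the ingress-filtering standard Krebs refers to both here and in the "Slashdot Asks" item above, asks each ISP to drop packets whose source address could not legitimately have come from the link they arrived on. The following is an added illustration (not code from the page or from any ISP) of that check on a hypothetical access router; the interface names and prefixes are constructed from the RFC 5737 documentation ranges.

```python
"""BCP38-style source-address validation (constructed example).

A packet entering a customer-facing interface is forwarded only if its
source address lies inside a prefix assigned to that interface.  Anything
else is a spoofed source and is dropped, which is what stops a compromised
host behind that link from taking part in a spoofed packet flood.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Hypothetical topology: two customer-facing interfaces and the prefixes the
# provider has assigned to the customers behind each of them.
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "eth1": ["203.0.113.0/24"],
    "eth2": ["198.51.100.0/25", "198.51.100.128/26"],
}

Packet = Tuple[str, str, str]  # (ingress interface, source IP, destination IP)

# Constructed sample traffic mixing legitimate and spoofed sources.
SAMPLE_PACKETS: List[Packet] = [
    ("eth1", "203.0.113.77", "192.0.2.10"),    # inside the eth1 customer's prefix
    ("eth1", "198.51.100.5", "192.0.2.10"),    # eth2's address space seen on eth1: spoofed
    ("eth2", "198.51.100.150", "192.0.2.10"),  # inside 198.51.100.128/26
    ("eth2", "198.51.100.200", "192.0.2.10"),  # outside both eth2 prefixes: spoofed
    ("eth1", "10.0.0.1", "192.0.2.10"),        # private source on a public link: spoofed
    ("eth7", "203.0.113.1", "192.0.2.10"),     # interface with no prefix list: fail closed
]


def build_filter(table: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse the prefix strings once so the per-packet check stays cheap."""
    return {iface: [ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def is_spoofed(filter_table: Dict[str, list], iface: str, src: str) -> bool:
    """Return True when the packet must be dropped under BCP38.

    Unknown interfaces and unparseable addresses are treated as spoofed so
    that a configuration gap never silently opens a path for forged traffic.
    """
    try:
        addr = ip_address(src)
    except ValueError:
        return True
    nets = filter_table.get(iface)
    if nets is None:
        return True
    # A mismatched address family (v6 source against v4 prefix) is simply
    # "not contained", so it is dropped as well.
    return not any(addr in net for net in nets)


def filter_packets(filter_table: Dict[str, list],
                   packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split traffic into (forwarded, dropped) according to the ingress filter."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        iface, src, _dst = pkt
        (dropped if is_spoofed(filter_table, iface, src) else forwarded).append(pkt)
    return forwarded, dropped


def spoof_report(dropped: List[Packet]) -> Dict[str, int]:
    """Count drops per ingress interface: a sudden spike on one interface is
    the signal that a customer host behind it is emitting forged traffic."""
    return dict(Counter(iface for iface, _src, _dst in dropped))


if __name__ == "__main__":
    table = build_filter(INTERFACE_PREFIXES)
    fwd, drp = filter_packets(table, SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for iface, count in spoof_report(drp).items():
        print(f"  {iface}: {count} spoofed-source packet(s) dropped")
```

Real routers express the same rule as an ingress ACL or strict-mode unicast RPF on each customer interface; the point of the simulation is that the decision needs only local knowledge of assigned prefixes, which is why the standard can be deployed per ISP without any global coordination.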

VeraCrypt Security Audit Reveals Many Flaws, Some Already Patched

Orome1 quotes Help Net Security: VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report [which has mitigations for the still-unpatched vulnerabilities].
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."

American 'Vigilante Hacker' Defaces Russian Ministry's Website

An anonymous Slashdot reader quotes CNN Money: An American vigilante hacker -- who calls himself "The Jester" -- has defaced the website of the Russian Ministry of Foreign Affairs in retaliation for attacks on American targets... "Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message," he wrote. "Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed."
In early 2015, CNN Money profiled The Jester as "the vigilante who hacks jihadists," noting he's a former U.S. soldier who now "single-handedly taken down dozens of websites that, he deems, support jihadist propaganda and recruitment efforts. He stopped counting at 179." That article argues that "the fact that he hasn't yet been hunted down and arrested says a lot about federal prosecutors and the FBI. Several cybersecurity experts see it as tacit approval."

"In an exclusive interview with CNNMoney this weekend, Jester said he chose to attack Russia out of frustration for the massive DNS cyberattack that knocked out a portion of the internet in the United States on Friday... 'I'm not gonna sit around watching these f----rs laughing at us.'"
