Domain: cio.com
Stories and comments across the archive that link to cio.com.
Stories · 195
-
Google Accused of Tracking School Kids After Promising Not To (cio.com)
itwbennett writes: In a complaint (PDF) filed Tuesday with the Federal Trade Commission, the Electronic Frontier Foundation (EFF) claims that "despite publicly promising not to, Google mines students' browsing data and other information, and uses it for the company's own purposes." The EFF says Google's practice of recording everything students do while they're logged into their Google accounts, regardless of the device or browser they're using, puts the company in breach of Section 5 of the Federal Communications Act. -
Microsoft Blames Layoffs For Drop In Female Employees (cio.com)
itwbennett writes: This year, women made up 26.8 percent of Microsoft's total workforce, down from 29 percent in 2014, the company reported Monday. In a blog post discussing the numbers, Gwen Houston, Microsoft's general manager of diversity and inclusion, pointed the finger at the thousands of layoffs the company made to restructure its phone hardware business: 'The workforce reductions resulting from the restructure of our phone hardware business ... impacted factory and production facilities outside the U.S. that produce handsets and hardware, and a higher percentage of those jobs were held by women,' she said. -
You Can Look Forward To 8 More Years of Leap Second Problems (cio.com)
itwbennett writes: As previously discussed here, the World Radiocommunication Conference (WRC) met "for nearly the entire month of November, and one of the hot-button issues [was] what to do about the leap second." But, as they did at the 2012 conference, the WRC voted to postpone the decision — not just until the next WRC in 2019, but until the one after, in 2023, while the International Telecommunication Union conducts further studies into the impact of tinkering with the definition of Coordinated Universal Time. -
Citrix Spinning Off GoTo Collaboration Business, Laying Off 1,000 People (cio.com)
itwbennett writes: In addition to the decision to spin off the GoTo collaboration products business into a new company, the initial results of Citrix's operations review also involve a 'realignment of resources' that is expected to eliminate about 1,000 full-time and contract roles, over and above the effect of spinning off the GoTo business. Most of the layoffs and refocusing of resources are expected in November and in January 2016. -
Self-Encrypting Drives Hardly Any Better Than Software-Based Encryption (cio.com)
itwbennett writes: The main security benefit of Self-Encrypting Drives (SEDs) is that the encryption key is not stored in the OS memory, but on the disk itself, which makes it less exposed to theft. However, some attacks that work against software-based encryption products also affect SEDs, including evil maid attacks and those that bypass Windows authentication. Once a SED is unlocked, it remains in that state until the power to it is cycled or a deauthentication command is sent. When the laptop is put in sleep mode the drive state is locked, but when it resumes from sleep, the pre-boot management software, which is already loaded in memory, unlocks the drive. [A team of] researchers devised three attacks to take advantage of this situation. -
Same Birthday, Same Social Security Number, Same Mess For Two Florida Women (cio.com)
itwbennett writes: After 25 years, the Social Security Administration (SSA) has fessed up to giving two Florida women who shared a name and a birthday the same social security number. The women only recently discovered that they shared an SSN, but not before having trouble getting loans and having tax returns rejected. You might think that the SSA would catch something like this, but as it turns out, they are prohibited from trying to verify the legitimate owner of an SSN, except in rare cases, says Ken Meiser, VP of identity solutions at ID Analytics, provider of credit and fraud risk solutions. And the problem isn't as rare as you might think (except for the part about two women with the same name born on the same day in the same state). According to a 2010 study by ID Analytics, some 40 million SSNs are associated with multiple people. -
App Companies Propose New Model For Worker Benefits (cio.com)
itwbennett writes: In late October, four delivery drivers for the app-based Amazon Prime Now service filed a class-action lawsuit alleging the company misclassifies its workers as contractors. In June, the California Labor Commission ruled that Uber drivers are employees, not contractors. Now, worker advocacy groups, companies offering services through apps (including Lyft, Etsy, Care.com, and Instacart), a variety of policy experts, and venture capitalists are proposing a new model for worker benefits that will be "portable" across the number of jobs they do in the new on-demand economy. "Self-employed workers choosing to engage in flexible work may also encounter unforeseen work disruptions or other hardships without the protections and benefits that may be provided through full time employment," the group said in a statement posted on Medium. -
US Government IT Outsourcing Is Poorly Managed (cio.com)
itwbennett writes: The U.S. government is spending way more than it has to on IT outsourcing. That's the finding of a report released in September by the Government Accountability Office that studied IT services outsourcing at three military branches within the Department of Defense, along with the Department of Homeland Security and the National Aeronautics and Space Administration. According to the report, while efforts to better manage their IT outsourcing had improved, most of these agencies' IT spending "continues to be obligated through hundreds of potentially duplicative contracts that diminish the government's buying power." -
HP Is Now Two Companies. How Did It Get Here? (cio.com)
New submitter joshroberts3388 writes: If Hollywood wanted a script about the inexorable decline of a corporate icon, it might look to Hewlett-Packard for inspiration. Once one of Silicon Valley's most respected companies, HP officially split itself in two on Sunday, betting that the smaller parts will be nimbler and more able to reverse four years of declining sales. HP fell victim to huge shifts in the computer industry that also forced Dell to go private and have knocked IBM on its heels. Pressure from investors compelled it to act. But there are dramatic twists in HP's story, including scandals, a revolving door for CEOs and one of the most ill-fated mergers in tech history, that make HP more than a victim of changing times. -
CIOs Say New Talent and Old Tech Don't Mix
StewBeans writes: Usually when an article references "what keeps IT leaders up at night," it's a chance to talk about "shadow IT," losing control of tech spending, hackers, or some other overly-hyped concept. Adam Dennison, publisher at IDG Enterprise, opposes this interview tactic and says that "reports of pain are greatly exaggerated." IT leaders don't mind shadow IT or sharing control of the IT budget (in fact, they want others in the business to have some skin in the game), and they understand that they are probably being hacked. What they DO care about is talent. Dennison points out gaps in data, security, and app development, based on IDG's recent survey, and he says CIOs tell him that finding the right IT talent that is also able to articulate what the business needs to succeed with technology is very difficult. He says, "They worry that they can't move fast enough to adopt the technology they need because the new IT talent doesn't want to work on the old stuff, and the old talent doesn't understand the new stuff." -
Are Non-Technical Certifications Worth Earning?
Nerval's Lobster writes: Everybody knows that certain technical certifications can boost your career. For developers and others, though, is it worth earning non-technical certifications such as the PMP (Project Management Professional), CRISC (which certifies that you're good at managing risk)? The short answer, of course, might be, 'Yes, if you plan on moving into management, or something highly specialized.' But for everybody else, it's hard to tell whether certain certifications are worth the time and money, on the nebulous hope that they'll pay off at some point in the future, or if you're better off just focusing on the technical certifications for certain hard skills. -
Gigabit Internet Access Now Supported By 84 US ISPs
An anonymous reader writes: According to Michael Render, principal analyst at market researcher RVA LLC, 83 Internet access providers have joined Google to offer gigabit Internet access service (all priced in the $50-$150 per month range). Render's data shows that new subscribers are signing up at an annualized growth rate of 480 percent each year. That "annualized" is an important thing to note, though; this is early days, and adding a few households, relatively speaking, means an impressive percentage change. -
Why Certifications Are Necessary (Even If Aggravating To Earn)
Nerval's Lobster writes: Whether or not certifications have value is a back-and-forth argument that's been going on since before Novell launched its CNE program in the 1990s. Developer David Bolton recently incited some discussion of his own when he wrote an article for Dice in which he claimed that certifications aren't worth the time and money. But there's a lot of evidence that certifications can add as much as 16 percent to a tech professional's base pay; in addition a lot of tech companies use resume-screening software that weeds out any resumes that don't feature certain acronyms. There's also the argument that the cost, difficulty, and annoyance of earning a certification is actually the best reason to go through it, especially if you're looking for a job; it broadcasts that you're serious enough about the technology to invest a serious chunk of your life in it. But others might not agree with that assessment, arguing that all a certification proves is that you're good at taking tests, not necessarily knowing a technology inside and out. -
NSF Researcher Suspended For Mining Bitcoin
PvtVoid (1252388) writes "In the semiannual report to Congress by the NSF Office of Inspector General, the organization said it received reports of a researcher who was using NSF-funded supercomputers at two universities to mine Bitcoin. The computationally intensive mining took up about $150,000 worth of NSF-supported computer use at the two universities to generate bitcoins worth about $8,000 to $10,000, according to the report. It did not name the researcher or the universities." -
P2P Data Not Private, But It Could Be
Frequent correspondent Bennett Haselton writes with a forward-looking response to a recent ruling that peer-to-peer network participants have little privacy interest in files stored on their computer and that they have made available via P2P. Writes Bennett: "A court rules that law enforcement did not improperly 'search' defendants' computers by downloading files that the computers were sharing via P2P software. This seems like a reasonable ruling, but such cases may become rare if P2P software evolves to the point where all downloads are routed anonymously through other users' computers." Read on for the rest.
The police had used an automated P2P search tool to find evidence that child pornography was being shared from the defendants' computers, and then used that evidence to obtain probable cause warrants for searching their computers (where they subsequently found child porn being stored, and the defendants were charged accordingly). Last Friday, District Court Judge Christina Reiss ruled that the P2P search tool did not violate the defendants' 4th Amendment rights against unreasonable search, as they had argued.
I'm all for strong privacy rights and the right to exclude evidence at trial that was gathered improperly, but it's hard to see how the defendants thought they had a leg to stand on here. When you share a file on a P2P network where other users can download directly from your computer, by definition you are advertising that you have that file. Now, some of the time you might be sharing that file not out of the goodness of your heart, but because you're required to share the file in order to earn "credits" that you can use to continue your own downloads (BitTorrent requires sharing for this reason). But even then, you would still know that you were sharing the file (unless you really never realized how file sharing software works, but since it's actually called "file sharing software", that's kind of on you).
However, as I wrote in January, there's no reason why popular P2P programs couldn't re-route each download through a different user's connection, so that if you were downloading a file from another computer's IP address, you would never know if the file resided on that computer's hard drive. Obviously I'm not endorsing the use of such software by creeps like the ones who were arrested; I'm saying that regardless of how we feel about it, it's inevitable that proxified re-routed connections will become the de facto standard for P2P file sharing, if the following conditions remain true:
- It remains legal to run the software at all. This seems like a reasonable assumption in a mostly-free country like the U.S., where although piracy is illegal, file-sharing programs like BitTorrent are still legal even if they are frequently used for piracy.
- A user cannot be held liable for unknowingly forwarding data packets on behalf of someone else, even if the data packets comprise an illegal file (whether it's child pornography or a pirated movie).
- Bandwidth continues to get faster and cheaper. Today, if you download a 100-megabyte file by routing your download through three other users' computers, it will usually be much slower and more inconvenient than if you'd downloaded the file directly. In a few years, you won't notice the difference.
- If the police raid a suspect's house and seize their computer, and they see that the computer has an encrypted partition, the suspect can invoke their Fifth Amendment right to refuse to give the police the decryption password. You know how I feel about that, but the latest rulings on the question seem to affirm that you can refuse to decrypt your hard drive for law enforcement. So a good P2P client for "illicit" file trading would come with built-in support for an encrypted hard drive partition, where all saved files would be stored. (The software would probably come with a "kill switch" that you could use to instantly dismount your encrypted partition if you heard a knock on your door, and a five-minute inactivity timeout after which the drive would dismount automatically.)
In that previous article, I described a protocol in which any time a P2P user X (the "downloader") downloaded a file from another P2P user Y (the "sharer"), the connection would be routed through the computer of at least one "go-between" user Z (and possibly a chain of users Z1, Z2, ... Zn). Each of the go-betweens simply downloads bytes from the next computer "up" the chain and sends those bytes on to the next computer "down" the chain, and none of the go-betweens know how far the chain extends in either direction. Because of the design of the protocol, from the point of view of any of the go-betweens, there is only a 40% chance that the computer they're downloading from is the original "sharer." (See the January article for details on how this would be achieved.)
Now, does the analysis change if your adversary is the FBI looking for child pornographers, rather than the MPAA looking for movie pirates? Here are the variables that I think matter:
- The standard of proof to punish you is higher. In a civil lawsuit, the MPAA would only have to prove their case against you by a "preponderance of the evidence" (i.e. greater than 50%); to obtain a criminal conviction, the court would have to prove your guilt "beyond a reasonable doubt." However, in both cases, if all that the court knows is that the defendant's computer was identified as passing along bits and bytes of an illegal file, and the court understands that there's only a 40% chance that the computer owner actually possessed the illegal file, then this falls below the standard of proof in both cases. (Of course, this is contingent on no other evidence turning up to implicate you. If the police raid your house and find child pornography printouts lying around your desk, then so much for the "40% chance of guilt" figure.)
- In a civil trial, the defendant can be called to the stand and made to answer questions (unlike a criminal trial, where the defendant can refuse to testify under the Fifth Amendment). So even if the MPAA's lawyer knew there was only a 40% chance that they had sued the right defendant, they could ask the defendant under oath, "Did you download this movie?" (Or they could sue 10 defendants at once, and argue, correctly, that on average about 4 of those defendants were probably guilty.) The defendant could invoke their Fifth Amendment rights and refuse to answer; however, in a civil trial, the court is free to consider this refusal to be evidence weighing in favor of the defendant's guilt. In theory, a defendant could simply say "No," and there would be no way to prove they were lying. In practice, the MPAA's lawyer might try to intimidate a defendant into confessing, telling them that the worst that can happen to them if they confess is just a monetary judgment, but if they lie under oath they could go to jail, etc.
- The punishment for getting caught for possession of child pornography is much more severe. I'm not sure if this changes the analysis though. It's not a case of "a 40% chance of losing a lawsuit vs. a 40% chance of going to jail." If the court in both cases can never establish your guilt with a probability of more than 40%, then since that's not enough to get a criminal conviction or a civil judgment, you actually have a 0% chance of losing in either case, provided you don't make any other errors (leaving illegal printouts by your computer), and provided the court actually understands that the "evidence" only establishes about a 40% chance of your guilt.
- The cost of being accused of possessing child pornography is much higher, even if you ultimately win in court. If the MPAA sues you for downloading a pirated movie (even if they know there's only a 40% chance they've got the right person), that would probably just increase your street cred among your friends. If you're a middle-aged computer nerd accused of downloading child pornography, not so much. Even if you're ultimately acquitted, your reputation will probably be ruined.
This last point suggests the only "attack" that I can think of that law enforcement could use successfully against this protocol. The police know in advance that if they arrest someone for transmitting an illegal file from their IP address, and if the defendant refuses to testify and the defendant's hard drive is encrypted, the state won't be able to get a conviction since there's only a 40% chance that the defendant was actually in possession of the file. However, if the defendant's life will be ruined by going to trial anyway, law enforcement could use this as a bludgeon to scare people away from even running the P2P protocol. Saying, in essence, "We're going to go out and do searches for illegal files to download, and we will file charges against any person whose IP address re-transmits an illegal file to us. Even though we know we won't be able to get a conviction, we'll ruin the lives of anyone we can identify in this way, so that's the risk that you're taking by installing this software, even if you yourself don't do anything illegal."
Whether this attack would be effective depends on whether the courts would tolerate these kinds of "intimidation" prosecutions, where law enforcement knows going in that they can never establish more than a 40% chance of the defendant's guilt (and hence no chance of conviction unless the defendant "cracks"), but they press charges anyway. I would call that an abuse of state power, and say that any prosecutor who knowingly pursues a losing case should be fired and compensation should be paid to the victim, but the courts might not see it that way, especially if the prosecutor finds a way to work the phrase "child porn" into every sentence.
The One Sided Cyber War
Curseyoukhan writes with a skeptical perspective on the U.S. Cyberwar posturing. From the article: "The first shot was probably the release of Stuxnet sometime during or before 2009. Even though no one has officially claimed responsibility everyone knows who was behind it. Stuxnet hit with a bang and did a whole lot of damage to Iran's uranium-enrichment capabilities. We followed up Stuxnet with Flame — the Ebola virus of spyware. What did the Iranians fire back with? A series of massive, on-going and ineffective DDoS attacks on American banks. This is a disproportionate response but not in the way military experts usually mean that phrase. It's the equivalent of someone stealing your car and you throwing an ever-increasing number of eggs at his house in response. It's fascinating that Iran continues to do nothing more despite the fact that U.S. critical infrastructure currently has the defensive posture of a dog waiting for a belly rub. Keep that in mind the next time you hear that a 'cyber Pearl Harbor' is imminent." -
Dutch Gov't Offers Guidance For Responsible Disclosure Practices
An anonymous reader sends this quote from an IDG News report: "The Dutch government's cyber security center has published guidelines (in Dutch) that it hopes will encourage ethical hackers to disclose security vulnerabilities in a responsible way. The person who discovers the vulnerability should report it directly and as soon as possible to the owner of the system in a confidential manner, so the leak cannot be abused by others. Furthermore, the ethical hacker will not use social engineering techniques, nor install a backdoor or copy, modify or delete data from the system, the NCSC specified. Alternatively a hacker could make a directory listing in the system, the guidelines said. Hackers should also refrain from altering the system and not repeatedly access the system. Using brute-force techniques to access a system is also discouraged, the NCSC said. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization. The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said." -
Security Firm Predicts "Murder By Internet-Connected Devices"
Curseyoukhan writes "Infosec vendor IID (Internet Identity) probably hopes that by the time 2014 rolls around no one will remember the prediction it just made. That is the year it says we will see the first murder via internet connected device. The ability to do this has been around for quite some time but the company won't say why it hasn't happened yet. Probably because that would have screwed up their fear marketing. CIO blogger challenges them to a $10K bet over their claim." -
Report Warns That Censorship Will Not Stop Terrorism
concealment writes "The report evaluates the challenge of curbing online radicalization from the perspective of supply and demand. It concludes that efforts to shut down websites that could serve as incubators for would-be terrorists — going after the supply — will ultimately be self-defeating, and that 'filtering of Internet content is impractical in a free and open society.' 'Approaches aimed at restricting freedom of speech and removing content from the Internet are not only the least desirable strategies, they are also the least effective,' writes Peter Neumann, founding director of the International Centre for the Study of Radicalisation at King's College London and the author of the report." -
Cybersecurity Laws Would Do More Harm Than Good
Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering." Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau's top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders." -
Norton '12 Cybercrime Numbers Lower Than Last Year's — But Just As Bad
Curseyoukhan writes "Norton released its annual cybercrime report on Wednesday, and the company put the 'direct costs associated with global consumer cybercrime at US $110 billion over the past twelve months.' Last year's report put the total 'at an annual price of $388 billion globally based on financial losses and time lost.' That's more than the estimated value of the global black market in marijuana, cocaine and heroin combined ($288 billion), the report said. But Norton makes no mention of the vast difference in 2011 and 2012 numbers. That's because last year's number was entirely fictitious." Something tells me that the scare-monger number-wavers aren't as embarrassed by this sort of logical deconstruction as they should be. -
Khan Academy Launches Computer Science Curriculum
joabj writes "Expanding beyond math and the physical sciences, Khan Academy has added a set of computer science courses to its popular collection of learn-at-home instructional videos. For the project, Khan tapped jQuery creator John Resig, who chose JavaScript as the first language to teach students. The initial set of tutorials cover drawing, programming basics, animation and user interaction." -
RIM CEO On What Went Wrong
AZA43 writes "After releasing some very ugly financial numbers in late June, BlackBerry-maker RIM went on a media blitz to downplay the significance of its latest earnings and counter increasingly negative media attention. ... But a new Q&A with BlackBerry chief Thorsten Heins offers a unique take on what exactly went wrong at RIM — Heins blames the company's downfall [partly] on LTE in the U.S. — and he actually seems genuine in his answers." A peek into the mind of RIM's upper management. -
Six Arrested Over Japanese Android Porn Virus
AZA43 writes "Tokyo police have arrested six men, including two IT executives and one former tech exec, in connection with an Android malware campaign that netted $265,000. The men created a piece of Android malware that they disguised as a video player and distributed through an adult website. The app stole personal information and attempted to extort money for data 'protection services.' The malware doesn't appear to be particularly sophisticated, but it convinced more than 200 horny Japanese dudes to shell out $1200 each. And the arrests are one of, if not the, first time a major police force brought down criminals who used Android malware to extort a significant chunk of cash." -
MD5crypt Password Scrambler Is No Longer Considered Safe
As reported here recently, millions of LinkedIn password hashes have been leaked online. An anonymous reader writes "Now, Poul-Henning Kamp, a developer known for work on various projects and the author of the md5crypt password scrambler, asks everybody to migrate to a stronger password scrambler without undue delay. From the blog post: 'New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days. The default algorithm for storing password hashes in /etc/shadow is MD5. RHEL / CentOS / FreeBSD users can migrate to SHA-512 hashing algorithms.'" Reader Curseyoukhan was one of several to also point out that dating site eHarmony got the same treatment as LinkedIn. Update: 06/07 20:13 GMT by T : An anonymous reader adds a snippet from Help Net Security, too: "Last.fm has piped up to warn about a leak of their own users' passwords. Users who have logged in to the site were greeted today by a warning asking them to change their password while the site investigates a security problem. Following the offered link to learn more, they landed on another page with another warning." -
"Cyber War" Is Just the Latest Grab for Defense Money
New submitter Curseyoukhan writes "The phrase 'cyber war' is being used to scare us into coughing up money and liberties, just like 'anarchist' once was, and 'terror' still is. To quote H.L. Mencken, 'The whole aim of practical politics is to keep the populace alarmed (and hence clamorous to be led to safety) by menacing it with an endless series of hobgoblins, all of them imaginary.'" -
DoD Networks Completely Compromised, Experts Say
AZA43 writes "A group of U.S. federal cybersecurity experts recently said the Defense Department's network is totally compromised by foreign spies. The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks." -
The Privacy Richter Scale
Hugh Pickens writes "Jay Cline writes that not all privacy issues are created equal and proposes a privacy Richter scale to rank the bad things that could happen to our privacy. A privacy Richter 1 or 2 event is a temporary bad turn for you or a handful of people, but nothing systemic, posing no lasting harm to individuals or society as a whole. Examples include receiving someone else's mail, having someone expose something embarrassing about you to co-workers or friends, or losing your wallet or purse. Privacy events measuring 4 to 7 on the scale are risks that can cause real and lasting damage to a lot of people and include stolen laptops containing thousands of Social Security numbers and credit-card numbers that would allow identity thieves to make fraudulent transactions that could impact credit scores for years. Finally events topping 8 are points of no return for large numbers of people and society as a whole. DARPA's Total Information Awareness program, proposed in 2002 and defunded by Congress in 2003, would have topped the scale. 'The massive collection of data about U.S. citizens could have created a perpetual bureaucracy that put at risk our right of due process and protection against unlawful search and seizure.' So where does Google's plan to consolidate its 60 privacy policies into a single approach rank? 'The current change ranks at a 3,' writes Cline. 'Larry Page's company will weather this change. I don't see irreparable or lasting harm or loss of liberty. If you don't like Google, use Bing. Don't watch weird things on YouTube. You shouldn't be sending confidential things through Gmail in the first place.'" -
RIM Trying To Woo Customers With Porn, Gambling Apps?
AZA43 writes "Everybody knows that BlackBerry-maker RIM is hurting these days. But is it hurting enough to try to attract new customers with the promise of porn and/or gambling apps? A new rating system added to RIM's BlackBerry App World store suggests that it just may be that desperate. The new 'Adult' rating covers, 'graphic sexual content, graphic nudity,' 'graphic violence,' and gambling apps 'as permitted by law.' And that suggests RIM will allow this kind of content into App World, in stark contrast to Apple's no-porn-on-the-iPhone stand." -
Amazon Blocks Video Streaming On BlackBerry Tablet, Blames Apple
AZA43 writes "Amazon.com has blocked its Instant Video streaming service on BlackBerry PlayBook tablets, in an apparent effort to make its Kindle Fire device more attractive to tablet buyers. And it says Apple is the reason why it blocked the service. But the company hasn't blocked comparable Android tablets from streaming Instant Video, and Android tablets hold a much larger portion of the overall tablet market than PlayBooks. Amazon will likely succeed only in alienating customers with PlayBooks who have already purchased lots of streaming video content." -
Proposed Law Would Give DHS Power Over Privately Owned IT Infrastructure
CelticWhisper writes "H.R. 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE Act), would allow the U.S. Department of Homeland Security to require improved security practices from those businesses managing systems whose disruption could prove detrimental to critical life-sustaining or national-security initiatives." As the article points out, this is just "one of 30 or so such bills currently percolating on the Hill." -
FBI Cybercrime Director Comments On Hacktivism
bdcny7927 writes "In an exclusive interview with CIO.com, the FBI official in charge of cybercrime speaks for the first time with the media specifically about hacktivism. Here, Assistant Executive Director Shawn Henry describes the threats hacktivists pose, the challenges associated with investigating them, and the FBI's success disrupting these groups. He also delivers a special message to hacktivists." The so-called special message: "My organization is a believer in civil rights and civil liberties, and the first amendment is something I hold very dear personally and professionally. I have no problem with people picketing and protesting in the street. I get all that. But the freedom for me to swing my arm ends where your nose begins. If you are impinging on others' rights, that's illegal." -
Trademark Trouble For RIM Over New "BBX" Name
AZA43 writes "As if its latest BlackBerry service outage--the worst in company history--and the mass exodus of BlackBerry users to iOS and Android weren't bad enough, RIM is now facing a potential trademark lawsuit over the name of its next generation BlackBerry OS: BBX. The BBX announcement was the most significant news to come from RIM's BlackBerry Developer Conference this week, and now it looks like RIM may have to change the upcoming platform's name to something else. RIM just can't seem to do anything right these days." -
Russian Software Company Says Its App Can Crack BlackBerry Security
AZA43 leaps into the ranks of accepted submitters, writing "Russian security software vendor Elcomsoft has released an app that it claims can determine BlackBerry handheld passwords. The software supposedly hacks the BlackBerry password via an advanced handheld security setting that's meant to encrypt data stored on a user's memory card. And a hacker doesn't even need to have the BlackBerry to determine a password, just the media card." -
US Gov't Pays IT Contractors Twice As Much As Its Own IT Workers
bdcny7927 writes "The U.S. federal government pays outside IT contractors nearly twice as much for computer engineering services as it pays its own computer engineers, and 1.5 times more for IT management work, according to a non-profit watchdog group. 'The study points out that IT specifically "is widely outsourced throughout the federal government because of the assumption that IT companies provide vastly superior skills and cost savings." The Project on Government Oversight says its salary comparisons prove that those cost savings are not being realized. However, the comparisons do not address any cost savings that might be achieved through the skills, processes or systems that private IT services companies might deliver. The POGO researchers say that the federal government itself does not know how much money overall it saves or wastes with its sourcing decisions and has no system for doing so.'" -
PC Virus Turns 25
Batblue writes "Happy anniversary Basit and Amjad! Twenty-five years ago this month (CT: Warning, intrusive interstitial ad), the Alvi brothers of Lahore, Pakistan, gave the world the Brain Virus, the first bit of malware capable of infecting a DOS-based PC. Back in those relatively innocent times, the brothers actually embedded their real names and business address in the code and later told Time magazine they had written the virus to protect their medical software from piracy. Who knows what they were really thinking, but by all accounts the Brain Virus was relatively harmless. Twenty-five years later, most malware is anything but benign and cyber criminals pull off exploits the Alvi brothers never envisioned." -
SAP Ordered To Pay $1.3 Billion To Oracle
bdcny7927 writes with news that a jury decided to award Oracle $1.3 billion in their lawsuit against SAP after deliberating for less than a day. "The verdict ... is the biggest ever for copyright infringement and the largest US jury award of 2010, according to Bloomberg data. The award is about equal to SAP’s forecasted net income for the fourth quarter, excluding some costs, according to the average estimate of analysts... SAP spokesman Bill Wohl said the German software maker will pursue all available options, including post-trial motions and will appeal if necessary." -
Hacked iRobot Uses XBox Kinect To See World
kkleiner writes "A student at MIT's Personal Robotics Group is going to put Microsoft's Kinect to a good use: controlling robots. Philipp Robbel has hacked together the Kinect 3D sensor with an iRobot Create platform and assembled a battery-powered bot that can see its environment and obey your gestured commands. Tentatively named KinectBot, Robbel's creation can generate some beautifully detailed 3D maps of its surroundings and wirelessly send them to a host computer. KinectBot can also detect nearby humans and track their movements to understand where they want it to go." In related but less agreeable news, "Dennis Durkin, who is both COO and CFO for Microsoft's Xbox group, told investors this week that Kinect can also be used by advertisers to see how many people are in a room when an ad is on screen, and to custom-tailor content based on the people it recognizes." -
Tech's Heroes and Villains
Shaneco writes "The hero and the villain. It's the age-old formula that pervades today's reality TV showdowns, the shenanigans of professional wrestling and cinematic classics like Star Wars. Tech is no different, with its passionate heroes who balance profit with innovation and social responsibility, and the money-mad, egomaniac villains who simply cannot be trusted. Here's a slideshow of tech's good guys and bad guys." -
Google Apps Not the DC Success Many Believe?
theodp writes "Google touts its partnership with the District of Columbia government, presenting it as quite the Google Apps success story. So as part of his coverage of last week's Gmail outage, nextgov's Gautham Nagesh called the DC government, but was told they hadn't heard of any reports of outages among city employees. Nagesh wrote this off to safeguards put in place for the government by Google, but readers tipped him off to another explanation: 'Despite all the press releases trumpeting Google in DC,' an anonymous commenter wrote, 'Exchange is still the city's primary email system.' Nagesh followed up, and was surprised to learn that there is indeed no Gmail in DC government. This all seemed rather strange to Nagesh, considering how much attention former DC CTO and current Federal CIO Vivek Kundra has received for implementing Google Apps for District employees. Reporting separately, CNET's Elinor Mills was told by a DC spokeswoman that while Google Apps is available to 38,000 DC city employees, only 4,000 are actively using it. The spokeswoman added that Gmail could potentially replace Microsoft Exchange, 'but this decision has not been made yet.'" -
How Famous OS Logos Got Started
Shane O'Neill writes "Ronald McDonald and the NBC Peacock may get more TV air time, but today's operating systems have cool logos, too. Google, Apple, Microsoft and the Linux crowd crafted mascots ranging from cute lizards to circles of life. In this slideshow, we look at the origins of the logos and look ahead to their future." -
Bing Search Tainted By Pro-Microsoft Results
bdcny7927 writes "Just as Bing is gaining popularity, some disturbingly pro-Microsoft and anti-Apple search results are rearing their ugly heads. Case in point: a search on Bing for the phrase, 'Why is Windows so expensive?' returned this as the top link: 'Why are Macs so expensive.' That's right. You're not hallucinating." -
The Worst US Cities To Work In IT
bdcny7927 writes with an excerpt from CIO.com to inspire some caution before your next job switch: "IT workers have their choice of many great US cities for work and play (Atlanta, Chicago, Seattle), but what are the cities that you probably should avoid? Here's a very unscientific, highly subjective and unapologetically snarky list of our least favorite US tech job locales." -
Social Networking Sites Getting Risky For Recruiting
onehitwonder writes "While many recruiters and HR managers are taking advantage of the Web and online social networks to screen candidates for positions inside their organizations, a bank in Texas has decided that using social networking websites in its recruiting process is too risky legally. Amegy Bank of Texas now prohibits internal HR staff and external recruiters from using social networking sites in its hiring process. Amegy's decision to ban the use of social networking sites in its hiring process demonstrates its respect for prospective employees' privacy. It also sends a message to the employers and recruiters using social networks to snoop into job seekers' personal lives that their actions border on discrimination and could get them in a lot of legal trouble." -
DC Fires Tech Contractors, Puts Employees On Leave
theodp writes "After Gov. Tim Kaine intervened on his behalf, Vivek Kundra was quietly reinstated to his Federal CIO post on Tuesday after a brief leave following an FBI raid on Kundra's former DC office (Kundra was not implicated). Now, the Washington Post reports that the City of DC plans to fire 23 Technology Office contractors and place 4 employees on leave in the aftermath of the arrests of a Security manager and contractor on bribery charges last week. Another government employee has since been arrested for his role in the scam, and the mayor has promised that the tech office will undergo a 'full and formal review.'"