Slashdot Mirror

lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.

Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy." Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."

CowboyRobot writes "A Tripwire survey of 1,320 IT personnel from the U.S. and U.K. showed that most staff 'don't communicate security risk with senior executives or only communicate when a serious security risk is revealed.' The reason is that staff have resigned themselves to staying mum due to an environment in which 'collaboration between security risk management and business is poor, nonexistent or adversarial,' or at best, just isn't effective at getting risk concerns up to senior management."

bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."

Deagol asks "I work for a good-sized University. I've heard that Tripwire and our software licensing department is negotiating for a site-license. I was asked to comment on whether our department would like to buy in. I personally lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. Seeing how their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version can really do for me. Does anyone know the value (if any) of commercial Tripwire over the free one; Are there open source packages that have made Tripwire obsolete?"

Deagol asks "I work for a good-sized University. I've heard that Tripwire and our software licensing department is negotiating for a site-license. I was asked to comment on whether our department would like to buy in. I personally lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. Seeing how their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version can really do for me. Does anyone know the value (if any) of commercial Tripwire over the free one; Are there open source packages that have made Tripwire obsolete?"

Deagol asks "I work for a good-sized University. I've heard that Tripwire and our software licensing department is negotiating for a site-license. I was asked to comment on whether our department would like to buy in. I personally lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. Seeing how their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version can really do for me. Does anyone know the value (if any) of commercial Tripwire over the free one; Are there open source packages that have made Tripwire obsolete?"

Long time sysadmins who are accustom to using Tripwire might find this interesting. Tripwire and Covalent have released a version of Tripwire's intrusion detection software product integreated into Apache.

Long time sysadmins who are accustom to using Tripwire might find this interesting. Tripwire and Covalent have released a version of Tripwire's intrusion detection software product integreated into Apache.

Brian McLaughlin writes: "Tripwire posted the source code to their integrity checking tool at SourceForge today. The press release can be consumed here."

Johnath writes: "Maybe it's a little early to break out the party hats, but after noticing that a new version of Tripwire had been released, I checked up on their site and noticed they are going to open source it. Supposed to open it up this fall, and under the GPL no less." There are a lot of people who swear by Tripwire, it'll be nice to see this come to fruition. One thing that's odd - This only applies to Tripwire for Linux.