Slashdot Mirror

The hacker Guccifer 2.0 today released a large database of information reportedly stolen from the Clinton Foundation. The dump, Engadget reports, includes names, addresses, and emails of both individuals and corporate donors as well as their contribution amounts. From the report: This, of course, isn't the first time Guccifer or his friends at Wikileaks and the Kremlin have attempted to subvert the US political process during this election cycle. Just last month Guccifer released Democratic Vice Presidential nominee, Tim Kaine's personal cell phone number. What's more, nearly half of the country's state voter registration systems have recently come under cyberattack, according to the DHS, though the FBI has not yet determined if those breaches originated in Russia. There are also a number of unanswered questions regarding Republican nominee, Donald Trump's, connection to these attacks. Four House Democrats recently demanded that the FBI investigate the nominee after he "jokingly" suggested that Russia find and release the 33,000 emails reportedly missing from Hillary Clinton's private email server.

Microsoft's Universal Windows Platform, or UWP, approach isn't sitting well with many game developers. Four months after criticising UWP ecosystem for being a walled-garden, curtailing "users' freedom to install full-featured PC software, and subverting the rights of developers and publishers to maintain a direct relationship with their customers," Tim Sweeney, co-founder of Epic Games, the studio behind the Gears of War and Unreal franchises has once again lashed out at the Redmond-based company. He alleges that Microsoft plans to make Steam -- the world's largest PC gaming platform, "progressively worse and more broken." in a move to bolster people's reliance on the Windows Store. From a Gadgets 360 report: "Slowly, over the next five years, they will force-patch Windows 10 to make Steam progressively worse and more broken. They'll never completely break it, but will continue to break it until, in five years, people are so fed up that Steam is buggy that the Windows Store seem like an ideal alternative. That's exactly what they did to their previous competitors in other areas. Now they're doing it to Steam. It's only just starting to become visible. Microsoft might not be competent enough to succeed with their plan but they are certainly trying," Sweeney said. He adds the outcome of this would be forcing every app and game to be sold through the Windows Store alone. "If they can succeed in doing that then it's a small leap to forcing all apps and games to be distributed through the Windows store. Once we reach that point, the PC has become a closed platform. It won't be that one day they flip a switch that will break your Steam library -- what they're trying to do is a series of sneaky manoeuvres. They make it more and more inconvenient to use the old apps, and, simultaneously, they try to become the only source for the new ones," he claims.

"A new lawsuit alleges that the U.S. Department of Justice intentionally conducts inadequate searches of its records using a decades-old computer system when queried by citizens looking for records that should be available to the public," reports The Guardian. Slashdot reader Bruce66423 writes: An MIT PhD student has filed a suit in Federal court alleging that the use of a 21-year-old, IBM green screen controlled search software to search the Department of Justice databases...constitutes a deliberate failure to provide the data that should be being produced.
Ryan Shapiro's lawsuit alleges "failure by design," saying that the Justice Department records are inadequately indexed -- and that they fail to search the full text of their records when responding to requests "When few or no records are returned, Shapiro said, the FBI effectively responds 'sorry, we tried' without making use of the much more sophisticated search tools at the disposal of internal requestors." The FBI has a $425 million software system to handle FOIA requests, but refuses to use it, saying that would be "needlessly duplicative...and wasteful of Bureau resources."

An anonymous reader writes: Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor. The software, called EasyDoc Converter.app, is supposed to be a file converter but doesn't do its advertised functions. Instead it drops complex malware onto the system that subverts the security of the system, allowing it to be used as part of a botnet or to spy on the owner. "This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," said Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab. "For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless." The malware, dubbed Backdoor.MAC.Eleanor, sets up a hidden Tor service and PHP-capable web server on the infected computer, generating a .onion domain that the attacker can use to connect to the Mac and control it. Once installed, the malware grants full access to the file system and can run scripts given to it by its masters.A report on AppleInsider says that malware can also control the FaceTime camera on a victim's computer. But thankfully, Apple's Gatekeeper security prevents the unsigned app from being installed.

itwbennett writes: The Tor Project, which provides more anonymous browsing across the Internet using a customized Firefox Web browser. is fortifying its software so that it can quickly detect if its network is tampered with. To address worries that Tor could either be technically subverted or subject to court orders, Tor developers are now designing the system in such a way that many people can verify if code has been changed and 'eliminate single points of failure,' wrote Mike Perry, lead developer of the Tor Browser, on Monday. 'Even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue,' said Perry.

Nicola Hahn writes: As the Department of Justice exerts legal pressure on Apple in an effort to recover data from the iPhone used by Syed Rizwan Farook, Apple's CEO has publicly stated that "the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone." But, as one Windows rootkit developer has observed, the existing functionality that the FBI seeks to leverage is itself a backdoor. Specifically, the ability to remotely update code on a device automatically, without user intervention, represents a fairly serious threat vector. Update features marketed as a safety mechanism can just as easily be wielded to subvert technology if the update source isn't trustworthy. Something to consider in light of the government's ability to steal digital certificates and manipulate network traffic, not to mention the private sector's lengthy history of secret cooperation. Related: wiredmikey writes: Apple said Monday it would accept having a panel of experts consider access to encrypted devices if US authorities drop efforts to force it to help break into the iPhone of a California attacker. Apple reaffirmed its opposition to the US government's effort to compel it to provide technical assistance to the FBI investigation of the San Bernardino attacks, but also suggested a compromise in the highly charged legal battle.

In his first public remarks since Apple CEO Tim Cook said he would fight the federal magistrate's order, FBI Director James Comey claimed the Justice Department's request is is about "the victims and justice."

An anonymous reader writes: Randall Rothenburg, the president and CEO of the Interactive Advertising Bureau (IAB) has made a speech branding the creators of Adblock Plus (who were banned from the conference where he made this keynote) as "rich and self-righteous," and accused adblockers of subverting freedom of the press. Speaking at the IAB's annual conference, Rothenburg characterized the Adblock Plus team as "operating a business model predicated on censorship of content."

Jason Koebler writes: Toppling a telecom monopoly is the dream of many Americans, but the folks at NYC Mesh are actually doing something about it. On any given weekend, Brian Hall and his fellow organizers can be found around the city, installing directional Wi-Fi routers on rooftops. Anyone in the city who lives near another person on the network is welcome to join, and NYC Mesh volunteers will help you install a rooftop router. The network is still small, but it has partnered with two internet exchanges to install "super nodes" that have a range of several miles and are connected directly to the backbone of the internet.

Advocatus Diaboli sends a report from Glenn Greenwald at The Intercept about the NSA's efforts to subvert encryption. Back in 2013, several major publications reported that the NSA was able to crack encryption surrounding commerce and banking systems. Their reports did not identify which specific technology was affected. The recent backdoor found in Juniper systems has caused the journalists involved to un-redact a particular passage from the Snowden documents indicating the NSA targeted the "two leading encryption chips" in their attempts to compromise encryption. Quoting: The reference to "the two leading encryption chips" provides some hints, but no definitive proof, as to which ones were successfully targeted. Matthew Green, a cryptography expert at Johns Hopkins, declined to speculate on which companies this might reference. But he said that "the damage has already been done. From what I've heard, many foreign purchasers have already begun to look at all U.S.-manufactured encryption technology with a much more skeptical eye as a result of what the NSA has done. That's too bad, because I suspect only a minority of products have been compromised this way."

An anonymous reader writes: Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn't even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they "permitted source code review in controlled environments to meet government requirements." In addition to raising questions about whether a security product can be trusted under such circumstances, it also causes political problems: "Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country."

snydeq writes: Breaking the rules can bring a little thrill — and sometimes produce better, more efficient code. From the article: 'The rules are more often guidelines or stylistic suggestions, not hard-and-fast rules that must be obeyed or code death will follow. Sure, your code might be ridiculed, possibly even publicly, but the fact that you're bucking conventions adds a little bit of the thrill to subverting, even inadvertently, what amounts more often than not to the social mores of pleasant code. To make matters more complex, sometimes it's better to break the rules. (Shhhh!) The code comes out cleaner. It may even be faster and simpler.' What bad programming habits can't you (or won't you) break?

Geoffrey.landis writes: Computerized voting machines are bad news in general, but the WINVote machines used in Virginia might just have earned their reputation as the most insecure voting machine in America. They feature Wi-Fi that can't be turned off (protected, however, with a WEP password of "abcde"), an unencrypted database, and administrative access with a hardcoded password of "admin." According to security researcher Jeremy Epstein, if the machines weren't hacked in past elections, "it was because nobody tried." But with no paper trail, we'll never know.

Well, after ignoring the well-documented problems for over a decade, Virginia finally decided to decommission the machines... after the governor had problems with the machines last election and demanded an investigation. Quoting: "In total, the vulnerabilities investigators found were so severe and so trivial to exploit, Epstein noted that 'anyone with even a modicum of training could have succeeded' in hacking them. An attacker wouldn't have needed to be inside a polling place either to subvert an election... someone 'within a half mile with a rudimentary antenna built using a Pringles can could also have attacked them.'"

An anonymous reader writes: Jeff Atwood has a post about a security threat that's becoming more prevalent every day: spreading malware through a compromised router. "Router malware is the ultimate man-in-the-middle attack. For all meaningful traffic sent through a compromised router that isn't HTTPS encrypted, it is 100% game over." He links to a thorough technical analysis of how even HTTPS encrypted traffic can be subverted. Atwood provides a list of suggestions for keeping your router safe that probably won't be any surprise to people reading this site, and he further recommends only browsing on an unknown router if encryption is available. What I'm curious about are the long-term implications — is there a way forward to re-establish trust in our router infrastructure? What can the open source community do to speed this along?

As reported by The Verge, the rule-makers of New Jersey have relented, and will now allow a slightly freer market for cars. Almost exactly one year after it was banned from selling its cars directly in New Jersey, Tesla will be back in business in the Garden State. Governor Chris Christie signed into law a bill this afternoon that reversed last year's ban. The new legislation comes with some limits. Tesla can only open a total of four direct sale dealerships and has to operate at least one service center. But it's a major win following a heated war of words that saw Tesla CEO Elon Musk compare local dealers to a mafia protection racket subverting the democratic process.

Nicola Hahn writes Yet another news report has emerged detailing how the CIA is actively subverting low-level encryption features in mainstream hi-tech products. Responding to the story, an unnamed intelligence official essentially shrugged his shoulders and commented that "there's a whole world of devices out there, and that's what we're going to do." Perhaps this sort of cavalier dismissal isn't surprising given that leaked classified documents indicate that government intelligence officers view iPhone users as 'Zombies' who pay for their own surveillance.

The past year or so of revelations paints a pretty damning portrait of the NSA and CIA. But if you read the Intercept's coverage of the CIA's subversion projects carefully you'll notice mention of Lockheed Martin. And this raises a question that hasn't received much attention: what role does corporate America play in all of this? Are American companies simply hapless pawns of a runaway national security state? Ed Snowden has stated that mass surveillance is "about economic spying, social control, and diplomatic manipulation. They're about power." A sentiment which has been echoed by others. Who, then, stands to gain from mass surveillance?

alphadogg writes: The contentious debate about net neutrality in the U.S. has sparked controversy over a lack of funding transparency for advocacy groups and think tanks, which critics say subverts the political process. News stories from a handful of publications in recent months have accused some think tanks and advocacy groups of "astroturfing" — quietly shilling for large broadband carriers. In a handful of cases, those criticisms appear to have some merit, although the term is so overused by people looking to discredit political opponents that it has nearly lost its original meaning. An IDG News Service investigation found that major groups opposing U.S. Federal Communications Commission reclassification and regulation of broadband as a public utility tend to be less transparent about their funding than the other side. Still, some big-name advocates of strong net neutrality rules also have limited transparency mechanisms in place.

An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.

New submitter chpoot writes: "The Guardian reveals the gender breakdown among Amazon's management 'S Team.' At one end of the team of 132 are 12 secretaries. All are female. At the other end are 12 who report directly to Jeff Bezos. All are male. Of the 119 remaining when Bezos and the secretaries are put to one side, 18 are female. Amazon, of course, grew out of book selling. Book selling, publishing, and writing have all a fairly admirable tradition of employing women. In its attempts to overthrow traditional book selling, Amazon seems to have been particularly successful in subverting that part of the tradition."

An anonymous reader writes "An internal audit conducted by the Los Angeles Police Department (LAPD) in March revealed that 'dozens of the [voice] transmitters worn by officers in Southeast Division were missing or damaged.' In the summer of 2013, this same division was found to have mysteriously lost 45% of the antennae placed on their cars to pick up the signals sent by their voice transmitters. The Southeast Division of the LAPD covers an area that has 'historically been marred by mistrust and claims of officer abuse.' For decades, the LAPD had been closely monitored by the U.S. Department of Justice, but a federal judge in 2013 decided to end that practice after being assured by the LAPD and city officials that the LAPD sufficiently monitors itself via dash-cams and voice transmitters. A formal investigation is currently being conducted to determine whether or not police officers intentionally subverted mandatory efforts to monitor and record their patrols."

Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further calling for a boycott of the conference, saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"