Open Source

Mutt 1.5.24 Released 37

kthreadd writes: Version 1.5.24 of the Mutt email client has been released. New features in this release include, among other things, terminal status-line (TS) support, a new color object 'prompt', the ability to encrypt postponed messages, and opportunistic encryption, which automatically enables/disables encryption based on message recipients. SSLv3 is now also disabled by default.
Encryption

Browser Makers To End RC4 Support In Early 2016 40

msm1267 writes: Google, Microsoft and Mozilla today announced they've settled on an early 2016 timeframe to permanently deprecate the shaky RC4 encryption algorithm in their respective browsers. Mozilla said Firefox's shut-off date will coincide with the release of Firefox 44 on Jan. 26. Google and Microsoft said that Chrome and Internet Explorer 11 (and Microsoft Edge) respectively will also do so in the January-February timeframe. Attacks against RC4 are growing increasingly practical, rendering the algorithm more untrustworthy by the day.
Encryption

Turkey Arrests Journalists For Using Encryption 144

An anonymous reader sends news that three employees of Vice News were arrested in Turkey because one of them used an encryption system on his personal computer. That particular type of encryption has been used by the terrorist organization known as the Islamic State, so the men were charged with "engaging in terrorist activity." The head of a local lawyers association said, "I find it ridiculous that they were taken into custody. I don't believe there is any accuracy to what they are charged for. To me, it seems like an attempt by the government to get international journalists away from the area of conflict." The Turkish government denied these claims: "This is an unpleasant incident, but the judiciary is moving forward with the investigation independently and, contrary to claims, the government has no role in the proceedings."
Bitcoin

Beyond Bitcoin: How Business Can Capitalize On Blockchains 68

snydeq writes: Bitcoin's widely trusted ledger offers intriguing possibilities for business use beyond cryptocurrency, writes InfoWorld's Peter Wayner. "From the beginning, bitcoin has assumed a shadowy, almost outlaw mystique," Wayner writes. "Even the mathematics of the technology are inscrutable enough to believe the worst. The irony is that the mathematical foundations of bitcoin create a solid record of legitimate ownership that may be more ironclad against fraud than many of the systems employed by businesses today. Plus, the open, collaborative way in which bitcoin processes transactions ensures the kind of network of trust that is essential to any business agreement."
Open Source

Linux Kernel 4.2 Released 141

An anonymous reader writes: The Linux 4.2 kernel is now available. This kernel is one of the biggest kernel releases in recent times and introduces rewrites of some of the kernel's Intel Assembly x86 code, new ARM board support, Jitter RNG improvements, queue spinlocks, the new AMDGPU kernel driver, NCQ TRIM handling, F2FS per-file encryption, and many other changes to benefit most Linux users.
Privacy

Tech Nightmares That Keep Turing Award Winners Up At Night 82

itwbennett writes: At the Heidelberg Laureate Forum in Germany this week, RSA encryption algorithm co-inventor Leonard Adleman, "Father of the Internet" Vint Cerf, and cryptography innovator Manuel Blum were asked "What about the tech world today keeps you up at night?" And apparently they're not getting a whole lot of sleep these days. Cerf is predicting a digital dark age arising from our dependence on software and our lack of "a regime that will allow us to preserve both the content and the software needed to render it over a very long time." Adleman worries about the evolution of computers into "their own species" — and our relation to them. Blum's worries, by contrast, lean more towards the slow pace at which computers are taking over: "'The fact that we have brains hasn't made the world any safer,' he said. 'Will it be safer with computers? I don't know, but I tend to see it as hopeful.'"
Encryption

Jeb Bush Comes Out Against Encryption 494

An anonymous reader writes: Presidential candidate Jeb Bush has called on tech companies to form a more "cooperative" arrangement with intelligence agencies. During a speech in South Carolina, Bush made clear his opinion on encryption: "If you create encryption, it makes it harder for the American government to do its job — while protecting civil liberties — to make sure that evildoers aren't in our midst." He also indicated he felt the recent scaling back of the Patriot Act went too far. Bush says he hasn't seen any indication the bulk collection of phone metadata violated anyone's civil liberties.
Intel

Intel's Collaborative Cancer Cloud, an Open Platform For Genome-Based Treatments 16

Lucas123 writes: Intel and the Knight Cancer Institute have announced what will be an open-source service platform, called the Collaborative Cancer Cloud. The platform will enable healthcare facilities to securely share patient genomic data, radiological imagery and other healthcare-related information for precision treatment analysis. Key to averting HIPAA privacy issues will be Intel's Trusted Execution Technology, its embedded server encryption hardware that tests the authenticity of a platform and its operating system before sharing data. Intel said it will be opening that technology up for use by any clinic that wants to take part in the Collaborative Cancer Cloud or to build its own data-sharing network with healthcare partners. Dr. Brian Druker, director of the Knight Cancer Institute, said the Trusted Execution Technology will allow healthcare centers to maintain control of patient data, while also allowing clinics around the world to use it for vastly faster genomic analysis.
Encryption

Engaging Newbies In Email Encryption and Network Privacy 83

reifman writes: All six parts of my series introducing beginners to PGP encryption and network privacy are now freely available. I hope it's useful for Slashdot readers to share with their less-technical acquaintances. There's an introduction to PGP, a guide to email encryption on the desktop, smartphone and in the browser, an introduction to the emerging key sharing and authentication startup, Keybase.io, and an intro to VPNs. There's a lot more work for us to do in the ease of use of communications privacy but this helps people get started more with what's available today.
Businesses

Wuala Encrypted Cloud-Storage Service Shuts Down 128

New submitter craigtp writes: Wuala, one of the more trusted cloud-storage services that employed encryption for your files, is shutting down. Users of the service will have until 15th November 2015 to move all of their files off the service before all of their data is deleted. From the announcement: "Customers who have an active prepaid annual subscription will be eligible to receive a refund for any unused subscription fees. Your refund will be calculated based on a termination date effective from today’s date, even though the full service will remain active until 30 September 2015 and your data will be available until 15 November 2015. Refunds will be automatically processed and issued to eligible customers in coming weeks. Some exceptions apply. Please visit www.wuala.com for more information."
Network

The Network Is Hostile 124

An anonymous reader writes: Following this weekend's news that AT&T was as friendly with the NSA as we've suspected all along, cryptographer Matthew Green takes a step back to look at the broad lessons we've learned from the NSA leaks. He puts it simply: the network is hostile — and we really understand that now. "My take from the NSA revelations is that even though this point was 'obvious' and well-known, we've always felt it more intellectually than in our hearts. Even knowing the worst was possible, we still chose to believe that direct peering connections and leased lines from reputable providers like AT&T would make us safe. If nothing else, the NSA leaks have convincingly refuted this assumption." Green also points out that the limitations on law enforcement's data collection are technical in nature — their appetite for surveillance would be even larger if they had the means to manage it. "...it's significant that someday a large portion of the world's traffic will flow through networks controlled by governments that are, at least to some extent, hostile to the core values of Western democracies."
Communications

Clinton Surrendering Email Server/Data To Feds After Top Secret Mail Found 676

An anonymous reader writes: Hillary Clinton's lawyer has surrendered three thumb drives with copies of emails from her server to the Justice Department, which is also where the controversial Clinton personal email server is destined as well. The FBI determined that Clinton's lawyer could no longer retain the thumb drives after two emails from a small sample were found to contain information classified as "Top Secret/Sensitive Compartmented Information," which would also taint the server. There is no evidence that encryption was used to protect the emails. From the limited reviews to date, Secretary Clinton and her aides exchanged emails containing classified information with at least six people with private email addresses. So far four of Clinton's top aides have turned over emails to the State Department, and there are demands that six more do so. The State Department's inspector general has stated that his office is reviewing "the use of personal communications hardware and software by five secretaries of state and their immediate staffs." Current U.S. Secretary of State John Kerry has stated, "it is very likely" that China and Russia are reading his emails.
Encryption

OpenSSH 7.0 Released 75

An anonymous reader writes: Today the OpenSSH project maintainers announced the release of version 7.0. This release is focusing on deprecating weak and unsafe cryptographic methods, though some of the work won't be complete until 7.1. This release removes support for the following: the legacy SSH v1 protocol, the 1024-bit diffie-hellman-group1-sha1 key exchange, ssh-dss, ssh-dss-cert-* host and user keys, and legacy v00 cert format. There were also several bug fixes, security tweaks, and new features. In the next release, they plan to retire more legacy cryptography. This includes refusing RSA keys smaller than 1024 bits, disabling MD5-based HMAC algorithms, and disabling these ciphers: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
Encryption

Prosecutors Op-Ed: Phone Encryption Blocks Justice 392

New submitter DaDaDaaaaa writes: The New York Times features a joint op-ed piece by prosecutors from Manhattan, Paris, London and Spain, in which they decry the default use by Apple and Google of full disk encryption in their latest smartphone OSes (iOS 8 and Android Lollipop, respectively). They talk about the murder scene of a father of six, where an iPhone 6 and a Samsung Galaxy S6 Edge were found.

"An Illinois state judge issued a warrant ordering Apple and Google to unlock the phones and share with authorities any data therein that could potentially solve the murder. Apple and Google replied, in essence, that they could not — because they did not know the user's passcode. The homicide remains unsolved. The killer remains at large."

They make a case for lawmakers to force Apple and Google to include backdoors into their smartphone operating systems. One has to wonder about the legitimate uses of full disk encryption, which can protect good people from harm, and them from having their privacy needlessly intruded upon.
Security

2.4 Million Customers' Records Stolen From Carphone Warehouse 51

AmiMoJo writes: The UK's data watchdog is "making inquiries" after Carphone Warehouse said the personal details of up to 2.4 million of its customers may have been accessed in a cyber-attack. Details taken include names, addresses and bank account details. Additionally, 90,000 people's "encrypted" credit card details were accessed, but there is no word on what type of encryption was used. Customers are advised to contact their banks (who I'm sure will be ready to handle 2.4 million phone calls), keep an eye on credit records and contact Action Fraud, the UK police's outsourced and rather useless fraud reporting centre that last month went bankrupt.
Encryption

Linux Servers' Entropy Pool Too Shallow, Compromising Security 111

The BBC reports that Black Hat presenters Bruce Potter and Sasha Woods described at this year's Black Hat Briefings a security flaw in Linux servers: too few events are feeding the entropy pool from which random numbers are drawn, which leaves the systems "more susceptible to well-known attacks." Unfortunately, [Potter] said, the entropy of the data streams on Linux servers was often very low because the machines were not generating enough raw information for them. Also, he said, server security software did little to check whether a data stream had high or low entropy. These pools often ran dry leaving encryption systems struggling to get good seeds for their random number generators, said Mr Potter. This might mean they were easier to guess and more susceptible to a brute force attack because seeds for new numbers were generated far less regularly than was recommended. Update: 08/10 01:05 GMT by T : Please note that Sasha Woods' name was mis-reported as Sasha Moore; that's now been changed in the text above.
Security

The Internet of Compromised Things 62

An anonymous reader writes: Jeff Atwood has a post about a security threat that's becoming more prevalent every day: spreading malware through a compromised router. "Router malware is the ultimate man-in-the-middle attack. For all meaningful traffic sent through a compromised router that isn't HTTPS encrypted, it is 100% game over." He links to a thorough technical analysis of how even HTTPS encrypted traffic can be subverted. Atwood provides a list of suggestions for keeping your router safe that probably won't be any surprise to people reading this site, and he further recommends only browsing on an unknown router if encryption is available. What I'm curious about are the long-term implications — is there a way forward to re-establish trust in our router infrastructure? What can the open source community do to speed this along?
Communications

How Boing Boing Handled an FBI Subpoena Over Its Tor Exit Node 104

An anonymous reader writes: Cory Doctorow has posted an account of what happened when tech culture blog Boing Boing got a federal subpoena over the Tor exit node the site had been running for years. They received the subpoena in June, and the FBI demanded all logs relating to the exit node: specifically, "subscriber records" and "user information" for everybody associated with the exit node's IP address. They were also asked to testify before a federal grand jury. While they were nervous at first, the story has a happy ending. Their lawyer sent a note back to the FBI agent in charge, explaining that the IP address in question was an exit node. The agent actually looked into Tor, realized no logs were available, and cancelled the request. Doctorow considers this encouraging for anyone who's thinking about opening a new exit node: "I'm not saying that everyone who gets a federal subpoena for running a Tor exit node will have this outcome, but the only Tor legal stories that rise to the public's attention are the horrific ones. Here's a counterexample: Fed asks us for our records, we say we don't have any, fed goes away."
Microsoft

Microsoft Creates a Quantum Computer-Proof Version of TLS Encryption Protocol 128

holy_calamity writes: When (or if) quantum computers become practical they will make existing forms of encryption useless. But now researchers at Microsoft say they have made a quantum-proof version of the TLS encryption protocol we could use to keep online data secure in the quantum computing era. It is based on a mathematical problem very difficult for both conventional and quantum computers to crack. That tougher math means data moved about 20 percent slower in comparisons with conventional TLS, but Microsoft says the design could be practical if properly tuned up for use in the real world.
Communications

Questioning the Dispute Over Key Escrow 82

Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?