The Defense Department is building a massive information-sharing system detailing national security personnel and individuals cleared for accessing U.S. secrets, to flag who among them might be potential turncoats or other "insider threats."

TRUSTe Privacy Seal

In its default configuration, the CJRS web service (either deployed as an executable jar, or a war file in a servlet container) is configured to use the SLURM JobExecutionService, and directly invokes ‘srun’, ‘sbatch’, and ‘salloc’ commands that are available on the host it is running on.A natural consequence of this is that SLURM jobs are submitted using the same user ID as owner of the CJRS web service process. For the purposes of training and demonstration, it is recommended to deploy the application so that it runs as a single, unprivileged user created specifically for the purpose of training. In theory, however, anybody who obtains the executable jar file may run it on a machine they have access to, bound to some random high port exclusive to that user, allowing it to launch SLURM jobs on their behalf via the REST API.

The Finnish government is currently drawing up plans to introduce a national basic income. A final proposal won’t be presented until November 2016, but if all goes to schedule, Finland will scrap all existing benefits and instead hand out €800 ($870) per month—to everyone.

In Firefox, one can disable Content Security Policy by changing security.csp.enable to false in about:config

Researchers have discovered a potentially catastrophic flaw in one of the Internet's core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them.

Raj: Now, we are back to the feeling of the need for relief, aren’t we, Paul? Which simply means you feel a need to withdraw. We may stop talking in this fashion, but you don’t have to stop checking to see if I am here, and listening for my response. Just notice the feeling of the need for withdrawal into privateness—without judgment. But be aware of it. I will tell you that you can tolerate the active connection longer, and I want you to remember that the reason we are talking is because of your choice. It is not because I am forcing myself upon you. You do not need to withdraw from me. That is the excuse, but the excuse can only make sense if you can be distracted from the fact that you reached out for the connection. You are not, in fact, withdrawing from my embrace of you. You are withdrawing into privateness that does not allow you to experience the fact that you are embracing always! The suggestion is that you are shutting me out. But know that you are shutting yourself in—self-protective withdrawal into isolation for security that doesn’t constitute security, but which constitutes incarceration.

A TOP-SECRET document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear.

Representatives of the White House seemed to listen attentively, but shared little about their thoughts. They maintained that President Obama’s position has not changed in the last few months. While they seemed well aware of our concerns about the technical infeasibility of inserting backdoors, they didn’t necessarily share them. That worried us a great deal.

"There has always been a tension in the intelligence community between the intel side that wants to exploit the information from social media and the operational or the policy community that wants to do something to shut it down," Mike Flynn, who directed the Defense Intelligence Agency from 2012 to 2014

Apple CEO Tim Cook has repeatedly and strongly criticized those in government who have demanded backdoors, explaining: “You can’t have a back door in the software because you can’t have a back door that’s only for the good guys.” And a representative of many of the large tech companies recently remarked: “Weakening security with the aim of advancing security simply does not make sense.” Eighty-five percent of cybersecurity experts recently surveyed by Politico called backdoors “a bad idea”. (We know, for example, the NSA in particular loves to prey on foreign phone companies’ backdoors.)

The Senate’s recently passed bill, known as the Cybersecurity Information Sharing Act (CISA), is expected to serve as the basis for the finished language. The compromise text will also likely include elements from a bill that originated in the House Intelligence Committee, observers said.This completed product would mostly sideline the privacy advocate-preferred bill from the House Homeland Security Committee. They believe the Homeland Security bill includes the strongest provisions to protect people’s sensitive data from falling into the NSA's hands.Specifically, the Homeland Security bill would give the greatest role to the Department of Homeland Security (DHS) for collecting cyber threat data from the private sector and disseminating it throughout the government.It’s believed the DHS is best suited to scrub data sets of personal information.

"It makes zero sense to lock up this information forever," said Jeremiah Grossman, who founded cybersecurity firm WhiteHat Security. "Certainly there are past breaches that the public should know about, is entitled to know about, and that others can learn from."

It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden iframe element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.

The call for backdoors is nothing new. During my career in the private sector, I’ve seen requests to backdoor encryption software so as to please potential investors, and have seen people in the field who appeared to stand for secure software balk under the excuse of “if that’s what the customer wants,” even if it results in irreparable security weaknesses. I’ve had well-intentioned intelligence officers ask me informally, out of honest curiosity, why it is that I would refuse to insert backdoors. The issue is that cryptography depends on a set of mathematical relationships that cannot be subverted selectively. They either hold completely or not at all. It’s not something that we’re not smart enough to do; it’s something that’s mathematically impossible to do. I cannot backdoor software specifically to spy on jihadists without this backdoor applying to every single member of society relying on my software.

All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks.

Another provision of the proposed Investigatory Powers Bill is that internet service providers (ISPs) must retain a record of all the websites you visit (more specifically, all the IP addresses you connect to) for one year. This appears to be another measure to weaken privacy while strengthening security – but in fact, it is harmful to both privacy and security. In order to maintain a record of every website you have visited in the last year, the ISP must store that information somewhere accessible. Information that is stored somewhere accessible will sooner or later be stolen by attackers.

I’ll say it again, to be absolutely clear: any mechanism that can allow law enforcement legitimate access to data can inevitably be abused by hostile foreign intelligence services, and even technically sophisticated individuals, to break into systems and gain unauthorised access to the same data.

If the law enforcement services can remotely break into the device of a suspect, then sooner or later criminals will find ways to use the same mechanism to break into devices and steal or destroy your personal data.

Any method that provides exceptional access immediately exposes the system to attacks by malicious parties, rendering the protection of encryption essentially worthless. Exceptional access would probably require that government departments have some kind of master keys that allowed them to decrypt any communication if required. Those master keys would obviously have to be kept extremely secret: if they were to become public, the entire security infrastructure of the internet would crumble into dust. How good are government agencies at keeping secrets?

Every three years, the Librarian of Congress issues new rules on Digital Millennium Copyright Act exemptions. Acting Librarian David Mao, in an order (PDF) released Tuesday, authorized the public to tinker with software in vehicles for "good faith security research" and for "lawful modification." The decision comes in the wake of the Volkswagen scandal, in which the German automaker baked bogus code into its software that enabled the automaker's diesel vehicles to reduce pollutants below acceptable levels during emissions tests.

Do you have a question or comment that involves "security" and "hashids" in the same sentence? Don't use Hashids. Here are some ways to decode:

RFC 7235 - Access Authentication Framework RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication

It’s primarily from data and not their algorithms that powerful companies currently derive their advantages, and the only way to curb that power is to take the data completely out of the market realm, so that no company can own them. Data would accrue to citizens, and could be shared at various social levels. Companies wanting to use them would have to pay some kind of licensing fee, and only be able to access attributes of the information, not the entirety of it.

But if you turn data into a money-printing machine for citizens, whereby we all become entrepreneurs, that will extend the financialization of everyday life to the most extreme level, driving people to obsess about monetizing their thoughts, emotions, facts, ideas—because they know that, if these can only be articulated, perhaps they will find a buyer on the open market. This would produce a human landscape worse even than the current neoliberal subjectivity. I think there are only three options. We can keep these things as they are, with Google and Facebook centralizing everything and collecting all the data, on the grounds that they have the best algorithms and generate the best predictions, and so on. We can change the status of data to let citizens own and sell them. Or citizens can own their own data but not sell them, to enable a more communal planning of their lives. That’s the option I prefer.

This criterion requires an independent security review has been performed within the 12 months prior to evaluation. This review must cover both the design and the implementation of the app and must be performed by a named auditing party that is independent of the tool's main development team. Audits by an independent security team within a large organization are sufficient. Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place.

AppArmor

http://bouncycastle.org/download/bcprov-jdk16-146.jar

We need an authenticity infrastructure when there is no way to have advance knowledge of what SSL certificate a client should expect to see, but your app knows where it will be connecting, and it knows exactly what it should expect.

Google is already doing this. They have an “app” called Chrome, and when their app makes SSL connections to their own services, it checks to make sure that the certificates it sees are the ones it knows Google is using. They call this “pinning,” and you should do it for your mobile apps.

Much as it is not the criminal defense lawyer's place to judge their client regardless of how guilty they are, it is not the doctor's place to force experimental treatment upon a patient regardless of how badly the research is needed, and it is not the priest's place to pass worldly judgement on their flock, it is not the programmer's place to try and decide whether the user is using the software in a "good" way or not.