
Washington Post Says Use Linux To Avoid Bank Fraud

Posted by kdawson on Tuesday October 13, @10:27PM
from the just-common-sense dept.
security
christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."

EFF Warns TI Not To Harass Calculator Hobbyists

Posted by kdawson on Tuesday October 13, @08:24PM
from the right-to-tinker dept.
encryption
Ponca City, We love you writes "The EFF has warned Texas Instruments not to pursue legal threats against calculator hobbyists who perform modifications to the company's programmable graphing calculators. TI's calculators perform a 'signature check' that allows only approved operating systems to be loaded, but researchers have reverse-engineered signing keys, allowing tinkerers to install custom operating systems and unlock new functionality in the calculators' hardware. In response, TI has unleashed a torrent of demand letters claiming that the anti-circumvention provisions of the Digital Millennium Copyright Act require the hobbyists to take down commentary about and links to the keys. 'This is not about copyright infringement. This is about running your own software on your own device — a calculator you legally bought,' says EFF Civil Liberties Director Jennifer Granick. 'Yet TI still issued empty legal threats in an attempt to shut down discussion of this legitimate tinkering. Hobbyists are taking their own tools and making them better, in the best tradition of American innovation.'"

Details Emerge of 2006 Wal-Mart Hack

Posted by kdawson on Tuesday October 13, @07:29PM
from the if-sam-were-alive-he'd-be-spinning-in-his-grave dept.
security
plover writes "Kim Zetter of Wired documents an extensive hack of Wal-Mart that took place in 2005-2006. She goes into great detail about the investigation and what the investigators found, including that the hackers made copies of their point-of-sale source code, and that they ran l0phtCrack on a Wal-Mart server. 'Wal-Mart uncovered the breach in November 2006, after a fortuitous server crash led administrators to a password-cracking tool that had been surreptitiously installed on one of its servers. Wal-Mart's initial probe traced the intrusion to a compromised VPN account, and from there to a computer in Minsk, Belarus.' Wal-Mart has long since fixed the flaws that allowed the compromise, and confirmed that no customer data was lost in the hack — which is why they did not need to report the breach publicly earlier." This intrusion happened around the same time that Albert Gonzalez's gang was breaking into Marshall's and its parent company, TJX. The MO was quite similar: researching and closely targeting the point-of-sale systems in use. But the article notes that "There's no evidence Wired.com has seen linking Gonzalez to the Wal-Mart breach."

Entire .SE TLD Drops Off the Internet

Posted by timothy on Tuesday October 13, @12:01PM
from the absolut-typo dept.
internet
Icemaann writes "Pingdom and Network World are reporting that the SE tld dropped off the internet yesterday due to a bug in the script that generates the SE zone file. The SE tld has close to one million domains that all went down due to missing the trailing dot in the SE zone file. Some caching nameservers may still be returning invalid DNS responses for 24 hours."

Major Snow Leopard Bug Said To Delete User Data

Posted by kdawson on Monday October 12, @07:59PM
from the clean-as-the-driven-snow dept.
bug
inglishmayjer was one of several readers to send in the news of a major bug in Apple's new OS, 10.6 Snow Leopard, that can wipe out all user data for the administrator account. It is said to be triggered — not every time — by logging in to the Guest account and then back in to the admin account. Some users are reporting that all settings have been reset and most data is gone. The article links to a number of Apple forum threads up to a month old bemoaning the problem. MacFixIt suggests disabling login on the Guest account and, if you need that functionality, creating a non-administrative account named something like Visitor. (The Guest account is special in that its settings are wiped clean after logout.) CNet reports that Apple has acknowledged the bug and is working on a fix.

SSL Still Mostly Misunderstood, Even By the Pros

Posted by timothy on Monday October 12, @08:14AM
from the duh-it's-encrypted dept.
security
An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"

Server Failure Destroys Sidekick Users' Backup Data

Posted by timothy on Sunday October 11, @05:29AM
from the oh-well-enough-said dept.
bug
Expanding on the T-Mobile data loss mentioned in an update to an earlier story, reader stigmato writes "T-Mobile's popular Sidekick brand of devices and their users are facing a data loss crisis. According to the T-Mobile community forums, Microsoft/Danger has suffered a catastrophic server failure that has resulted in the loss of all personal data not stored on the phones. They are advising users not to turn off their phones, reset them or let the batteries die in them for fear of losing what data remains on the devices. Microsoft/Danger has stated that they cannot recover the data but are still trying. Already people are clamoring for a lawsuit. Should we continue to trust cloud computing content providers with our personal information? Perhaps they should have used ZFS or btrfs for their servers."

Why Cloud Storage Is Lousy For Enterprises (and Individuals)

Posted by timothy on Saturday October 10, @05:53PM
from the straw-for-the-ocean dept.
storage
storagedude points to this article at Enterprise Storage Forum which argues that cloud-based storage options have fatal limitations for both businesses and individuals: "The article makes the argument that high volumes of data and bandwidth limitations make external cloud storage all but useless for enterprises because it could take months to restore the data in a disaster. It also appears to be a consumer problem — the author spent three months replicating 1TB of home data via cable modem to an online backup service." Seems like those off-site incremental storage firms could dispatch a station wagon full of tapes, for enough money. Update: Here's another reason, for Sidekick users: reader 1ini was one of several to point out an alert from T-Mobile that "...personal information stored on your device — such as contacts, calendar entries, to-do lists or photos — that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger."

Windows Server Trusts Samba4 Active Directory

Posted by timothy on Saturday October 10, @02:42PM
from the honey-it's-not-that-you-don't-trust-me dept.
networking
Darren Ginter writes "A group of Samba v4 developers recently spent a week in Redmond to work with Microsoft on Active Directory interoperability(?!). The result? Windows Server will now join, trust and replicate a Samba-based Active Directory using Microsoft-native protocols. Although Samba v4 is still in the alpha stages, this is a huge step for open source. Or it could be a trap."

When Do You Fire a Headhunter?

Posted by ScuttleMonkey on Friday October 09, @04:51PM
from the truth-will-set-you-unemployed dept.
business
Captain Sarcastic writes "I have been a contract programmer for a few years (with some time off when a contract-for-hire paid off and made me a full-time employee). Currently, I'm between projects, but I'm a little worried about one of the contracting companies who's helping me. First off, a little history. "Zeke" (not his real name) was with ABC Contractors (not their real name) when I first met him, and he took my resume and started processing me through the jobs that ABC had available. A bit later, Zeke left, and his replacement Yvonne (standard disclaimer) submitted me to a company (call them "Acme") for a contract-for-hire. Everything looked like a good fit, and she E-mailed me a copy of the resume they submitted to Acme. Came the interview, I realized that Zeke had left out part of my history and had mis-dated other aspects, to keep me from appearing unemployed. Like an idiot, I tried to correct this at the interview, to find out that Acme had decided that I had fabricated all of my experience, and chewed out the rep for ABC for sending an unqualified applicant. Fine, learning experience for me — double-check what the contracting company says about you, and don't try to correct things in the middle of the interview." Read below for the rest of the story. What other difficulties have others gone through with headhunters and when is it time to leave one behind?
