Can we really trust IT?

Message boards : Politics : Can we really trust IT?
Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30648
Credit: 53,134,872
RAC: 32
United States
Message 1435872 - Posted: 31 Oct 2013, 3:10:02 UTC

http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html
The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

According to a top-secret accounting dated Jan. 9, 2013, the NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, the Government Communications Headquarters. From undisclosed interception points, the NSA and the GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.
...
In a statement, Google’s chief legal officer, David Drummond, said the company has “long been concerned about the possibility of this kind of snooping” and has not provided the government with access to its systems.
...
At Yahoo, a spokeswoman said, “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”

So, if you knew someone could do it (man in the middle), why did you allow (encourage?) them to do it?

Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30648
Credit: 53,134,872
RAC: 32
United States
Message 1437038 - Posted: 2 Nov 2013, 16:36:26 UTC

Martin's many eyeballs theory debunked ...
http://www.pcworld.com/article/2059580/opensource-software-projects-need-to-improve-vulnerability-handling-practices-researchers-say.html
Many open-source software developers need to improve the way in which they handle vulnerability reports, according to researchers from security firm Rapid7, who recently found and reported vulnerabilities in seven popular open-source software applications.

There’s a line of thought among some users that open-source software is more secure than commercial software because there are more people looking at the source code and providing feedback or because open-source projects can patch issues faster.

Rapid7 worked with Brandon Perry, an application security engineer and regular contributor to the Metasploit penetration testing framework, to test that theory, said Christian Kirsch, product marketing manager at Rapid7, in an interview Wednesday at the RSA Europe security conference in Amsterdam.

At the beginning of August, Perry selected seven of the most popular open-source web applications hosted on SourceForge.net and started looking for vulnerabilities in them. Within two weeks he found security flaws in all of them, Kirsch said.

The researcher found an issue that could allow remote-authenticated attackers to execute commands on the underlying operating system in six applications:


Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1437039 - Posted: 2 Nov 2013, 16:39:15 UTC - in response to Message 1437038.  

But did he find any within the O/S itself? That is the question.
ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20283
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1437045 - Posted: 2 Nov 2013, 16:58:16 UTC - in response to Message 1437038.  
Last modified: 2 Nov 2013, 16:58:50 UTC

Martin's many eyeballs theory debunked ...
http://www.pcworld.com/article/2059580/opensource-software-projects-need-to-improve-vulnerability-handling-practices-researchers-say.html
Many open-source software developers need to improve the way in which they handle vulnerability reports, according to researchers from security firm Rapid7, who recently found and reported vulnerabilities in seven popular open-source software applications.

There’s a line of thought among some users that open-source software is more secure than commercial software because there are more people looking at the source code and providing feedback or because open-source projects can patch issues faster.

Rapid7 worked with Brandon Perry, an application security engineer and regular contributor to the Metasploit penetration testing framework, to test that theory, said Christian Kirsch, product marketing manager at Rapid7, in an interview Wednesday at the RSA Europe security conference in Amsterdam.

At the beginning of August, Perry selected seven of the most popular open-source web applications hosted on SourceForge.net and started looking for vulnerabilities in them. Within two weeks he found security flaws in all of them, Kirsch said.

The researcher found an issue that could allow remote-authenticated attackers to execute commands on the underlying operating system in six applications:
So... In comparison, what does that say about proprietary software where all the warts are hidden behind a shield of "don't look" and there is never enough time and resource to ever do the development properly? Or worse, with the Marketing compromises often imposed of shove it out the door before ready/finished...


In FLOSS, the predominant driver for anything 'of interest' is for excellence. There is also a lot of 'try and see' stuff. Anything 'important' does get the eyeballs to make it all secure and robust. As proven by the main projects.


Cherry-picking is easy for any story you wish to conjure up... What's important is what works well...

IT is very much what we make it...
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30648
Credit: 53,134,872
RAC: 32
United States
Message 1437105 - Posted: 2 Nov 2013, 21:25:09 UTC - in response to Message 1437045.  

Anything 'important' does get the eyeballs to make it all secure and robust. As proven by the main projects.

"Main projects?" Top 7 projects here and 100% fail.

What were you saying? That the "main projects" are the bottom 7 projects?

Sorry, Martin. People are people. FLOSS or proprietary doesn't make any difference. Still human.

The reality you refuse to confront is a project is no better than its worst coder. Toss more people at it and the likelihood of bad code actually goes up, not down.

ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20283
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1437409 - Posted: 3 Nov 2013, 16:51:32 UTC - in response to Message 1437115.  

The reality you refuse to confront is a project is no better than its worst coder.

Or put another way, a chain is only as strong as its weakest link.

Hence the great power of open peer review.


Despite your banal troll protestations, the power of peer review has made Linux world beating and world leading.

IT is very much what we make it,
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1444930 - Posted: 21 Nov 2013, 6:00:09 UTC

Careful what you watch.....

Smart TV's spy on you
James Sotherden
Joined: 16 May 99
Posts: 10436
Credit: 110,373,059
RAC: 54
United States
Message 1444953 - Posted: 21 Nov 2013, 8:08:14 UTC - in response to Message 1444930.  

Careful what you watch.....

Smart TV's spy on you

I've often wondered if the DVR from my cable company knows what show I'm watching or have recorded. I believe they do know.
You don't hear anything about Nielsen ratings anymore. So the networks must have a deal with the TV show studios on what is going down.

Old James
Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1452796 - Posted: 11 Dec 2013, 15:49:30 UTC
Last modified: 11 Dec 2013, 15:49:58 UTC

Can we really trust the muppets that use I.T. in retail businesses?

Zavvi threatens "legal action"

Totally agree that the items should be returned but if I got a letter like that, I would return it, but only after getting them to turn up for collection on XXXXXX amount of times before I "suddenly became" available for home collection!

"A heavy handed approach to ensure mistakenly delivered goods are returned will at best bring out a Machiavellian streak in a small group of people and at worst damage the reputation of the business to loyal honest customers - its core source of profit - who are now being told by the business that 'we don't trust you'."

Wonder how much profit they'll make this Xmas?
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.