Apparently, there may be yet another reason to be underwhelmed by the iPhone 5s: a lawyer named Marcia Hofmann, writing for Wired, offers the opinion that its fingerprint authentication might end up eroding a long-cherished legal right.

In this case it wouldn’t be the government chipping away at your statutory protections, but technology itself.

The protection that Hofmann thinks might be at risk relates to self-incrimination.

Many jurisdictions give you some sort of “right to silence” – in the USA, it’s usually known as the Fifth, because the Founding Fathers neglected to enshrine it in the original constitution, leaving it to be retrofitted in the so-called Fifth Amendment some three years later.

via Apple’s “Touch ID” fingerprint login – not everyone is cock-a-hoop about it | Naked Security.

At approximately 7:29 AM PDT today, we were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit. Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka “malvertisement”) that was linked via one of our third-party web services. The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users. More information on this third-party compromise (of video.js) can be found here.

via Darkleech Says Hello | FireEye Blog.

A long read about the cyber-security industrial complex:

In the eastern New Jersey suburbs, a train carrying radiological material is barreling toward a small town, and it is up to Pentagon cyber-operators to derail it. The town is the kind of idyllic whistle-stop hamlet where residents socialize at a cafe with complimentary Wi-Fi while surfing FaceSpace, a social networking site.

But danger lurks all around. Terrorists are using the open Wi-Fi connection to hack into the laptop of a patron who works at the hospital down the street. They plan to find the hospital codes stored in his computer to access the mayor’s medical records, in which they will change the dosage of a prescription the mayor refills regularly in an effort to poison him.

They have other nefarious future schemes, too: They will cut the power grid with a nasty cybervirus and destroy the local water supply by engineering a program to make it appear as though the reservoir is polluted. When employees dump chemicals into the water to fix the problem, they will inadvertently be doing just what the terrorists want: contaminating the water supply.

This model town – CyberCity – is one of the US military’s premier cyberwar simulators. Situated in a surprisingly unassuming suburban enclave, it is built with hobby shop-supplied model trains, miniature cellphone towers, and streetlights – all attached to a miniature power grid.

CyberCity is just a small town compressed onto an 8-by-10-foot plywood table. But its intricate electronic detail highlights the Pentagon’s growing effort to expand its offensive cyberwarfare skills in a bid to bolster the nation’s cybersecurity, through increasingly sophisticated and aggressive forays that have the potential to revolutionize the way America’s military fights wars.

via Cyber security: The new arms race for a new front line –

Note: I still hate the term cyber-security.

Working from home is increasingly common – but few firms address the risks to corporate data, according to new research from storage company Iron Mountain.

Iron Mountain claims that up to two-thirds of employees work from home in Europe at least part of the time – but a mere 18% of firms offer guidance on how to protect information outside the office, or even of what electronic data should not leave the office, according to a survey of 2,000 workers.

Just 17% of firms have a formal policy regarding working from home – and more than two thirds (67%) failed to provide secure access to company intranets, according to CBR Online’s report. One in four provide no equipment or training for home workers.

Dealing with sensitive data from home on unsecured machines carries many of the same risks as employees “bringing their own devices” to the workplace – known as BYOD. A recent report found that one in four employees used no security measures whatsoever on “BYOD” devices.

via Companies that allow home working “ignore security risks”, report claims – We Live Security.

It’s not that Microsoft doesn’t care. They put tremendous resources into updating their software. I asked about this latest pattern and Dustin Childs, Group Manager, Microsoft Trustworthy Computing, replied: “The quality of security updates is critical to our customers, and it is a high priority for us too. We are actively looking at where improvements can be made with the goal of reducing implantation issues, and we will remain transparent with our customers about security threats, protections and update issue resolution.” Below this article is an embedded video about Microsoft’s security updating process featuring Childs.

via Why all the errors in Microsoft updates lately? | ZDNet.

General Motors Co.’s new data center in Warren has received a unique environmental award for a facility of its kind.

The Detroit-based automaker Friday announced its Enterprise Data Center on its Warren Technical Center campus earned Gold certification by the U.S. Green Building Council’s LEED, or Leadership in Energy and Environmental Design, program.

Fewer than 5 percent of data centers in the U.S. achieve LEED certification, according to the building council. GM’s data hub on its Technical Center campus in the Detroit suburb is the company’s fifth LEED-certified facility and second brownfield project.

via GM’s Warren Enterprise Data Center achieves Gold certification from US Green Building Council |

Good on you, GM. It’s a nice benefit of their in-sourcing moves.

87 percent of IT professionals currently leveraging private cloud solutions indicate that their companies host clouds on-premises rather than with third-party providers, according to Metacloud. Reduced cost (38 percent) topped security (34 percent) as the reason respondents gave for deploying a private cloud.

via Most companies choose on-premise private cloud deployments.

The buzz marketing of public cloud continues at a brisk pace, at least in my anecdotal experience. I find the cost driver the surprise in this report, especially that it ranked higher than security. What I’m not surprised about is that people are starting to realize that there are hidden costs behind the public cloud. I didn’t know that realization had progressed so far, at least according to this one report.

Your mileage may vary.

More interesting is the prediction that phone thieves will lift their victims’ fingerprints and use them to bypass the readers. As German Interior Minister Wolfgang Schauble discovered, you leak your fingerprints all the time, and once your fingerprint has been compromised, you can’t change it. (Schauble was pushing for biometric identity cards; playful Chaos Computer Club hackers lifted his fingerprints off a water-glass after a debate and published 10,000 copies of them on acetate as a magazine insert).

via Why fingerprints make lousy authentication tokens – Boing Boing.

The security of Oracle’s Java software framework, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits, security researchers said.

The most visible sign of deterioration is in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6, Christopher Budd, threat communications manager at antivirus provider Trend Micro, wrote in a blog post published Tuesday. The version, which Oracle stopped supporting in February, is still used by about half of the Java user base, he said. Malware developers have responded by reverse engineering security patches issued for Java 7, and using the insights to craft exploits for the older version. Because Java 6 is no longer supported, those same flaws will never be fixed.

via Security of Java takes a dangerous turn for the worse, experts say | Ars Technica.

Interestingly, there are some useful lessons to be learned here – and they’re more about how to deal with technical issues well than they are about surveillance or digital snooping.

So, at the risk of receiving a Royal Rant from Torvalds himself (me for writing this, and you for reading it), let me explain.

Linux has a special file called /dev/random that doesn’t exist as a real file.

If you open it in a program, and read from it, you get a stream of pseudorandom numbers, generated right inside the kernel.

The idea of doing the work in the kernel is to end up with randomness of a very high quality.

via Rudest man in Linuxdom rants about randomness – “We actually know what we are doing. You don’t.” | Naked Security.

Fascinating read. If you know more about how Linux does random numbers I’d love additional information.

I’ll leave opinions about Mr. Torvalds to the readers.
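As an added example (not code from the Naked Security article or from the kernel), here is a small C program that reads the special file the excerpt describes the way a careful program should, and runs a coarse sanity check on what comes back. The function names, the 4096-byte buffer and the five-sigma bound are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
/* Fill buf with exactly len bytes from path (0 = success, -1 = failure). The loop
 * is needed because read(2) may return fewer bytes than asked or fail with EINTR. */
int read_random_bytes(const char *path, uint8_t *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;   /* a signal interrupted the read: retry */
            close(fd);
            return -1;
        }
        if (n == 0) break;                  /* EOF: never expected from /dev/random */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Coarse monobit check: the one-bit count should lie within about five standard
 * deviations (sqrt(bits)/2 each) of bits/2. Catches gross failures only (e.g. all zeros). */
int looks_balanced(const uint8_t *buf, size_t len)
{
    unsigned long ones = 0, bits = (unsigned long)len * 8;
    for (size_t i = 0; i < len; i++)
        ones += (unsigned long)__builtin_popcount(buf[i]);
    long dev = 2L * (long)ones - (long)bits;            /* 2*ones - bits */
    return (unsigned long)(dev * dev) <= 25UL * bits;   /* |dev| <= 5*sqrt(bits) */
}

/* Read len bytes (at most 4096) from path and sanity-check them: 1 = ok, 0 = failed. */
int check_device(const char *path, size_t len)
{
    uint8_t buf[4096];
    if (len > sizeof buf || read_random_bytes(path, buf, len) != 0) return 0;
    return looks_balanced(buf, len);
}

int main(void)
{
    int ok = check_device("/dev/random", 1024);
    printf("/dev/random: %s\n", ok ? "1024 bytes read, bit balance plausible" : "FAILED");
    return ok ? 0 : 1;
}
```

The monobit check is deliberately weak: it will flag a device that returns constant bytes, but passing it says nothing about whether the output is suitable for keys.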