Skype's redesign launched last year was met with mixed reviews, but the company is forging ahead by rolling out a number of its new features to other platforms, including the desktop. From a report: Microsoft today is launching Skype version 8.0 that will replace version 7.0 (aka Skype classic), the latter which will no longer function after September 1, 2018. The new release introduces a variety of features, including HD video and screen-sharing in calls, support for @mentions in chats, a chat media gallery, file and media sharing up to 300 MB, and more. It will also add several more features this summer, including most notably, supported for encrypted audio calls, texts, and file sharing as well as built-in call recording. The 8.0 release follows on the update to Skype desktop that rolled out last fall, largely focusing on upgrading the visual elements of new design, like the color-coding in chat messages and "reaction" emojis. This release also included the chat media gallery and file sharing support, which are touted as new today, but may have already hit your desktop.

You asked questions, we've got the answers!

Christine Peterson is a long-time futurist who co-founded the nanotech advocacy group the Foresight Institute in 1986. One of her favorite tasks has been contacting the winners of the institute's annual Feynman Prize in Nanotechnology, but she also coined the term "Open Source software" for that famous promotion strategy meeting in 1998.

Christine took some time to answer questions from Slashdot readers.

An anonymous reader quotes a report from The Verge: Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone's passcode and evade Apple's usual encryption safeguards.

If you go to Settings and check under Face ID (or Touch ID) & Passcode, you'll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device -- shutting out cracking tools like GrayKey as a result. If you've got accessories that you want to continue working after your iPhone has been sitting locked for awhile, you can toggle the option on to remove the hour limit. Apple's wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.

Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes: A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....

If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.

• The web is an open platform, not a corporate platform.

• It is defined by its stability. 25-plus years and it's still going strong.

• Google is a guest on the web, as we all are. Guests don't make the rules.

"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."

Senator Ron Wyden (D-OR) has managed to get Tinder to encrypt the photos sent between its servers and its app. The 69-year-old Senator wrote a letter to Tinder back in February requesting that the company encrypt photos. They apparently already implemented the feature, but "waited to write back to Wyden until it also adjust a separate security feature that makes all swipe data the same size," reports The Verge. "The size of the swipe data was used by security researchers to differentiate actions from one another. That change wasn't implemented until June 19th."

wiredmikey writes: The Wi-Fi Alliance, the organization responsible for maintaining Wi-Fi technology, announced the launch of the WPA3 security standard. The latest version of the Wi-Fi Protected Access (WPA) protocol brings significant improvements in terms of authentication and data protection.

WPA3 has two modes of operation: Personal and Enterprise. WPA3-Personal's key features include enhanced protection against offline dictionary attacks and password guessing attempts. WPA3-Enterprise provides 192-bit encryption for extra security, improved network resiliency, and greater consistency when it comes to the deployment of cryptographic tools.

Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says. iTWire reports: The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs. Former NSA hacker Jake Williams said on Twitter that a fix would probably need changes to the core operating system and were likely to involve "a ton of work to mitigate (mostly app recompile)." But de Raadt was not so sanguine. "There are people saying you can change the kernel's process scheduler," he told iTWire on Monday. "(It's) not so easy."

He said that Williams was lacking all the details and not thinking it through. "They actually have sufficient detail to think it through: the article says the TLB is shared between hyperthreading CPUs, and it is unsafe to share between two different contexts. Basically you can measure evictions against your own mappings, which indicates the other process is touching memory (you can determine the aliasing factors)." De Raadt said he was still not prepared to say more, saying: "Please wait for the paper [which is due in August]."

Mark Wilson writes: When it comes to messaging tools, people have started to show greater interest in whether encryption is used for security, and the same for websites -- but not so much with email. Thanks to the work of the Electronic Frontier Foundation, however, email security is being placed at the top of the agenda. The privacy group today announces STARTTLS Everywhere, its new initiative to improve the security of the email ecosystem. STARTTLS is an addition to SMTP, and while it does not add end-to-end encryption, it does provide hop-to-hop encryption, which is very much a step in the right direction. In a blog post, EFF elaborates SMARTTLS for the uninitiated, and outlines how it worked around some of the tech's underlying challenges: There are two primary security models for email transmission: end-to-end, and hop-to-hop. Solutions like PGP and S/MIME were developed as end-to-end solutions for encrypted email, which ensure that only the intended recipient can decrypt and read a particular message. Unlike PGP and S/MIME, STARTTLS provides hop-to-hop encryption (TLS for email), not end-to-end. Without requiring configuration on the end-user's part, a mailserver with STARTTLS support can protect email from passive network eavesdroppers. For instance, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won't be able to see the contents of messages, and will need more targeted, low-volume methods. In addition, if you are using PGP or S/MIME to encrypt your emails, STARTTLS prevents metadata leakage (like the "Subject" line, which is often not encrypted by either standard) and can negotiate forward secrecy for your emails.

A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote.

An anonymous reader writes: Linux 4.18 development is going strong with recent 4.18-rc1 release. This kernel cycle has dropped 107,210 lines of code so far but Linux 4.18 is adding many new features. The kernel is coming in lighter as a result of the LustreFS code being removed and other code cleanups. On the feature front, Phoronix reports, "ew AMDGPU support improvements, mainlining of the V3D DRM driver, initial open-source work on NVIDIA Volta GV100 hardware, merging of the Valve Steam Controller kernel driver, merging of the BPFILTER framework, ARM Spectre mitigation work, Speck file-system encryption support, removal of the Lustre file-system, the exciting restartable sequences system call was merged, the new DM writecache target, and much more."

Steven J. Vaughan-Nichols, writing for ZDNet: The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system. Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "it allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

This vulnerability exists because modern CPUs include many registers (internal memory) that represent the state of each running application. Saving and restoring this state when switching from one application to another takes time. As a performance optimization, this may be done "lazily" (i.e., when needed) and that is where the problem hides. This vulnerability exploits "lazy state restore" by allowing an attacker to obtain information about the activity of other applications, including encryption operations. Further reading: Twitter thread by security researcher Colin Percival, BleepingComputer, and HotHardware.

Digital IDs should be brought in to end online anonymity that permits "mob rule" and lawlessness online, the security minister of United Kingdom has said. From a report: Ben Wallace said authentication used by banks could also by employed by internet firms to crack down on bullying and grooming, as he warned that people had to make a choice between "the wild west or a civilised society" online. He also took aim at the "phoniness" of Silicon Valley billionaires, and called for companies such as WhatsApp to contribute to society over the negative costs of their technology, such as end-to-end encryption. It comes after Theresa May took another step against tech giants, saying they would be ordered to clamp down on vile attacks against women on their platforms. The prime minister will target firms such as Facebook and Twitter as she makes the pitch at the G7 summit this weekend, where she will urge social media firms to treat violent misogyny with the same urgency as they do terror threats. Mr Wallace told The Times: "A lot of the bullying on social media and the grooming is because those people know you cannot identify them. It is mob rule on the internet. You shouldn't be able to hide behind anonymity."

The Russian government is asking Apple to help it block Telegram by removing it from the country's App Store. Mac Rumors reports: A Russian court in April ordered carriers and internet providers in the country to block Telegram back in April, after Telegram refused to provide Russia with backdoor access to user messages. Despite issuing the block order back in April, Russia has only been able to disrupt Telegram's operations in the country by 15 to 30 percent. Given the government's inability to block the app, Roskomnadzor, the division of the government that controls media and telecommunications, has demanded that Apple remove the Telegram app from the Russian App Store. The group first asked Apple to remove the app in April, but is appealing to Apple again.

"In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company's further actions to resolve the problematic issue," the regulator wrote. Roskomnadzor has given Apple one month to remove the Telegram app from the App Store. Roskomnadzor's director Alexander Zharov said he did not want to "forecast further actions" should Apple not comply with the request following the 30 day period.

An anonymous reader writes: Back in 2013, the halcyon days of at-home Bitcoin mining, staffers in the WIRED San Francisco office turned on one of Butterfly Labs' mining machines and let it whir away, amassing a horde of 13 bitcoins -- now worth $100,000. But today we have nothing to show for our efforts. What happened to our loot?

The same thing that has happened to millions of other unfortunate miners, actually: We lost our private key, a 64-digit string of random numbers that not one of us remembers. And we've got basically no chance of recovering it: "Originally I was going to say that the closest metaphor I have is that we dropped a car key somewhere in the Atlantic," says Stefan Antonowicz, WIRED's then-head of engineering. "But I think it's closer for me to say we dropped the key somewhere between here and the Alpha Centauri."

Shaun Nichols, reporting for The Register: A group of German researchers have devised a method to thwart the VM security in AMD's server chips. Dubbed SEVered (PDF), the attack would potentially allow an attacker, or malicious admin who had access to the hypervisor, the ability to bypass AMD's Secure Encrypted Virtualization (SEV) protections.

The problem, say Fraunhofer AISEC researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, is that SEV, which is designed to isolate VMs from the prying eyes of the hypervisor, doesn't fully isolate and encrypt the VM data within the physical memory itself.

It has been nearly two weeks since researchers unveiled "EFAIL," a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. The Intercept reports that developers of email clients and encryption plugins are still scrambling to come up with a permanent fix. From the report: Apple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard. The day the EFAIL paper was published, GPGTools instructed users to workaround EFAIL by changing a setting in Apple Mail to disable loading remote content. Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was "easy to mitigate" by disabling the loading of remote content in GPGTools. But even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL.

I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote content loading is disabled (German security researcher Hanno Bock also deserves much of the credit for this exploit, more on that below). I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon.

mi shares a report from The Washington Post (Warning: source may be paywalled; alternative source): The FBI has repeatedly provided grossly inflated statistics to Congress and the public about the extent of problems posed by encrypted cellphones, claiming investigators were locked out of nearly 7,800 devices connected to crimes last year when the correct number was much smaller, probably between 1,000 and 2,000.

Over a period of seven months, FBI Director Christopher A. Wray cited the inflated figure as the most compelling evidence for the need to address what the FBI calls "Going Dark" -- the spread of encrypted software that can block investigators' access to digital data even with a court order. "The FBI's initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,'' the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.

Long-time Slashdot reader CrtxReavr shares a report from ZDNet: Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies. "Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," said Arvind Krishna, director of IBM Research... Quantum computers can solve some types of problems near-instantaneously compared with billions of years of processing using conventional computers... Advances in novel materials and in low-temperature physics have led to many breakthroughs in the quantum computing field in recent years, and large commercial quantum computer systems will soon be viable and available within five years...

In addition to solving tough computing problems, quantum computers could save huge amounts of energy, as server farms proliferate and applications such as bitcoin grow in their compute needs. Each computation takes just a few watts, yet it could take several server farms to accomplish if it were run on conventional systems.
The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"

An anonymous reader quotes a report from Wired: The ubiquitous email encryption schemes PGP and S/MIME are vulnerable to attack, according to a group of German and Belgian researchers who posted their findings on Monday. The weakness could allow a hacker to expose plaintext versions of encrypted messages -- a nightmare scenario for users who rely on encrypted email to protect their privacy, security, and safety. The weakness, dubbed eFail, emerges when an attacker who has already managed to intercept your encrypted emails manipulates how the message will process its HTML elements, like images and multimedia styling. When the recipient gets the altered message and their email client -- like Outlook or Apple Mail -- decrypts it, the email program will also load the external multimedia components through the maliciously altered channel, allowing the attacker to grab the plaintext of the message.

The eFail attack requires hackers to have a high level of access in the first place that, in itself, is difficult to achieve. They need to already be able to intercept encrypted messages, before they begin waylaying messages to alter them. PGP is a classic end-to-end encryption scheme that has been a go-to for secure consumer email since the late 1990s because of the free, open-source standard known as OpenPGP. But the whole point of doing the extra work to keep data encrypted from the time it leaves the sender to the time it displays for the receiver is to reduce the risk of access attacks -- even if someone can tap into your encrypted messages, the data will still be unreadable. eFail is an example of these secondary protections failing.

The three biggest PC OEMs -- Dell, HP, and Lenovo -- are now offering AMD Ryzen PRO mobile and desktop accelerated processing units (APUs) with built-in Radeon Vega graphics in a variety of commercial systems. There are a total of seven new APUs -- three for the mobile space and four for the desktop. As AMD notes in its press release, the first desktops to ship with these latest chips include: the HP Elitedesk G4 and 285 Desktop, the Lenovo ThinkCentre M715, and the Dell Optiplex 5055. ZDNet's Adrian Kingsley-Hughes writes about what makes Ryzen PRO so appealing: Ryzen PRO has been built from the ground up to focus on three pillars -- power, security and reliability. Built-in security means integrated GuardMI technology, an AES 128-bit encryption engine, Windows 10 Enterprise Security support, and support for fTPM/TPM 2.0 Trusted Platform Module. One of the features of Ryzen PRO that AMD hopes will appeal to commercial users is the enterprise-grade reliability that the chips come backed with, everything from 18-moths of planned software availability, 24-months processor availability, a commercial-grade QA process, 36-moth warranty, and enterprise-class manageability.

There are no worries on the performance front either, with the Ryzen PRO with Vega Graphics being the world's fastest processor currently available for ultrathin commercial notebooks, with the AMD Ryzen 7 PRO 2700U offering up to 22 percent more productivity performance than Intel's 8th-generation Core i7-8550U in testing carried out by AMD. AMD has also designed the Ryzen PRO processors to be energy-efficient, enabling up to 16 hours of battery life in devices, or 10.5 hours of video playback. The Ryzen PRO with Vega Graphics desktop processors are also no slouches, opening up a significant performance gap when compared to Intel Core i5 8400 and Core i3 8100 parts. AMD also announced that it is sampling its second-generation Threadripper 2900X, 2920X and 2950X products. "For Threadripper Gen2 you can expect a refresh of the current line-up; an 8-core Threadripper 2900X, a 12-core Threadripper 2920X and of course a 16-core Threadripper 2950X," reports Guru3D.com. "AMD will apply the same Zen+ tweaks to the processors; including memory latency optimizations and higher clock speeds."

AMD has something for the datacenter enthusiasts out there too. Epyc, AMD's x86 server processor line based on the company's Zen microarchitecture, has a new promo video, claiming more performance, more security features, and more value than Intel Xeon. The company plans to market Epyc in an aggressive head-to-head format similar to how T-Mobile campaigns against Verizon and AT&T. Given Intel Xeon's 99% market share, they sort of have to...