Facebook

Did WhatsApp Backdoor Rumor Come From 'Unanswered Questions' and 'Leap of Faith' For Closed-Source Encryption Products? (forbes.com)

On Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from the EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."

Schneier has also added the words "This story is wrong" to his original blog post. "The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference." But that Forbes contributor has also responded, saying that he'd first asked Facebook three times about when they'd deploy the backdoor in WhatsApp -- and never received a response.

Asked again on July 25th the company's plans for "moderating end to end encrypted conversations such as WhatsApp by using on device algorithms," a company spokesperson did not dispute the statement, instead pointing to Zuckerberg's blog post calling for precisely such filtering in its end-to-end encrypted products including WhatsApp [apparently this blog post], but declined to comment when asked for more detail about precisely when such an integration might happen... [T]here are myriad unanswered questions, with the company declining to answer any of the questions posed to it regarding why it is investing in building a technology that appears to serve little purpose outside filtering end-to-end encrypted communications and which so precisely matches Zuckerberg's call. Moreover, beyond its F8 presentation, given Zuckerberg's call for filtering of its end-to-end encrypted products, how does the company plan on accomplishing this apparent contradiction with the very meaning of end-to-end encryption?

The company's lack of transparency and unwillingness to answer even the most basic questions about how it plans to balance the protections of end-to-end encryption in its products including WhatsApp with the need to eliminate illegal content reminds us the giant leap of faith we take when we use closed encryption products whose source we cannot review... Governments are increasingly demanding some kind of compromise regarding end-to-end encryption that would permit them to prevent such tools from being used to conduct illegal activity. What would happen if WhatsApp were to receive a lawful court order from a government instructing it to insert such content moderation within the WhatsApp client and provide real-time notification to the government of posts that match the filter, along with a copy of the offending content?

Asked about this scenario, Carl Woog, Director of Communications for WhatsApp, stated that he was not aware of any such cases to date and noted that "we've repeatedly defended end-to-end encryption before the courts, most notably in Brazil." When it was noted that the Brazilian case involved the encryption itself, rather than a court order to install a real-time filter and bypass directly within the client before and after the encryption process at national scale, which would preserve the encryption, Woog initially said he would look into providing a response, but ultimately did not respond.

Given Zuckerberg's call for moderation of the company's end-to-end encryption products and given that Facebook's on-device content moderation appears to answer directly to this call, Woog was asked whether its on-device moderation might be applied in future to its other end-to-end encrypted products rather than WhatsApp. After initially saying he would look into providing a response, Woog ultimately did not respond.

Here are the exact words from Zuckerberg's March blog post. It said Facebook is "working to improve our ability to identify and stop bad actors across our apps by detecting patterns of activity or through other means, even when we can't see the content of the messages, and we will continue to invest in this work."
Cloud

Ask Slashdot: Budget-Friendly Webcam Without a Cloud Service?

simpz writes: Does anyone know of a fairly inexpensive webcam that doesn't depend on a cloud service? A few years ago, you could buy a cheap webcam (with the usual pan/tilt and IR) for about $50 that was fully manageable from a web browser. Nowadays the web interfaces are limited in functionality (or non-existent), or you need a phone app that doesn't work well (maybe only working through a cloud service). I've even seen a few cheap ones that still need ActiveX to view the video in a web browser, really people!

I'd like to avoid a cloud service for privacy and to allow this to operate on the LAN with no internet connection present. Even a webcam where you can disable the cloud connection outbound would be fine and allow you to use it fully locally. I guess the issue is this has become a niche thing that the ease of a cloud service connection probably wins for most people, and other considerations don't really matter to them.

I had a brief look at a Raspberry Pi solution, but didn't see anything like a small webcam form factor (with pan/tilt etc). Alternatively, are there any third-party firmwares for commercial webcams (sort of an OpenWRT-, DD-WRT-, or LineageOS-style project for webcams) that could provide direct local access only via a web browser (and things like RTSP)?
Security

200 Million Devices -- Some Mission-Critical -- Vulnerable To Remote Takeover (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: About 200 million Internet-connected devices -- some that may be controlling elevators, medical equipment, and other mission-critical systems -- are vulnerable to attacks that give attackers complete control, researchers warned on Monday. In all, researchers with security firm Armis identified 11 vulnerabilities in various versions of VxWorks, a slimmed-down operating system that runs on more than 2 billion devices worldwide. Billed collectively as Urgent 11, the vulnerabilities consist of six remote code flaws and five less-severe issues that allow things like information leaks and denial-of-service attacks. None of the vulnerabilities affects the most recent version of VxWorks or any of the certified versions of the OS, including VxWorks 653 or VxWorks Cert Edition.

For the 200 million devices Armis estimated are running a version that's susceptible to a serious attack, however, the stakes may be high. Because many of the vulnerabilities reside in the networking stack known as IPnet, they can often be exploited by little more than boobytrapped packets sent from outside the Internet. Depending on the vulnerability, exploits may also be able to penetrate firewalls and other types of network defenses. The most dire scenarios are attacks that chain together multiple exploits that trigger the remote takeover of multiple devices. "Such vulnerabilities do not require any adaptations for the various devices using the network stack, making them exceptionally easy to spread," Armis researchers wrote in a technical overview. "In most operating systems, such fundamental vulnerabilities in the crucial networking stacks have become extinct, after years of scrutiny unravelled and mitigated such flaws."
VxWorks-maker Wind River says the latest release of VxWorks "is not affected by the vulnerability, nor are any of Wind Rivers' safety-critical products that are designed for safety certification, such as VxWorks 653 and VxWorks Cert Edition used in critical infrastructure."

Wind River issued patches last month and is in the process of notifying affected customers of the threat.
Mozilla

Mozilla Debuts Implementation of WebThings Gateway Open Source Router Firmware (venturebeat.com)

An anonymous reader shares a report: For the better part of two years, the folks at Mozilla have been diligently chipping away at Mozilla WebThings, an open implementation of the World Wide Web Consortium's (W3C) Web of Things standard for monitoring and controlling connected devices. In April, it gained a number of powerful logging, alarm, and networking features, and this week, a revamped component of WebThings -- WebThings Gateway, a privacy- and security-focused software distribution for smart home gateways -- formally debuted. Experimental builds of WebThings Gateway 0.9 are available on GitHub for the Turris Omnia router, with expanded support for routers and developer boards to come down the line. (Separately, there's a new build compatible with the recently announced Raspberry Pi 4.) Mozilla notes that it currently only offers "extremely basic" router configuration and cautions against replacing existing firmware, but the company says that it's a noteworthy milestone in its path to creating a full software distribution for wireless routers.
Facebook

Facebook Deceived Users About the Way It Used Phone Numbers, Facial Recognition, FTC To Allege in Complaint (washingtonpost.com)

The Federal Trade Commission plans to allege that Facebook misled users about its handling of their phone numbers as part of a wide-ranging complaint that accompanies a settlement ending the government's privacy probe, Washington Post reported Tuesday, citing two people familiar with the matter. From the report: In the complaint, which has not yet been released, federal regulators take issue with Facebook's earlier implementation of a security feature called two-factor authentication. It allows users to request a one-time password, sent by text message, each time they log onto the social-networking site. But some advertisers managed to target Facebook users who uploaded those contact details, perhaps without the full knowledge of those who provided them, the two sources said. The misuse of the phone numbers was first identified in media reports and by academics last year [PDF]. The FTC also plans to allege that Facebook had provided insufficient information to users -- roughly 30 million -- about their ability to turn off a tool that would identify and offer tag suggestions for photos, the sources added. The sources spoke on the condition of anonymity. The facial recognition issue appears to have first been publicized earlier this year by Consumer Reports.
Businesses

Have We Hit Peak Podcast? (nytimes.com)

There are now upward of 700,000 podcasts, according to the podcast production and hosting service Blubrry, with between 2,000 and 3,000 new shows launching each month. From a report: The frequency with which podcasts start (and then end, or "podfade," as it's coming to be known in the trade) has produced a degree of cultural exhaustion. We're not necessarily sick of listening to interesting programs; but we're definitely tired of hearing from every friend, relative and co-worker who thinks they're just an iPhone recording away from creating the next "Serial." "Anyone can start one and so anyone who thinks they can start one will do it," said Nicholas Quah, who runs an industry newsletter called Hot Pod. "It's like the business of me." "Being a podcast host plays into people's self-importance," said Karen North, a clinical professor of communication at the Annenberg School for Communication and Journalism at the University of Southern California. And it projects that importance to others. Public speaking and consulting gigs now often go to "the person who's the expert and has the podcast," she said.

People use all kinds of metrics to tout the popularity of their shows, whether it's the number of iTunes reviews they get or the total downloads they receive per month. These metrics mean different things and don't necessarily connote success. And as recent social media scandals have shown, popularity can be purchased. But Dr. North said that having a big audience doesn't necessarily matter. "When people interview experts, even if nobody ever listens to the podcast, hosts get the benefit of learning from and networking with the guest," she said. "It's a great stunt." Call him cynical, but Jordan Harbinger, host of "The Jordan Harbinger Show" podcast, thinks there is a "podcast industrial complex." Hosts aren't starting shows "because it's a fun, niche hobby," he said. "They do it to make money or because it will make them an influencer."

AT&T

Microsoft, AT&T Sign Cloud Deal Worth More Than $2 Billion (reuters.com)

Microsoft and AT&T on Wednesday said they reached a deal under which the telecommunications company will tap Microsoft's Azure cloud service for its computing needs and use Microsoft 365, which includes Office productivity software, for much of its 268,000-strong workforce. From a report: Under the deal, Microsoft and AT&T will also work together on so-called edge computing, which will see Microsoft technology deployed alongside AT&T's coming 5G network for applications that need extremely small delays in passing data back and forth, such as air traffic control systems for drones. The multi-year deal is worth more than $2 billion, according to a person familiar with the matter. The agreement is a major win for Microsoft, which will become AT&T's "preferred" cloud vendor and is fighting to gain market share from Amazon Web Services, the biggest provider of public cloud services. Cloud service customers run their software applications in data centers managed by the cloud provider. AT&T will remain responsible for its own core networking operations for cell phones and other devices. But John Donovan, chief executive of AT&T Communications, told Reuters the deal is a fundamental shift for the telecommunications provider to become "public cloud first," meaning that it will predominately rely on data centers built by others to power the rest of its business.
Google

Google Tries Social Networking Again, Challenging Facebook Events (theverge.com)

What's Google working on after shuttering Google+?

An anonymous reader quotes The Verge: Google's in-house incubator, Area 120, is working on a new social networking app called Shoelace which is aimed at organizing local events and activities. You use it by listing your interests in the app, allowing it to recommend a series of "hand-picked" local activities which it calls "Loops." You can also organize your own events, and there's a map interface to view and RSVP to other people's Loops.

Shoelace's soft-launch comes just months after Google shut down Google+, its most prominent attempt at building a social media platform. However, rather than trying to create a new all-encompassing social network to rival the likes of Facebook, Shoelace seems to have much more modest ambitions that take aim at Facebook's ubiquitous Events functionality...

[I]t's also only available in New York City at the moment; the team says it's hoping to expand to more cities across the US soon.

China

Apple Opens App Design and Development Accelerator in China (techcrunch.com)

Apple has opened a design and development accelerator in Shanghai -- its first for China -- to help local developers create better apps as the iPhone maker looks to scale its services business in one of its key overseas markets. From a report: At the accelerator, Apple has begun to hold regular lectures, seminars and networking sessions for developers, the company said this week. It is similar to an accelerator it opened in Bangalore about two years ago. In India, where Apple has about half a million app developers, the accelerator program has proven crucially useful, more than three dozen developers who have enrolled for the program have told TechCrunch over the years. Participation in the accelerator is free of cost. Apple said more than 2.5 million developers from greater China, which includes Taiwan and Hong Kong, actively build apps for its platform. These developers have earned more than $29 billion through App Store sales. More than 15% of Apple's revenue comes from greater China, according to official figures.
Network

D-Link To Undergo Security Audits For 10 Years as Part of FTC Settlement (zdnet.com)

D-Link has agreed to a settlement with the US Federal Trade Commission in regards to a 2017 lawsuit in which the US government agency accused the Taiwanese hardware maker of misrepresenting the security of its devices and ignoring vulnerability reports. From a report: As part of the settlement, D-Link has promised to implement a new software security program for its routers and Internet-connected cameras. The company has also agreed to subject itself to ten years of biennial security audits from a third-party, independent auditor. The FTC gets to choose the auditor, while D-Link got to decide the certifications the auditor must obtain before allowing it to review its security program.
Google

Google Internet Balloon Spinoff Loon Still Looking For Its Wings (reuters.com)

Google's bet on balloons to deliver cell service soon faces a crucial test amid doubts about the viability of the technology by some potential customers. From a report: Loon, the company behind the effort, says its balloons will reach Kenya in the coming weeks for its first commercial trial. The test with Telkom Kenya, the nation's No. 3 carrier, will let mountain villagers buy 4G service at market-rate prices for an undefined period. Kenya's aviation authority said its final approval would be signed this month. Hatched in 2011, Loon aims to bring connectivity to remote parts of the world by floating solar-powered networking gear over areas where cell towers would be too expensive to build.

Its tennis-court-sized helium balloons have demonstrated utility. Over the last three years, Loon successfully let wireless carriers in Peru and Puerto Rico use balloons for free to supplant cell phone towers downed by natural disasters. Kenyan officials are enthusiastic as they try to bring more citizens online. But executives at five other wireless carriers courted by Loon across four continents told Reuters that Loon is not a fit currently, and may never be. Those companies, including Telkom Indonesia, Vodafone New Zealand and French giant Orange, say Loon must demonstrate its technology is reliable, safe and profitable for carriers.

Cellphones

Nokia's CTO Accuses Huawei of Both 'Sloppiness' and 'Real Obfuscation' (bbc.com)

Nokia's CTO Marcus Weldon "told the BBC that the UK should be wary of using the Chinese hardware" -- though Nokia rushed to assure the BBC that Weldon's remarks do "not reflect the official position of Nokia."

Forbes reports: On the security front, Weldon referred to analysis suggesting Huawei equipment was far more likely to have vulnerabilities than technology from Nokia or Ericsson. "We read those reports and we think okay, we're doing a much better job than they are," Weldon said, describing Huawei's failings as serious and claiming Nokia's alternatives to be a safer bet. "Some of it seems to be just sloppiness, honestly, that they haven't patched things, they haven't upgraded. But some of it is real obfuscation, where they make it look like they have the secure version when they don't...."

The comments from Nokia's CTO came in light of research from Finite State, which published a scathing report claiming that "Huawei devices quantitatively pose a high risk to their users. In virtually all categories we examined, Huawei devices were found to be less secure than those from other vendors making similar devices." And this included the potential backdoors that lie at the heart of the U.S. government's security case against the Chinese company. "Out of all the firmware images analyzed, 55% had at least one potential backdoor," Finite State found. "These backdoor access vulnerabilities allow an attacker with knowledge of the firmware and/or with a corresponding cryptographic key to log into the device."

Nokia's later statement insisted that their company "is focused on the integrity of its own products and services and does not have its own assessment of any potential vulnerabilities associated with its competitors."
The Internet

Germany and the Netherlands To Build the First Ever Joint Military Internet (zdnet.com)

Government officials from Germany and the Netherlands have signed an agreement this week to build the first-ever joint military internet. From a report: The accord was signed on Wednesday in Brussels, Belgium, where NATO defense ministers met this week. The name of this new Dutch-German military internet is the Tactical Edge Networking, or TEN, for short. This is the first time two nations have merged parts of their military networks, and the project is viewed as a test for unifying other NATO members' military networks in the future. The grand master plan is to have NATO members share military networks, so new and improved joint standards can be developed and deployed across all NATO states. TEN will be headquartered in Koblenz, Germany, and there will also be a design and prototype center at the Bernard Barracks in Amersfoort, the Netherlands.
Businesses

Huawei Personnel Worked With China's Military on Research Projects (bloomberg.com)

Several Huawei employees have collaborated on research projects with Chinese armed forces personnel, indicating closer ties to the country's military than previously acknowledged by the smartphone and networking powerhouse, Bloomberg reported Thursday. From the report: Over the past decade, Huawei workers have teamed with members of various organs of the People's Liberation Army on at least 10 research endeavors spanning artificial intelligence to radio communications. They include a joint effort with the investigative branch of the Central Military Commission -- the armed forces' supreme body -- to extract and classify emotions in online video comments, and an initiative with the elite National University of Defense Technology to explore ways of collecting and analyzing satellite images and geographical coordinates. Those projects are just a few of the publicly disclosed studies that shed light on how staff at China's largest technology company teamed with the People's Liberation Army on research into an array of potential military and security applications.
Education

Two-Thirds of American Employees Regret Their College Degrees (cbsnews.com)

An anonymous reader quotes a report from CBS News: A college education is still considered a pathway to higher lifetime earnings and gainful employment for Americans. Nevertheless, two-thirds of employees report having regrets when it comes to their advanced degrees, according to a PayScale survey of 248,000 respondents this past spring that was released Tuesday. Student loan debt, which has ballooned to nearly $1.6 trillion nationwide in 2019, was the No. 1 regret among workers with college degrees. About 27% of survey respondents listed student loans as their top misgiving, PayScale said. College debt was followed by chosen area of study (12%) as a top regret for employees, though this varied greatly by major. Other regrets include poor networking, school choice, too many degrees, time spent completing education and academic underachievement. "Those with science, technology, engineering and math majors, who are typically more likely to enjoy higher salaries, reported more satisfaction with their degrees," the report adds. "About 42% of engineering grads and 35% of computer science grads said they had no regrets."

Those with the most regrets include humanities majors, who are least likely to earn higher pay post-graduation. "About 75% of humanities majors said they regretted their college education," the report says. "About 73% of graduates who studied social sciences, physical and life sciences, and art also said the same." Somewhere in the middle were 66% of business graduates, 67% of health sciences graduates and 68% of math graduates who said they regretted their education.
Facebook

How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today

Cloudflare issued a blog post explaining how Verizon sent a large chunk of the internet offline this morning after it wrongly accepted a network misconfiguration from a small ISP in Pennsylvania. The outages affected Cloudflare, Facebook, Amazon, and others. The Register reports: For nearly three hours, network traffic that was supposed to go to some of the biggest online names was instead accidentally rerouted through a steel giant based in Pittsburgh. More than 20,000 prefixes -- roughly two per cent of the internet -- were wrongly announced by regional U.S. ISP DQE Communications: this announcement informed the sprawling internet's backbone equipment to thread netizens' traffic through one of DQE's clients, steel giant Allegheny Technologies, a rerouting that was then, mindbogglingly, accepted and passed on to the world by Verizon, a trusted major authority on the internet's highways and byways. And so, systems around the planet automatically updated, and connections destined for Facebook, Cloudflare, and others, ended up going to Allegheny, which black holed the traffic.

Internet engineers suspect that a piece of automated networking software -- a BGP optimizer called Noction -- used by DQE was to blame for the problem. But even though these kinds of misconfigurations happen every day, there is significant frustration and even disbelief that a U.S. telco as large as Verizon would pass on this amount of incorrect routing information. The sudden, wrong, change should have been caught by filters and never accepted. [...] One key industry group called Mutually Agreed Norms for Routing Security (MANRS) has four main recommendations: two technical and two cultural for fixing the problem. The two technical approaches are filtering and anti-spoofing, which basically check announcements from other network operators to see if they are legitimate and remove any that aren't; and the cultural fixes are coordination and global validation -- which encourage operators to talk more to one another and work together to flag and remove any suspicious looking BGP changes. Verizon is not a member of MANRS.
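As an added illustration of the prefix filtering MANRS recommends (example code written for this page, not Cloudflare's, Verizon's or MANRS's own tooling), the sketch below applies an ingress filter to a peer's announcements: a route is kept only if it falls inside the prefixes that peer is authorised to originate and is not an over-specific split, and a max-prefix limit (a common router safeguard not named in the story) trips when a peer suddenly sends far more routes than expected. The peer name, prefix list, limits and announcements are all constructed.

```python
"""Illustrative BGP ingress filter for one downstream session.

Accept a peer's announcements only when they are covered by the prefixes that peer is
authorised to originate, reject more-specifics beyond the configured length, and flag the
session for reset if the accepted count exceeds a max-prefix limit.
"""
import ipaddress

# Constructed policy for a hypothetical downstream customer session. In practice the
# allowed list would be derived from IRR route objects and the customer's LOA.
PEER_POLICY = {
    "peer": "downstream-customer-A",  # hypothetical peer name
    "allowed": [
        ipaddress.ip_network("198.51.100.0/24"),
        ipaddress.ip_network("203.0.113.0/24"),
    ],
    "max_prefix_len": 24,  # refuse IPv4 routes more specific than /24
    "max_prefix": 5,       # reset the session if more than this many routes are accepted
}


def announcement_allowed(policy, prefix):
    """True if `prefix` is inside one of the peer's authorised prefixes and not too specific."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > policy["max_prefix_len"]:
        return False  # over-specific split, the pattern a route optimizer leak produces
    # subnet_of() only compares same-version networks, so guard the version first.
    return any(net.version == a.version and net.subnet_of(a) for a in policy["allowed"])


def filter_announcements(policy, announcements):
    """Apply the ingress filter to announced prefixes.

    Returns (accepted, rejected, session_reset), where session_reset is True when the
    accepted count breaches the peer's max-prefix limit.
    """
    accepted, rejected = [], []
    for prefix in announcements:
        (accepted if announcement_allowed(policy, prefix) else rejected).append(prefix)
    session_reset = len(accepted) > policy["max_prefix"]
    return accepted, rejected, session_reset


# Constructed announcements: the two prefixes the customer legitimately originates, a
# too-specific split of one of them, and a prefix that belongs to a third party.
SAMPLE_ANNOUNCEMENTS = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "198.51.100.0/25",
    "192.0.2.0/24",
]

if __name__ == "__main__":
    accepted, rejected, reset = filter_announcements(PEER_POLICY, SAMPLE_ANNOUNCEMENTS)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("max-prefix exceeded:", reset)
```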
China

US Considers Requiring 5G Equipment For Domestic Use Be Made Outside China (wsj.com)

The Trump administration is examining whether to require that next-generation 5G cellular equipment used in the U.S. be designed and manufactured outside China [Editor's note: the link may be paywalled; alternative source], WSJ reports, citing people familiar with the matter. The move could reshape global manufacturing and further fan tensions between the countries. From the report: A White House executive order last month to restrict some foreign-made networking gear and services due to cybersecurity concerns started a 150-day review of the U.S. telecommunications supply chain. As part of that review, U.S. officials are asking telecom-equipment manufacturers whether they can make and develop U.S.-bound hardware, which includes cellular-tower electronics as well as routers and switches, and software outside of China, the people said. The conversations are in early and informal stages, they said. The executive order calls for a list of proposed rules and regulations by the 150-day deadline, in October; so, any proposals may take months or years to adopt.

The proposals could force the biggest companies that sell equipment to U.S. wireless carriers, Finland's Nokia and Sweden's Ericsson, to move major operations out of China to service the U.S., which is the biggest market in the $250 billion-a-year global industry for telecom equipment and related services and infrastructure. There is no major U.S. manufacturer of cellular equipment. U.S. officials have long worried that Beijing could order Chinese engineers to insert security holes into technology made in China. They worry those security holes could be exploited for spying, or to remotely control or disable devices.

Hardware

Raspberry Pi 4 Featuring Faster CPU, Up To 4GB of RAM Launched (raspberrypi.org)

Raspberry Pi today introduced a new version of its popular line of single-board computers. The Raspberry Pi 4 Model B is the fastest Raspberry Pi ever, with the company promising "desktop performance comparable to entry-level x86 PC systems." The specifications are: A 1.5GHz quad-core 64-bit ARM Cortex-A72 CPU (~3x performance); 1GB, 2GB, or 4GB of LPDDR4 SDRAM; full-throughput Gigabit Ethernet; dual-band 802.11ac wireless networking; Bluetooth 5.0; two USB 3.0 and two USB 2.0 ports; dual monitor support, at resolutions up to 4K; VideoCore VI graphics, supporting OpenGL ES 3.x; 4Kp60 hardware decode of HEVC video; and complete compatibility with earlier Raspberry Pi products. It starts at $35.
Privacy

Spy Used AI-Generated Face To Connect With Targets (apnews.com)

Raphael Satter, writing for AP: Katie Jones sure seemed plugged into Washington's political scene. The 30-something redhead boasted a job at a top think tank and a who's-who network of pundits and experts, from the centrist Brookings Institution to the right-wing Heritage Foundation. She was connected to a deputy assistant secretary of state, a senior aide to a senator and the economist Paul Winfree, who is being considered for a seat on the Federal Reserve. But Katie Jones doesn't exist, The Associated Press has determined.

Instead, the persona was part of a vast army of phantom profiles lurking on the professional networking site LinkedIn. And several experts contacted by the AP said Jones' profile picture appeared to have been created by a computer program. Experts who reviewed the Jones profile's LinkedIn activity say it's typical of espionage efforts on the professional networking site, whose role as a global Rolodex has made it a powerful magnet for spies.
