Encryption

Encrypted Messaging App Signal Uses Google To Bypass Censorship (pcworld.com) 87

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too. From a report on PCWorld: Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked. The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon. The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.
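To make the last point concrete, here is an added illustration (written for this edit, not code from the PCWorld report, from Signal or from Open Whisper Systems) of what a passive network monitor can and cannot read on a fronted connection. The only host name that crosses the wire in cleartext is the Server Name Indication (SNI) in the TLS ClientHello, which names the front domain; the HTTP `Host` header naming the real destination is sent only after the handshake, inside encrypted application-data records. `build_client_hello` assembles a minimal TLS 1.2 ClientHello (one cipher suite, one extension, not a full handshake) and `extract_sni` parses it the way an inspection box would; the host names are placeholders.

```python
import os
import struct
from typing import Optional

# Constructed example: a minimal TLS ClientHello carrying an SNI, plus the
# parser a passive monitor would use to read it. Host names are placeholders.
TLS_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose SNI names server_name."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + os.urandom(32)                       # client random
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                          # compression_methods: null only
        + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None.

    This is all an on-path observer gets in cleartext: the HTTP request that
    follows the handshake (Host header included) is inside encrypted records.
    """
    if len(record) < 9 or record[0] != TLS_HANDSHAKE or record[5] != HANDSHAKE_CLIENT_HELLO:
        return None
    pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                      # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    if pos + 2 > len(record):
        return None                             # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SERVER_NAME:
            p = pos + 2                         # skip server_name_list length
            while p + 3 <= pos + ext_len:
                name_type = record[p]
                name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return record[p:p + name_len].decode("ascii")
                p += name_len
        pos += ext_len
    return None


def build_fronted_request(real_host: str, path: str = "/") -> bytes:
    """The plaintext HTTP request that exists only inside the TLS tunnel.

    The front (the CDN) routes on this Host header; the monitor never sees it.
    """
    return f"GET {path} HTTP/1.1\r\nHost: {real_host}\r\nConnection: close\r\n\r\n".encode("ascii")


if __name__ == "__main__":
    front, real = "front.example", "fronted.example"   # placeholders
    hello = build_client_hello(front)
    print("cleartext SNI seen on the wire:", extract_sni(hello))
    print("request carried only inside TLS:", build_fronted_request(real))
```

The parser is the same logic a monitoring sensor uses to log SNI per flow; it shows why, without TLS termination, a filter that matches on host names can only ever act on the front domain.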
Social Networks

After Insisting For Years That Facebook Is Not a Media Company, Zuckerberg Says Just Not a 'Traditional' One (cnet.com) 52

Mark Zuckerberg is still trying to explain what his company does. The Facebook CEO said in August that the social-networking giant had no ambitions of being a content provider, insisting that Facebook is "a tech company, not a media company." On Wednesday, he appeared to retreat a bit on that statement, painting a slightly different portrait of his company during a Live video chat with Facebook COO Sheryl Sandberg. From a report on CNET: "Facebook is a new kind of platform," Zuckerberg said during the video chat. "It's not a traditional technology company. It's not a traditional media company. You know, we build technology and we feel responsible for how it's used. We don't write the news that people read on the platform, but at the same time we also know that we do a lot more than just distribute the news, and we're an important part of the public discourse." His comments come amid increased criticism that Facebook's news feed algorithms -- the software that picks the first posts you see -- sometimes fan the flames of "fake news" and allow misinformation to thrive. Numerous allegations have been made that fake news shared on Facebook helped Trump win -- a suggestion Zuckerberg initially called "a pretty crazy idea."
Crime

Hotbed of Cybercrime Activity Tracked Down To ISP In Region Where Russia Is Invading Ukraine (bleepingcomputer.com) 70

An anonymous reader writes: Last week, WordPress security firm WordFence revealed it detected over 1.65 million brute-force attacks originating from an ISP in Ukraine that generated more malicious traffic than GoDaddy, OVH, and Rostelecom, put together. A week later, after news of WordFence's findings came to light, Ukrainian users have tracked down the ISP to a company called SKS-Lugan in the city of Alchevs'k, in an area controlled by pro-Russian forces in eastern Ukraine. All clues point to the fact that the ISP's owners are using the chaos created by the Russian military intervention in Ukraine to host cyber-crime operations on their servers. Some of the criminal activities the ISP hosts, besides servers for launching brute-force attacks, include command-and-control servers for the Locky ransomware, [email, comment, and forum] spam botnets, illegal streaming sites, DDoS stressers, carding sites, several banking trojans (Vawtrak, Tinba), and infostealers (Pony, Neurevt). UPDATE 12/22/16: The headline and summary have been updated to reflect the fact that Ukraine is fighting a Russian invasion, and is not in a "civil war," as mentioned in the source.
Canada

Canada's CRTC Declares Broadband Internet Access a Basic Service (www.cbc.ca) 48

New submitter jbwiebe quotes a report from CBC.ca: The Canadian Radio-television and Telecommunications Commission (CRTC) has declared broadband internet a basic telecommunications service. In a ruling handed down today, the national regulator ordered the country's internet providers to begin working toward boosting internet service and speeds in rural and isolated areas. With today's ruling, CRTC has set new targets for internet service providers to offer customers in all parts of the country download speeds of at least 50 megabits per second (Mbps) and upload speeds of at least 10 Mbps, and to also offer the option of unlimited data. The CRTC estimates two million Canadian households, or roughly 18 per cent, don't have access to those speeds or data. The CRTC's goal is to reduce that to 10 per cent by 2021. To achieve that, the CRTC will require providers pay into a fund that's set to grow to $750 million over five years. The companies will be able to dip into that fund to help pay for the infrastructure needed to extend high-speed service to areas where it is not currently available. The fund is similar to one that subsidized the expansion of local landline telephone service in years past. Providers used to pay 0.53 per cent of their revenues, excluding broadband, into that fund. Now they'll pay the same rate on all revenues, including broadband.
Software

A Ham Radio Software Company Has Been Blacklisting Users For Leaving Negative Reviews (theregister.co.uk) 177

Gandalf_the_Beardy quotes a report from The Register: The Register reports on the story of Jim Giercyk, an amateur radio enthusiast who had his copy of the popular Ham Radio Deluxe (HRD) software revoked after posting a negative review. Other radio hams have followed up with us regarding claims that this was not an isolated incident and others may have had their license keys blacklisted for being publicly critical of the company. And just to be clear: by blackballing keys, installed copies of the software stop working. Giercyk, a professional musician in South Carolina, U.S., says that after his dealings with HRD Software (which has since reinstated his software key) and the statement made by the developer's co-owner Dr Michael Carper, he takes issue with claims made by the company. Giercyk, aka N2SUB, told us on Tuesday: "The issue is not the refusal of service, the issue is that HRD disabled my software, and then offered to enable it in exchange for the removal of an online review of their product. It's extortion, not refusal of service." Giercyk also said that since he went public about his blacklisting last week, he has received messages from other users who have stories of their software keys being revoked by HRD without their knowledge for speaking up about having a bad support experience. A number of other readers pointed out a collection of bad reviews posted on hobbyist site eHam by customers who had their license keys blacklisted. HRD told us some of those users could have written their assessments after requesting a refund and deactivating their software, thus their licenses will appear revoked. Meanwhile, Reddit threads and follow-up discussions to Giercyk's catalyst forum post reveal similar stories of keys being revoked after critical comments about Ham Radio Deluxe have appeared online. Other sources allege some amateur radio forums have in the past deleted posts critical of HRD.
Social Networks

Using Multiple Social Networks May Lead To Depression and Anxiety, Says Study (dailydot.com) 119

An anonymous reader quotes a report from Daily Dot: The more social media you use, the higher the likelihood that you'll be anxious or depressed. At least according to the University of Pittsburgh Center for Research on Media, Technology and Health. In a study published online this month with more than 1,700 millennial adults, it found people who report using seven to 11 social media platforms had more than three times the risk of depression or anxiety than millennials who use zero to two platforms. The participants were asked about the most popular social media platforms in 2014, the year the study was conducted, which included Facebook, YouTube, Twitter, Google Plus, Instagram, Snapchat, Reddit, Tumblr, Pinterest, Vine, and LinkedIn. Those who used more than seven platforms showed higher levels of depressive symptoms, even when researchers controlled for factors like race, gender, relationship status, household income, education, and total time spent on social media. Brian A. Primack, lead author of the study, notes that the correlation is not certain. He told PsyPost: "It may be that people who suffer from symptoms of depression or anxiety, or both, tend to subsequently use a broader range of social media outlets. For example, they may be searching out multiple avenues for a setting that feels comfortable and accepting. However, it could also be that trying to maintain a presence on multiple platforms may actually lead to depression and anxiety. More research will be needed to tease that apart."
Blackberry

BlackBerry Unveils Autonomous Vehicle Hub In Canada (venturebeat.com) 37

BlackBerry's Unix-like OS, QNX, is already in millions of cars. But today they're expanding their facility in Ottawa "to focus on developing advanced driver assistance and autonomous vehicle technology," according to Reuters. And one analyst says "If they can prove that they have the whole package and the security, they could absolutely dominate the market." After a detour where QNX's industrial-focused software was used to reinvent the now-discarded BlackBerry phone operating system, BlackBerry is focused on how its embedded software interacts with the explosion of sensors, cameras and other components required for a car to drive itself... "What QNX is doing is providing the infrastructure that allows you to build higher-level algorithms and to also acquire data from the sensors in a reliable manner," said Sebastian Fischmeister, a University of Waterloo associate professor who has worked with QNX since 2009.
Instead of focussing on AI, BlackBerry wants "a niche role as a trusty sidekick," Reuters reports, adding that besides a recent deal with Ford, BlackBerry is also holding advanced discussions with "more than one or two" major automakers, according to the head of the company.
Networking

Ubuntu Survey Discovers 'Consumers Are Terrible' About Updating Their IoT Devices (ubuntu.com) 181

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.

They'll be publishing their complete findings in a new paper in January.
Education

The Linux Foundation Offers 50% Discounts On Training (linuxfoundation.org) 39

An anonymous reader writes: The non-profit association that sponsors Linus Torvalds' work on Linux also offers self-paced online training and certification programs. And now through December 22, they're available at a 50% discount. "Make learning Linux and other open source technologies your New Year's Resolution this holiday season," reads a special page at LinuxFoundation.org. There's training in Linux security, networking, and system administration, as well as software-defined networking and OpenStack administration. (Plus a course called "Fundamentals Of Professional Open Source Management," and two certification programs that can make you a Linux Foundation-certified engineer or system administrator.)
And if you order right now, they'll also give you a free mug with a penguin on it.
Security

Netgear Releases 'Beta' Patches For Additional Routers Found With Root Vulnerability (netgear.com) 26

The Department of Homeland Security's CERT issued a warning last week that users should "strongly consider" not using some models of Netgear routers, and the list expanded this week to include 11 different models. Netgear's now updated their web page, announcing eight "beta" fixes, along with three more "production" fixes. chicksdaddy writes: The company said the new [beta] firmware has not been fully tested and "might not work for all users." The company offered it as a "temporary solution" to address the security hole. "Netgear is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible," the company said in a post to its online knowledgebase early Tuesday.

The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious "arbitrary command injection" vulnerability in the latest version of firmware used by a number of Netgear wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site... The vulnerability was discovered by an individual...who says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.

Facebook

Germany Threatens To Fine Facebook Over Hate Speech (go.com) 321

An anonymous reader quotes a report from ABC News: German officials are stepping up their criticism of Facebook, saying the social network is doing too little to stop hate speech and could face stiff fines unless it deletes illegal content faster. In an interview published Friday, Justice Minister Heiko Maas said his ministry was checking whether it would be possible to make social networking sites legally liable for illegal posts. Germany has seen a sharp increase in vitriolic posts on social media in recent years amid a heated public debate over the influx of more than a million migrants since the start of 2015. The country has laws against speech deemed to be racist, defamatory or inciting violence -- a response to Germany's Nazi legacy. But authorities have struggled with the deluge of often anonymous postings on foreign-owned websites. Thomas Oppermann, a senior lawmaker in Maas' Social Democratic Party, told German weekly Der Spiegel that dominant social media sites like Facebook could be required to delete illegal posts within 24 hours or face fines up to 500,000 euros ($522,000). Facebook also could be compelled to distribute corrections that reach the same number of people as the original post, Oppermann suggested, something traditional media companies in Germany are already required to do.
Data Storage

Dropbox Kills Public Folders, Users Rebel (ndtv.com) 158

New submitter rkagerer writes: Dropbox unleashed a tidal wave of user backlash yesterday when it announced plans to eradicate its Public folder feature in 2017. Criticism from users whose links will break surfaced on Reddit, HackerNews and its own forums. Overnight, customers up-voted a feature request to reverse the decision, skyrocketing it to a "Top 10" position on the company's tracker. joemck explains: "There are countless users who have been using the public folder to post images and files in blogs and forums. These aren't just worthless jokes and memes that nobody will miss if you flip the switch and break all of them. These are often valuable resources that users have created and entrusted to you to retain and keep online." One user even created a comic strip for the occasion, with another concerned the URL he registered with the Coast Guard containing potentially lifesaving information will go dark. Although the feature was deprecated in 2012, it remained in place for existing users. The company provides an alternative sharing method, but some users claim it's not as convenient and doesn't provide direct links. According to the announcement, free accounts have until March 15 to update their links, while the lights will go out for paid accounts on September 1. UPDATE 12/17/16: Slashdot reader rkagerer notes, "Dropbox quietly killed the feature request after this story hit the front page, but the original content can still be found interleaved in the forum discussion."
AT&T

AT&T's DirecTV Now Plagued With Outages and Sports Blackouts (arstechnica.com) 42

An anonymous reader quotes a report from Ars Technica: Barely two weeks after AT&T launched DirecTV Now, the online streaming service's customers have already been hit by multiple outages, unexpected blackouts of live local sports games, and missing channels. There was an outage of about three hours last night and a two-hour outage Friday night, TVPredictions reported today. "DirecTV Now's customers said they couldn't log onto the streaming service, or they were suddenly met with a blank screen if already watching," the report said. The "Error Message 30" article tells customers that they may be suffering from "an intermittent or weak Internet connection," but in this case the problem was on DirecTV's end. "Tuesday evening we experienced an issue that prevented some customers from streaming on DirecTV Now," AT&T told Ars today. "The issue has since been resolved and we're seeing normal streaming levels at this time. We thank our customers for their patience." Even when DirecTV Now works, availability of live sports games hasn't lived up to what the company promised. There appear to be technical problems affecting local games, but licensing restrictions may be limiting availability as well. This past Sunday, some DirecTV Now subscribers in cities such as San Francisco, Tampa Bay, and Atlanta could not watch NFL games on local Fox channels due to a technical problem, TVPredictions reported in another article.
Software

Windows 10 Update Broke DHCP, Knocked Users Off the Internet (arstechnica.com) 256

Microsoft has quietly fixed a software update it released last week, which effectively prevented Windows 10 users from connecting to the Internet or joining a local network. From a report on ArsTechnica: It's unclear exactly which automatic update caused the problem or exactly when it was released -- current (unconfirmed) signs point to KB3201845 released on December 9 -- but whatever it was appeared to break DHCP (Dynamic Host Configuration Protocol), preventing Windows 10 from automatically acquiring an IP address from the network. There's also little detail on how many people were affected or why, but multiple cases have been confirmed across Europe by many ISPs. A Microsoft spokesperson has meanwhile confirmed that "some customers" had been experiencing "difficulties" getting online, but that's about it for public statements at present. However, a moderator on the company's forums has said the fix was included in a patch released on Tuesday called KB3206632.
Wireless Networking

Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers (securityledger.com) 147

"By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT. Slashdot reader chicksdaddy quotes Security Ledger's story about certain models of Netgear's routers: Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited "community reports" that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable... The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned.

With no workaround for the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.

Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."
Botnet

A 'Turkish Hacker' Is Giving Out Prizes For DDoS Attacks (csoonline.com) 33

Security firm Forcepoint has discovered a DDoS competition which requires participants to install DDoS software that contains a backdoor. An anonymous reader quotes CSO: A hacker in Turkey has been trying to encourage distributed denial-of-service attacks by making it into a game, featuring points and prizes for attempting to shut down political websites... Users that participate will be given a tool known as Balyoz, the Turkish word for Sledgehammer, that can be used to launch DDoS attacks against a select number of websites... The attack tool involved is designed to only harass 24 political sites related to the Kurds, the German Christian Democratic Party -- which is led by Angela Merkel -- and the Armenian Genocide, and others... Forcepoint noticed that the DDoS attack tool given to the participants also contains a backdoor that will secretly install a Trojan on the computer.
Windows

New Bug In Windows 10 Anniversary Update Brings Wi-Fi Disconnects (infoworld.com) 191

Some Windows 10 PCs are now experiencing sudden drops in their Wi-Fi connections, with the Network Diagnostics tool reporting "Wi-Fi doesn't have a valid IP configuration." An anonymous reader quotes InfoWorld's Woody Leonhard: I've heard from many people who blame the Wi-Fi disconnect on Friday's KB 3201845, the patch (which still isn't documented on the Win10 update history site) that brings version 1607 up to build 14393.479. It's unlikely that the new patch brought on the bug because the large influx of complaints started on December 7 -- two days before the patch...

Speculation at this point says the disconnect results when a machine performs a fast startup, setting the machine's IP address to 169.x.x.x. It's an old problem, but somehow it's come back in spades in the past two days. I have no idea what triggered the sudden outbreak, as there were no Win10 1607 patches issued on December 6, 7 or 8.

Microsoft acknowledged the problem Thursday, recommending customers try restarting their PCs (or performing a clean start). Woody writes that it looks like Microsoft's latest Windows 10 patch "didn't cause the bug. But the patch didn't fix it, either."
Wireless Networking

AirPods Delay Attributed To Apple Ensuring Both Earpieces Receive Audio At Same Time (macrumors.com) 189

An anonymous reader quotes a report from Mac Rumors: AirPods were originally slated to launch in October, but the wireless earphones were later delayed. Apple said it needed "a little more time" before they are ready for customers, and it has yet to provide an official update since. While the exact reason for the delay remains unclear, a person familiar with the development of AirPods told The Wall Street Journal that Apple's troubles appear to be related to its "efforts to chart a new path for wireless headphones," in addition to resolving what happens when users lose one of the earpieces or the battery dies. The Wall Street Journal reports: "A person familiar with the development of the AirPod said the trouble appears to stem from Apple's effort to chart a new path for wireless headphones. In most other wireless headphones, only one earpiece receives a signal from the phone via wireless Bluetooth technology; it then transmits the signal to the other earpiece. Apple has said AirPod earpieces each receive independent signals from an iPhone, Mac or other Apple device. But Apple must ensure that both earpieces receive audio at the same time to avoid distortion, the person familiar with their development said. That person said Apple also must resolve what happens when a user loses one of the earpieces or the battery dies."
Transportation

Transportation Department Proposes Allowing In-Flight Phone Calls (go.com) 103

Yesterday, France's Le Monde newspaper issued a report, citing documents from NSA whistleblower Edward Snowden, that says American and British spies have since 2005 been working on intercepting phone calls and data transfers made from aircraft. Assuming the report is accurate, national security agencies may soon have their hands full if a new proposal by the Department of Transportation becomes official, which would allow each airline to decide whether its passengers will be permitted to make in-flight phone calls using the aircraft's onboard Wi-Fi system. ABC News reports: The Department of Transportation's proposal leaves it up to airlines whether to allow the calls. But carriers would be required to inform passengers at the time they purchase a ticket if the calls are allowed. That would give passengers the opportunity to make other travel arrangements if they don't want to risk the possibility of sitting near passengers making phone calls. The Federal Communications Commission prohibits using mobile phones to make calls during flights, but not Wi-Fi calls. There is a minimum 60-day comment period and the proposal leaves the door open to an outright ban. The Wall Street Journal first reported on the proposal.
Microsoft

Microsoft Officially Closes Its $26.2B Acquisition of LinkedIn (techcrunch.com) 53

After getting its final European Commission approvals earlier this week, Microsoft and LinkedIn today announced that Microsoft's $26.2 billion acquisition of LinkedIn, the social networking site, has officially closed. From a report on TechCrunch: The news comes six months after news first broke of the deal. In an internal memo, LinkedIn CEO Jeff Weiner went through the areas where the two companies would be working together, and how they will in other ways remain independent. LinkedIn today has over 400 million registered users, making it the largest social networking site focused on the working world. People use the service both to make work connections with other people in their fields, but also to look for jobs and hire people. As we reported earlier this week, the fact that LinkedIn essentially has a dominant position in this area meant that Microsoft had to make concessions to the EC about how it would work to allow other social networking sites to integrate on its platforms.