Businesses

Samsung is Spamming Galaxy Phones With Multiple Note10 Ads (androidpolice.com) 72

An anonymous reader shares a report: In case you were living under a rock this past week, it was hard to miss Samsung's big reveal for the Galaxy Note10. It was all over social media, news sites, televisions, and... notification trays. That's right, Samsung is once again spamming Galaxy phones with advertisements, this time for the Note10. This time around, push notifications advertising the Note10 are being sent out by at least three pre-installed applications -- Samsung Pay, Bixby, and the Samsung Push Service. Bixby wants you to ask it about the Note10, Samsung Pay is offering points when you look at the phone's product page, and Samsung Push Service just gives you a banner ad with no indication of where it came from. I received the Bixby ad on my international Galaxy S10e, but I haven't personally seen the others. To make matters even worse, Samsung has blocked disabling these alerts by holding down on them, at least for the Bixby app (again, I can't verify the other types of alerts). To disable the Bixby notifications, you have to open Bixby, tap the menu icon at the top-right, select Settings, and set 'Marketing notifications' to off.
Communications

Robocall Blocking Apps Caught Sending Your Private Data Without Permission (techcrunch.com) 37

Robocall-blocking apps promise to rid your life of spoofed and spam phone calls. But are they as trustworthy as they claim to be? From a report: One security researcher said many of these apps can violate your privacy as soon as they are opened. Dan Hastings, a senior security consultant at cybersecurity firm NCC Group, analyzed some of the most popular robocall-blocking apps -- including TrapCall, Truecaller, and Hiya -- and found egregious privacy violations. [...] Many of these apps, said Hastings, send user or device data to third-party data analytics companies -- often to monetize your information -- without your explicit consent, instead burying the details in their privacy policies. One app, TrapCall, sent users' phone numbers to a third-party analytics firm, AppsFlyer, without telling users -- either in the app or in the privacy policy. He also found Truecaller and Hiya uploaded device data -- device type, model and software version, among other things -- before a user could accept their privacy policies.
Google

'There is No Evil Like reCAPTCHA (v3)' (thestoic.me) 259

An anonymous reader shares a post: Like many things that start out as a mere annoyance, though eventually growing into somewhat of an affliction. One particularly dark and insidious thing has more than reared its ugly head in recent years, and now far more accurately described as an epidemic disease. I'm talking about the filth that is reCAPTCHA. Yes that seemingly harmless question of "Are you a human?" Truly I wish all this called for were sarcastic puns of 'The Matrix' variety but the matter is far more serious. Google describes reCAPTCHA as: "[reCAPTCHA] is a free security service that protects your websites from spam and abuse." However, this couldn't be further from the truth, as reCAPTCHA is actually something that causes abuse. In fact, I would go so far as to say that being subjected to constant reCAPTCHAs is actually an act of human torture and disregard for a person's human right of mental comfort. The author goes on to make several points.
Security

GermanWiper Ransomware Hits Germany Hard, Destroys Files, Asks For Ransom (zdnet.com) 89

An anonymous reader quotes a report from ZDNet: For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn't encrypt files but instead it rewrites their content with zeroes, permanently destroying users' data. As a result, any users who get infected by this ransomware should be aware that paying the ransom demand will not help them recover their files. Unless users had created offline backups of their data, their files are most likely gone for good. For now, the only good news is that this ransomware appears to be limited to spreading in German-speaking countries only, and with a focus on Germany primarily.

According to German security researcher Marius Genheimer and CERT-Bund, Germany's Computer Emergency Response Team, the GermanWiper ransomware is currently being distributed via malicious email spam (malspam) campaigns. These emails claim to be job applications from a person named "Lena Kretschmer." A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is boobytrapped and will install the GermanWiper ransomware. When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alpha-numerical characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc. After it "encrypts" all targeted files, GermanWiper will open the ransom note (an HTML file) inside the user's default browser. The ransom note looks like the one below. A video of the infection process is also available here. Victims are given seven days to pay the ransom demand. It is important to remember that paying the ransom note won't help users recover their files.

The Courts

Tulsi Gabbard, Democratic Presidential Candidate, Sues Google For $50 Million Over Suspension of Ad Account (usatoday.com) 236

Representative Tulsi Gabbard, the long-shot presidential candidate from Hawaii, is suing Google for infringing on her free speech (alternative source) when it briefly suspended her campaign's advertising account after the first Democratic debate in June. The lawsuit, filed on Thursday in a federal court in Los Angeles, is seeking damages of at least $50 million. It's believed to be the first time a presidential candidate has sued a major technology firm. The New York Times reports: Tulsi Now Inc., the campaign committee for Ms. Gabbard, said Google suspended the campaign's advertising account for six hours on June 27 and June 28, obstructing its ability to raise money and spread her message to potential voters. After the first Democratic debate, Ms. Gabbard was briefly the most searched-for candidate on Google. Her campaign wanted to capitalize on the attention she was receiving by buying ads that would have placed its website at the top of search results for her name. The lawsuit also said the Gabbard campaign believed its emails were being placed in spam folders on Gmail at "a disproportionately high rate" when compared with emails from other Democratic candidates. Ms. Gabbard and her campaign are seeking an injunction against Google from further meddling in the election and damages of at least $50 million.
Network

AT&T Will Automatically Block Fraud Calls For New Customers (engadget.com) 61

AT&T will start automatically blocking fraud calls and issuing suspected spam call alerts for new phone customers at no extra cost. "You'll have to opt out if you don't want the company to screen calls this way," reports Engadget. "Existing customers, meanwhile, will see the feature automatically reach their accounts in the 'coming months.'" From the report: If you like the capabilities, you can turn it on right now either by downloading the AT&T Call Protect app or enabling it through your myAT&T account settings. Although AT&T isn't charging extra, the FCC rules don't prevent it or others from using the auto-blocking as an opportunity to raise subscription rates. It may take a while to learn whether or not there are any pitfalls to what otherwise seems like a promising upgrade.
Microsoft

Microsoft Warns About Astaroth Malware Campaign (zdnet.com) 72

The Microsoft security team has issued a warning today about ongoing malware campaigns that are distributing the Astaroth malware using fileless and living-off-the-land techniques that make it harder for traditional antivirus solutions to spot the ongoing attacks. From a report: The attacks were detected by the team behind Windows Defender ATP, the commercial version of the company's Windows Defender free antivirus. Andrea Lelli, a member of the Windows Defender ATP team, said alarm bells sounded at Microsoft's offices when they detected a huge and sudden spike in usage of the Windows Management Instrumentation Command-line (WMIC) tool. This is a legitimate tool that ships with all modern versions of Windows, but the sudden spike in usage suggested a pattern specific to malware campaigns. When Microsoft looked closer, it discovered a malware campaign that consisted of a massive spam operation that was sending out emails with a link to a website hosting a .LNK shortcut file.
Communications

Robocall Ban Should Target Texts and Foreign Calls, FCC Chief Says (cnet.com) 56

Federal Communications Commission Chairman Ajit Pai has proposed another set of robocall rules, this time to ban malicious calls that spoof caller IDs in text messages and international calls. From a report: The anti-spoofing rules will be voted on by the FCC Aug. 1, and they already have the support of more than 40 state attorneys general, Pai said Monday. These new rules would close the loopholes in targeting international callers, including one-way interconnected VoIP calls, and scammers using text messaging. They are part of the FCC's "multi-pronged approach to battle the noxious intrusion of illegal robocalls, as well as malicious caller ID spoofing," Pai said. Last month, the FCC voted unanimously on a proposal to give mobile phone companies greater power to "aggressively block" unwanted robocalls.
Security

OpenPGP Keyserver Attack Ongoing (duo.com) 67

Trailrunner7 quotes Duo.com's Decipher blog: There's an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.

The attack is quite simple and doesn't exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that's used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another...

Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures -- one has nearly 150,000 -- in an apparent effort to render them useless. The attack targeted [OpenPGP project developers] Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too...

Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure.

"PGP is old and kind of falling apart. There's not enough people maintaining it and it's full of legacy code. There are some people doing the lord's work in keeping it up, but it's not enough," Green said. "Think about like an old hospital that's crumbling and all of the doctors have left but there's still some people keeping the emergency room open and helping patients. At some point you have to ask whether it's better just to let it close and let something better come along.

"I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem."


On Thursday ZDNet quoted a disturbing blog post from OpenPGP project developer Robert "rjh" Hansen, who warned that "given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned."
United States

Bipartisan House Lawmakers Announce Compromise Anti-Robocall Bill (thehill.com) 75

A bipartisan pair of House lawmakers on Thursday unveiled a compromise bill aimed at thwarting the scourge of robocalls dialing up U.S. consumers, about one month after the Senate adopted its own anti-robocall bill. From a report: House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) and ranking member Greg Walden (R-Ore.) on Thursday announced the legislation, which differs from the Senate's version on some points but seems to have significant overlap. Pallone and Walden's Stopping Bad Robocalls Act would require phone carriers to implement technology to authenticate whether calls are real or spam, and allow carriers to offer call-blocking services. The legislation specifies the carriers should make sure that legal calls, such as those from doctors offices or creditors, are not blocked, while opening the door for the government to broaden its definition of what constitutes a "robocall."
Communications

Anti-Spam Service Truecaller Adds Free Voice Calling Feature (techcrunch.com) 22

An anonymous reader shares a report: Truecaller, an app best known for helping users screen calls from strangers and spammers, is adding yet another feature to its service as it bolsters its super app status. The Stockholm-based firm said today that its app can now be used to place free VoIP-powered voice calls. The company told TechCrunch on Tuesday that it has started to roll out the free voice calling feature to its Android users. It expects the rollout to reach all Android users in the coming days. The feature, which currently only supports calls between two users, will arrive on its iOS app soon. In emerging markets such as India, where 100 million of Truecaller's 140 million users live, free voice calls have been a long-sought-after feature. Until late 2016, voice calls were fairly expensive in India, with telecom operators counting revenue from traditional calls as their biggest profit generator.
Communications

Robocalls Are Overwhelming Hospitals and Patients, Threatening a New Kind of Health Crisis (washingtonpost.com) 152

An anonymous reader shares a report: In the heart of Boston, Tufts Medical Center treats scores of health conditions, from administering measles vaccines for children to pioneering next-generation tools that can eradicate the rarest of cancers. But doctors, administrators and other hospital staff struggled to contain a much different kind of epidemic one April morning last year: a wave of thousands of robocalls that spread, like a virus, from one phone line to the next, disrupting communications for hours to come.

For most Americans, such robocalls represent an unavoidable digital-age nuisance, resulting in constant interruptions targeting their phones each month. For hospitals, though, the spam calls amount to a literal life-or-death challenge, one that increasingly is threatening doctors and patients in a setting where every second can count. At Tufts Medical Center, administrators registered more than 4,500 calls between about 9:30 and 11:30 a.m. on April 30, 2018, said Taylor Lehmann, the center's chief information security officer. Many of the messages seemed to be the same: Speaking in Mandarin, an unknown voice threatened deportation unless the person who picked up the phone provided their personal information.

Such calls are common, widely documented scams that seek to swindle vulnerable foreigners, who may surrender their private data out of fear their families and homes are at risk. But it proved especially troubling at Tufts, which is situated amid Boston's Chinatown neighborhood, Lehmann said. Officials there couldn't block the calls through their telecom carrier, Windstream, which provides phone and web services to consumers and businesses. "There's nothing we could do," Lehmann said Windstream told them.

Facebook

WhatsApp is Finally Going After Outside Firms That Are Abusing Its Platform (techcrunch.com) 36

Tired of taking the flak for helping spread fake news, WhatsApp will start suing parties it finds flouting its rules. Till now, it was only using machine learning to flag accounts that were abusing its anti-spam policies. From a report: The messaging platform, used by more than 1.5 billion users, confirmed on Tuesday that starting December 7 it will start considering signals off its platform to pursue legal actions against those who are abusing its system. The company will also go after individuals who -- or firms that -- falsely claim to have found ways to cause havoc on the service.
Microsoft

Microsoft 'Wins Over Skeptics, Open-Source Great Satan No More', Declares Bloomberg (dailyherald.com) 271

Microsoft cloud chief Scott Guthrie says the company wasn't ready to acquire GitHub in 2014. "We would have screwed it up," he tells Bloomberg. But as he sees it, there was also another problem.

"The open-source world would've rightly looked at us at the time as the antichrist. We didn't have the credibility that we have now around open source..."

An anonymous reader quotes Bloomberg's report: Since then, Microsoft has turned itself into one of the biggest developers of open-source software and has persuaded customers to trust applications built using rival tools and programs to Microsoft's Azure cloud-computing service, boosting Azure revenue and usage. More than 60 percent of the company's team that works with cloud-app developers were hired for their expertise in non-Microsoft programming tools or cloud services. A full version of the open-source Linux operating system is even being added to Windows. The efforts are bringing new software builders to the Microsoft camp.

Last June, Guthrie and Microsoft Chief Executive Officer Satya Nadella finally unveiled an agreement to acquire GitHub. While there was still some initial agita in the developer community and rivals gained some refugee users from GitHub, one year later the deal is noteworthy mainly for how little drama it's caused. Most GitHub users just continued putting their code there. "Some people were upset, but few, because Microsoft had spent years building up goodwill with the open-source community," said Matt Asay, an Adobe Inc. senior director who is a longtime open-source developer and previous Microsoft opponent. "There was a knee-jerk sort of 'remember, they're the Great Satan' reaction, but it was halfhearted."

The article also notes that after Microsoft acquired GitHub, 113,000 code repositories moved to GitLab.
IOS

Apple is Building a Major Defense Against Spam Calls Into iOS 13 (theverge.com) 108

Apple is taking a new step to combat spam calls in iOS 13. Today, you can already install third-party spam call screeners on your iPhone, but if that's not good enough (or something you don't want to do), iOS 13 will add a new solution this fall. From a report: iOS 13 will be able to automatically silence any calls coming in from an unknown number. Even better, it'll automatically send them to voicemail. The new "silence unknown callers" option can be toggled on or off based on your preference, but I'm thinking most people will enable it right after updating and leave it that way. The feature is explained on this page of what's new in iOS 13. So many of the spam calls we're bombarded with on a daily basis are spoofed to look like a local number. But Apple says that iOS 13 will "use Siri intelligence to allow calls to ring your phone from numbers in Contacts, Mail, and Messages." Any number that can't be found in one of those places will be routed to voicemail.
Open Source

Ask Slashdot: How Would You Host Your Own Email Server? (linuxjournal.com) 337

"It has become too easy to take Linux and FOSS for granted," warns a Linux Journal editorial by Doc Searls, complaining, for example, that today "We collaborate inside proprietary environments, such as Slack and Google Hangouts."

Long-time Slashdot reader whh3 wants to live differently -- and to model a different set of values: After reading the recent Doc Searls article in Linux Journal, I realized that I need to get back to my roots. The first step will be to build/setup/run my own email server for my vanity domain.

The problem is, I haven't run my own email server since the 90s. It was easy back then -- there was much less SPAM and self-hosted email servers didn't have to jump through hoops to make sure that they weren't blacklisted as senders.

So, I am reaching out to this great community to find out if there are any good tutorials on modern-day best-practices for self hosting an email server. Any tips/tricks/pointers would be greatly appreciated!

A lot's changed in 20 years -- but for such a basic form of online communication, is it still possible to roll your own? Or are we trapped in a world where private conversations about valuing open source software take place inside Google's proprietary Gmail client?

Leave your own suggestions in the comments. How would you host your own email server?
Google

Google Launches CallJoy, a Virtual Customer Service Phone Agent For Small Businesses (techcrunch.com) 34

Google is combining several technologies, including virtual phone numbers, audio transcriptions, automated reporting and analytics, in a new effort to help small business owners better manage their inbound phone calls. From a report: The company's latest project from its in-house incubator is CallJoy, launching today. Aimed at the U.S.'s 30.2 million small business owners, the system offers a low-cost customer service agent that helps block spam calls, provide callers with basic business information and redirect customers to complete their requests -- like appointment booking or placing a to-go order -- over SMS. Any other calls or questions would be directed to the main business phone number. Typically, customer service phone agents like this are out of reach for small business owners, but CallJoy is priced at a flat monthly fee of $39 to make the technology affordable.
Security

GoDaddy Removes a Massive Network of Bogus Sales Sites (axios.com) 67

GoDaddy removed a cluster of more than 15,000 fraudulent websites discovered by a researcher at Palo Alto Networks' Unit 42 analysis team. From a report: The scam, which sold products like weight loss pills, used breached websites to add legitimacy to its sales and involved using fake celebrity endorsements. Jeff White, the researcher at Unit 42, started researching the network of sites more than 2 years ago when he noticed spam messages that looked visually similar and used similar language. The products were sold on commission as part of an affiliate marketing program and used low initial pricing and tiny print to get people signed up for costly subscriptions. The sales took place on hacked GoDaddy websites, where hackers had set up subdomains on legitimate websites.
Microsoft

Microsoft Says Some Webmail Accounts Were Compromised (techcrunch.com) 23

A "limited" number of users of Microsoft's webmail services -- which include Hotmail, Outlook.com, and MSN -- "had their accounts compromised," TechCrunch reports. "We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," said a Microsoft spokesperson in an email. According to an email Microsoft has sent out to affected users, malicious hackers were potentially able to access an affected user's e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with -- "but not the content of any e-mails or attachments," nor -- it seems -- login credentials like passwords. Microsoft is still recommending that affected users change their passwords regardless.

The breach occurred between January 1 and March 28, Microsoft's letter to users said. The hackers got into the system by compromising a customer support agent's credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn't know what data was viewed by the hackers or why, but cautioned that users might see more phishing or spam emails as a result.

Space

GNU GPLv3 At the Heart of the Black Hole Image (www.tfir.io) 56

arnieswap quotes TFIR's report on the black hole image: Free and Open Source software was at the heart of this image. The team used three different imaging software libraries to achieve the feat. Out of the three, two were fully open source libraries. The source code of the software is publicly available on GitHub.

Richard M Stallman, the founder of the GNU Project, will be glad to see that both libraries (Sparselab and ehtim) are released under GNU GPL v3. Yes, you read it right – GNU GPL v3.
