Security

Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) 75

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it also defeats SMS- and voice-call-based two-factor authentication: the targeted user types the code sent to their phone into the man-in-the-middle site, which simply relays it to the real one.
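The relay described above, modelled as an added example (not code from Help Net Security or from the researchers): a target site whose reset flow asks a security question and then texts a code, a victim, and an attacker site whose "sign-up" form is really the target's reset flow forwarded in both directions. The site names, the security question, the code format and the victim's behaviour are all constructed for the demo; the `label_sms` switch stands in for the researchers' recommendation that the message name the site and its purpose.

```python
"""Toy model of the Password Reset Man-in-the-Middle (PRMitM) relay.

Added example, not code from Help Net Security or from the researchers.
The target site, the attacker's site, the victim's phone, the security
question and the reset code are all constructed in memory for the demo.
"""
import re
import secrets


class Phone:
    """The victim's handset: just an SMS inbox."""

    def __init__(self):
        self.inbox = []

    def receive(self, text):
        self.inbox.append(text)


class TargetSite:
    """A site whose reset flow asks a security question, then texts a code.
    With label_sms=True the text names the site and its purpose (the
    countermeasure the researchers recommend); otherwise it is generic."""

    def __init__(self, name, label_sms):
        self.name, self.label_sms = name, label_sms
        self.accounts, self.sessions = {}, {}

    def register(self, email, phone, question, answer, password):
        self.accounts[email] = dict(phone=phone, question=question,
                                    answer=answer, password=password)

    def reset_start(self, email):
        self.sessions[email] = dict(step="question")
        return self.accounts[email]["question"]

    def reset_answer(self, email, answer):
        acct, sess = self.accounts[email], self.sessions[email]
        if sess["step"] != "question" or answer != acct["answer"]:
            raise PermissionError("wrong security answer")
        code = f"{secrets.randbelow(10**6):06d}"
        sess.update(step="code", code=code)
        label = f"{self.name} password reset: " if self.label_sms else ""
        acct["phone"].receive(f"{label}your verification code is {code}")

    def reset_finish(self, email, code, new_password):
        sess = self.sessions.pop(email)
        if sess["step"] != "code" or not secrets.compare_digest(code, sess["code"]):
            raise PermissionError("bad code")
        self.accounts[email]["password"] = new_password

    def login(self, email, password):
        return self.accounts[email]["password"] == password


class Victim:
    """Answers whatever the site in front of them asks.  A 'careful' victim
    refuses to type a code whose SMS names a different site than the one
    asking for it; a careless one types it regardless."""

    def __init__(self, email, phone, answer, careful):
        self.email, self.phone, self.answer, self.careful = email, phone, answer, careful

    def answer_question(self, question):
        return self.answer

    def give_sms_code(self, asking_site):
        text = self.phone.inbox[-1]
        named = re.match(r"^([\w.-]+) password reset:", text)
        if self.careful and named and named.group(1) != asking_site:
            return None
        return re.search(r"\d{6}", text).group()


class AttackerSite:
    """Fake 'free stuff' site: each step of its sign-up form is really a
    step of the target site's password reset, relayed in both directions."""

    def __init__(self, name, target):
        self.name, self.target, self.stolen = name, target, {}

    def signup(self, victim):
        email = victim.email                          # victim enters email to "register"
        question = self.target.reset_start(email)     # attacker starts a reset at the target
        answer = victim.answer_question(question)     # shown to victim as a sign-up question
        self.target.reset_answer(email, answer)       # target texts the victim a code
        code = victim.give_sms_code(self.name)        # "enter the code we just texted you"
        if code is None:
            return False                              # victim noticed the site mismatch
        new_password = secrets.token_urlsafe(12)
        self.target.reset_finish(email, code, new_password)
        self.stolen[email] = new_password
        return self.target.login(email, new_password)


def run(label_sms, careful):
    """True if the attacker ends up logged in as the victim."""
    phone = Phone()
    target = TargetSite("bigsite.example", label_sms)
    target.register("alice@example.com", phone, "Name of your first pet?", "Rex", "hunter2")
    victim = Victim("alice@example.com", phone, "Rex", careful)
    return AttackerSite("freestuff.example", target).signup(victim)


if __name__ == "__main__":
    print("generic SMS, careful user:", run(False, True))     # True: relay works
    print("labelled SMS, careless user:", run(True, False))   # True: label alone is not enough
    print("labelled SMS, careful user:", run(True, True))     # False: relay spotted
```

The three runs make the practitioner's point: nothing in the target site's server-side logic is broken, since every message it receives is the legitimate user's own answer. The only place the relay can be caught is in the message to the user, and only if the user reads it.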
EU

Germany Cracks Down On Illegal Speech On Social Media. (smh.com.au) 438

ArmoredDragon writes: German police have raided 36 homes of people accused of using illegal speech on Facebook and Twitter. Much of it was aimed at political speech. According to the article, "Most of the raids concerned politically motivated right-wing incitement, according to the Federal Criminal Police Office, whose officers conducted home searches and interrogations. But the raids also targeted two people accused of left-wing extremist content, as well as one person accused of making threats or harassment based on someone's sexual orientation."

This comes just as a new law is being debated that can fine social media platforms $53 million for not removing 70% of illegal speech (including political, defamatory, and hateful speech) within 24 hours of it being posted, which Facebook argues will make it obligatory for them to delete posts and ban users for speech that isn't clearly illegal.

United Kingdom

UK Parliament Emails Closed After 'Sustained And Determined' Cyber-Attack (theguardian.com) 44

An anonymous reader quotes the Guardian: Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and their staffers' email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords... The estate's digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails...

The international trade secretary, Liam Fox, told ITV News the attack was a "warning to everyone we need more security and better passwords. You wouldn't leave your door open at night." In an interview with the BBC, he added: "We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails."

One member of Parliament posted on Twitter "Sorry, no parliamentary email access today -- we're under cyber-attack from Kim Jong-un, Putin or a kid in his mom's basement or something." He added later, "I'm off to the pub."
Government

Obama Authorized a Secret Cyber Operation Against Russia, Says Report (engadget.com) 222

Jessica Conditt reports via Engadget: President Barack Obama learned of Russia's attempts to hack U.S. election systems in early August 2016, and as intelligence mounted over the following months, the White House deployed secrecy protocols it hadn't used since the 2011 raid on Osama bin Laden's compound, according to a report by The Washington Post. Apparently, one of the covert programs Obama, the CIA, NSA and other intelligence groups eventually put together was a new kind of cyber operation that places remotely triggered "implants" in critical Russian networks, ready for the U.S. to deploy in the event of a pre-emptive attack. The downed Russian networks "would cause them pain and discomfort," a former U.S. official told The Post. The report says CIA director John Brennan, Obama and other officials had at least four "blunt" conversations with Russian officials about its cyber intrusions beginning August 4th. Obama confronted Vladimir Putin in person during a meeting of world leaders in China this past September, the report says, and his administration even sent Russia a warning through a secure channel originally designed to help the two countries avoid a nuclear strike. Moscow apparently responded one week later -- after the U.S. election -- denying the accusation.
Space

SpaceX Successfully Launches and Lands a Used Rocket For the Second Time (theverge.com) 73

SpaceX has successfully launched and landed a recycled Falcon 9 rocket for the second time. "The rocket's first stage -- the 14-story-tall core that houses the fuel and the rocket's main engines -- touched down on one of the company's autonomous drone ships in the Atlantic Ocean shortly after taking off from a launchpad at nearby Cape Canaveral, Florida," reports The Verge. From the report: This particular rocket previously flew in January, when it was used to put 10 satellites into orbit for communications company Iridium. The rocket then landed on a drone ship in the Pacific Ocean. SpaceX retrieved the rocket and spent the next few months refurbishing it in preparation for today's launch. This afternoon, it was used to launch Bulgaria's first communications satellite for TV service provider Bulsatcom. The landing wasn't easy, though. Because the rocket had to push BulgariaSat-1 to such a high orbit, the first stage experienced more force and heat during reentry than any other Falcon 9, according to a tweet from SpaceX CEO Elon Musk. Musk even warned that there was a "good chance [the] rocket booster doesn't make it back." Shortly after the landing, though, Musk returned to Twitter to add that the rocket booster used "almost all of the emergency crush core," which helps soften the landing.
Apple

Chris Lattner, Poached From Apple To Become Tesla's Top Software Executive, Quits After 6 Months (bizjournals.com) 140

Tesla said last night Chris Lattner, the vice president of Autopilot software, has left the company about six months after the electric car-maker hired him away from Apple. From a report: Lattner had led the software development team in charge of Autopilot. Tesla executive Jim Keller is now in charge of Autopilot hardware and software. The company announced it had also hired OpenAI research scientist Andrej Karpathy, who will serve as Tesla's new director of artificial intelligence and Tesla Vision. "Chris just wasn't the right fit for Tesla, and we've decided to make a change," the company told reporters in a statement. "We wish him the best." Lattner tweeted last night, "Turns out that Tesla isn't a good fit for me after all. I'm interested to hear about interesting roles for a seasoned engineering leader!" Lattner is a widely respected figure in the industry. He is the main author of LLVM as well as Apple's Swift programming language. We interviewed him earlier this year.
Security

Cisco Subdomain Private Key Found in Embedded Executable (google.com) 53

Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com subdomain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users' local machines. I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but I wasn't entirely sure whether this is considered a key compromise. I asked Hanno Bock on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named 'CiscoVideoGuardMonitor', and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend running this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable 'CiscoVideoGuardMonitor' can be found at '$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names: drmlocal.cisco.com, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked.
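The check the poster performed, written out as an added example (not Cisco's, Sky's or the poster's code): scan a binary for PEM private-key blocks and compare the public half of each one with the SubjectPublicKeyInfo in a certificate. It shells out to the `openssl` CLI, which is assumed to be on PATH; the demo material is a self-signed certificate and key generated on the fly, plus a second unrelated key, pasted between random bytes into a constructed "binary". Nothing here touches the real CiscoVideoGuardMonitor binary or the revoked drmlocal.cisco.com certificate.

```python
"""Find PEM private keys embedded in an executable and test whether any of
them corresponds to the public key in a given X.509 certificate.

Added example, not code from Cisco, Sky or the mailing-list poster.
Assumes the `openssl` command-line tool is installed; the test material
(key, certificate and fake binary) is generated by make_demo().
"""
import os
import re
import subprocess
import tempfile

# Matches an unencrypted or encrypted PEM private key of any common type.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----\r?\n.*?-----END \1-----",
    re.DOTALL,
)


def find_private_keys(path):
    """Return every PEM private-key block found anywhere in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.group(0) for m in PEM_KEY_RE.finditer(data)]


def _openssl(*args, stdin=None):
    """Run an openssl subcommand and return its stdout (raises on failure)."""
    result = subprocess.run(["openssl", *args], input=stdin,
                            capture_output=True, check=True)
    return result.stdout


def spki_of_cert(cert_path):
    """SubjectPublicKeyInfo of a certificate, as a PEM PUBLIC KEY block."""
    return _openssl("x509", "-in", cert_path, "-noout", "-pubkey").strip()


def spki_of_key(key_pem):
    """Public half of a private key, in the same PEM form as spki_of_cert."""
    return _openssl("pkey", "-pubout", stdin=key_pem + b"\n").strip()


def key_matches_cert(key_pem, cert_path):
    """True when the key is the private counterpart of the cert's public key."""
    return spki_of_key(key_pem) == spki_of_cert(cert_path)


def scan(binary_path, cert_path):
    """(index, matches_cert) for each private key found in the binary."""
    keys = find_private_keys(binary_path)
    return [(i, key_matches_cert(k, cert_path)) for i, k in enumerate(keys)]


def make_demo(tmpdir):
    """Constructed test material: a self-signed cert with its key, an
    unrelated key, and a fake binary with both keys embedded in noise."""
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=drmlocal.example", "-keyout", key, "-out", cert)
    other = os.path.join(tmpdir, "other.pem")
    _openssl("genpkey", "-algorithm", "RSA",
             "-pkeyopt", "rsa_keygen_bits:2048", "-out", other)
    binary = os.path.join(tmpdir, "fake-monitor.bin")
    with open(key, "rb") as k, open(other, "rb") as o, open(binary, "wb") as out:
        out.write(os.urandom(512) + o.read() + os.urandom(256)
                  + k.read() + os.urandom(512))
    return binary, cert


def demo():
    """Runs the scan on the constructed material: the unrelated key comes
    first and must not match, the certificate's own key must."""
    with tempfile.TemporaryDirectory() as tmpdir:
        binary, cert = make_demo(tmpdir)
        return scan(binary, cert)


if __name__ == "__main__":
    for index, matches in demo():
        print(f"embedded key #{index}: {'MATCHES certificate' if matches else 'unrelated'}")
```

Against a real target, call `scan("/path/to/binary", "/path/to/cert.pem")`, with the certificate fetched from the local WebSocket listener or from CT logs. A `True` result is exactly the evidence that Baseline Requirements 4.9.1.1 (v1.4.5) treats as key compromise, obliging the CA to revoke within 24 hours; the scan only catches keys stored as plaintext PEM, so a negative result says nothing about keys held in DER, obfuscated, or decrypted only at runtime.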
Twitter

Tableau Software Drops Its 'Twitter Crowd Favorite' Data Viz Contests (tableau.com) 21

theodp writes: As part of its 'Iron Viz' data visualization contests that lead up to its annual conferences, Tableau Software ($4.8B market cap) has awarded $500 gift cards to 'Twitter Crowd Favorites', contestants whose data viz draw the most 'votes' (tagged Tweets) on Twitter. But no more. As it expanded Iron Viz eligibility to China, Tableau said it 'just didn't seem fair' to allow popular voting in its worldwide contests since the Chinese government blocks citizens' Twitter use. "As Chinese authors join the contest," the Tableau Public blog explained, "we have to say goodbye to the Twitter Crowd Favorite. Twitter is blocked in mainland China and it wouldn't be fair for our Chinese contestants." And the latest Iron Viz Contest FAQs confirm the change: "Q. I heard there won't be a Crowd Favorite prize, is that true? A. Absolutely true. China is among the new countries who can take part in the Iron Viz, and Twitter doesn't work in mainland China. The usual Twitter Popular Vote just didn't seem fair."
This XKCD comic still has my all-time favorite data visualizations.
Debian

Debian 9 (Stretch) Will Be Released Today (twitter.com) 196

The Debian Project has been liveblogging today's release of Debian 9 (Stretch) using the Twitter hashtag #releasingstretch. Some of the announcements:
  • The oldstable suite (wheezy) has now been renamed to oldoldstable
  • Debian jessie has now been renamed to oldstable!
  • The Debian stretch suites have now been renamed to stable!
  • The draft debian-devel-announce post is ready, archive docs are being cleaned up

This release is named after that purple octopus in Toy Story 3, and more tantalizing tidbits of information keep appearing on Debian's micronews site:

  • At least 1436 people and 18 teams contributed to Debian in 2017
  • Stretch has 25,357 source packages with 9,808,465 source files
  • There were 13 different themes proposed to be the official Debian stretch theme
  • Debian Stretch ships with the free mathematical software SageMath, you can install it with apt
  • During the stretch development, 101 contributors became Debian Developers, and 94 more became Debian Maintainers
  • Debian Stretch will ship with the first release of the Debian Astro Pure Blend [for astronomers]
  • Debian Popularity Contest gathers anonymous statistics about Debian packages usage from about 195,000 reports

The Almighty Buck

Air Force Budget Reveals How Much SpaceX Undercuts Launch Prices (arstechnica.com) 97

An anonymous reader quotes a report from Ars Technica: In 2014, the U.S. Government Accountability Office issued a report on cost estimates for the U.S. Air Force's program to launch national security payloads, which at the time consisted of a fleet of rockets maintained and flown entirely by United Launch Alliance (ULA). The report was critical of the non-transparent nature of ULA's launch prices and noted that the government "lacked sufficient knowledge to negotiate fair and reasonable launch prices" with the monopoly. At around the same time, the new space rocket company SpaceX began to aggressively pursue the opportunity to launch national security payloads for the government. SpaceX claimed to offer a substantially lower price for delivering satellites into various orbits around Earth. But because of the lack of transparency, comparing prices was difficult. The Air Force recently released budget estimates for fiscal year 2018, and these include a run out into the early 2020s. For these years, the budget combines the fixed price rocket and ELC contract costs into a single budget line. (See page 109 of this document). They are strikingly high. According to the Air Force estimate, the "unit cost" of a single rocket launch in fiscal year 2020 is $422 million, and $424 million for a year later. SpaceX sells basic commercial launches of its Falcon 9 rocket for about $65 million. But, for military launches, there are additional range costs and service contracts that add tens of millions of dollars to the total price. It therefore seems possible that SpaceX is taking a loss or launching at little or no profit to undercut its rival and gain market share in the high-volume military launch market. Elon Musk retweeted the article, adding "$300M cost diff between SpaceX and Boeing/Lockheed exceeds avg value of satellite, so flying with SpaceX means satellite is basically free."
Security

You Can Hack Some Mazda Cars With a USB Flash Drive (bleepingcomputer.com) 52

An anonymous reader writes: "Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years," reports Bleeping Computer. "The issues were discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these 'hacks' to customize their cars' infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer)." Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo onto a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can't be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.
Piracy

Alleged KickassTorrents Owner Considers 'Voluntary Surrender' To the US (torrentfreak.com) 59

An anonymous reader quotes a report from TorrentFreak: Earlier this year a Polish court ruled that Artem Vaulin, the alleged owner of the defunct torrent site KickassTorrents, can be extradited to the United States. The decision came as a disappointment to the defense team, which quickly announced an appeal. Vaulin has since been released on bail and currently resides in a Warsaw apartment. His release has made it easier to communicate with his attorneys in the United States, who have started negotiations with the U.S. Government. While the extradition appeal is still ongoing, it now appears that under the right conditions Vaulin might consider traveling to the United States voluntarily, so he can "resolve" the pending charges. This is what the defense team states in a motion for a status conference (pdf), which was submitted earlier this week.
Government

US Intelligence Agencies Tried To Bribe Our Developers To Weaken Encryption, Says Telegram Founder (twitter.com) 135

In a series of tweets, Pavel Durov, the Russian founder of the popular secure messaging app Telegram, has revealed that U.S. intelligence agencies tried twice to bribe his company's developers to weaken encryption in the app. The incident, Durov said, happened last year during the team's visit to the United States. "During our team's 1-week visit to the US last year we had two attempts to bribe our devs by US agencies + pressure on me from the FBI," he said. "And that was just 1 week. It would be naive to think you can run an independent/secure cryptoapp based in the US."

Telegram markets itself as one of the most secure messaging apps available today, though researchers have pointed out flaws in it as well.
It's funny.  Laugh.

Marissa Mayer, Yahoo's Ex-CEO, Says She's Looking 'Forward To Using Gmail Again' 187

Former Yahoo CEO Marissa Mayer, who resigned on Tuesday after running the company for about five years, appeared at a conference in London today. At the conference, Mayer said one of the things she was looking forward to in her post-Yahoo life was using Gmail again. "I am always faster when using a tool I designed myself," she added.
Communications

Someone Built a Tool To Get Congress' Browser History (vice.com) 68

A software engineer in North Carolina has created a new plugin that lets website administrators monitor when someone accesses their site from an IP address associated with the federal government. It was created in part to protest a measure signed by President Trump in April that allows internet service providers to sell sensitive information about your online habits without needing your consent. Motherboard reports: A new tool created by Matt Feld, the founder of several nonprofits including Speak Together, could help the public get a sense of what elected officials are up to online. Feld, a software engineer working in North Carolina, created Speak Together to share "technical projects that could be used to reduce the opaqueness between government and people," he told Motherboard over the phone. "It was born out of just me trying to get involved and finding the process to be confusing." The tool lets website administrators track whether members of Congress, the Senate, White House staff, or Federal Communications Commission (FCC) staff are looking at their site. If you use Feld's plug-in, you'll be able to see whether someone inside government is reading your blog. You won't be able to tell if President Trump viewed a web page, but you will be able to see that it was someone using an IP address associated with the White House. The tool works similarly to existing projects like CongressEdits, an automated Twitter account that tweets whenever a Wikipedia page is edited from IP addresses associated with Congress.
Government

'COVFEFE Act' Would Make Social Media a Presidential Record (thehill.com) 322

An anonymous reader quotes a report from The Hill: Rep. Mike Quigley (D-Ill.) introduced legislation Monday to classify presidential social media posts -- including President Trump's much-discussed tweets -- as presidential records. The Communications Over Various Feeds Electronically for Engagement (COVFEFE) Act, which has the same acronym as an infamous Trump Twitter typo last month, would amend the Presidential Records Act to include "social media." Presidential records must be preserved, according to the Presidential Records Act, which would make it potentially illegal for the president to delete tweets. "President Trump's frequent, unfiltered use of his personal Twitter account as a means of official communication is unprecedented. If the President is going to take to social media to make sudden public policy proclamations, we must ensure that these statements are documented and preserved for future reference. Tweets are powerful, and the President must be held accountable for every post," said Quigley in a statement. Most people took the "covfefe" tweet to be a typo, although press secretary Sean Spicer told the media that the term was used intentionally. "The president and a small group of people know exactly what he meant," he said.
Cellphones

New iOS 11 Settings Will Stop Apps From Tracking Your Location (theverge.com) 50

An anonymous reader quotes The Verge: Apple is giving users the option to enable much stricter location rules with iOS 11, according to MacRumors. The company began this effort last year by adding a new option to iOS 10 that grants apps access to your location only while they're actively being used. But this "while in use" setting is up to developers to actually enable. The vast majority of popular apps did integrate that new feature. Others, however -- Uber chief among them -- still force iPhone users to choose between always or never providing location data. The latter choice breaks the functionality of an app like Uber, leaving customers with really only one option. Apple seems poised to eliminate this false choice in iOS 11 by making the "while in use" restriction available for every app.
Transportation

A Power Outage In Silicon Valley Was Caused By A Drone Crash (mercurynews.com) 218

An anonymous reader quotes the San Jose Mercury News: A drone crashed into a high-voltage wire Thursday night, causing tens of thousands of dollars in damage and knocking out power to roughly 1,600 people for about two hours, police said... "The FAA has rules and regulations in place to prevent this exact type of incident from happening," said Mountain View police spokeswoman Katie Nelson. "We simply ask that people comply with the rules and that they operate drones safely and sensibly."
The town's city hall was without power -- along with the rest of the 1,600 homes -- prompting a Google software engineer to tweet that "drones are fun until someone flies one into high-voltage power lines." They added later that "apparently the owner 'fled in a white hatchback', which is the least dignified way that someone can flee, I think."
The Internet

Pirate Bay Founder: We've Lost the Internet, It's All About Damage Control Now (thenextweb.com) 189

Mar Masson Maack reports via The Next Web: At its inception, the internet was a beautifully idealistic and equal place. But the world sucks and we've continuously made it more and more centralized, taking power away from users and handing it over to big companies. And the worst thing is that we can't fix it -- we can only make it slightly less awful. That was pretty much the core of Pirate Bay's co-founder, Peter Sunde's talk at tech festival Brain Bar Budapest. TNW sat down with the pessimistic activist and controversial figure to discuss how screwed we actually are when it comes to decentralizing the internet.

In Sunde's opinion, people focus too much on what might happen, instead of what is happening. He often gets questions about what a digitally bleak future could look like, but the truth is that we're living it: "Everything has gone wrong. That's the thing, it's not about what will happen in the future it's about what's going on right now. We've centralized all of our data to a guy called Mark Zuckerberg, who's basically the biggest dictator in the world as he wasn't elected by anyone. Trump is basically in control over this data that Zuckerberg has, so I think we're already there. Everything that could go wrong has gone wrong and I don't think there's a way for us to stop it." One of the most important things to realize is that the problem isn't a technological one. "The internet was made to be decentralized," says Sunde, "but we keep centralizing everything on top of the internet."

Power

Tesla Plans To Disconnect 'Almost All' Superchargers From the Grid In Favor of Solar and Battery Power (electrek.co) 230

Only half a dozen Supercharger stations or so out of the over 800 stations have solar arrays and batteries, but that may be about to change. Elon Musk said Tesla plans to deploy more battery and solar systems with the upcoming "Version 3" of the Supercharger, adding that "almost all Superchargers will disconnect from the electricity grid." Electrek reports: Previously, Musk said that Tesla's new Powerpack and solar arrays will power some Supercharger stations in sunny regions to go off-grid -- adding that "the grid won't be needed for moderate use Superchargers in non-snowy regions." While it makes sense to add solar arrays and battery packs, it's not clear why there would be a need to completely disconnect from the grid, which is often still useful -- especially if net metering is available. Even in regions where coal dominates electricity generation, electric cars are still more efficient than some of the most efficient gas-powered cars. Therefore, the argument could have ended here, but Musk apparently wants to take Tesla's Supercharger network off-grid as part of the company's mission to accelerate the advent of sustainable energy. Depending on the size and popularity of a Supercharger station, which generally varies from 6 partly used stalls to 20 stalls in almost constant use, Tesla would need some significantly large solar arrays at some stations -- almost the size of a football field. Unless there are some impressive advancements in efficiency, it's not clear how they would make it happen.