Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
-
Microsoft's Edge Browser Now Generally Available For iOS, Android (zdnet.com)
An anonymous reader shares a report: Microsoft announced in October previews of new Edge browser apps for iOS and Android. On November 30, Microsoft officials are announcing that these apps are no longer in preview and are generally available for users in select markets. By making Edge apps available on non-Windows operating systems, Microsoft is hoping to do more than give Windows 10 users who use Edge a more convenient way to sync their bookmarks, tabs, etc., across devices. Microsoft also is doing this to improve its "Continue on PC" feature that it's been touting for Windows 10. With "Continue on PC," users will be able to share a web site, app, photo, and other information from their phones to their Windows 10 PCs in a faster and more seamless way. Microsoft is looking to Continue on PC to help keep Windows PCs relevant in a world where more and more computing is done on mobile devices. -
Microsoft: We're Razing Our Redmond Campus To Build a Mini City (zdnet.com)
Armand Winter shares a report from ZDNet: Microsoft president Brad Smith said the company will spend $150 million in transport infrastructure, public spaces, sports fields and green space. It expects the project will create 2,500 construction and development jobs. Microsoft's renovation budget is modest compared with the $5 billion Apple spent on its new spaceship headquarters in Cupertino, while Microsoft's Washington neighbor and cloud rival, Amazon, will spend $5 billion on a second North American headquarters, which will offer space for 50,000 people. "We are not only creating a world-class work environment to help retain and attract the best and brightest global talent, but also building a campus that our neighbors can enjoy, and that we can build in a fiscally smart way with low environmental impact," said Smith in a blog post. -
New NSA Leak Exposes Red Disk, the Army's Failed Intelligence System (zdnet.com)
Zack Whittaker, reporting for ZDNet: The contents of a highly sensitive hard drive belonging to a division of the National Security Agency have been left online. The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." The disk image belongs to the US Army's Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA. The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, and Viacom, and several government departments, were all dinged by unsecured data. -
Imgur Confirms Email Addresses, Passwords Stolen In 2014 Hack (zdnet.com)
An anonymous reader quotes a report from ZDNet: Imgur, one of the world's most visited websites, has confirmed a hack dating back to 2014. The company confirmed to ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers. Imgur said the breach didn't include personal information because the site has "never asked" for real names, addresses, or phone numbers. The stolen accounts represent a fraction of Imgur's 150 million monthly users. The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned. Hunt informed the company on Thursday, a US national holiday observing Thanksgiving, when most businesses are closed. A day later, the company started resetting the passwords of affected accounts, and published a public disclosure alerting users of the breach. -
Intel: We've Found Severe Bugs in Secretive Management Engine, Affecting Millions (zdnet.com)
Liam Tung, writing for ZDNet: Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code. The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers. -
All 500 of the World's Top 500 Supercomputers Are Running Linux (zdnet.com)
Freshly Exhumed shares a report from ZDNet: Linux rules supercomputing. This day has been coming since 1998, when Linux first appeared on the TOP500 Supercomputer list. Today, it finally happened: All 500 of the world's fastest supercomputers are running Linux. The last two non-Linux systems, a pair of Chinese IBM POWER computers running AIX, dropped off the November 2017 TOP500 Supercomputer list. When the first TOP500 supercomputer list was compiled in June 1993, Linux was barely more than a toy. It hadn't even adopted Tux as its mascot yet. It didn't take long for Linux to start its march on supercomputing.
From when it first appeared on the TOP500 in 1998, Linux was on its way to the top. Before Linux took the lead, Unix was supercomputing's top operating system. Since 2003, the TOP500 was on its way to Linux domination. By 2004, Linux had taken the lead for good. This happened for two reasons: First, since most of the world's top supercomputers are research machines built for specialized tasks, each machine is a standalone project with unique characteristics and optimization requirements. To save costs, no one wants to develop a custom operating system for each of these systems. With Linux, however, research teams can easily modify and optimize Linux's open-source code to their one-off designs. The semiannual TOP500 Supercomputer List was released yesterday. It also shows that China now claims 202 systems within the TOP500, while the United States claims 143 systems. -
The iPhone X Becomes Unresponsive When It Gets Cold (zdnet.com)
sqorbit writes: Apple is working on a fix for the newly released iPhone X. It appears that the touch screen can become unresponsive when the iPhone is subjected to cold weather. Users are reporting that locking and unlocking the phone resolves the issue. Apple stated that it is aware of the issue and it will be addressed in a future update. -
Microsoft To Integrate 3rd-party Security Info Into Its Windows Defender Advanced Threat Protection Service (zdnet.com)
Microsoft is partnering with other security vendors to integrate their macOS, Linux, iOS, and Android security wares with its Windows Defender Advanced Threat Protection (ATP) service. From a report: Microsoft has announced the first three such partners: Bitdefender, Lookout and Ziften. These companies will feed any threats detected into the single Windows Defender ATP console. With Defender ATP, every device has its own timeline with event history dating back up to six months. According to Microsoft, no additional infrastructure is needed to onboard events from macOS, Linux, iOS and/or Android devices. Integration with Bitdefender's GravityZone Cloud -- which allows users to get macOS and Linux threat intelligence on malware and suspicious files -- is in public preview as of today. A trial version is available now. Integration with Lookout's Mobile Endpoint Security for iOS and Android and Ziften's Zenith systems and security operations platform for macOS and Linux will be in public preview "soon," Microsoft's blog post says. -
How Cloudflare Uses Lava Lamps To Encrypt the Internet (zdnet.com)
YouTuber Tom Scott was invited to visit Cloudflare's San Francisco headquarters to check out the company's wall of lava lamps. These decorative novelty items -- while neat to look at -- serve a special purpose for the internet security company. Cloudflare takes pictures and video of the lava lamps to turn them into "a stream of random, unpredictable bytes," which is used to help create the keys that encrypt the traffic that flows through Cloudflare's network. ZDNet reports: Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services. Cloudflare is known for providing good standards of encryption, but it seems the secret is out -- this reputation is built in part on lava lamps. Roughly 10 percent of the Internet's traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required. According to Nick Sullivan, Cloudflare's head of cryptography, this is where the lava lamps shine. Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken. The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic. "Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data." Cloudflare also reportedly uses a "chaotic pendulum" in its London office to generate randomness, and in Singapore, they use a radioactive source. -
MINIX: Intel's Hidden In-chip Operating System (zdnet.com)
Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer, reported that systems using Intel chips that have AMT are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel. -
No, the Linux Desktop Hasn't Jumped in Popularity (zdnet.com)
An anonymous reader quotes ZDNet: Stories have been circulating that the Linux desktop had jumped in popularity and was used more than macOS. Alas, it's not so... These reports have been based on NetMarketShare's desktop operating system analysis, which showed Linux leaping from 2.5 percent in July, to almost 5 percent in September. But unfortunately for Linux fans, it's not true... It seems to be merely a mistake. Vince Vizzaccaro, NetMarketShare's executive marketing share of marketing told me, "The Linux share being reported is not correct. We are aware of the issue and are currently looking into it"...
For the most accurate, albeit US-centric operating system and browser numbers, I prefer to use data from the federal government's Digital Analytics Program (DAP). Unlike the others, DAP's numbers come from billions of visits over the past 90 days to over 400 US executive branch government domains... DAP gets its raw data from a Google Analytics account. DAP has open-sourced the code, which displays the data on the web and its data-collection code... In the US Analytics site, which summarizes DAP's data, you will find desktop Linux, as usual, hanging out in "other" at 1.5 percent. Windows, as always, is on top with 45.9 percent, followed by Apple iOS, at 25.5 percent, Android at 18.6 percent, and macOS at 8.5 percent.
The article does, however, acknowledge that Linux's real market share is probably a little higher simply because "no one, not even DAP, seems to do a good job of pulling out the Linux-based Chrome OS data." -
Microsoft Quietly Announces End of Last Free Windows 10 Upgrade Offer (zdnet.com)
Ed Bott, writing for ZDNet: If you've been waiting to claim your free Windows 10 upgrade using the "assistive technologies" exception, you need to act soon. In a quiet change to an obscure web page, Microsoft announced this week that those exceptions will end on December 31, 2017. On July 29, 2016, Microsoft officially ended the Get Windows 10 program, which offered free Windows 10 upgrades to anyone currently running a supported earlier version of Windows. But the company left a giant loophole in a separate announcement at the same time. Under the terms of that announcement, individuals who use "assistive technologies" received an automatic extension of the free upgrade offer. Sometime in the past week, Microsoft quietly edited that page, to add "The accessibility upgrade offer expires on December 31, 2017." -
Fewer Than 1 in 100,000 New Surface Devices Go Wrong, Microsoft Says (zdnet.com)
A reader shares a ZDNet report: Microsoft has shaken off claims that its Surface range is unreliable and said that fewer than 1 in 100,000 of new Surface devices have gone wrong. The ratings service Consumer Reports raised a question mark over the reliability of the Surface line as a whole earlier this year. At the time, Consumer Reports surveyed 90,000 subscribers and found that 25 percent of Microsoft laptops and tablets will give owners problems by the end of the second year of ownership. Ryan Gavin, Microsoft's general manager for Surface, challenged the finding and said that the Surface devices are getting more reliable with each new generation. "One of the things you're seeing is the reliability of our products over time, with every generation getting better and better and better." Reliability issues among newer devices, such as the Surface Laptop and Studio, had been reported for only a fraction of devices, he said. "We're talking about incidents per device of less than 0.001%." -
Time To Move on from DevOps and Continuous Delivery, Says Google Advocate (zdnet.com)
A reader shares a report: Continuous improvement and continuous delivery (CI/CD) and DevOps may be on many peoples' minds these days, but there's nothing particularly new about the concept -- software shops should have put these concepts into action years ago. Instead, technology leaders should be now worrying about the futures of their businesses. That's the view of Kelsey Hightower, staff developer advocate at Google Cloud Platform, who says too many IT leaders are debating how to manage IT operations and workflows, when their businesses are being hit with unprecedented disruption. "CI/CD is a done deal -- like 10 years ago it was a done deal," he said in a recent podcast with CTO Advisor's Keith Townsend. "There is nothing to figure out in that domain. A lot of people talk about DevOps, and there may be some culture changes, in number of people who can do it or are allowed to do it. For me, that is the table stakes. CI/CD, DevOps; we have to say, listen, figure it out, or go work with another team outside this company to figure it out." -
Kaspersky Admits To Reaping Hacking Tools From NSA Employee PC (zdnet.com)
Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional. From a report: In October, a report from the Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency's hacking tools and software. The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky's antivirus software. Once these secretive files were identified -- through an avenue carved by the antivirus -- the Russian government was then able to obtain this information. Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks. There were a number of theories relating to what actually took place -- was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky's antivirus, or were the files detected and pulled by accident? According to Kaspersky, the latter is true. On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place. It was actually a year earlier than the WSJ believed, in 2014, that code belonging to the NSA's Equation Group was taken. -
Toshiba Forecasts $1 Billion Loss (zdnet.com)
Toshiba has announced a forecast net loss of $970 million due to the tax impact of selling its memory chip business, which was itself sold to make up for losses incurred from its nuclear energy business. ZDNet reports: The loss will come instead of its previously forecast net profit of 230 billion yen due to taxes incurred during the sale of the chip business, although its revenue forecast remains unchanged, Reuters reported. Toshiba had last month announced that it would be selling its memory chip business for 2 trillion yen to a consortium led by Bain Capital that includes Seagate and is backed by the Japanese government. As part of the sale, Toshiba said it would be investing 350.5 billion yen into the memory chip unit, maintaining some ownership over it, and last month said that it expected to close the deal "within days."
The tech company had originally named Bain as its preferred bidder back in June, although the sale had been slowed down after joint venture partner Western Digital had struggled to submit a competing bid alongside KKR after its original bid was rejected. As a result, Toshiba announced in June that it was planning to sue Western Digital for 120 billion yen, claiming the latter had interfered in the sale of the memory chip business. Western Digital had "continually interfered with the bid process" and "exaggerated" the power it had in relation to a potential sale, Toshiba claimed, and also made moves to prevent Western Digital employees in its Yokkaichi plant from accessing information pertaining to their partnership. Reuters said the delayed sale could potentially lead to Toshiba "not getting anti-trust clearance before the end of the financial year," which could in turn result in the Tokyo Stock Exchange delisting the company. -
Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus' (zdnet.com)
An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said. -
Traditional PC Sales Continue To Slide (zdnet.com)
Sales of traditional PCs continue to decline, although the overall PC market is likely to grow slightly next year. From a report: Traditional PC shipments are forecast to drop by nearly eight percent this year, and another 4.4 percent in 2018, predicts analyst firm Gartner. Which means that, by 2019, 16 million fewer traditional PCs and notebooks will be sold than were shipped this year. However, much of this will be offset by the rise in spending on high-end notebooks like Microsoft's Surface and Apple's MacBook, so that the overall PC market will by 2019 be at pretty much the same level it was last year. Tablets -- defined by Gartner as basic and utility ultramobile devices -- will also decline over the period to 2019. -
Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com)
An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been reserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.
Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.
Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.
In other words, some patches are available, but others are pending the investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: There is no official response at the time of writing.
Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
MikroTik: The vendor has already released patches that fix the vulnerabilities.
OpenBSD: Patches are now available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end users. -
WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com)
A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned. -
Microsoft May Have Price Increases in Store For Windows 10 Pro Workstation, Win 10 Downgrade Customers (zdnet.com)
Mary Jo Foley, reporting for ZDNet: Microsoft soon will be adding a new edition of Windows 10 to its lineup. That edition, Windows 10 Pro for Workstations, may include more than just a new name and feature set. It also may come with a change to the way Microsoft licenses and prices Windows 10 for its PC maker partners -- who potentially could pass on these changes to end-user customers. I've heard from a couple of customers recently who've been contacted by different OEMs about the coming changes. One said that Microsoft will begin licensing the Windows 10 Desktop operating system by processor family, and all PCs sold with Intel Xeon workstation processors will be affected by this change. One customer said he was told there could be a price increase of roughly $70 per operating system for use on systems with processors with four or fewer cores. For machines with Xeon processors with more than four cores, there could be a price increase of roughly $230 per operating system, I was told. Windows 10 Pro for Workstations is going to be available around the time Windows 10 Fall Creators Update starts rolling out, which is October 17. -
Disqus Confirms Over 17.5 Million Email Addresses Were Stolen In 2012 Hack of Its Comments Tool (zdnet.com)
Disqus, a company that builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012. "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers," reports ZDNet. From the report: Some of the exposed user information dates back to 2007. Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google. The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach. The company said in a blog post, posted less than a day after Hunt's private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach. Users whose passwords were exposed will have their passwords force-reset. The company warned users who have used their Disqus password on other sites to change the password on those accounts. -
AMD Unveils E9170 Embedded GPU (zdnet.com)
AMD is releasing a new embedded Radeon GPU, the first to be based on the Polaris architecture. From a report: But this one isn't aimed at the desktop or laptop markets, but instead it expands AMD's offerings in the digital casino games, thin clients, medical displays, retail and digital signage, and industrial systems markets. The AMD Embedded Radeon E9173 GPU, based on the Polaris architecture, uses an optimized 14-nanometer FinFET manufacturing process to provide up to three times the performance-per-watt over previous generations of AMD Embedded GPUs. And the Radeon E9170 is quite a powerhouse, delivering up to 1.25 TFLOPS at sub-40W TDP board power, and includes 4K HEVC/H.265 and AVC/H.264 decode and encode support, 4K and 3D support, and is capable of driving up to five 4K displays using HDMI 2.0 and/or DisplayPort 1.4. AMD is planning for the Radeon E9173 to have a long lifecycle -- which high-end customers demand -- and plans for it to be available through to 2024. -
Super Fast NVMe RAID Comes To Threadripper (zdnet.com)
Adrian Kingsley-Hughes, writing for ZDNet: A week later than planned, AMD has released a free driver update for the X399 platform to support NVMe RAID. The driver allows X399 motherboards to combine multiple NVMe SSDs together into a RAID 0, 1, or 10 array, which will greatly enhance disk performance or data integrity. Benchmarking carried out by AMD shows that the platform allows for a throughput of 21.2GB/s from six 512GB Samsung 960 Pro NVMe SSDs in RAID0. But there are a couple of caveats. The first is that X399 motherboards will require BIOS updates before they will support NVMe RAID, so when it will be available for your system will depend on your motherboard vendor. The second -- and perhaps more important -- is that currently the NVMe RAID driver is in beta, and as such things may go wrong, so you might want to test this before rolling it out onto systems you rely on. -
Meet The Next Major Operating System: Amazon's Alexa (zdnet.com)
ZDNet's editor-in-chief warns that Amazon has ambitious plans for its new Echo Plus: Amazon is making an explicit play to be the home hub because it can automatically discover and set up lights, locks, plugs, and switches without the need for additional hubs or apps. And the Alexa 'routines' feature will be able to tie all of this together by allowing you to automate a series of actions with a single voice command: saying "Alexa, good night," and having it turn off the lights, lock the door, and turn off the TV, for example. A platform that other apps and devices can connect into? This starts to sound a lot like an operating system for the home to me.
It's not just the home, either; Amazon announced a deal to make Alexa available in BMW and Mini vehicles from the middle of next year, allowing drivers to use the digital assistant to get directions, play music or control smart home devices while travelling, without having to use a separate app. Travellers will also have access to Alexa skills from third-party developers like Starbucks, allowing them to order their coffee while driving and thus skip the line. Back in January, Amazon and Ford said they were working together to allow voice commands to turn on the engine, lock or unlock the doors as well as play music and use other skills...
It's still early days but I think Alexa has a good shot at becoming one of the standard interfaces, certainly for consumers -- an operating system for the home, if not more, if the automotive tie-ups take off too. All of this will make Amazon a serious force to be reckoned with. Windows has the desktop, and Android and iOS can fight it out for the smartphone, but right now Alexa has a lock on the smart home. -
Apple Releases macOS High Sierra; Ex-NSA Hacker Publishes Zero-Day
Apple today released the newest version of its operating system for Macs, macOS High Sierra, to the public. macOS High Sierra is a free download, and offers a range of new features and improvements including the new Apple File System, and support for High Efficiency Video Encoding (HEVC) for better compression without loss of quality, and HEIF for smaller photo sizes. Zack Whittaker, reporting for ZDNet: Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack -- a password exfiltration exploit -- in action. Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault. But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password. -
Intel Cuts Cord On Its Current Cord-Cutting WiGig Products (zdnet.com)
An anonymous reader shares a ZDNet report, which also has some clarification from Intel: It looks like you can add WiGig wireless docking to Intel's dustbin (along with IoT products axed earlier this summer), as the company has discontinued existing products using the 802.11ad wireless standard, according to Anandtech. [Since publishing this report, we've received a statement from Intel clarifying its WiGig support: "We continue to offer current versions of our 802.11ad products, such as the Intel Tri-band Wireless AC 18265 and Gigabit Wireless 10101R antenna module. We remain committed to WiGig and think it has exciting potential for a number of applications, including enabling VR to become wireless, mesh networking and as part of Intel's leading products for 5G."] WiGig was developed several years ago with faster speeds than then-current Wi-Fi standards, but because it relied on the 60GHz channel, its high throughput could only travel over short distances. As a result, it eventually became marketed as a feature for wireless laptop docking stations, and while it received some support from enterprise laptop manufacturers like Dell and Lenovo, the technology didn't make a big dent against standard wired laptop docks. -
ShadowBrokers Releases NSA UNITEDRAKE Manual That Targets Windows Machines (schneier.com)
AmiMoJo shares a report from Schneier on Security: The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines: "Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information. UNITEDRAKE, described as a 'fully extensible remote collection system designed for Windows targets,' also gives operators the opportunity to take complete control of a device. The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, impersonating users, stealing diagnostics information and self-destructing once tasks are completed." -
Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)
The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. 
"It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet. -
A Critical Apache Struts Security Flaw Makes It 'Easy' To Hack Fortune 100 Firms (zdnet.com)
An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems. -
New Qualcomm Auto Chipset Advances Vehicle-To-Everything Communications (zdnet.com)
Qualcomm has introduced a new Cellular Vehicle-to-Everything (C-V2X) chipset and reference design that aims to bring automakers one step closer to deploying the communications systems necessary for fully autonomous vehicles. Ford, Audi, the PSA Group and SAIC are all endorsing the new chipset. ZDNet reports: The Qualcomm 9150 C-V2X chipset, expected to be available for commercial sampling in the second half of 2018, is based on specs from the 3rd Generation Partnership Project (3GPP), a collaboration between groups of telecommunications associations. Meanwhile, Qualcomm's C-V2X reference design will feature the 9150 C-V2X chipset, an application processor running the Intelligent Transportation Systems (ITS) V2X stack, as well as a Hardware Security Module (HSM). C-V2X technology encompasses two transmission modes: direct communications and network-based communications. It's key for both safety features and for implementing autonomous driving capabilities.
For instance, its direct communications capabilities improve a vehicle's situational awareness by detecting and exchanging information using low latency transmissions. Relying on the globally harmonized 5.9 GHz ITS band, the 9150 C-V2X chipset can relay information on vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I) and vehicle-to-pedestrian (V2P) scenarios without the need for a Subscriber Identity Module (SIM), cellular subscription or network assistance. On top of that, C-V2X network-based communications (designed for 4G and emerging 5G wireless networks) supports telematics, connected infotainment and a growing number of advanced informational safety use cases. -
FDA Issues Recall of 465,000 St. Jude Pacemakers To Patch Security Holes (zdnet.com)
In what may be a first, patients with heart conditions who are using particular pacemaker brands will have to visit their doctors for firmware updates to keep their embedded devices safe from tampering. From a report: It seems such an odd concept at first, but with many kinds of pacemakers now "smarter," with connections to mobile devices and diagnostic systems, the avenue has been carved for these medical devices to potentially be tampered with, should a threat actor choose. In particular, Abbott's pacemakers, formerly of St. Jude Medical, have been "recalled" by the US Food and Drug Administration (FDA) on a voluntary basis. The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device. On Tuesday, the FDA issued a security advisory, warning that the pacemakers must be recalled -- and as they are embedded within the chests of their users, this requires a home visit or trip to the hospital to have the software patch applied. -
South Korea Moves Towards The World's First 'Robot Tax' (zdnet.com)
An anonymous reader quotes ZDNet: It's being called the world's first robot tax. If it goes into effect, South Korea will be the first country to change its tax laws in recognition of the coming burden of mass robotic automation on low and middle-skill workers. The change proposed by the Moon Jae-in administration isn't a direct tax on robots. Rather, policymakers have proposed limiting tax incentives on investments in automation... Under existing law, South Korean companies that buy automation equipment, such as warehouse and factory robots, can deduct between three and seven percent of their investment. The current proposal, which seems likely to advance, is to reduce the deduction rate by up to two percentage points.
The move is evidently not an attempt to staunch companies from adopting automation technology. Rather, it is a kind of formal acknowledgment that unemployment is coming on a big enough scale to eat into South Korea's tax revenue. Policymakers are hoping that reducing the deduction incentives by a couple percentage points will offset the lost income tax and help keep the country's social services and welfare coffers filled.
The Korea Times, which broke the story, reminds readers that former U.S. treasury secretary Lawrence Summers has called robot taxes "profoundly misguided... A sufficiently high tax on robots would prevent them from being produced." -
Massive New Spambot Ensnares 711,000,000 Email Addresses (zdnet.com)
An anonymous reader quotes ZDNet: A huge spambot ensnaring 711 million email accounts has been uncovered. A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands, which stores dozens of text files containing a huge batch of email addresses, passwords, and email servers used to send spam. Those credentials are crucial for the spammer's large-scale malware operation to bypass spam filters by sending email through legitimate email servers.
The spambot, dubbed "Onliner," is used to deliver the Ursnif banking malware into inboxes all over the world. To date, it's resulted in more than 100,000 unique infections across the world, Benkow told ZDNet. Troy Hunt, who runs breach notification site Have I Been Pwned, said it was a "mind-boggling amount of data." Hunt, who analyzed the data and details his findings in a blog post, called it the "largest" batch of data to enter the breach notification site in its history... Those credentials, he explained, have been scraped and collated from other data breaches, such as the LinkedIn hack and the Badoo hack, as well as other unknown sources.
The data includes information on 80 million email servers, and it's all used to identify which recipients have Windows computers, so they can be targeted in follow-up emails delivering Windows-specific malware. -
Employers Want More Open Source Workers, Says Linux Foundation Study (zdnet.com)
As in past years, "Open source is professionalizing, and employers are seeking staff with demonstrable skills," says the executive director of the Linux Foundation, describing the results of a new study with Dice.com. An anonymous reader quotes ZDNet: According to the two groups' 2017 Open Source Jobs Survey and Report, "Not only do 89 percent of hiring managers report difficulty in finding qualified talent for open source roles, but 58 percent report needing to hire more open source professionals in the next six months than in the six months prior"... Seventy percent of employers, up from 66 percent in 2016, are hunting for workers with cloud experience. Web technologies placed second, with 67 percent of hiring managers hunting for workers with JavaScript and related skills. This is up five percent from last year's 62 percent. The demand for Linux talent remains strong. Sixty-five percent of hiring managers are looking for Linux experts. That's down slightly from 2016's 71 percent.
The three most common positions that they're looking to fill are developer, DevOps engineer, and systems administrator, according to the study, and "a growing number of companies (60 percent) are looking for full-time hires, compared with 53 percent last year.
"Nearly half (47 percent) of companies will pay for employees to become open-source certified." -
Microsoft .NET Core 2.0 For Linux Released; Redhat Will Bundle Microsoft's .NET (zdnet.com)
Billly Gates writes: Microsoft recently released Visual Studio 15.3 for Windows and Visual Studio 7.1 for Mac with .NET core 2.0. In addition to porting Microsoft Code and SQL Server to Linux, they have ported .NET. Redhat will bundle .NET in their software offerings instead of relying on Mono. .NET core is Microsoft's open-source .NET platform which is not based off Mono and available for Linux, Mac, and Windows here. -
Popular Weather App AccuWeather Caught Sending User Location Data, Even When Location Sharing is Off (zdnet.com)
Zack Whittaker, reporting for ZDNet: Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. AccuWeather is one of the most popular weather apps in Apple's app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission. Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn't have permission to access the device's precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device. We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data. -
Sonos Says Users Must Accept New Privacy Policy Or Devices May Cease To Function (zdnet.com)
An anonymous reader writes: Sonos has confirmed that existing customers will not be given an option to opt out of its new privacy policy, leaving customers with sound systems that may eventually "cease to function". It comes as the home sound system maker prepares to begin collecting audio settings, error data, and other account data before the launch of its smart speaker integration in the near future. A spokesperson for the home sound system maker told ZDNet that, "if a customer chooses not to acknowledge the privacy statement, the customer will not be able to update the software on their Sonos system, and over time the functionality of the product will decrease. The customer can choose to acknowledge the policy, or can accept that over time their product may cease to function." -
FBI Warns US Private Sector To Cut Ties With Kaspersky (cyberscoop.com)
An anonymous reader quotes CyberScoop: The FBI has been briefing private sector companies on intelligence claiming to show that the Moscow-based cybersecurity company Kaspersky Lab is an unacceptable threat to national security, current and former senior U.S. officials familiar with the matter tell CyberScoop... The FBI's goal is to have U.S. firms push Kaspersky out of their systems as soon as possible or refrain from using them in new products or other efforts, the current and former officials say.
The FBI's counterintelligence section has been giving briefings since the beginning of the year on a priority basis, prioritizing companies in the energy sector and those that use industrial control (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. In light of successive cyberattacks against the electric grid in Ukraine, the FBI has focused on this sector due to the critical infrastructure designation assigned to it by the Department of Homeland Security... The U.S. government's actions come as Russia is engaged in its own push to stamp American tech giants like Microsoft out of that country's systems.
Meanwhile Bloomberg Businessweek claims to have seen emails which "show that Kaspersky Lab has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted" -- and that Kaspersky Lab "confirmed the emails are authentic."
Kaspersky Lab told ZDNet they have not confirmed the emails' authenticity. A representative for Kaspersky Lab says that the company does not have "inappropriate" ties with any government, adding that "the company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime." -
Oracle Now Wants To Give Java EE to an Open Source Foundation (infoworld.com)
An anonymous reader quotes InfoWorld: Oracle wants to end its leadership in the development of enterprise Java and is looking for an open source foundation to take on the role. The company said Thursday that the upcoming Java EE (Enterprise Edition) 8 presents an opportunity to rethink how the platform is developed. Although development is done via open source with community participation, the current Oracle-led process is not seen as agile, flexible, or open enough. "We believe that moving Java EE technologies to an open source foundation may be the right next step, to adopt more agile processes, implement more flexible licensing and change the governance process," Oracle said in a statement...
Despite its desire to retreat from Java EE leadership, Oracle said it plans to continue participating in the evolution of Java EE technologies. "But we believe a more open process, that is not dependent on a single vendor as platform lead, will encourage greater participation and innovation, and will be in the best interests of the community"... Oracle's goals for offloading Java EE would have Oracle not lead the project as it still effectively does with Java SE.
Red Hat's senior principal product manager called this "a very positive move," while Eclipse's executive director said that moving Java EE to a vendor-neutral open source foundation "would be great for both the platform and the community," adding "If asked to do so, the Eclipse Foundation would be pleased to serve as the host organization." -
Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com)
Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave a talk at the Defcon security conference in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published. -
Microsoft Dumps Notorious Chinese Secure Certificate Vendor (zdnet.com)
Soon, neither Internet Explorer nor Edge will recognize new security certificates from Chinese Certificate Authorities WoSign and its subsidiary StartCom. ZDNet reports: A CA is a trusted entity that issues X.509 digital certificates that verify a digital entity's identity on the internet. Certificates include its owner's public key and name, the certificate's expiration date, encryption method, and other information about the public key owner. Typically, these are used to secure websites with the https protocol, lock down internet communications with Secure Sockets Layer and Transport Layer Security (SSL/TLS), and secure virtual private networks (VPNs). A corrupted certificate is barely better than no protection at all. It can be used to easily hack websites and "private" internet communications.
Microsoft has joined [Mozilla, Google and Apple] in abandoning trust in their certificates. A Microsoft representative wrote: "Microsoft has concluded that the Chinese CAs WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) [issuance and management rules for public certificates] violations." Microsoft will start "the natural deprecation of WoSign and StartCom certificates by setting a 'NotBefore' date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017." -
UK Security Researcher Who Stopped WannaCry Outbreak Arrested in US (zdnet.com)
Zack Whittaker, reporting for ZDNet: A security researcher who in May stopped an outbreak of the WannaCry ransomware has been arrested and detained after attending the Def Con conference in Las Vegas. Marcus Hutchins, 23, a British national, was arrested at Las Vegas airport on Wednesday by US Marshals, several close friends confirmed to ZDNet. A friend told ZDNet that he "was pulled by Marshals at the lounge" after clearing security. He was briefly detained in a federal facility in Nevada until he was moved. "We went to see him this morning and he had already been moved," said the friend. Hutchins is now understood to be in custody at an FBI field office in the state. Motherboard first broke the story on Thursday. Update: A Motherboard reporter tweets, "Here's the indictment accusing @MalwareTechBlog of running the Kronos banking malware."
Update 2: New DOJ statement: Gregory J. Haanstad, United States Attorney for the Eastern District of Wisconsin, announced that on July 11, 2017, following a two-year long investigation, a federal grand jury returned a six-count indictment against Marcus Hutchins, also known as "Malwaretech," for his role in creating and distributing the Kronos banking Trojan. -
Petition Asks Adobe To Open-Source Flash To Preserve Internet History (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer: A petition is asking Adobe to release Flash into the hands of the open-source community. Finnish developer Juha Lindstedt started the petition a day after Adobe announced plans to end Flash support by the end of 2020. "Flash is an important piece of Internet history and killing Flash means future generations can't access the past," Lindstedt explains in the petition's opening paragraph. "Games, experiments and websites would be forgotten." The developer wants Adobe to open-source Flash or parts of its technology so the open-source community could take on the job of supporting a minimal version of the Flash plugin or at least create a tool to accurately convert old SWF and FLA files to modern HTML5, canvas data, or WebAssembly code... Lindstedt is asking users to sign the petition by starring the project on GitHub. At the time of writing, the petition has garnered over 3,000 stars.
A reporter at ZDNet counters that "the only way to really secure Flash is to get rid of it... If Flash lives, people will continue to use it, and without security support, it will be even more insecure than ever." He points out there are already several programs that convert Flash into other formats -- and that Adobe already open sourced its Flex framework for building Flash applications back in 2008 (now supported by the Apache Software Foundation as Apache Flex). "In other words, we don't need the Flash source code to convert or create Flash files. Just let Flash go already...!
"Usually, I'm in favor of open-sourcing everything and anything. Not this time. Flash has proven to be a net of endless security holes. It's time to let it go for once and for all." -
Roomba Is No Spy: CEO Says iRobot Will Never Sell Your Data (zdnet.com)
It's been a challenging week for iRobot, the company behind the popular Roomba robotic vacuums. From a report: It started with an interview in Reuters, in which the company's chief executive Colin Angle gave the clear impression that iRobot was selling consumers' home mapping data (Editor's note: the chief executive said the company intended to explore the opportunity). Last night, Angle and iRobot got back to me on this issue. They provided the following response to the concerns I and others shared. "First things first, iRobot will never sell your data. Our mission is to help you keep a cleaner home and, in time, to help the smart home and the devices in it work better. There's no doubt that a robot can help your home be smarter. It's the data it collects to do its job, and the trusted relationship between you, your robot and iRobot, that is critical for that to happen. Information that is shared needs to be controlled by the customer and not as a data asset of a corporation to exploit. That is how data is handled by iRobot today. Customers have control over sharing it. I want to make very clear that this is how data will be handled in the future." -
Linus Torvalds Now Reviews Gadgets On Google+ (zdnet.com)
An anonymous reader quotes ZDNet: If you know anything about Linus Torvalds, you know he's the mastermind and overlord of Linux. If you know him at all well, you know he's also an enthusiastic scuba diver and author of SubSurface, a do-it-all dive log program. And, if you know him really well, you'd know, like many other developers, he loves gadgets. Now, he's starting his own gadget review site on Google+: Working Gadgets...
"[W]hile waiting for my current build to finish, I decided to write a note about some of the gadgets I got that turned out to work, rather than all the crazy crap that didn't. Because while 90% of the cool toys I buy aren't all that great, there's still the ones that actually do live up to expectations. So the rule is: no rants. Just good stuff. Because this is about happy gadgets."
So far Linus has reviewed an automatic cat litter box, a scuba diving pressure regulator, and a Ubiquiti UniFi Wi-Fi access point that complements his Google WiFi mesh network.
Linus will be great at this. Just last week I saw him recommending a text editor. -
Google Bolsters Security To Prevent Another Google Docs Phishing Attack (zdnet.com)
Google is adding a set of features to its security roster to prevent a second run of last month's massive phishing attack. From a report: The company is adding warnings and interstitial screens to warn users that an app they are about to use is unverified and could put their account data at risk. This so-called "unverified app" screen will land on all new web apps that connect to Google user accounts to prevent a malicious app from appearing legitimate. Any Google Chrome user landing on a hacked or malicious website will recognize the prompt as the red warning screen. Some existing apps will also have to go through the same verification process as new apps, Google said. Google also said it will add those warnings to its Apps Scripts, which let Google use custom macros and add-ons for its productivity apps, like Google Docs. -
Windows 10 Creators Upgrade Cuts Support For Some Intel PCs Early (pcworld.com)
Windows PCs with Intel's Clover Trail Atom chips will not upgrade to the Windows 10 Creators Update, which could wind up being trouble in the future. PCWorld reports: Owners of some Windows 10 laptops and tablets are crashing into a worrying roadblock when they try to install the Windows 10 Creators Update. Windows Update initially says the notebooks are compatible with the upgrade, but fails to install it after downloading the setup files, instead displaying the following message: "Windows 10 is no longer supported on this PC. Uninstall this app now because it isn't compatible with Windows 10." That sounds ominous, but you don't need to uninstall your existing version of Windows 10, and there's no app to uninstall. Instead, the message means your PC's hardware isn't compatible with the Creators Update.
A recent ZDNet article thrust this issue into the spotlight, but Microsoft laid out details about the error in an April forum post. Microsoft won't let affected hardware install the Creators Update because "Icons and/or text throughout the Windows interface may not appear at all, or may appear as solid color blocks on some devices." Can I install the Windows 10 Creators Update? Nope. But you might be able to in the future, according to the April forum post. "Microsoft is working with our partners to provide compatible drivers for these processors. Until then, Windows Update will prevent devices containing one of the processors listed above from installing the Creators Update." [Devices with these Intel "Clover Trail" processors are impacted: Atom Z2760; Atom Z2520; Atom Z2560; Atom Z2580.] -
Millions of Verizon Customer Records Exposed in Security Lapse (zdnet.com)
Zack Whittaker, reporting for ZDNet: An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries. -
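The lapse above is the classic "bucket readable by anyone who knows the URL" case. As an added example (not code from the story, Nice Systems or Verizon), the check below takes the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return and reports the grants that make a bucket world-readable: ACL grants to the AllUsers/AuthenticatedUsers groups, and bucket-policy statements that allow read actions to `Principal: "*"` without a Condition. The bucket name and the two sample documents are constructed for illustration.

```python
"""Flag an S3 bucket whose ACL or bucket policy makes it world-readable.

Added example; the ACL and policy documents below are constructed samples
in the shape the AWS CLI returns, not real Nice Systems or Verizon data.
"""
import json
from typing import Any, Dict, List

# Grantee URIs meaning "everyone on the internet" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Lower-cased actions that let a principal list or fetch objects.
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a scalar or a list in the same field."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Findings for ACL grants that give read access to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GRANTEE_URIS:
            continue
        permission = grant.get("Permission", "")
        if permission in READ_PERMISSIONS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {permission} to {group}")
    return findings


def _principal_is_everyone(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Findings for Allow statements granting read actions to Principal '*'.

    Statements with a Condition are skipped: they may still be public
    (e.g. a permissive IpAddress range) and deserve manual review.
    """
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if actions & READ_ACTIONS:
            sid = statement.get("Sid", "<no Sid>")
            findings.append(f"policy statement {sid} allows {sorted(actions)} to Principal *")
    return findings


def audit_bucket(acl_json: str, policy_json: str = "") -> List[str]:
    """Return all public-read findings; an empty list means nothing was flagged."""
    findings = public_acl_grants(json.loads(acl_json))
    if policy_json:
        findings += public_policy_statements(json.loads(policy_json))
    return findings


# Constructed sample documents (hypothetical bucket "call-recordings-sample").
SAMPLE_ACL_PUBLIC = json.dumps({
    "Owner": {"ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})
SAMPLE_ACL_PRIVATE = json.dumps({
    "Owner": {"ID": "0" * 64},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"}],
})
SAMPLE_POLICY_PUBLIC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::call-recordings-sample/*"}],
})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL_PUBLIC, SAMPLE_POLICY_PUBLIC):
        print("PUBLIC:", finding)
```

Run it against real output by feeding the two CLI documents in; a non-empty result is a bucket that needs Block Public Access turned on, the ACL reset and the policy reviewed, in that order.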
Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com)
Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61. From a report: According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which has "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. The tech giant is soon to go further and will completely distrust any certificate issued by the companies within a matter of months. The Chrome development team have restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases. Once version 61 is ready for public release, this will fully distrust any existing WoSign and StartCom root certificates and all certificates they have issued.
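The phased distrust described above has three moving parts: the root the chain ends in, the issuance date relative to October 21, 2016, and a hostname whitelist that shrinks with each release until Chrome 61 drops everything. As an added example (a model of the policy, not Chrome's own verifier code), the function below applies those rules to a chain. The root names, the whitelist contents and the suffix-match rule for whitelist entries are assumptions for illustration; the cut-off date and the version 61 threshold are the ones the story gives.

```python
"""Model of Chrome's phased WoSign/StartCom distrust, as described in the story.

Added example, not Chrome's code. Root subject names and the whitelist are
placeholders; only the 2016-10-21 cut-off and the Chrome 61 threshold come
from the story.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple

CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)  # issued on/after this: never trusted
FULL_DISTRUST_VERSION = 61                               # Chrome 61 drops the whitelist

# Assumed placeholder names for the affected roots.
AFFECTED_ROOTS = {"WoSign CA", "StartCom CA"}


@dataclass
class Cert:
    subject_names: List[str]   # CN and SAN dNSNames
    not_before: datetime       # issuance time, tz-aware
    root: str                  # subject of the root the chain ends in


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match or a single leading wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def on_whitelist(hostname: str, whitelist: Set[str]) -> bool:
    """Assumption: a whitelist entry covers itself and its subdomains."""
    hostname = hostname.lower()
    return any(hostname == entry or hostname.endswith("." + entry) for entry in whitelist)


def chrome_trusts(cert: Cert, hostname: str, chrome_version: int,
                  whitelist: Set[str]) -> Tuple[bool, str]:
    """Apply the staged policy; returns (trusted, reason)."""
    if cert.root not in AFFECTED_ROOTS:
        return True, "chain ends in an unaffected root"
    if chrome_version >= FULL_DISTRUST_VERSION:
        return False, f"Chrome {chrome_version}: WoSign/StartCom fully distrusted"
    if cert.not_before >= CUTOFF:
        return False, "issued on or after 2016-10-21"
    if not any(hostname_matches(n, hostname) for n in cert.subject_names):
        return False, "hostname not covered by the certificate"
    if not on_whitelist(hostname, whitelist):
        return False, "hostname not on the Alexa-derived whitelist"
    return True, "legacy certificate for a whitelisted host on Chrome < 61"


# Constructed sample inputs (hypothetical host and whitelist).
SAMPLE_WHITELIST = {"example.com"}
LEGACY_CERT = Cert(["*.example.com"], datetime(2016, 3, 1, tzinfo=timezone.utc), "StartCom CA")
NEW_CERT = Cert(["*.example.com"], datetime(2016, 11, 5, tzinfo=timezone.utc), "StartCom CA")
OTHER_CERT = Cert(["www.example.com"], datetime(2017, 1, 1, tzinfo=timezone.utc), "Unrelated Root")

if __name__ == "__main__":
    for version in (59, 60, 61):
        print(version, chrome_trusts(LEGACY_CERT, "www.example.com", version, SAMPLE_WHITELIST))
```

The order of the checks is the point: once the version gate fires, neither issuance date nor whitelist membership can rescue a chain, which is why operators on these CAs had to reissue rather than wait.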