Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
Millions Of Xiaomi Phones at Risk Of Remotely Installed Malware (zdnet.com)
Zack Whittaker, reporting for ZDNet: Millions of Xiaomi phones are vulnerable to a flaw that could allow an attacker to remotely install malware. The vulnerability, now fixed, was found in the analytics package in Xiaomi's custom-built Android-based operating system. Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a man-in-the-middle attack -- one of which would allow an attacker to run arbitrary code at the system level. In other words, an attacker could inject a link to a malicious Android app package, which is extracted and executed at the system level.
Facebook Messenger To Get End-To-End Encryption
Reader wiredmikey writes: Facebook announced Friday it would roll out optional "end to end encryption" for its Messenger application, following a trend aimed at stronger security and protection against snooping. The new feature will be known as "secret conversations" which can be read only by the sender and recipient. Facebook shared technical details about its implementation of the security in a technical white paper (PDF). Facebook earlier this year began implementing this end-to-end encryption on its WhatsApp messaging service. ZDNet's Zack Whittaker, however, warns about a catch in Facebook's effort. He writes: But already the company has faced some criticism for not encrypting messages by default, instead making the service opt-in, like Apple's iMessage, or even Facebook's other chat app, WhatsApp, which recently switched on default end-to-end encryption earlier this year. Cryptographer and Johns Hopkins professor Matthew Green, who reviewed an early version of the system, said in a tweet that though you "have to turn on encryption per thread," providing encryption to almost a billion people makes it hard to "put that genie back in the bottle."
Microsoft Prepares One Final, Full-Screen Get Windows 10 Nag (zdnet.com)
An anonymous reader shares a ZDNet report: Those persistent Get Windows 10 pop-ups are going away soon, after Microsoft's free upgrade offer for Windows 10 expires on July 29. During those final days and hours, anyone still running Windows 7 or Windows 8.1 should brace for one last round of upgrade prods from Redmond, including a full-screen message, as the GWX program moves into its final phase. The details are in a new Knowledge Base article, "Windows 8.1 and Windows 7 SP1 end of free upgrade offer notification," which includes a screenshot of the message as well as some helpful hints on how to avoid seeing it more than once. Two noteworthy additions are visible in the lower left corner of that screen. Instead of merely dismissing the reminder, you can ask to be notified up to three more times or specify that you've made your mind up and you don't want any more notifications.
'UpgradeSubscription.exe' File In Preview Build Hints At Windows 10 Subscriptions (zdnet.com)
An anonymous reader writes: A file named "UpgradeSubscription.exe" is found buried in the System32 folder of Windows 10 build 14376, alongside 590 other .exe files. ZDNet reports the file has been part of other recent preview builds, but was only recently uncovered. "In the file's properties, it's described as the Windows Upgrade to Subscription Tool, and its date and time stamp corresponds to other administrative tools in the same build," reports ZDNet. You can view the screenshot here. Microsoft responded to ZDNet saying: "The Windows Upgrade to Subscription tool, found in the latest Windows Insider builds, helps to manage certain volume licensing upgrades from Windows 10 Pro Anniversary Update to Windows 10 Enterprise. This binary file is not associated with the free consumer upgrade offering nor is it applicable to consumer Windows editions." When pressed for additional details, Microsoft responded with, "No further comment." While the file does nothing, it does appear to confirm that it's related to licensing, referencing a registry value called AllowWindowsSubscription. Build 14376 reveals a few references to servicing packages named Microsoft-Client-License-Platform-Upgrade-Subscription-Package. Last year, there was some talk about Windows 10 being the last version of Windows as Microsoft is pushing a "Windows as a service" vision. When news broke in April about Windows Phone's sharp revenue declines, PCWorld reported that CEO Satya Nadella's strategy is to grow Microsoft's revenues by convincing customers to adopt its paid subscription services.
Microsoft To Make Saying No To Windows 10 Update Easier (zdnet.com)
Less than a week after a California-based woman won a $10,000 lawsuit against Microsoft over Windows 10 upgrades, the Redmond-based company has announced it will make it easier for users to say no to Windows 10 updates. The company plans to change the Windows 10 update prompt to make it clearer and easier for Windows 7 and Windows 8.x users to schedule or reject upgrading to Windows 10. ZDNet reports: Microsoft officials said late on June 27 that the new update experience -- with clearer "upgrade now, schedule a time, or decline the free offer" -- will start rolling out this week. Microsoft also will revert to making clicking on the Red X at the corner of the Windows 10 update box dismiss the update, rather than initiate it, as it has done for the past several weeks. Microsoft officials said they are making the change "in response to customer feedback."
Java, PHP, NodeJS, and Ruby Tools Compromised By Severe Swagger Vulnerability (threatpost.com)
"Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit," warns ZDNet's blog Zero Day, adding "the severe flaw allows attackers to remotely execute code." Slashdot reader msm1267 writes: A serious parameter injection vulnerability exists in the Swagger Code Generator that could allow an attacker to embed executable code in a Swagger JSON file. The flaw affects NodeJS, Ruby, PHP, Java and likely other programming languages. Researchers at Rapid7 who found the flaw disclosed details...as well as a Metasploit module and a proposed patch for the specification. The matter was privately disclosed in April, but Rapid7 said it never heard a response from Swagger's maintainers.
Swagger produces and consumes RESTful web services APIs; Swagger docs can be consumed to automatically generate client-server code. As of January 1, the Swagger specification was donated to the Open API Initiative and became the foundation for the OpenAPI Specification. The vulnerability lies in the Swagger Code Generator, and specifically in that parsers for Swagger documents (written in JSON) don't properly sanitize input. Therefore, an attacker can abuse a developer's trust in Swagger to include executable code that will run once it's in the development environment.
Google Launches Android Programming Course For Absolute Beginners (zdnet.com)
If you're on the fence on whether or not you should spring for learning how to code, Google is willing to offer a helping hand. The company has partnered with Udacity to offer a "nanodegree" class designed for people with no programming experience at all. The program costs $199 per month. ZDNet reports: The course material, developed by Google, is hosted on learning platform Udacity and builds on earlier programs such as the Android Nanodegree for Beginners. The basics course takes around four weeks if the student commits six hours a week and upon completion they'll have created two basic apps built in Android Studio. "Google, in partnership with Udacity, is making Android development accessible and understandable to everyone, so that regardless of your background, you can learn to build apps that improve the lives of people around you," Google announced on its developer blog.
Senate Rejects FBI Bid For Warrantless Access To Internet Browsing Histories (zdnet.com)
Zack Whittaker, reporting for ZDNet: An amendment designed to allow the government warrantless access to internet browsing histories has been narrowly defeated in the Senate. The amendment fell two votes short of the required 60 votes to advance. Mitch McConnell (R-KY) switched his vote at the last minute. He submitted a motion to reconsider the vote following the defeat. A new vote may be set for later on Wednesday. Sen. John McCain (R-AZ) introduced the amendment as an add-on to the commerce, justice, and science appropriations bill earlier this week. McCain said in a statement on Monday that the amendment would "track lone wolves" in the wake of the Orlando massacre, in which Omar Mateen, who authorities say radicalized himself online, killed 49 people at a gay nightclub in the Florida city. The amendment, which may be reconsidered in the near future, aims to broaden the rules governing national security letters, which don't require court approval. These letters allow the FBI to demand records associated with Americans' online communications -- so-called electronic communications transactional records.
Elon Musk's Open Source OpenAI: We're Working On a Robot For Your Household Chores (zdnet.com)
An anonymous reader writes from a report via ZDNet: OpenAI, the artificial-intelligence non-profit backed by Elon Musk, Amazon Web Services, and others, is working on creating a physical robot that performs household chores. In a blog post Monday, OpenAI leaders said they don't want to manufacture the robot itself, but "enable a physical robot [...] to perform basic housework." The company says it is "inspired" by DeepMind's work in the deep learning and reinforcement learning field of AI, as displayed by its AlphaGo victory over human Go masters. OpenAI says it wants to "train an agent capable enough to solve any game," noting that significant advances in AI will be required in order for that to happen. In May, the company released a public beta of a new open source gym for computer programmers working on AI. They also have plans to build an agent that can understand natural language and seek clarification when following instructions to complete a task. OpenAI plans to build new algorithms that can advance this field. Finally, OpenAI wants to measure its progress across games, robotics, and language-based tasks, which is where OpenAI's Gym Beta will come into play.
Microsoft: Nearly One In Three Azure Virtual Machines Now Are Running Linux (zdnet.com)
Mary Jo Foley, reporting for ZDNet: Microsoft's self-professed Linux love is helping the company in the cloud. During his keynote at DockerCon 2016 in Seattle today, Azure Chief Technology Officer Mark Russinovich showed off some of the new and upcoming ways Microsoft is adding more container support to its cloud and server products. He also revealed a couple of interesting new data points. In the past year, Russinovich said, Microsoft has gone from one in four of its Azure virtual machines running Linux to nearly one in three. The other two-thirds of Azure customers are running Windows Server in their virtual machines. Russinovich showed off the promised Windows Server support that officials said would be coming at some point to the company's Azure Container Service (ACS). Microsoft made Azure Container Service generally available in April 2016, but for Linux containers only. Last year, company execs said Microsoft also would bring Windows Server support to ACS.
Hacker Taunts Blizzard After Knocking Gamers Offline (csoonline.com)
Reader itwbennett writes: A person nicknamed AppleJ4ck, who has previously been linked to Lizard Squad, a group notorious for DDoS attacks against gaming platforms, including the PlayStation Network and Xbox Live, has taken credit for server outages affecting gaming giant Blizzard (Alternate source: ZDNet) Monday morning. The outages led to authentication lockouts for gamers attempting to access Overwatch, Hearthstone, World of Warcraft, Diablo, Heroes of the Storm, and others. During the outage, AppleJ4ck said Monday's problems were just a test, promising more outages in the future.
Hacker Steals 45 Million Accounts From Hundreds of Car, Tech, Sports Forums (zdnet.com)
An anonymous reader quotes a report from ZDNet: A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities. The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com. "We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email. In a sample given to ZDNet, the database shows email addresses, passwords that were hashed and salted with MD5 (an algorithm that nowadays is easy to crack), as well as a user's IP address (which in some cases can determine location), and the site that the record was taken from. LeakedSource, which confirmed the findings, said in its blog post that it was "likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale." A LeakedSource group member said it was "not related" to the recent hacks against MySpace, LinkedIn, and Tumblr. The report goes on to say: "A cursory search of the list of domains caught up in the hack revealed that none of the sites [ZDNet] checked offered basic HTTPS website encryption, which would prevent usernames and passwords from being intercepted."
Hacker Puts 51 Million iMesh Accounts For Sale On Dark Web (zdnet.com)
An anonymous reader shares a ZDNet report: User accounts for iMesh, a now-defunct file sharing service, are for sale on the dark web. The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early 2000s, riding the waves of the aftermath of the "dotcom" boom. LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database. The group's analysis of the database shows it contains a little over 51 million accounts. The database, of which a portion was shared with ZDNet for verification, contains user information that dates back to late 2005 when the site launched, including email addresses, passwords (which were hashed and salted with MD5, an algorithm that nowadays is easy to crack), usernames, a user's location and IP address, registration date, and other information -- such as if the account is disabled, or if the account has inbox messages.
Russian Hacker Selling Information of 32 Million Twitter Accounts, Report Says (zdnet.com)
An anonymous reader writes: The hacker who has links to the recent Myspace, LinkedIn, and Tumblr data breaches, is claiming to have obtained a database of millions of Twitter accounts. The data reportedly includes addresses, usernames, and plain-text passwords of 379 million Twitter accounts. The hacker, Tessa88, wants 10 bitcoins, or about $5,820 for the cache. On Wednesday, LeakedSource claimed that the real number of accounts was just under 33 million, which is more than 10 percent of Twitter's monthly active accounts. This follows the hacking of Mark Zuckerberg's Twitter and Pinterest accounts.
Firefox Finally Confirms 'Largest Change Ever' Featuring Electrolysis In v48 (zdnet.com)
Firefox is finally getting multi-process support. Mozilla has announced that Electrolysis (e10s) will be available to users starting Firefox 48. The foundation finds it the most significant Firefox change since the browser's inception. From a ZDNet report: With Electrolysis, Firefox can use child processes for content (tabs), media playback and legacy plug-ins. This is some way short of Google Chrome, which uses a different process for each tab. However, the result is that Chrome is a huge resource hog: Chrome uses roughly twice as much memory as Firefox on Windows and Linux. Eric Rahm has run some browser tests with Electrolysis, and says: "Overall we see a 10-20 percent increase in memory usage for the 1 content process case (which is what we plan on shipping initially). This seems like a fair trade-off for potential security and performance benefits." With 8 content processes, Rahm says: "we see roughly a doubling of memory usage on the TabsOpenSettled measurement. It's a bit worse on Windows, a bit better on OS X, but it's not 8 times worse." The aforementioned feature will be available in Firefox 48 Beta shortly.
New Clues About Why Mt. Gox Failed (thedailybeast.com)
An anonymous reader writes: The Daily Beast is investigating internal emails, contracts, and new information provided by a former accounting employee at Mt. Gox for clues about how and why the world's largest bitcoin exchange failed in 2014. They conclude that CEO Mark Karpeles "bought a company already missing tens of thousands of bitcoins" in 2011, leading to an email exchange a few months later where the previous owner suggested ways to make up the $800,000 shortfall. Unfortunately, Karpeles "had signed a non-disclosure agreement that left him unable to discuss the loss," and after a second larger hack, he moved the majority of bitcoins offline into "cold storage," leaving only enough online to complete transactions.
According to the article, former Mt. Gox employees "claim rogue U.S. government agents seized $5 million of Mt. Gox funds in summer 2013 in retaliation for Karpeles's refusal to cooperate with them. This seizure supposedly cut into the firm's operating reserves, which may have been the beginning of the end, at least according to the former Mt. Gox accountant."
While $450 million eventually disappeared, Thursday ZDNet reported that a class-action lawsuit brought against the bitcoin exchange by investors "has been dismissed."
Computers and Warrants: Some Senators Oppose Justice Plan (go.com)
A group of bipartisan senators introduced a bill on Thursday that blocks a pending judicial rule change allowing U.S. judges to issue search warrants for remote access to computers in any jurisdiction, even overseas. Associated Press reports: Justice Department officials say that requirement is not practical in complex computer crime cases where investigators don't know the physical location of the device they want to search. In instances when cybercriminals operate on networks that conceal their identity and location, the government wants to ensure that any magistrate in a judicial district where a crime may have occurred can sign off on a search warrant that gives investigators remote access to the computer. The Obama administration says that authority is especially critical in cases involving botnets, which are networks of computers infected with a virus that spill across those districts. As it now stands, federal officials say, they might have to apply for nearly identical warrants in 94 different courthouses to disrupt a botnet. The U.S. Justice Department has pushed for the rule change since 2013. It has framed it as a "procedural tweak" needed to modernize the criminal code to pursue sophisticated 21st century criminals, reports Reuters. Congress has until Dec 1 to vote to reject, amend or postpone the changes to Rule 41 of the federal rules of criminal procedure. If lawmakers fail to act, the change will automatically take effect, a scenario seen as likely given the short timeline. ZDNet has more details.
LinkedIn User? Your Data May Be Up For Sale (zdnet.com)
An anonymous reader cites a ZDNet report: Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users. The company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent. Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident. However, a hacker called "Peace" told the publication that this information is being sold on the dark web for roughly $2,200, and paid hacker data search engine LeakedSource also claims to have the data. Both sources say there are approximately 167 million accounts in the data dump, 117 million of which have both emails and encrypted passwords. LinkedIn has acknowledged the breach. In a blog post, the company writes: Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is a result of a new security breach.
Microsoft Releases Big 'Convenience Rollup' Update For Windows 7
Microsoft has released a "convenience rollup" update for Windows 7 computers. The update to the nearly seven-year-old operating system brings with it a number of security fixes and patches that Microsoft labels as "recommended." Mary Jo Foley, reporting for ZDNet: The convenience rollup -- officially known as Windows 7 SP1 convenience rollup -- isn't Service Pack 2 for Windows 7, but it's the next best thing. The new Windows 7 convenience rollup is cumulative back to Service Pack 1, which Microsoft released in 2011. (Editor's note: the convenience rollup consists of all security and non-security fixes all through April 2016.) It doesn't include updates to IE 11 (which are released separately) or updates to .NET releases. But it does include core Windows fixes, security fixes and hot fixes. Microsoft says that the convenience rollup package is completely optional. "Install this one update, and then you only need new updates released after April 2016."
Symantec Antivirus Products Vulnerable To Horrid Overflow Bug (zdnet.com)
An anonymous reader writes: Tavis Ormandy of Google's Project Zero team has discovered a vulnerability in Symantec Antivirus Engine. The said engine is vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files, reports ZDNet. "Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said. "No user interaction is required to trigger the parsing of the malformed file." For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, Ormandy said in the Project Zero issue tracker. "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get," he said. The vulnerability, if exploited, results in kernel memory corruption without user action and instant blue-screening on Windows.
Microsoft Auto-Scheduling Windows 10 Updates (tomshardware.com)
Pikoro quotes this report from Tom's Hardware: Windows 10 has been with us for a little over eight months now, which means there are only about four months remaining to get a free upgrade from an older Windows operating system. As the clock counts down, Microsoft has begun to auto-schedule PCs to upgrade to Windows 10 with or without consent from end users.
Now, as we near the end of the free upgrade period, Microsoft's malware-like upgrade system is becoming even more intrusive by autoscheduling upgrades to Windows 10. I noticed that the Windows 10 upgrade reminder pop-up on a Windows 7 PC was no longer asking me to upgrade; instead, it's now informing me that it has already scheduled an update for May 17.
Meanwhile, the U.S. Marine Corps has discovered half of their computers unexpectedly can't remotely upgrade to Windows 10, slowing their transition to what they expect to be a much more secure operating system.
Slashdot Asks: How Long Before Self-Driving Cars Become Mainstream?
Here's the thing: regardless of one's stance on self-driving cars, they are no longer a futuristic idea. Major car companies such as Tesla, BMW, and Mercedes have already released an autonomous vehicle or plan to release one soon. Sergio Marchionne, an Italian-Canadian executive who is currently the CEO of Fiat Chrysler Automobiles, recently said: It isn't pie in the sky. People are talking about 20 years. I think we will have it in five years. ZDNet has published its interview with Jim McBride, technical leader in Ford's autonomous vehicles team, who thinks self-driving cars are five years away from changing the world. At the same time, we must acknowledge the talk about these smart vehicles killing many jobs, and the security vulnerabilities we read about every once in a while. What's your take on this?
This Unusual Botnet Targets Scientists, Engineers, and Academics (zdnet.com)
schwit1 quotes a report from ZDNet: A botnet and cyberattack campaign is infecting victims across the globe and appears to be tracking the actions of specially selected targets in sectors ranging from government to engineering. Researchers from Forcepoint Security Labs have warned that the campaign it has dubbed 'Jaku' -- after a planet in the Star Wars universe because of references to the sci-fi saga in the malware code -- is different from and more sophisticated than many botnet campaigns. Rather than indiscriminately infecting victims, this campaign is capable of performing "a separate, highly targeted operation" used to monitor members of international non-governmental organizations, engineering companies, academics, scientists and government employees, the researchers said. The findings are set out in Forcepoint's report on Jaku, which outlines how, of the estimated 19,000 unique victims, 42 percent are in South Korea and a further 31 percent in Japan. Both countries are neighbors of North Korea. A further nine percent of Jaku victims are in China, six percent in the US, with the remainder spread across 130 other countries.
Microsoft No Longer Allows Admins To Block Windows Store Access In Windows 10 Pro (zdnet.com)
If you're an administrator, you will no longer be able to block Windows 10 Pro users on your watch from accessing the Windows Store. Mary Jo Foley reports for ZDNet: Up until a month ago, admins could use Group Policy to shut off employees' access to Windows Store if they were running Windows 10 Pro. Controlling this access is a requirement for some businesses. But last month, Microsoft changed that option, claiming that Store access was required for all versions of Windows 10 except Enterprise and Education "by design." Admins still can use AppLocker or Group Policy to block access to the Windows Store if their employees (or students) are running Enterprise or Education.
Old Qualcomm Vulnerability Exposes Android User Data (securityweek.com)
Reader wiredmikey writes: Researchers from FireEye have disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models (Editor's note: the link could have pop-up ads, here's an alternate source). The vulnerability is in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information. While the flaw could expose millions of Android devices, the vulnerability has limited impact on devices running Android 4.4 and later, which include significant security enhancements, and also does not affect Nexus devices. FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March and started reaching out to OEMs to let them know about the issue. Now it's up to the device manufacturers to push out the patch to customers. FireEye said: "The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched."
US Spy Court Didn't Reject a Single Government Surveillance Request In 2015 (zdnet.com)
schwit1 shares news from ZDNet's security blog: In more than three decades, the FISA Court has only rejected 12 requests. A secret court that oversees the US government's surveillance requests accepted every warrant that was submitted last year, according to new figures. The Washington, DC-based Foreign Intelligence Surveillance Court received 1,457 requests from the National Security Agency and the Federal Bureau of Investigation to intercept phone calls and emails. In long-standing fashion, the court did not reject a single warrant, entirely or in part.
The FBI also issued 48,642 national security letters, a subpoena-like power that compels a company to turn over data on national security grounds without informing the subject of the letter. The memo said the majority of these demands sought data on foreigners, but almost one-in-five were requests for data on Americans.
It'll be interesting to see if the numbers go down any in 2016, since in November the court appointed five new lawyers to push back against government requests. Meanwhile, a new report shows an increase in the number of government requests to Facebook about their users, more than half of which contained a non-disclosure order prohibiting Facebook from notifying those users.
Amazon Beats Microsoft In 'The Battle of Seattle' (usatoday.com)
An anonymous reader writes: Yesterday Amazon CEO Jeff Bezos earned $5 billion in one afternoon when the company's stock price jumped 9.6%. Amazon reported an actual profit of $513 million (nearly double the amount expected), and next year Amazon's sales are projected by analysts to be 63% higher than Microsoft's, which USA Today calls "a good illustration of how growth in the sector has moved from hardware, software and chip companies to Internet firms selling goods or advertising online... [W]hile Bill Gates helped put the Seattle area on the map as a U.S. tech hub, Bezos now runs the largest tech company in the State of Washington, by far, in terms of sales."
Amazon's Echo and Alexa devices are believed to be outselling their Kindles (and Alexa will soon make her first appearance on a non-Amazon device). But Amazon attributed their surprise jump in revenue to a 51% annual increase in the "tens of millions" of subscribers paying for their Amazon Prime shipping service (which in San Francisco now even includes delivery from restaurants), as well as a 64% increase from their AWS cloud service, which recently announced a new automated security assessment tool.
Amazon ultimately reported more than twice as much new business as Google and three times as much as Facebook, according to USA Today, which notes that now of all the tech companies, only Apple has more revenue than Amazon, and because of the jump in their stock price, Jeff Bezos is now the fourth-richest person in the world. But with all that money floating around, Seattle tech blogger Jeff Reifman is now wondering why Amazon's local home delivery vehicles in Seattle seem to be operating with out-of-state plates. -
Your Phone Number Is All a Hacker Needs To Read Texts, Listen To Calls and Track You (theguardian.com)
Samuel Gibbs, reporting for The Guardian: Hackers have again demonstrated that no matter how many security precautions someone takes, all a hacker needs to track their location and snoop on their phone calls and texts is their phone number. The hack, first demonstrated by German security researcher Karsten Nohl in 2014 at a hacker convention in Hamburg, has been shown to still be active by Nohl over a year later for CBS's 60 Minutes. The hack uses the network interchange service called Signalling System No. 7 (SS7), also known as C7 in the UK or CCSS7 in the US, which acts as a broker between mobile phone networks. When calls or text messages are made across networks, SS7 handles details such as number translation, SMS transfer, billing and other back-end duties that connect one network or caller to another. By hacking into or otherwise gaining access to the SS7 system, an attacker can track a person's location based on mobile phone mast triangulation, read their sent and received text messages, and log, record and listen in to their phone calls, simply by using their phone number as an identifier. Also from the report, "60 Minutes contacted the cellular phone trade association to ask about attacks on the SS7 network. They acknowledged there have been reports of security breaches abroad, but assured us that all U.S. cellphone networks were secure." Update: 04/18 16:51 GMT by M: Reader blottsie writes: U.S. Rep. Ted Lieu (D-Cali.) on Monday called for a full congressional investigation into the aforementioned widespread flaw in global phone networks. -
MIT Reveals AI Platform Which Detects 85 Percent of Cyberattacks (zdnet.com)
An anonymous reader writes: MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) says that while many 'analyst-driven solutions' rely on rules created by human experts and therefore may miss attacks which do not match established patterns, a new artificial intelligence platform changes the rules of the game. The platform, dubbed AI Squared (AI2), is able to detect 85 percent of attacks -- roughly three times better than current benchmarks -- and also reduces the number of false positives by a factor of five, according to MIT. The latter is important, as when anomaly detection triggers false positives, this can lead to lessened trust in protective systems and also wastes the time of IT experts who need to investigate the matter. AI2 was tested using 3.6 billion log lines generated by over 20 million users in a period of three months. The AI trawled through this information and used machine learning to cluster data together to find suspicious activity. Anything which was flagged up as unusual was then presented to a human operator and feedback was issued. Fast Co Design has an interesting take on this. -
Ubuntu Linux Continues To Dominate OpenStack and Other Clouds (zdnet.com)
An anonymous reader quotes a report from ZDNet: One reason Ubuntu is increasing its lead is that Juju, Canonical's application modeling and deployment DevOps tool, has been gaining in popularity. In the latest OpenStack user survey, we see that OpenStack is finally gaining real momentum in private clouds. We also see that Ubuntu Linux is continuing to dominate OpenStack. As Canonical cloud marketing manager Bill Bauman said, "Ubuntu OpenStack continues to dominate the majority of deployments with 55 percent of production OpenStack clouds. The previous survey showed Ubuntu OpenStack at 33 percent of production clouds. Ubuntu has seen almost 67 percent growth in an area where Ubuntu was already the market leader. These numbers are a huge testament to the community support Ubuntu OpenStack receives every day." The Cloud Market's latest analysis of operating systems on the Amazon Elastic Compute Cloud (EC2) shows Ubuntu with just over 215,000 instances. Ubuntu is followed by Amazon's own Amazon Linux Amazon Machine Image (AMI), with 86,000 instances. Further back, you'll find Windows with 26,000 instances. In fourth and fifth place, respectively, you'll find Red Hat Enterprise Linux (RHEL) with 16,500 instances and then CentOS with 12,500 instances. -
GoPro Announces Third-Party Developer Program With Over 100 Partners (zdnet.com)
An anonymous reader quotes a report from ZDNet: GoPro quietly announced its Developer Program on Thursday as it looks to incorporate its action sports cameras into third-party products. The GoPro Developer Program provides toolkits, technical information and support to enable companies to add GoPro camera connectivity into their products. There is a camera toolkit for iOS and Android apps to control a GoPro camera and manage media, along with a mechanical toolkit to attach GoPro cameras to third-party products. It announced there are more than 100 companies partnering with GoPro, including brands from BMW, Fisher-Price, and Polar. GoPro showed off potential third-party integration ideas in a video showing a gesture-based camera control system. -
Google Introduces Voice Access To Make Android More Accommodating For People With Disabilities (zdnet.com)
An anonymous reader writes: Google has launched a new beta app called Voice Access, which lets people control their Android phone with voice commands. The company took the wraps off Voice Access as an accessibility tool to help people who have difficulties using the touch interface, such as those with tremors or paralysis. Once installed, items in Settings and apps on the Homepage are numbered. The user can tell the device, "Go Home", which is transcribed at the top of the page, and then say, "Open one", to launch the app numbered one. Twitter and Facebook also recently took some steps to make some of their services more accessible to people. -
Surveillance Cameras Sold On Amazon Found Infected With Malware (zdnet.com)
An anonymous reader shares a report on ZDNet: Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harboring a dark secret -- malware. Olsen said in a blog post that while scouring Amazon for a decent set of outdoor surveillance cameras for a friend, he came across a deal for 6 PoE cameras and recording equipment. The seller, Urban Security Group, had generally good reviews and was offering a particular Sony setup on sale. After purchasing the kit, Olsen started setting up the surveillance system, logging into the administrator panel to configure it. [...] Upon investigation, Olsen found that the device was talking to a server with hostname Brenz.pl, which is linked to malware distribution. If the device's firmware links to this domain, malware can be downloaded and installed, potentially leading to unlawful surveillance and data theft. Perhaps the company which made the device didn't realize its source code was compromised. While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply. -
Over 135 Million Routers Vulnerable To Denial-of-service Flaw (zdnet.com)
schwit1 quotes a report from ZDNet: [More than 135 million modems are said to be vulnerable to a flaw that can leave users cut off from the internet -- just by someone clicking on a trick link.] The problem lies with how a widely-used router, the Arris SurfBoard SB6141, handles authentication and cross-site requests. Arris (formerly Motorola) said that it has sold more than 135 million of the SurfBoard SB6141 routers. That means the millions of Comcast, Time Warner Cable, or Charter customers who are shipped one of these routers when they subscribe are vulnerable. The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email. Security researcher David Longenecker, who found the flaws and posted the write-up on the Full Disclosure list earlier this week, released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process. There's no practical fix for the flaw, according to Longenecker. "The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said. But even if Arris released a fix, he said that the cable modems are not upgradable by their owners, meaning the internet provider would have to roll out the fix. -
Apple Won't Sue FBI To Reveal Hack Used To Unlock Seized iPhone (appleinsider.com)
An anonymous reader quotes a report from ZDNet: Apple will not pursue legal action against the US government to discover how federal agents broke into an iPhone used by one of the San Bernardino shooters. Attorneys for Apple, speaking on background during a media briefing call on Friday, said that it believed the method used to unlock the iPhone 5c would be short-lived. It follows similar comments by FBI director James Comey, who said in a speech on Thursday that the hack used to unlock the encrypted phone works on a "narrow slice" of devices. Apple attorneys said that the company is "confident" that the security weakness that the government alleges to have found will have a "short shelf life." The FBI's hack in the San Bernardino case would not help agents access a newer iPhone 5s used by a drug dealer in New York, where Apple faces a similar case against the government. -
Head of Oracle Linux Moves To Microsoft (zdnet.com)
An anonymous reader writes: Wim Coekaerts, formerly Oracle's Senior VP of Linux and Virtualization Engineering, has left Oracle for Microsoft. Many of you may know of Coekaerts as "Mr. Linux" as he delivered the first Linux products, transitioned Oracle's programming staff from Windows to Linux desktops, and turned Oracle into a Linux distributor with the launch of its Red Hat Enterprise Linux (RHEL) clone, Oracle Linux. Mike Neil, Microsoft's Corporate Vice President of the Enterprise Cloud, told ZDNet, "Wim Coekaerts has joined Microsoft as Corp VP of Open Source in our Enterprise Cloud Group. As we continue to deepen our commitment to open source, Wim will focus on deepening our engagement, contributions and innovation to the open-source community." -
Confirmed: Microsoft and Canonical Partner To Bring Ubuntu To Windows 10 (zdnet.com)
Steven J. Vaughan-Nichols reports for ZDNet: According to sources at Canonical, Ubuntu Linux's parent company, and Microsoft, you'll soon be able to run Ubuntu on Windows 10. This will be more than just running the Bash shell on Windows 10. After all, thanks to programs such as Cygwin or MSYS utilities, hardcore Unix users have long been able to run the popular Bash command line interface (CLI) on Windows. With this new addition, Ubuntu users will be able to run Ubuntu simultaneously with Windows. This will not be in a virtual machine, but as an integrated part of Windows 10. [...] Microsoft and Canonical will not, however, sources say, be integrating Linux per se into Windows. Instead, Ubuntu will primarily run on a foundation of native Windows libraries. Update: 03/30 16:16 GMT by M: At its developer conference Build 2016, Microsoft on Wednesday confirmed that it is bringing native support for Bash on Windows 10. Scott Hanselman writes: This isn't Bash or Ubuntu running in a VM. This is a real native Bash Linux binary running on Windows itself. It's fast and lightweight and it's the real binaries. This is a genuine Ubuntu image on top of Windows with all the Linux tools I use like awk, sed, grep, vi, etc. It's fast and it's lightweight. The binaries are downloaded by you - using apt-get - just as on Linux, because it is Linux. You can apt-get and download other tools like Ruby, Redis, emacs, and on and on. This is brilliant for developers that use a diverse set of tools like me. -
Virus Hits MedStar Health Hospital Network (zdnet.com)
An anonymous reader writes: IT staff at multiple hospitals have been forced to stop all routine and net new operations and perform an all-hands-on-deck emergency malware control effort in the last several weeks. The latest instance of this can be seen at MedStar Hospital. From a ZDNet report, "Malware has infected the computer network of MedStar Health, forcing the healthcare provider to shut down large portions of its electronic operations. A statement by the health system said that all facilities remain open, and that there was 'no evidence of compromised information.' The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system's website, it has more than 31,000 employees and serves hundreds of thousands of patients annually." This outbreak appears to be fairly widespread and not limited to the single story listed. A similar story appeared on Slashdot several weeks ago, and a quick search on Google provides multiple hits that indicate that this type of incident is much more commonplace than I would have believed. Hospitals provide round-the-clock service to patients, and many of these services are critical to the health of the hospital clients. Most hospitals invest significant resources into security. Vendors may limit local IT staff in terms of how well a turnkey solution is designed to prevent infection. In short, hospital IT staff seem to be in the position of having to respond to rather than prevent these types of incidents. IT analysts predicted that 2015 would be the year that hospitals became targets for hackers. It appears that 2015 was just the first wave of the potential storm that is headed directly towards our healthcare IT infrastructure. How can hospitals guard themselves against these attacks when perpetrators can adapt almost instantly to new security measures while hospitals are constrained by operating concerns? -
Bill Introduced To Require ID When Purchasing "Burner Phones" (house.gov)
insitus quotes a report from Speier.House.Gov: Congresswoman Jackie Speier (D-San Francisco/San Mateo) introduced the Closing the Pre-Paid Mobile Device Security Gap Act of 2016, which would require people to present identification when purchasing "burner phones" and other pre-paid mobile devices, as well as requiring merchants to keep records of those purchases. "Burner phones" are pre-paid phones that terrorists, human traffickers, and narcotics dealers often use to avoid scrutiny by law enforcement because they can be purchased without identification and record-keeping requirements. This bill would close that legal gap. "This bill would close one of the most significant gaps in our ability to track and prevent acts of terror, drug trafficking, and modern-day slavery," said Speier. "The 'burner phone' loophole is an egregious gap in our legal framework that allows actors like the 9/11 hijackers and the Times Square bomber to evade law enforcement while they plot to take innocent lives. The Paris attackers also used 'burner phones.' As we've seen so vividly over the past few days, we cannot afford to take those kinds of risks. It's time to close this 'burner phone' loophole for good." -
Red Hat Becomes First $2 Billion Open-Source Company (zdnet.com)
An anonymous reader quotes a report from ZDNet: Red Hat just became the first open-source company to make a cool 2 billion bucks. Not bad considering Red Hat became the first billion-dollar Linux company only four years ago. Red Hat did it the old-fashioned way: They earned the money instead of playing upon the gullibility of venture capitalists. Red Hat's total revenue for its fourth quarter was $544 million. That's up 17 percent in U.S. dollars year-over-year, or 21 percent measured in constant currency. Subscription revenue for the quarter was $480 million, up 18 percent in U.S. dollars year-over-year, or 22 percent measured in constant currency. Subscription revenue in the quarter was 88 percent of total revenue. Analysts estimated Red Hat would make $534 million. Looking ahead to its 2016 FY, Red Hat expects to see between $2.380 billion and $2.420 billion. At this rate, Red Hat should easily become the first $3 billion open-source company.
While Red Hat's president and CEO Jim Whitehurst credits the "hybrid cloud infrastructures," Red Hat's subscription revenue can largely be ascribed to Red Hat's flagship product: Red Hat Enterprise Linux. Still, RHEL, which is now available on Microsoft Azure, is becoming a prominent cloud operating system. -
Whistleblower: NSA Is So Overwhelmed With Data, It's No Longer Effective (zdnet.com)
An anonymous reader cites ZDNet's Zack Whittaker report: William Binney, a former NSA official who spent more than three decades at the agency, said the US government's mass surveillance programs have become so engorged with data that they are no longer effective, losing vital intelligence in the fray. That, he said, can -- and has -- led to terrorist attacks succeeding. Binney said that an analyst today can run one simple query across the NSA's various databases, only to become immediately overloaded with information. With about four billion people -- around two-thirds of the world's population -- under the NSA and partner agencies' watchful eyes, according to his estimates, there is too much data being collected. Perhaps that's one of the reasons why NSA wants to dump the phone records it gathered over the past 14 years. -
Microsoft Revises Windows 7, 8 On Skylake Cut-Off Date To 2018 (zdnet.com)
An anonymous reader writes from a ZDNet story: Microsoft is softening its stance on how long and how completely it will continue to support Windows 7 and Windows 8.1 users running Skylake-based devices. Instead of cutting off full, extended support for Windows 7 and Windows 8.1 on Skylake on July 17, 2017, Microsoft will now guarantee full extended support to July 17, 2018. Microsoft also tightened up the wording as to what kinds of security updates Windows 7 and Windows 8.1 users will get once that date comes. "After July 2018, all critical Windows 7 and Windows 8.1 security updates will be addressed for Skylake systems until extended support ends for Windows 7, January 14, 2020 and Windows 8.1 on January 10, 2023," it said. Many users weren't pleased with Microsoft's initial decision. And it appears OEMs weren't thrilled about it, either. Adrienne Mueller, Product Manager at Lenovo said earlier this month, "The thought here is that Microsoft is really just pushing customers to move to Windows 10. A lot of reactions from our customers...is can we influence Microsoft and tell them they're not ready to transition and try to get them to prolong support on that? We've tried, and Microsoft's not really willing to do that." -
US Government Pushed Many Tech Firms To Hand Over Source Code (zdnet.com)
An anonymous reader writes: Apple isn't the only company that has been asked to hand over the source code of its operating system. In an effort to find security flaws that could be used for surveillance or investigations, the U.S. government has made numerous attempts to obtain the source code from other tech companies. From the ZDNet report, "The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. The Justice Department wanted to draw outrage, painting Apple as the criminal. With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing 'most of the time.'" -
Microsoft Tries Hard To Play Nice With Open Source, But There's an Elephant In the Room
Esther Schindler writes: They're trying, honest they are. In 2016 alone, writes Steven Vaughan-Nichols, Microsoft announced SQL Server on Linux; integrated Eclipse and Visual Studio; launched an open-source network stack on Debian Linux; and it's adding Ubuntu Linux to its Azure Stack hybrid-cloud offering. That's all well and good, he says, but it's not enough. There's one thing Microsoft could do to gain real open-source trust: Stop forcing companies to pay for its bogus Android patents. But there's too much money at stake, writes sjvn, for this to ever happen. For instance, in its last quarter, volume licensing and patents accounted for approximately 9% of Microsoft's total revenue. -