Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
Exploit Vendor Drops Tor Browser Zero-Day on Twitter (zdnet.com)
An anonymous reader writes: Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. The vulnerability is a bypass of the NoScript extension that's included by default with all Tor Browser distributions. Once bypassed, an attacker can run malicious code inside the Tor Browser, code that under certain circumstances would have been stopped by NoScript.
"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers," Zerodium CEO Chaouki Bekrar told ZDNet in an interview. "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week." The NoScript extension released a patch in record time today to fix the vulnerability, two hours after Zerodium dropped its code on Twitter. -
Multiple Trend Micro Apps Pulled From Mac App Store; Tens of iOS Apps Caught Collecting and Selling Location Data
Ahead of Apple's big iPhone event later this week, the company appears to be grappling with a PR problem: Third-party apps on both its desktop and mobile app stores have been caught doing shady stuff. Last week, Apple pulled a top-selling app from the App Store, a month after it was alerted about it, but only hours after it started making headlines. Since then, tens of new iOS apps have been caught indulging in a similar offense -- collecting and selling users' data such as GPS coordinates, WiFi network IDs and more. Amid all of this, more desktop apps -- curiously all from security service provider Trend Micro -- have been caught collecting browser history and information about users' computers. Apple has pulled Trend Micro's apps from the store. Do note that Trend Micro still has some apps -- both for desktop and mobile -- listed on the store. Would be interesting to learn what sort of conversations Trend Micro and Apple have had in the recent days. BleepingComputer: The apps are Dr. Antivirus, Dr. Cleaner, and Dr. Unarchiver, all under the developer account Trend Micro, Incorporated. Until removal, all products were top-sellers, with thousands of positive reviews that averaged their ratings between 4.6 and 4.9. The first public report of a Trend Micro product in the App Store engaging in shady activities came in late 2017 when user PeterNopSled told Malwarebytes forum members that "his Mac was taken over by Open Any Files: RAR Support," and it did not let him open Word or Excel files. Trend Micro's privacy and data collection disclosure. -
Popular VPNs Contained Code Execution Security Flaws, Despite Patches (zdnet.com)
Researchers have uncovered vulnerabilities in popular virtual private network (VPN) software, ProtonVPN and NordVPN, which can lead to the execution of arbitrary code by attackers. From a report: Last week, Cisco Talos security researchers said the security flaws, CVE-2018-3952 and CVE-2018-4010, permit code execution by attackers on Microsoft Windows machines. The vulnerabilities are similar to a Windows privilege escalation security flaw uncovered by VerSprite, which is tracked as CVE-2018-10169. Security patches were applied in April by both clients to resolve the original security hole, but according to Talos, "despite the fix, it is still possible to execute code as an administrator on the system." The initial vulnerability was caused by similar design issues in both clients. The interface for both NordVPN and ProtonVPN executes binaries with the permissions of the logged-in user, and this includes the selection of a VPN configuration option, such as a desired VPN server location. This information is sent to a service when "connect" is clicked by way of an OpenVPN configuration file. However, VerSprite was able to create a crafted OpenVPN file which could be sent to the service, loaded, and executed. -
Worries Arise About Security of New WebAuthn Protocol (zdnet.com)
An anonymous reader writes: "A team of security researchers has raised the alarm about some cryptography-related issues with the newly released WebAuthn passwordless authentication protocol," reports ZDNet. "The new WebAuthn protocol will allow users of a device -- such as a computer or a smartphone -- to authenticate on a website using a USB security key, a biometric solution, or his computer or smartphone's password." But researchers say that because WebAuthn uses weak algorithms for the operations of registering a new device, they can pull off some attacks against it.
"If converted into a practical exploit, the ECDAA attacks discussed in the article would allow attackers to steal the key from a [server's] TPM, which would allow attackers to effectively clone the user's hardware security token remotely," Arciszewski, one of the researchers, told ZDNet. "The scenarios that follow depend on how much trust was placed into the hardware security token," he added. "At minimum, I imagine it would enable 2FA bypasses and re-enable phishing attacks. However, if companies elected to use hardware security tokens to obviate passwords, it would allow direct user impersonation by attackers." Attacks aren't practical, and experts say the root cause lies in badly written documentation that may fool some implementers into supporting the old algorithms instead of newer and more solid ones. The FIDO Alliance was notified and has started work on updating its docs so it won't look like it's recommending ECDAA or RSASSA-PKCS1-v1_5. "PKCS1v1.5 is bad. The exploits are almost old enough to legally drink alcohol in the United States," Arciszewski said. -
Windows 7 Will Get Updates for Four More Years -- If You Pay (zdnet.com)
An anonymous reader quotes ZDNet: With the Windows 7 end-of-support clock slowly winding down to January 14, 2020, Microsoft is announcing it will offer, for a fee, continuing security updates for the product through January 2023. This isn't the first time Microsoft has done this for a version of Windows, but it may be the first time it has been so public about its plans to do so.
The paid Windows 7 Extended Security Updates (ESUs) will be sold on a per-device basis, with the price increasing each year. These ESUs will be available to any Windows 7 Professional and Windows 7 Enterprise users with volume-licensing agreements, and those with Windows Software Assurance and/or Windows 10 Enterprise or Education subscriptions will get a discount. Office 365 ProPlus will continue to work on devices with Windows 7 Extended Security Updates through January 2023. -
Pretty Clear GRU's Goal Was To Weaken a Future Clinton Presidency, Former Facebook CSO Says (zdnet.com)
Speaking at the TechCrunch Disrupt tech conference this week, former Facebook chief security officer Alex Stamos reflected on his time dealing with fake news and Russian intelligence interference ahead and after the 2016 US presidential election. From a report: The former Facebook security head said "it [was] pretty clear the GRU's goal was to weaken a future Hillary presidency. Putin has a [you know, it's been well-documented] like a personal antipathy towards her and believes that she was behind the protests against him in the 2012 Russian election, and so, the GRU activity was specifically focused on weakening her."
"I think it was less about actually electing Trump," Stamos added. "I find it unlikely that the Russians are better than Nate Silver at predicting elections." What kind of attacks could we expect in the near future? Per Stamos, "Throwing an election one way or another is going to be very difficult for a foreign adversary but throwing any election into chaos is totally doable right now." -
Google Investigating Issue With Blurry Fonts on new Chrome 69 (zdnet.com)
Since the release of Chrome 69 earlier this week, countless users have gone on social media and Google Product Forums to complain about "blurry" or "fuzzy" text inside Chrome. ZDNet: The blurred font issue isn't limited to text rendered inside a web page, users said, but also affects the text suggestions displayed inside the address bar search drop-down, and Chrome's Developer Tools panel. [...] According to reports, the issue only manifests for Chrome 69 users on Windows. Those who rolled back to Chrome 68 stopped having problems. Users said that changing Chrome, operating system, or screen DPI settings didn't help. "Our team is investigating reports of this behavior. You can find more information in this public bug report," a Google spokesperson said last night after the first user complaints started surfacing online. Some users have also expressed concerns over Chrome not showing "trivial subdomains" including www and the secure lock sign in the address bar. -
Tor Browser Gets a Redesign, Switches To New Firefox Quantum Engine (zdnet.com)
The Tor Browser has rolled out a new interface with the release of v8. From a report: The Tor Browser has always been based on the Firefox codebase, but it lagged behind a few releases. Mozilla rolled out a major overhaul of the Firefox codebase in November 2017, with the release of Firefox 57, the first release in the Firefox Quantum series. Firefox Quantum came with a new page rendering engine, a new add-ons API, and a new user interface called the Photon UI. Because these were major, code-breaking changes, it took the smaller Tor team some time to integrate all of them into the Tor Browser codebase and make sure everything worked as intended. The new Tor Browser 8, released yesterday, is now in sync with the most recent version of Firefox, the Quantum release, and also supports all of its features. This means the Tor Browser now uses the same modern Photon UI that current Firefox versions use, it supports the same speed-optimized page rendering engine and has also dropped support for the old XUL-based add-ons system for the new WebExtensions API system used by Chrome, Opera, Vivaldi, Brave, and the rest of the Chromium browsers. -
Official Chrome Extension of Cloud Storage Service Mega Caught Stealing Passwords, Cryptocurrency Private Keys (zdnet.com)
The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet reports. From the report: The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today. Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users. According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform. The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds. -
US Health Insurer Premera Blue Cross Accused of Destroying Evidence in Data Breach Lawsuit (zdnet.com)
Catalin Cimpanu, reporting for ZDNet: The plaintiffs of a class-action lawsuit against health insurance provider Premera Blue Cross are accusing the organization of "willfully destroying" evidence that was crucial for establishing accurate details in a security breach incident. In court documents filed last week and obtained by ZDNet, plaintiffs claim that Premera intentionally destroyed a computer that was in a key position to reveal more details about the breach, but also software logs from a security product that may have shown evidence of data exfiltration. Establishing if hackers stole data from Premera's systems is crucial for the legal case. Breach victims who are part of the class-action will be able to claim a right to monetary compensation, while Premera may argue that since hackers did not steal data from its servers, there is no tangible harm to victims. The class-action lawsuit is in connection to a March 2015 announcement. Back then, Premera announced that hackers breached its systems and gained access to computers holding the personal and medical data of over 11 million Americans. -
WhatsApp Warns Free Google Drive Backups Are Not End-To-End Encrypted (zdnet.com)
On November 12th, WhatsApp users on Android will be able to back up their messages to Google Drive for free and it won't count towards Google Drive storage quotas. But, as WhatsApp warns, those messages will no longer be protected by end-to-end encryption. ZDNet reports: While Apple iOS users may elect to use iCloud backup storage options, Android users store theirs through Google Drive -- but alongside the changes, WhatsApp has reminded users that once communication, chat, and media are transferred away from the app, end-to-end encryption is no longer in place.
Some users may think that backup services will have the same level of protection as the app. However, this is not the case and the reminder is important for those interested in protecting their privacy. In WhatsApp support documents, this separation is now explicitly mentioned. "Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive," WhatsApp says. -
Chrome 69 is Coming: Not Just a New Look But Flash's Life is About To Get Even Harder (zdnet.com)
Google's curvy tab Material Design update for Chrome will arrive in version 69 of the browser due out in September. From a report: Google flags the upcoming changes in its Enterprise release notes for Chrome 69, which gives a brief mention under browser interface changes to a "new design across all operating systems." Chrome 69, penciled in for stable release on September 4, will also get native Windows 10 notifications, which have been rolling out to users over the past month. Chrome 69 will also progress the long-running project to deprecate Flash Player, which Adobe has announced will reach end of life in 2020. Microsoft, Mozilla, and Apple have similar deprecation timelines for Flash on their desktop browsers. Once ubiquitous, Flash content is now hardly used at all by Chrome users, though Google won't fully remove support until Chrome 87 in 2020. At present, if a user enables Flash for a particular site, they don't need to approve it if they visit the site again. However, in Chrome 69, every time users restart Chrome, they'll need to give permission for sites to use Flash. -
Java and JavaScript Remain the Top Enterprise Developer Languages For the Cloud, Survey Finds (zdnet.com)
Programmers may love hot newer languages like Kotlin and Rust, but according to a recent Cloud Foundry Foundation (CFF) survey of global enterprise developers and IT decision makers, Java and JavaScript are the top enterprise languages. ZDNet: That said, the CFF also found [PDF] that, "More and more, businesses are employing a polyglot and a multi-platform strategy to meet their exact needs." The CFF discovered 77 percent of enterprises are using or evaluating Platforms-as-a-Service (PaaS); 72 percent are using or considering containers; and 46 percent are using or thinking about serverless computing. Simultaneously, more than a third (39 percent) are using all three technologies together. For companies this "flexibility of cloud-native practices enables [companies to move] away from a monolithic approach and towards a world of computing that is flexible, portable and interoperable." That means, while Java and JavaScript are only growing ever more popular, the larger the company, the more languages are used. After the Java twins, C++, C#, Python, and PHP are the most popular languages. -
Google Just Put an AI in Charge of Keeping Its Data Centers Cool (zdnet.com)
Google is putting an artificial intelligence system in charge of its data center cooling after the system proved it could cut energy use. From a report: Now Google and its AI company DeepMind are taking the project further; instead of recommendations being implemented by human staff, the AI system is directly controlling cooling in the data centers that run services including Google Search, Gmail and YouTube. "This first-of-its-kind cloud-based control system is now safely delivering energy savings in multiple Google data centers," Google said. Data centers use vast amounts of energy, and as the demand for cloud computing rises, even small tweaks to areas like cooling can produce significant time and cost savings. Google's decision to use its own DeepMind-created system is also a good plug for its AI business. Every five minutes, the AI pulls a snapshot of the data center cooling system from thousands of sensors. This data is fed into deep neural networks, which predict how different choices will affect future energy consumption. -
Gmail Now Lets You Send Self-Destructing 'Confidential Mode' Emails From Your Phone (zdnet.com)
Google has rolled out its 'confidential mode' for setting a self-destruct date on email to mobile devices. From a report: Confidential mode came with the search company's big redesign of Gmail announced earlier this year and became the default for consumer Gmail users in July, while G Suite business customers still have a few months to make the switch. The data-protection feature is now available on mobile devices, Google announced via a tweet. Google promotes the Gmail feature as a way to protect sensitive information by allowing users to set an expiration date for individual messages or revoke access to messages already sent. The feature also prevents recipients from forwarding, copying, printing or downloading its content and allows users to require recipients to enter a one-time code sent via SMS to view the email. The authentication feature is intended to protect information in the event of the recipient's email account being hijacked. Further reading: Does Gmail's 'Confidential Mode' Go Far Enough? -
China Aims To Narrow Cyberwarfare Gap With US (zdnet.com)
According to the Department of Defense, China is looking to narrow the gap with the U.S. in terms of cyberwarfare capabilities. "The Pentagon report said that in recent years the Chinese army has emphasized the importance of cyberspace for national security because of the country's increasing reliance on its digital economy," reports ZDNet. "It said Chinese military strategists see cyber operations as a low-cost deterrent that can demonstrate capabilities and challenge an adversary." From the report: The DoD's annual report to Congress (PDF) points to a Chinese international cyberspace cooperation strategy in March 2017, which called for the expedited development of a military "cyber force" as an important aspect of the country's defense strategy. However, the U.S. report said that China also believes its cyber capabilities and personnel lag behind those of the U.S. and that China "is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations."
The report lists "cyber activities" directed against the DoD by China and said: "Computer systems around the world, including those owned by the U.S. government, continued to be targeted by China-based intrusions through 2017." It said these intrusions focused on accessing networks and extracting information, and said China uses its cyber capabilities to support intelligence collection against U.S. diplomatic, economic, academic, and defense sectors. -
AWS Error Exposed GoDaddy Business Secrets (zdnet.com)
Internal information belonging to hosting provider GoDaddy has been exposed via an error in Amazon's AWS bucket configuration. According to cybersecurity firm UpGuard, a set of documents were left in an Amazon S3 bucket which was available to the public. ZDNet reports: The information involved in the security breach appeared to describe GoDaddy's architecture, as well as "high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios," according to UpGuard. Configuration files for hostnames, operating systems, workloads, AWS regions, memory, CPU specifications, and more were included in the exposed cache, which described at least 24,000 systems.
"Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields," the cybersecurity firm said. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential. -
Intel Announces the 'World's Densest' SSD (zdnet.com)
Intel has unveiled its new 3D NAND solid-state drive (SSD) "ruler" form factor storage for data-center servers. From a report: The chip giant first set out this form factor a year ago, based on the Enterprise & Datacenter Storage Form Factor (EDSFF) standard for server makers to cut cooling costs and offer a more efficient format than SSDs in the classic 2.5 inch size. Intel describes the new ruler-shaped Intel SSD DC P4500, which is 12 inches by 1.5 inches, and a third of an inch thick, as the world's densest SSD. Server makers can jam up to one petabyte (PB) -- or a thousand terabytes (TB) -- of data into 1U server racks by lining up 32 of these 32TB Intel rulers together. So, instead of the decades-old 2.5-inch square SSD drives inherited from and designed for disk-based storage, Intel now has long and skinny sticks, thanks to flash. The new shape allows it to optimize SSD storage density, cooling, and power for data centers. -
TCP Flaw Lets Remote Attackers Stall Devices With Tiny DoS Attack (zdnet.com)
An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".
It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port. The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel." -
Windows 10 Buggy Updates? Our Patching is Simple, Regular, and Consistent, Says Microsoft (zdnet.com)
Microsoft has declined to comment on an expert's many complaints about the quality of its recent patches and the cadence of Windows 10 feature updates. Earlier, Susan Bradley, a Microsoft MVP who for the past 18 years has volunteered her time helping Windows users, took a survey of over 1,800 respondents regarding the Windows 10 Update experience. She then sent an open letter to Microsoft executives summarizing the results of this survey and providing thoroughly researched material regarding the poor update experience Windows 10 users have been experiencing. In return, Microsoft argued in a blog that it gives admins all the tools they need to test and provide feedback before it releases Patch Tuesday updates. From a report: Microsoft's John Wilcox, who helps promote why organizations should move to Windows 10's Windows-as-a-service model, has, at the behest of Windows pros, offered an explanation of its monthly Windows 10 quality update servicing cadence and terminology.
As noted by ZDNet's Ed Bott recently, IT admins who'd spent years learning about Windows Update needed to "prepare to do some unlearning" due to the many changes introduced by Microsoft's shift to a Windows 10-as-a-service model. "With Windows 10, Microsoft has completely rewritten the Windows Update rulebook. For expert users and IT pros accustomed to having fine-grained control over the update process, these changes might seem wrenching and even draconian," he noted. [...]
Wilcox outlines that Microsoft's guiding principles to its monthly Windows service updates are built around being "simple and predictable", "agile", and "transparent." Wilcox doesn't directly address patching expert Bradley's major complaints about Microsoft's patches of late, but said Microsoft's predictability meant IT managers should be able to handle its "simple, regular and consistent patching cadence." -
Surface Go Reviews Are All Over the Place (arstechnica.com)
The reviews for Microsoft's Surface Go tablet are in, and they're all over the place. While the press generally agrees that the processor is slow and can only handle light tasks, such as browsing and mail, there are mixed conclusions as to whether or not the 10-inch, $399 tablet is worth buying. Ars Technica's Peter Bright summarizes: So, should you buy one? That's hard to say. Mashable was a fairly unequivocal "no:" for light productivity, a Chromebook or iPad does the job for less money, and the performance is too problematic for anything much beyond that. On the other side of the coin, Windows Central reckoned that "as a mini-PC [Surface Go] is about as good as you can get," and Ed Bott said, "It's the best cheap PC I've ever used." Gizmodo called it the "perfect representation of what laptops at this price should be." For everyone else, it depends. TechCrunch says that it's worth a look, but there's no shortage of competition around this price point. Acer and Lenovo, among others, offer decent systems that are a bit cheaper. PCWorld concludes that, if you want a tablet, get an honest-to-god tablet (which is to say, an iPad) rather than a system with Windows 10. But if you want something small and light and might just need the full flexibility of a PC, Go is the system to go for. Engadget acknowledged that the Go is "full of compromises" but that, as a "secondary device," the keyboard and software compatibility give it the edge over other tablets. The Verge concludes similarly: it's "probably not the right thing to be your only computer," but it could have a "real place" as a secondary machine. And VentureBeat took a similar line: if you really want the flexibility of a two-in-one, "you're unlikely to find anything better," but if you want either a laptop or a tablet, "you'll find better options for less."
As a refresher, the Surface Go features a 10-inch touchscreen display with a 1800x1200 (217 PPI) resolution and 3:2 aspect ratio, an Intel Pentium Gold 4415Y Kaby Lake processor with up to 8GB of RAM and 128GB storage via a SSD (the 64GB eMMC variant features 4GB of RAM), integrated Intel HD Graphics 615, and "up to 9 hours" of battery life. The base model is just $399, compared to the $549 model with 128GB/8GB RAM. -
HP Will Give You $10,000 To Hack Your Printer (zdnet.com)
hyperclocker shares a report: HP hopes to entice researchers with a $10,000 reward for finding vulnerabilities in printers. The tech giant revealed the new bug bounty program on Tuesday. The scheme, which is launching as a private bug bounty, is tailored specifically for HP printer hardware. While many of us use home printers simply for printing the occasional document or photo, in the enterprise, these devices are often found in a network. If there is a weak link in business networks, a single device -- whether it be a printer or smart air conditioning system -- can be exploited to compromise a wider network system.
Printers, especially if they are overlooked when it comes to firmware updates or upgrades, can become such avenues to exploit. According to research undertaken by Bugcrowd, "2018 State of Bug Bounty Report," endpoint devices are becoming a tantalizing target for threat actors, with a 21 percent increase in total endpoint bugs reported over the past 12 months. In partnership with bug bounty platform Bugcrowd, HP says it is the "only vendor" to launch a printer-only vulnerability disclosure scheme. Under the terms of the program, researchers can earn between $500 and $10,000 per legitimate find. -
German State Plans To Migrate 13,000 Workstations From Linux to Windows (zdnet.com)
An anonymous reader quotes ZDNet: The German state of Lower Saxony is set to follow Munich in migrating thousands of official computers away from Linux to Microsoft's Windows. As initially reported by Heise, the state's tax authority has 13,000 workstations running OpenSuse -- which it adopted in 2006 in a well-received migration from Solaris -- that it now wants to migrate to a "current version" of Windows, presumably Windows 10.
The authority reasons that many of its field workers and telephone support services already use Windows, so standardisation makes sense. An upgrade of some kind would in any case be necessary soon, as the PCs are running OpenSuse versions 12.2 and 13.2, neither of which is supported anymore.
According to the Lower Saxony's draft budget, €5.9m is set aside for the migration in the coming year, with a further €7m annually over the following years; it's not yet clear how many years the migration would take... Munich's shift away from LiMux -- the city's own Ubuntu-based distribution -- is expected to cost more than €50m overall, involving the deployment of around 29,000 Windows-based computers. -
Now LinkedIn Will Let You Leave Voicemail Messages (zdnet.com)
LinkedIn has been trying to make its business networking platform more like Facebook of late, with features like presence, and Google-like smart replies. Now, it's introducing voice messages just like Facebook and Facebook-owned WhatsApp. From a report: "Whether you're responding while walking or multitasking, or need to give an in-depth explanation, voice messages let you more easily and quickly communicate in your own voice with your connections," LinkedIn said in a blog. Personally, I loathe having to open voice messages on WhatsApp and have never received one on Facebook Messenger, but for the sender, at least, such services can be helpful if they're on the go and can't stop to type a message. And that's LinkedIn's justification for releasing the feature. LinkedIn thinks its new option will be a time-saver for users who find typing laborious in some situations. On the downside, this feature could rapidly become a real pain for those who already get bombarded with written messages from strangers promoting products and services on LinkedIn Messages. -
Microsoft Says Price Increases Coming For Office 2019 and Windows 10 Enterprise Users (zdnet.com)
Microsoft has price increases in store for some of its Office and Windows customers as of October 1, 2018. From a report: In a July 25 blog post, Microsoft officials acknowledged the coming increases. Office 2019, the next on-premises version of Office clients and servers which Microsoft is currently testing ahead of its launch later this year, will see increases of 10 percent over current on-premises pricing. This price increase is for commercial (business) customers and will affect Office client, Enterprise Client Access License (CAL), Core CAL and server products, officials said.
Microsoft also is rejiggering how it refers to Windows 10 Enterprise E3 and related pricing. As of October, Microsoft will be using the E3 name for the per-user version (not the per-device one). Windows 10 Enterprise E3 per User will be rechristened "Windows 10 Enterprise E3." And the current Windows 10 Enterprise E3 per Device will be renamed "Windows 10 Enterprise." According to Microsoft's blog post, the price of Windows 10 Enterprise will be raised to match the price of Windows 10 Enterprise E3. Windows 10 Enterprise E3 costs $84 per user per year. -
Bluetooth Security Flaw Could Let Nearby Attacker Grab Your Private Data (zdnet.com)
A recently discovered bug in many Bluetooth firmware and OS drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices. Researchers at the Israel Institute of Technology discovered the flaw, which was flagged today by Carnegie Mellon University CERT. It affects Bluetooth's Secure Simple Pairing and Low Energy Secure Connections. ZDNet reports: As the CERT notification explains, the vulnerability is caused by some vendors' Bluetooth implementations not properly validating the cryptographic key exchange when Bluetooth devices are pairing. The flaw slipped into the Bluetooth key exchange implementation which uses the elliptic-curve Diffie-Hellman (ECDH) key exchange to establish a secure connection over an insecure channel. This may allow a nearby but remote attacker to inject a bogus public key to determine the session key during the public-private key exchange. They could then conduct a man-in-the-middle attack and "passively intercept and decrypt all device messages, and/or forge and inject malicious messages." Thankfully, patches are on the way. "Intel recommended users upgrade to the latest support driver and to check with vendors if they have provided one in their respective updates," reports ZDNet. "Dell has released a new driver for the Qualcomm driver it uses while Lenovo's update is for the flaw in Intel software. LG and Huawei have referenced fixes for CVE-2018-5383 in their respective July updates for mobile devices." It is not yet known if Android, Google, or the Linux kernel are affected. Apple released a patch for the flaw earlier this month. -
In Encryption Push, Chrome Flags HTTP Sites as 'Not Secure' (zdnet.com)
On Tuesday, Chrome started marking sites that don't use HTTPS as "not secure." From a report: First announced two years ago, Google said it would flag any site that still uses unencrypted HTTP to deliver its content in the latest version of Chrome, out Tuesday. It's part of the company's years-long effort to gradually nudge more webmasters and site owners into adopting HTTPS, a secure encryption standard for data in transit. Any site that doesn't load with a green padlock or a "secure" message in the browser's address bar will be flagged -- and shamed -- as insecure.
[...] According to nightly data compiled by security experts Troy Hunt and Scott Helme, roughly 100 of the top 500 websites are still serving their pages over unencrypted HTTP -- all of which will today be flagged as "insecure." Many of those sites -- like Baidu, JD.com, and Google.cn -- are Chinese language sites, but many popular Western sites -- including BBC.com, DailyMail.co.uk, and Fedex.com -- are HTTP. Of the top million sites, a little over half do not redirect to HTTPS. Chrome 68 also brings with it Page Lifecycle API, and the Payment Handler API. From a report: The Payment Handler API builds on the Payment Request API, which helped users check out online. The new API enables web-based payment apps to facilitate payments directly within the Payment Request experience, as seen above. As with every version, Chrome 68 includes an update to the V8 JavaScript engine: version 6.8. It reduces memory consumption as well as includes improvements to array destructuring, Object.assign, and TypedArray.prototype.sort. Check out the full list of changes for more information. -
Australia Called Out as Willing To Undermine Human Rights For Digital Agenda (zdnet.com)
A report from AccessNow has asked Australia to change its course and lead the way in serving as a champion for human rights instead of against. From a report: Global human rights, public policy, and advocacy group AccessNow has called out Australia for its lack of focus on human rights as it adapts to the challenges of the digital era, with a report from the non-profit saying the country should instead be leading the way in serving as a champion for human rights. "Australia should be a global leader in serving as a champion for human rights, such as the right to privacy and rights to freedoms of expression and association," AccessNow said. "Unfortunately, Australia has taken actions that indicate the nation is willing to undermine human rights as it adapts to the challenges of the digital era."
In Human Rights in the Digital Era: An International Perspective on Australia [PDF], AccessNow says that as the digital world continues to develop, and technology increasingly becomes an "intimate part" of daily lives, Australians are facing a choice. "The country can either continue to be a testing ground for policies that undermine privacy and security in the digital era, or it can be a champion for human rights in the digital age, leveraging its relationships in the world to raise the standards for the next generation," the report says. -
Containers or Virtual Machines: Which is More Secure? (zdnet.com)
Are virtual machines (VM) more secure than containers? You may think you know the answer, but IBM Research has found containers can be as secure, or more secure, than VMs. From a report: James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, writes: "One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors 'feel' more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison." To meet this need, Bottomley created Horizontal Attack Profile (HAP), designed to describe system security in a way that it can be objectively measured. Bottomley has discovered that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor." -
Venmo Refuses To Say Why Transactions Are Public By Default (zdnet.com)
Venmo, the mobile payments app, won't say why it exposes users' data to the world whenever they make a transaction. ZDNet: Hang Do Thi Duc, a Berlin-based privacy researcher, found that every time someone sent or received money using the PayPal-owned mobile app (which had over seven million users in 2017), the transaction was "public" by default and was broadcast on Venmo's API. In other words, everyone can see your transactions -- even without the app. The company did not respond to ZDNet's queries, but in a blanket statement said it takes privacy of users seriously.
Further reading: People Are Using Venmo To Spy On Cheating Spouses. -
Microsoft's Plan To Try To Win Back Consumers With 'Modern Life Services' (zdnet.com)
It's not a secret that Microsoft hasn't been winning the hearts and minds of consumers lately. Killing off products like the Groove Music service, Microsoft Band fitness tracker, and Windows Phone have left many questioning whether Microsoft's grand plan is to simply focus on business users and leave consumers to its competitors. But at the company's Inspire partner show this week, Microsoft execs told partners that Redmond isn't giving up on consumers. From a report: Yusuf Mehdi -- whose new title as of June 2018 became corporate vice president of Modern Life and Devices -- led a session at the partner show in Las Vegas, Nev., where he outlined the company's vision for what officials plan to christen "Modern Life Services." Microsoft's core value proposition is productivity, he said. Microsoft is targeting so-called "professional consumers" with these services, Mehdi said. Microsoft officials believe because the company already "owns the work calendar with Outlook," that it has a foothold in working to blur the line between consumer and commercial activities. What, exactly, will qualify as a Modern Life Service? Mostly they will be apps, services, and features that Microsoft already makes available or soon will in Windows, Outlook, and PowerPoint, but which officials will attempt to position as well suited to the needs of professional consumers on Windows PCs, iPhones and Android phones. -
Baidu Ends Brazil Operations, Will Now Handle the Brazilian User Base From China (zdnet.com)
Chinese web search company Baidu is ending its operations in Brazil, five years after it set up shop in the country. From a report: The company will be handling the Brazilian user base for its web services from China. There are currently two employees working on formal procedures related to the firm's local shutdown, according to local newspaper Valor Economico. A representative for the company said there is no formal statement for Baidu's departure from Brazil. It is also unclear whether Yan Di, the Chinese executive responsible for the Brazil operation, will still work for the company. Baidu's plans for the country changed as part of a shift in the company's global strategy. As part of the new plan, the firm started to spin out business units responsible for apps and mobile advertising, as well as financial services, to sharpen its focus on artificial intelligence. -
Thousands of Mega Logins Dumped Online, Exposing User Files (zdnet.com)
Thousands of credentials for accounts associated with New Zealand-based file storage service Mega have been published online, ZDNet reports. From the report: The text file contains over 15,500 usernames, passwords, and file names, indicating that each account had been improperly accessed and file names scraped. Patrick Wardle, chief research officer and co-founder at Digita Security, found the text file in June after it had been uploaded to malware analysis site VirusTotal some months earlier by a user purportedly in Vietnam. Wardle passed the data to ZDNet. We verified that the data belonged to Mega, the file-sharing site formerly owned by internet entrepreneur Kim Dotcom, by contacting several users, who confirmed that the email address, password, and some of the files we showed them were used on Mega. -
Hacking Campaign Targets iPhone Users With Data-Stealing, Location-Tracking Malware (zdnet.com)
ZDNet reports on a new mobile malware campaign that is "gaining access to iPhones by tricking users to download an open-source mobile device management (MDM) software package." From the report: Once in control, the unidentified hackers can steal various forms of sensitive information from infected devices, including the phone number, serial number, location, contact details, user's photos, SMS, and Telegram and WhatsApp chat messages. Thirteen users -- all in India -- have been compromised in the attacks, which have been detailed by Cisco Talos. Those infected use a range of iPhone models and are running iOS versions ranging from 10.2.1 to 11.2.6. The campaign has been active since August 2015. The attackers take control by using the MDM package, which can give attackers complete control of the device and the ability to install fake versions of real apps.
Two different MDM services are used in the campaign, enabling system-level control of multiple devices from one location and the ability to install, remove and exfiltrate data from apps. One method of stealing data comes via malicious versions of messaging services like Telegram and WhatsApp being pushed onto the compromised device via fake updates. The apps look legitimate to the user, but malicious code sends information -- including messages, photos and contacts -- to a central command and control server. Deploying these apps requires a side-loading injection technique, which allows for the ability to ask for additional permissions, execute code and steal information from the original application. -
Python Language Founder Steps Down (zdnet.com)
After almost 30 years of overseeing the development of the world's most popular language, Python, its founder and "Benevolent Dictator For Life" (BDFL), Guido van Rossum, has decided to remove himself entirely from the decision process. From a report: Van Rossum isn't leaving Python entirely. He said, "I'll still be there for a while as an ordinary core dev, and I'll still be available to mentor people -- possibly more available." It's clear from van Rossum's note he's sick and tired of running the organization. He wrote, "I don't ever want to have to fight so hard for a PEP (Python Enhancement Proposals) [PEP 572 Assignment Expressions] and find that so many people despise my decisions." In addition, van Rossum hints he's not been well. "I'm not getting younger... (I'll spare you the list of medical issues.)" So, "I'm basically giving myself a permanent vacation from being BDFL, and you all will be on your own." From the email: I am not going to appoint a successor. So what are you all going to do? Create a democracy? Anarchy? A dictatorship? A federation? I'm not worried about the day to day decisions in the issue tracker or on GitHub. Very rarely I get asked for an opinion, and usually it's not actually important. So this can just be dealt with as it has always been. At Slashdot, we had the privilege of interviewing Guido van Rossum, a Computer History Museum honoree, in 2013. -
Is iOS 11.4 Draining Your iPhone's Battery? You're Not Alone (zdnet.com)
If you've noticed that the battery life on your iPhone is not what it used to be, it's likely that the problem isn't with your iPhone or some setting or app, but a bug in iOS 11.4. From a report: Apple's support forum has been blowing up with complaints from users that battery life has been seriously curtailed since installing iOS 11.4. The problem seems to be reasonably widespread and affects the iPhone lineup across the board. I've seen this issue on the iPhones that I use. It seems to be accompanied by the device running unusually hot. -
Firefox and the 4-Year Battle To Have Google To Treat It as a First-Class Citizen (zdnet.com)
Web monoculture is well and truly alive when Google cannot be bothered to make a full-featured cross-browser mobile search page. From a report: It has been over five years since Firefox really turned a corner and started to morph from its bloated memory-munching ways into the lightning-quick browser it is today. Buried in Mozilla's issue tracker is a bug that kicked off in February 2014, and is yet to be resolved: Have Google treat Firefox for Android as a first-class citizen and serve up comparable content to what the search giant hands Chrome and Safari. After years of requests, meetings, and to and fro, it has hit a point where the developers of Firefox are experimenting by manipulating the user agent string in its nightly development builds to trick Google into thinking that Firefox Mobile is a Chrome browser. Not only does Google's search page degrade for Firefox on Android, but some new properties like Google Flights have occasionally taken to outright blocking of the browser. -
Fitness App Polar Exposed Locations of Spies and Military Personnel (zdnet.com)
An anonymous reader writes: A popular fitness app that tracks the activity data on millions of users has inadvertently revealed the locations of personnel working at military bases and intelligence services. The app, Polar Flow, built by its eponymous company Polar, a Finnish-based fitness tracking giant with offices in New York, allowed anyone to access a user's fitness activities over several years -- simply by modifying the browser's web address. Although the existence of many government installations is widely known, the identities of their employees were not.
Not only was it possible to see exactly where a user had exercised, it was easy to pinpoint exactly where a user lived, if they started or stopped their fitness tracking as soon as they left their house. Because there were no limits on how many requests the reporters could make, coupled with easily enumerable user ID numbers, it was possible for anyone -- including malicious actors or foreign intelligence services -- to scrape the fitness activity data on millions of users. But they also found they could trick the API into retrieving fitness tracking data on private profiles. -
Samsung, Arm Team Up: Expect New Mobile Chipset Faster Than 3GHz (zdnet.com)
An anonymous reader quotes a report from ZDNet: Arm is teaming up with Samsung's foundry to manufacture the recently announced Cortex-A76 CPU, which the pair say will run at speeds above 3GHz. At that speed the Cortex-A76 will be more powerful than Qualcomm's best Cortex-A75 SoC, the Snapdragon 845, which tops out at 2.8GHz. At launch, Arm said Cortex-A76 chips would even challenge Intel's Core i7 on performance, meaning it could benefit not just smartphones but laptops too, such as "always connected" Windows 10 on Arm devices from HP and Lenovo, which use Qualcomm's Snapdragon 835.
The collaboration will involve the Arm-designed chips being manufactured on Samsung's 7LPP (7nm Low Power Plus) and 5LPE (5nm Low Power Early) process technologies, combined with Arm's Artisan physical IP platform. However, it could still be some time before consumers see these high-powered Arm CPUs in devices. Initial production on the 7LPP process is set to begin in the second half of 2018. Samsung says 5LPE, the process technology after 7LPP, will allow greater area scaling and ultra-low power. -
Homeland Security Subpoenas Twitter For Data Breach Finder's Account (zdnet.com)
An anonymous reader shares a report: Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data. The New Zealand national, whose name isn't known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month. The pseudonymous data breach finder regularly tweets about leaked data, found on exposed and unprotected servers. Last year, he found a trove of almost a million patients' data leaking from a medical telemarketing firm. A recent find included an exposed cache of law enforcement data by ALERRT, a Texas State University-based organization, which trains police and civilians against active shooters. The database, secured in March but reported last week, revealed that several police departments were under-resourced and unable to respond to active shooter situations.
Homeland Security's export control agency, Immigration and Customs Enforcement (ICE), served the subpoena to Twitter on April 24, demanding information about the data breach finder's account. ICE demanded Twitter turn over his screen name, address, phone number -- and any other identifying information about the account, including credit cards on the account. The subpoena also demanded the account's IP address history, member lists, and any complaints filed against the Twitter account. -
A Massive Cache of Law Enforcement Personnel Data Has Leaked (zdnet.com)
Zack Whittaker, reporting for ZDNet: A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University. The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection. ZDNet obtained a copy of the database, which was first found by a New Zealand-based data breach hunter, who goes by the pseudonym Flash Gordon. -
Betting Giant BetVictor Leaked a List of Its Own Internal Systems Passwords (zdnet.com)
A popular betting platform left a password list for its internal systems on its website for anyone to find. From a report: BetVictor, a Gibraltar-based betting site, has since removed the two-page document containing a list of links to back office systems, including usernames and passwords. Chris Hogben found the document through the customer support search box on the company's homepage. The customer support pop-up allowed users to search the site's knowledge base of questions and answers. "Logins/Links to Back Offices - Internal," read the document's title, which contained over two-dozen passwords to the company's trading platform, ticketing system, and Experian's identity verification service, Hogben told ZDNet. -
Google Doubles Down on Linux and Open Source (zdnet.com)
Steven J. Vaughan-Nichols, writing for ZDNet: Google couldn't exist without Linux and open-source software. While you may not think of Google as a Linux company in the same way as you do Canonical, Red Hat, or SUSE, it wouldn't be the search and advertising giant it is today without Linux. So, it makes sense that Google is moving up from its Silver membership in The Linux Foundation, to the Platinum level. With this jump in status, Google gets a seat on the Foundation's board of directors. This position will be filled by Sarah Novotny, the head of open source strategy for Google Cloud Platform. Earlier this week, Chinese tech giant Tencent joined the Linux Foundation as a platinum member. -
Finally, It's the Year of the Linux... Supercomputer (zdnet.com)
Beeftopia writes: From ZDNet: "The latest TOP500 Supercomputer list is out. What's not surprising is that Linux runs on every last one of the world's fastest supercomputers. Linux has dominated supercomputing for years. But, Linux only took over supercomputing lock, stock, and barrel in November 2017. That was the first time all of the TOP500 machines were running Linux. Before that IBM AIX, a Unix variant, was hanging on for dear life low on the list."
An interesting architectural note: "GPUs, not CPUs, now power most of supercomputers' speed." -
Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit (cnet.com)
A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote. -
Red Hat Changes Its Open-Source Licensing Rules (zdnet.com)
An anonymous reader quotes ZDNet: When leading Linux company Red Hat announces that -- from here on out -- all new Red Hat-initiated open-source projects that use the GNU General Public License (GPLv2) or GNU Lesser General Public License (LGPL) v2.1 licenses will be expected to supplement the license with GPL version 3 (GPLv3)'s cure commitment language, it's a big deal. Both older open-source licenses are widely used.
When the GPLv3 was released, it came with an express termination approach that offered developers the chance to cure license compliance errors. This termination policy in GPLv3 provided a way for companies to repair licensing errors and mistakes... Other companies -- CA Technologies, Cisco, HPE, Microsoft, SAP, and SUSE -- have taken similar GPL positions... In its new position statement, Red Hat explained that the GPLv2 and LGPL, as written, have led to the belief that automatic license termination and copyright infringement claims can result from a single act of inadvertent non-compliance.
"We hope that others will also join in this endeavor," says Red Hat's senior commercial counsel, Richard Fontana, "to reassure the open source community that good faith efforts to fix noncompliance will be embraced."
ZDNet points out that the move to new licenses "doesn't apply, of course, to Linux itself. Linus Torvalds has made it abundantly clear that Linux has been, will now, and always shall be under the GPLv2." -
Portland Kicks Off Smart City Initiative With Traffic Sensor Safety Project (zdnet.com)
An anonymous reader quotes a report from ZDNet: Portland, Oregon officials claim its city has some of the best bike data in the United States -- data revealing how many people ride bicycles, where they're going and what streets they're using. Their collection of that data, however, has been as low-tech as it gets: city staffers and volunteers stand out on street corners for two hours at a time and count. Now, the city is aiming for more comprehensive, accurate data collection with the installation of 200 sensors installed on street lights on three of Portland's deadliest streets: Southeast Division St., SE Hawthorne Blvd. and 122nd St.
The Traffic Sensor Safety Project, for a price tag of just over $1 million, represents the first major milestone for the Smart City PDX initiative. It relies on GE's Current CityIQ sensors, which are powered with Intel IoT technology and use AT&T as the data carrier. GE, Intel and AT&T have already worked together to deploy smart streetlight sensors in San Diego. -
Amazon Brings Alexa To Hotels (zdnet.com)
Amazon is finally bringing Alexa to the hotel room. The e-commerce giant announced Tuesday the launch of Alexa for Hospitality, a specialized version of the voice assistant that integrates into popular hotel software systems for guest services. From a report: Housed inside of an Echo device, Alexa for Hospitality is functionally identical to the Alexa used in homes, except tailored to a hotel's service options. Guests can tell Alexa to order room service, book a spa appointment, call for housekeeping, provide directions, or play music in their room, for example. On the privacy side, Amazon said hotels will not have access to voice recordings of Alexa interactions or responses, and recordings of Alexa commands are remotely wiped when the guest checks out of the hotel. However, hotels can use Alexa for Hospitality to "measure engagement through analytics and adapt services based on guest feedback," Amazon said. Alexa for Hospitality is available to hotels, vacation rentals, and other hospitality providers starting today, with Marriott International signed up to deploy the service across its hotel portfolio this summer.