Security

Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure 35

Posted by Soulskill
from the what-year-is-this dept.
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.
Android

Google Can't Ignore the Android Update Problem Any Longer 215

Posted by Soulskill
from the i-bet-they-can dept.
An anonymous reader writes: An editorial at Tom's Hardware makes the case that Google's Android fragmentation problem has gotten too big to ignore any longer. Android 5.0 Lollipop and its successor 5.1 have seen very low adoption rates — 9.0% and 0.7% respectively. Almost 40% of users are still on KitKat. 6% lag far behind on Gingerbread and Froyo. The article points out that even Microsoft is now making efforts to both streamline Windows upgrades and adapt Android (and iOS) apps to run on Windows.

If Google doesn't adapt, "it risks having users (slowly but surely) switch to more secure platforms that do give them updates in a timely manner. And if users want those platforms, OEMs will have no choice but to switch to them too, leaving Google with less and less Android adoption." The author also says OEMs and carriers can no longer be trusted to handle operating system updates, because they've proven themselves quite incapable of doing so in a reasonable manner.
Portables

Ask Slashdot: Most Chromebook-Like Unofficial ChromeOS Experience? 76

Posted by Soulskill
from the get-your-company-to-pay-for-it-wink-wink dept.
An anonymous reader writes: I am interested in Chromebooks, for the reasons that Google successfully pushes them: my carry-around laptops serve mostly as terminals, rather than CPU-heavy workhorses, and for the most part the whole reason I'm on my computer is to do something that requires a network connection anyhow. My email is Gmail, and without particularly endorsing any one element, I've moved a lot of things to online services like DropBox. (Some offline capabilities are nice, but since actual Chromebooks have been slowly gaining offline stuff, and theoretically will gain a lot more of that, soon, I no longer worry much about a machine being "useless" if the upstream connection happens to be broken or absent. It would just be useless in the same way my conventional desktop machine would be.) I have some decent but not high-end laptops (Core i3, 2GB-4GB of RAM) that I'd enjoy repurposing as Chromebooks without pedigree: they'd fall somewhat short of the high-end Pixel, but at no out-of-pocket expense for me unless I spring for some cheap SSDs, which I might.

So: how would you go about making a Chromebook-like laptop? Yes, I could just install any Linux distro, and then restrain myself from installing most apps other than a browser and a few utilities, but that's not quite the same; ChromeOS is nicely polished, and very pared down; it also seems to do well with low-memory systems (lots of the current models have just 2GB, which brings many Linux distros to a disk-swapping crawl), and starts up nicely quick.

It looks like the most "authentic" thing would be to dive into building Chromium OS (which looks like a fun hobby), but I'd like to find something more like Cr OS — only Cr OS hasn't been updated in quite a while. Perhaps some other browser-centric pared-down Linux would work as well. How would you build a system? And should I go ahead and order some low-end 16GB SSDs, which I now see from online vendors for less than $25?
Privacy

Researchers Detect Android Apps That Connect to User Tracking and Ad Sites 68

Posted by samzenpus
from the don't-track-me-bro dept.
An anonymous reader writes: A group of European researchers has developed software that tracks the URLs to which cellphone apps connect. After downloading 2,000+ free apps from Google Play, they indexed all the sites those apps connected to, and compared them to a list of known advertising and user tracking sites. "In total, the apps connect to a mind-boggling 250,000 different URLs across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific. Vigneri and co give as an example "Music Volume Eq," an app designed to control volume, a task that does not require a connection to any external urls. And yet the app makes many connections. 'We find the app Music Volume EQ connects to almost 2,000 distinct URLs,' they say. [Another major offender] is an app called Eurosport Player which connects to 810 different user tracking sites." The researchers plan to publish their software for users to try out on Google Play soon.
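The kind of check the summary describes, as an added JavaScript example rather than the researchers' tool: take the URLs an app was observed connecting to, match each hostname against a list of known ad and tracking domains (a listed domain or any subdomain of it counts), and rank apps by how many distinct tracker hosts they reach. The tracker list and the per-app URL logs are constructed sample data, not figures from the study, and the "registrable domain" bucket is a crude last-two-labels approximation.

```javascript
// Added example: matching an app's observed URLs against a tracker domain list.
// Not the researchers' software; tracker list and URL logs below are constructed.

// A hostname matches if it equals a listed domain or is a subdomain of one.
function isTrackerHost(hostname, trackerDomains) {
  const h = hostname.toLowerCase();
  return trackerDomains.some((d) => h === d || h.endsWith('.' + d));
}

// Crude "top level domain" bucket: the last two labels of the host. Good
// enough for counting distinct domains in this example; a real tool would
// use the public suffix list (assumption, not what the study used).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Summarise one app's observed URLs: distinct URLs, distinct domains and the
// sorted list of tracker hosts it contacted.
function analyseApp(appName, urls, trackerDomains) {
  const distinctUrls = new Set();
  const domains = new Set();
  const trackerHosts = new Set();
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch (e) { continue; } // skip malformed entries
    distinctUrls.add(u.href);
    domains.add(registrableDomain(u.hostname));
    if (isTrackerHost(u.hostname, trackerDomains)) trackerHosts.add(u.hostname);
  }
  return {
    app: appName,
    distinctUrls: distinctUrls.size,
    distinctDomains: domains.size,
    trackerHosts: [...trackerHosts].sort(),
  };
}

// Rank apps by number of distinct tracker hosts, most prolific first.
function rankApps(logs, trackerDomains) {
  return Object.entries(logs)
    .map(([app, urls]) => analyseApp(app, urls, trackerDomains))
    .sort((a, b) => b.trackerHosts.length - a.trackerHosts.length);
}

// Constructed sample data (not from the study).
const SAMPLE_TRACKERS = ['ads.example', 'metrics.example', 'tracker.example'];
const SAMPLE_LOGS = {
  'Volume App': [
    'https://cdn.ads.example/banner.js',
    'https://a.metrics.example/collect?id=1',
    'https://a.metrics.example/collect?id=2',
    'https://b.metrics.example/ping',
    'https://update.vendor.example/check',
  ],
  'Notes App': ['https://sync.vendor.example/v1/notes'],
};

console.log(JSON.stringify(rankApps(SAMPLE_LOGS, SAMPLE_TRACKERS), null, 2));
```

Two distinct query strings to the same host count as two distinct URLs but one tracker host, which is why an app can show thousands of URLs while contacting a much smaller set of tracking domains.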
AI

AI Experts In High Demand 74

Posted by Soulskill
from the skynet-attempting-to-bootstrap-itself dept.
An anonymous reader writes: The field of artificial intelligence is getting hotter by the moment as Google, Facebook, Amazon, Microsoft and other tech companies snap up experts and pour funding into university research. Commercial uses for AI are still limited. Predictive text and Siri, the iPhone's voice-recognition feature, are early manifestations. But AI's potential has exploded as the cost of computing power drops and as the ability to collect and process data soars. Big tech companies like Facebook and Google now vacuum up the huge amount of data that needs to be processed to help machines make "intelligent" decisions. The relationship between tech giants and academia can be difficult to navigate. Some faculty members complain tech companies aren't doing enough in the many collaborative efforts now under way. One big gripe: Companies aren't willing to share the vast data they are able to collect.
Facebook

Facebook Wants to Skip the Off-Site Links, Host News Content Directly 51

Posted by timothy
from the a-few-seconds-a-few-seconds-there dept.
The Wall Street Journal, in a report also cited by The Next Web and others, reports that Facebook is to soon begin acting not just as a conduit for news links pasted onto users' timelines (and leading to articles hosted elsewhere) but also as a host for the articles themselves. From the WSJ article: To woo publishers, Facebook is offering to change its traditional revenue-sharing model. In one of the models under consideration, publishers would keep all of the revenue from ads they sell on Facebook-hosted news sites, the people familiar with the matter said. If Facebook sells the advertisement, it would keep roughly 30% of the revenue, as it does in many other cases. Another motivation for Facebook to give up some revenue: It hopes the faster-loading content will encourage users to spend more time on its network. It is unclear what format the ads might take, or if publishers will be able to place or measure the ads they sell within Facebook. It seems likely Facebook would want publishers to use its own advertising-technology products, such as Atlas and LiveRail, as opposed to those offered by rivals such as Google Inc.
Chrome

Chrome Passes 25% Market Share, IE and Firefox Slip 234

Posted by timothy
from the none-of-them-are-perfect dept.
An anonymous reader writes: In April 2015, we saw the naming of Microsoft Edge, the release of Chrome 42, and the first full month of Firefox 37 availability. Now we're learning that Google's browser has finally passed the 25 percent market share mark. Hit the link for some probably unnecessarily fine-grained statistics on recent browser trends. Have your browser habits shifted recently? Which browsers do you use most often?
Security

Researcher Bypasses Google Password Alert For Second Time 34

Posted by timothy
from the if-you-watch-everything-you-lose-perspective dept.
Trailrunner7 writes with this excerpt: A security researcher has developed a method–actually two methods–for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they're about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using JavaScript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

"The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you've entered the correct password, Password Alert throws a warning advising the user to change their password," Moore said.
Graphics

My High School CS Homework Is the Centerfold 609

Posted by timothy
from the awfully-thin-skin dept.
theodp writes: To paraphrase the J. Geils Band, Maddie Zug's high school computer science homework is the centerfold. In a Washington Post op-ed, Zug, a student at the top-ranked Thomas Jefferson High School for Science and Technology, argues that a centerfold does not belong in the classroom. "I first saw a picture of Playboy magazine's Miss November 1972 a year ago as a junior at TJ," Zug explains. "My artificial intelligence teacher told our class to search Google for Lena Soderberg (not the full image, though!) and use her picture to test our latest coding assignment...Soderberg has a history with computer science. In the 1970s, male programmers at the University of Southern California needed to test their image-processing algorithm. They scanned what they had handy: the centerfold of a Playboy magazine. Before long, the image became a convention in industry and academia." (Wikipedia has a nice background, too.)
Spam

Want 30 Job Offers a Month? It's Not As Great As You Think 226

Posted by timothy
from the zippy-the-pinhead-is-always-hiring dept.
An anonymous reader writes: Software engineers suffer from a problem that most other industries wish they had: too much demand. There's a great story at the Atlantic entitled Imagine Getting 30 Job Offers a Month (It Isn't as Awesome as You Might Think). This is a problem that many engineers deal with: place your resume on a job board and proceed to be spammed multiple times per day for jobs in places that you would never go to (URGENT REQUIREMENT IN DETROIT!!!!!, etc). Google "recruiter spam" and there are many tales of engineers being overwhelmed by this. One engineer, fed up by a lack of a recruiting spam blackhole, set up NoRecruitingSpam.com with directions on how to stop this modern tech scourge. Have you been the victim of recruiting spam?
Mozilla

Mozilla Begins To Move Towards HTTPS-Only Web 320

Posted by Soulskill
from the driving-web-privacy dept.
jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
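How the two mechanisms named in the summary decide, inside the browser, that an http URL should be fetched over https, as an added JavaScript example (not Mozilla's or Firefox's code): an HSTS store that only learns policies delivered over https and honours includeSubDomains and max-age=0, plus a check for the upgrade-insecure-requests directive in the embedding page's Content-Security-Policy. The header parsing is simplified and there is no preload list or expiry bookkeeping; those are assumptions for illustration.

```javascript
// Added example: http -> https rewriting under HSTS and CSP
// upgrade-insecure-requests. Not browser code; simplified header handling,
// no preload list, no expiry tracking beyond max-age > 0 (assumptions).

// Parse a Strict-Transport-Security header value into a policy object.
function parseHsts(headerValue) {
  const policy = { maxAge: 0, includeSubDomains: false };
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim().toLowerCase();
    if (directive.startsWith('max-age=')) {
      policy.maxAge = parseInt(directive.slice('max-age='.length), 10) || 0;
    } else if (directive === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return policy;
}

// The browser's HSTS store: host -> policy, learned only from https responses.
function createHstsStore() {
  const hosts = new Map();
  return {
    learn(responseUrl, headerValue) {
      const u = new URL(responseUrl);
      if (u.protocol !== 'https:') return; // HSTS headers over plain http are ignored
      const policy = parseHsts(headerValue);
      if (policy.maxAge > 0) hosts.set(u.hostname, policy);
      else hosts.delete(u.hostname); // max-age=0 tells the browser to forget the host
    },
    // True if the host itself is known, or a parent domain is known with
    // includeSubDomains set.
    covers(hostname) {
      if (hosts.has(hostname)) return true;
      const labels = hostname.split('.');
      for (let i = 1; i < labels.length; i++) {
        const parent = hosts.get(labels.slice(i).join('.'));
        if (parent && parent.includeSubDomains) return true;
      }
      return false;
    },
  };
}

// True when the embedding page's CSP carries upgrade-insecure-requests.
function pageUpgradesRequests(cspHeader) {
  return cspHeader
    .split(';')
    .some((d) => d.trim().toLowerCase() === 'upgrade-insecure-requests');
}

// Decide which URL the browser actually fetches for a request made from a
// page served with `pageCsp`. Only http: URLs are candidates for rewriting.
function resolveUrl(requestUrl, hstsStore, pageCsp) {
  const u = new URL(requestUrl);
  if (u.protocol !== 'http:') return u.href;
  if (hstsStore.covers(u.hostname) || pageUpgradesRequests(pageCsp || '')) {
    u.protocol = 'https:'; // default port follows the scheme (80 -> 443)
  }
  return u.href;
}

// Walk-through with constructed hosts.
const store = createHstsStore();
store.learn('https://www.example.org/', 'max-age=31536000; includeSubDomains');
store.learn('http://insecure.example/', 'max-age=31536000'); // ignored: not https
console.log(resolveUrl('http://api.www.example.org/v1', store, ''));
console.log(resolveUrl('http://insecure.example/img.png', store, "default-src 'self'; upgrade-insecure-requests"));
```

The two paths differ in scope: HSTS is a per-host decision the browser remembers across pages once the host has been seen over https, while upgrade-insecure-requests is set by the page currently being rendered and rewrites that page's own requests whether or not the target host was ever seen before. Both leave the "http" URLs in the legacy markup untouched, which is what lets the plan keep the scheme for old content.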
Security

Once a Forgotten Child, OpenSSL's Future Now Looks Bright 76

Posted by samzenpus
from the shot-in-the-arm dept.
Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

"Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed," says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. "OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it." To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn't healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.
Education

White House Outsources K-12 CS Education To Infosys Charity 88

Posted by timothy
from the perhaps-someone-besides-mama-cass-is-getting-fat dept.
theodp writes: In December, the White House praised the leadership of Code.org for their efforts to get more computer science into K-12 schools, which were bankrolled by $20 million in philanthropic contributions from the likes of Google, Microsoft, Bill Gates, Steve Ballmer, and Mark Zuckerberg. On Monday, it was announced that Infosys Foundation USA will be partnering with Code.org to bring CS education to millions of U.S. students. Infosys Foundation USA Chair Vandana Sikka, who joins execs from Microsoft, Google, and Amazon on Code.org's Board, is the spouse of Infosys CEO Vishal Sikka. The announcement from the tax-deductible charity comes as India-based Infosys finds itself scrutinized by U.S. Senators over allegations of H-1B visa program abuses.
Google

Google Announces "Password Alert" To Protect Against Phishing Attacks 71

Posted by samzenpus
from the protect-ya-neck dept.
HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.
Advertising

How Google Searches Are Promoting Genocide Denial 216

Posted by Soulskill
from the revising-history-through-seo dept.
merbs writes: If you use Google Turkey to search for "Ermeni Kırımı", which means "Armenian genocide" in Turkish, the first thing you'll see is a sponsored link to a website whose purpose is to deny there was any genocide at all. If you Google "Armenia genocide" in the U.S., you'll see the same thing. FactCheckArmenia.com may reflect Turkey's longstanding position that the Ottoman Empire's systematic effort to "relocate" and exterminate its Armenian population does not qualify as a genocide, but it certainly does not reflect the facts. The sponsored link to a credible-looking website risks confusing searchers about the true nature of the event. Worse, it threatens to poison a nascent willingness among Turkish citizens to recognize and discuss the horrors of its past.
Cellphones

Meet the Firmware Lead For Google's Project Ara Modular Smartphone (Video) 25

Posted by Roblimo
from the build-it-one-piece-at-a-time dept.
According to Wikipedia, 'Project Ara is the codename for an initiative that aims to develop an open hardware platform for creating highly modular smartphones.' Google is the sponsor, and the project seems to be moving faster than some people expect it to. There's a Project Ara website, of course, a GitHub repository, a Facebook page, even an Ara subreddit. During his conversation with Timothy Lord, Ara firmware project lead (and spokesman) Marti Bolivar said it won't be long before prototype Ara modular phones start user testing. Meanwhile, if you want to see what Marti and his coworkers have been up to lately, besides this interview, you can read a transcription of his talk (including slides) from the January Project Ara Developers Conference in Singapore.
China

China's Tencent Launches Smart Hardware OS To Rival Alibaba 22

Posted by timothy
from the diversity-in-approach dept.
An anonymous reader writes: Chinese internet and media giant Tencent Holdings has today launched an operating system for mobile devices such as internet-connected phones, TVs, smartwatches and other IoT products. Tencent Operating System (OS) TOS+ is open to all developers and manufacturers free of charge should they agree to share their revenue – a framework similar to Google's popular Android mobile OS. The new Tencent OS offering, which provides voice recognition and mobile payment systems, will rival other home-grown operating systems looking to conquer the smart hardware arena with connected wearables, TVs and smart homeware technology. These competitors include smartphone maker Xiaomi and Asia's largest internet company Alibaba, which hopes to see its recently launched Yun OS eventually installed on tens of millions of smartphones. The Chinese systems for mobile and hardware products provide an alternative to Google's services, which constantly face challenges across the country due to strict censorship and licensing laws.
China

Alibaba Looks To Rural China To Popularize Its Mobile OS 20

Posted by samzenpus
from the taking-it-to-the-country dept.
itwbennett writes: E-commerce giant Alibaba Group hasn't given up on its YunOS mobile operating system, and is taking the software to China's rural markets through a series of low-cost phones, which will be built by lesser-known Chinese brands and will range from 299 yuan ($49) to 699 yuan. Slashdot readers may remember that in 2012, Google claimed it was a variant of its Android OS, sparking a clash that threatened to derail Alibaba's effort to popularize the mobile OS.
Privacy

Supreme Court To Consider Data Aggregation Suit Against Spokeo 62

Posted by samzenpus
from the getting-the-numbers-right dept.
BUL2294 writes: Consumerist and Associated Press are reporting that the Supreme Court has taken up the case of Spokeo, Inc. v. Robins — a case where Spokeo, as a data aggregator, faces legal liability and Fair Credit Reporting Act violations for providing information on Thomas Robins, an individual who has not suffered "a specific harm" directly attributable to the inaccurate data Spokeo collected on him.

From SCOTUSblog: "Robins, who filed a class-action lawsuit, claimed that Spokeo had provided flawed information about him, including that he had more education than he actually did, that he is married although he remains single, and that he was financially better off than he actually was. He said he was unemployed and looking for work, and contended that the inaccurate information would make it more difficult for him to get a job and to get credit and insurance." So, while not suffering a specific harm, the potential for harm based on inaccurate data exists. Companies such as Facebook and Google are closely watching this case, given the potential of billions of dollars of liability for selling inaccurate information on their customers and other people.
Google

Google Launches a Marketplace To Buy Patents From Interested Sellers 40

Posted by samzenpus
from the fighting-the-trolls dept.
An anonymous reader writes: Google has announced an experimental marketplace called the Patent Purchase Promotion, which aims to keep patents out of the hands of patent trolls. From the announcement: "By simplifying the process and having a concentrated submission window, we can focus our efforts into quickly evaluating patent assets and getting responses back to potential sellers quickly. Hopefully this will translate into better experiences for sellers, and remove the complications of working with entities such as patent trolls."