Security

Lock Out: the Austrian Hotel That Was Hacked Four Times (bbc.com) 35

AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.
Bitcoin

A Cryptocurrency Without a Blockchain Has Been Built To Outperform Bitcoin (technologyreview.com) 175

An anonymous reader quotes a report from MIT Technology Review: Bitcoin isn't the only cryptocurrency on a hot streak -- plenty of alternative currencies have enjoyed rallies alongside the Epic Bitcoin Bull Run of 2017. One of the most intriguing examples is also among the most obscure in the cryptocurrency world. Called IOTA, it has jumped in total value from just over $4 billion to more than $10 billion in a little over two weeks. But that isn't what makes it interesting. What makes it interesting is that it isn't based on a blockchain at all; it's something else entirely. The rally began in late November, after the IOTA Foundation, the German nonprofit behind the novel cryptocurrency, announced that it was teaming up with several major technology firms to develop a "decentralized data marketplace."

Though IOTA tokens can be used like any other cryptocurrency, the protocol was designed specifically for use on connected devices, says cofounder David Sonstebo. Organizations collect huge amounts of data from these gadgets, from weather tracking systems to sensors that monitor the performance of industrial machinery (a.k.a. the Internet of things). But nearly all of that information is wasted, sitting in siloed databases and not making money for its owners, says Sonstebo. IOTA's system can address this in two ways, he says. First, it can assure the integrity of this data by securing it in a tamper-proof decentralized ledger. Second, it enables fee-less transactions between the owners of the data and anyone who wants to buy it -- and there are plenty of companies that want to get their hands on data.
The report goes on to note that instead of using a blockchain, "IOTA uses a 'tangle,' which is based on a mathematical concept called a directed acyclic graph." The team decided to research this new alternative after deciding that blockchains are too costly. "Part of Sonstebo's issue with Bitcoin and other blockchain systems is that they rely on a distributed network of 'miners' to verify transactions," reports MIT Technology Review. "When a user issues a transaction [with IOTA], that individual also validates two randomly selected previous transactions, each of which refers to two other previous transactions, and so on. As new transactions mount, a 'tangled web of confirmation' grows, says Sonstebo."
America Online

PSA: AIM Will Be Discontinued Tomorrow (fortune.com) 104

Cutting_Crew writes: Along with Yahoo Messenger, MSN Messenger and ICQ, I used AIM extensively (without an AOL subscription of course). AIM will finally come to a halt on December 15th, 2017, as reported a few months ago and explained in AOL fashion over on their website. I remember using AIM to keep in touch with friends, co-workers and yes, even tried dating back in the day using the "looking for love" feature not only available to AOL subscribers but also extended to AIM users as well. Any memories you want to share? Speak now, or forever hold your peace.
Security

Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com) 31

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.
Security

Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com) 146

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
Open Source

Avast Launches Open-Source Decompiler For Machine Code (techspot.com) 105

Greg Synek reports via TechSpot: To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS. As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service.

Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software. For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software.

Software

T-Mobile Is Becoming a Cable Company (engadget.com) 92

T-Mobile has revealed that it's launching a TV service in 2018, and that it has acquired Layer3 TV (a company that integrates TV, streaming and social networking) to make this happen. The company thinks people are ditching cable due to the providers, not TV itself. Engadget reports: It claims that it can "uncarrier" TV the way it did with wireless service, and has already targeted a few areas it thinks it can fix: it doesn't like the years-long contracts, bloated bundles, outdated tech and poor customer service that are staples of TV service in the U.S. T-Mobile hasn't gone into detail about the functionality of the service yet. How will it be delivered? How much will it cost? Where will it be available? And will this affect the company's free Netflix offer? This is more a declaration of intent than a concrete roadmap, so it's far from certain that the company will live up to its promises. Ultimately, the move represents a big bet on T-Mobile's part: that people like TV and are cutting the cord based on a disdain for the companies, not the service. There's a degree of truth to that when many Americans are all too familiar with paying ever-increasing rates to get hundreds of channels they don't watch. However, there's no guarantee that it'll work in an era when many people (particularly younger people) are more likely to use Netflix, YouTube or a streaming TV service like Sling TV.
Robotics

Robots Are Being Used To Shoo Away Homeless People In San Francisco (qz.com) 413

An anonymous reader quotes a report from Quartz: San Francisco's Society for the Prevention of Cruelty to Animals (SPCA) has been ordered by the city to stop using a robot to patrol the sidewalks outside its office, the San Francisco Business Times reported Dec. 8. The robot, produced by Silicon Valley startup Knightscope, was used to ensure that homeless people didn't set up camps outside of the nonprofit's office. It autonomously patrols a set area using a combination of Lidar and other sensors, and can alert security services of potentially criminal activity.

In a particularly dystopian move, it seems that the San Francisco SPCA adorned the robot it was renting with stickers of cute kittens and puppies, according to Business Insider, as it was used to shoo away the homeless from near its office. San Francisco recently voted to cut down on the number of robots that roam the streets of the city, which has seen an influx of small delivery robots in recent years. The city said it would issue the SPCA a fine of $1,000 per day for illegally operating on a public right-of-way if it continued to use the security robot outside its premises, the San Francisco Business Times said.

AI

Google To Open AI Center In China Despite Search Ban (bbc.com) 38

An anonymous reader quotes a report from BBC: Google is deepening its push into artificial intelligence (AI) by opening a research center in China, even though its search services remain blocked in the country. Google said the facility would be the first of its kind in Asia and would aim to employ local talent. In a blog post on the company's website, Google said the new research center was an important part of its mission as an "AI first company." "Whether a breakthrough occurs in Silicon Valley, Beijing or anywhere else, [AI] has the potential to make everyone's life better for the entire world," said Fei-Fei Li, chief scientist at Google Cloud AI and Machine Learning. The research center, which joins similar facilities in London, New York, Toronto and Zurich, will be run by a small team from its existing office in Beijing. The tech giant operates two offices in China, with roughly half of its 600 employees working on global products, company spokesperson Taj Meadows told the AFP news agency. But Google's search engine and a number of other services are banned in China. The country has imposed increasingly strict rules on foreign companies over the past year, including new censorship restrictions.
Android

Andy Rubin's Essential Phone Considered Anything But (theregister.co.uk) 149

An anonymous reader shares a report: Andy Rubin's ambitions to create a new consumer electronics ecosystem are floundering at base camp. Sales of Essential's phone, which forms a key part of the strategy, are tepid. Google Play reports a mere 50,000 downloads of Essential's Camera app so far, the Android Police blog notes. This doesn't paint the full picture, but it can be assumed a fairly complete one, barring a few brush strokes. Essential launched in the US with support from Sprint, at a recommended SIM-free retail price of $699. After reported sales of just five thousand in the first month, this was slashed to $499 and could be grabbed for $399 in the post-Thanksgiving sales. As devices from different manufacturers proliferate in the home, Rubin has alluded to "a new operating system so it can speak all those protocols and it can do it securely and privately." But rather than launching a new software platform he's had to launch hardware.
AI

What Does Artificial Intelligence Actually Mean? (qz.com) 129

An anonymous reader writes: A new bill (pdf) drafted by Senator Maria Cantwell asks the Department of Commerce to establish a committee on artificial intelligence to advise the federal government on how AI should be implemented and regulated. Passage of the bill would trigger a process in which the Secretary of Commerce would be required to release guidelines for legislation of AI within a year and a half. As with any legislation, the proposed bill defines key terms. In this, we have a look at how the federal government might one day classify artificial intelligence. Here are the five definitions given:

A) Any artificial systems that perform tasks under varying and unpredictable circumstances, without significant human oversight, or that can learn from their experience and improve their performance. Such systems may be developed in computer software, physical hardware, or other contexts not yet contemplated. They may solve tasks requiring human-like perception, cognition, planning, learning, communication, or physical action. In general, the more human-like the system within the context of its tasks, the more it can be said to use artificial intelligence.
B) Systems that think like humans, such as cognitive architectures and neural networks.
C) Systems that act like humans, such as systems that can pass the Turing test or other comparable test via natural language processing, knowledge representation, automated reasoning, and learning.
D) A set of techniques, including machine learning, that seek to approximate some cognitive task.
E) Systems that act rationally, such as intelligent software agents and embodied robots that achieve goals via perception, planning, reasoning, learning, communicating, decision-making, and acting.

Businesses

Trump Signs Into Law US Government Ban on Kaspersky Lab Software (reuters.com) 138

President Donald Trump signed into law on Tuesday legislation that bans the use of Kaspersky Lab within the U.S. government, capping a months-long effort to purge the Moscow-based antivirus firm from federal agencies amid concerns it was vulnerable to Kremlin influence. From a report: The ban, included as part of a broader defense policy spending bill that Trump signed, reinforces a directive issued by the Trump administration in September that civilian agencies remove Kaspersky Lab software within 90 days. The law applies to both civilian and military networks. "The case against Kaspersky is well-documented and deeply concerning. This law is long overdue," said Democratic Senator Jeanne Shaheen, who led calls in Congress to scrub the software from government computers. She added that the company's software represented a "grave risk" to U.S. national security.
Twitter

Twitter Officially Launches 'Threads,' a New Feature For Easily Posting Tweetstorms (techcrunch.com) 46

New submitter FatdogHaiku writes: For those people that must use multiple tweets to rant (or educate) on Twitter, a feature called "Threads" is being rolled out to aid in creating "tweetstorms" (i.e. gang tweets). Given how tweetstorms are normally used, how about we call them twitphoons? TechCrunch explains just how easy to use the new threads feature is: "There's now a new plus ('+') button in the composer screen where you can type out your series of tweets. Each line represents one tweet, with a character limit of 280 as per usual. You can also add the same amount of media -- like GIFs, images, videos, and more -- to any individual tweet in the thread, as you could on Twitter directly. When you're finished with one tweet, you just tap in the space below to continue your thread. While writing out your tweetstorm, you can go back and edit the tweets at any time as they're still in draft format. When you're ready to post, you tap the 'Tweet all' button at the top to send the stream to Twitter. (Twitter will pace the tweets' posting a bit so they don't all hit at once.)"

"In addition, another handy feature allows you to go back and update a thread by adding new tweets after it already posted," adds TechCrunch. "To do so, you'll write out the new tweet after tapping the 'Add another Tweet' button. This lets you continue to update a thread forever -- something Twitter CEO Jack Dorsey already does with his own threads, for example. Twitter tells us there's currently a limit of 25 entries in a thread, but that number may be subject to change depending on how the feature is adopted by the wider user base."
IT

Tech Support Scammers Invade Spotify Forums To Rank in Search Engines (bleepingcomputer.com) 33

Tech support scammers have been aggressively posting on Spotify forums to inject their phone numbers in a bid to vastly improve their odds of showing up in Google and Bing search results, a new report claims. And that bet seems to be working. From the report: They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google. While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software. BleepingComputer was alerted to this problem by security researcher Cody Johnston, who started to see an alarming number of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to Spotify include Tinder, Linksys, AOL, Turbotax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.
Microsoft

Microsoft Releases Free Preview of Its Quantum Development Kit (zdnet.com) 31

Microsoft is releasing a free preview version of its Quantum Development Kit. "The kit includes the Q# programming language and compiler and a local quantum computing simulator, and is fully integrated with Visual Studio," reports ZDNet. "There's also an Azure-based simulator that allows developers to simulate more than 40 logical qubits of computing power, plus documentation libraries, and sample programs, officials said in their December 11 announcement." From the report: Quantum computers are designed to process in parallel, thus enabling new types of applications across a variety of workloads. They are designed to harness the physics of subatomic particles to provide a different way to store data and solve problems compared to conventional computers, as my ZDNet colleague Tony Baer explains. The result is that quantum computers could solve certain high-performance-computing problems more efficiently. Microsoft officials have said applications that developers create for use with the quantum simulator ultimately will work on a quantum computer, which Microsoft is in the process of developing. Microsoft's goal is to build out a full quantum computing system, including both the quantum computing hardware and the related full software stack.
AI

AI-Assisted Fake Porn Is Here and We're All Screwed (vice.com) 289

New submitter samleecole shares a report from Motherboard: There's a video of Gal Gadot having sex with her stepbrother on the internet. But it's not really Gadot's body, and it's barely her own face. It's an approximation, face-swapped to look like she's performing in an existing incest-themed porn video. The video was created with a machine learning algorithm, using easily accessible materials and open-source code that anyone with a working knowledge of deep learning algorithms could put together. It's not going to fool anyone who looks closely. Sometimes the face doesn't track correctly and there's an uncanny valley effect at play, but at a glance it seems believable. It's especially striking considering that it's allegedly the work of one person -- a Redditor who goes by the name 'deepfakes' -- not a big special effects studio that can digitally recreate a young Princess Leia in Rogue One using CGI. Instead, deepfakes uses open-source machine learning tools like TensorFlow, which Google makes freely available to researchers, graduate students, and anyone with an interest in machine learning. Anyone could do it, and that should make everyone nervous.
Music

Apple Buys Shazam To Boost Apple Music (bloomberg.com) 36

An anonymous reader quotes a report from Bloomberg: Apple agreed to acquire music-identification service Shazam, taking ownership of one of the first apps to demonstrate the power of the iPhone, recognizing songs after hearing just a few bars of a tune. Terms of the deal weren't disclosed, but a person familiar with the situation said Apple is paying about $400 million for the U.K.-based startup. That would be one of Apple's largest acquisitions ever, approaching the size of its 1996 purchase of Next Computer Inc., which brought co-founder Steve Jobs back to the company. That transaction would be worth more than $600 million in today's dollars. The Shazam app uses the microphone on a smartphone or computer to identify almost any song playing nearby, then points users to places they can listen to it in future, such as Apple Music or Google's YouTube.

"Apple Music and Shazam are a natural fit, sharing a passion for music discovery and delivering great music experiences to our users," Apple said in an emailed statement on Monday. "We have exciting plans in store, and we look forward to combining with Shazam upon approval of today's agreement. Since the launch of the App Store, Shazam has consistently ranked as one of the most popular apps for iOS," Apple also said. "Today, it's used by hundreds of millions of people around the world, across multiple platforms." The acquisition would help Apple embed that capability more deeply into its music offerings. The company's digital assistant Siri gained Shazam integration in 2014, so users could ask it what song is playing in the background.

Google

Google Releases Tool To Help iPhone Hackers (vice.com) 52

Lorenzo Franceschi-Bicchierai, writing for Motherboard: Google has released a powerful tool that can help security researchers hack and find bugs in iOS 11.1.2, a very recent version of the iPhone operating system. The exploit is the work of Ian Beer, one of the most prolific iOS bug hunters, and a member of Google Project Zero, which works to find bugs in all types of software, including that not made by Google. Beer released the tool Monday, which he says should work for "all devices." The proof of concept works only for those devices he tested -- iPhone 7, 6s and iPod touch 6G -- "but adding more support should be easy," he wrote. Last week, Beer caused a stir among the community of hackers who hack on the iPhone -- also traditionally known as jailbreakers -- by announcing that he was about to publish an exploit for iOS 11.1.2. Researchers reacted with excitement as they realized the tool would make jailbreaking and security research much easier.
HP

HP Laptops Found To Have Hidden Keylogger (bbc.com) 114

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models, BBC reported on Monday citing the findings of a security researcher. From the report: Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work. HP said more than 460 models of laptop were affected by the "potential security vulnerability." It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012. Mr Myng discovered the keylogger while inspecting Synaptics Touchpad software, to figure out how to control the keyboard backlight on an HP laptop. He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing. According to HP, it was originally built into the Synaptics software to help debug errors. It acknowledged that could lead to "loss of confidentiality" but it said neither Synaptics nor HP had access to customer data as a result of the flaw.
Debian

Does Systemd Make Linux Complex, Error-Prone, and Unstable? (ungleich.ch) 742

"Systemd developers split the community over a tiny detail that decreases stability significantly and increases complexity for not much real value." So argues Nico Schottelius, talking about his experiences as the CEO of a Swiss company providing VM hosting, datacenters, and high-speed fiber internet. Long-time Slashdot reader walterbyrd quotes Nico's essay: While I am writing here in flowery words, the reason to use Devuan is hard calculated costs. We are a small team at ungleich and we simply don't have the time to fix problems caused by systemd on a daily basis. This is even without calculating the security risks that come with systemd. Our objective is to create a great, easy-to-use platform for VM hosting, not to walk a tightrope...

[W]hat the Devuan developers are doing is creating stability. Think about it not in a few repeating systemd bugs or about the insecurity caused by a huge, monolithic piece of software running with root privileges. Why do people favor Linux on servers over Windows? It is very easy: people don't use Windows, because it is too complex, too error prone and not suitable as a stable basis. Read it again. This is exactly what systemd introduces into Linux: error prone complexity and instability. With systemd the main advantage to using Linux is obsolete.

The essay argues that while Devuan foisted another choice into the community, "it is not their fault. Creating Devuan is simply a counteraction to ensure Linux stays stable, which is of high importance for a lot of people."