Networking

New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata (helpnetsecurity.com) 21

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up a smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."
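The three steps the researchers describe, separating a capture into per-device streams, plotting send/receive rates, and reading device state off the rate curve, as an added example that is not part of the article or of the Princeton paper's own tooling. It runs on a constructed packet capture holding only timestamps, addresses and sizes, the same metadata a passive observer sees through encryption. The subnet, the address-to-device mapping and the cloud endpoints are assumptions, and the detection rule (upload rate above five times the idle median) is a simple stand-in for the manual plot inspection the paper describes:

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

LAN = ip_network("192.168.1.0/24")                              # assumed home subnet behind the tap
DEVICES = {"192.168.1.20": "camera", "192.168.1.30": "outlet"}  # hypothetical address-to-device mapping
CLOUD_A = "203.0.113.10"                                        # hypothetical camera cloud endpoint
CLOUD_B = "198.51.100.7"                                        # hypothetical outlet cloud endpoint
DURATION_S = 30


def build_sample_capture():
    """Constructed capture as (time_s, src_ip, dst_ip, length_bytes) tuples. Payloads are
    absent on purpose: only sizes and timing are used, as with encrypted traffic."""
    pkts = []
    for t in range(DURATION_S):
        # Camera idle: one 120-byte keepalive out and a 60-byte reply back every second.
        pkts.append((t, "192.168.1.20", CLOUD_A, 120))
        pkts.append((t + 0.1, CLOUD_A, "192.168.1.20", 60))
        # Seconds 10-19: the camera uploads video (20 x 1200-byte packets per second).
        if 10 <= t < 20:
            for i in range(20):
                pkts.append((t + i / 20, "192.168.1.20", CLOUD_A, 1200))
        # Outlet idle: a 64-byte heartbeat each way every second...
        pkts.append((t, "192.168.1.30", CLOUD_B, 64))
        pkts.append((t + 0.2, CLOUD_B, "192.168.1.30", 64))
        # ...and a short burst at second 25 when the outlet is switched.
        if t == 25:
            for i in range(3):
                pkts.append((t + 0.3 + i / 10, "192.168.1.30", CLOUD_B, 200))
    return pkts


def split_streams(packets):
    """Step 1: group packets into streams keyed by (device, remote endpoint)."""
    streams = defaultdict(list)
    for t, src, dst, length in packets:
        if ip_address(src) in LAN:
            streams[(DEVICES.get(src, src), dst)].append((t, "out", length))
        elif ip_address(dst) in LAN:
            streams[(DEVICES.get(dst, dst), src)].append((t, "in", length))
    return streams


def rate_series(stream, duration_s=DURATION_S, bin_s=1.0):
    """Step 2: bytes sent and received per time bin, i.e. the send/receive rate plot."""
    bins = [[0, 0] for _ in range(int(duration_s / bin_s))]
    for t, direction, length in stream:
        idx = int(t // bin_s)
        if idx < len(bins):
            bins[idx][0 if direction == "out" else 1] += length
    return bins


def infer_activity(bins, baseline_bins=5, factor=5.0):
    """Step 3: flag bins whose upload rate exceeds factor x the idle baseline (median of
    the first baseline_bins bins). The flagged bins are the visible device state changes."""
    baseline = median(sent for sent, _ in bins[:baseline_bins]) or 1
    return [i for i, (sent, _) in enumerate(bins) if sent > factor * baseline]


if __name__ == "__main__":
    for key, stream in split_streams(build_sample_capture()).items():
        print(key, "active during seconds", infer_activity(rate_series(stream)))
```

On this capture the camera stream lights up for seconds 10 through 19 and the outlet stream for second 25, with nothing decrypted; that is the whole finding. Padding or shaping traffic to a constant rate is what defeats the inference, and it costs bandwidth, which is why few devices do it.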
Bug

Wormable Code-Execution Bug Lurked In Samba For 7 Years (arstechnica.com) 80

Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba versions 3.5.0 onwards." Ars Technica reports: Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restarting the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an announcement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the WannaCry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."
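A way to verify and apply the interim workaround, as an added example rather than anything from Samba, Rapid7 or the article. It parses smb.conf in the INI style Samba uses, checks that nt pipe support is explicitly turned off in [global] (it is a global parameter and its default is yes, so an absent line means no protection), and can insert the line idempotently. The two configuration files are constructed samples; Samba's own loader matches parameter names ignoring case and whitespace, which the check mirrors, and the daemon still has to be restarted for the change to take effect:

```python
import re

# Constructed smb.conf samples (not taken from any real host).
VULNERABLE_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = file server

[share]
    path = /srv/share
    writable = yes
"""

MITIGATED_CONF = """\
[global]
    workgroup = WORKGROUP
    # interim workaround from the advisory; remove once a patched build is installed
    NT Pipe Support = no

[share]
    path = /srv/share
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_PARAM = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")
WORKAROUND_LINE = "    nt pipe support = no"


def normalise(name):
    """Samba matches parameter names ignoring case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}. Comment lines start with '#' or ';'.
    If a key repeats inside a section this parser keeps the last occurrence."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = _PARAM.match(line)
        if m and current is not None:
            sections[current][normalise(m.group("key"))] = m.group("value")
    return sections


def pipe_support_disabled(text):
    """True only if [global] explicitly turns nt pipe support off. Samba's default is yes,
    so an absent parameter means the workaround is NOT in place."""
    value = parse_smb_conf(text).get("global", {}).get("ntpipesupport")
    return value is not None and value.strip().lower() in {"no", "false", "0"}


def apply_workaround(text):
    """Return the config with nt pipe support = no set in [global] (section created if
    absent) and any earlier setting of the parameter in [global] removed, so the result
    is unambiguous. Running it on an already-mitigated file changes nothing material."""
    out, in_global, inserted = [], False, False
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            in_global = m.group("name").strip().lower() == "global"
            out.append(line)
            if in_global and not inserted:
                out.append(WORKAROUND_LINE)
                inserted = True
            continue
        stripped = line.strip()
        p = _PARAM.match(stripped) if stripped and stripped[0] not in "#;" else None
        if in_global and p and normalise(p.group("key")) == "ntpipesupport":
            continue  # drop the old setting; the inserted line replaces it
        out.append(line)
    if not inserted:
        out = ["[global]", WORKAROUND_LINE, ""] + out
    return "\n".join(out) + "\n"
```

Check the effective configuration after the restart rather than the file alone, since includes and overrides can change what smbd actually loads: `testparm -s -v` prints every parameter with its current value. The workaround is a stopgap, not a fix; hosts still showing up as running affected versions, and above all the 92,500 unsupported ones, need a patched build or to be taken off the network.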
Security

Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com) 107

A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.
Facebook

How Facebook Flouts Holocaust Denial Laws Except Where It Fears Being Sued (theguardian.com) 308

An anonymous reader quotes a report from The Guardian: Facebook's policies on Holocaust denial will come under fresh scrutiny following the leak of documents that show moderators are being told not to remove this content in most of the countries where it is illegal. The files explain that moderators should take down Holocaust denial material in only four of the 14 countries where it is outlawed. One document says the company "does not welcome local law that stands as an obstacle to an open and connected world" and will only consider blocking or hiding Holocaust denial messages and photographs if "we face the risk of getting blocked in a country or a legal risk." A picture of a concentration camp with the caption "Never again Believe the Lies" was permissible if posted anywhere other than the four countries in which Facebook fears legal action, one document explains. Facebook contested the figures but declined to elaborate. Documents show Facebook has told moderators to remove dehumanizing speech or any "calls for violence" against refugees. Content "that says migrants should face a firing squad or compares them to animals, criminals or filth" also violate its guidelines. But it adds: "As a quasi-protected category, they will not have the full protections of our hate speech policy because we want to allow people to have broad discussions on migrants and immigration which is a hot topic in upcoming elections." The definitions are set out in training manuals provided by Facebook to the teams of moderators who review material that has been flagged by users of the social media service. The documents explain the rules and guidelines the company applies to hate speech and "locally illegal content," with particular reference to Holocaust denial. One 16-page training manual explains Facebook will only hide or remove Holocaust denial content in four countries -- France, Germany, Israel and Austria. The document says this is not on grounds of taste, but because the company fears it might get sued.
Cellphones

Republicans Want To Leave You Voicemail -- Without Ever Ringing Your Cellphone (recode.net) 442

bricko quotes a report from Recode: The GOP's leading campaign and fundraising arm, the Republican National Committee, has quietly thrown its support behind a proposal at the Federal Communications Commission that would pave the way for marketers to auto-dial consumers' cellphones and leave them prerecorded voicemail messages -- all without ever causing their devices to ring. Under current federal law, telemarketers and others, like political groups, aren't allowed to launch robocall campaigns targeting cellphones unless they first obtain a consumer's written consent. But businesses stress that it's a different story when it comes to "ringless voicemail" -- because it technically doesn't qualify as a phone call in the first place. In their eyes, that means they shouldn't need a customer or voter's permission if they want to auto-dial mobile voicemail inboxes in bulk with pre-made messages about a political candidate, product or cause. And they want the FCC to rule, once and for all, that they're in the clear. Their argument, however, has drawn immense opposition from consumer advocates.
Advertising

Google Following Your Offline Credit Card Spending To Tell Advertisers If Their Ads Work (consumerist.com) 147

One of the new tools Google has announced for its advertisers today promises to tie your offline credit card data together with all your online viewing to tell advertisers exactly what's working as they try to target you and your wallet. Consumerist reports: That return, for decades, was hard to measure in all but the most vaguely correlative of ways. Did people buy your product after seeing your TV ad? After seeing your billboard? On a whim after seeing neither? Who knows! But in the age of highly targeted, algorithmic advertising, the landscape is completely different. The apps on your phone know what you looked at and when, and can tie that in to what you see on other devices you're also logged into their services on (like your work computer). Meanwhile, you're leaving tracks out in the physical world -- not only the location history of your phone, but also the trail of payments you leave behind you if you pay with a credit card, debit card, or app (as millions of us do). Google also introduced some offline measurements to its online tool suite back in 2014, when it started using phone location data to try to match store visit location data to digital ad views. But a store doesn't make any money when you simply walk into it; you need to buy something. So Google's tracking that very granularly now, too. "In the coming months, we'll be rolling out store sales measurement at the device and campaign levels. This will allow you to measure in-store revenue in addition to the store visits delivered by your Search and Shopping ads," Google explains to advertisers. That's very literally a collection of spending data matched to the people who spent it, matched in turn to people who saw ads.
Programming

Java Creator James Gosling Joins Amazon Web Services (geekwire.com) 90

The legendary computer scientist and creator of Java, James Gosling, is joining forces with Amazon Web Services. Gosling made the announcement today on Facebook saying that he's "starting a new Adventure" with the cloud computing juggernaut as a Distinguished Engineer. GeekWire reports: Gosling wrote Java, one of the most widely used programming languages in the history of computing, while at Sun Microsystems in the early 1990s. After leaving Sun following its acquisition by Oracle, Gosling did a short stint at Google before settling in for almost six years at Liquid Robotics, which is working on an autonomous boat called the Wave Glider. He likely ruffled a few feathers in Seattle last year after speaking out about fears of cloud vendor lock-in. "You get cloud providers like Amazon saying: 'Take your applications and move them to the cloud.' But as soon as you start using them you're stuck in that particular cloud," he said at IP Expo according to The Inquirer, echoing the sentiment of some skeptical IT organizations burned by enterprise vendors in the past.
Networking

Netgear Adds Support For "Collecting Analytics Data" To Popular R7000 Router 110

An anonymous reader writes: Netgear's latest firmware update for the R7000 includes new support for collecting analytics data. The update release notes include this caution:

NOTE: It is strongly recommended that after the firmware is updated to this version, log back in to the router's web GUI and configure the settings for this feature.

A Netgear knowledge base article, updated last week, states that Netgear collects information including IP addresses, MAC addresses, certain WiFi information, and information about connected devices.

AI

The Working Dead: Which IT Jobs Are Bound For Extinction? (infoworld.com) 580

Slashdot reader snydeq shares an InfoWorld article identifying "The Working Dead: IT Jobs Bound For Extinction." Here are some of its predictions.
  • The president of one job leadership consultancy argues C and C++ coders will soon be as obsolete as Cobol programmers. "The entire world has gone to Java or .Net. You still find C++ coders in financial companies because their systems are built on that, but they're disappearing."
  • A data scientist at Stack Overflow "says demand for PHP, WordPress, and LAMP skills are seeing a steady decline, while newer frameworks and languages like React, Angular, and Scala are on the rise."
  • The CEO and co-founder of an anonymous virtual private network service says "The rise of Azure and the Linux takeover has put most Windows admins out of work. Many of my old colleagues have had to retrain for Linux or go into something else entirely."
  • In addition, "Thanks to the massive migration to the cloud, listings for jobs that involve maintaining IT infrastructure, like network engineer or system administrator, are trending downward, notes Terence Chiu, vice president of careers site Indeed Prime."
  • The CTO of the job site Ladders adds that Smalltalk, Flex, and Pascal "quickly went from being popular to being only useful for maintaining older systems. Engineers and programmers need to continually learn new languages, or they'll find themselves maintaining systems instead of creating new products."
  • The president of Dice.com says "Right now, Java and Python are really hot. In five years they may not be... jobs are changing all the time, and that's a real pain point for tech professionals."

But the regional dean of Northeastern University-Silicon Valley has the glummest prediction of all. "If I were to look at a crystal ball, I don't think the world's going to need as many coders after 2020. Ninety percent of coding is taking some business specs and translating them into computer logic. That's really ripe for machine learning and low-end AI."


China

A Tip for Apple in China: Your Hunger for Revenue May Cost You (wsj.com) 57

Li Yuan, writing for the WSJ: Apple's latest predicament centers on its App Store. Last month, Apple told several Chinese social-networking apps, including the wildly popular messaging platform WeChat, to disable their "tip" functions to comply with App Store rules (Editor's note: the link could be paywalled; alternative source), according to executives at WeChat and other companies. That function allows users to send authors and other content creators tips, from a few yuan to hundreds, via transfers from mobile-wallet accounts. Those transfers are offered by the social-networking apps free of charge, as a way to inspire user engagement. Now, those tips will be considered in-app purchases, just like buying games, music and videos, entitling Apple to a 30% cut. For Apple, which has been observing slowing growth in mature markets, China is increasingly becoming important. But the company's my-way-or-the-highway approach might hurt its image in China. And that image, as well as the fortunes of local companies, is what the Chinese authorities deeply care about. As Yuan adds, "while it's understandable that Apple wants to tap the App Store for more money, its pressure on the app platforms risks alienating powerful Chinese companies, turning off Chinese iPhone users and drawing unnecessary attention from the regulators." Executives of these messaging apps tell WSJ that Apple has threatened that it would kick their apps out of the App Store if they don't comply. The problem is, WeChat is way more popular in China than Apple -- or its iPhones or its services or both combined, analysts say. WeChat is insanely popular in China, and people love to use the app to pay for things they purchase and send money to friends. Apple's greed could end up resulting in millions of new Android users, analysts said.
Republicans

The Republican Push To Repeal Net Neutrality Will Get Underway This Week (washingtonpost.com) 141

An anonymous reader quotes a report from Washington Post: Federal regulators will move to roll back one of the Obama administration's signature Internet policies this week, launching a process to repeal the government's net neutrality rules that currently regulate how Internet providers may treat websites and their own customers. The vote on Thursday, led by Federal Communications Commission Chairman Ajit Pai, will kick off consideration of a proposal to relax regulations on companies such as Comcast and AT&T. If approved by the 2-1 Republican-majority commission, it will be a significant step for the broadband industry as it seeks more leeway under government rules to develop new business models. For consumer advocates and tech companies, it will be a setback; those groups argue that looser regulations won't prevent those business models from harming Internet users and website owners. The current rules force Internet providers to behave much like their cousins in the legacy telephone business. Under the FCC's net neutrality policy, providers cannot block or slow down consumers' Internet traffic, or charge websites a fee in order to be displayed on consumers' screens. The net neutrality rules also empower the FCC to investigate ISP practices that risk harming competition. Internet providers have chafed at the stricter rules governing phone service, which they say were written for a bygone era. Pai's effort to roll back the rules has led to a highly politicized debate. Underlying it is a complex policy decision with major implications for the future of the Web.
Security

Access Codes For United Cockpit Doors Accidentally Posted Online (techcrunch.com) 109

According to the Wall Street Journal, the access codes to United's cockpit doors were accidentally posted on a public website by a flight attendant. "[United Continental Holdings], which owns United Airlines and United Express, asked pilots to follow security procedures already in use, including visually confirming someone's identity before they are allowed onto the flight deck even if they enter the correct security code into the cockpit door's keypad," reports TechCrunch. From the report: The Air Line Pilots Association, a union that represents 55,000 pilots in the U.S. and Canada, told the WSJ on Sunday that the problem had been fixed. The notable thing about this security breach is that it was caused by human error, not a hack, and illustrates how vulnerable cockpits are to intruders despite existing safety procedures. The Air Line Pilots Association has advocated for secondary barriers made from mesh or steel cables to be installed on cockpit doors to make them harder to break into, but airlines have said that they aren't necessary.
Australia

How Australia Bungled Its $36 Billion High-Speed Internet Rollout (nytimes.com) 149

Not very pleased with your internet speeds? Think about the people Down Under. Australia's "bungled" National Broadband Network (NBN) has been used as a "cautionary tale" for other countries to take note of. Despite the massive amount of money being pumped into the NBN, the New York Times reports, the internet speeds still lagged behind the US, most of western Europe, Japan and South Korea -- even Kenya. The article highlights that Australia was the first country where a national plan to cover every house or business was considered and this ambitious plan was hampered by changes in government and a slow rollout (Editor's note: the link could be paywalled; alternative source), partly because of negotiations with Telstra about the fibre installation. From the report: Australia, a wealthy nation with a widely envied quality of life, lags in one essential area of modern life: its internet speed. Eight years after the country began an unprecedented broadband modernization effort that will cost at least 49 billion Australian dollars, or $36 billion, its average internet speed lags that of the United States, most of Western Europe, Japan and South Korea. In the most recent ranking of internet speeds by Akamai, a networking company, Australia came in at an embarrassing No. 51, trailing developing economies like Thailand and Kenya. For many here, slow broadband connections are a source of frustration and an inspiration for gallows humor. One parody video ponders what would happen if an American with a passion for Instagram and streaming "Scandal" were to switch places with an Australian resigned to taking bathroom breaks as her shows buffer. The article shares this anecdote: "Hundreds of thousands of people from around the world have downloaded Hand of Fate, an action video game made by a studio in Brisbane, Defiant Development. But when Defiant worked with an audio designer in Melbourne, more than 1,000 miles away, Mr. Jaffit knew it would be quicker to send a hard drive by road than to upload the files, which could take several days."
Television

HBO's 'Silicon Valley' Joins The Push For A Decentralized Web (ieee.org) 115

Tekla Perry writes: HBO's fictional Silicon Valley character Richard Hendricks sets out to reinvent the Internet into something decentralized. ["What if we used all those phones to build a massive network...we could build a completely decentralized version of our current Internet with no firewalls, no tolls, no government regulation, no spying. Information would be totally free in every sense of the word."] That sounds a lot like what Brewster Kahle, Tim Berners-Lee, and Vint Cerf have been calling the decentralized web. Kahle tells IEEE Spectrum about how closely HBO's vision matches his own, and why he's happy to have this light shined on the movement.
In 2015 Kahle pointed out the current web isn't private. "People, corporations, countries can spy on what you are reading. And they do." But in a decentralized web, "the bits will be distributed -- across the net -- so no one can track the readers of a site from a single point or connection."

He tells IEEE Spectrum that though the idea is hard to execute, a lot of people are already working on it. "I recently talked to a couple of engineers working for Mozilla, and brought up the idea of decentralizing the web. They said, 'Oh, we have a group working on that, are you thinking about that as well?'"
The Internet

Cable Lobby Survey Backfires; Most Americans Support Net Neutrality (consumerist.com) 119

New submitter Rick Schumann writes from a report via Consumerist: The NCTA hired polling firm Morning Consult to survey people about their attitudes toward net neutrality. In the results and a blog post about the survey, the organization crows that clearly, everyone thinks regulation is bad. Here's the "TL;DR" version: The NCTA claims Americans want "light touch" regulation of the "internet," but did not ask about regulation of internet service providers. The survey claims most voters believe regulation will harm innovation and investment, but their own numbers show that just as many people believe it won't. Most people don't believe the internet should be regulated like a "public utility," which is good because that's not what net neutrality does. When people were asked their feelings about what neutrality actually does, they overwhelmingly support it.
Government

Trump Signs Executive Order On Cybersecurity (techcrunch.com) 173

President Trump on Thursday signed a long-delayed executive order on cybersecurity that "makes clear that agency heads will be held accountable for protecting their networks, and calls on government and industry to reduce the threat from automated attacks on the internet," reports The Washington Post. From the report: Picking up on themes advanced by the Obama administration, Trump's order also requires agency heads to use Commerce Department guidelines to manage risk to their systems. It commissions reports to assess the country's ability to withstand an attack on the electric grid and to spell out the strategic options for deterring adversaries in cyberspace. [Thomas Bossert, Trump's homeland security adviser] said the order was not, however, prompted by Russia's targeting of electoral systems last year. In fact, the order is silent on addressing the security of electoral systems or cyber-enabled operations to influence elections, which became a significant area of concern during last year's presidential campaign. The Department of Homeland Security in January declared election systems "critical infrastructure." The executive order also does not address offensive cyber operations, which are generally classified. This is an area in which the Trump administration is expected to be more forward-leaning than its predecessor. Nor does it spell out what type of cyberattack would constitute an "act of war" or what response the attack would invite. "We're not going to draw a red line," Bossert said, adding that the White House does not "want to telegraph our punches." The order places the defense secretary and the head of the intelligence community in charge of protecting "national security" systems that operate classified and military networks. But the secretary of homeland security will continue to be at the center of the national plan for protecting critical infrastructure, such as the electric grid and financial sector.
Facebook

Facebook Must Delete Hate Postings Worldwide, Rules Austrian Court (reuters.com) 364

An Austrian court has ruled that Facebook must delete hate speech postings worldwide. "The case -- brought by Austria's Green party over insults to its leader -- has international ramifications as the court ruled the postings must be deleted across the platform and not just in Austria, a point that had been left open in an initial ruling," reports Reuters. From the report: The case comes as legislators around Europe are considering ways of forcing Facebook, Google, Twitter and others to rapidly remove hate speech or incitement to violence. Facebook's lawyers in Vienna declined to comment on the ruling, which was distributed by the Greens and confirmed by a court spokesman, and Facebook did not immediately reply to a request for comment. Strengthening the earlier ruling, the Viennese appeals court ruled on Friday that Facebook must remove the postings against Greens leader Eva Glawischnig as well as any verbatim repostings, and said merely blocking them in Austria without deleting them for users abroad was not sufficient. The court added it was easy for Facebook to automate this process. It said, however, that Facebook could not be expected to trawl through content to find posts that are similar, rather than identical, to ones already identified as hate speech. The Greens hope to get the ruling strengthened further at Austria's highest court. They want the court to demand Facebook remove similar - not only identical - postings, and to make it identify holders of fake accounts. The Greens also want Facebook to pay damages, which would make it easier for individuals in similar cases to take the financial risk of taking legal action.
Bitcoin

ISPs Could Take Down Large Parts of Bitcoin Ecosystem If They Wanted To (bleepingcomputer.com) 72

An anonymous reader writes: A rogue ISP could take down large parts of the Bitcoin ecosystem, according to new research that will be presented in two weeks at the 38th IEEE Symposium on Security and Privacy in San Jose, USA. According to the researchers, there are two attack scenarios, partition attacks and delay attacks, that could be leveraged via BGP hijacks to cripple the Bitcoin ecosystem, with effects including hijacking mining proceeds, enabling double-spending, and delaying transactions. Both attacks are possible because the Bitcoin ecosystem isn't as decentralized as most people think, and it still runs on a small number of ISPs. For example, 13 ISPs host 30% of the entire Bitcoin network, 39 ISPs host 50% of the whole Bitcoin mining power, and 3 ISPs handle 60% of all Bitcoin traffic. Currently, researchers found that around 100 Bitcoin nodes are the victims of BGP hijacks each month.
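The two measurements behind the numbers above, how much of the node population a handful of ASes hosts and which nodes a BGP hijack would divert, as an added example that is not the researchers' code. The routing table, the attacker AS and the node addresses are constructed (documentation prefixes and private ASNs); the hijacked snapshot shows both ways a hijacker wins, a more-specific prefix, which beats the legitimate route by longest-prefix match regardless of anyone's policy, and a re-origination of an existing prefix:

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed routing snapshot as (prefix, origin AS). Documentation prefixes and
# private ASNs; no real operator is implied.
BASE_ROUTES = [
    ("203.0.113.0/25", 64500),
    ("203.0.113.128/25", 64504),
    ("198.51.100.0/24", 64501),
    ("192.0.2.0/24", 64502),
]

# The same table after a hypothetical attacker, AS64666, announces a more-specific
# prefix for part of AS64500's space and re-originates AS64502's prefix outright.
HIJACKED_ROUTES = BASE_ROUTES[:3] + [
    ("203.0.113.0/26", 64666),
    ("192.0.2.0/24", 64666),
]

# Constructed Bitcoin node addresses, as a crawl of reachable peers might return them.
NODES = [
    "203.0.113.5", "203.0.113.10", "203.0.113.20", "203.0.113.100",  # AS64500
    "198.51.100.7", "198.51.100.8", "198.51.100.9",                   # AS64501
    "192.0.2.15", "192.0.2.16",                                       # AS64502
    "203.0.113.200",                                                  # AS64504
]


def origin_for(ip, routes):
    """Longest-prefix match: return (network, origin_asn) for ip, or None if unrouted."""
    addr = ip_address(ip)
    best = None
    for prefix, asn in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best


def as_concentration(nodes, routes):
    """How many nodes each origin AS hosts."""
    return Counter(origin_for(ip, routes)[1] for ip in nodes)


def top_share(counter, k):
    """Fraction of all nodes hosted by the k largest ASes ('13 ISPs host 30%' style)."""
    total = sum(counter.values())
    return sum(count for _, count in counter.most_common(k)) / total


def detect_hijacks(nodes, before, after):
    """Nodes whose origin AS differs between two snapshots, labelled by how the attacker
    won: a more-specific prefix (longest match beats the legitimate route) or
    re-origination of the same prefix."""
    findings = []
    for ip in nodes:
        old, new = origin_for(ip, before), origin_for(ip, after)
        if old is None or new is None or old[1] == new[1]:
            continue
        kind = "more-specific" if new[0].prefixlen > old[0].prefixlen else "origin-change"
        findings.append((ip, old[1], new[1], kind))
    return findings


def share_diverted(findings, nodes):
    """Fraction of the node population whose traffic now transits the hijacker, i.e. the
    size of the partition the attacker can isolate or delay."""
    return len(findings) / len(nodes)


if __name__ == "__main__":
    c = as_concentration(NODES, BASE_ROUTES)
    print("top 2 ASes host", top_share(c, 2))
    for finding in detect_hijacks(NODES, BASE_ROUTES, HIJACKED_ROUTES):
        print(finding)
```

Run against public route-collector data instead of the constructed table, detect_hijacks is the monitoring an operator would do for their own prefixes; the more-specific case is the one to watch, because it needs no cooperation from any neighbour's policy. At the application level, a node whose peers are spread across many ASes is harder to partition, which is exactly the property the concentration figures quoted above say the network lacks.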
Government

Oracle And Cisco Both Support The FCC's Rollback Of Net Neutrality (thehill.com) 136

An anonymous reader quotes The Hill: Oracle voiced support on Friday for FCC Chairman Ajit Pai's controversial plan to roll back the agency's net neutrality rules. In a letter addressed to the FCC, the company played up its "perspective as a Silicon Valley technology company," hammering the debate over the rules as a "highly political hyperbolic battle," that is "removed from technical, economic, and consumer reality"... Oracle wrote in their letter [PDF] that they believe Pai's plan to remove broadband providers from the FCC's regulatory jurisdiction "will eliminate unnecessary burdens on, and competitive imbalances for, ISPs [internet service providers] while enhancing the consumer experience and driving investment"... Other companies in support of Pai's plan, like AT&T and Verizon, have made the argument that the rules stifled investment in the telecommunications sector, specifically in broadband infrastructure.
Cisco has also argued that strict net neutrality laws on ISPs "restrict their ability to use innovative network management technology, provide appropriate levels of quality of service, and deliver new features and services to meet evolving consumer needs. Cisco believes that allowing the development of differentiated broadband products, with different service and content offerings, will enhance the broadband market for consumers."
Security

WikiLeaks Reveals A CIA LAN-Attacking Tool From 'Vault 7' (betanews.com) 52

An anonymous reader quotes BetaNews: WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes -- previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use -- or, indeed, if it has actually ever been used -- but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.

The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."

HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."
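One defensive counterpart to the redirection the manual describes, as an added example that is not from the leaked documents or from any Slashdot post. The documents quoted here do not say how Archimedes gets a host's traffic to pass through the attacker's machine; on a LAN the usual way is ARP cache poisoning, so this detector replays a constructed ARP reply log and flags (a) an IP whose MAC changes and (b) one MAC answering for both the gateway and another host, which is what a full-duplex man-in-the-middle looks like from a span port. The gateway address, MACs and timings are assumptions:

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed LAN default gateway

# Constructed ARP reply log as (time_s, sender_ip, sender_mac, target_ip); not a real capture.
SAMPLE_ARP = [
    (0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01", "192.168.1.50"),  # real gateway answers the target host
    (0.5, "192.168.1.50", "bb:bb:bb:bb:bb:50", "192.168.1.1"),   # target host answers the gateway
    (1.0, "192.168.1.77", "cc:cc:cc:cc:cc:77", "192.168.1.1"),   # unrelated host, benign
    (5.0, "192.168.1.1",  "dd:dd:dd:dd:dd:ee", "192.168.1.50"),  # attacker claims the gateway IP to the target...
    (5.1, "192.168.1.50", "dd:dd:dd:dd:dd:ee", "192.168.1.1"),   # ...and the target's IP to the gateway
    (7.0, "192.168.1.1",  "dd:dd:dd:dd:dd:ee", "192.168.1.50"),  # periodic re-poisoning keeps caches stale
]


def analyse_arp(replies, gateway_ip=GATEWAY_IP):
    """Replay ARP replies and return (time, kind, subject, detail) alerts.

    ip-mac-change:    an IP is now claimed by a MAC other than the one(s) seen before
    gateway-and-host: one MAC claims the gateway IP and at least one other host IP,
                      the signature of a box sitting between a host and the gateway
    """
    ip_to_macs = defaultdict(set)   # every MAC that has claimed each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for t, sender_ip, sender_mac, _target_ip in replies:
        if ip_to_macs[sender_ip] and sender_mac not in ip_to_macs[sender_ip]:
            alerts.append((t, "ip-mac-change", sender_ip, sender_mac))
        ip_to_macs[sender_ip].add(sender_mac)
        newly_claimed = sender_ip not in mac_to_ips[sender_mac]
        mac_to_ips[sender_mac].add(sender_ip)
        claimed = mac_to_ips[sender_mac]
        # Alert once per new IP the MAC takes on, not on every re-poisoning packet.
        if newly_claimed and gateway_ip in claimed and len(claimed) > 1:
            alerts.append((t, "gateway-and-host", sender_mac, tuple(sorted(claimed))))
    return alerts


def mitm_suspects(alerts):
    """MACs that produced a gateway-and-host alert, i.e. the likely attacker interface."""
    return sorted({subject for _, kind, subject, _ in alerts if kind == "gateway-and-host"})


if __name__ == "__main__":
    for alert in analyse_arp(SAMPLE_ARP):
        print(alert)
    print("suspects:", mitm_suspects(analyse_arp(SAMPLE_ARP)))
```

ip-mac-change on its own is noisy (a replaced NIC, or DHCP handing an address to a different machine, trips it), so gateway-and-host is the signal to page on. Static ARP entries for the gateway on sensitive hosts and Dynamic ARP Inspection on managed switches stop the poisoning itself, and the second stage of the attack, the forged web server response that sends the browser to an exploit server, only works against plain HTTP: with HTTPS and HSTS the attacker can still drop the connection but cannot inject a redirect the browser will accept.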
