Privacy

'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com) 27

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

Security

RedDawn Android Malware Is Harvesting Personal Data of North Korean Defectors (theinquirer.net) 20

According to security company McAfee, North Korea uploaded three spying apps to the Google Play Store in January that contained hidden functions designed to steal personal photos, contact lists, text messages, and device information from the phones they were installed on. "Two of the apps purported to be security utilities, while a third provided information about food ingredients," reports The Inquirer. All three of the apps were part of a campaign dubbed "RedDawn" and targeted primarily North Korean defectors. From the report: The apps were promoted to particular targets via Facebook, McAfee claims. However, it adds that the malware was not the work of the well-known Lazarus Group, but another North Korean hacking outfit that has been dubbed Sun Team. The apps were called Food Ingredients Info, Fast AppLock and AppLockFree. "Food Ingredients Info and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components."

"AppLockFree is part of the reconnaissance stage, we believe, setting the foundation for the next stage unlike the other two apps. The malwares were spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile promoted Food Ingredients Info," according to McAfee security researcher Jaewon Min. "After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team."

Government

Cops Will Soon ID You Via Your Roof Rack (arstechnica.com) 98

An anonymous reader quotes a report from Ars Technica: On Tuesday, one of the largest license plate reader (LPR) manufacturers, ELSAG, announced a major upgrade to "allow investigators to search by color, seven body types, 34 makes, and nine visual descriptors in addition to the standard plate number, location, and time." Such a vast expansion of the tech now means that evading such scans will be even more difficult.

"Using advanced computer vision software, ELSAG ALPR data can now be processed to include the vehicle's make, type -- sedan, SUV, hatchback, pickup, minivan, van, box truck -- and general color -- red, blue, green, white and yellow," ELSAG continued. "The solution actively recognizes the 34 most-common vehicle brands on US roads." Plus, the company says, the software is now able to visually identify things like a "roof rack, spare tire, bumper sticker, or a ride-sharing company decal."

Google

Google Will Make Its Paid Storage Plans Cheaper (theverge.com) 69

An anonymous reader shares a report: Google is rolling out new changes to its storage plans that include a new, low-cost storage plan and half off the price of its 2TB storage option, the company announced today. It's also converting all Google Drive paid storage plans to Google One, perhaps in part because you'll now have one-tap access to Google's live customer service.

Google One will get a new $2.99 a month option that gets you 200GB of storage. The 2TB plan, which usually costs $19.99 per month, will now cost $9.99 a month. Finally, the 1TB plan that costs $9.99 a month is getting removed. The other plans for 10, 20, or 30TB won't see any changes.

Microsoft

Microsoft Turned Customers Against the Skype Brand (bloomberg.com) 135

An anonymous reader quotes a report from Bloomberg: Since acquiring Skype from private equity investors, Microsoft has refocused the online calling service on the corporate market, a change that has made Skype less intuitive and harder to use, prompting many Skypers to defect to similar services operated by Apple, Google, Facebook and Snap. The company hasn't updated the number of Skype users since 2016, when it put the total at 300 million. Some analysts suspect the numbers are flat at best, and two former employees describe a general sense of panic that they're actually falling. The ex-Microsofters, who requested anonymity to discuss confidential statistics, say that as late as 2017 they never heard a figure higher than 300 million discussed internally.

Chief Executive Officer Satya Nadella has repeatedly said he wants the company's products to be widely used and loved. By turning Skype into a key part of its lucrative Office suite for corporate customers, Microsoft is threatening what made it appealing to regular folks in the first place. [...] Focusing on corporations was a reasonable strategy and one shared by Skype's prior management. Originally [former Microsoft CEO Steve Ballmer] and company pledged to let Skype operate independently from Lync, Microsoft's nascent internet phone service for corporations. But two years later the company began merging the two into Skype for Business and folded that into Office. Today, Microsoft is using Skype for Business to help sell subscriptions to its cloud-based Office 365 and steal customers from Cisco. Microsoft has essentially turned Skype into a replacement for a corporate telephone system -- with a few modern features borrowed from instant messaging, artificial intelligence and social networking.

In closing, Bloomberg argues "the complexity of the corporate software (security, search, and the ability to host town halls) crowds out the simplicity consumers prefer (ease-of-use and decent call quality)."

Space

One of the Milky Way's Fastest Stars Is an Invader From Another Galaxy (sciencemag.org) 92

sciencehabit writes from a report via Science Magazine: On April 25, the European Space Agency released a data set gathered by the Gaia satellite containing the motions, and much more, of 1.3 billion stars. Astronomers have immediately sifted the data for fast-moving stars. They are prized as forensic tools: When rewound, their trajectories point back to the violent events that launched them. Last week, one team reported the discovery of three white dwarfs -- the dying embers of sunlike stars -- hurtling through the galaxy at thousands of kilometers per second, perhaps flung out from supernovae explosions. Another group reported more than two dozen fast-moving stars, some apparently kicked out by our galaxy's central black hole. And a third has confirmed that a star blazing through the outskirts of the Milky Way actually hails from another galaxy altogether, the Large Magellanic Cloud. The flood of discoveries has sent astronomers racing to their telescopes to check and classify the swift objects, says Harvard University astronomer James Guillochon. The findings have been reported in the journal Science.

Chrome

You Can Now Run Linux Apps On Chrome OS (venturebeat.com) 106

Google today announced Chrome OS is getting Linux support. "As a result, Chromebooks will soon be able to run Linux apps and execute Linux commands," reports VentureBeat. "A preview of Linux on the Pixelbook will be released first, with support for more devices coming soon." From the report: "Just go to wherever you normally get those apps, whether it's on the websites or through apt-get in the Linux terminal, and seamlessly get those apps like any other Linux distribution," Chrome OS director of product management Kan Liu told VentureBeat.

Support for Linux apps means developers will finally be able to use a Google device to develop for Google's platforms, rather than having to depend on Windows, Mac, or Linux machines. And because Chrome OS doesn't just run Chrome OS-specific apps anymore, developers will be able to create, test, and run any Android or web app for phones, tablets, and laptops all on their Chromebooks. Without having to switch devices, you can run your favorite IDE -- as long as there is a Debian Linux version (for the curious, Google is specifically using Debian Stretch here) -- code in your favorite language and launch projects to Google Cloud with the command line.

AI

Google Assistant Will Call Businesses For You Via 'Duplex' (qz.com) 103

At its I/O developer conference today, Google debuted "Duplex," an AI system for accomplishing real world tasks over the phone. "To show off its capabilities, CEO Sundar Pichai played two recordings of Google Assistant running Duplex, scheduling a hair appointment and a dinner reservation," reports Quartz. "In each, the person picking up the phone didn't seem to realize they were talking to a computer. The conversations proceed back-and-forth to find the right time, and confirm what the customer wanted. Even when conversations didn't go as expected, the assistant understood the context, responded appropriately, and carried on the task. (You can listen to the recordings here.)" From the report: It's a far more natural conversation than consumers may be used to with digital assistants. The AI's voice lacks a stilted cadence and comes complete with "ums" and natural pauses (which also helps cover up the fact that it is still processing). It uses the phone's on-board processing, as well as the cloud, to deliver the right response with just the right amount of pause.

Google is taking advantage of its primary asset: data. It trained Duplex on a massive body of "anonymized phone conversations," according to a release. Every scheduling task will have its own problems to solve when arranging a specific type of appointment, but all will be underpinned by Google's massive volume of data from searches and recordings that will help the AI hold a conversation. Still, the technology cannot carry on just any conversation. Even though Duplex can seemingly handle far more context than other systems, it only works within a narrow set of queries (Google hasn't listed all of them yet). And despite releasing six new more natural sounding voices for the Assistant product available today, none approached the humanity of its Duplex example.

Cloud

Nintendo Switch Online Service Will Launch With 20 NES Games, Cloud Saves, More (polygon.com) 51

An anonymous reader quotes a report from Polygon: Nintendo's online service for the Switch will include access to a selection of classic video games from the NES era as part of the subscription service. Today, Nintendo announced some of the games that will be included as part of the Nintendo Switch Online classic games selection. The 10 NES titles confirmed for the service, which Nintendo refers to as "Nintendo Entertainment System -- Nintendo Switch Online" in a press release, are: Soccer, Tennis, Donkey Kong, Mario Bros., Super Mario Bros., Balloon Fight, Ice Climber, Dr. Mario, The Legend of Zelda, and Super Mario Bros. 3. Nintendo promises 20 NES games will be available when Nintendo Switch Online goes live in September, meaning 10 classic NES games are still to be announced. New games for the service will be added regularly, Nintendo says.

Those NES games will include some sort of online play as part of Nintendo Switch Online. That includes online competitive or cooperative multiplayer, or simply taking turns controlling the game. "Friends can even watch each other play single-player games online, and 'pass the controller' at any time," Nintendo said in a release. "Every classic NES game will support voice chat via the Nintendo Switch Online smartphone app. It will also be possible to play these games offline."

Some other details of the service, as reported by Nintendo Life, include the option for cloud save data backups and a four-tiered pricing plan. In the U.S., the pricing is as follows: one month is $3.99; three months is $7.99; twelve months is $19.99; twelve-month family membership is $34.99 (with up to eight Nintendo accounts on different systems that will be able to use the service).

Cloud

Edge Computing: Explained (theverge.com) 159

An anonymous reader shares a report from The Verge, written by Paul Miller: In the beginning, there was One Big Computer. Then, in the Unix era, we learned how to connect to that computer using dumb (not a pejorative) terminals. Next we had personal computers, which was the first time regular people really owned the hardware that did the work. Right now, in 2018, we're firmly in the cloud computing era. Many of us still own personal computers, but we mostly use them to access centralized services like Dropbox, Gmail, Office 365, and Slack. Additionally, devices like Amazon Echo, Google Chromecast, and the Apple TV are powered by content and intelligence that's in the cloud -- as opposed to the DVD box set of Little House on the Prairie or CD-ROM copy of Encarta you might've enjoyed in the personal computing era. As centralized as this all sounds, the truly amazing thing about cloud computing is that a seriously large percentage of all companies in the world now rely on the infrastructure, hosting, machine learning, and compute power of a very select few cloud providers: Amazon, Microsoft, Google, and IBM.

The advent of edge computing as a buzzword you should perhaps pay attention to is the realization by these companies that there isn't much growth left in the cloud space. Almost everything that can be centralized has been centralized. Most of the new opportunities for the "cloud" lie at the "edge." The word edge in this context means literal geographic distribution. Edge computing is computing that's done at or near the source of the data, instead of relying on the cloud at one of a dozen data centers to do all the work. It doesn't mean the cloud will disappear. It means the cloud is coming to you.

Miller goes on to "examine what people mean practically when they extoll edge computing," focusing on latency, privacy and security, and bandwidth.

Cloud

Microsoft Is Moving Kinect to the Cloud (theverge.com) 37

At the annual Build conference, Microsoft's CEO Satya Nadella announced that Kinect is moving to the cloud. "Kinect, when we first launched it in 2010, was a speech-first, gaze-first, vision-first device. It was used in gaming, and then, later on, it came to the PC, and it was used in many applications: medical, industrial, robotics, education," said Nadella. "We've been inspired by what developers have done, and since Kinect, we've made a tremendous amount of progress when it comes to some of the foundational technologies in HoloLens. So we're taking those advances and packaging them up as Project Kinect for Azure." The Verge reports: It's big news after the depth camera and microphone accessory that originally debuted on the Xbox 360 was basically declared dead last October when Microsoft stopped manufacturing it. Alex Kipman, a technical fellow at Microsoft, explained in a LinkedIn blog post that Project Kinect for Azure would combine the depth sensor with Azure AI services that could help developers make devices that will be more precise "with less power consumption." Kipman also notes that AI deep learning on depth images could lead to "cheaper-to-deploy AI algorithms" that require smaller networks to operate.

Cloud

Google Releases Open Source Framework For Building 'Enclaved' Apps For Cloud (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: Today, Google is releasing an open source framework for the development of "confidential computing" cloud applications -- a software development kit that will allow developers to build secure applications that run across multiple cloud architectures even in shared (and not necessarily trusted) environments. The framework, called Asylo, is currently experimental but could eventually make it possible for developers to address some of the most basic concerns about running applications in any multi-tenant environment. Container systems like Docker and Kubernetes are designed largely to allow untrusted applications to run without exposing the underlying operating system to badness. Asylo (Greek for "safe place") aims to solve the opposite problem -- allowing absolutely trusted applications to run in "Trusted Execution Environments" (TEEs), which are specialized execution environments that act as enclaves and protect applications from attacks on the underlying platform they run on.

Google

Amazon Web Services Starts Blocking Domain-Fronting (theverge.com) 27

Earlier this month, Google announced it is discontinuing domain fronting, a practice that lets developers disguise their traffic to evade network blocks. Now, Amazon Web Services has announced a similar move to implement a new set of enhanced domain protections specifically designed to stop domain fronting. The Verge reports: In the post, Amazon characterized the change as an effort to stamp out malware. "Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer," the post explained. "No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain." Domain-fronting works by using major cloud providers as a kind of proxy, making a data request seem like it's heading to a major service like Google or Amazon only to be forwarded along to a third party once it reaches the broader internet. Unfortunately for circumvention tools, neither Amazon nor Google will let them pull that trick anymore. Amazon will still allow domain fronting within domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where data is going, making it far less useful for blocked apps.

Operating Systems

Ubuntu 18.04 Focuses On Security and AI Improvements (sdtimes.com) 89

Canonical has announced the release of its open-source Linux operating system, Ubuntu 18.04, which features security, multi-cloud, containers, and AI improvements. From a report: "Multi-cloud operations are the new normal," said Mark Shuttleworth, CEO of Canonical and founder of Ubuntu, in a statement. "Boot-time and performance-optimized images of Ubuntu 18.04 LTS on every major public cloud make it the fastest and most efficient OS for cloud computing, especially for storage and compute intensive tasks like machine learning." On-premises and on-cloud AI development within Ubuntu will be improved by the integration of Kubeflow and a range of CI/CD tools into Canonical Kubernetes. Kubeflow is a machine learning library built on Kubernetes.

Education

A Well-Known Expert On Student Loans Is Not Real (chronicle.com) 173

mi shares a report from The Chronicle of Higher Education: Drew Cloud is everywhere. The self-described journalist who specializes in student-loan debt has been quoted in major news outlets, including The Washington Post, The Boston Globe, and CNBC, and is a fixture in the smaller, specialized blogosphere of student debt. But he's a fiction, and "his" site -- an invention of a student-loan refinancing company.

"Drew Cloud is a pseudonym that a diverse group of authors at Student Loan Report, LLC use to share experiences and information related to the challenges college students face with funding their education," wrote Nate Matherson, CEO of LendEDU (the company that owns Cloud's website, The Student Loan Report). Before that admission, however, Cloud had corresponded at length with many journalists, pitching them stories and offering email interviews, many of which were published. When The Chronicle attempted to contact him through the address last week, Cloud said he was traveling and had limited access to his account. He didn't respond to additional inquiries. And on Monday, as The Chronicle continued to seek comment, Cloud suddenly evaporated. His once-prominent placement on The Student Loan Report had been removed. His bylines were replaced with "SLR Editor." Matherson confirmed on Tuesday that Cloud was an invention. Pressed on whether he regretted deceiving news organizations with a fake source, Matherson said Cloud "was created as a way to connect with our readers (ex. people struggling to repay student debt) and give us the technical ability to post content to the Wordpress website."

Security

Suspicious Event Hijacks Amazon Traffic For 2 hours, Steals Cryptocurrency (arstechnica.com) 67

Amazon lost control of some of its widely used cloud services for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that allowed them to redirect traffic to rogue destinations, according to media reports. ArsTechnica: The attackers appeared to use one server masquerading as cryptocurrency website MyEtherWallet.com to steal digital coins from unwitting end users. They may have targeted other customers of Amazon's Route 53 service as well. The incident, which started around 6am California time, hijacked roughly 1,300 IP addresses, Oracle-owned Internet Intelligence said on Twitter. The malicious redirection was caused by fraudulent routes that were announced by Columbus, Ohio-based eNet, a large Internet service provider that is referred to as autonomous system 10297. Once in place, the eNet announcement caused some of its peers to send traffic over the same unauthorized routes. [...] Tuesday's event may also have ties to Russia, because MyEtherWallet traffic was redirected to a server in that country, security researcher Kevin Beaumont said in a blog post. The redirection came by rerouting domain name system traffic and using a server hosted by Chicago-based Equinix to perform a man-in-the-middle attack. MyEtherWallet officials said the hijacking was used to send end users to a phishing site. Participants in this cryptocurrency forum appear to discuss the scam site. Further reading: Hacker Hijacks DNS Server of MyEtherWallet to Steal $160,000 (BleepingComputer).

AI

AI Will Wipe Out Half the Banking Jobs In a Decade, Experts Say 111

Experts in the industry say that current advances in artificial intelligence and automation could replace as many as half the nation's financial services workers over the next decade, though it will take a big investment to make that happen. The Mercury News reports: "Unless banks deal with the performance issues that AI will cause for ultra-large databases, they will not be able to take the money gained by eliminating positions and spend it on the new services and products they will need in order to stay competitive," James D'Arezzo, CEO of Glendale-based Condusiv Technologies, said. Intensive hardware upgrades are often cited as an answer to the problem, but D'Arezzo said that's prohibitively expensive.

Speaking to an audience last year in Frankfurt, Germany, Deutsche Bank CEO John Cryan predicted a "bonfire" of industry jobs as automation moves forward. "In our bank we have people doing work like robots," he said. "Tomorrow we will have robots behaving like people. It doesn't matter if we as a bank will participate in these changes or not, it is going to happen." Increased processing power, cloud storage and other developments are making many tasks possible that once were considered too complex for automation, according to Cryan. D'Arezzo, whose company works to improve existing software performance, said the financial industry is being swamped by "a tsunami of data," including new compliance requirements for customer privacy and constantly changing bank regulations.

Bhagwan Chowdhry, a professor of finance and economics at the UCLA Anderson School of Management, offers a less bleak view of the future. "Technology will eliminate some jobs that are repetitive and require less human judgment," he said, "But I think they will get replaced by other jobs that humans are better at. Anything that requires judgment is something humans will continue to do. We are not good at multiplying 16-digit numbers, but we're good at judging people and detecting if someone is telling the truth."

Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.

Communications

A Florida Man Has been Accused of Making 97 Million Robocalls (bloomberg.com) 176

A Florida man accused of flooding consumers with 97 million phone calls touting fake travel deals appeared Wednesday before lawmakers to explain how robocalls work and to say, "I am not the kingpin of robocalling that is alleged." From a report: Adrian Abramovich, of Miami, who is fighting a proposed $120 million fine, told senators that open-source software lets operators make thousands of phone calls with the click of a button, in combination with cloud-based computing and "the right long distance company." "Clearly regulation needs to address the carriers and providers and require the major carriers to detect robocalls activity," Abramovich said in testimony submitted in advance to the Senate Commerce Committee. He has asked the Federal Communications Commission to reduce the fine proposed last year, calling it disproportionate, in part because most calls went unanswered or resulted in a quick hang-up by consumers. The panel's chairman, Senator John Thune, a South Dakota Republican, called Abramovich and officials from the FCC and other agencies to discuss ways to stop abusive calls.

Cloud

Microsoft Built Its Own Custom Linux Kernel For Its New IoT Service (techcrunch.com) 199

At a small press event in San Francisco, Microsoft today announced the launch of a secure end-to-end IoT product that focuses on microcontroller-based devices -- the kind of devices that use tiny and relatively low-powered microcontrollers (MCUs) for basic control or connectivity features. TechCrunch reports: At the core of Azure Sphere is a new class of certified MCUs. As Microsoft president and chief legal officer Brad Smith stressed in today's announcement, Microsoft will license these new Azure Sphere chips for free, in hopes to jump-start the Azure Sphere ecosystem. Because it's hard to secure a device you can't update or get telemetry from, it's no surprise that these devices will feature built-in connectivity. And with that connectivity, these devices can also connect to the Azure Sphere Security Service in the cloud. For the first time ever, Microsoft is launching a custom Linux kernel and distribution: the Azure Sphere OS. It's an update to the kind of real-time operating systems that today's MCUs often use.

Why use Linux? "With Azure Sphere, Microsoft is addressing an entirely new class of IoT devices, the MCU," Rob Lefferts, Microsoft's partner director for Windows enterprise and security told me at the event. "Windows IoT runs on microprocessor units (MPUs) which have at least 100x the power of the MCU. The Microsoft-secured Linux kernel used in the Azure Sphere IoT OS is shared under an OSS license so that silicon partners can rapidly enable new silicon innovations." And those partners are also very comfortable with taking an open-source release and integrating that with their products. To get the process started, MediaTek is producing the first set of these new MCUs. These are low-powered, single-core ARM-A7 systems that run at 500MHz and include WiFi connectivity as well as a number of other I/O options.
