Security

Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com) 42

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.
Facebook

'Why I Decided To Disable AMP On My Site' (alexkras.com) 127

Web developer Alex Kras on Monday listed a number of reasons why he dislikes Google's AMP project, and why he pulled support for it on his website. From his post: Back in the day we used to have WAP pages -- specific web pages that were presented only to mobile devices. Opting into AMP, for publishers, is kind of like going back to those days. Instead of using responsive design (making sure that one version of the site works well on all devices) publishers are forced to maintain two versions of each page -- their regular version for larger devices and mobile phones that don't use Google and the AMP version. The benefit of AMP is that it imposes tough restrictions on content, making it load fast. The issue with this approach is that AMP becomes a subset of the original content. For example, user comments are often removed. I also find the way images load in AMP to be buggy. AMP tries to load an image only when it becomes visible to the user, rendering a white square instead of the image. In my experience I've seen it fail fairly regularly, leaving the article with an empty white square instead of the image. [...] It's up to publishers to decide if they want to add AMP support on their site. Users, however, don't have an option to turn AMP off. It would be nice if Google provided a user level setting to turn results rendered as AMP off. Unfortunately, even if they were to add this option, it wouldn't help much when Twitter of Facebook would decide to server AMP. Further reading: Kill Google AMP before it KILLS the web - The Register, The Problem With Google AMP, 2 Billion Pages On Web Now Use Google's AMP, Pages Now Load Twice As Fast. John Gruber on open web: Fuck Facebook.
Security

Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) 75

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
EU

Germany Cracks Down On Illegal Speech On Social Media. (smh.com.au) 509

ArmoredDragon writes: German police have raided 36 homes of people accused of using illegal speech on Facebook and Twitter. Much of it was aimed at political speech. According to the article, "Most of the raids concerned politically motivated right-wing incitement, according to the Federal Criminal Police Office, whose officers conducted home searches and interrogations. But the raids also targeted two people accused of left-wing extremist content, as well as one person accused of making threats or harassment based on someone's sexual orientation."

This comes just as a new law is being debated that can fine social media platforms $53 million for not removing 70% of illegal speech (including political, defamatory, and hateful speech) within 24 hours of it being posted, which Facebook argues will make it obligatory for them to delete posts and ban users for speech that isn't clearly illegal.

United Kingdom

UK Parliament Emails Closed After 'Sustained And Determined' Cyber-Attack (theguardian.com) 44

An anonymous reader quotes the Guardian: Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and their staffers' email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords... The estate's digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails...

The international trade secretary, Liam Fox, told ITV News the attack was a "warning to everyone we need more security and better passwords. You wouldn't leave your door open at night." In an interview with the BBC, he added: "We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails."

One member of Parliament posted on Twitter "Sorry, no parliamentary email access today â" we're under cyber-attack from Kim Jong-un, Putin or a kid in his mom's basement or something." He added later, "I'm off to the pub."
Government

Obama Authorized a Secret Cyber Operation Against Russia, Says Report (engadget.com) 226

Jessica Conditt reports via Engadget: President Barack Obama learned of Russia's attempts to hack U.S. election systems in early August 2016, and as intelligence mounted over the following months, the White House deployed secrecy protocols it hadn't used since the 2011 raid on Osama bin Laden's compound, according to a report by The Washington Post. Apparently, one of the covert programs Obama, the CIA, NSA and other intelligence groups eventually put together was a new kind of cyber operation that places remotely triggered "implants" in critical Russian networks, ready for the U.S. to deploy in the event of a pre-emptive attack. The downed Russian networks "would cause them pain and discomfort," a former U.S. official told The Post. The report says CIA director John Brennan, Obama and other officials had at least four "blunt" conversations with Russian officials about its cyber intrusions beginning August 4th. Obama confronted Vladimir Putin in person during a meeting of world leaders in China this past September, the report says, and his administration even sent Russia a warning through a secure channel originally designed to help the two countries avoid a nuclear strike. Moscow apparently responded one week later -- after the U.S. election -- denying the accusation.
Space

SpaceX Successfully Launches and Lands a Used Rocket For the Second Time (theverge.com) 74

SpaceX has successfully launched and landed a recycled Falcon 9 rocket for the second time. "The rocket's first stage -- the 14-story-tall core that houses the fuel and the rocket's main engines -- touched down on one of the company's autonomous drone ships in the Atlantic Ocean shortly after taking off from a launchpad at nearby Cape Canaveral, Florida," reports The Verge. From the report: This particular rocket previously flew in January, when it was used to put 10 satellites into orbit for communications company Iridium. The rocket then landed on a drone ship in the Pacific Ocean. SpaceX retrieved the rocket and spent the next few months refurbishing it in preparation for today's launch. This afternoon, it was used to launch Bulgaria's first communications satellite for TV service provider Bulsatcom. The landing wasn't easy, though. Because the rocket had to push BulgariaSat-1 to such a high orbit, the first stage experienced more force and heat during reentry than any other Falcon 9, according to a tweet from SpaceX CEO Elon Musk. Musk even warned that there was a "good chance [the] rocket booster doesn't make it back." Shortly after the landing, though, Musk returned to Twitter to add that the rocket booster used "almost all of the emergency crush core," which helps soften the landing.
Apple

Chris Lattner, Poached From Apple To Become Tesla's Top Software Executive, Quits After 6 Months (bizjournals.com) 140

Tesla said last night Chris Lattner, the vice president of Autopilot software, has left the company about six months after the electric car-maker hired him away from Apple. From a report: Lattner had led the software development team in charge of Autopilot. Tesla executive Jim Keller is now in charge of Autopilot hardware and software. The company announced it had also hired OpenAI research scientist Andrej Karpathy, who will serve as Tesla's new director of artificial intelligence and Tesla Vision. "Chris just wasn't the right fit for Tesla, and we've decided to make a change," the company told reporters in a statement. "We wish him the best." Lattner tweeted last night, "Turns out that Tesla isn't a good fit for me after all. I'm interested to hear about interesting roles for a seasoned engineering leader!" Lattner is a widely respected figure in the industry. He is the main author of LLVM as well as Apple's Swift programming language. We interviewed him earlier this year.
Security

Cisco Subdomain Private Key Found in Embedded Executable (google.com) 53

Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com sub domain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users' local machines. I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but I wasn't entirely sure whether this is considered a key compromise. I asked Hanno Bock on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named 'CiscoVideoGuardMonitor', and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend to run this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable 'CiscoVideoGuardMonitor' can be found at '$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/ VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names: drmlocal.cisco.com, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked.
Twitter

Tableau Software Drops Its 'Twitter Crowd Favorite' Data Viz Contests (tableau.com) 21

theodp writes: As part of its 'Iron Viz' data visualization contests that lead up to its annual conferences, Tableau Software ($4.8B market cap) has awarded $500 gift cards to 'Twitter Crowd Favorites', contestants whose data viz draw the most 'votes' (tagged Tweets) on Twitter. But no more. As it expanded Iron Viz eligibility to China, Tableau said it 'just didn't seem fair' to allow popular voting in its worldwide contests since the Chinese government blocks citizens' Twitter use. "As Chinese authors join the contest," the Tableau Public blog explained, "we have to say goodbye to the Twitter Crowd Favorite. Twitter is blocked in mainland China and it wouldn't be fair for our Chinese contestants." And the latest Iron Viz Contest FAQs confirm the change: "Q. I heard there won't be a Crowd Favorite prize, is that true? A. Absolutely true. China is among the new countries who can take part in the Iron Viz, and Twitter doesn't work in mainland China. The usual Twitter Popular Vote just didn't seem fair."
This XKCD comic still has my all-time favorite data visualizations.
Debian

Debian 9 (Stretch) Will Be Released Today (twitter.com) 196

The Debian Project has been liveblogging today's release of Debian 9 (Stretch) using the Twitter hashtag #releasingstretch. Some of the announcements:
  • The oldstable suite (wheezy) has now been renamed to oldoldstable
  • Debian jessie now been renamed to oldstable!
  • The Debian stretch suites have now been renamed to stable!
  • The draft debian-devel-announce post is ready, archive docs are being cleaned up

This release is named after that purple octopus in Toy Story 3, and more tantalizing tidbits of information keep appearing on Debian's micronews site:

  • At least 1436 people and 18 teams contributed to Debian in 2017
  • Stretch has 25,357 source packages with 9,808,465 source files
  • There were 13 different themes proposed to be the official Debian stretch theme
  • Debian Stretch ships with the free mathematical software SageMath, you can install it with apt
  • During the stretch development, 101 contributors became Debian Developers, and 94 more become Debian Maintainers
  • Debian Stretch will ship with the first release of the Debian Astro Pure Blend [for astronomers]
  • Debian Popularity Contest gathers anonymous statistics about Debian packages usage from about 195,000 reports

The Almighty Buck

Air Force Budget Reveals How Much SpaceX Undercuts Launch Prices (arstechnica.com) 97

An anonymous reader quotes a report from Ars Technica: In 2014, the U.S. Government Accountability Office issued a report on cost estimates for the U.S. Air Force's program to launch national security payloads, which at the time consisted of a fleet of rockets maintained and flown entirely by United Launch Alliance (ULA). The report was critical of the non-transparent nature of ULA's launch prices and noted that the government "lacked sufficient knowledge to negotiate fair and reasonable launch prices" with the monopoly. At around the same time, the new space rocket company SpaceX began to aggressively pursue the opportunity to launch national security payloads for the government. SpaceX claimed to offer a substantially lower price for delivering satellites into various orbits around Earth. But because of the lack of transparency, comparing prices was difficult. The Air Force recently released budget estimates for fiscal year 2018, and these include a run out into the early 2020s. For these years, the budget combines the fixed price rocket and ELC contract costs into a single budget line. (See page 109 of this document). They are strikingly high. According to the Air Force estimate, the "unit cost" of a single rocket launch in fiscal year 2020 is $422 million, and $424 million for a year later. SpaceX sells basic commercial launches of its Falcon 9 rocket for about $65 million. But, for military launches, there are additional range costs and service contracts that add tens of millions of dollars to the total price. It therefore seems possible that SpaceX is taking a loss or launching at little or no profit to undercut its rival and gain market share in the high-volume military launch market. Elon Musk retweeted the article, adding "$300M cost diff between SpaceX and Boeing/Lockheed exceeds avg value of satellite, so flying with SpaceX means satellite is basically free."
Security

You Can Hack Some Mazda Cars With a USB Flash Drive (bleepingcomputer.com) 52

An anonymous reader writes: "Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging in a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years," reports Bleeping Computer. "The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these 'hacks' to customize their cars' infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer)." Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo on a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can't be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.
Piracy

Alleged KickassTorrents Owner Considers 'Voluntary Surrender' To the US (torrentfreak.com) 59

An anonymous reader quotes a report from TorrentFreak: Earlier this year a Polish court ruled that Artem Vaulin, the alleged owner of the defunct torrent site KickassTorrents, can be extradited to the United States. The decision came as a disappointment to the defense team, which quickly announced an appeal. Vaulin has since been released on bail and currently resides in a Warsaw apartment. His release has made it easier to communicate with his attorneys in the United States, who have started negotiations with the U.S. Government. While the extradition appeal is still ongoing, it now appears that under the right conditions Vaulin might consider traveling to the United States voluntarily, so he can "resolve" the pending charges. This is what the defense team states in a motion for a status conference (pdf), which was submitted earlier this week.
Government

US Intelligence Agencies Tried To Bribe Our Developers To Weaken Encryption, Says Telegram Founder (twitter.com) 135

In a series of tweets, Pavel Durov, the Russian founder of the popular secure messaging app Telegram has revealed that U.S. intelligence agencies tried twice to bribe his company's developers to weaken encryption in the app. The incident, Durov said, happened last year during the team's visit to the United States. "During our team's 1-week visit to the US last year we had two attempts to bribe our devs by US agencies + pressure on me from the FBI," he said. "And that was just 1 week. It would be naive to think you can run an independent/secure cryptoapp based in the US."

Telegram is one of the most secure messaging apps available today, though researchers have pointed flaws in it as well.
It's funny.  Laugh.

Marissa Mayer, Yahoo's Ex-CEO, Says She's Looking 'Forward To Using Gmail Again' 187

Former Yahoo CEO Marissa Mayer, who resigned on Tuesday after running the company for about five years, appeared at a conference in London today. At the conference, Mayer said one of the things she was looking forward to in her post-Yahoo life was using Gmail again. "I am always faster when using a tool I designed myself," she added.
Communications

Someone Built a Tool To Get Congress' Browser History (vice.com) 68

A software engineer in North Carolina has created a new plugin that lets website administrators monitor when someone accesses their site from an IP address associated with the federal government. It was created in part to protest a measure signed by President Trump in April that allows internet service providers to sell sensitive information about your online habits without needing your consent. Motherboard reports: A new tool created by Matt Feld, the founder of several nonprofits including Speak Together, could help the public get a sense of what elected officials are up to online. Feld, a software engineer working in North Carolina, created Speak Together to share "technical projects that could be used to reduce the opaqueness between government and people," he told Motherboard over the phone. "It was born out of just me trying to get involved and finding the process to be confusing." The tool lets website administrators track whether members of Congress, the Senate, White House staff, or Federal Communications Commission (FCC) staff are looking at their site. If you use Feld's plug-in, you'll be able to see whether someone inside government is reading your blog. You won't be able to tell if President Trump viewed a web page, but you will be able to see that it was someone using an IP address associated with the White House. The tool works similarly to existing projects like CongressEdits, an automated Twitter account that tweets whenever a Wikipedia page is edited from IP addresses associated with Congress.
Government

'COVFEFE Act' Would Make Social Media a Presidential Record (thehill.com) 322

An anonymous reader quotes a report from The Hill: Rep. Mike Quigley (D-Ill.) introduced legislation Monday to classify presidential social media posts -- including President Trump's much-discussed tweets -- as presidential records. The Communications Over Various Feeds Electronically for Engagement (COVFEFE) Act, which has the same acronym as an infamous Trump Twitter typo last month, would amend the Presidential Records Act to include "social media." Presidential records must be preserved, according to the Presidential Records Act, which would make it potentially illegal for the president to delete tweets. "President Trump's frequent, unfiltered use of his personal Twitter account as a means of official communication is unprecedented. If the President is going to take to social media to make sudden public policy proclamations, we must ensure that these statements are documented and preserved for future reference. Tweets are powerful, and the President must be held accountable for every post," said Quigley in a statement. Most people took the "covfefe" tweet to be a typo, although press secretary Sean Spicer told the media that the term was used intentionally. "The president and a small group of people know exactly what he meant," he said.
Cellphones

New iOS 11 Settings Will Stop Apps From Tracking Your Location (theverge.com) 50

An anonymous reader quotes The Verge: Apple is giving users the option to enable much stricter location rules with iOS 11, according to MacRumors. The company began this effort last year by adding a new option to iOS 10 that grants apps access to your location only while they're actively being used. But this "while in use" setting is up to developers to actually enable. The vast majority of popular apps did integrate that new feature. Others, however -- Uber chief among them -- still force iPhone users to choose between always or never providing location data. The latter choice breaks the functionality of an app like Uber, leaving customers with really only one option. Apple seems poised to eliminate this false choice in iOS 11 by making the "while in use" restriction available for every app.
Transportation

A Power Outage In Silicon Valley Was Caused By A Drone Crash (mercurynews.com) 218

An anonymous reader quotes the San Jose Mercury News: A drone crashed into a high-voltage wire Thursday night, causing tens of thousands of dollars in damage and knocking out power to roughly 1,600 people for about two hours, police said... "The FAA has rules and regulations in place to prevent this exact type of incident from happening," said Mountain View police spokeswoman Katie Nelson. "We simply ask that people comply with the rules and that they operate drones safely and sensibly."
The town's city hall was without power -- along with the rest of the 1,600 homes -- prompting a Google software engineer to tweet that "drones are fun until someone flies one into high-voltage power lines." They added later that "apparently the owner 'fled in a white hatchback', which is the least dignified way that someone can flee, I think."

Slashdot Top Deals