aafrn writes: Microsoft is sending users who search for Office 2019 download links via its Bing search engine to a website that teaches them the basics about pirating the company's Office suite. This happens every time users search for the term "office 2019 download" on Bing. The result is a Bing search card (highlighted search results) that links to a piracy tutorial that teaches users how to install uTorrent, download a torrent file, and install an Office crack file. Fortunately, the torrent download links are down, but experts believe the link was used to spread malware.

Louisiana is rolling out a new digital driver's license app, called LA Wallet, that will let retailers digitally verify the age of their customers, if required. "According to IEEE Spectrum, Louisiana's Office of Alcohol and Tobacco Control is expected to announce that bars, restaurants, grocery stores and other retails are allowed to accept LA Wallet as proof of age, according to the app's developer, Envoc." From the report: The Baton Rouge-based company launched LA Wallet in June, after two years of collaboration with state officials. But so far only law enforcement officers making routine traffic stops are required to accept the digital driver's license. Next week's announcement would greatly broaden the scope of the app's use. About 71,000 people have downloaded LA Wallet so far, says Calvin Fabre, founder and president of Envoc. The app costs $5.99 in the Google Play and Apple App stores. Users buy it, create an account with some basic information from their physical driver's license, and create a password. That's it. No biometric security -- like iris scans or facial recognition -- required. The app links back to Louisiana's Office of Motor Vehicles database, which completes the digital license with the user's photo and additional information. Any changes to the license, like a suspension or renewal, are updated immediately in the app with a wireless network connection.

To present the license -- say, to a cop during a traffic stop -- the driver (hoping his phone battery isn't dead) opens the app with a password, shows the cop the digital license image, and authenticates it by pressing and holding the screen to reveal a security seal. The license can be flipped over to show a scannable bar code on the back. There's also a handy security feature that allows anyone with the LA Wallet app to authenticate another person's Louisiana digital driver's license. It allows the bar patron to select which information she would like to reveal to the bartender -- in this case, simply the fact that she is over 21. That information is displayed on the phone with a photo and embedded QR code. The bartender scans the code with her app, which tells her that the woman seated on the other side of the bar is indeed over 21. None of the customer's personal information, such as her name, birth date, or address, is displayed or stored on the bartender's phone.

An anonymous reader shares a report: Celebrity physicians often catapult to fame via their mastery of traditional media, like television or radio or books or magazines, and we're used to seeing medical advice and expertise there. What you may have yet to encounter, or haven't fully noticed yet, is the growing group of current medical students who are perhaps on track to achieve even greater fame, through their prodigious and aggressive use of social media, particularly Instagram. Even before receiving their medical degrees, these future doctors are hard at work growing their audiences (many have well into the thousands of followers), arguably in ways even more savvy than the physicians on social media today.

I first learned of the medical student Instagram influencer community a few months ago, when a friend shared links to a few of these accounts with me, asking if this is what medical school was really like. Curated and meticulously organized, these accounts posted long reflections after anatomy lab sessions, video stories of students huddled around a defibrillator during a CPR training session, pictures of neat study spaces featuring board-prep textbooks next to cups of artisan coffee, and 5 a.m. selfies taken in the surgery locker-room before assisting with a C-section. Initially, I cringed. Sure, they looked vaguely familiar -- they were (literally) rose-tinted, glamorized snapshots of relatable moments dispersed over the past few years of my life. But interspersed, and even integrated, into those relatable moments were advertisements and discount codes for study materials and scrub clothing brands. Something about that, in particular, felt impulsively antithetical to my (perhaps wide-eyed) interpretation of medicine's ideals, of service to others over self-promotion.

Sufficiently intrigued, I fell into a digital rabbit hole that surfaced dozens of fellow med students moonlighting as social media influencers, and the partnerships grew ever more questionable. Some accounts featured sponsored posts advertising watches and clothes from Lululemon; another linked back to a personal blog that included a page that allowed followers to "shop my Instagram." A popular fitness-oriented account, hosted by an aspiring M.D., promoted protein powder and pre-workout supplements. A future dermatologist showcased skin care products. Another future M.D.'s account highlights the mattresses, custom maps, furniture rental services, and food brand that, according to the posts, help her seamlessly live the life of a third-year med student.

A reminder that Internet Archive's Wayback Machine, which many people assume keeps a permanent trail and origin of web-content, has little feasible choice but to comply with DMCA takedown notices. As a result of which, a portion of the archive of things people submit to the website continues to quietly fade away. Gizmodo: Over the last few years, there has been a change in how the Wayback Machine is viewed, one inspired by the general political mood. What had long been a useful tool when you came across broken links online is now, more than ever before, seen as an arbiter of the truth and a bulwark against erasing history. That archive sites are trusted to show the digital trail and origin of content is not just a must-use tool for journalists, but effective for just about anyone trying to track down vanishing web pages. With that in mind, that the Internet Archive doesn't really fight takedown requests becomes a problem. That's not the only recourse: When a site admin elects to block the Wayback crawler using a robots.txt file, the crawling doesn't just stop. Instead, the Wayback Machine's entire history of a given site is removed from public view.

In other words, if you deal in a certain bottom-dwelling brand of controversial content and want to avoid accountability, there are at least two different, standardized ways of erasing it from the most reliable third-party web archive on the public internet. For the Internet Archive, like with quickly complying with takedown notices challenging their seemingly fair use archive copies of old websites, the robots.txt strategy, in practice, does little more than mitigating their risk while going against the spirit of the protocol. And if someone were to sue over non-compliance with a DMCA takedown request, even with a ready-made, valid defense in the Archive's pocket, copyright litigation is still incredibly expensive. It doesn't matter that the use is not really a violation by any metric. If a rightsholder makes the effort, you still have to defend the lawsuit.

Early last year, YouTube announced that it would be retiring annotations, those boxes that pop up during a video with links and additional information. It discontinued the annotations editor in May of last year and soon all existing annotations will be going away as well. From a report: The company added an update to the help page announcing the end of its annotations editor, saying, "We will stop showing existing annotations to viewers starting January 15, 2019. All existing annotations will be removed."

A group of Google employees have put their name to a public letter calling on the company to abandon its plans for a Chinese search product that censors results. From a report: Project Dragonfly, as the initiative is known, would enable state surveillance at a time when the Chinese government is expanding controls over the population, according to the letter signed by at least 10 workers, predominately software engineers and researchers. The document also called on management to commit to transparency, be accountable and provide clear communication.

Ever since plans for Dragonfly emerged in August, Google parent Alphabet has been riven by internal dissent at the prospect of a search engine bending to Beijing's censorship. It was that sort of government control that prompted co-founders Larry Page and Sergey Brin to effectively pull out of China in 2010 when it decided to stop removing controversial links from web queries. "We refuse to build technologies that aid the powerful in oppressing the vulnerable, wherever they may be," the Google workers wrote in the letter. "Dragonfly in China would establish a dangerous precedent, one that would make it harder for Google to deny other countries similar concessions."

Google's top news executive has refused to rule out shutting down Google News in EU countries, as the search engine faces a battle with Brussels over plans to charge a "link tax" for using news stories. The Guardian reports: Richard Gingras, the search engine's vice-president of news, said while "it's not desirable to shut down services" the company was deeply concerned about the current proposals, which are designed to compensate struggling news publishers if snippets of their articles appear in search results. He told the Guardian that the future of Google News could depend on whether the EU was willing to alter the phrasing of the legislation. "We can't make a decision until we see the final language," he said. He pointed out the last time a government attempted to charge Google for links, in 2014 in Spain, the company responded by shutting down Google News in the country. Spain passed a law requiring aggregation sites to pay for news links, in a bid to prop up struggling print news outlets. Google responded by closing the service for Spanish consumers, which he said prompted a fall in traffic to Spanish news websites. "We would not like to see that happen in Europe," said Gingras. "Right now what we want to do is work with stakeholders."

A new study has found that more than half of the top free mobile VPN returned by Play Store and App Store searches are from developers based in China or with Chinese ownership, raising serious concerns about data privacy. "Our investigation uncovered that over half of the top free VPN apps either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the internet within its borders," said Simon Migliano, Head of Research at Metric Labs, a company that runs the Top10VPN portal. ZDNet reports: The researcher says he analyzed the top 20 free VPN apps that appear in searches for VPN apps on the Google and Apple mobile app stores, for both the US and UK locales. He says that 17 of the 30 apps he analyzed (10 apps appeared on both stores) had formal links to China, either being a legally registered Chinese entity or by having Chinese ownership, based on business registration and shareholder information Migliano shared with ZDNet.

The expert says that 86 percent of the apps he analyzed had "unacceptable privacy policies." For example, some apps didn't say if they logged traffic, some apps appeared to use generic privacy policies that didn't even mention the term VPN, while some apps didn't feature a privacy policy at all. On top of this, other apps admitted in their policies to sharing data with third-parties, tracking users, and sending and sharing data with Chinese third-parties. Almost half of the free VPN apps also appeared to take the privacy policy as a joke, with some hosting the policy as a plain text file on Pastebin, AWS servers, or raw IP addresses, with no domain name. In addition, 64 percent of the apps also didn't bother setting up a dedicated website for their VPN service, operating strictly from the Play Store.

Antivirus has been around for more than 20 years. But do you still need it to protect yourself today? From a report: In general, you probably do. But there are caveats. If you are worried about your iPhone, there's actually no real antivirus software for it, and iOS is engineered to make it extremely difficult for hackers to attack users, especially at scale. In the case of Apple's computers, which run MacOS, there are fewer antiviruses, but given that the threat of malware on Mac is increasing ever so slightly, it can't hurt to run an AV on it. If you have an Android phone, on the other hand, an antivirus does not hurt -- especially because there have been several cases of malicious apps available on the Google Play Store. So, on Android, an antivirus will help you, according to Martijn Grooten, the editor of trade magazine Virus Bulletin.

When it comes to computers running Windows, Grooten still thinks you should use an AV. "What antivirus is especially good at is making decisions for you," Grooten told Motherboard, arguing that if you open attachments, click on links, and perhaps you're not too technically savvy, it's good to have an antivirus that can prevent the mistakes you may make in those situations. For Grooten and Simon Edwards, the founder of SE Labs, a company that tests and ranks antivirus software, despite the fact that Windows' own antivirus -- called Defender -- is a good alternative, it's still worth getting a third-party one. "Even if [Defender] wasn't the best and it isn't the best, it's is still a lot better than having nothing," Edwards told Motherboard. Yet, "we do see a benefit in having paid for AV product."

The Firefox Test Pilot team on Monday rolled out two new experimental features, one of which is aimed to make this year's holiday shopping a bit easier on your wallet. It's called Price Wise, and it's an online shopping comparison tool that lets you add items from across several retailers to a Price Watcher list. From a report: When a price drops, a notification is automatically sent to your browser, and you can click regardless of what web page you are currently on. For now, Price Wise tracks just five retailers -- Amazon, Best Buy, eBay, Walmart, and the Home Depot -- but the company said it's planning on expanding to cover more outlets in the future.

Elsewhere, Mozilla is also rolling out a new feature called Email Tabs as part of its early adopter program. While Mozilla already offers a service for bookmarking content to read later via Pocket, Email Tabs enables users to choose multiple tabs and send links to one or more of them to their Gmail address. There are a number of options here. Users can choose to send links with screenshots, just links, or links with full articles. Price Wise is only available to users in the U.S. for now.

Weather forecasting is impressively accurate given how changeable and chaotic Earth's climate can be. It's not unusual to get 10-day forecasts with a reasonable level of accuracy. But there is still much to be done. One challenge for meteorologists is to improve their "nowcasting," the ability to forecast weather in the next six hours or so at a spatial resolution of a square kilometer or less. From a report: In areas where the weather can change rapidly, that is difficult. And there is much at stake. Agricultural activity is increasingly dependent on nowcasting, and the safety of many sporting events depends on it too. Then there is the risk that sudden rainfall could lead to flash flooding, a growing problem in many areas because of climate change and urbanization. That has implications for infrastructure, such as sewage management, and for safety, since this kind of flooding can kill. So meteorologists would dearly love to have a better way to make their nowcasts. Enter Blandine Bianchi from EPFL in Lausanne, Switzerland, and a few colleagues, who have developed a method for combining meteorological data from several sources to produce nowcasts with improved accuracy.

Their work has the potential to change the utility of this kind of forecasting for everyone from farmers and gardeners to emergency services and sewage engineers. Current forecasting is limited by the data and the scale on which it is gathered and processed. For example, satellite data has a spatial resolution of 50 to 100 km and allows the tracking and forecasting of large cloud cells over a time scale of six to nine hours. By contrast, radar data is updated every five minutes, with a spatial resolution of about a kilometer, and leads to predictions on the time scale of one to three hours. Another source of data is the microwave links used by telecommunications companies, which are degraded by rainfall.

An anonymous reader quotes a report from Motherboard: This week, U.S. Cyber Command (CYBERCOM), a part of the military tasked with hacking and cybersecurity focused missions, started publicly releasing unclassified samples of adversaries' malware it has discovered. CYBERCOM says the move is to improve information sharing among the cybersecurity community, but in some ways it could be seen as a signal to those who hack U.S. systems: we may release your tools to the wider world. On Friday, CYBERCOM uploaded multiple files to VirusTotal, a Google-owned search engine and repository for malware. Once uploaded, VirusTotal users can download the malware, see which anti-virus or cybersecurity products likely detect it, and see links to other pieces of malicious code.

One of the two samples CYBERCOM distributed on Friday is marked as coming from APT28, a Russian government-linked hacking group, by several different cybersecurity firms, according to VirusTotal. Those include Kaspersky Lab, Symantec, and Crowdstrike, among others. APT28 is also known as Sofacy and Fancy Bear. The malware itself does not appear to still be active.

An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history.

The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferting your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second. Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as "security-sensitive" but "low-priority."

Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier. From a story: Security experts have been talking about the potential security vulnerabilities in Trump's cellphone use since he became president. And President Barack Obama bristled at -- but acquiesced to -- the security rules prohibiting him from using a "regular" cellphone throughout his presidency. Three broader questions obviously emerge from the story. Who else is listening in on Trump's cellphone calls? What about the cellphones of other world leaders and senior government officials? And -- most personal of all -- what about my cellphone calls?

There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet's major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing "target selectors": phone numbers the NSA searches for and records. These included senior government officials of Germany -- among them Chancellor Angela Merkel -- France, Japan, and other countries.

Other countries don't have the same worldwide reach that the NSA has, and must use other methods to intercept cellphone calls. We don't know details of which countries do what, but we know a lot about the vulnerabilities. Insecurities in the phone network itself are so easily exploited that 60 Minutes eavesdropped on a U.S. congressman's phone live on camera in 2016. Back in 2005, unknown attackers targeted the cellphones of many Greek politicians by hacking the country's phone network and turning on an already-installed eavesdropping capability. The NSA even implanted eavesdropping capabilities in networking equipment destined for the Syrian Telephone Company. Alternatively, an attacker could intercept the radio signals between a cellphone and a tower. Encryption ranges from very weak to possibly strong, depending on which flavor the system uses. Don't think the attacker has to put his eavesdropping antenna on the White House lawn; the Russian Embassy is close enough.

U.S. researchers from FireEye have linked a Russian research lab to a cyberattack on a Saudi petrochemical plant. The malware strain called Triton -- or Trisis -- "was designed to either shut down a production process or allow SIS-controlled machinery to work in an unsafe state," reports ZDNet, citing technical reports from FireEye, Dragos, and Symantec. From the report: The group behind the malware, which FireEye has been tracking under the codename of TEMP.Veles, nearly succeeded last year, when it almost caused an explosion at a Saudi petrochemical plant owned by Tasnee, a privately owned Saudi company, according to a New York Times report. The malware's origins were a mystery when FireEye first discovered Triton in 2017 and remained a mystery even after the New York Times report in March 2018.

But in a report published today, FireEye says that following further research into incidents where the Triton malware was deployed, it can now assess with "high confidence" that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a government-owned technical research institution located in Moscow, was involved in these attacks. FireEye's report does not link the Triton malware itself to CNIIHM, but the secondary malware strains used by TEMP.Veles and deployed during the incidents where Triton was deployed. Clues in these secondary malware strains used to aid the deployment of the main Triton payloads contained enough artifacts that allowed researchers to identify their source.

An academic study published last month shows that despite years worth of research into the woeful state of network traffic inspection equipment, vendors are still having issues in shipping appliances that don't irrevocably break TLS encryption for the end user. From a report: Encrypted traffic inspection devices (also known as middleware), either special hardware or sophisticated software, have been used in enterprise networks for more than two decades. System administrators deploy such appliances to create a man-in-the-middle TLS proxy that can look inside HTTPS encrypted traffic, to scan for malware or phishing links or to comply with law enforcement or national security requirements.

[...] In the last decade, security researchers have looked closely at the issue of TLS inspection appliances that break or downgrade encryption. There has been much research on the topic, from research teams from all over the world. But despite years worth of warnings and research, some vendors still fail at keeping the proper security level of a TLS connection when relaying traffic through their equipment/software. Academic research [PDF] published at the end of September by three researchers from Concordia University in Montreal, Canada, shows that network traffic inspection appliances still break TLS security, even today.

Mark Graham, the Director of Wayback Machine at Internet Archive, announces: As part of the Internet Archive's aim to build a better Web, we have been working to make the Web more reliable -- and are pleased to announce that 9 million formerly broken links on Wikipedia now work because they go to archived versions in the Wayback Machine.

For more than 5 years, the Internet Archive has been archiving nearly every URL referenced in close to 300 wikipedia sites as soon as those links are added or changed at the rate of about 20 million URLs/week. And for the past 3 years, we have been running a software robot called IABot on 22 Wikipedia language editions looking for broken links (URLs that return a '404', or 'Page Not Found'). When broken links are discovered, IABot searches for archives in the Wayback Machine and other web archives to replace them with. Restoring links ensures Wikipedia remains accurate and verifiable and thus meets one of Wikipedia's three core content policies: 'Verifiability.'

Last year, Apple co-founder Steve Wozniak announced a coding program called Woz U that's designed with the goal of offering an affordable education. "Our goal is to educate and train people in employable digital skills without putting them into years of debt," Wozniak said last fall. "People often are afraid to choose a technology-based career because they think they can't do it. I know they can, and I want to show them how."

Now that a round of students have been through the 33-week program, a number of problems have appeared. Former student, Bill Duerr, called the program "broken," and that "lots of times there's just hyperlinks to Microsoft documents, to Wikipedia." 9to5Mac reports: "Duerr said typos in course content were one of many problems. So-called 'live lectures' were pre-recorded and out of date, student mentors were unqualified, and at one point, one of his courses didn't even have an instructor," reports CBS. CBS heard from over 24 current and former students and employees that reiterated Duerr's experiences. Instead of a quality program, Duerr said Woz U was comparable to an ultra expensive e-book: "'I feel like this is a $13,000 e-book,' Duerr said. While it was supposed to be a program written by one of the greatest tech minds of all time, 'it's broken, it's not working in places, lots of times there's just hyperlinks to Microsoft documents, to Wikipedia,' he said."

A former Woz U enrollment counselor said that at times he had to do things that didn't feel right: "Asked whether he regrets working for Woz U, Mionske said, 'I regret in the aspect to where they're spending this money for, it's like rolling the dice. [...] But on the reverse side, I have to support my family.'" According to Business Insider, Steve Wozniak said that he's "not involved" in the "operational aspects" of Woz U and doesn't know anything about the report this morning.

An anonymous reader shares a report: In 2014, in a bid to replace the more than 11,000 aging payphones scattered across New York City's pedestrian walkways with more functional fixtures, Mayor Bill de Blasio launched a competition -- the Reinvent Payphones initiative -- calling on private enterprises, residents, and nonprofits to submit designs for replacements. In the end, LinkNYC -- a plan proposed by consortium CityBridge -- secured a contract from the city, beating out competing proposals with electricity-generating piezoelectric pressure plates and EV charging stations. The plan was to spend $200 million installing as many as 10,000 kiosks, or Links, that would supply free, encrypted gigabit Wi-Fi to passers-by within 150 feet. They would have buttons that link directly to 911 and New York's 311 service and free USB charging stations for smartphones, plus wired handsets that would allow free calls to all 50 states and Washington, D.C. And perhaps best of all, they wouldn't cost the city a dime; advertising would subsidize expansion and ongoing maintenance.

The Links wouldn't just get urbanites online and let them juice their phones, though. The idea was to engage users, too, principally with twin 55-inch high-definition displays and tethered Android tablets with map functions. Mike Gamaroff, head of innovation at Kinetic, characterized the Links in 2016 as "first and foremost a utility for the people of the city, that also doubles up as an advertising network." Two years after the deployment of prototypical kiosks in Manhattan, Intersection -- a part of the aforementioned CityBridge, which with Qualcomm and CIVIQ Smartscapes manages the kiosks -- is ready to declare them a success. The roughly 1,600 Links recently hit three milestones: 1 billion sessions, 5 million users, and 500,000 phone calls a month. Recommended reading: Free Municipal Wi-Fi May Be the Next Front In the War Against Privacy.

An anonymous reader quotes Microsoft's Developer blog: In March 2014, Microsoft released the source code to MS-DOS 1.25 and 2.0 via the Computer History Museum. The announcement also contains a brief history of how MS-DOS came to be for those new to the subject, and ends with many links to related articles and resources for those interested in learning more. Today, we're re-open-sourcing MS-DOS on GitHub. Why? Because it's much easier to find, read, and refer to MS-DOS source files if they're in a GitHub repo than in the original downloadable compressed archive file.... Enjoy exploring the initial foundations of a family of operating systems that helped fuel the explosion of computer technology that we all rely upon for so much of our modern lives!
While non-source modifications are welcome, "The source will be kept static," reads a note on the GitHub repo, "so please don't send Pull Requests suggesting any modifications to the source files."

"But feel free to fork this repo and experiment!"