Desktops (Apple)

Users Complain About Installation Issues With macOS 10.13.4 (theregister.co.uk) 81

An anonymous reader shares a report: The 10.13.4 update for macOS High Sierra is recommended for all users, and was emitted at the end of March promising to "improve stability, performance, and security of your Mac." But geek support sites have started filling up with people complaining that it had the opposite effect: killing their computer with messages that "the macOS installation couldn't be completed."

The initial install appears to be working fine, but when users go to shut down or reboot an upgraded system, it goes into recovery mode. According to numerous reports, there doesn't appear to be anything wrong with users' Macs -- internal drives report that they're fine. And the issue is affecting a range of different Apple-branded computers from different years. Some have been successful in getting 10.13.4 to install by launching from Safe Mode, but others haven't and are deciding to roll back and stick with 10.13.3 until Apple puts out a new update that fixes whatever the issue is, even as it claims the update has nothing to do with it.

Government

Palantir Knows Everything About You (bloomberg.com) 104

Palantir, a data-mining company created by Peter Thiel, is aiding government agencies by tracking American citizens using the War on Terror, Bloomberg reports. From the report: The company's engineers and products don't do any spying themselves; they're more like a spy's brain, collecting and analyzing information that's fed in from the hands, eyes, nose, and ears. The software combs through disparate data sources -- financial documents, airline reservations, cellphone records, social media postings -- and searches for connections that human analysts might miss. It then presents the linkages in colorful, easy-to-interpret graphics that look like spider webs.

[...] The U.S. Department of Health and Human Services uses Palantir to detect Medicare fraud. The FBI uses it in criminal probes. The Department of Homeland Security deploys it to screen air travelers and keep tabs on immigrants. Police and sheriff's departments in New York, New Orleans, Chicago, and Los Angeles have also used it, frequently ensnaring in the digital dragnet people who aren't suspected of committing any crime.

The Internet

The 'Terms and Conditions' Reckoning Is Coming (bloomberg.com) 117

Everyone from Uber to PayPal is facing a backlash against their impenetrable legalese. From a report: Personal finance forums online are brimming with complaints from hundreds of PayPal customers who say they've been suspended because they signed up before age 18. PayPal declined to comment on any specific cases, but says it's appropriate to close accounts created by underage people "to ensure our customers have full legal capacity to accept our user agreement." While that may seem "heavy-handed," says Sarah Kenshall, a technology attorney with law firm Burges Salmon, the company is within its rights because the users clicked to agree to the rules -- however difficult the language might be to understand.

Websites have long required users to plow through pages of dense legalese to use their services, knowing that few ever give the documents more than a cursory glance. In 2005 security-software provider PC Pitstop LLC promised a $1,000 prize to the first user to spot the offer deep in its terms and conditions; it took four months before the reward was claimed. The incomprehensibility of user agreements is poised to change as tech giants such as Uber Technologies and Facebook confront pushback for mishandling user information, and the European Union prepares to implement new privacy rules called the General Data Protection Regulation, or GDPR. The measure underscores "the requirement for clear and plain language when explaining consent," British Information Commissioner Elizabeth Denham wrote on her blog last year.

AI

AI Can Scour Code To Find Accidentally Public Passwords (qz.com) 46

An anonymous reader shares a report: Researchers at software infrastructure firm Pivotal have taught AI to locate this accidentally public sensitive information in a surprising way: By looking at the code as if it were a picture. Since modern artificial intelligence is arguably better than humans at identifying minute differences in images, telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat. The best way to check whether private passwords or sensitive information has been left public today is to use hand-coded rules called "regular expressions." These rules tell a computer to find any string of characters that meets specific criteria, like length and included characters.

The Internet

Cloudflare: FOSTA Was a 'Very Bad Bill' That's Left the Internet's Infrastructure Hanging (vice.com) 191

Last week, President Donald Trump signed the Fight Online Sex Trafficking Act (FOSTA) into law. It's a bill that penalizes any platform found "facilitating prostitution," and has caused many advocacy groups to come out against it, saying that it undermines essential internet freedoms. The most recent entity to decry FOSTA is Cloudflare, which recently decided to terminate its content delivery network services for an alternative, decentralized social media platform called Switter. Motherboard talked to Cloudflare's general counsel, Doug Kramer, about the bill, and he said that FOSTA was an ill-considered bill that has now become a dangerous law: "[Terminating service to Switter] is related to our attempts to understand FOSTA, which is a very bad law and a very dangerous precedent," he told me in a phone conversation. "We have been traditionally very open about what we do and our roles as an internet infrastructure company, and the steps we take to both comply with the law and our legal obligations -- but also provide security and protection, let the internet flourish and support our goals of building a better internet." Cloudflare lobbied against FOSTA, Kramer said, urging lawmakers to be more specific about how infrastructure companies like internet service providers, registrars and hosting and security companies like Cloudflare would be impacted. Now, he said, they're trying to figure out how customers like Switter will be affected, and how Cloudflare will be held accountable for them.

"We don't deny at all that we have an obligation to comply with the law," he said. "We tried in this circumstance to get a law that would make sense for infrastructure companies... Congress didn't do the hard work of understanding how the internet works and how this law should be crafted to pursue its goals without unintended consequences. We talked to them about this. A lot of groups did. And it was hard work that they decided not to do." He said the company hopes, going forward, that there will be more clarity from lawmakers on how FOSTA is applied to internet infrastructure. But until then, he and others there are having to figure it out along with law enforcement and customers. "Listen, we've been saying this all along and I think people are saying now, this is a very bad law," Kramer said. "We think, for now, it makes the internet a different place and a little less free today as a result. And there's a real-world implication of this that people are just starting to grapple with."

Security

LinkedIn's AutoFill Plugin Could Leak User Data, Secret Fix Failed (techcrunch.com) 24

TechCrunch reports on a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page, so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites that pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by embedding the vulnerable whitelisted site in an iframe. Cable got no response from LinkedIn over the following nine days, so he reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."

Chrome

Millions of Chrome Users Have Installed Malware Posing as Ad Blockers (vice.com) 42

Kaleigh Rogers, writing for Motherboard: Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google's popular browser Chrome. These extensions were deliberately styled to look like legitimate, well-known ad blockers, but Meshkov wondered why they existed at all, so he downloaded one and took a look at the code. "Basically I downloaded it and checked what requests the extension was making," Meshkov told me over the phone. "Some strange requests caught my attention."

Meshkov discovered that the AdRemover extension for Chrome -- which had over 10 million users -- had code hidden inside an image that was loaded from a remote command server, giving the extension's creator the ability to change its behavior without shipping an update. This alone is against Google's policy, and after Meshkov wrote about a few examples on AdGuard's blog, many of which had millions of downloads, Chrome removed the extensions from the store. I reached out to Google, and a spokesperson confirmed that these extensions had been removed.

Government

FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com) 94

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

The FDA also plans to force device makers to create a document called a "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

The Internet

4.9% of Websites Use Flash, Down From 28.5% in 2011 (bleepingcomputer.com) 128

Web makers continue to ditch the infamous Flash for other safer, improved technologies. In 2011, more than 28.5 percent of websites used Flash in their code, a figure technology survey site W3Techs estimates to have dropped to 4.9 percent today. BleepingComputer: The number confirms Flash's decline, and is one reason why Adobe has decided to retire the technology at the end of 2020. A decline from 28.5 percent to 4.9 percent doesn't look that bad, but we're talking about all Internet sites, not just a small portion of the Top 10,000 or Top 1 Million sites. Taking into account the sheer number of abandoned sites on today's Internet, the decline is quite considerable, and W3Techs' findings confirm similar statistics put out by a Google security engineer in February.

Businesses

Finland Is Killing Its Basic Income Experiment (businessinsider.com) 547

tomhath shares a report: Since the beginning of last year, 2,000 Finns have been getting money from the government each month -- and they are not expected to do anything in return. The participants, aged 25-58, are all unemployed, and were selected at random by Kela, Finland's social-security institution. Instead of unemployment benefits, the participants now receive $690 per month, tax free. Should they find a job during the two-year trial, they still get to keep the money. While the project is praised internationally for being at the cutting edge of social welfare, back in Finland, decision makers are quietly pulling the brakes, making a U-turn that is taking the project in a whole new direction. "Right now, the government is making changes that are taking the system further away from a basic income," Kela researcher Miska Simanainen told the Swedish daily Svenska Dagbladet.

Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.

Microsoft

Microsoft Ports Edge Anti-Phishing Technology To Google Chrome (bleepingcomputer.com) 75

An anonymous reader writes: Microsoft has released a Chrome extension named "Windows Defender Browser Protection" that ports Windows Defender's -- and inherently Edge's -- anti-phishing technology to Google Chrome. The extension works by showing bright red-colored pages whenever users are tricked into accessing malicious links. The warnings are eerily similar to the ones that Chrome natively shows via the Safe Browsing API, but are powered by Microsoft's database of malicious links -- also known as the SmartScreen API.

Chrome users should be genuinely happy that they can now use both APIs for detecting phishing and malware-hosting URLs. The SmartScreen API isn't as well known as Google's more famous Safe Browsing API, but it works in the same way, and possibly even better. An NSS Labs benchmark revealed that Edge (with its SmartScreen API) caught 99 percent of all phishing URLs thrown at it during a test last year, while Chrome only detected 87 percent of the malicious links users accessed.

Security

Data Firm Leaks 48 Million User Profiles it Scraped From Facebook, LinkedIn, Others (zdnet.com) 56

Zack Whittaker, reporting for ZDNet: A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent. Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

Communications

Iran Bans State Bodies From Using Telegram App, Khamenei Shuts Account (reuters.com) 38

Iran banned government bodies on Wednesday from using the popular Telegram instant messaging app as Supreme Leader Ayatollah Ali Khamenei's office said his account would shut down to protect national security, Iranian media reported. From a report: ISNA news agency did not give a reason for the government ban on the service which lets people send encrypted messages and has an estimated 40 million users in the Islamic Republic. The order came days after Russia -- Iran's ally in the Syrian war -- started blocking the app in its territory following the company's repeated refusal to give Russian state security services access to users' secret messages. Iran's government banned "all state bodies from using the foreign messaging app," according to ISNA.

The Internet

Chrome 66 Arrives With Autoplaying Content Blocked By Default (venturebeat.com) 88

An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 66 for Windows, Mac, Linux, and Android. The desktop release includes autoplaying content muted by default, security improvements, and new developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. In our tests, autoplaying content that is muted still plays automatically. Autoplaying content with sound, whether it has visible controls or not, and whether it is set to play on loop or not, simply does not start playing. Note that this is all encompassing -- even autoplaying content you are expecting or is the main focus of the page does not play. YouTube videos, for example, no longer start playing automatically. And in case that's not enough, or if a page somehow circumvents the autoplaying block, you can still mute whole websites.

China

Huawei To Back Off US Market Amid Rising Tensions (nytimes.com) 91

Huawei is reportedly going to give up on selling its products and services in the United States (Warning: source may be paywalled) due to Washington's accusations that the company has ties to the Chinese government. The change in tactics comes a week after the company laid off five American employees, including its biggest American lobbyist. The New York Times reports: Huawei's tactics are changing as its business prospects in the United States have darkened considerably. On Tuesday, the Federal Communications Commission voted to proceed with a new rule that could effectively kill off what little business the company has in the United States. Although the proposed rule does not mention Huawei by name, it would block federally subsidized telecommunications carriers from using suppliers deemed to pose a risk to American national security. Huawei's latest moves suggest that it has accepted that its political battles in the United States are not ones it is likely to win. "Some things cannot change their course according to our wishes," Eric Xu, Huawei's deputy chairman, said at the company's annual meeting with analysts on Tuesday. "With some things, when you let them go, you actually feel more at ease."

Bitcoin

New York's Attorney General Is Investigating Bitcoin Exchanges (theverge.com) 42

The office of New York Attorney General Eric Schneiderman announced today that it has launched an investigation into bitcoin exchanges. He's reportedly looking into thirteen major exchanges, including Coinbase, Gemini Trust, and Bitfinex, requesting information on their operations and what measures they have in place to protect consumers. The Verge reports: "Too often, consumers don't have the basic facts they need to assess the fairness, integrity, and security of these trading platforms," Schneiderman said in a statement. His office sent detailed questionnaires to the thirteen exchanges, asking them to disclose who owns and controls them, and how their basic operation and transaction fees work. The questionnaire also asks for specific details on how exchanges might suspend trading or delay orders, indicating Schneiderman is particularly concerned with exchanges manipulating the timing of public orders. The investigation will attempt to shed more transparency on how platforms combat market manipulation attempts and suspicious trading, as well as bots, theft, and fraud. Many of the exchanges Schneiderman is targeting, such as Beijing-based Huobi, have headquarters located outside the U.S., but the attorney general has jurisdiction over any foreign business operating in New York. Coin Center's director of research Peter Van Valkenburgh tells The Verge that the new investigation might be overkill, given the existing rules already in place for bitcoin exchanges. "Far from being unregulated," he says, "these businesses must contend with state money transmission licensing laws, federal anti-money laundering law, CFTC scrutiny for commodities spot market manipulation, SEC scrutiny for securities trading (should any tokens traded be securities), and in this case, state consumer protection investigations from the several attorneys general."

Security

Windows 10 Update Will Support More Password-Free Logins (engadget.com) 66

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.

Businesses

Cybersecurity Tech Accord: More Than 30 Tech Firms Pledge Not to Assist Governments in Cyberattacks (cybertechaccord.org) 67

Over 30 major technology companies, led by Microsoft and Facebook, on Tuesday announced what they are calling the Cybersecurity Tech Accord, a set of principles that include a declaration that they will not help any government -- including that of the United States -- mount cyberattacks against "innocent civilians and enterprises from anywhere."

The companies that are participating in the initiative are: ABB, Arm, Avast, Bitdefender, BT, CA Technologies, Cisco, Cloudflare, DataStax, Dell, DocuSign, Facebook, Fastly, FireEye, F-Secure, GitHub, Guardtime, HP Inc., HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, and VMware.

The announcement comes against the backdrop of growing momentum in political and industry circles to create a sort of Digital Geneva Convention that commits the entire tech industry and governments to supporting a free and secure internet. The effort comes after attacks such as WannaCry and NotPetya hobbled businesses around the world last year, and just a day after the U.S. and U.K. issued an unprecedented joint alert citing the threat of cyberattacks from Russian state-sponsored actors. The Pentagon has said Russian "trolling" activity increased 2,000 percent after missile strikes in Syria.

Interestingly, Amazon, Apple, Google, and Twitter are not participating in the program, though the Tech Accord says it "remains open to consideration of new private sector signatories, large or small and regardless of sector."

Cloud

Microsoft Built Its Own Custom Linux Kernel For Its New IoT Service (techcrunch.com) 199

At a small press event in San Francisco, Microsoft today announced the launch of a secure end-to-end IoT product that focuses on microcontroller-based devices -- the kind of devices that use tiny and relatively low-powered microcontrollers (MCUs) for basic control or connectivity features. TechCrunch reports: At the core of Azure Sphere is a new class of certified MCUs. As Microsoft president and chief legal officer Brad Smith stressed in today's announcement, Microsoft will license these new Azure Sphere chips for free, in the hope of jump-starting the Azure Sphere ecosystem. Because it's hard to secure a device you can't update or get telemetry from, it's no surprise that these devices will feature built-in connectivity. And with that connectivity, these devices can also connect to the Azure Sphere Security Service in the cloud. For the first time ever, Microsoft is launching a custom Linux kernel and distribution: the Azure Sphere OS. It's an update to the kind of real-time operating systems that today's MCUs often use.

Why use Linux? "With Azure Sphere, Microsoft is addressing an entirely new class of IoT devices, the MCU," Rob Lefferts, Microsoft's partner director for Windows enterprise and security, told me at the event. "Windows IoT runs on microprocessor units (MPUs) which have at least 100x the power of the MCU. The Microsoft-secured Linux kernel used in the Azure Sphere IoT OS is shared under an OSS license so that silicon partners can rapidly enable new silicon innovations." And those partners are also very comfortable with taking an open-source release and integrating it with their products. To get the process started, MediaTek is producing the first set of these new MCUs. These are low-powered, single-core ARM-A7 systems that run at 500MHz and include WiFi connectivity as well as a number of other I/O options.