20:39 Leap Motion shows off AR headset with rousing game of ping pong
If you wanted to demonstrate Leap Motion's low-cost augmented reality headset, how would you do it? Create a flashy, action-packed showcase? Leap Motion has a different idea: an invigorating game of ping pong. The company has crafted a demo that comb...
20:39 US lawmakers urge Google to reconsider Huawei partnership
In the wake of national security concerns over Huawei's interest in entering the US market, legislators from both the Senate and the House sent a letter to Google CEO Sundar Pichai urging him to reconsider working with the Chinese phone maker, who ma...
20:39 Volvo's new US-made S60 sedan will be available via subscription
Volvo's new S60 sedan marks a bit of a sea change for the automaker: It's the first of its vehicles not to have a diesel variant, the first manufactured in the United States and the third to be included in the company's car subscription service. Give...
20:39 A first look at Instagram's IGTV
As rumored, Instagram is ready to get into long-form video. And today the company made those plans official with the reveal of IGTV, its new standalone video app geared toward internet creators, like the ones who have made a living out of YouTube. IG...
20:39 The Weather Channel's mixed reality tornado lesson was actually fun
This morning, The Weather Channel debuted the first of its upcoming slate of immersive, mixed reality (IMR) content that's meant to let "viewers truly see the weather like never before". In this segment, meteorologist Jim Cantore explained the Enhanc...
20:38 Oxford English Dictionary Extends Hunt For Regional Words Around the World
The Oxford English Dictionary is asking the public to help it mine the regional differences of English around the world to expand its record of the language, with early submissions ranging from New Zealand's "munted" to Hawaii's "hammajang." From a report: Last year, a collaboration between the OED, the BBC and the Forward Arts Foundation to find and define local English words resulted in more than 100 new regional words and phrases being added to the dictionary, from Yorkshire's "ee bah gum" to the north east's "cuddy wifter," a left-handed person. Now, the OED is widening its search to English speakers around the world, with associate editor Eleanor Maier calling the early response "phenomenal," as editors begin to draft a range of suggestions for inclusion in the dictionary. These range from Hawaii's "hammajang," meaning "in a disorderly or shambolic state," to the Scottish word for a swimming costume, "dookers" or "duckers," and New Zealand's "munted," meaning "broken or wrecked." The OED is also looking to include the word "chopsy," a Welsh term for an overly talkative person; "frog-drowner," which Americans might use to describe a torrential downpour of rain; "brick", which means "very cold" to residents of New Jersey and New York City; and "round the Wrekin", meaning "in a lengthy or roundabout manner" in the Midlands. The dictionary has already found that, depending on location, a picture hanging askew might be described as "agley," "catawampous," "antigodlin" or "ahoo" by an English speaker, while a loved one could be called a "doy," "pet," "dou-dou," "bubele," "alanna" or "babber."
20:38 China Won't Solve the World's Plastics Problem Any More
An anonymous reader shares a report: For a long time, China has been a dumping ground for the world's problematic plastics. In the 1990s, Chinese markets saw that discarded plastic could be profitably recreated into exportable bits and bobs -- and it was less expensive for international cities to send their waste to China than to deal with it themselves. China got cheap plastic and the exporting countries got rid of their trash. But in November 2017, China said enough. The country closed its doors to contaminated plastic, leaving the exports to be absorbed by neighboring countries like Vietnam, South Korea, and Thailand. And without the infrastructure to absorb all the waste that China is rejecting, the plastics are piling up. Between now and 2030, 111 million metric tons of trash -- straws, bags, water bottles -- will have nowhere to go, according to a paper published in Science Advances on Wednesday. That's as if every human on Earth contributed a quarter of their body mass in mostly single-use plastic polymers to a massive, abandoned pile of garbage.
Video surveillance is an insatiable monster, constantly needing more digital storage - and Western Digital is now feeding it 12TB drives....
Israel Cyber Week The UK's National Cyber Security Center, the information assurance division of GCHQ, may be getting a regulatory function or charging for its services before settling into the role of encouraging better cybersecurity....
Tesla has filed suit against the man it claims was behind an effort to sabotage the electric car maker....
19:46 Google's Flutter SDK moves out of beta with Release Preview 1
It's another release milestone for Google's Android and iOS app platform.
19:46 Porsche is getting even more serious about electric, buys stake in Rimac
The Croatian company knows a lot about EVs and will become a development partner.
19:46 Inside Nintendo's "perfect" method for detecting online Switch piracy
Cryptographic signatures offer much more robust protection than the 3DS.
19:46 Scientists use caffeine to control genes -- and treat diabetic mice with coffee
The proof of concept in mice works with tea, too.
19:46 Ars on your lunch break, part one: Rodney Brooks and robot ethics
Rob Reid returns for a second week, this time focusing on the nature of robot labor.
19:46 The Oppo Find X kills the smartphone notch with a motorized pop-up camera
Hiding the front components in a slide-out top allows for super slim bezels.
19:46 Europe advances copyright law that could filter the Internet
Copyright crackdown on user-uploaded content moves closer to final vote.
19:46 Microsoft staff call on company to end ICE contract
Government's family-separation policy leads to new scrutiny of ICE support.
19:46 Tesla sues employee alleged to have stolen gigabytes of data
CEO: "The actions of a few bad apples will not stop Tesla from reaching its goals."
19:46 Report: World trending to hit 50% renewables, 11% coal by 2050
And falling battery costs are a big part of why.
19:09 Fundraiser to reunite immigrant families is largest in Facebook history
In the last six weeks, the Trump administration's strategy to separate children while criminally prosecuting parents for attempting to cross the southern US border illegally has led the government to take almost 2,000 youth from their families to cam...
19:09 Instagram takes on Snapchat and YouTube with IGTV
Where there's smoke, there's fire. For Instagram, that smoke recently came in the form of rumors about it launching a feature to host curated, long-form videos in its app. And well, there's fire, alright. Today, at an event in San Francisco, Instagra...
19:09 Instagram reaches 1 billion monthly users
After surpassing 800 million monthly active users last September, we knew it was only a matter of time before Instagram would reach that coveted 1 billion mark -- and today is that day. The company has announced its latest milestone at an event in Sa...
19:09 Puzzle platformers 'Inside' and 'Limbo' hit Nintendo Switch June 28th
Good news for fans of creepy, atmospheric games: Playdead is bringing its hit platformers Limbo and Inside to Nintendo Switch June 28th. Both were already available to play on the go, as they're on iOS (Limbo is on the Google Play Store too). But if...
19:09 Facebook is testing paid monthly subscriptions for Groups
Facebook is testing Group subscriptions, which will allow Group admins to charge for exclusive content. Only a few will have access to the feature as of now, but they'll be able to set up a separate, subscriber-only Group and charge members a monthly...
19:09 GM goes full smartphone with its latest infotainment system
Many of us are using CarPlay and Android Auto to essentially replace the infotainment systems in our cars. Automakers like Audi, Mercedes, and really anyone putting metal on four tires is taking notice of this trend and have started working hard to w...
19:08 FTC Will Examine Tech Platforms like Google, Facebook and Amazon as Part of Competition Review
The Federal Trade Commission will examine the questions surrounding powerful tech platforms like Google and Facebook as part of a review of consumer and competition policy issues beginning later this year. From a report: Hearings into these issues, announced by FTC Chairman Joe Simons on Wednesday, could help frame the agency's actions with regards to tech going forward. Simons indicated his examination of tech platforms would be broad and a major part of the review. "It's the network effects," he told reporters on Wednesday. "It's the fact that they're two-sided platforms. It's the interaction between privacy and competition. And it's all new, so it makes it very appropriate to have this be the subject of hearings and for us to get input on that."
19:08 Some Rivers Are So Drug-Polluted, Their Eels Get High on Cocaine
Joshua Rapp Learn, reporting for National Geographic: Critically endangered eels hyped up on cocaine could have trouble making a 3,700-mile trip to mate and reproduce -- new research warns. And while societies have long grappled with ways to cope with the use of illicit drugs, less understood are the downstream effects these drugs might have on other species after they enter the aquatic environment through wastewater. So, in the name of research, scientists pushed cocaine on European eels in labs for 50 days in a row, in an effort to monitor the effects of the experience on the fish. European eels have complex life patterns, spending 15 to 20 years in fresh or brackish water in European waterways before crossing the Atlantic Ocean to spawn in the Sargasso Sea just east of the Caribbean and the U.S. Eastern Seaboard. While the eels are also farmed for food, the wild population is considered critically endangered by the International Union for Conservation of Nature due to dams and other waterway changes that block their migrations, overfishing, and different types of water pollution. The eels are vulnerable to trace concentrations of cocaine, particularly in their early lives, according to the researchers of a study published in Science of the Total Environment.
17:39 Hyundai and Audi team up on hydrogen fuel cell technology
Hyundai and Audi have reached a deal that will allow the two to share their hydrogen car technology, Reuters reports. Both companies will have access to the other's intellectual property and they'll share components, with the goal being to push hydro...
17:39 Tesla sues former employee who allegedly stole confidential data
Today, CNBC reported that Tesla is suing a former employee named Martin Tripp. The lawsuit centers around the alleged theft of gigabytes worth of proprietary information from the electric car company. Tesla had no comment, but did provide Engadget wi...
17:39 White House reportedly considers GDPR-like data protections
Online data privacy is a hot topic right now for a number of reasons. US residents and elected officials alike still have their eyes on Facebook as concerns continue to circulate over the policies that led to the Cambridge Analytica scandal. Further,...
17:39 'Westworld: The Maze' is a choose-your-own-adventure Alexa game
Consider yourself a Westworld superfan? Now you can prove it. Ahead of the season finale, HBO is launching its first full-scale Alexa voice skill with Westworld: The Maze, an immersive voice experience that challenges fans to demonstrate their knowle...
17:39 Microsoft follows Google with its own overhauled news app
Microsoft has overhauled its MSN News app for mobile. As you might expect, it's curated for your interests, offers breaking news alerts, support for widgets on both Android and iOS, continuous scrolling and a dark theme for reading at night. A blog p...
17:38 Submarine Cables Could be Repurposed as Earthquake Detectors
In a paper published in Science, Giuseppe Marra, of Britain's National Physical Laboratory (NPL), proposes to shine a little light into the oceans by co-opting infrastructure built for an entirely different purpose. From a report: Dr Marra and his colleagues hope to use the planet's 1m-kilometre network of undersea fibre-optic cables, which carry the internet from continent to continent (see map), as a giant submarine sensor. Dr Marra is particularly interested in earthquakes. The dry bits of the planet are well-stocked with seismographs. The oceans are much less well covered, with only a handful of permanent sensors on the sea floor. This means that many small earthquakes go unrecorded because the vibrations they cause are too mild to be picked up by distant land-based sensors. The genesis of the idea is a good example of the way in which advances in one field of science can lead to new developments in other, apparently unrelated fields.
17:38 Another Universal Basic Income Experiment is Underway, This Time in Canada
Lindsay, a compact rectangle amid the lakes northeast of Toronto, is at the heart of one of the world's biggest tests of a guaranteed basic income. Technology Review: In a three-year pilot funded by the provincial government, about 4,000 people in Ontario are getting monthly stipends to boost them to at least 75 percent of the poverty line. That translates to a minimum annual income of $17,000 in Canadian dollars (about $13,000 US) for single people, $24,000 for married couples. Lindsay has about half the people in the pilot -- some 10 percent of the town's population. The report outlines that the Canadian province's vision for a basic income -- and the underlying experiment -- differs from that of the one we have seen in Silicon Valley. The report continues: The Canadians are testing it as an efficient antipoverty mechanism, a way to give a relatively small segment of the population more flexibility to find work and to strengthen other strands of the safety net. That's not what Silicon Valley seems to imagine, which is a universal basic income that placates broad swaths of the population. The most obvious problem with that idea? Math. Many economists concluded long ago that it would be too expensive, especially when compared with the cost of programs to create new jobs and train people for them. That's why the idea didn't take off after tests in the 1960s and '70s. It's largely why Finland recently abandoned a basic-income plan after a small test.
16:39 This probably isn't the Samsung Galaxy S10, y'all
A photo said to depict a Galaxy S10 prototype has emerged online, but it's probably fake. Here's why.
16:39 How to use Android Messages for web to text from your computer
Android Messages for Web lets you pair your computer to your phone, so you can send and receive SMS from either device. Here's how to set up Messages for Web on your computer.
16:39 Unreal Mobile officially launches with plans as low as $10 a month (Update)
The new brand from FreedomPop says its $10 a month plan is "unlimited" but its data speeds are mostly 2G, with just 1 GB of LTE data.
16:39 Spec showdown: Oppo Find X vs the competition
Here's how the Oppo Find X stacks up against the Samsung Galaxy S9 Plus, OnePlus 6, and Huawei P20 Pro.
16:39 Google Flutter receives a bunch of improvements in its first Release Preview
This first release preview version of Flutter includes a number of improvements for Google's cross-platform app development tool.
16:39 How to update your Chromebook: A step-by-step guide
Wondering how you can update your Chromebook? It's easy! Here's a step-by-step guide on how to update your Chromebook.
16:39 Evoland 2, the sequel to one of our favorite RPGs, is now on Android
Evoland 2 ups the ante in a big way, offering way more genres to play through than the original title.
16:39 Pokémon Quest for Android launching June 28, pre-register now (Updated)
Pokémon Quest is now scheduled to launch on Android June 28, and you can pre-register for it right now!
16:39 Blackberry Key2: Price, availability, deals and release date
The Blackberry KEY2 is now official. But when will you be able to get your hands on it?
Apple has just announced a new iOS 12 feature for the US this fall: automatic location sharing with first responders when you dial 911 from your iPhone. The purpose of this added function is self-evident, as it aims to reduce emergency response times by streamlining the process of information gathering. Apple notes that approximately 80 percent of emergency calls in the United States are now made from a mobile device, however "outdated" infrastructure has made it difficult for 911 centers to quickly obtain a caller's location.
This iOS 12 change builds on Apple's Hybridized Emergency Location (HELO) system launched in 2015, and it will be integrated with existing software on "many" 911 centers' systems with the help of emergency tech...
Verizon has pledged to stop selling data that can pinpoint the location of its mobile users to third-party intermediaries, according to The Associated Press. Verizon is the first carrier to end the controversial practice after Sen. Ron Wyden (D-OR) revealed that one of the companies that purchased the real-time location-tracking data from carriers wasn't verifying if its users had legal permission to track cellphone users through its service.
In a letter to carriers and the FCC, Sen. Wyden said that Securus Technologies -- a company that mainly monitors phone calls to inmates in jails and prisons across the country and also sells real-time location data to law enforcement agencies who must upload legal documents such as a warrant stating...
AT&T says it will end its practice of selling real-time user location data to third-party brokers after its primary competitor Verizon agreed to do the same earlier today. "Our top priority is to protect our customers' information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance," reads a statement from an AT&T spokesperson given to The Verge. Typically, geolocation data collected by telecoms is shared with third parties for services like fraud prevention and, as Verizon points out, emergency roadside assistance.
Yet following pressure from lawmakers, specifically Sen. Ron Wyden...
T-Mobile and Sprint filed public interest statements to the Federal Communications Commission today. The 700-page filing is part of the companies' bid to merge, which they say will help them deploy a nationwide 5G network through a $40 billion investment.
Highly anticipated, 5G is the next generation of wireless technology that many tech companies are already working on. This version of 5G that both companies are discussing will be built on top of existing LTE networks, and it won't be a standalone 5G network, which is still yet to come. Without the merger, both companies agree that they'll eventually deliver 5G internet, but that the speed of development will be much slower.
The merger would combine T-Mobile's 5G plan to use the 600MHz...
The Oppo Find X, the first smartphone from the Chinese electronics company to be sold in Europe and North America, will cost €999 (about $1,155 at current USD conversion rates). The pricing was announced at the tail end of Oppo's lavish reveal event that was held at the Louvre in Paris today. That price appears to be only for the 256GB configuration, and we don't know whether the phone will be available for less money. The device is slated to ship in August, though we don't know yet whether that time frame is for Europe, North America, or both regions.
Prior to the Find X, Oppo phones were restricted to China, India, Philippines, and a few other Asian countries. This new model, which features an edge-to-edge display, is Oppo's attempt...
Oppo showed off its new Find X smartphone with a pop-up camera earlier today, and now the company has announced a partnership with Lamborghini to create a special version of the device. The smartphone maker says the Lamborghini version of the Oppo Find X will cost 1,699 euros ($1,966), and it's the start of a partnership with the Italian luxury car brand.
The special edition smartphone will have Super VOOC charging, which helps it fast charge its 3,400mAh battery from 0 to 100 percent within 35 minutes, according to Oppo. There hasn't been word on whether the specs will be different from the regular Find X, but we do know that the Lamborghini edition has a carbon fiber texture on the rear with the car brand's logo.
Huawei has its...
According to multiple reports, Instagram is launching a new video venture later today: a new hub for longer-form content that's designed to compete with videos from YouTube creators. TechCrunch reports that the hub will be named "IGTV" and will be part of the Instagram app's Explore tab. The videos will be vertically orientated, full-screen, up to 4K resolution, and as long as 60 minutes (instead of the current limit of 60 seconds).
There's been talk of Instagram allowing longer videos on its platform since the beginning of June, but new reports have fleshed out those rumors. TechCrunch says that Instagram wants to attract "web celebrities" to IGTV, instead of media companies, and has been actively courting individuals to start producing...
Samsung is bringing its gold Galaxy S9 to the United States on June 24th, which marks the first time a new color will be available Stateside for the flagship phone since it was released.
The golden-hued variant -- officially dubbed "sunrise gold" -- was available earlier in June in Australia, Chile, Germany, Hong Kong, Mexico, Russia, South Korea, Spain, Taiwan, the United Arab Emirates, and Vietnam. But now, US customers will be able to pick one up as well, alongside the existing lilac purple, coral blue, and midnight black options.
The gold S9 will be available exclusively at Best Buy for Verizon, Sprint, and AT&T. Unlocked models will also be available from Best Buy and Samsung.com.
There's no word yet on that lovely burgundy model,...
YouTube Music and YouTube Premium have officially launched today in 17 countries. As of today, both services are available to all in the US, Australia, New Zealand, Mexico, South Korea, Austria, Canada, Finland, France, Germany, Ireland, Italy, Norway, Russia, Spain, Sweden, and the United Kingdom. YouTube Music began a soft rollout to some users late last month, but now anyone can try it.
YouTube Music is the company's new, all-encompassing music streaming service, and it comes with both "a reimagined mobile app" and a new desktop interface designed specifically for music. It features traditional, album versions of songs as well as live performances, tracks from unsigned artists, remixes, covers, and more. It focuses on music...
Google is beginning to roll out desktop browser support for Android Messages, allowing people to use their PC for sending messages and viewing those that have been received on their Android smartphone. Google says the feature is starting to go out to users today and continuing for the rest of the week. Text, images, and stickers are all supported on the web version.
To get started, the Android Messages website has you scan a QR code using the Android Messages mobile app, which creates a link between the two. That's very similar to how the web client for Allo -- remember Allo? -- worked. Unfortunately, that section of the Messages app isn't yet live. Hopefully it won't be long before it shows up and you can start chatting across platforms....
Google plans to release a patch sometime in the next few weeks to fix a bug in its Home smart speaker and Chromecast TV streaming stick that lets a website collect precise user location data, according to a report from security reporter Brian Krebs. The bug, disclosed by researcher Craig Young at security firm Tripwire, works by exploiting a loophole in Google's systems to cross-check a list of nearby wireless networks with Google's precise geolocation look-up services.
Essentially, by using the location gleaned by nearby Wi-Fi networks through a Google Home or Chromecast, a malicious website can triangulate a user's location. And because those devices rarely require authentication from third parties to receive data on local networks,...
Driverless vehicles could eliminate millions of jobs in the future, from cabbies to truckers to food delivery workers. But the companies that are hoping to hasten the adoption of this disruptive technology don't want to seem callous to this brewing labor crisis, so they are joining forces to study the "human impact" of robot cars.
The Partnership for Transportation Innovation and Opportunity (PTIO) is a newly formed group comprised of most of the major companies that are building and testing self-driving cars. This includes legacy automakers like Ford, Toyota, and Daimler; tech giants like Waymo (née Google), Uber, and Lyft; and logistics providers like FedEx and the American Trucking Association. The new organization is being...
Google today is introducing a new standalone podcast app for Android. The app, called simply Google Podcasts, will use Google's recommendation algorithms in an effort to connect people with shows they might enjoy based on their listening habits. While podcasts have previously been available on Android through Google Play Music and third-party apps, Google says the company expects Podcasts to bring the form to hundreds of millions of new listeners around the world. (Google Listen, an early effort to build what was then called a "podcatcher" for Android, was killed off in 2012.)
"There's still tons of room for growth when it comes to podcast listening," said Zack Reneau-Wedeen, product manager on the app. Creating a native first-party...
Oppo's Find X and Vivo's Nex are the two most recent and exciting Android devices of the year. Why exciting? Well, they bring us closer to the dream of a truly bezel-less phone, and they do it in dramatic style. Instead of putting a notched area at the top of the screen, both of these phones hailing from China give us pop-up selfie camera modules. Vivo's is like a miniature periscope, while Oppo's elevates the entire top of the phone.
Just take a second to appreciate the fluid synchronicity between the on-screen animation when unlocking the Oppo Find X and the physical elevation of its slider. It's a thing of beauty, hardware engineering meeting software design in a harmonious "whoa" moment:
There's not a soul among The V...
Serene snowboarding game Alto's Odyssey is finally making its way to Android next month. It was released on iOS back in February.
Once again, Team Alto will be partnering with Noodlecake Studios to handle porting the sequel. And like the Android version of Alto's Adventure before it, it looks like Odyssey will be free on Android and supported by ads and in-app purchases, instead of the one-time purchase offered on iOS. It's yet another indication of the piracy problem that tends to plague premium Android games and apps on the platform.
While a leak last month suggested a Spain launch for the Home and Home Mini was coming soon, there had been no indication of the Google products coming to Austria and Ireland. Still, the Google Assistant on Google Home is only available in English, French, German, Japanese, Italian, and Spanish, and the company makes no mention of adopting Austrian German, Slovenian, Gaelic, or Irish. That means people in Austria or Ireland purchasing a Google Home or Home Mini will have to get by with the languages that are available.
Yesterday Google started rolling out the ability to text from the web with Android Messages. The feature gives users a lot more flexibility in choosing how and where they can carry on conversations. As long as your Android smartphone is powered on, you can text from a desktop computer or even other mobile devices -- including iOS products like an iPad if you just open up Safari. Aside from text, you can also send emoji, stickers, and images over the web.
Using Android Messages on the web requires using Android Messages as your main texting app on your phone. I like it just fine, and Google is clearly planning big things for the future, but if you prefer, say, Samsung's default messages app or something else, the two don't work together....
Microsoft is launching rebranded Microsoft News apps for both iOS and Android today, alongside using its news engine to power news across a variety of Microsoft products. While the MSN name is going away on Android and iOS, the site itself will remain branded as MSN.com, a portal for news that the software maker launched back in 1995.
"Microsoft News is the new name for our news engine that powers familiar sites like MSN.com, and our newly redesigned Microsoft News app for iOS and Android," explains Rob Bennett, editor-in-chief of Microsoft News. "Microsoft News also powers news on Microsoft Edge, the News app in Windows 10, Skype, Xbox and Outlook.com."
Microsoft is combining curated news from more than 1,000 "premium publishers" and...
16:37 Pulling the rug out from under an internet protocol
Extracting maximum value from licensing.
16:37 Where is the Seattle BoltBus stop?
Adjacent to the Uwajimaya parking lot on 5th, at least as of this writing.
16:37 Stupid cmd.exe tricks: Entering a directory that doesn’t exist, then immediately leaving
It's as if it never existed. Oh wait, it never existed.
16:37 Why does the CREATOR_OWNER SID sometimes reset itself to the object’s current owner rather than its original owner?
It's a snapshot, but you can ask for a new snapshot.
16:37 Even though the brand is called One A Day, none of them actually should be taken one a day
For large values of one.
16:37 How do I programmatically control the order of my program’s notification icons?
That's not something you can control programmatically.
16:37 Is there a problem with CreateRemoteThread on 64-bit systems?
There's more to injecting code than copying bytes.
16:37 Woodworking, the opposite of software development
According to self-reported data from one person who could have just made it up.
16:37 Microspeak: knobs
Configuration settings, basically.
16:37 When I intentionally create a stack overflow with SendMessage, why do I sometimes not get a stack overflow?
It depends on what overflows first.
So I just finished my first Flutter app and I feel I can safely invest much more of my time long term to the framework. Writing a Flutter app has been a litmus test and Flutter passed the test. It's amazing to now be able to competently write apps for iOS and Android. I also love writing and scaling backends and my wife Irina is a UX so it's a powerful combination.
Assembly programming can be intimidating for people who have never looked into it any deeper than a glance, but given that it underpins how the computers we use work, it can be helpful to have some context on what the CPU is actually running.
For reasons beyond the scope of this entry, today I feel like writing down a broad and simplified overview of how modern Linux systems boot. Due to being a sysadmin who has stubbed his toe here repeatedly, I'm going to especially focus on points of failure.
I always find it fascinating to read about how computers boot - it's often a very intricate process, built atop decades of backwards compatibility.
16:37 The DEC 340 Monitor
My big project this year is to get a DEC 340 monitor working. Here is a picture of one of them. The DEC 340 was a very early and rare computer monitor dating from the mid '60s, used, of course, on DEC computers, their PDP series: two cabinets of rack-mounted electronics. The 340 is historic and was used in some early work that pioneered modern computer graphic techniques. It is quite a bit different from the Cathode Ray Tube (CRT) monitors used by the personal computers we were all familiar with a few years ago. In comparison it is alien technology. All circuits are implemented using discrete components and there are no integrated circuits anywhere in the design. The discrete components themselves are unusual, dating from the early days of transistor use.
It always amazes me how fast technology has developed over the past few decades.
16:37 Today is FreeBSD Day
We're pleased to announce that June 19 has been declared FreeBSD Day. Join us in honoring The FreeBSD Project's pioneering legacy and continuing impact on technology.
Why today? Well, 25 years ago to the day, the name FreeBSD was chosen as the name for the project. FreeBSD formed the base of all kinds of operating systems we use every day today - like macOS and iOS and the operating systems on the Nintendo Switch and Playstation 3, 4, and Vita - and FreeBSD code can be found in the unlikeliest of places, such as Haiku, which uses FreeBSD network drivers, and even Windows, which, although information is sparse, seemed to at one point use FreeBSD code for command-line networking utilities like ftp, nslookup, rcp, and rsh.
At a small event in San Francisco last night, IBM hosted two debate club-style discussions between two humans and an AI called "Project Debater". The goal was for the AI to engage in a series of reasoned arguments according to some pretty standard rules of debate: no awareness of the debate topic ahead of time, no pre-canned responses. Each side gave a four-minute introductory speech, a four-minute rebuttal to the other's arguments, and a two-minute closing statement. Project Debater held its own.
I'd pay so much money to see prominent political leaders debate this machine.
On June 20, the European Parliament will set in motion a process that could force online platforms like Facebook, Reddit and even 4chan to censor their users' content before it ever gets online. A proposed new European copyright law wants large websites to use "content recognition technologies" to scan for copyrighted videos, music, photos, text and code in a move that could impact everyone from the open source software community to remixers, livestreamers and teenage meme creators.
Anybody who has ever had any dealings with YouTube's Content ID system will know just how terrible of an idea this is.
Microsoft has ported Windows 10 and Linux to E2, its homegrown processor architecture it has spent years working on mostly in secret. As well as the two operating systems, the US giant's researchers say they have also ported Busybox and FreeRTOS, plus a collection of toolkits for developing and building applications for the processor: the standard C/C++ and .NET Core runtime libraries, the Windows kernel debugger, Visual C++ 2017's command line tools, and .NET's just-in-time compiler RyuJIT. Microsoft has also ported the widely used LLVM C/C++ compiler and debugger, and related C/C++ runtime libraries. The team wanted to demonstrate that programmers do not need to rewrite their software for the experimental chipset, and that instead programs just need to be recompiled - then they are ready to roll on the new technology.
It seems to be a radical departure from the norm, and I'm very interested to see where this will lead.
On the surface, Shortcuts the app looks like the full-blown Workflow replacement heavy users of the app have been wishfully imagining for the past year. But there is more going on with Shortcuts than the app alone. Shortcuts the feature, in fact, reveals a fascinating twofold strategy: on one hand, Apple hopes to accelerate third-party Siri integrations by leveraging existing APIs as well as enabling the creation of custom SiriKit Intents; on the other, the company is advancing a new vision of automation through the lens of Siri and proactive assistance from which everyone - not just power users - can reap the benefits. While it's still too early to comment on the long-term impact of Shortcuts, I can at least attempt to understand the potential of this new technology. In this article, I'll try to explain the differences between Siri shortcuts and the Shortcuts app, as well as answering some common questions about how much Shortcuts borrows from the original Workflow app. Let's dig in.
Workflow was an amazing iOS application, even with the inherent limitations imposed by iOS. Now that Workflow is owned by Apple and properly integrated into iOS, it should provide an even better experience. While I'm not particularly interested in Shortcuts on my iPhone X, I can't wait to dig into it on my iPad Pro.
In a short session at the 2018 Python Language Summit, Steve Dower brought up the shortcomings of Python virtual environments, which are meant to create isolated installations of the language and its modules. He said his presentation was "co-written with Twitter" and, indeed, most of his slides were of tweets. At the end, he also slipped in an announcement of his plans for hosting a core development sprint in September.
16:37 [$] LWN.net Weekly Edition for June 14, 2018
The LWN.net Weekly Edition for June 14, 2018 is available.
16:37 Security updates for Thursday
Security updates have been issued by Arch Linux (chromium and gnupg), Debian (spip), Fedora (pdns-recursor), Gentoo (adobe-flash, burp, quassel, and wget), openSUSE (bouncycastle and taglib), Oracle (kernel), SUSE (java-1_7_0-openjdk, java-1_8_0-openjdk, poppler, and samba), and Ubuntu (file, perl, and ruby1.9.1, ruby2.0, ruby2.3).
16:37 Backdoored images downloaded 5 million times finally removed from Docker Hub (Ars Technica)
Ars Technica has the story of a set of Docker images containing cryptocurrency miners that persisted on Docker Hub for the better part of a year -- after being discovered. "Neither the Docker Hub account nor the malicious images it submitted were taken down. Over the coming months, the account went on to submit 14 more malicious images. The submissions were publicly called out two more times, once in January by security firm Sysdig and again in May by security company Fortinet. Eight days after last month's report, Docker Hub finally removed the images."
16:37 Cook: security things in Linux v4.17
Kees Cook describes the security-oriented changes included in the 4.17 kernel release. "It was possible that old memory contents would live in a new process's kernel stack. While normally not visible, 'uninitialized' memory read flaws or read overflows could expose these contents (especially stuff 'deeper' in the stack that may never get overwritten for the life of the process). To avoid this, I made sure that new stacks were always zeroed. Oddly, this 'priming' of the cache appeared to actually improve performance, though it was mostly in the noise."
16:37 Security updates for Friday
Security updates have been issued by CentOS (plexus-archiver), Fedora (chromium, kernel, and plexus-archiver), Mageia (firefox, gifsicle, jasper, leptonica, patch, perl-DBD-mysql, qt3, and scummvm), openSUSE (opencv), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (gpg2, nautilus, and postgresql96), and Ubuntu (gnupg2 and linux-raspi2).
16:37 [$] Toward a fully reproducible Debian
It's been a little over one year since we last covered Debian's reproducible builds project. The effort has not stopped in the interim; progress continues to be made, the message has sharpened up, and word is spreading. Chris Lamb, speaking about this at FLOSS UK in a talk called "You may think you're not a target: a tale of three developers", hinted that the end may be starting to come into sight.
16:37 Kernel prepatch 4.18-rc1
The first 4.18 prepatch is out, and the merge window has closed for this development cycle. "You may think it's still Saturday for me, and that I should give you one more day of merge window to send in some last-minute pull requests, but I know better. I'm in Japan, and it's Sunday here."
16:37 A set of weekend stable kernel updates
The stable update machine continues to crank out releases: 4.17.2, 4.16.16, 4.14.50, 4.9.109, and 4.4.138 are all available with another set of important fixes.
16:37 [$] 4.18 Merge window, part 2
By the time that Linus Torvalds released 4.18-rc1 and closed the merge window for this development cycle, 11,594 non-merge changesets had found their way into the mainline kernel repository. Nearly 4,500 of those were pulled after last week's summary was written. Thus, in terms of commit traffic, 4.18 looks to be quite similar to its predecessors. As usual, the entry of significant new features has slowed toward the end of the merge window, but there are still some important changes on the list.
16:37 Security updates for Monday
Security updates have been issued by CentOS (kernel), Debian (libgcrypt20, redis, and strongswan), Fedora (epiphany, freedink-dfarc, gnupg, LibRaw, nodejs-JSV, nodejs-uri-js, singularity, strongswan, and webkit2gtk3), Mageia (flash-player-plugin, freedink-dfarc, and imagemagick), openSUSE (enigmail, gpg2, java-1_7_0-openjdk, java-1_8_0-openjdk, poppler, postgresql96, python-python-gnupg, and samba), Oracle (kernel), SUSE (gpg2 and xen), and Ubuntu (gnupg and webkit2gtk).
This article describes our findings that connected TCP small queues (TSQ) with the behavior of advanced WiFi protocols and, in the process, solved a throughput regression. The resulting patch is already in the mainline tree, so before continuing, please make sure your kernel is updated. Beyond the fix, it is delightful to travel through history to see how we discovered the problem, how it was tackled, and how it was patched.
Subscribers can read on for the full story by guest authors Carlo Grazia and Natale Patriciello.
16:37 Security updates for Tuesday
Security updates have been issued by Arch Linux (libgcrypt), Fedora (bouncycastle, nodejs, and perl-Archive-Tar), openSUSE (aubio), and Red Hat (chromium-browser, glibc, kernel, kernel-rt, libvirt, pcs, samba, samba4, sssd and ding-libs, and zsh).
16:37 Security updates for Wednesday
Security updates have been issued by Arch Linux (pass), Debian (xen), Fedora (chromium, cobbler, gnupg, kernel, LibRaw, mariadb, mingw-libtiff, nikto, and timidity++), Gentoo (chromium, curl, and transmission), Mageia (gnupg, gnupg2, librsvg, poppler, roundcubemail, and xdg-utils), Red Hat (ansible and glusterfs), Slackware (gnupg), SUSE (cobbler, dwr, java-1_8_0-ibm, kernel, microcode_ctl, pam-modules, salt, slf4j, and SMS3.1), and Ubuntu (libgcrypt11, libgcrypt11, libgcrypt20, and mozjs52).
16:37 Welcome to Fedora CoreOS
Matthew Miller looks at how Red Hat's acquisition of CoreOS will affect the Fedora project. "This isn't the place for technical details -- see 'what next?' at the bottom of this message for more. I expect that over the next year or so, Fedora Atomic Host will be replaced by a new thing combining the best from Container Linux and Project Atomic. This new thing will be 'Fedora CoreOS' and serve as the upstream to Red Hat CoreOS."
When Mark Zuckerberg testified before both the House and the Senate last month, it became immediately obvious that few US lawmakers had any appetite to regulate the pervasive surveillance taking place on the Internet.
Right now, the only way we can force these companies to take our privacy more seriously is through the market. But the market is broken. First, none of us do business directly with these data brokers. Equifax might have lost my personal data in 2017, but I can't fire them because I'm not their customer or even their user. I could complain to the companies I do business with who sell my data to Equifax, but I don't know who they are. Markets require voluntary exchange to work properly. If consumers don't even know where these data brokers are getting their data from and what they're doing with it, they can't make intelligent buying choices.
This is starting to change, thanks to a new law in Vermont and another in Europe. And more legislation is coming.
Vermont first. At the moment, we don't know how many data brokers collect data on Americans. Credible estimates range from 2,500 to 4,000 different companies. Last week, Vermont passed a law that will change that.
The law does several things to improve the security of Vermonters' data, but several provisions matter to all of us. First, the law requires data brokers that trade in Vermonters' data to register annually. And while there are many small local data brokers, the larger companies collect data nationally and even internationally. This will help us get a more accurate look at who's in this business. The companies also have to disclose what opt-out options they offer, and how people can request to opt out. Again, this information is useful to all of us, regardless of the state we live in. And finally, the companies have to disclose the number of security breaches they've suffered each year, and how many individuals were affected.
Admittedly, the regulations imposed by the Vermont law are modest. Earlier drafts of the law included a provision requiring data brokers to disclose how many individuals' data they have in their databases, what sorts of data they collect and where the data came from, but those were removed as the bill negotiated its way into law. A more comprehensive law would allow individuals to demand exactly what information the brokers have about them -- and maybe allow individuals to correct and even delete that data. But it's a start, and the first statewide law of its kind to be passed in the face of strong industry opposition.
Vermont isn't the first to attempt this, though. On the other side of the country, Representative Norma Smith of Washington introduced a similar bill in both 2017 and 2018. It goes further, requiring disclosure of what kinds of data the broker collects. So far, the bill has stalled in the state's legislature, but she believes it will have a much better chance of passing when she introduces it again in 2019. I am optimistic that this is a trend, and that many states will start passing bills forcing data brokers to be increasingly more transparent in their activities. And while their laws will be tailored to residents of those states, all of us will benefit from the information.
A 2018 California ballot initiative could help. Among its provisions, it gives consumers the right to demand exactly what information a data broker has about them. If it passes in November, once it takes effect, lots of Californians will take the list of data brokers from Vermont's registration law and demand this information based on their own law. And again, all of us -- regardless of the state we live in -- will benefit from the information.
We will also benefit from another, much more comprehensive, data privacy and security law from the European Union. The General Data Protection Regulation (GDPR) was passed in 2016 and took effect on 25 May. The details of the law are far too complex to explain here, but among other things, it mandates that personal data can only be collected and saved for specific purposes and only with the explicit consent of the user. We'll learn who is collecting what and why, because companies that collect data are going to have to ask European users and customers for permission. And while this law only applies to EU citizens and people living in EU countries, the disclosure requirements will show all of us how these companies profit off our personal data.
It has already reaped benefits. Over the past couple of weeks, you've received many e-mails from companies that have you on their mailing lists. In the coming weeks and months, you're going to see other companies disclose what they're doing with your data. One early example is PayPal: in preparation for GDPR, it published a list of the over 600 companies it shares your personal data with. Expect a lot more like this.
Surveillance is the business model of the Internet. It's not just the big companies like Facebook and Google watching everything we do online and selling advertising based on our behaviors; there's also a large and largely unregulated industry of data brokers that collect, correlate and then sell intimate personal data about our behaviors. If we make the reasonable assumption that Congress is not going to regulate these companies, then we're left with the market and consumer choice. The first step in that process is transparency. These new laws, and the ones that will follow, are slowly shining a light on this secretive industry.
This essay originally appeared in the Guardian.
Interesting fossils. Note that a poster is available.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Read my blog posting guidelines here.
On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it's a harbinger of the sorts of pervasive threats -- from nation-states, criminals and hackers -- that we should expect in coming years.
VPNFilter is a sophisticated piece of malware that infects mostly older home and small-office routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. (For a list of specific models, click here.) It's an impressive piece of work. It can eavesdrop on traffic passing through the router -- specifically, log-in credentials and SCADA traffic, which is a networking protocol that controls power plants, chemical plants and industrial systems -- attack other targets on the Internet and destructively "kill" its infected device. It is one of a very few pieces of malware that can survive a reboot, even though that's what the FBI has requested. It has a number of other capabilities, and it can be remotely updated to provide still others. More than 500,000 routers in at least 54 countries have been infected since 2016.
Because of the malware's sophistication, VPNFilter is believed to be the work of a government. The FBI suggested the Russian government was involved for two circumstantial reasons. One, a piece of the code is identical to one found in another piece of malware, called BlackEnergy, that was used in the December 2015 attack against Ukraine's power grid. Russia is believed to be behind that attack. And two, the majority of those 500,000 infections are in Ukraine and controlled by a separate command-and-control server. There might also be classified evidence, as an FBI affidavit in this matter identifies the group behind VPNFilter as Sofacy, also known as APT28 and Fancy Bear. That's the group behind a long list of attacks, including the 2016 hack of the Democratic National Committee.
Two companies, Cisco and Symantec, seem to have been working with the FBI during the past two years to track this malware as it infected ever more routers. The infection mechanism isn't known, but we believe it targets known vulnerabilities in these older routers. Pretty much no one patches their routers, so the vulnerabilities have remained, even if they were fixed in new models from the same manufacturers.
On May 30, the FBI seized control of toknowall.com, a critical VPNFilter command-and-control server. This is called "sinkholing," and serves to disrupt a critical part of this system. When infected routers contact toknowall.com, they will no longer be contacting a server owned by the malware's creators; instead, they'll be contacting a server owned by the FBI. This doesn't entirely neutralize the malware, though. It will stay on the infected routers through reboot, and the underlying vulnerabilities remain, making the routers susceptible to reinfection with a variant controlled by a different server.
If you want to make sure your router is no longer infected, you need to do more than reboot it, the FBI's warning notwithstanding. You need to reset the router to its factory settings. That means you need to reconfigure it for your network, which can be a pain if you're not sophisticated in these matters. If you want to make sure your router cannot be reinfected, you need to update the firmware with any security patches from the manufacturer. This is harder to do and may strain your technical capabilities, though it's ridiculous that routers don't automatically download and install firmware updates on their own. Some of these models probably do not even have security patches available. Honestly, the best thing to do if you have one of the vulnerable models is to throw it away and get a new one. (Your ISP will probably send you a new one free if you claim that it's not working properly. And you should have a new one, because if your current one is on the list, it's at least 10 years old.)
So if it won't clear out the malware, why is the FBI asking us to reboot our routers? It's mostly just to get a sense of how bad the problem is. The FBI now controls toknowall.com. When an infected router gets rebooted, it connects to that server to get fully reinfected, and when it does, the FBI will know. Rebooting will give it a better idea of how many devices out there are infected.
Should you do it? It can't hurt.
Internet of Things malware isn't new. The 2016 Mirai botnet, for example, created by a lone hacker and not a government, targeted vulnerabilities in Internet-connected digital video recorders and webcams. Other malware has targeted Internet-connected thermostats. Lots of malware targets home routers. These devices are particularly vulnerable because they are often designed by ad hoc teams without a lot of security expertise, stay around in networks far longer than our computers and phones, and have no easy way to patch them.
It wouldn't be surprising if the Russians targeted routers to build a network of infected computers for follow-on cyber operations. I'm sure many governments are doing the same. As long as we allow these insecure devices on the Internet -- and short of security regulations, there's no way to stop them -- we're going to be vulnerable to this kind of malware.
And next time, the command-and-control server won't be so easy to disrupt.
This essay previously appeared in the Washington Post
EDITED TO ADD: The malware is more capable than we previously thought.
iOS 12, the next release of Apple's iPhone operating system, may include features to prevent someone from unlocking your phone without your permission:
The feature essentially forces users to unlock the iPhone with the passcode when connecting it to a USB accessory every time the phone has not been unlocked for one hour. That includes the iPhone unlocking devices that companies such as Cellebrite or GrayShift make, which police departments all over the world use to hack into seized iPhones.
"That pretty much kills [GrayShift's product] GrayKey and Cellebrite," Ryan Duff, a security researcher who has studied iPhone and is Director of Cyber Solutions at Point3 Security, told Motherboard in an online chat. "If it actually does what it says and doesn't let ANY type of data connection happen until it's unlocked, then yes. You can't exploit the device if you can't communicate with it."
This is part of a bunch of security enhancements in iOS 12:
Other enhancements include tools for generating strong passwords, storing them in the iCloud keychain, and automatically entering them into Safari and iOS apps across all of a user's devices. Previously, standalone apps such as 1Password have done much the same thing. Now, Apple is integrating the functions directly into macOS and iOS. Apple also debuted new programming interfaces that allow users to more easily access passwords stored in third-party password managers directly from the QuickType bar. The company also announced a new feature that will flag reused passwords, an interface that autofills one-time passwords provided by authentication apps, and a mechanism for sharing passwords among nearby iOS devices, Macs, and Apple TVs.
A separate privacy enhancement is designed to prevent websites from tracking people when using Safari. It's specifically designed to prevent share buttons and comment code on webpages from tracking people's movements across the Web without permission or from collecting a device's unique settings such as fonts, in an attempt to fingerprint the device.
The last additions of note are new permission dialogues macOS Mojave will display before allowing apps to access a user's camera or microphone. The permissions are designed to thwart malicious software that surreptitiously turns on these devices in an attempt to spy on users. The new protections will largely mimic those previously available only through standalone apps such as one called Oversight, developed by security researcher Patrick Wardle. Apple said similar dialog permissions will protect the file system, mail database, message history, and backups.
Internet censors have a new strategy in their bid to block applications and websites: pressuring the large cloud providers that host them. These providers have concerns that are much broader than the targets of censorship efforts, so they have the choice of either standing up to the censors or capitulating in order to maximize their business. Today's Internet largely reflects the dominance of a handful of companies behind the cloud services, search engines and mobile platforms that underpin the technology landscape. This new centralization radically tips the balance between those who want to censor parts of the Internet and those trying to evade censorship. When the profitable answer is for a software giant to acquiesce to censors' demands, how long can Internet freedom last?
The recent battle between the Russian government and the Telegram messaging app illustrates one way this might play out. Russia has been trying to block Telegram since April, when a Moscow court banned it after the company refused to give Russian authorities access to user messages. Telegram, which is widely used in Russia, works on both iPhone and Android, and there are Windows and Mac desktop versions available. The app offers optional end-to-end encryption, meaning that all messages are encrypted on the sender's phone and decrypted on the receiver's phone; no part of the network can eavesdrop on the messages.
Since then, Telegram has been playing cat-and-mouse with the Russian telecom regulator Roskomnadzor by varying the IP address the app uses to communicate. Because Telegram isn't a fixed website, it doesn't need a fixed IP address. Telegram bought tens of thousands of IP addresses and has been quickly rotating through them, staying a step ahead of censors. Cleverly, this tactic is invisible to users. The app never sees the change, or the entire list of IP addresses, and the censor has no clear way to block them all.
A week after the court ban, Roskomnadzor countered with an unprecedented move of its own: blocking 19 million IP addresses, many on Amazon Web Services and Google Cloud. The collateral damage was widespread: The action inadvertently broke many other web services that use those platforms, and Roskomnadzor scaled back after it became clear that its action had affected services critical for Russian business. Even so, the censor is still blocking millions of IP addresses.
More recently, Russia has been pressuring Apple not to offer the Telegram app in its iPhone App Store. As of this writing, Apple has not complied, and the company has allowed Telegram to download a critical software update to iPhone users (after what the app's founder called a delay last month). Roskomnadzor could further pressure Apple, though, including by threatening to turn off its entire iPhone app business in Russia.
Telegram might seem a weird app for Russia to focus on. Those of us who work in security don't recommend the program, primarily because of the nature of its cryptographic protocols. In general, proprietary cryptography has numerous fatal security flaws. We generally recommend Signal for secure SMS messaging, or, if having that program on your computer is somehow incriminating, WhatsApp. (More than 1.5 billion people worldwide use WhatsApp.) What Telegram has going for it is that it works really well on lousy networks. That's why it is so popular in places like Iran and Afghanistan. (Iran is also trying to ban the app.)
What the Russian government doesn't like about Telegram is its anonymous broadcast feature -- channel capability and chats -- which makes it an effective platform for political debate and citizen journalism. The Russians might not like that Telegram is encrypted, but odds are good that they can simply break the encryption. Telegram's role in facilitating uncontrolled journalism is the real issue.
Iran's attempts to block Telegram have been more successful than Russia's, less because Iran's censorship technology is more sophisticated than because Telegram is not willing to go as far to defend Iranian users. The reasons are not rooted in business decisions. Simply put, Telegram is a Russian product and the designers are more motivated to poke Russia in the eye. Pavel Durov, Telegram's founder, has pledged millions of dollars to help fight Russian censorship.
For the moment, Russia has lost. But this battle is far from over. Russia could easily come back with more targeted pressure on Google, Amazon and Apple. A year earlier, Zello used the same trick Telegram is using to evade Russian censors. Then, Roskomnadzor threatened to block all of Amazon Web Services and Google Cloud; and in that instance, both companies forced Zello to stop its IP-hopping censorship-evasion tactic.
Russia could also further develop its censorship infrastructure. If its capabilities were as finely honed as China's, it would be able to more effectively block Telegram from operating. Right now, Russia can block only specific IP addresses, which is too coarse a tool for this issue. Telegram's voice capabilities in Russia are significantly degraded, however, probably because high-capacity IP addresses are easier to block.
Whatever its current frustrations, Russia might well win in the long term. By demonstrating its willingness to suffer the temporary collateral damage of blocking major cloud providers, it prompted cloud providers to block another and more effective anti-censorship tactic, or at least accelerated the process. In April, Google and Amazon banned -- and technically blocked -- the practice of "domain fronting," a trick anti-censorship tools use to get around Internet censors by pretending to be other kinds of traffic. Developers would use popular websites as a proxy, routing traffic to their own servers through another website -- in this case Google.com -- to fool censors into believing the traffic was intended for Google.com. The anonymous web-browsing tool Tor has used domain fronting since 2014. Signal, since 2016. Eliminating the capability is a boon to censors worldwide.
Tech giants have gotten embroiled in censorship battles for years. Sometimes they fight and sometimes they fold, but until now there have always been options. What this particular fight highlights is that Internet freedom is increasingly in the hands of the world's largest Internet companies. And while freedom may have its advocates -- the American Civil Liberties Union has tweeted its support for those companies, and some 12,000 people in Moscow protested against the Telegram ban -- actions such as disallowing domain fronting illustrate that getting the big tech companies to sacrifice their near-term commercial interests will be an uphill battle. Apple has already removed anti-censorship apps from its Chinese app store.
In 1993, John Gilmore famously said that "The Internet interprets censorship as damage and routes around it." That was technically true when he said it but only because the routing structure of the Internet was so distributed. As centralization increases, the Internet loses that robustness, and censorship by governments and companies becomes easier.
This essay previously appeared on Lawfare.com.
For many years, I have said that complexity is the worst enemy of security. At CyCon earlier this month, Thomas Dullien gave an excellent talk on the subject with far more detail than I've ever provided. Video. Slides.
It's Cephalopod Week! "Three hearts, eight arms, can't lose."
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Read my blog posting guidelines here.
Tapplock sells an "unbreakable" Internet-connected lock that you can open with your fingerprint. It turns out that:
Regarding the third flaw, the manufacturer has responded that "...the lock is invincible to the people who do not have a screwdriver."
You can't make this stuff up.
EDITED TO ADD: The quote at the end is from a different smart lock manufacturer. Apologies for that.
Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post:
It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective.
I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.)
I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know.
Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them.
Sounds like a really good idea, but Andreas Gutmann points out an application where this could become a vulnerability: when authenticating transactions:
Transaction authentication, as opposed to user authentication, is used to attest the correctness of the intention of an action rather than just the identity of a user. It is most widely known from online banking, where it is an essential tool to defend against sophisticated attacks. For example, an adversary can try to trick a victim into transferring money to a different account than the one intended. To achieve this the adversary might use social engineering techniques such as phishing and vishing and/or tools such as Man-in-the-Browser malware.
Transaction authentication is used to defend against these adversaries. Different methods exist but in the one of relevance here -- which is among the most common methods currently used -- the bank will summarise the salient information of any transaction request, augment this summary with a TAN tailored to that information, and send this data to the registered phone number via SMS. The user, or bank customer in this case, should verify the summary and, if this summary matches with his or her intentions, copy the TAN from the SMS message into the webpage.
This new iOS feature creates problems for the use of SMS in transaction authentication. Applied to 2FA, the user would no longer need to open and read the SMS from which the code has already been conveniently extracted and presented. Unless this feature can reliably distinguish between OTPs in 2FA and TANs in transaction authentication, we can expect that users will also have their TANs extracted and presented without context of the salient information, e.g. amount and destination of the transaction. Yet, precisely the verification of this salient information is essential for security. Examples of where this scenario could apply include a Man-in-the-Middle attack on the user accessing online banking from their mobile browser, or where a malicious website or app on the user's phone accesses the bank's legitimate online banking service.
This is an interesting interaction between two security systems. Security code AutoFill eliminates the need for the user to view the SMS or memorize the one-time code. Transaction authentication assumes the user read and approved the additional information in the SMS message before using the one-time code.
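The interaction described above can be made concrete with a small simulation. This is example code added for this page, not Apple's AutoFill logic or any bank's protocol; the bank-side secret, the IBAN-like strings, the SMS wording and the 6-digit HMAC-derived TAN are all constructed assumptions. It shows why a TAN bound to the salient transaction details only protects the user when the user actually reads those details, and why extracting the code alone (as AutoFill does) removes that protection:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: a simplified SMS-TAN transaction-authentication flow.
# All names, keys and formats below are assumptions made for illustration.

TAN_SECRET = b"constructed-bank-side-secret"  # per-customer key (assumed)


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    destination_iban: str


def derive_tan(secret: bytes, tx: Transfer, nonce: str, digits: int = 6) -> str:
    """Bind the TAN to the salient details (amount, destination) plus a
    per-request nonce, so a TAN issued for one transfer is useless for another."""
    msg = f"{tx.amount_cents}|{tx.destination_iban}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def bank_issue_sms(tx: Transfer) -> tuple[str, str]:
    """Bank side: summarise the request it received, attach a TAN bound to
    that summary, and return (sms_text, nonce). The nonce stays server-side."""
    nonce = secrets.token_hex(8)
    tan = derive_tan(TAN_SECRET, tx, nonce)
    sms = (f"Transfer of EUR {tx.amount_cents / 100:.2f} "
           f"to {tx.destination_iban}. TAN: {tan}")
    return sms, nonce


def bank_verify(tx_received: Transfer, nonce: str, tan_entered: str) -> bool:
    """Bank side: recompute the TAN over the transaction it actually holds."""
    expected = derive_tan(TAN_SECRET, tx_received, nonce)
    return hmac.compare_digest(expected, tan_entered)


def extract_code(sms: str) -> str:
    """Model of Security code AutoFill: pull the code out of the SMS without
    presenting the surrounding summary to the user."""
    return sms.rsplit("TAN: ", 1)[1].strip()


def summary_matches_intent(sms: str, intended: Transfer) -> bool:
    """Model of a user who opens the SMS and checks amount and destination."""
    return (f"EUR {intended.amount_cents / 100:.2f}" in sms
            and intended.destination_iban in sms)


def run_transfer(intended: Transfer, received: Transfer, user_reads_sms: bool) -> bool:
    """Simulate one transfer. `received` is what the bank sees; it differs from
    `intended` when something between user and bank has altered the request.
    Returns True if the bank ends up executing the transfer."""
    sms, nonce = bank_issue_sms(received)
    if user_reads_sms and not summary_matches_intent(sms, intended):
        return False  # user spots the mismatch and never enters the TAN
    tan = extract_code(sms)  # AutoFill or manual copy yields the same digits
    return bank_verify(received, nonce, tan)
```

With an unaltered request both users succeed; with an altered destination only the user who reads the summary refuses, because the TAN itself is perfectly valid for the transaction the bank holds. The binding of the TAN to the details is what makes reading the summary meaningful, and a mechanism that strips the summary before the user sees it defeats that binding without touching the cryptography.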
Data warehousing biz Teradata has flung a sueball (PDF) at SAP in the District Court for Northern California, alleging the German ERP giant undertook a "decade-long campaign of trade secret misappropriation, copyright infringement and antitrust violations"....
Microsoft emitted a preview of immutable storage for Azure Storage Blobs yesterday in an effort to win the hearts and minds of industries weighed down by regulation....
At the Cyber Week security conference in Israel on Tuesday, chip giant Intel plans to discuss how it is addressing threats to the overexposed tech celebrities known as AI and blockchain....
Microsoft's continued frantic efforts to distance itself from a clumsily worded blog post continued today with the publishing of an email from CEO Satya Nadella....
16:09 EU narrowly passes copyright law requiring internet filtering
Today, the EU parliament's legal affairs committee voted in favor of controversial legislation that requires tech companies to install filters into their software to prevent users from uploading copyrighted content. The law is intended to protect con...
16:09 Facebook will air live PGA Tour coverage on its Watch tab
One of the ways that Facebook has been highlighting its Watch tab is through exclusive streaming deals with sports leagues. Now, the PGA Tour joins the roster of sports that will air coverage on Facebook exclusively. Live competition coverage of eigh...
16:09 LG's G7 and V35 are available for pre-order on Project Fi
You no longer have to spring for a Pixel if you want a high-end smartphone on Project Fi. In the wake of an announcement late last month, Google's wireless service has made LG's G7 ThinQ and V35 ThinQ available for pre-order. The pricing for the de...
16:09 All Amazon Prime members can now try clothes before they buy
Amazon has been testing out a fee-free clothing-box service in the vein of Stitch Fix since last June. Prime Wardrobe allowed customers to try out selected clothing before buying; customers would only be charged for the items they kept. Until now, the...
16:08 GitHub, Medium Remove Public ICE Employee Data Repository
owenferguson shares a report from Obscene Works: Medium.com and GitHub have today quashed the release of a set of data comprising of all the ICE employees who openly list themselves on LinkedIn.com. All the data released was gathered from publicly listed LinkedIn profiles. The data was assembled by Sam Lavigne of http://lav.io/ and was published as a repository on GitHub, and announced via an article on Medium.com. A link is still available on the original article this post is derived from.
16:08 EU Takes First Step in Passing Controversial Copyright Law That Could 'Censor the Internet'
The European Union has taken the first step in passing new copyright legislation that critics say will tear the internet apart. From a report: This morning, the EU's Legal Affairs Committee (JURI) voted in favor of the legislation, called the Copyright Directive. Although most of the directive simply updates technical language for copyright law in the age of the internet, it includes two highly controversial provisions. These are Article 11, a "link tax," which would force online platforms like Facebook and Google to buy licenses from media companies before linking to their stories; and Article 13, an "upload filter," which would require that everything uploaded online in the EU is checked for copyright infringement. (Think of it like YouTube's Content ID system but for the whole internet.) EU lawmakers critical of the legislation say these Articles may have been proposed with good intentions -- like protecting copyright owners -- but are vaguely worded and ripe for abuse.
16:08 Researchers Invent a Way to Speed Intel's 3D XPoint Computer Memory
Memory modules using Intel's 3D XPoint technology are on their way, and researchers in North Carolina have already figured out how to make them better. New submitter mnemotronic writes: At the 45th ICSA (International Symposium on Computer Architecture), a group of researchers from North Carolina State University led by Prof. Yan Solihin proposed a method called lazy consistency to speed up write operations to 3D XPoint memory. XPoint, developed by Intel and Micron, is non-volatile, cheaper and denser than DRAM but requires more power and writing takes longer. The method proposed reduces write overhead times from 9% to 1% by incorporating a checksum into the cache memory system. The researchers were not able to verify their approach on actual XPoint memory, as those products only recently started sampling. They tested using simulations and DRAM and plan to verify when Intel's modules become more widely available.
16:08 San Francisco's City-Wide Fiber Internet Plan is Delayed, Future in Doubt
San Francisco's plan to build a city-wide gigabit fiber Internet service won't go forward this year, as city officials decided they need to do more research before asking voters to approve a ballot initiative. From a report: The universal broadband project "has suffered a setback as outgoing Mayor Mark Farrell will not place a tax measure on the November ballot to fund the project before he leaves office in the coming weeks," the San Francisco Examiner reported Sunday. The deadline for Farrell to submit the ballot initiative passed yesterday. In January, the city issued a Request for Qualifications (RFQ) to find companies that are qualified to build the network. After examining the submissions, the city named three entities (Bay City Broadband Partners, FiberGateway, and Sonic Plenary SF Fiber) as "pre-qualified bidders."
14:56 Widely used D-Link modem/router under mass attack by potent IoT botnet
Satori unleashes worm exploiting 2-year-old vulnerability in DSL-2750B devices.
14:56 There's a slew of "potential new" Star Trek shows underway, per report
One series may be set at Starfleet Academy, another exploring Khan Noonien Singh.
14:56 San Francisco's city-wide fiber Internet plan is delayed, future in doubt
City won't put universal broadband plan on the ballot this year.
14:39 Google Podcasts is pretty but basic
Google has a long and disappointing history with podcasts. With Apple and iTunes, they were always an integral part of the experience. For Android, though, it was an afterthought. Google Listen was barely usable, but basically the only option for get...
14:39 HTC U12+ review: Fundamentally flawed
Once a big player in smartphones, HTC is now better known for its Vive VR headsets than anything else. The firm offloaded the team responsible for the Pixel phones to Google earlier this year, shortly before the chief of its smartphone division r...
14:39 Facebook is placing autoplay video ads inside Messenger
Facebook previously admitted that it's running out of places for ads in the News Feed, which doesn't sound good for a company making billions of dollars from them. To solve that issue, the social network turned to its other apps and properties -- las...
14:39 AMC's 'Stubs A-List' subscription is a direct attack on MoviePass
That took.... longer than expected: To compete with MoviePass, AMC Theaters will launch a monthly subscription service starting June 26th. With the AMC Stubs A-List program, in exchange for $19.95 per month folks will be able to see three movies of t...
14:38 AMC is Creating a Rival Service To MoviePass
AMC said on Wednesday it is creating a VIP tier of its loyalty program, a subscription movie theater pass called AMC Stubs A-List, which will allow users to see three movies a week in AMC theaters for $20 a month. From a report: The offering rivals that of MoviePass, a subscription movie service with longstanding tensions in negotiating pricing and theater distribution agreements with AMC. Tensions between AMC and MoviePass had gotten so bad last year that AMC said it would try to block MoviePass. MoviePass CEO Mitch Lowe told Axios in an interview in January that MoviePass brought in 1 million tickets for AMC in December alone. Like MoviePass, the AMC subscription will let users see a certain number of films for a monthly flat fee, but will only be viewable in AMC theaters.
Toshiba has sent in a SAS SSD hit team to assault SATA SSDs and their slower interface in the shape of its RM5 vSAS drive....
JURI, European Parliament's legal affairs committee, voted today to approve article 11 of the EU Directive on Copyright in the Digital Single Market, which allows news publishers to seek payment for reuse of snippets of articles, in a narrow 13:12 vote....
13:09 Steam lets game developers customize their homepages
Steam has put its new Creator Homepages into open beta, letting developers and publishers customize their homepages to better show off their game catalogs. There's a lot of flexibility -- publishers can divide their portfolios up however they wish, s...
13:09 TouchPal built an AI for its alternative Android keyboard
Over the years, TouchPal has remained one of the most popular Android keyboards with its generous bundle of features, including gesture typing, neural network-powered prediction, multilingual support, GIF search, themes and more; though some of these...
13:09 Up close with the Galaxy S9 in 'Sunrise Gold'
Samsung teased a gold color variant of the Galaxy S9 and S9 Plus two days ago, and now it's officially announced the availability. Starting June 24th, you'll be able to get the "Sunrise Gold" version of the flagship at Best Buy (in stores and online)...
13:09 A closer look at the BlackBerry KEY2's new dual camera
It'll still be a little while yet before the first BlackBerry KEY2s wind up on people's doorsteps, and we're currently putting our review unit through its paces. For now at least, we've grown quite fond of the thing: even a few Engadget staffers who...
13:08 Uber Tests Cheaper Fares For Riders Who Are Willing To Wait Longer
An anonymous reader quotes a report from Quartz: The ride-hailing company has started testing a feature that gives riders the option to trade a shorter wait for a cheaper fare. "Prices are lower at 17:00," Uber recently advised an Uber employee who requested a ride in Berkeley, California, and tweeted a screenshot of the feature. The image showed the Uber employee that he could request a ride "now" (4:56pm local time) for $10.18, or wait until 5pm and pay $8.15, about 25% less. "If you're OK leaving later, we'll request your ride at 17:00 for a lower price," Uber's app stated. The option to wait longer in exchange for a cheaper ride is being tested among all Uber employees in San Francisco and Los Angeles, a company spokeswoman told Quartz in an email. "Affordability is a top reason riders choose shared rides, and we're internally experimenting with a way to save money in exchange for a later pickup," she said.
It's fine to be eccentric, but irrationally stubborn C programmers create real problems for our technology-dependent society. We need to start treating use of C in inappropriate contexts as professional negligence.
I know it's late, but this should make its way into a "quote of the week" or something :-)
The head of GCHQ has publicly called for security co-operation with Britain's EU allies to continue after Brexit....
Brit telco BT has been ordered to pay £77,000 for sending almost 5 million nuisance emails - equivalent to about 1.5p a mail....
The UK will only be able to get a data adequacy decision from the European Union once it has offered up its new legal framework - and won't get access to the bloc's policing and security databases, Michel Barnier has warned....
The spirit of Kenneth Williams* is alive and well in the corridors of Redmond, with staffer Raymond Chen detailing some internal Microsoft jargon in a euphemism-heavy MSDN posting....
11:39 Privacy browser Brave pays 'crypto tokens' for watching its ads
Ad-blocking browser Brave is getting ready to test its Basic Attention Token (BAT) platform, which has been designed to reward users for looking at adverts. The company, founded by Mozilla's controversial former CEO Brendan Eich, launched the first p...
11:39 The Morning After: Another all-screen phone
Hey, good morning! You look fabulous. In case you needed another sign that we're at the height of this console cycle, Sony is rolling out a greatest hits lineup for the PS4. At the same time, GameStop is looking over its options, and Google finally...
11:39 'PUBG' celebrates 50 million sales with first Steam discount
PlayerUnknown's Battlegrounds is now enjoying its first Steam sale since launch. According to a recent Steam update, the price reduction -- a 33% discount which brings the price of admission down to $19.99 -- honors an important milestone: 50 million...
11:39 Ford's future transportation plans include an iconic Detroit train station
As Ford notches its 115th anniversary, the company celebrated its purchase of an iconic Detroit landmark with an eye toward the "smart cities" future we heard about at CES. Michigan Central Station served as a main passenger hub for the city once it...
Analysis Hybrid cloud filer Elastifile's co-founder and CEO Amir Aharoni has stepped aside and the new incumbent of the stretchy hot seat, former Scality man Erwan Menard, has said the firm will offer cloud native product optimised for each public cloud....
Samsung isn't the first name most people would associate with slick user interfaces - but its 2018 Android P overhaul could make rivals Apple and Google look shabby....
10:09 Loupedeck makes welcome improvements to its photo-editing controller
When Loupedeck smashed its Indiegogo target in 2016, the media controller gave both aspiring photographers and professionals a chance to edit pictures on Adobe Lightroom more quickly and intuitively. That formula will be further refined in Loupedeck+...
10:08 Urgent Needs To Prepare For Manmade Virus Attacks, Says US Government Report
A major U.S. government report warns that advances in synthetic biology now allow scientists to have the capability to recreate dangerous viruses from scratch; make harmful bacteria more deadly; and modify common microbes so that they churn out lethal toxins once they enter the body. The Guardian reports: In the report, the scientists describe how synthetic biology, which gives researchers precision tools to manipulate living organisms, "enhances and expands" opportunities to create bioweapons. "As the power of the technology increases, that brings a general need to scrutinize where harms could come from," said Peter Carr, a senior scientist at MIT's Synthetic Biology Center in Cambridge, Massachusetts. The report calls on the U.S. government to rethink how it conducts disease surveillance, so it can better detect novel bioweapons, and to look at ways to bolster defenses, for example by finding ways to make and deploy vaccines far more rapidly. For every bioweapon the scientists consider, the report sets out key hurdles that, once cleared, will make the weapons more feasible. The Guardian references a case 20 years ago where geneticist Eckard Wimmer recreated the poliovirus in a test tube. Earlier this year, a team at the University of Alberta built an infectious horse pox virus. "The virus is a close relative of smallpox, which may have claimed half a billion lives in the 20th century," reports The Guardian. "Today, the genetic code of almost any mammalian virus can be found online and synthesized."
08:39 Instagram could launch its 'IGTV' long-form video hub today
Instagram will launch its long-form video hub very, very soon -- maybe even some time today -- and according to TechCrunch, it will be called IGTV. The hub will reportedly be part of the platform's Explore tab and will feature YouTube-like vlogs arou...
Mellanox has come to terms with the activist investor that's been stalking the company since 2017....
Baidu's AI researchers have built an algorithm that can spot cancerous tumors in breast tissue using a method that doesn't rely solely on neural networks....
OpenBSD has disabled Intel's hyper-threading technology, citing security concerns....
AI developers can now rent Google's Cloud TPU chips in the US, Asia, and Europe by the hour....
BSides Tel Aviv Blockchain technologies might be abused to create a takedown-resistant infrastructure for botnets....
07:09 Porsche invests in EV supercar-maker Rimac
Just recently, luxury automaker Porsche teased its electric Mission E sports car, showing its shadowy silhouette that's not unlike its other non-EV cars. Now, the company has shown that it's getting even more serious about electric vehicles and its M...
07:08 OpenBSD Disables Intel CPU Hyper-Threading Due To Security Concerns
The OpenBSD project announced today plans to disable support for Intel CPU hyper-threading due to security concerns regarding the theoretical threat of more "Spectre-class bugs." Bleeping Computer reports: Hyper-threading (HT) is Intel's proprietary implementation of Simultaneous Multithreading (SMT), a technology that allows processors to run parallel operations on different cores of the same multi-core CPU. The feature has been added to all Intel CPUs released since 2002 and has come enabled by default, with Intel citing its performance boost as the main reason for its inclusion. But today, Mark Kettenis of the OpenBSD project said the OpenBSD team was removing support for Intel HT because, by design, this technology just opens the door for more timing attacks. Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms. The OpenBSD team is now stepping in to provide a new setting to disable HT support because "many modern machines no longer provide the ability to disable hyper-threading in the BIOS setup."
Microsoft's popped out another preview of Windows Server 2019, Build 17692 to be precise....
Google says Android will no longer require an internet connection to check whether applications are legit or potentially malicious....
05:39 Uber will pay drivers in some cities to use electric cars
Uber would like its drivers to go electric, but it knows that practical realities like high prices and hours of charging time make that difficult. Its solution? Give those drivers a helping hand. It's launching an EV Champions pilot program in sev...
05:17 Air Force ready to work on Trump's Space Force idea, but...
Trump on his Space Force idea: "It is going to be something. So important."
04:39 Oppo Find X specs: Is this the most stacked phone of 2018?
The Oppo Find X is certainly a beastly phone, but it lacks a few features that other flagship phones have.
04:39 Facebook thinks it's a great idea to put video ads next to your private messages
Messenger already featured static ads, though this would be the first time it places autoplay video ads next to your private messages.
04:39 Evie Launcher update adds Google Feed-like news feed and customizable gestures
The latest version of Evie Launcher also allows users to ditch the app's search bar, among other changes and additions.
04:39 AT&T and Verizon to stop selling real-time location info to data brokers
This change comes after it was revealed that one of those third parties did not confirm if its users had permission to track mobile users through its service.
04:39 Oppo Find X Lamborghini Edition revealed with super-fast battery charging
The special version of the Oppo Find X includes SuperVOOC charging tech, which will charge up the phone's battery to 100 percent in just 35 minutes.
04:39 Pre-orders for LG G7 ThinQ and V35 ThinQ on Project Fi go live
The latest flagship phones from LG each come with a $100 service credit on Project Fi.
04:39 PUBG Mobile inches closer to Fortnite with Royale Pass in update 0.6.0
PUBG Mobile version 0.6.0 adds a number of new features, including a Royale Pass that's eerily similar to Fortnite's Battle Pass.
04:39 Beta version of Microsoft Edge natively blocks those annoying ads
The beta version of Microsoft Edge for Android boasts native Adblock Plus support, with the service typically available as an extension.
Shipments of virtual reality kit have plunged, but growth is just around the corner....
PayPal has reminded merchants that they must support TLS 1.2 and HTTP/1.1 by June 30....
04:09 Superhero epic 'Invincible' heads to Amazon as an animated series
Amazon Studios has greenlit an animated series based on the comic Invincible, which was created by artist Cory Walker and writer Robert Kirkman, who made The Walking Dead. The new show's source material tells the story of Mark Grayson, an ordinary te...
04:09 TP-Link squeezed a smart home hub into its new mesh WiFi router
Mesh WiFi routers are no longer all that special, so how do you stand out? If you're TP-Link, you roll in a smart home hub. It just introduced a Deco M9 Plus router that builds on last year's model with a hub for ZigBee- and Bluetooth-based devices l...
04:09 Snapchat Lenses bring coral reefs to your neighborhood
How do you make nature exciting to a generation growing up with Snapchat and Instagram? The California Academy of Sciences has an idea: bring the nature to the apps that generation is using. It just trotted out a series of augmented reality Snapcha...
04:09 MIT uses brain signals and hand gestures to control robots
Robotic technology has a staggering range of applications, but getting it to perform adequately can be a challenge, requiring specific programming based around the way humans communicate with language. But now, researchers from MIT have developed a w...
04:08 GitHub, Medium Willfully Destroy Public ICE Employee Data Repository
owenferguson shares a report from Obscene Works: Medium.com and GitHub have today conspired to quash the release of a set of data comprising of all the ICE employees who openly list themselves on LinkedIn.com. The data was assembled by Sam Lavigne of http://lav.io/ and was published as a repository on GitHub, and announced via an article on Medium.com (link to a copy is available here, as the original has since been deleted by corporate.) GitHub, which was recently acquired by Microsoft, also deleted the shared data, but a copy was made first, and it is available here and also as a single archive here.
Having a changing timestamp in the resulting files makes no sense, as has been mentioned here. But something I've considered important is still recording the build time, because that tracks information that is otherwise more difficult to get now. This information is not really relevant for the generated artifacts. But it helps track events that are initiated externally to the contained build-environment. Say, data-corruption in the filesystem, an accidental file removal, etc.
and that's why we still record it out-of-band (see the Build-Date field in <https://manpages.debian.org/sid/deb-buildinfo>).
02:55 SPECK comments
I may be reading this wrong, but what the implication here?
"It may be compromised, but people who can only afford low-end phone don't deserve security/privacy"?
"Most kernel developers can buy higher-end device and won't be affected by this, so don't complain"?
02:55 SPECK comments
I read it as, compromises have to be made to push out products at this price point.
In my experience supporting users, it's quite useful to have both an actual source "timestamp" (actually, two -- one that is derived from revision control at compile time, and another that is derived and fixed when the source was snapshotted/released) plus a build timestamp.
Saves a lot of going back and forth.
02:55 SPECK comments
That's correct; currently most phones in that price range are unencrypted because AES isn't nearly fast enough, due to the lack of CPU support (ARM CE). Speck-XTS allows getting encryption to those devices now, without waiting years. The belief is that encryption is for everyone, not just people who can afford mid/high-end phones. So Speck is replacing no encryption, not AES.
Also I strongly disagree that Speck doesn't provide any "security/privacy". While I did write in the Kconfig help that "Speck may not be as secure as AES, and should only be used on systems where AES is not fast enough", that's not truly supported by the current academic literature, despite ~70 cryptanalysis papers on Simon and Speck, and even taking into account a certain very vocal person's claims. In fact, currently the best attacks on AES are actually *better* than the best attacks on Speck. I included that conservative statement primarily out of caution, since Speck is a newer algorithm with fewer years of study, so there is probably a greater chance of improved attacks being published on Speck, in comparison to AES; and also to a lesser extent, an understanding that people are using Simon and Speck as an outlet for political activism, so I don't want people unfamiliar with the situation to choose Speck and potentially run into said activism unless they have no other option.
02:55 Stable kernel updates
That said, I ended up reverting back to 4.14.48 after .49 caused a freeze-up and a reboot while the system was under load.
Haven't tried .50 yet. Another day, another "stable" kernel update. :)
The code was changed to do umount -l of anything mounted on the removed directory. However the generic code assumed the directory was empty and so did not umount -l of any files or directories in the removed directory, assuming removed directories were always empty.
d_invalidate handles the recursive umount -l properly, and is how filesystems like proc with a revalidate handler ultimately get the job done.
It sounds like there is just a case of some special filesystems that need to call d_invalidate to trigger the unmount instead of leaking things.
02:55 XArray and the mainline
I've asked for the XArray to be added to linux-next now that -rc1 is out:
02:55 Stable kernel updates
Did you report upstream (e.g. at firstname.lastname@example.org)?
How reproducible is it? Can you bisect?
We have migrated literally every Py2-requiring package we've dealt with to Py3, and most of it is done in under a day. We always send those patches upstream, as well.
The only sticking point has been gnome-doc-utils, which has a Py3 port in progress, but there's still some issues with it. I'm hopeful we'll be able to ship docs with our Gnome packages some time in 2019 at their current rate.
We have a tracker bug for software that incorrectly uses /usr/bin/python instead of python3, as well, and that's going to need to be handled eventually: https://bts.adelielinux.org/show_bug.cgi?id=41 Just haven't had the time yet.
My rationale for this has always been that we should not be shipping known-deprecated software, nor should we be "propping up" bad practices such as continuing to rely on known-deprecated software.
Also companies masking their software to ROM typically would like to be able to reproduce the builds. I've used a build system for ROM masking that allowed you to fix bugs in EEPROM afterwards, taking into account what's in ROM in the build. I don't know how common that was, but it felt pretty cool at the time.
Reproducible builds aren't a new thing, nor a specifically open source thing.
As to your comment about "activism", well, yeah, of course that comes into it, and justifiably so. Taking research from an institution with a track record of subverting random number generators and lobbying them into NIST standards for public use certainly should be questioned.
Looking at its lack of respect for the civil rights of US citizens is already quite sobering. For a non-US citizen like me, should I consider it anything other than a hostile force? I mean, our very own BKA certainly doesn't make me proud, but at least I don't find their stuff in the Linux kernel.
I cannot validate your technical argument for lack of knowledge, but I do value it. However, unlike you, I'm in the same position as most users: I have to trust crypto gurus. Now the lesson I've learned is to look for open-source implementations of algorithms developed in the open and vetted openly by experts who disclose their methods. You are basically saying, trust me, in this particular case it's ok to get into this nice uncle's car and take the ice cream. Yeah, one kid was never seen again a few years back, but uncle has seen the error of his ways. That is undoing many of the education efforts preached for years by Schneier and others, and goes against the only procedure laypersons have for choosing trustworthy cryptography.
If that's activism, call me an activist.
02:55 SPECK comments
I believe that crypto primitives should never be taken at face value, and the designers should never be trusted. That's why we chose a cipher that, among other things, has undergone extensive independent cryptanalysis (at least in comparison to other AES alternatives), yet still has a security margin similar to AES; has a very simple and straightforward design that is in line with other ARX ciphers found in the literature; where the designers have released extensive design rationale that actually *exceeds* the quality of what is normally found in the literature (if you disagree, I encourage you to actually read the papers and compare them to others); that is naturally resistant to timing attacks; and that supports secure block and key sizes.
Yes, Speck is an NSA-designed algorithm, which given their dual mission I too view as a negative. But I disagree that NSA-designed algorithms should be removed from consideration entirely on principle, any more than you would refuse to consider e.g. Chinese algorithms due to not trusting China, or refuse to use HTTPS, Bitcoin, etc. because their security is dependent on the NSA-designed SHA-256 algorithm. Remember that the NSA's mission also includes "information assurance", they've long had some of the world's best cryptographers, and they've been involved in crypto standards for decades (both designing algorithms, like SHA-1 and SHA-2, and reviewing and strengthening algorithms), with a positive role in all but one case which was actually a very obvious backdoor using public key cryptography. Note that it's impossible for Speck to contain a public key backdoor, as its parameter space is far too tiny. Therefore, any weakness in it can be exploited by anyone, not just the designers. And given that the NSA has approved Speck128/256 for use in U.S. National Security Systems (even up to "Top Secret" stuff, IIUC), it would be *very* awkward for them to know it has a weakness.
I know the field of cryptography has always had a political element, but I really hope that we can retain at least a scrap of technical merit, and not start having to choose algorithms based purely on things like where the designers work and live; or, even worse, being unable to use crypto at all because all the viable crypto choices are too politically contentious, yet "no crypto" is somehow okay.
BTW, the actual biggest weakness of the encryption used on phones is probably the user's PIN, as it's usually short enough to be brute-forced regardless of which cipher is used; see e.g. https://blog.malwarebytes.com/security-world/2018/03/gray.... I find it silly that people worry about a certain nation-state adversary breaking a *block cipher* (despite pretty solid evidence they can't), when said adversary, and even some less capable adversaries, can almost certainly already "break" the cryptosystem anyway even if the cipher is AES. Of course, this still doesn't make encryption useless; it's still good to make attacks as difficult and costly as possible, and raise the bar to exclude as many adversaries as possible.
Making sure you can rebuild perfectly only helps so much if you don't have any update path to fix problems in your perfectly rebuilt software (it may rebuild perfectly but it is never perfect as a whole). And the natural bend of a dev you're asking to produce anything that can be rebuilt perfectly is to set in stone the versions of all components, make lists over lists of exact git hashes, locking down everything so much:
1. it's a major PITA to update any of the used software components
2. the actual component states used in each software start to drift, since everyone locks down different versions
3. that in turn increases the amount of versions that would need to be audited to make actual use of the perfectly rebuilt software ecosystem
So you end up with something that one could audit in theory (because you're sure the result can be reproducible, making the audit worthwhile) but that no one will audit in practice (too much version drift resulting in too many individual components versions that need actual checking).
02:55 An update on bcachefs
bcache works like a charm (rebooted yesterday, usually I have ~80% hit rate ...). It caches my 2TB media hdd on my notebook through an 80GB SSD partition. I also use it on my home server to cache /home.
I'm looking forward to bcachefs as I'm quite disappointed by btrfs and zfs.
Bcache + ext4 still has proven the most stable and pleasantly fast solution so far, thank you very much for this.
The articles could be more precise. You're right that the images are not the real problem but they are part of the attack. Deleting the account and hence those images would have temporarily stopped the attacks. To be fair, it would have turned into a whack-a-mole as the images could have been uploaded to another account on DockerHub but doing nothing is certainly not the right move to increase or gain trust.
And I'm saying (for a third time) that this "very little" is still quite useful in certain contexts.
> Most of the time a git commit works fine and a + character on the end to show it has been modified locally. That actually gives you more information than just the time stamps.
That only tells you if something has been modified since the last commit, which is simultaneously more info, and less info, than a simple build timestamp can provide.
02:55 Python virtual environments
Agreed, I feel that Nix shells and guix environment provide similar functionality but are more robust (they make no assumptions about the environment) and not limited to Python.
02:55 Python virtual environments
Yep, it really is this simple. I too do it all the time, which is why I was confident enough to stand up and say it should just be automatic. The only challenge is agreeing on "what magic marker means we should put a certain directory in sys.path", and I think we'll be okay there (likely __pypackages__ - if that directory exists, you can import everything from it and pip will default to installing into it).
Glad our armchair commentary is already addressed.
Sadly, to the best of my knowledge there are no 802.11ac chipsets w/ both open-source drivers & firmware - I believe even the ath10k 802.11ac chipsets have closed firmware blobs. :-( I would love to hear about any I've missed.
Dongles based on this chipset are available
If I remember correctly there was a FOSS enthusiast working for Atheros who convinced them to release the firmware code but he has since left the company
However, that's obviously not sufficient for some problems, so I salute modernizing sys.path setup.
I'd be curious how fast UDP on the other operating system went, to know if it topped out at the same 100Mb/s.
Needless to say I won't be competing with CrashPlan because a) I won't have a wizzy GUI and b) I won't write something that slows the system to an utterly unusable crawl (or that's what the Windows version does, anyway, which I am forced to use on the work laptop I never turn on). Oh also CrashPlan actually exists. Code that doesn't exist has minimal effect on system performance!
currentGentooOnly64Bit50Prod ~ # ls /usr/src
linux linux-4.9.74-grsecurity linux-4.9.95-gentoo
currentGentooOnly64Bit50Prod ~ # rm -rf /usr/src/linux-4.9.95-gentoo
currentGentooOnly64Bit50Prod ~ # ls /usr/src
Personally I've found virtualenvs to be so fragile that I will never use them again. I would advise teaching students a path that doesn't fall over so easily.
02:38 New 'Tent' Assembly Line Is 'Way Better' Than Conventional Factory, Says Tesla CEO
A few days ago, Elon Musk announced a "new general assembly line" made with "minimal resources." As Ars Technica reports, this new tented facility "is seemingly the first phase of an entirely new building, dubbed 'Factory 2.0.'" From the report: The tent is easily visible from the nearby Warm Springs BART station platform. When Ars visited on Monday afternoon, there appeared to be cranes and forklifts moving around the site. We could not easily see inside the long white temporary structure, but there did not appear to be any newly completed vehicles rolling off the lines in the adjacent parking lot. Still, one automotive expert that Ars spoke with said that a new temporary manufacturing facility on the same site as conventional automotive factories was unprecedented in the industry. Dave Sullivan, an analyst with Auto Pacific, told Ars that he wondered what was wrong with Tesla's existing facilities, if Musk decided the company needed more capacity. "It's almost a sign of desperation," he said. "It's a sprint to be profitable in the third quarter." Ars notes that "each tent is 53-feet-high by 150-feet-long -- there seem to be several connected in a long line, mounted with aluminum framing." In a tweet, Musk said: "It's actually way better than the factory building. More comfortable & a great view of the mountains."
02:38 Bumbling Hacker 'Bitcoin Baron' Sentenced To 20 Months In Prison
An anonymous reader writes: "A hacker once considered 'the Internet's most inept criminal' received on Monday a prison sentence of 20 months in prison for launching DDoS attacks against the city of Madison, Wisconsin -- attacks which caused delays and outages to various municipality services, including its 911 emergency call center," reports Bleeping Computer. He was sentenced for this attack in particular, part of a plea deal, but his attacks span over two years. The hacker, Randall Charles Tucker, 23, known as Bitcoin Baron, never bothered hiding his attacks, advertised them on Twitter, and used public chats and Skype to brag about his deeds. According to a timeline of events, Tucker carried out all of these hacks -- most of which were downright silly -- as a way to boost his reputation before going to jail for stabbing his father with a prison knife. The plan backfired when authorities linked him to the hacks, and he received another 20 months in prison on top of the original 18 months.
Hewlett Packard Enterprise will make a US$4bn bet on edge computing, CEO Antonio Neri confirmed at the Discover CIO conference in Las Vegas today....
Australia's dominant telco, Telstra, will cut 8,000 jobs, flatten its structure by slicing up to four layers of management, turn 1,800 consumer products into 20 (with a similar reduction in the number of enterprise products later), and put its infrastructure into a separate division that could be sold off in the future....
01:09 Tiny MIT chip helps bee-sized drones navigate
You may have seen drones that behave like bees, but drones the size of bees are another matter. How do you help it navigate when virtually any conventional computing power would be too heavy and power-hungry? Make it incredibly tiny, that's how. M...
01:09 Superhero epic 'Invincible' heads to Amazon as an animated series
Amazon Studios has greenlit an animated series based on the comic Invincible, which was created by artist Cory Walker and writer Robert Kirkman, who made The Walking Dead. The new show's source material tells the story of Mark Grayson, an ordinary te...
01:08 Portland Kicks Off Smart City Initiative With Traffic Sensor Safety Project
An anonymous reader quotes a report from ZDNet: Portland, Oregon officials claim its city has some of the best bike data in the United States -- data revealing how many people ride bicycles, where they're going and what streets they're using. Their collection of that data, however, has been as low-tech as it gets: city staffers and volunteers stand out on street corners for two hours at a time and count. Now, the city is aiming for more comprehensive, accurate data collection with the installation of 200 sensors installed on street lights on three of Portland's deadliest streets: Southeast Division St., SE Hawthorne Blvd. and 122nd St. The Traffic Sensor Safety Project, for a price tag of just over $1 million, represents the first major milestone for the Smart City PDX initiative. It relies on GE's Current CityIQ sensors, which are powered with Intel IoT technology and use AT&T as the data carrier. GE, Intel and AT&T have already worked together to deploy smart streetlight sensors in San Diego.
01:08 Square Obtains New York State Cryptocurrency License
The payment company Square has obtained a license to offer New York state residents the ability to buy and sell bitcoin through its Cash App, the company announced on Monday. "This makes Square the ninth firm to have obtained a so-called 'BitLicense' by the New York State Department of Financial Services," reports Reuters. From the report: To grant the license, the financial watchdog conducted a comprehensive review of Square's app, including its anti-money laundering, anti-fraud and cybersecurity policies, NYDFS said in statement. Square also holds a money-transmitter license from NYDFS. The San Francisco-based company, best known for selling a device that enables small businesses to accept credit card payments easily, first enabled bitcoin purchases on its app in other states in January.
Facebook has open sourced a binary optimization and layout tool, itself optimized into the acronym BOLT, in the hope it can make large applications faster....
Thomas Barton, CEO of struggling storage array supplier Tintri, has resigned, leaving the California upstart leaderless as it heads toward running out of cash by the end of the month....
Analysis A group claiming to represent the interests of California's tech startups has argued that the US state should allow so-called zero rating services, despite the negative impact it would have on tech startups....
Oracle has capped off a solid fiscal year and is predicting big things to come for its database line in the coming 12 months....
00:27 AT&T is already planning more acquisitions, days after buying Time Warner
AT&T unveils new video service and is buying more companies to boost advertising.
00:27 Audi CEO connected to diesel scandal arrested in Germany after phone taps
The arrest comes a week after Rupert Stadler's home was raided.
00:27 Reminder: macOS still leaks secrets stored on encrypted drives
Thumbnails from encrypted drives live on long after the drives are disconnected.
00:27 New study adds evidence to debate over the only known Clovis burial
New radiocarbon dating methods add evidence to a 20-year-old archaeological debate.
00:27 President Trump makes news at Space Council meeting by going off script
"Stay apart. Stay apart. Don't get together. Stay apart."
00:27 Musk alleges Tesla Model 3 production has been sabotaged, according to CNBC
A disgruntled employee is alleged to have sabotaged the company's systems.
00:27 Man who allegedly gave Vault 7 cache to WikiLeaks busted by poor opsec
FBI used passwords used on suspect's cellphone to also get into his computer.
00:27 Hackers who sabotaged the Olympic games return for more mischief
Olympic Destroyer gang may be planning new destructive hacks, researchers say.
00:27 Air Force tests two turboprops as potential A-10 "replacements"
Video: OA-X project's second phase tests Super Tucano, Beechcraft Wolverine.
00:27 The top ten games from E3 2018
Prepare for falling blocks, superheroes, and competitive nuclear apocalypse.
00:27 Senate rejects Trump's plan to lift ZTE export ban
Trump is seeking to lift the export ban as a "personal favor" to China.
00:27 Tesla CEO: New "tent" assembly line is "way better" than conventional factory
"Not sure we actually need a building. This tent is pretty sweet."
00:27 Alexa for hotels lets guests order room service, control in-room smart devices [Updated]
Do you want Alexa to be your personal concierge?
00:27 Google launches a Web client for Android's SMS app
Yet another Google Web client for yet another Google messaging service.
00:27 Gallery: Take a tour of E3's video game theme park
The cutest, oddest, and most surprising sights from the E3 show floor.
00:27 More than one in three drivers doesn't know when their tires are bald
They're round, black, and the only part of your vehicle to touch the road.
00:27 Microsoft's new diverse avatar editor represents more body types, disabilities
The new editor is coming today to the Xbox Insider program.
00:27 Verizon and AT&T will stop selling your phone's location to data brokers
Carriers forced to make changes after leak of real-time phone location data.
00:27 Dealmaster: Get a Samsung T5 portable SSD for $128
Plus deals on wireless headphones, Roku streamers, Nest thermostats, and more.
00:27 Jurassic World Evolution review: Genetic dead ends
This park management sim starts strong but fails to evolve.
23:39 US regulator blocks sales of device that fools Tesla's Autopilot
The National Highway Traffic Safety Administration (NHTSA) has demanded that the company behind a gadget called the Autopilot Buddy stops selling the device in the US. The gizmo makes Tesla's Autopilot think a driver has their hands on the steering w...
23:39 A tiny Xbox One S is the latest American Girl accessory
As in all children's toys, representation in American Girl's line of dolls is key: The last to be introduced was a Latin American girl destined to reach Mars. But maybe owners just want to see theirs kick back, relax, and play a few rounds of Fortnit...
23:39 Arizona man gets 20 months in prison for emergency system DDoS attacks
Denial of service attacks are serious by themselves, but doubly so when they target vital systems... and one perpetrator is finding that out first-hand. A court has sentenced Arizona resident Randall Charles Tucker (who nicknamed himself the "Bitcoi...
23:38 Facebook Ordered To Explain Deleted Profile
An anonymous reader quotes a report from BBC: Facebook has been ordered by a UK high court judge to reveal who told it to delete the profile of a jazz musician and his band, six months after he died. The Times reports that the firm said it had acted on a request but had declined to reveal to the family who had instructed it. Mirza Krupalija's partner Azra Sabados says she is certain that it was not a family member or friend. She said losing his posts and messages felt like losing him "a second time." Mr Krupalija, who lived in Sarajevo, suffered a fatal heart attack just after his 57th birthday in 2016. Ms Sabados said she spent a year talking to Facebook before pursuing legal action. Ms Sabados' lawyer Greg Callus from the law firm 5BR confirmed to the BBC that Facebook is now required to provide the details under what is legally known as a Norwich Pharmacal Order -- where Facebook is innocent but may have information about a third party who could be involved in wrongdoing. The firm will have 21 days to respond.
23:38 Uber 'Neglected' Simulation Testing For Its Autonomous Vehicles, Says Report
According to a report from The Information, Uber allegedly "neglected" simulation testing for its autonomous vehicles. "The publication's sources claim that there was a dearth of investment in the simulation software, and lots of incompatible code between the autonomous vehicle software and simulation software Uber is developing internally," reports Engadget. "However, the sources said there isn't a direct link between the lack of investment and the fatal accident involving one of Uber's autonomous taxis and a pedestrian." From the report: It's worth noting that the Unreal Engine-powered simulation software is still relatively new. The Information writes that the suite wasn't developed until after self-driving project lead Anthony Levandowski was fired mid-2017. To add insult to injury, initially, there were also differences in pay between simulation engineers and other engineers in the department. The end goal was to release a self-driving car in Arizona this year, codenamed "Roadrunner," to compete with Waymo's offering just outside of Phoenix.
23:38 T-Mobile and Sprint Ask For Merger Approval
According to documents filed Monday, T-Mobile and Sprint have formally asked the FCC to approve their proposed merger. Axios reports: In their filing, the companies said that the deal would "generate substantial public interest benefits for the customers of T-Mobile and Sprint and for U.S. wireless customers as a whole, and do not give rise to any competitive harms." "The merger unlocks the door to new broadband choices and capabilities for consumers across the country while accelerating the arrival of transformative 5G services that will produce innovation, jobs, and economic growth for our country," the companies said. Basically, the two companies have to prove to the FCC that the deal benefits consumers, and avoid antitrust concerns currently being investigated by the Department of Justice.