Security

DDoS Attacks Will Now Be 'Something You Only Read About In The History Books', Says Cloudflare CEO (vice.com) 95

Louise Matsakis, writing for Motherboard: Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size. Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. "The standard practice in the industry for some time has been to charge more if you come under attack," Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often "fire you as a customer if you're not sort of paying enough and you get a large attack," he explained. "That's kind of gross."
Desktops (Apple)

Apple Releases macOS High Sierra; Ex-NSA Hacker Publishes Zero-Day 51

Apple today released the newest version of its operating system for Macs, macOS High Sierra, to the public. macOS High Sierra is a free download, and offers a range of new features and improvements including the new Apple File System, and support for High Efficiency Video Encoding (HEVC) for better compression without loss of quality, and HEIF for smaller photo sizes. Zack Whittaker, reporting for ZDNet: Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack -- a password exfiltration exploit -- in action. Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault. But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.
Patents

Cloudflare Pays First $7,500 Bounties In War Against Patent Troll (cloudflare.com) 35

Cloudflare declared war on a group of lawyers that files patent lawsuits against tech firms, by offering bounties for the discovery of patent-invalidating "prior art." Now an anonymous reader writes: On Thursday, Cloudflare announced it has paid out the first $7,500 to people who discovered documents that could help invalidate Blackbird's patents. The money is part of a $100,000 war chest the company announced this spring... The company said it is ready to launch individual challenges to specific Blackbird patents. The company believes it has enough examples of prior art on US Patent 7,797,448, "GPS-internet Linkage" and US Patent 6,453,335 (the one asserted against Cloudflare) to lodge a challenge.
"We have received more than 230 submissions so far," Cloudflare reports, "and have only just begun to scratch the surface."
Security

Experian Criticized Over Credit-Freeze PIN Security and 'Dark Web' Scans (theverge.com) 65

Security researcher Brian Krebs complains that Experian's identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge: Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person's name, address, date of birth, and Social Security number...data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address -- any email -- and answer a few security questions.

That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."

Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.
Government

Spain's Crackdown on Catalonia Includes Internet Censorship (internetsociety.org) 349

Spain's autonomous Catalonia region wants to hold a referendum on independence next weekend. Spain's Constitutional Court insists that that vote is illegal, and has taken control of Catalonia's police force to try to stop the vote. They're deploying thousands of additional police officers and have seized nearly 10 million ballots. And now the Internet Society has gotten involved, according to an announcement shared by Slashdot reader valinor89: Measures restricting free and open access to the Internet related to the independence referendum have been reported in Catalonia. There have been reports that major telecom operators have been asked to monitor and block traffic to political websites, and following a court order, law enforcement has raided the offices of the .cat registry in Barcelona, examining a computer and arresting staff.

We are concerned by reports that this court order would require a top-level domain (TLD) operator such as .cat to begin to block "all domains that may contain any kind of information about the referendum."

Communications

Microsoft and Facebook Just Built a 4,000-Mile Cable Across the Pacific Ocean (popularmechanics.com) 150

An anonymous reader quotes Popular Mechanics: Microsoft, Facebook and global telecommunication infrastructure company Telxius have completed the Marea subsea cable, the world's most technologically advanced undersea cable. The Marea crosses the Atlantic Ocean over 17,000 feet below the ocean's surface, connecting Virginia Beach with Bilbao, Spain. Over 4,000 miles (6,600 kilometers) long and weighing nearly 10.25 million pounds (4.65 million kilograms), the Marea can transmit up to 160 terabits of data per second, which Microsoft notes is "more than 16 million times faster than the average home internet connection, making it capable of streaming 71 million high-definition videos simultaneously."
The undersea cable -- about 1.5 times the diameter of a garden hose -- contains eight pairs of fiber optic cables encircled by copper, a protective layer of hard plastic, and then waterproof coating. Its 4,000-mile route had to avoid everything from earthquake zones to active volcanoes.

Cables under the Atlantic Ocean carry 55% more data than cables under the Pacific, Microsoft writes, adding that "the project highlights the increasing role of private companies in building the infrastructure of the future."
The Internet

Move Over Connected Cows, the Internet of Bees Is Here (cityam.com) 45

A new project is aiming to bring bees online by putting them in tiny "backpacks" so that scientists can track the threatened insect's behaviour and help its survival. From a report: Bees in Manchester initially will be connected to the internet using technology from Cisco to help researchers track their migration, pollination and movement, and eventually, across the UK. Sensors in hives located at a new 70,000 sq ft tech accelerator hub in the northern city called Mi-Idea, will measure the bee environment such as temperature, while the bees themselves will be tagged with RFID chips that look like tiny backpacks. All the information will be collected and made available to track online giving insight on their habitats, with the bees even providing "status updates" (albeit automated) on their whereabouts. Cisco is working on the project with the Manchester Science Partnership (MSP) and the hub is already home to six startups: Hark, an IoT data company, video platform Wattl, location data analytics startup PlaceDashboard, Steamaco, an energy technology company, IOT platform KMS and software firm Malinko.
DRM

Corporations Just Quietly Changed How the Web Works (theoutline.com) 248

Adrianne Jeffries, a reporter at The Outline, writes on W3C's announcement from earlier this week: The trouble with DRM is that it's sort of ineffective. It tends to make things inconvenient for people who legitimately bought a song or movie while failing to stop piracy. Some rights holders, like Ubisoft, have come around to the idea that DRM is counterproductive. Steve Jobs famously wrote about the inanity of DRM in 2007. But other rights holders, like Netflix, are doubling down. The prevailing winds at the consortium concluded that DRM is now a fact of life, and so it would be better to at least make the experience a bit smoother for users. If the consortium didn't work with companies like Netflix, Berners-Lee wrote in a blog post, those companies would just stop delivering video over the web and force people into their own proprietary apps. The idea that the best stuff on the internet will be hidden behind walls in apps rather than accessible through any browser is the mortal fear for open web lovers; it's like replacing one library with many stores that each only carry books for one publisher. "It is important to support EME as providing a relatively safe online environment in which to watch a movie, as well as the most convenient," Berners-Lee wrote, "and one which makes it a part of the interconnected discourse of humanity." Mozilla, the nonprofit that makes the browser Firefox, similarly held its nose and cooperated on the EME standard. "It doesn't strike the correct balance between protecting individual people and protecting digital content," it said in a blog post. "The content providers require that a key part of the system be closed source, something that goes against Mozilla's fundamental approach. We very much want to see a different system. Unfortunately, Mozilla alone cannot change the industry on DRM at this point."
Businesses

Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com) 100

Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, a judge has dismissed the FTC's case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the Judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."
Youtube

More Are Paying To Stream Music, But YouTube Still Holds the Value Gap (theregister.co.uk) 43

An anonymous reader shares a report: With Google's user-generated content loophole firmly in lawmakers' sights, global music trade body IFPI has published new research looking at demand for music streaming. The research confirms YouTube's pre-eminence as the world's de facto jukebox. 46 percent of on-demand music streaming is from Google's video website. 75 percent of internet users use video streaming to hear music. The paid-for picture is bullish: 50 percent of internet users have paid for licensed music in the last six months, in one form or another, of which 53 percent are 13- to 15-year-olds. Audio streaming is split between 39 percent who stream for free and 29 percent who pay. [...] So what's the problem? European policy makers have become convinced by the "value gap" argument: compensation doesn't reflect usage. Google finds itself with a unique advantage here, thanks to YouTube's "user-generated content" exception, as we explained last year.
Businesses

Slashdot Asks: Why Does Google Want To Purchase HTC? (bloomberg.com) 101

Rumor has it Google is planning to purchase HTC -- or at least a portion of it. Speculation about this has been doing the rounds for weeks now, and it reached a new high today after HTC said its stock will stop trading from Thursday, as it prepares to make a "major announcement" tomorrow. Bloomberg reported today: Alphabet's Google is close to acquiring assets from Taiwan's HTC, according to a person familiar with the situation, in a bid to bolster the internet giant's nascent hardware business. HTC, once ranked among the world's top smartphone makers, is holding a town hall meeting Thursday, according to tech website Venture Beat, which cited a copy of an internal invitation. The shares will also be suspended from trading as of Sept. 21 due to a pending announcement, according to the Taiwan stock exchange. Of course Google has made similar moves in the past. It previously owned Motorola for a brief period of time, but that acquisition didn't materialize much. The company has, however, since re-hired the Motorola chief it once had, Rick Osterloh, and founded a separate hardware team under his stewardship. Claude Zellweger, the one-time chief designer of HTC Vive, is also now at Google, working on that company's Daydream virtual reality system.

What reasons could Google have to purchase HTC? Share your thoughts in the comments section below.
The Courts

Pepe the Frog's Creator Is Sending Takedown Notices To Far-Right Sites (vice.com) 332

An anonymous reader quotes a report from Motherboard: Pepe the Frog creator Matt Furie has made good on his threat to "aggressively enforce his intellectual property." The artist's lawyers have taken legal action against the alt-right. They have served cease and desist orders to several alt-right personalities and websites including Richard Spencer, Mike Cernovich, and the r/the_Donald subreddit. In addition, they have issued Digital Millennium Copyright Act takedown requests to Reddit and Amazon, notifying them that use of Pepe by the alt-right on their platforms is copyright infringement. The message to the alt-right is clear -- stop using Pepe the Frog or prepare for legal consequences. Furie originally created Pepe as a non-political character for his Boy's Club comic, but Pepe later became an internet meme and during the 2016 U.S. presidential election the alt-right movement appropriated the frog in various grotesque and hateful memes.
AI

You Might Use AI, But That Doesn't Mean You're an AI Company, Says a Founder of Google Brain (venturebeat.com) 73

As the AI space gets crowded, there are a slew of businesses -- new and old -- looking to market themselves as "AI companies." But according to Andrew Ng, a founder of the Google Brain team and a luminary in the space, there's more to being an AI company than just using a neural net. From a report: In his view, while it's possible to create a website for a shopping mall, that doesn't make it an internet company. In the same way, just implementing basic machine learning does not make a standard technology company (or any other business) an AI company. "You're not an AI company because there are a few people using a few neural networks somewhere," Ng said. "It's much deeper than that." First and foremost, AI companies are strategic about their acquisition of data, which is used as the fuel for machine learning systems. Once an AI company has acquired the data, Ng said that they tend to store it in centralized warehouses for processing. Most enterprises have their information spread across multiple different warehouses, and collating that data for machine learning can prove difficult. AI companies also implement modern development practices, like frequent deployments. That means it's possible to change the product and learn from the changes.
Privacy

In a 'Plot Twist', Wikileaks Releases Documents It Claims Detail Russia Mass Surveillance Apparatus (techcrunch.com) 168

WikiLeaks, believed by many to be a Kremlin front, surprised some observers Tuesday morning (Snowden called it a "plot twist") when it released documents linking a Russian tech company with access to thousands of citizens' telephone and internet communications with Moscow. From a report: Writing a summary of the cache of mostly Russian-language documents, Wikileaks claims they show how a long-established Russian company which supplies software to telcos is also installing infrastructure, under state mandate, that enables Russian state agencies to tap into, search and spy on citizens' digital activity -- suggesting a similar state-funded mass surveillance program to the one utilized by the U.S.'s NSA or by GCHQ in the U.K. (both of which were detailed in the 2013 Snowden disclosures). The documents which Wikileaks has published (there are just 34 "base documents" in this leak) relate to a St. Petersburg-based company, called Peter-Service, which it claims is a contractor for Russian state surveillance. The company was set up in 1992 to provide billing solutions before going on to become a major supplier of software to the mobile telecoms industry.
The Internet

Internet Is Having a Midlife Crisis (bbc.com) 172

An anonymous reader shares a report: The rise of cyber-bullying and monopolistic business practices has damaged trust in the internet, pioneering entrepreneur Baroness Lane-Fox has told the BBC. The Lastminute.com founder also called for a "shared set of principles" to make the web happier and safer. She said the internet had done much good over the last 30 years. But she said too many people had missed out on the benefits and it was time to "take a step back". "The web has become embedded in our lives over the last three decades but I think it's reached an inflexion point, or a sort of midlife crisis," she told Radio 4's Today programme. Baroness Lane-Fox co-founded travel booking site Lastminute.com in 1998 before going on to sell the firm for £577m seven years later. She described the early days of the internet as being "full of energy and excitement," and akin to the "wild West". "There was this feeling that suddenly, with this access to this new technology, you could start a business from anywhere," she said. However, she said that while technology had become a hugely important sector of the UK economy, it had not fulfilled its early potential.
Chrome

Google Chrome Most Resilient Against Attacks, Researchers Find (helpnetsecurity.com) 98

Between Google Chrome, Microsoft Edge, and Internet Explorer, Chrome has been found to be the most resilient against attacks, an analysis by security researchers has found. Firefox, Safari, and Opera were not included in the test. From a report: "Modern web browsers such as Chrome or Edge improved security in recent years. Exploitation of vulnerabilities is certainly more complex today and requires a higher skill than in the past. However, the attack surface of modern web browsers is increasing due to new technologies and the increasing complexity of web browsers themselves," noted Markus Vervier, Managing Director of German IT security outfit X41 D-Sec (and one of the researchers involved in the analysis). The researchers' aim was to determine which browser provides the highest level of security in common enterprise usage scenarios.
United States

Americans Plan Massive 'Net Neutrality' Protest Next Week (theguardian.com) 110

An anonymous reader quotes the Guardian: A coalition of activists, consumer groups and writers are calling on supporters to attend the next meeting of the Federal Communications Commission on September 26 in Washington DC. The next day, the protest will move to Capitol Hill, where people will meet legislators to express their concerns about an FCC proposal to rewrite the rules governing the internet... The activist groups are encouraging internet users to meet their lawmakers and tell them how a free and open internet is vital to their lives and their livelihoods...

"The FCC seems dead set on killing net neutrality, but they have to answer to Congress, and Congress has to answer to us, their constituents," said Evan Greer, campaign director for Fight for the Future, one of the protest's organisers. "With this day of advocacy, we're harnessing the power of the web to make it possible for ordinary internet users to meet directly with their senators and representatives to tell their stories, and make sure that lawmakers hear from the public, not just lobbyists for AT&T and Verizon," she said.

Monday Mozilla and the Internet Archive are also inviting the public to a free panel discussion featuring former FCC Chairman Tom Wheeler on ways the American public can act to preserve net neutrality.
Security

Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com) 86

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host at their domain root to describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full
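To show how the draft format above would be consumed in practice, here is an added example (not the draft's or Ed Foudil's code) that parses a security.txt file into its fields and runs the checks a site operator would want before publishing one. The field names are the ones in the quoted sample; the validation rules, the regexes and the placeholder paths standing in for the two truncated URLs are this example's own assumptions.

```python
"""Minimal parser for the security.txt format as sketched in the IETF draft
quoted above. Added example, not the draft's or Ed Foudil's code; the field
names (Contact, Encryption, Acknowledgement, Disclosure) are the ones shown on
the page, and the validation rules here are this example's own assumptions."""
import re
from urllib.parse import urlparse

# Fields shown in the page's sample file. Later draft revisions may add more;
# unknown fields are kept but flagged so the caller can decide what to do.
KNOWN_FIELDS = {"Contact", "Encryption", "Acknowledgement", "Disclosure"}

# Constructed sample; the two URLs the page truncated are replaced with
# placeholder paths under example.com.
SAMPLE = """\
# This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.txt
Acknowledgement: https://example.com/acknowledgements
Disclosure: Full
"""

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_PHONE = re.compile(r"^\+?[0-9][0-9\-. ()]{5,}$")


def parse_security_txt(text):
    """Return ({field: [values...]}, errors), preserving order and repeats.

    Lines starting with '#' and blank lines are ignored. A line without a
    'Field: value' shape is reported in the errors list instead of raising.
    """
    fields = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            errors.append(f"line {lineno}: malformed field '{raw}'")
            continue
        fields.setdefault(name, []).append(value)
    return fields, errors


def _is_https_url(value):
    parts = urlparse(value)
    return parts.scheme == "https" and bool(parts.netloc)


def check_policy(fields):
    """Sanity checks before publishing; returns a list of findings (empty = ok)."""
    findings = []
    if not fields.get("Contact"):
        findings.append("no Contact field: researchers have nobody to reach")
    for value in fields.get("Contact", []):
        if not (_EMAIL.match(value) or _PHONE.match(value) or _is_https_url(value)):
            findings.append(f"Contact value not email/phone/https URL: {value}")
    for value in fields.get("Encryption", []):
        # A key fetched over plain http could be swapped in transit, so a
        # researcher's report would end up encrypted to the wrong key.
        if not _is_https_url(value):
            findings.append(f"Encryption key must be served over https: {value}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unrecognised field '{name}' (not in the quoted draft)")
    return findings


if __name__ == "__main__":
    parsed, errs = parse_security_txt(SAMPLE)
    for finding in check_policy(parsed) + errs:
        print("finding:", finding)
    print(parsed)
```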

Youtube

PewDiePie Is Inexcusable But DMCA Takedowns Are Not the Way To Fight Him (vice.com) 506

An anonymous reader quotes a report from Motherboard: Felix Kjellberg, better known as PewDiePie, is the most popular YouTuber in the world. He's gotten himself into another controversy, this time for shouting the n-word while livestreaming a video game. The 27-year-old Swede has repeatedly been criticized for hate speech, and just last month said he would no longer make Nazi jokes after a white supremacist rally in Charlottesville, Virginia turned violent. But while playing PlayerUnknown's Battlegrounds on Sunday, Kjellberg, who has over 57 million subscribers on YouTube, called another player the n-word before erupting into laughter. "What a fucking n****r," he said. "Jeez, oh my god. What the fuck? Sorry, but what the fuck? What a fucking asshole. I don't mean that in a bad way." Kjellberg did not immediately respond to a request for comment, and has yet to publicly acknowledge the incident.

In response to Kjellberg's use of a racial slur, a number of video game players and developers have condemned the creator. Sean Vanaman, the co-founder of video game company Campo Santo, decided to use copyright law to push back against Kjellberg. On Twitter, he said he was filing a Digital Millennium Copyright Act (DMCA) takedown request against the famous YouTuber regarding a video in which Kjellberg plays Campo Santo's game Firewatch. There are compelling reasons to [remove hate speech from major internet platforms] by any means necessary, but DMCA overreach is among the least compelling options, considering that it unilaterally puts power into the hands of what are essentially uninvolved parties and allows for little arbitration or defense on the part of those who have their content removed.

Security

ISPs Claim a Privacy Law Would Weaken Online Security, Increase Pop-Ups (arstechnica.com) 86

An anonymous reader quotes a report from Ars Technica: The country's biggest Internet service providers and advertising industry lobby groups are fighting to stop a proposed California law that would protect the privacy of broadband customers. AT&T, Comcast, Charter, Frontier, Sprint, Verizon, and some broadband lobby groups urged California state senators to vote against the proposed law in a letter Tuesday. The bill would require Internet service providers to obtain customers' permission before they use, share, or sell the customers' Web browsing and application usage histories. California lawmakers could vote on the bill Friday of this week, essentially replicating federal rules that were blocked by the Republican-controlled Congress and President Trump before they could be implemented. The text and status of the California bill, AB 375, are available here.

The letter claims that the bill would "lead to recurring pop-ops to consumers that would be desensitizing and give opportunities to hackers" and "prevent Internet providers from using information they have long relied upon to prevent cybersecurity attacks and improve their service." The Electronic Frontier Foundation picked apart these claims in a post yesterday. The proposed law won't prevent ISPs from taking security measures because the bill "explicitly says that Internet providers can use customer's personal information (including things like IP addresses and traffic records) 'to protect the rights or property of the BIAS [Broadband Internet Access Service] provider, or to protect users of the BIAS and other BIAS providers from fraudulent, abusive, or unlawful use of the service,'" EFF Senior Staff Technologist Jeremy Gillula wrote.
