Facebook

European Lawmakers Asked Mark Zuckerberg Why They Shouldn't Break Up Facebook (theverge.com) 212

European lawmakers questioned Mark Zuckerberg in Brussels today for almost an hour and a half, asking him to address concerns about the Cambridge Analytica data leak and Facebook's potential monopoly. German MEP Manfred Weber asked whether the Facebook CEO could name a single European alternative to his "empire," which includes apps like WhatsApp and Instagram in addition to Facebook. "I think it's time to discuss breaking up Facebook's monopoly, because it's already too much power in only one hand," said Weber. "So I ask you simple, and that is my final question: can you convince me not to do so?" Belgian MEP Guy Verhofstadt then chimed in and asked whether Facebook would cooperate with European antitrust authorities to determine whether the company was indeed a monopoly, and if it was, whether Facebook would accept splitting off WhatsApp or Messenger to remedy the problem. The Verge reports: The panel's format let Zuckerberg selectively reply to questions at the end of the session, and he didn't address Verhofstadt's points. Instead, he broadly outlined how Facebook views "competition" in various spaces. "We exist in a very competitive space where people use a lot of different tools for communication," said Zuckerberg. "From where I sit, it feels like there are new competitors coming up every day" in the messaging and social networking space. He also said that Facebook didn't hold an advertising monopoly because it only controlled 6 percent of the global advertising market. (It's worth noting: this is still a huge number.) And he argued that Facebook promoted competition by making it easier for small businesses to reach larger audiences -- which is basically unrelated to the question of whether Facebook itself is a monopoly.
Wireless Networking

Ask Slashdot: Which Is the Safest Router? 381

MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?
Communications

Wi-Fi Alliance's Wi-Fi EasyMesh Certification Aims To Standardize Mesh Networks (pcworld.com) 39

The Wi-Fi Certified EasyMesh program that the Wi-Fi Alliance announced today promises to do for mesh networks what the Alliance has long done for wireless networking gear in general: Assure consumers that they can build out wireless home networks without worrying if one brand of device will be compatible with another. From a report: The emergence of mesh networking somewhat undermined that effort, because every manufacturer pursued its own path. Wi-Fi is still Wi-Fi, so you don't need to worry that your smartphone, or media streamer, or home security camera will connect to your wireless router, regardless of brand. But if you buy a Linksys Velop router today, for example, you can buy only Linksys Velop access points if you want to expand your network to cover more areas of your home later. EasyMesh promises to bring to mesh networks the same interoperability assurances that conventional routers have long offered.
Microsoft

Microsoft Turned Customers Against the Skype Brand (bloomberg.com) 135

An anonymous reader quotes a report from Bloomberg: Since acquiring Skype from private equity investors, Microsoft has refocused the online calling service on the corporate market, a change that has made Skype less intuitive and harder to use, prompting many Skypers to defect to similar services operated by Apple, Google, Facebook and Snap. The company hasn't updated the number of Skype users since 2016, when it put the total at 300 million. Some analysts suspect the numbers are flat at best, and two former employees describe a general sense of panic that they're actually falling. The ex-Microsofters, who requested anonymity to discuss confidential statistics, say that as late as 2017 they never heard a figure higher than 300 million discussed internally.

Chief Executive Officer Satya Nadella has repeatedly said he wants the company's products to be widely used and loved. By turning Skype into a key part of its lucrative Office suite for corporate customers, Microsoft is threatening what made it appealing to regular folks in the first place. [...] Focusing on corporations was a reasonable strategy and one shared by Skype's prior management. Originally [former Microsoft CEO Steve Ballmer] and company pledged to let Skype operate independently from Lync, Microsoft's nascent internet phone service for corporations. But two years later the company began merging the two into Skype for Business and folded that into Office. Today, Microsoft is using Skype for Business to help sell subscriptions to its cloud-based Office 365 and steal customers from Cisco. Microsoft has essentially turned Skype into a replacement for a corporate telephone system -- with a few modern features borrowed from instant messaging, artificial intelligence and social networking.
In closing, Bloomberg argues "the complexity of the corporate software (security, search, and the ability to host town halls) crowds out the simplicity consumers prefer (ease-of-use and decent call quality)."
Security

Equifax's Data Breach By the Numbers: 146 Million Social Security Numbers, 99 Million Addresses, and More (theregister.co.uk) 69

Several months after the data breach was first reported, Equifax has published the details on the personal records and sensitive information stolen in the cybersecurity incident. "The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant's ongoing audit of the security breach," reports The Register. From the report: Late last week, the company gave the numbers in letters to the various U.S. congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America's financial watchdog. As well as the -- take a breath -- 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too.

The further details emerged after Mandiant's investigators helped "standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen." The extra data elements, the company said, didn't involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

Network

Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack (bleepingcomputer.com) 27

Two vulnerabilities affecting over one million routers, disclosed earlier this week, are now under attack by botnet herders, who are trying to gather the vulnerable devices under their control. From a report: Attacks started yesterday, Thursday, May 3, according to Netlab, the network security division of Chinese cyber-security vendor Qihoo 360. Exploitation of the two flaws began after an anonymous researcher published details of them on Monday, April 30, via the VPNMentor blog. His findings detail two flaws -- an authentication bypass (CVE-2018-10561) and a remote code execution vulnerability (CVE-2018-10562). The most ludicrous of the two is the first, which basically allows anyone to access the router's internal settings by appending the "?images" string to any URL, effectively giving anyone control over the router's configuration.
Twitter

Twitter Says Glitch Exposed 'Substantial' Number of Users' Passwords In Plain Text (reuters.com) 107

Twitter is urging its more than 330 million users to change their passwords after a glitch exposed some in plain text on its internal computer network. Reuters is first to report the news: The social network said an internal investigation had found no indication passwords were stolen or misused by insiders, but that it urged all users to consider changing their passwords "out of an abundance of caution." The blog did not say how many passwords were affected. Here's what Twitter has to say about the bug: "We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."

The social networking service is asking users to change their password "on all services where you've used this password." You can do so via the password settings page.
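The failure mode Twitter describes, as an added illustration that is not Twitter's code: a login handler that writes the request to a log before hashing runs, beside a hardened version that hashes first, logs only a redacted view, and installs a scrubbing filter as a last line of defence. The standard library's scrypt stands in for bcrypt here so the block runs without third-party packages; all names are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Form keys whose values must never reach a log line (assumed list).
SECRET_FIELDS = {"password", "passwd", "new_password"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. scrypt stands in for bcrypt.
    Returns 'salt_hex$digest_hex' so the salt travels with the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def login_buggy(form: dict, log: list) -> str:
    # BUG: the whole form, plaintext password included, is written to the log
    # before the hashing step ever runs. This is the class of mistake Twitter described.
    log.append(f"login attempt: {form}")
    return hash_password(form["password"])


def redact(form: dict) -> dict:
    """Return a copy of the form with secret fields replaced."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in form.items()}


def login_fixed(form: dict, log: list) -> str:
    # Hash first; log only the redacted view of the request.
    stored = hash_password(form["password"])
    log.append(f"login attempt: {redact(form)}")
    return stored


def log_leaks_secret(log: list, secret: str) -> bool:
    """Detection check: does any captured log line contain the plaintext secret?"""
    return any(secret in line for line in log)


# Matches password-like key/value pairs in dict reprs, JSON and query strings.
_SECRET_PATTERN = re.compile(
    r"(?i)(['\"]?(?:password|passwd)['\"]?\s*[:=]\s*)['\"]?[^'\",}&\s]+['\"]?"
)


def scrub(message: str) -> str:
    """Replace the value of any password-like field with a placeholder."""
    return _SECRET_PATTERN.sub(r"\1[REDACTED]", message)


class SecretScrubber(logging.Filter):
    """Logging filter that scrubs every record, so a stray f-string with a
    password in it is neutralised even when the calling code forgot to redact."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())  # format args first, then scrub
        record.args = ()
        return True


if __name__ == "__main__":
    logger = logging.getLogger("auth")
    logger.addFilter(SecretScrubber())
    logging.basicConfig(level=logging.INFO)
    logger.info("login attempt: %s", {"user": "alice", "password": "hunter2"})
```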
Communications

Iran Bans Use of Telegram Messaging App To Protect 'National Security' (reuters.com) 44

Iran has banned all use of the popular Telegram messaging app. The ban had been introduced to protect "national security," said a statement aired on state television. From a report: Iran had been considering the ban since January when protests over economic grievances erupted in more than 80 cities and later turned into demonstrations against the clerical and security elite of the Islamic Republic. Some hardline officials said protesters used Telegram to organize the rallies, which were ultimately contained by the Revolutionary Guards and their affiliated volunteer Basij militia. The app was temporarily blocked in January. "Considering various complaints against the Telegram social networking app by Iranian citizens, and based on the demand of security organizations to confront the illegal activities of Telegram, the judiciary has banned its usage in Iran," state TV reported. "All Internet providers in Iran must take steps to block Telegram's website and app as of April 30," the judiciary website Mizan quoted a court order as saying.
Network

On This Day 25 Years Ago, the Web Became Public Domain (popularmechanics.com) 87

On April 30, 1993, CERN -- the European Organization for Nuclear Research -- announced that it was putting a piece of software developed by one of its researchers, Tim Berners-Lee, into the public domain. That software was a "global computer networked information system" called the World Wide Web, and CERN's decision meant that anyone, anywhere, could run a website and do anything with it. From a report: While the proto-internet dates back to the 1960s, the World Wide Web as we know it had been invented four year earlier in 1989 by CERN employee Tim Berners-Lee. The internet at that point was growing in popularity among academic circles but still had limited mainstream utility. Scientists Robert Kahn and Vinton Cerf had developed Transmission Control Protocol and Internet Protocol (TCP/IP), which allowed for easier transfer of information. But there was the fundamental problem of how to organize all that information.

In the late 80s, Berners-Lee suggested a web-like system of management, tied together by a series of what he called hyperlinks. In a proposal, Berners-Lee asked CERN management to "imagine, then, the references in this document all being associated with the network address of the thing to which they referred, so that while reading this document you could skip to them with a click of the mouse."

Four years later, the project was still growing. In January 1993, the first major web browser, known as MOSAIC, was released by the National Center for Supercomputing Applications at the University of Illinois Urbana-Champaign. While there was a free version of MOSAIC, for-profit software companies purchased nonexclusive licenses to sell and support it. Licensing MOSAIC at the time cost $100,000 plus $5 each for any number of copies.

Businesses

SmugMug Buys Flickr, Vows To Revitalize the Photo Service (usatoday.com) 61

On Friday, Silicon Valley photo-sharing and storage company SmugMug announced it had acquired Flickr, the photo-sharing site created in 2004 by Ludicorp and acquired in 2005 by Yahoo. SmugMug CEO Don MacAskill told USA TODAY he's committed to revitalizing the faded social networking site, which hosted photos and videos long before it became trendy. Flickr will reportedly continue to operate separately, and SmugMug and Flickr accounts will "remain separate and independent for the foreseeable future." From the report: He declined to disclose the terms of the deal, which closed this week. "Flickr is an amazing community, full of some of the world's most passionate photographers. It's a fantastic product and a beloved brand, supplying tens of billions of photos to hundreds of millions of people around the world," MacAskill said. "Flickr has survived through thick-and-thin and is core to the entire fabric of the Internet." The surprise deal ends months of uncertainty for Flickr, whose fate had been up in the air since last year when Yahoo was bought by Verizon for $4.5 billion and joined with AOL in Verizon's Oath subsidiary.
Network

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com) 22

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attacks throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye, but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.
Operating Systems

'Fuchsia Is Not Linux': Google Publishes Documentation Explaining Their New OS (xda-developers.com) 245

An anonymous reader quotes a report from XDA Developers: You've probably seen mentions of the Fuchsia operating system here and there since it has been in development for almost 2 years. It's Google's not-so-secretive operating system which many speculate will eventually replace Android. We've seen it grow from a barely functional mock-up UI in an app form to a version that actually boots on existing hardware. We've seen how much importance Google places on the project as veteran Android project managers are starting to work on it. But after all of this time, we've never once had either an official announcement from Google about the project or any documentation about it -- all of the information thus far has come as a result of people digging into the source code.

Now, that appears to be changing as Google has published a documentation page called "The Book." The page aims to explain what Fuchsia, the "modular, capability-based operating system" is and is not. The most prominent text on that page is a large section explaining that Fuchsia is NOT Linux, in case that wasn't clear already. Above that are several readme pages explaining Fuchsia's file systems, boot sequence, core libraries, sandboxing, and more. The rest of the page has sections explaining what the Zircon micro-kernel is and how the framework, storage, networking, graphics, media, user interface, and more are implemented.

Security

'Vigilante Hackers' Strike Routers In Russia and Iran, Reports Motherboard (vice.com) 121

An anonymous reader quotes Motherboard: On Friday, a group of hackers targeted computer infrastructure in Russia and Iran, impacting internet service providers, data centres, and in turn some websites. "We were tired of attacks from government-backed hackers on the United States and other countries," someone in control of an email address left in the note told Motherboard Saturday... "We simply wanted to send a message...." In addition to disabling the equipment, the hackers left a note on affected machines, according to screenshots and photographs shared on social media: "Don't mess with our elections," along with an image of an American flag...

In a blog post Friday, cybersecurity firm Kaspersky said the attack was exploiting a vulnerability in a piece of software called Cisco Smart Install Client. Using computer search engine Shodan, Talos (which is part of Cisco) said in its own blog post on Thursday it found 168,000 systems potentially exposed by the software. Talos also wrote it observed hackers exploiting the vulnerability to target critical infrastructure, and that some of the attacks are believed to be from nation-state actors...

Reuters reported that Iran's IT Minister Mohammad Javad Azari-Jahromi said the attack mainly impacted Europe, India, and the U.S.... The hackers said they did scan many countries for the vulnerable systems, including the U.K., U.S., and Canada, but only "attacked" Russia and Iran, perhaps referring to the post of an American flag and their message. They claimed to have fixed the Cisco issue on exposed devices in the US and UK "to prevent further attacks... As a result of our efforts, there are almost no vulnerable devices left in many major countries," they claimed in an email.

Their image of the American flag was a black-and-white drawing done with ASCII art.
Education

Schools Are Giving Up on Smartphone Bans (gizmodo.com) 117

Bans on phones in schools are increasingly becoming a thing of the past, new research shows. From a report: A survey from the National Center for Education Statistics exploring crime and safety at schools indicates that there is a trend toward relaxing student smartphone bans. The survey reports that the percentage of public schools that banned cell phones and other devices that can send text messages dropped from nearly 91 percent in 2009 through 2010 to nearly 66 percent in 2015 through 2016.

This drop did not coincide, however, with more lenient rules around social media. In 2009 and 2010, about 93 percent of public schools limited student access to social networking sites from school computers, compared to 89 percent from 2015 through 2016. That's likely because these bans aren't lifted in response to student demands to use their electronics during school hours -- they are bending to the pressure of parents who want to be able to reach their kids.

Network

Cloudflare Launches 1.1.1.1 Consumer DNS Service With a Focus On Privacy (betanews.com) 225

BrianFagioli writes: Today, Cloudflare announces a new consumer DNS service with a focus on privacy. Called '1.1.1.1,' it quite literally uses that easy-to-remember IP address as the primary DNS server. Why announce on April Fool's Day? Because the IP is four ones and today's date is 4/1 -- clever. The secondary server is 1.0.0.1 -- also easy to remember.

The big question is why? With solid offerings from Google and Comodo, for instance, does the world need another DNS service? The answer is yes, because Cloudflare intends to focus on both speed, and more importantly, privacy.

Businesses

Foxconn Announces Purchase of Belkin, Wemo, and Linksys (androidpolice.com) 80

Foxconn, the Taiwan-based company best known for manufacturing Apple products, announced that one of its subsidiaries (Foxconn Interconnect Technology) is purchasing U.S.-based Belkin for $866 million in cash. "Belkin owns a number of major brands, including Linksys and Wemo," notes Android Police. From the report: The buyout would make Foxconn a major player in consumer electronics, instead of just a contract manufacturing company. Belkin primarily sells phone/tablet accessories, but also manufactures networking equipment like routers and Wi-Fi range extenders. The company also sells a range of smart home products under the Wemo brand. According to The Financial Times, the purchase is subject to approval from the U.S. Committee on Foreign Investment. In other words, there is a very real chance the acquisition could be blocked. President Trump blocked Broadcom's acquisition of Qualcomm earlier this month, based on advice from the committee.
Facebook

Facebook Scraped Call, Text Message Data For Years From Android Phones (arstechnica.com) 158

An anonymous reader quotes a report from Ars Technica: This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years' worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us -- my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata. In response to an email inquiry about this data gathering by Ars, a Facebook spokesperson replied, "The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts." The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago -- specifically before Android 4.1 (Jelly Bean) -- that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook's app could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 -- the point at which the latest call metadata in Facebook users' data was found. Apple iOS has never allowed silent access to call data.
You are able to have Facebook delete the data it collects from you, "but it's not clear if this deletes just contacts or if it also purges call and SMS metadata," reports Ars. Generally speaking, if you're concerned about privacy, you shouldn't share your contacts and call-log data with any mobile application.
Databases

Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com) 41

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers which can be used to gain access to CMSs, MySQL, and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
Networking

Ask Slashdot: How Can I Prove My ISP Slows Certain Traffic? 203

Long-time Slashdot reader GerryGilmore is "a basically pretty knowledgeable Linux guy totally comfortable with the command line." But unfortunately, he lives in north Georgia, "where we have a monopoly ISP provider...whose service overall could charitably be described as iffy." Sometimes, I have noticed that certain services like Netflix and/or HBONow will be ridiculously slow, but -- when I run an internet speed test from my Linux laptop -- the basic throughput is what it's supposed to be for my DSL service. That is, about 3Mbps due to my distance from the nearest CO. Other basic web browsing seems to be fine... I don't know enough about network tracing to be able to identify where/why such severe slowdowns in certain circumstances are occurring.
Slashdot reader darkharlequin has also noticed a speed decrease on Comcast "that magickally resolves when I run internet speed tests." But if the original submitter's ultimate goal is delivering evidence to his local legislators so they can put pressure on his ISP -- what evidence is there? Leave your best answers in the comments. How can he prove his ISP is slowing certain traffic?
Security

1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com) 119

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.