Windows

Microsoft Knew of Exchange Autodiscover Flaw Five Years Ago (theregister.com)

Thomas Claburn writes via The Register: Microsoft Exchange clients like Outlook have been supplying unprotected user credentials if you ask in a particular way since at least 2016. Though aware of this, Microsoft's advice continues to be that customers should communicate only with servers they trust. On August 10, 2016, Marco van Beek, managing director at UK-based IT consultancy Supporting Role, emailed the Microsoft Security Response Center to disclose an Autodiscover exploit that worked with multiple email clients, including Microsoft Outlook. "Basically, I have discovered that it is extremely easy to get access to Exchange (and therefore Active Directory) user passwords in plain text," he wrote. "It doesn't necessarily require any breach of corporate security, and at its most secure, is only as secure as file level access to the corporate website." His proof-of-concept exploit code, which affected Outlook (both Mac and PC), default email apps for Android and iOS, Apple Mail for Mac OS X, and others, consisted of 11 lines of PHP, though he insisted the exploit probably could have been reduced to three lines.

Microsoft acknowledged on August 11, 2016, that it had reproduced the issue in van Beek's report. Then on August 30, 2016, the Windows titan responded to van Beek by saying the report doesn't describe a genuine vulnerability: "Our security engineers and product team have reviewed this report and determined that it is not a security issue to be serviced as part of our monthly Patch Tuesday process. 'Never accept an SSL certificate without a matching host name' is already recommended for clients in the doc cited by your report: [link]. Before you send a request to a candidate, make sure it is trustworthy. Remember that you're sending the user's credentials, so it's important to make sure that you're only sharing them with a server you can trust. At a minimum, you should verify: That the endpoint is an HTTPS endpoint. Client applications should not authenticate or send data to a non-SSL endpoint. That the SSL certificate presented by the server is valid and from a trusted authority."

"This response casually forgets to consider that a hacked web server still retains a perfectly valid certificate -- it just happens to use that trusted tunnel to serve up problems," said van Beek. "Also, I have only found one Exchange client so far which actually checks the hostname against the certificate, which is Microsoft's own test tool." Van Beek said he thought it was incredible that Microsoft confirmed the behavior he reported within hours but does not consider it to be a problem. He suggested three mitigations: changing the order of operations so that DNS gets checked first; never accepting an SSL certificate without a matching host name; and reviewing why and when clients respond to authentication requests.
When asked if the company plans to take any steps to address credential exposure and whether it believes its guidance adequately addresses the problem, a Microsoft spokesperson said: "We are continuing to investigate the specific scenario shared by the researcher."
Google

Google Tells Judges It's So Popular It's Bing's Top Search Term (bloomberg.com)

Google is so successful that it's the most searched for term on Microsoft's Bing search engine, the company's lawyer told a European Union court on Tuesday. From a report: "We have submitted evidence showing that the most common search query on Bing is by far Google," Alfonso Lamadrid, a lawyer for the Alphabet unit, said at the EU's General Court in Luxembourg. The tech giant has asked EU judges to overturn a record $5 billion fine and strike down a 2018 antitrust order that said Google unfairly pushed its search app on mobile phones running its Android software.
Google

Google, in Fight Against Record EU Fine, Slams Regulators for Ignoring Apple (reuters.com)

Alphabet unit Google on Monday blasted EU antitrust regulators for ignoring rival Apple as it launched a bid to get Europe's second-highest court to annul a record 4.34-billion euro ($5.1 billion) fine related to its Android operating system. From a report: Far from holding back rivals and harming users, Android has been a massive success story of competition at work, representatives of Google told a panel of five judges at the General Court at the start of a five-day hearing. The European Commission fined Google in 2018, saying that it had used Android since 2011 to thwart rivals and cement its dominance in general internet search. Regardless of how the court rules, Google, Apple, Amazon and Facebook will have to change their business models in the coming years to ensure a level playing field for rivals following tough new rules proposed by European Union antitrust chief Margrethe Vestager.

"The Commission shut its eyes to the real competitive dynamic in this industry, that between Apple and Android," Google's lawyer Meredith Pickford told the court. "By defining markets too narrowly and downplaying the potent constraint imposed by the highly powerful Apple, the Commission has mistakenly found Google to be dominant in mobile operating systems and app stores, when it was in fact a vigorous market disrupter," he said. Pickford said Android "is an exceptional success story of the power of competition in action."

Google

Google Sues India's Competition Commission - For Sharing Its Findings About Google (msn.com)

Google used its "huge financial muscle" to illegally hurt competitors, the Competition Commission of India found after an antitrust investigation. But now Reuters says Google is suing the commission — for leaking the results of that investigation to the press: "We cooperated fully and maintained confidentiality throughout the investigative process, and we hope and expect the same level of confidentiality from the institutions we engage with," Google's statement added...

India's antitrust authority ordered a probe in 2019, saying Google appeared to have leveraged its dominance to reduce device makers' ability to opt for alternate versions of its mobile operating system and force them to pre-install Google apps. Its 750-page report subsequently found the mandatory pre-installation of apps "amounts to imposition of unfair condition on the device manufacturers" in violation of India's competition law. The report, which has been seen by Reuters but which is not public, also found the company leveraged the position of its Play Store app store to protect its dominance.

Privacy

Google Photos' Nude-Friendly Folders Coming To All Android Phones Soon (theverge.com)

Google Photos' Locked Folder feature, which lets you hide sensitive photos and videos from your main library and secure them in a passcode- or biometric-protected folder, is coming to all devices running Android 6 and above. The Verge reports: The feature was released exclusively on newer Pixel phones in June. Google hasn't provided an exact date for when the feature is releasing more widely, noting only that it's "rolling out soon." When it announced the feature onstage at Google I/O in May, Google gave the wholesome example of the feature being used by parents hiding photos of a newly purchased puppy from their children. But I think it's fair to say that most people are going to have very different photos stored in their Locked Folder. I don't know about you, but in all the times I've had to wrench my phone out of someone's hand to stop them scrolling through my photos, it's never been because of a puppy picture.
Privacy

A Stalkerware Firm Is Leaking Real-Time Screenshots of People's Phones Online (vice.com)

A stalkerware company that's designed to let customers spy on their spouses', children's, or employees' devices is exposing victims' data, allowing anyone on the internet to see screenshots of phones simply by visiting a specific URL. From a report: The news highlights the continuing lax security practices that many stalkerware companies use; not only do these companies sometimes market their tools specifically for illegal surveillance, but the targets are re-victimized by these breaches. In recent years the Federal Trade Commission (FTC) has acted against stalkerware companies for exposing victim data. The stalkerware company, called pcTattleTale, offers the malware for Windows computers and Android phones. "Discover their secret online lives right from your phone or computer," a Facebook post from pcTattleTale reads. "pcTattletale is a popular keylogger and montoring [sic] app that you can use to see what you [sic] kids, spouse, or employees are doing online." Security researcher Jo Coscia showed Motherboard that pcTattleTale uploads victim data to an AWS server that requires no authentication to view specific images.
Cellphones

Microsoft Debuts Surface Duo 2 Dual-Screen Android Phone With Larger Displays and 5G (yahoo.com)

At Microsoft's Surface event today, the company announced its Surface Duo 2 dual-screen Android smartphone, featuring a trio of new cameras, a faster processor, larger displays, and support for 5G. The company also unveiled a successor to the Surface Book line of laptops, the Surface Laptop Studio, as well as the Surface Pro 8. From a report: The first generation of the Duo made a splash thanks to its unique design. While the original Duo had no exterior screen at all, the Duo 2 now has a sliver of screen called the Glance Bar that peeks out from where its displays come together and provides you with the time and notifications when the Duo is closed. Microsoft has seemingly addressed a number of the original Duo's shortcomings with its Duo 2. One of the biggest issues with the first-generation version was its lack of any truly capable camera. [...] This time around, Microsoft has outfitted the Surface Duo 2 with a trio of external cameras. Like Apple's iPhone and Samsung's Galaxy line of smartphones, the Duo 2 gets a wide-angle camera, an ultra-wide angle camera, and a telephoto camera. There's also a dedicated night photography mode, 2x optical zoom with the telephoto lens, and the ability to record 4K video at 60 frames per second.

As for the occasionally sluggish performance, the Duo 2 should have that sorted out. This time around, Microsoft has dropped Qualcomm's latest Snapdragon 888 processor into the Duo 2, which means the phone should run as smoothly and quickly as any of the leading smartphones on the market. What's more, the Duo 2 gets 8GB of RAM and 128GB, 256GB, or 512GB of storage. On top of that, the Surface Duo 2 gets 5G connectivity, something that was conspicuously absent from the first-generation Duo.

The Duo 2 also gets two larger displays this time around. Rather than two 5.1-inch panels, the Duo 2 gets two 5.3-inch screens that open up to an 8.3-inch display that you can use to move your apps across or as a single canvas for more expansive apps. [...] The gist of the Surface Duo 2 is that two screens are better than one. To that end, Microsoft has combined two panels with a hinge to make an Android-powered device that lets you not only use both displays at the same time, but also seamlessly move apps and content between them. That capability will cost you a pricey $1,499 when the Duo 2 hits store shelves. It's available for pre-order today.

Google

Google Finally Shifting To 'Upstream First' Linux Kernel Approach For Android Features (phoronix.com)

Phoronix reports: Google's Android had been notorious for all of its downstream patches carried by the mobile operating system as well as various vendor/device kernel trees while in recent years more of that code has been upstreamed. Google has also been shifting to the Android Generic Kernel Image (GKI) as the basis for all their product kernels to further reduce the fragmentation. Looking ahead, Google is now talking of an "upstream first" approach for pushing new kernel features into mainline Linux before deploying them on Android. Google's Todd Kjos talked today during Linux Plumbers Conference (LPC2021) around their Generic Kernel Image initiative. With Android 12 and their Linux 5.10 based GKI image they have further cut down the fragmentation to the extent that it's "nearly eliminated."

With the Android 12 GKI, most of the vendor/OEM kernel features have now either been upstreamed into the Linux kernel, isolated to vendor modules/hooks, or merged into the Android Common Kernel. They are making good progress on the GKI front and also ensuring vendors adapt to the new approach to cut down on the kernel mess. But perhaps most exciting is their outlook for 2023 to 2024 for further reducing technical debt. They are going to pursue an "upstream first development model for new features" in making sure new code first lands into the mainline Linux kernel rather than aiming straight for lodging within the Android source tree.

Television

Netflix Launches Free Plan in Kenya To Boost Growth (techcrunch.com)

Netflix said on Monday it is launching a free mobile plan in Kenya as the global streaming giant looks to tap the East African nation that is home to over 20 million internet users. From a report: The free plan, which will be rolled out to all users in Kenya in the coming weeks, won't require them to provide any payment information during the sign-up, the company said. The new plan is available to any user aged 18 or above with an Android phone, the company said. It will also not include ads. The company told Reuters that it is making about one quarter of its movies and television shows catalog available to users in the free plan in the East African nation.
Chrome

Is 2021 The Year of the Linux Desktop? (pcmag.com)

"2021 Is the Year of Linux on the Desktop," writes PC Magazine. "No, really..." Walk into any school now, and you'll see millions of Linux machines. They're called Chromebooks. For a free project launched 30 years ago today by one man in his spare time, it's an amazing feat.... Linux found its real niche — not as a political statement about "free software," but as a practical way to enable capable, low-cost machines for millions...

Chrome OS and Android are both based on the Linux kernel. They don't have the extra GNU software that distributions like Ubuntu have, but they're descended from Linus Torvalds' original work. Chromebooks are the fastest growing segment of the traditional PC market, according to Canalys. IDC points out that Canalys' estimates of 12 million Chromebooks shipped in Q1 2021 are only a fraction of the 63 million notebooks sold that quarter, but once again, they're where the growth is. Much of that is driven by schools, where Chromebooks dominate now. Schoolkids don't generally need a million apps' worth of generic computing power. They need inexpensive, rugged ways to log into Google Classroom. Linux came to the rescue, enabling cheap, light, easy-to-manage PCs that don't have the Swiss Army Knife cruft of Windows or the premium price of Macs...

One great thing about open-source hacker projects is that they can be taken in unexpected directions. Linux isn't controlled, so it can adapt, Darwinian-style. It was a little scurrying mammal in the time of the dinosaurs, and then the mobile-computing asteroid hit. Linux could evolve. Windows couldn't. When you're building something that fits in your hand and has to sip battery, you can't just keep throwing processors and storage at it. Microsoft had a tough time adapting its monstrous megakernel OS to the new, tiny world. But *nix platforms thrive there: Android (based on Linux) and iOS.

"Android and Chrome water down the Linux philosophy," the article argues, "but they are Linux..."

Does this make any long-time geeks feel vindicated? In the original submission wiredog (Slashdot reader #43,288) looks back to 1995, remembering that "my first Linux was RedHat 2.0 in the beige box, running the 0.95(?) kernel and the F Virtual Window Manager...

"It came with 2 books, a CD, and a boot floppy disk."
Android

Google Will Extend Permission Auto-Reset Feature To Older Android Versions (therecord.media)

Google announced plans today to port its Permission Auto-Reset feature from Android 11 to older versions of its mobile operating system, as far back as Android 6. From a report: Launched last fall, the Permission Auto-Reset feature works by automatically withdrawing user permissions from an app that hasn't been opened and used for a few months. "Starting in December 2021, we are expanding this [feature] to billions more devices," Google said today. "This feature will automatically be enabled on devices with Google Play services that are running Android 6.0 (API level 23) or higher." Exempt from this new feature will be device admin apps and enterprise apps where the permissions have been fixed through a general enterprise policy.
Google

South Korea's Antitrust Regulator Fines Google $177 Million for Abusing Mobile Market Dominance (cnbc.com)

South Korea's competition regulator on Tuesday announced it will fine Google 207.4 billion Korean won ($176.9 million) for allegedly using its dominant market position in the mobile operating system space to stifle competition. From a report: Google's Android operating system currently holds the lion's share of the smartphone market, ahead of Apple's iOS platform. The U.S. tech giant allegedly used its market position to block smartphone makers like Samsung from using operating systems developed by rivals, according to the Korea Fair Trade Commission. Yonhap News added that the regulator, which published its decision in Korean, said the tech giant required smartphone makers to agree to an "anti-fragmentation agreement (AFA)" when signing key contracts with Google over app store licenses and early access to the operating system. That agreement prevented device makers from installing modified versions of the Android operating system, known as "Android forks," on their handsets, Yonhap reported. The regulator alleged that Google's practice stifled innovation in the development of new operating systems for smartphones, the news site added. The KFTC has asked the tech giant to stop forcing companies to sign AFAs and ordered it to take corrective steps, according to Yonhap.
Android

Facebook Unveils Superpack, a New Compression Technique (fb.com)

An anonymous reader writes: Facebook unveiled a new compression technique they call 'Superpack compression.' In a blog post written by software engineer Sapan Bhatia, they claim that their compression improves Android app size by 20% over the default Zip compression used by Android. The post gives an overview of the compression ideas. The basis of these ideas is called out as a key insight from Kolmogorov complexity: that any data can be represented in the form of programs that generate that data. Facebook's tool, Superpack, mines out such small programs and optimizes them using compiler techniques.
Businesses

Sonos Announces 10% Price Hikes On Most Speakers (cepro.com)

CIStud writes: Sonos announces price hikes for Arc, Amp, Roam, Sub, Five, One and One SL speakers, citing the chip shortage and supply chain issues. Sonos Arc's price is leaping by $100 from $799 to $899. Not every product will be seeing a large jump in price, as some products like the Sonos Roam are seeing increases of just $10. Other products receiving only small price increases include the Sonos One and Sonos One SL ($20 increase), while others are not seeing pricing changes whatsoever, like the Sonos Move and Sonos Port. Speaking of the far-reaching impact of the global chip shortage, Google and Indian telecom operator Jio announced this week they are delaying the launch of their affordable smartphone aimed at 300 million users.
Encryption

WhatsApp Will Finally Let Users Encrypt Their Chat Backups in the Cloud (techcrunch.com)

WhatsApp said on Friday it will give its two billion users the option to encrypt their chat backups to the cloud, taking a significant step to put a lid on one of the tricky ways private communication between individuals on the app can be compromised. From a report: The Facebook-owned service has end-to-end encrypted chats between users for more than a decade. But users have had no option but to store their chat backup to their cloud -- iCloud on iPhones and Google Drive on Android -- in an unencrypted format. [...] Now WhatsApp says it is patching this weak link in the system.

The company said it has devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups, and the feature is optional. In the "coming weeks," users on WhatsApp will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based "backup key vault" that WhatsApp has developed.

Facebook

Facebook Debuts Its Ray-Ban Stories Smart Sunglasses (techcrunch.com)

Facebook announced their long-awaited foray into the smart glasses space Thursday morning, launching the Ray-Ban Stories smart glasses in partnership with eyewear giant EssilorLuxottica. From a report: The svelte frames are some of the most low-profile yet available to consumers and will allow users to snap photos and videos with the two onboard 5 MP cameras, listen to music with in-frame speakers and take phone calls. The glasses need to be connected to an iOS or Android device for full functionality, though users can take and store hundreds of photos or dozens of videos on the glasses before transferring media to their phones via Facebook's new View app. The twin cameras will allow users to add 3D effects to their photos and videos once they upload them to the app.

The lightweight glasses weigh less than 50 grams and come with a leather hardshell charging case. The battery life is advertised as "all-day," which TechCrunch found to be accurate during our review of the frames. Users will be able to control the glasses with a couple of physical buttons, including a "capture" button to record media and an on-off switch. A touch pad on the right arm of the glasses will allow users to perform functions like swiping to adjust the volume or answering a phone call. An onboard white LED will glow to indicate to the people around the wearer that a video is being recorded.
The glasses will start at $299, with polarized and transition lens options coming in at a higher price point.
Privacy

After Chiding Apple On Privacy, Germany Says It Uses Pegasus Spyware (appleinsider.com)

"Germany's Federal Criminal Police Office (BKA) purchased access to NSO Group's Pegasus spyware in 2019 after internal efforts to create similar iOS and Android surveillance tools failed," reports AppleInsider. The news comes less than a month after the Digital Agenda committee chairman of Germany's federal parliament, Manuel Höferlin, declared Apple to be on a "dangerous path" with plans to enact on-device child sexual abuse material monitoring. He said the system undermines "secure and confidential communication" and represents the "biggest breach of the dam for the confidentiality of communication that we have seen since the invention of the Internet." From the report: The federal government revealed the agreement with NSO in a closed-door session with the German parliament's Interior Committee on Tuesday, reports Die Zeit. When the BKA began to use Pegasus is unclear. While Die Zeit says the tool was purchased in 2019 and is currently used in concert with a less effective state-developed Trojan, a separate report from Süddeutsche Zeitung, via DW.com, cites BKA Vice President Martina Link as confirming an acquisition in late 2020 followed by deployment against terrorism and organized crime suspects in March.

Officials made the decision to adopt Pegasus in spite of concerns regarding the legality of deploying software that can grant near-unfettered access to iPhone and Android handsets. As noted in the report, NSO's spyware exploits zero-day vulnerabilities to gain access to smartphones, including the latest iPhones, to record conversations, gather location data, access chat transcripts and more. Germany's laws state that authorities can only infiltrate suspects' cellphones and computers under special circumstances, while surveillance operations are governed by similarly strict rules.

BKA officials stipulated that only certain functions of Pegasus be activated in an attempt to bring the powerful tool in line with the country's privacy laws, sources told Die Zeit. It is unclear how the restrictions are implemented and whether they have been effective. Also unknown is how often and against whom Pegasus was deployed. According to Die Zeit, Germany first approached NSO about a potential licensing arrangement in 2017, but the plan was nixed due to concerns about the software's capabilities. Talks were renewed after the BKA's attempts to create its own spyware fell short.

Microsoft

Microsoft Start is a Personalized News Feed Designed for Windows 11, Mobile, and More (theverge.com)

Microsoft is launching Microsoft Start today, a personalized news feed that integrates into Windows 11 and is accessible online and on iOS and Android. Microsoft Start is very similar to the MSN feed that exists today and to Microsoft News. Microsoft is rebranding these into Microsoft Start and integrating the feed into the Windows 11 widgets section and the Windows 10 taskbar. From a report: Much like Microsoft News, Microsoft Start includes news and media channels from more than 1,000 publishers. Microsoft uses AI and machine learning algorithms to sort through which news is presented to users and to personalize content based on interests and how you engage with content. There's also some "human moderation" involved, but Microsoft did lay off dozens of journalists and editorial workers at its Microsoft News and MSN organizations last year, so it's not clear how involved editors will be. Microsoft Start will surface top stories, personalized recommendations, and sports scores or the weather in its feed.
Hardware

The Strange Tale of the Freedom Phone (nytimes.com)

A 22-year-old Bitcoin millionaire wants Republicans to ditch their iPhones for a low-end handset that he hopes to turn into a political tool. From a report: It was a pitch tuned for a politically polarized audience. Erik Finman, a 22-year-old who called himself the world's youngest Bitcoin millionaire, posted a video on Twitter for a new kind of smartphone that he said would liberate Americans from their "Big Tech overlords." His splashy video, posted in July, had stirring music, American flags and references to former Presidents Abraham Lincoln and Donald J. Trump. Conservative pundits hawked Mr. Finman's Freedom Phone, and his video amassed 1.8 million views. Mr. Finman soon had thousands of orders for the $500 device. Then came the hard part: Building and delivering the phones. First, he received bad early reviews for a plan to simply put his software on a cheap Chinese phone. And then there was the unglamorous work of shipping phones, hiring customer-service agents, collecting sales taxes and dealing with regulators.

"I feel like practically I was prepared for anything," he said in a recent interview. "But I guess it's kind of like how you hope for world peace, in the sense you don't think it's going to happen." For even the most lavishly funded start-ups, it is hard to compete with tech industry giants that have a death grip on their markets and are valued in the trillions of dollars. Mr. Finman was part of a growing right-wing tech industry taking on the challenge nonetheless, relying more on their conservative customers' distaste for Silicon Valley than expertise or experience. [...] To make a smartphone, however, he had to rely on Google. The company's Android software already works with millions of apps, and Google makes a free, open version of the software for developers to modify. So Mr. Finman hired engineers to strip it of any sign of Google and load it with apps from conservative social networks and news outlets. Then he uploaded the software on phones he bought from China. To unveil the phone, he recorded an infomercial in which he cast the tech companies as enemies of the American way. "Imagine if Mark Zuckerberg banned MLK or Abraham Lincoln," he said in the video. "The course of history would have been altered forever."

[...] Thousands of people bought the $500 phone. Others, including some conservatives, quickly panned the animated pitch. Quickly, news outlets reported that the Freedom Phone was based on a low-cost handset from Umidigi, a Chinese manufacturer that had used chips shown to be vulnerable to hacks. Mr. Finman, who marketed the device as "the best phone in the world," was on the defensive. In an interview in July, Mr. Finman admitted that Umidigi made the phone but still said he was "100 percent" sure it was more secure than the latest iPhone. Apple has tens of thousands of engineers. Mr. Finman said he employed 15 people in Utah and Idaho.

Android

Pixel 3 and 3 XL Phones Are Getting Stuck In EDL Mode and Seemingly Bricked (androidpolice.com)

New submitter throx shares a report from Android Police: For months users of the three-year-old Pixel 3 series have been complaining of a common and dreadful problem: seemingly random shutdowns that completely lock their devices. The Pixel 3 and 3 XL have been plagued by the "EDL Mode" bug, which locks the device with no screen or button inputs and makes it more or less impossible to use. To date there's no clear solution to this problem, at least not one that's easily available to even advanced users.

Google's official support channels are aware of the issue, and it seems to be accelerating in terms of affected users in the last few months. But since more or less every Pixel 3 and 3 XL sold is out of warranty at this point, options are limited. You can start an official support ticket with Google and pay for a repair, or (as one volunteer on the Google support forums suggests) take it into an authorized repair shop to see if their Qualcomm tools can get the phone to wake up. At the time of writing there doesn't seem to be any indication of a user-accessible fix for the EDL issues.
