China

A Tip for Apple in China: Your Hunger for Revenue May Cost You (wsj.com) 57

Li Yuan, writing for the WSJ: Apple's latest predicament centers on its App Store. Last month, Apple told several Chinese social-networking apps, including the wildly popular messaging platform WeChat, to disable their "tip" functions to comply with App Store rules (Editor's note: the link could be paywalled; alternative source), according to executives at WeChat and other companies. That function allows users to send authors and other content creators tips, from a few yuan to hundreds, via transfers from mobile-wallet accounts. Those transfers are offered by the social-networking apps free of charge, as a way to inspire user engagement. Now, those tips will be considered in-app purchases, just like buying games, music and videos, entitling Apple to a 30% cut. For Apple, which has been seeing slowing growth in mature markets, China is increasingly important. But the company's my-way-or-the-highway approach may hurt its image in China, and that image, along with the fortunes of local companies, is something the Chinese authorities care deeply about. As Yuan adds, "while it's understandable that Apple wants to tap the App Store for more money, its pressure on the app platforms risks alienating powerful Chinese companies, turning off Chinese iPhone users and drawing unnecessary attention from the regulators." Executives of these messaging apps tell the WSJ that Apple has threatened to remove their apps from the App Store if they don't comply. The problem is that WeChat is far more popular in China than Apple, its iPhones or its services, analysts say. WeChat is ubiquitous there, and people use it to pay for purchases and send money to friends. Apple's hunger for a cut of those tips could end up producing millions of new Android users, analysts said.
Republicans

The Republican Push To Repeal Net Neutrality Will Get Underway This Week (washingtonpost.com) 141

An anonymous reader quotes a report from Washington Post: Federal regulators will move to roll back one of the Obama administration's signature Internet policies this week, launching a process to repeal the government's net neutrality rules that currently regulate how Internet providers may treat websites and their own customers. The vote on Thursday, led by Federal Communications Commission Chairman Ajit Pai, will kick off consideration of a proposal to relax regulations on companies such as Comcast and AT&T. If approved by the 2-1 Republican-majority commission, it will be a significant step for the broadband industry as it seeks more leeway under government rules to develop new business models. For consumer advocates and tech companies, it will be a setback; those groups argue that looser regulations won't prevent those business models from harming Internet users and website owners. The current rules force Internet providers to behave much like their cousins in the legacy telephone business. Under the FCC's net neutrality policy, providers cannot block or slow down consumers' Internet traffic, or charge websites a fee in order to be displayed on consumers' screens. The net neutrality rules also empower the FCC to investigate ISP practices that risk harming competition. Internet providers have chafed at the stricter rules governing phone service, which they say were written for a bygone era. Pai's effort to roll back the rules has led to a highly politicized debate. Underlying it is a complex policy decision with major implications for the future of the Web.
Security

Access Codes For United Cockpit Doors Accidentally Posted Online (techcrunch.com) 109

According to the Wall Street Journal, the access codes to United's cockpit doors were accidentally posted on a public website by a flight attendant. "[United Continental Holdings], which owns United Airlines and United Express, asked pilots to follow security procedures already in use, including visually confirming someone's identity before they are allowed onto the flight deck even if they enter the correct security code into the cockpit door's keypad," reports TechCrunch. From the report: The Air Line Pilots Association, a union that represents 55,000 pilots in the U.S. and Canada, told the WSJ on Sunday that the problem had been fixed. The notable thing about this security breach is that it was caused by human error, not a hack, and illustrates how vulnerable cockpits are to intruders despite existing safety procedures. The Air Line Pilots Association has advocated for secondary barriers made from mesh or steel cables to be installed on cockpits doors to make it harder to break into, but airlines have said that they aren't necessary.
Australia

How Australia Bungled Its $36 Billion High-Speed Internet Rollout (nytimes.com) 149

Not very pleased with your internet speeds? Think about the people Down Under. Australia's "bungled" National Broadband Network (NBN) has been used as a "cautionary tale" for other countries to take note of. Despite the massive amount of money being pumped into the NBN, the New York Times reports, the internet speeds still lag behind the US, most of western Europe, Japan and South Korea -- even Kenya. The article highlights that Australia was the first country where a national plan to cover every house or business was considered, and this ambitious plan was hampered by changes in government and a slow rollout (Editor's note: the link could be paywalled; alternative source), partly because of negotiations with Telstra about the fibre installation. From the report: Australia, a wealthy nation with a widely envied quality of life, lags in one essential area of modern life: its internet speed. Eight years after the country began an unprecedented broadband modernization effort that will cost at least 49 billion Australian dollars, or $36 billion, its average internet speed lags that of the United States, most of Western Europe, Japan and South Korea. In the most recent ranking of internet speeds by Akamai, a networking company, Australia came in at an embarrassing No. 51, trailing developing economies like Thailand and Kenya. For many here, slow broadband connections are a source of frustration and an inspiration for gallows humor. One parody video ponders what would happen if an American with a passion for Instagram and streaming "Scandal" were to switch places with an Australian resigned to taking bathroom breaks as her shows buffer. The article shares this anecdote: "Hundreds of thousands of people from around the world have downloaded Hand of Fate, an action video game made by a studio in Brisbane, Defiant Development. But when Defiant worked with an audio designer in Melbourne, more than 1,000 miles away, Mr. Jaffit knew it would be quicker to send a hard drive by road than to upload the files, which could take several days."
Television

HBO's 'Silicon Valley' Joins The Push For A Decentralized Web (ieee.org) 115

Tekla Perry writes: HBO's fictional Silicon Valley character Richard Hendricks sets out to reinvent the Internet into something decentralized. ["What if we used all those phones to build a massive network...we could build a completely decentralized version of our current Internet with no firewalls, no tolls, no government regulation, no spying. Information would be totally free in every sense of the word."] That sounds a lot like what Brewster Kahle, Tim Berners-Lee, and Vint Cerf have been calling the decentralized web. Kahle tells IEEE Spectrum how closely HBO's vision matches his own, and why he's happy to have this light shined on the movement.
In 2015 Kahle pointed out the current web isn't private. "People, corporations, countries can spy on what you are reading. And they do." But in a decentralized web, "the bits will be distributed -- across the net -- so no one can track the readers of a site from a single point or connection."

He tells IEEE Spectrum that though the idea is hard to execute, a lot of people are already working on it. "I recently talked to a couple of engineers working for Mozilla, and brought up the idea of decentralizing the web. They said, 'Oh, we have a group working on that, are you thinking about that as well?'"
The Internet

Cable Lobby Survey Backfires; Most Americans Support Net Neutrality (consumerist.com) 119

New submitter Rick Schumann writes from a report via Consumerist: The NCTA hired polling firm Morning Consult to survey people about their attitudes toward net neutrality. In the results and a blog post about the survey, the organization crows that clearly, everyone thinks regulation is bad. Here's the "TL;DR" version: The NCTA claims Americans want "light touch" regulation of the "internet," but did not ask about regulation of internet service providers. The survey claims most voters believe regulation will harm innovation and investment, but their own numbers show that just as many people believe it won't. Most people don't believe the internet should be regulated like a "public utility," which is good because that's not what net neutrality does. When people were asked their feelings about what neutrality actually does, they overwhelmingly support it.
Government

Trump Signs Executive Order On Cybersecurity (techcrunch.com) 173

President Trump on Thursday signed a long-delayed executive order on cybersecurity that "makes clear that agency heads will be held accountable for protecting their networks, and calls on government and industry to reduce the threat from automated attacks on the internet," reports The Washington Post. From the report: Picking up on themes advanced by the Obama administration, Trump's order also requires agency heads to use Commerce Department guidelines to manage risk to their systems. It commissions reports to assess the country's ability to withstand an attack on the electric grid and to spell out the strategic options for deterring adversaries in cyberspace. [Thomas Bossert, Trump's homeland security adviser] said the order was not, however, prompted by Russia's targeting of electoral systems last year. In fact, the order is silent on addressing the security of electoral systems or cyber-enabled operations to influence elections, which became a significant area of concern during last year's presidential campaign. The Department of Homeland Security in January declared election systems "critical infrastructure." The executive order also does not address offensive cyber operations, which are generally classified. This is an area in which the Trump administration is expected to be more forward-leaning than its predecessor. Nor does it spell out what type of cyberattack would constitute an "act of war" or what response the attack would invite. "We're not going to draw a red line," Bossert said, adding that the White House does not "want to telegraph our punches." The order places the defense secretary and the head of the intelligence community in charge of protecting "national security" systems that operate classified and military networks. But the secretary of homeland security will continue to be at the center of the national plan for protecting critical infrastructure, such as the electric grid and financial sector.
Facebook

Facebook Must Delete Hate Postings Worldwide, Rules Austrian Court (reuters.com) 364

An Austrian court has ruled that Facebook must delete hate speech postings worldwide. "The case -- brought by Austria's Green party over insults to its leader -- has international ramifications as the court ruled the postings must be deleted across the platform and not just in Austria, a point that had been left open in an initial ruling," reports Reuters. From the report: The case comes as legislators around Europe are considering ways of forcing Facebook, Google, Twitter and others to rapidly remove hate speech or incitement to violence. Facebook's lawyers in Vienna declined to comment on the ruling, which was distributed by the Greens and confirmed by a court spokesman, and Facebook did not immediately reply to a request for comment. Strengthening the earlier ruling, the Viennese appeals court ruled on Friday that Facebook must remove the postings against Greens leader Eva Glawischnig as well as any verbatim repostings, and said merely blocking them in Austria without deleting them for users abroad was not sufficient. The court added it was easy for Facebook to automate this process. It said, however, that Facebook could not be expected to trawl through content to find posts that are similar, rather than identical, to ones already identified as hate speech. The Greens hope to get the ruling strengthened further at Austria's highest court. They want the court to demand Facebook remove similar - not only identical - postings, and to make it identify holders of fake accounts. The Greens also want Facebook to pay damages, which would make it easier for individuals in similar cases to take the financial risk of taking legal action.
Bitcoin

ISPs Could Take Down Large Parts of Bitcoin Ecosystem If They Wanted To (bleepingcomputer.com) 72

An anonymous reader writes: A rogue ISP could take down large parts of the Bitcoin ecosystem, according to new research that will be presented in two weeks at the 38th IEEE Symposium on Security and Privacy in San Jose, USA. According to the researchers, two kinds of attack can be mounted with BGP hijacks: a partition attack, which cuts a set of nodes off from the rest of the network by diverting their traffic, and a delay attack, which slows the delivery of blocks to chosen nodes. Between them they can be used to hijack mining proceeds, enable double spending, and delay transactions. Both attacks are possible because the Bitcoin ecosystem is far less decentralized than most people think and still runs on a small number of ISPs. For example, 13 ISPs host 30% of the entire Bitcoin network, 39 ISPs host 50% of the whole Bitcoin mining power, and 3 ISPs handle 60% of all Bitcoin traffic. The researchers also found that around 100 Bitcoin nodes are already the victims of BGP hijacks each month.
Government

Oracle And Cisco Both Support The FCC's Rollback Of Net Neutrality (thehill.com) 136

An anonymous reader quotes The Hill: Oracle voiced support on Friday for FCC Chairman Ajit Pai's controversial plan to roll back the agency's net neutrality rules. In a letter addressed to the FCC, the company played up its "perspective as a Silicon Valley technology company," hammering the debate over the rules as a "highly political hyperbolic battle," that is "removed from technical, economic, and consumer reality"... Oracle wrote in their letter [PDF] that they believe Pai's plan to remove broadband providers from the FCC's regulatory jurisdiction "will eliminate unnecessary burdens on, and competitive imbalances for, ISPs [internet service providers] while enhancing the consumer experience and driving investment"... Other companies in support of Pai's plan, like AT&T and Verizon, have made the argument that the rules stifled investment in the telecommunications sector, specifically in broadband infrastructure.
Cisco has also argued that strict net neutrality laws on ISPs "restrict their ability to use innovative network management technology, provide appropriate levels of quality of service, and deliver new features and services to meet evolving consumer needs. Cisco believes that allowing the development of differentiated broadband products, with different service and content offerings, will enhance the broadband market for consumers."
Security

WikiLeaks Reveals A CIA LAN-Attacking Tool From 'Vault 7' (betanews.com) 52

An anonymous reader quotes BetaNews: WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes -- previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use -- or, indeed, if it has actually ever been used -- but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.

The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."

HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."
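The manual above describes the classic LAN man-in-the-middle position: the victim's traffic reaches the gateway only after passing through the attacker's machine. What a defender wants is a way to notice that position being taken. The following is an added example, not code from the Vault 7 documents or from any product, and it assumes the redirection is done by the usual mechanism for this, ARP cache poisoning (the excerpts above do not name the mechanism). It also assumes a simplified log format, `HH:MM:SS reply <ip> is-at <mac>`; the addresses and log lines are constructed sample data.

```python
"""ARP-cache-poisoning watch over a constructed ARP reply log (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpAlert:
    time: str
    kind: str               # "gateway-mac-changed", "ip-mac-changed", "mac-claims-multiple-ips"
    ip: str
    old_mac: Optional[str]  # None when the alert is about a MAC, not an IP change
    new_mac: str


class ArpWatch:
    """Tracks which MAC answers for which IP and flags the two patterns a LAN
    MITM produces: the gateway IP suddenly answered by a different MAC, and a
    single MAC answering for several IPs (the attacker impersonating both the
    gateway and the victim so traffic flows through it in both directions)."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = {}

    def observe(self, when: str, ip: str, mac: str) -> List[ArpAlert]:
        alerts: List[ArpAlert] = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            kind = "gateway-mac-changed" if ip == self.gateway_ip else "ip-mac-changed"
            alerts.append(ArpAlert(when, kind, ip, old, mac))
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips.setdefault(mac, set())
        if claimed and ip not in claimed:
            # This MAC already answers for another IP; a second one is suspicious.
            alerts.append(ArpAlert(when, "mac-claims-multiple-ips", ip, None, mac))
        claimed.add(ip)
        return alerts


def parse_line(line: str):
    """Parse the constructed format '10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01'."""
    when, kind, ip, is_at, mac = line.split()
    if kind != "reply" or is_at != "is-at":
        raise ValueError(f"unexpected ARP log line: {line!r}")
    return when, ip, mac.lower()


def scan_arp_log(text: str, gateway_ip: str) -> List[ArpAlert]:
    watch = ArpWatch(gateway_ip)
    alerts: List[ArpAlert] = []
    for line in text.splitlines():
        if line.strip():
            alerts.extend(watch.observe(*parse_line(line)))
    return alerts


# Constructed sample: a quiet LAN, then the host at .30 starts answering for
# the gateway (.1) and for the victim (.20), which is the MITM position.
SAMPLE_ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 reply 192.168.1.30 is-at 00:11:22:33:44:30
10:00:05 reply 192.168.1.1 is-at 00:11:22:33:44:30
10:00:06 reply 192.168.1.20 is-at 00:11:22:33:44:30
"""

if __name__ == "__main__":
    for alert in scan_arp_log(SAMPLE_ARP_LOG, gateway_ip="192.168.1.1"):
        print(alert)
```

On the constructed log the watch raises four alerts: the gateway's MAC changing at 10:00:05, that same MAC now claiming a second IP, and the same pair again when it takes over the victim's IP. The cheap preventive check on a single host is a static ARP entry for the gateway, which the poisoned replies cannot overwrite; the watch above is the detective control for the rest of the segment.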
Security

Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com) 45

An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to ensure that the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.
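The mitigation DeMarre describes is a registration-time policy on the authorization server: a client may only carry a well-known brand in its display name if the place it redirects to is actually under that brand's domain, because the display name is the one thing the consent screen shows the user and the redirect URI is the one thing the attacker cannot fake. The following is an added example of that check; it is not Google's code and not part of any OAuth library. The brand table, the confusable-character folding and the sample registrations are all constructed, and the example keeps the "Foobar" provider from the quoted message as one of the protected names.

```python
"""Registration-time check against OAuth client-name impersonation (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed table: brand token -> domains allowed to use that token in a client name.
PROTECTED_BRANDS: Dict[str, Tuple[str, ...]] = {
    "google": ("google.com", "googleapis.com"),
    "foobar": ("foobar.com",),   # the hypothetical provider from DeMarre's message
}

# Minimal confusable folding so "G00gle" or "Googl3" still hit the brand table.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def name_tokens(display_name: str) -> List[str]:
    """Lower-case, de-confuse and split a display name into alphabetic tokens."""
    folded = display_name.casefold().translate(_CONFUSABLES)
    return re.findall(r"[a-z]+", folded)


def host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain, never for look-alikes."""
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_registration(display_name: str, redirect_uris: List[str]) -> Decision:
    """Reject a client whose name borrows a protected brand it does not redirect to."""
    hosts: List[str] = []
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.hostname:
            return Decision(False, f"redirect URI must be https with a host: {uri}")
        hosts.append(parts.hostname.casefold())

    for token in name_tokens(display_name):
        domains = PROTECTED_BRANDS.get(token)
        if domains is None:
            continue
        if not any(host_in_domain(h, d) for h in hosts for d in domains):
            return Decision(
                False,
                f"name uses protected brand {token!r} but no redirect URI is under {domains}",
            )
    return Decision(True, "ok")


# Constructed registrations: two impersonation attempts and two honest clients.
SAMPLE_REGISTRATIONS = [
    ("Google Docs", ["https://malicious.example/cb"]),
    ("G00gle, Inc.", ["https://g00gle-login.example/cb"]),
    ("Google Drive", ["https://drive.google.com/oauth2/callback"]),
    ("Acme Notes", ["https://notes.acme.example/cb"]),
]

if __name__ == "__main__":
    for name, uris in SAMPLE_REGISTRATIONS:
        print(name, "->", check_registration(name, uris))
```

The check deliberately ties the brand to the redirect host rather than to anything the client asserts about itself; a brand list is a maintenance burden, but it is the same burden any consent screen already carries once it shows a name, and the folding step is what stops the trivial "G00gle" bypass.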
Security

Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA (vice.com) 50

A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday. From the article: For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper the Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
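The SS7 attacks above work because the one-time code is delivered over the phone network, where an attacker with SS7 access can redirect it. The usual replacement, an authenticator app, derives the code locally from a shared secret and the clock, so nothing usable ever crosses SS7. Below is an added implementation of that scheme, RFC 6238 TOTP on top of RFC 4226 HOTP; it is not code from the article or from any vendor. It uses the RFC's published 20-byte test secret (never a production secret), and the one-step clock-drift window and the replay guard are ordinary design choices of this example, not anything the article specifies.

```python
"""TOTP (RFC 6238) generation and verification with a replay guard (added example)."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, (int(for_time) - t0) // step, digits, algo)


class TotpVerifier:
    """Server-side verifier: accepts the current step and +/- `window` steps of
    clock drift, compares in constant time, and never accepts a step at or
    before the last one that succeeded (so a captured code cannot be replayed)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self._last_counter = -1

    def accept(self, code: str, now: float) -> bool:
        base = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self._last_counter:
                continue  # already used, or older than one already used: replay
            candidate = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(candidate, code):
                self._last_counter = counter
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); test data only.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET, time.time()))
    verifier = TotpVerifier(RFC_TEST_SECRET, digits=8)
    print("RFC vector at T=59 accepted:", verifier.accept("94287082", 59))
    print("same code again accepted:", verifier.accept("94287082", 59))
```

Two details matter in practice: `compare_digest` keeps the comparison from leaking how many leading digits matched, and the `_last_counter` guard means a code intercepted in transit is useless once the legitimate login has consumed it. Neither property is available with an SMS code, whose security rests entirely on the delivery path the article shows to be compromised.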
Communications

WhatsApp Users Are Reporting Outages Worldwide (metro.co.uk) 44

sombragris writes: WhatsApp, a proprietary instant messaging platform owned by Facebook and used by millions of users, is currently down according to user reports from various parts of the world. There's no official word yet on the cause but I'm among the many affected by the outages. UPDATE 5/3/17: "Earlier today, WhatsApp users in all parts of the world were unable to access WhatsApp for a few hours. We have now fixed the issue and apologize for the inconvenience," WhatsApp said in an email late Wednesday afternoon.
Republicans

Senate Republicans Introduce Anti-Net Neutrality Legislation (thehill.com) 224

An anonymous reader quotes a report from The Hill: Sen. Mike Lee (R-Utah) introduced a bill Monday to nullify the Federal Communications Commission's net neutrality rules. "Few areas of our economy have been as dynamic and innovative as the internet," Lee said in a statement. "But now this engine of growth is threatened by the Federal Communications Commission's 2015 Open Internet Order, which would put federal bureaucrats in charge of engineering the Internet's infrastructure." Sens. John Cornyn (R-Texas), Tom Cotton (R-Ark.), Ted Cruz (R-Texas), Ron Johnson (R-Wis.), Rand Paul (R-Ky.), Thom Tillis (R-N.C.), Ben Sasse (R-Neb.), and James Inhofe (R-Okla.) co-sponsored Lee's bill. FCC Chairman Ajit Pai introduced his own plan last week to curb significant portions of the 2015 net neutrality rules that Lee's bill aims to abolish. Pai's more specific tack is focused on moving the regulatory jurisdiction of broadband providers back to the Federal Trade Commission, instead of the FCC, which currently regulates them.
Security

A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices (arstechnica.com) 143

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, or other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and resilience that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.

Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"
Australia

Australia Wants ISPs To Protect Customers From Viruses (sophos.com) 104

An anonymous reader quotes Sophos's Naked Security blog: In a column in The West Australian, Dan Tehan, Australia's cybersecurity minister, wrote: "Just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies to protect our information from threats." A companion news article in the same newspaper cited Tehan as arguing that "the onus is on telecommunications companies to develop products to stop their customers being infected with viruses"...

Tehan's government roles include assisting the prime minister on cybersecurity, so folks throughout Australia perked up when he said all this. However, it's not clear if there's an actual plan behind Tehan's observations -- or if there is, whether it will be backed by legal mandates... Back home in Australia, some early reactions to the possibility of any new government interference weren't kind. In iTWire, Sam Varghese said, "Dan Tehan has just provided the country with adequate reasons as to why he should not be allowed anywhere near any post that has anything to do with online security."

The West Australian also reports Australia's prime minister met telecommunications companies this week, "where he delivered the message the Government expected them to do more to shut dodgy sites and scams," saying the government will review current legislation to "remove any roadblocks that may be preventing the private sector and government from delivering such services."
Communications

Ask Slashdot: Could We Build A Global Wireless Mesh Network? 168

An anonymous reader wants to start a grassroots effort to build a self-organizing global radio mesh network where every device can communicate with every other device -- and without any central authority. There is nothing in the rules of mathematics or laws of physics that prevents such a system. But how would you break the problem up so it could be crowdfunded and sourced? How would you build the radios? And what about government spectrum rules... How would you persuade governments to allow for the use of say, 1%, of the spectrum for an unlicensed mesh experiment? In the U.S. it would probably take an Act of Congress to overrule the FCC but a grassroots effort with potential for major technology advances backed by celebrity scientists might be enough to tilt the issue but would there be enough motivation?
Is this feasible? Would it amass enough volunteers, advocates, and enthusiastic users? Would it become a glorious example of geeks uniting the world -- or a doomed fantasy with no practical applications? Leave your best thoughts in the comments. Could we build a global wireless mesh network?
Networking

Russian-Controlled Telecom Hijacks Traffic For Mastercard, Visa, And 22 Other Services (arstechnica.com) 76

An anonymous reader quotes the security editor at Ars Technica: On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

Anomalies in the border gateway protocol -- which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks -- are common and usually the result of human error. While it's possible Wednesday's five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident "curious" to engineers at network monitoring service BGPmon. What's more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.
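Both BGP stories on this page, the Bitcoin partition and delay research above and the Rostelecom announcement here, come down to the same two questions: is a prefix being originated by an AS that has no business originating it, and how many ASes would an attacker need to reach a given share of a network? The following is an added example covering both; it is not code from either article, from the researchers, or from BGPmon. The expected-origin table, the AS numbers, the update lines and the per-AS node counts are constructed sample data (documentation prefixes and private-use ASNs), and the "prefix as-path" line format is an assumption of the example, not a real feed format.

```python
"""BGP origin-hijack detector and AS-concentration metric over constructed data (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Which AS(es) may originate each protected prefix; this is the role an RPKI ROA plays.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64501, 64502},
}


@dataclass(frozen=True)
class Alert:
    prefix: str      # the announced prefix
    origin_as: int   # last AS in the AS_PATH
    covered: str     # the protected prefix it overlaps
    kind: str        # "origin-mismatch" or "more-specific"


def parse_update(line: str):
    """'prefix as1 as2 ... asN' -> (network, origin AS, AS path). The origin is the LAST AS."""
    prefix, *path = line.split()
    if not path:
        raise ValueError(f"no AS path in update: {line!r}")
    asns = [int(a) for a in path]
    return ipaddress.ip_network(prefix, strict=True), asns[-1], asns


def check_update(line: str) -> List[Alert]:
    net, origin, _ = parse_update(line)
    alerts: List[Alert] = []
    for covered_str, allowed in EXPECTED_ORIGINS.items():
        covered = ipaddress.ip_network(covered_str)
        if net.version != covered.version or origin in allowed:
            continue  # an allowed origin may announce the prefix or its own more-specifics
        if net == covered:
            alerts.append(Alert(str(net), origin, covered_str, "origin-mismatch"))
        elif net.subnet_of(covered):
            # Longest-prefix match means a foreign more-specific diverts traffic even
            # while the legitimate covering prefix is still announced everywhere.
            alerts.append(Alert(str(net), origin, covered_str, "more-specific"))
    return alerts


def scan_feed(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        alerts.extend(check_update(line))
    return alerts


SAMPLE_FEED = [  # constructed updates: "prefix as-path..." with the origin last
    "203.0.113.0/24 64510 64505 64500",    # legitimate origin
    "203.0.113.0/24 64510 64511 64999",    # same prefix, foreign origin
    "198.51.100.0/24 64510 64511 64999",   # foreign more-specific of the protected /23
    "198.51.100.0/24 64510 64502",         # more-specific from an allowed origin
    "192.0.2.0/24 64510 64999",            # a prefix nobody here protects
]

# Constructed node counts per AS, for the concentration question in the Bitcoin story.
SAMPLE_AS_NODE_COUNTS: Dict[int, int] = {64500: 8, 64501: 5, 64502: 3, 64503: 2, 64504: 1, 64505: 1}


def ases_to_cover(as_counts: Dict[int, int], share: float) -> int:
    """Smallest number of ASes whose nodes together make up at least `share` of all nodes."""
    needed = share * sum(as_counts.values())
    covered, n = 0, 0
    for count in sorted(as_counts.values(), reverse=True):
        if covered >= needed:
            break
        covered += count
        n += 1
    return n


if __name__ == "__main__":
    for alert in scan_feed(SAMPLE_FEED):
        print(alert)
    print("ASes needed for 50% of nodes:", ases_to_cover(SAMPLE_AS_NODE_COUNTS, 0.5))
```

On the constructed feed the detector raises exactly two alerts, the foreign origin for the /24 and the foreign more-specific carved out of the /23; the operator's own more-specific passes, and an unprotected prefix is ignored. The deployed form of `check_update` is RPKI route origin validation, which is what would have flagged the Rostelecom announcements as invalid at the routers that received them, and `ases_to_cover` is the arithmetic behind the "13 ISPs host 30%" figures: the smaller that number, the fewer hijacks a partition attack needs.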

Wireless Networking

Stray WiFi Signals Could Let Spies See Inside Closed Rooms (sciencemag.org) 41

sciencehabit quotes a report from Science Magazine: Your wireless router may be giving you away in a manner you never dreamed of. For the first time, physicists have used radio waves from a Wi-Fi transmitter to encode a 3D image of a real object in a hologram similar to the image of Princess Leia projected by R2-D2 in the movie Star Wars. In principle, the technique could enable outsiders to "see" the inside of a room using only the Wi-Fi signals leaking out of it, although some researchers say such spying may be easier said than done. Their experiment relies on none of the billions of digital bits of information encoded in Wi-Fi signals, just the fact that the signals are clean, "coherent" waves. As in conventional holography, the image is recovered from the interference between the waves scattered by the object and a reference wave; however, instead of recording that interference pattern on a photographic plate, the researchers record it with a Wi-Fi receiver and reconstruct the object in a computer. Their test object was an aluminum cross. They placed a Wi-Fi transmitter in a room, 0.9 meters behind the cross. Then they placed a standard Wi-Fi receiver 1.4 meters in front of the cross and moved it slowly back and forth to map out a "virtual screen" that substituted for the photographic plate. Also, instead of having a separate reference beam coming straight to the screen, they placed a second, stationary receiver a few meters away, where it had a direct view of the emitter. For each point on the virtual screen, the researchers compared the signals arriving simultaneously at both receivers, and made a hologram by mapping the delays caused by the aluminum cross. The virtual hologram isn't exactly like a traditional one, as the researchers can't recover the image of the object by shining more radio waves on it. Instead, the scientists used the computer to run the radio waves backward in time from the screen to the distance where the wave fronts hit the object. The cross then popped out.
