Google

Google Preparing 'Invisible ReCAPTCHA' System For No User Interaction (bleepingcomputer.com) 34

An anonymous reader quotes a report from BleepingComputer: Google engineers are working on an improved version of the reCAPTCHA system that uses a computer algorithm to distinguish between automated bots and real humans, and requires no user interaction at all. Called "Invisible reCAPTCHA," and spotted by Windows IT Pro, the service is still under development, but it is open for sign-ups, and any webmaster can help Google test the upcoming technology. Invisible reCAPTCHA comes two years after Google revolutionized CAPTCHA technologies by releasing the No CAPTCHA reCAPTCHA service, which requires users to click one checkbox instead of solving complex visual puzzles made up of words and numbers. That service reduced the time needed to fill in forms while maintaining the high level of spam detection we've come to expect from reCAPTCHA. The new Invisible reCAPTCHA is unlikely to improve the situation for Tor users, since CloudFlare will likely still force them to solve a puzzle if they arrive from IPs seen performing suspicious actions in the past. CloudFlare has, however, started working on an alternative.
Security

Dailymotion Hack Exposes Millions of Accounts (zdnet.com) 9

Millions of accounts associated with video sharing site Dailymotion, one of the biggest video platforms in the world, have been stolen. From a ZDNet report: A hacker extracted 85.2 million unique email addresses and usernames from the company's systems, but only about one in five accounts -- roughly 18.3 million -- had associated passwords, and those were hashed with bcrypt, making them difficult to crack. The hack is believed to have been carried out on October 20 by a hacker whose identity isn't known, according to LeakedSource, a breach notification service, which obtained the data. Dailymotion launched in 2005 and is currently the 113th most visited website in the world, according to Alexa rankings.
The Almighty Buck

Interns At Tech Companies Are Better Paid Than Most American Workers (qz.com) 122

According to a survey conducted by Jesse Collins, a senior at Purdue University and former Yelp intern, interns at tech companies make much more money on an annualized basis than workers in the vast majority of other occupations. From a report on Quartz: About 300 of the nearly 600 people who responded to the survey said they had received internship offers from big companies like Facebook, Twitter, Yelp, and Goldman Sachs for 2017. On average, the internship recipients said they would be paid $6,500 per month, the equivalent of $78,000 per year (the survey is still open, so results may change). Many also said they would receive more than $1,000 worth of stipends per month for housing and travel or signing bonuses. Internships typically run for a summer, but we've annualized the numbers. If the average intern who responded to Collins' survey were to work for a year, he would make $30,000 more than the average annual income for all occupations in the U.S., which is $48,000. Of the 1,088 occupation categories within which the Bureau of Labor Statistics tracks average income, workers in only about 200 of them on average make more money in a year than the intern would.
AI

Many CEOs Believe Technology Will Make People Largely Irrelevant (betanews.com) 318

An anonymous reader shares a report on BetaNews: Although artificial intelligence (AI), robotics and other emerging technologies may reshape the world as we know it, a new global study has revealed that many CEOs now value technology over people when it comes to the future of their businesses. The study was conducted by the Los Angeles-based management consulting firm Korn Ferry, which interviewed 800 business leaders across a variety of multi-million and multi-billion dollar global organizations. The firm says that 44 percent of the CEOs surveyed agreed that robotics, automation and AI would reshape the future of many workplaces by making people "largely irrelevant." The global managing director of solutions at Korn Ferry, Jean-Marc Laouchez, explains why many CEOs have adopted this controversial mindset, saying: "Leaders may be facing what experts call a tangibility bias. Facing uncertainty, they are putting priority in their thinking, planning and execution on the tangible -- what they can see, touch and measure, such as technology instruments."
Media

Netflix Keeping Bandwidth Usage Low By Encoding Its Video With VP9 and H.264/AVC Codecs (slashgear.com) 68

Netflix announced last week that it is adding support for offline video downloads. The company has since shared that it uses the VP9 video codec to keep download sizes small. An anonymous reader shares an article on Slashgear (edited): For streaming content, Netflix largely relies on H.264/AVC to reduce bandwidth, but for downloaded content it uses VP9 encoding. VP9 delivers better quality video for the same amount of data. The challenge is that VP9 isn't supported on all platforms -- it is supported on Android devices and in the Chrome browser. To get around the lack of support on iOS, Netflix offers downloads in H.264/AVC High on those devices, whereas streams are encoded in H.264/AVC Main. Netflix chooses the optimal encoding settings for each title after finding, for instance, that animated films are easier to encode than live-action. Netflix says that its H.264/AVC High download encodes save 19% bandwidth compared with its H.264/AVC Main streams, while VP9 saves 36%.
The Courts

Embedding Isn't Copyright Infringement, Says Italian Court (arstechnica.co.uk) 23

The appeal court of Rome has overturned one of the 152 website blocks another court imposed last month, and ruled that embedding does not constitute a copyright infringement. From an ArsTechnica report: The order against the Italian site Kisstube is annulled, but the other websites remain blocked. Kisstube is a YouTube channel, which also exists as a standalone website that does not host any content itself, linking instead to YouTube. Both the channel and website arrange content by categories for the convenience of users. The Italian court's decision was informed by an important ruling by the Court of Justice of the European Union (CJEU). In the BestWater case, the CJEU held that embedding or framing a video or image from another website is not copyright infringement if the latter is already accessible to the general public. However, another CJEU judgment ruled that posting hyperlinks to pirated copies of material is only legal provided it is done without knowledge that they are unauthorised versions, and it is not carried out for financial gain.
Microsoft

Does Windows 10's Data Collection Trade Privacy For Microsoft's Security? (pcworld.com) 158

jader3rd shares an article from PC World arguing that Windows 10's data collection "trades your privacy for Microsoft's security." [Anonymized] usage data lets Microsoft beef up threat protection, says Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security. The information collected is used to improve various components in Windows Defender... For example, Windows Defender Application Guard for Microsoft Edge will put the Edge browser into a lightweight virtual machine to make it harder to break out of the browser and attack the operating system. With telemetry, Microsoft can see when infections get past Application Guard defenses and improve the security controls to reduce recurrences.

Microsoft also pulls signals from other areas of the Windows ecosystem, such as Active Directory, and combines them with information from the Windows 10 device to look for patterns that can indicate a problem like a ransomware infection or other attacks. To detect those patterns, Microsoft needs access to technical data, such as which processes are consuming system resources, hardware diagnostics, and file-level information like which applications had which files open, Lefferts says. Taken together, the hardware information, application details, and device driver data can be used to identify parts of the operating system that are exposed and should be isolated into virtual containers.

The article points out that unlike home users, enterprise users of Windows 10 can select a lower level of data-sharing, but argues that enterprises "need to think twice before turning off Windows telemetry to increase corporate privacy" because Windows Update won't work without information about whether previous updates succeeded or failed.
Security

70 Laptops Got Left Behind At An Airport Security Checkpoint In One Month (bravotv.com) 162

America's Transportation Security Administration has been making some surprising announcements on social media. An anonymous reader writes: A TSA spokesperson says 70 laptops were left behind in just one month at an airport security checkpoint in Newark. "And yes, there are plenty of shiny MacBooks in that pile," reported BravoTV, "which can cost in the $2,000 range new." The TSA shared an image of the 70 laptops on their Instagram page and on Twitter, prompting at least one mobile project designer to reclaim his laptop. "The most common way laptops are forgotten is when travelers stack a bin on top of the bin their laptop is in," the TSA warns. "Out of sight, out of mind."
The TSA is also sharing pictures on social media of the 70 guns they confiscated at security checkpoints in one week in November, reporting they've also confiscated a blowtorch, batarangs, and a replica of that baseball bat from "The Walking Dead". They're reporting they found 33 loaded firearms in carry-on luggage in one week, and remind readers that gun-carrying passengers "can face a penalty as high as $11,000. This is a friendly reminder to please leave these items at home."
United States

Sysadmin Gets Two Years In Prison For Sabotaging ISP (bleepingcomputer.com) 128

After being let go over a series of "personal issues" with his employer, things got worse for 26-year-old network administrator Dariusz J. Prugar, who will now have to spend two years in prison for hacking the ISP where he'd worked. An anonymous reader writes: Prugar had used his old credentials to log into the ISP's network and "take back" some of the scripts and software he wrote... "Seeking to hide his tracks, Prugar used an automated script that deleted various logs," reports Bleeping Computer. "As a side effect of removing some of these files, the ISP's systems crashed, affecting over 500 businesses and over 5,000 residential customers."

When his former employer couldn't fix the issue, they asked Prugar to help. "During negotiations, instead of requesting money as payment, Prugar insisted that he'd be paid using the rights to the software and scripts he wrote while at the company, software which was now malfunctioning, a week after he left." This tipped off the company, which suspected foul play, contacted the FBI and rebuilt its entire network.

Six years later, Prugar was found guilty after a one-week jury trial, and was ordered by the judge to pay $26,000 in restitution to the ISP (which went out of business in October of 2015). Prugar's two-year prison sentence begins December 27.
Security

Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) 107

schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found... Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...

According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.

One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."
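The two weaknesses quoted above can be simulated end to end. The following is an added example written for this page, not code from the researchers or from The Independent: it models an issuer that evaluates every authorization request in isolation (weakness 1) and merchants that each validate a different subset of card fields and lock a card after a handful of failed attempts (weakness 2). The attacker, starting from the card number alone, spreads guesses for the expiry date and then the security code across as many merchant sites as needed so that no single site ever sees more than its limit. The sample card, the five-year expiry window, the 10-attempts-per-site lock and the `global_limit` countermeasure are all assumptions made for the simulation.

```python
"""Simulation of the distributed guessing attack (added example, not the
study's code). The issuer checks each authorization request on its own and
never adds up attempts on one card across merchants; each merchant validates
a different subset of fields and locks the card after a few failed tries."""

# Constructed sample card for the simulation; not a real account.
CARD = {"pan": "4111111111111111", "expiry": "09/19", "cvv": "742"}

CVV_SPACE = [f"{i:03d}" for i in range(1000)]  # 3-digit code: 1000 values
# Assumption: a card expires within five years, so 60 month/year pairs.
EXPIRY_SPACE = [f"{m:02d}/{y:02d}" for y in range(17, 22) for m in range(1, 13)]


class Issuer:
    """Authorization backend. With global_limit=None it answers each request
    on its own merits (weakness 1): guesses arriving through different
    merchants are never counted together for the card."""

    def __init__(self, card, global_limit=None):
        self.card = card
        self.global_limit = global_limit
        self.attempts = 0  # attempts seen for this card across all merchants

    def authorize(self, pan, **fields):
        self.attempts += 1
        if self.global_limit is not None and self.attempts > self.global_limit:
            return "blocked"  # cross-merchant velocity check (the countermeasure)
        if pan != self.card["pan"]:
            return "declined"
        for name, value in fields.items():
            if value != self.card[name]:
                return "declined"
        return "approved"


class Merchant:
    """One web shop. It validates only `fields` (weakness 2: sites differ in
    which fields they check) and locks the card after per_site_limit tries."""

    def __init__(self, issuer, fields, per_site_limit):
        self.issuer = issuer
        self.fields = fields
        self.per_site_limit = per_site_limit
        self.attempts = 0

    def try_payment(self, pan, **supplied):
        if self.attempts >= self.per_site_limit:
            return "site_locked"
        self.attempts += 1
        return self.issuer.authorize(pan, **{f: supplied[f] for f in self.fields})


def guess_field(issuer, pan, field, candidates, known, per_site_limit):
    """Try every candidate for one field, moving to a fresh merchant whenever
    the current one is about to lock. Returns (value or None, sites, requests)."""
    wanted = tuple(known) + (field,)
    site, sites_used, requests = None, 0, 0
    for cand in candidates:
        if site is None or site.attempts >= per_site_limit:
            site = Merchant(issuer, wanted, per_site_limit)
            sites_used += 1
        requests += 1
        result = site.try_payment(pan, **known, **{field: cand})
        if result == "approved":
            return cand, sites_used, requests
        if result == "blocked":
            break
    return None, sites_used, requests


def distributed_guessing_attack(issuer, pan, per_site_limit=10):
    """Starting from the card number only, recover the expiry date (60
    candidates) and then the CVV (1000 candidates), piecing the card together
    across merchants. Returns a summary dict, or None if the issuer blocked."""
    known = {}
    expiry, s1, r1 = guess_field(issuer, pan, "expiry", EXPIRY_SPACE, known, per_site_limit)
    if expiry is None:
        return None
    known["expiry"] = expiry
    cvv, s2, r2 = guess_field(issuer, pan, "cvv", CVV_SPACE, known, per_site_limit)
    if cvv is None:
        return None
    return {"expiry": expiry, "cvv": cvv, "sites_used": s1 + s2, "requests": r1 + r2}


if __name__ == "__main__":
    # Uncorrelated issuer: the full card is recovered across 79 sites.
    print(distributed_guessing_attack(Issuer(CARD), CARD["pan"]))
    # Issuer that counts attempts per card across merchants: attack is stopped.
    print(distributed_guessing_attack(Issuer(CARD, global_limit=20), CARD["pan"]))
```

Against the uncorrelated issuer the attacker needs at most 60 + 1000 guesses in total and, with a 10-try lock per site, never more than about a hundred merchant sites; no individual merchant sees anything beyond a few declined transactions. The `global_limit` branch is the fix the first weakness implies: once the issuer counts attempts per card rather than per merchant, the same attack is blocked after a couple of dozen requests regardless of how many sites are used.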
Iphone

iOS's 'Activation Lock' For Stolen iPads And iPhones Can Be Easily Bypassed (computerworld.com) 54

An anonymous reader quotes ComputerWorld: Two researchers claim to have found a way to bypass the activation lock feature in iOS that's supposed to prevent anyone from using an iPhone or iPad marked as lost by its owner... One of the few things allowed from the activation lock screen is connecting the device to a Wi-Fi network, including manually configuring one. [Security researcher] Hemanth had the idea of trying to crash the service that enforces the lock screen by entering very long strings of characters in the WPA2-Enterprise username and password fields.

The researcher claims that, after a while, the screen froze, and he used the iPad smart cover sold by Apple to put the tablet to sleep and then reopen it... "After 20-25 seconds the Add Wifi Connection screen crashed to the iPad home screen, thereby bypassing the so-called Find My iPhone Activation Lock," he said in a blog post.

There's also a five-minute video on YouTube which purports to show a newer version of the same attack.
Encryption

Encryption Backdoor Sneaks Into UK Law (theregister.co.uk) 134

Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world: Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
Security

The 'USB Killer' Has Been Mass Produced -- Available Online For About $50 (arstechnica.com) 235

New submitter npslider writes: The "USB Killer," a USB stick that fries almost everything that it is plugged into, has been mass produced -- available online for about $50. Ars Technica first wrote about this diabolical device that looks like a fairly humdrum memory stick a year ago. From the report: "The USB Killer is shockingly simple in its operation. As soon as you plug it in, a DC-to-DC converter starts drawing power from the host system and storing electricity in its bank of capacitors (the square-shaped components). When the capacitors reach a potential of -220V, the device dumps all of that electricity into the USB data lines, most likely frying whatever is on the other end. If the host doesn't just roll over and die, the USB stick does the charge-discharge process again and again until it sizzles. Since the USB Killer has gone on sale, it has been used to fry laptops (including an old ThinkPad and a brand new MacBook Pro), an Xbox One, the new Google Pixel phone, and some cars (infotainment units, rather than whole cars... for now). Notably, some devices fare better than others, and there's a range of possible outcomes -- the USB Killer doesn't just nuke everything completely." You can watch a video of EverythingApplePro using the USB Killer to fry a variety of electronic devices. It looks like the only real defense from the USB Killer is physically capping your ports.
Security

Hackers Steal $31 Million at Russia's Central Bank (cnn.com) 78

The Bank of Russia confirmed on Friday that hackers stole 2 billion rubles ($31 million) from correspondent accounts at the Russian central bank. Central bank security executive Artiom Sychev said it could have been much worse: the hackers tried to steal 5 billion rubles, but the central bank managed to stop them. CNNMoney reports: Hackers also targeted private banks and stole cash from their clients, the central bank reported. The central bank did not say when the heist occurred or how the hackers moved the funds. But so far, the attack bears some similarity to a recent string of heists that has targeted the worldwide financial system. Researchers at the cybersecurity firm Symantec have concluded that the global banking system has been under sustained attack from a sophisticated group -- dubbed "Lazarus" -- that has been linked to North Korea. But it's unclear who attacked the Russian banks this time around. Earlier Friday, the Russian government claimed it had foiled an attempt to erode public confidence in its financial system. Russia's top law enforcement agency, the FSB, said hackers were planning to use a collection of computer servers in the Netherlands to attack Russian banks. Typically, hackers use this kind of infrastructure to launch a "denial of service" attack, which disrupts websites and business operations by flooding a target with data. The FSB said the hackers also planned to spread fake news about Russian banks, sending mass text messages and publishing stories on social media questioning their financial stability and licenses to operate.
Technology

Fake Apple Chargers Fail Safety Tests (bbc.com) 118

Investigators have warned consumers they face potentially fatal risks after 99% of fake Apple chargers failed a basic safety test. From a report on BBC: Trading Standards, which commissioned the checks, said counterfeit electrical goods bought online were an "unknown entity." Of 400 counterfeit chargers, only three were found to have enough insulation to protect against electric shocks. It comes as Apple has complained of a "flood" of fakes being sold on Amazon. Apple revealed in October that it was suing a third-party vendor, which it said was putting customers "at risk" by selling power adapters masquerading as those sold by the Californian tech firm.
Security

Russia Says Foreign Spies Plan Cyber Attack On Banking System (reuters.com) 88

Russia said on Friday it had uncovered a plot by foreign spy agencies to sow chaos in Russia's banking system via a coordinated wave of cyber attacks and fake social media reports about banks going bust. From a report on Reuters: Russia's domestic intelligence agency, the Federal Security Service (FSB), said that the servers to be used in the alleged cyber attack were located in the Netherlands and registered to a Ukrainian web hosting company called BlazingFast. The attack, which was to target major national and provincial banks in several Russian cities, was meant to start on Dec. 5, the FSB said in a statement. "It was planned that the cyber attack would be accompanied by a mass send-out of SMS messages and publications in social media of a provocative nature regarding a crisis in the Russian banking system, bankruptcies and license withdrawals," it said. "The FSB is carrying out the necessary measures to neutralize threats to Russia's economic and information security."
United Kingdom

UK Homes Lose Internet Access After Cyber-Attack (theguardian.com) 33

More than 100,000 people in the UK have had their internet access cut after a string of service providers were hit by what is believed to be a coordinated cyber-attack, taking the number affected in Europe up to about a million. From a report on The Guardian, shared by reader JoshTops: TalkTalk, one of Britain's biggest service providers, the Post Office and the Hull-based KCom were all affected by the malware known as Mirai, which spreads between compromised internet-connected devices such as home routers. The Post Office said 100,000 customers had experienced problems since the attack began on Sunday, and KCom put its figure at about 10,000 customers since Saturday. Earlier this week, Germany's Deutsche Telekom said up to 900,000 of its customers had lost their internet connection as part of the same incident.
Android

Multiple Vulnerabilities In AirDroid Opens At Least 10 Million Android Users To MITM Attacks, Hijackings (androidpolice.com) 30

AirDroid is a popular Android application that lets users send and receive text messages, transfer files, and see notifications from their computer. Zimperium, a mobile security company, recently released details of several major security vulnerabilities in the application that allow attackers on the same network to access user information and execute code on a user's device. Since the app has between 10 and 50 million installations, many users may be affected. Android Police reports: The security issues stem mainly from AirDroid using the same HTTP request to authorize the device and to send usage statistics. The request is encrypted, but with a key hardcoded in the AirDroid application (so essentially everyone using AirDroid has the same key). Attackers on the same network can intercept the authentication request (a man-in-the-middle attack) and decrypt it with the key extracted from any AirDroid APK to retrieve private account information, including the email address and password associated with the AirDroid account. Attackers using a transparent proxy can also intercept the network request AirDroid sends to check for add-on updates and inject any APK they want; AirDroid would then notify the user of an add-on update, download the malicious APK and ask the user to accept the installation. Zimperium notified AirDroid of these flaws on May 24, and a few days later AirDroid acknowledged the problem. Zimperium continued to follow up until AirDroid informed them of the upcoming 4.0 release, which was made available last month. Zimperium later discovered that version 4.0 still had all the same issues, and finally went public with the vulnerabilities today.
Botnet

International Authorities Take Down Massive 'Avalanche' Botnet, Sinkhole Over 800,000 Domains (arstechnica.com) 53

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned hundreds of thousands of compromised computers around the world. The U.S. Attorney's Office for the Western District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported.
In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."
Communications

'Fatal' Flaws Found in Medical Implant Software (bbc.com) 38

Security researchers have warned of flaws in medical implants that they say could have fatal consequences. The flaws were found in the radio-based communications used to update implants, including pacemakers, and to read data from them. From a BBC report: By exploiting the flaws, the researchers were able to adjust settings and even switch off devices. The attacks were also able to steal confidential data about patients and their health history. A software patch has been created to help thwart any real-world attacks. The flaws were found by an international team of security researchers based at the University of Leuven in Belgium and the University of Birmingham.
