Security

Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters

BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found that multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into — hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem; it only ever lives in firmware (which no one ever checks). A video showing the proof of concept attack is posted on YouTube.
Networking

Research Scientists To Use Network Much Faster Than Internet

nickweller writes with this story from the Times about the Pacific Research Platform, an ultra-high-speed fiber-optic research infrastructure that will link together dozens of top research institutions. The National Science Foundation has just awarded a five-year $5 million grant for the project. The story reports: The network is meant to keep pace with the vast acceleration of data collection in fields such as physics, astronomy and genetics. It will not be directly connected to the Internet, but will make it possible to move data at speeds of 10 gigabits to 100 gigabits among 10 University of California campuses and 10 other universities and research institutions in several states, tens or hundreds of times faster than is typical now.
Communications

In Korea, Smartphones Use Multipath TCP To Reach 1 Gbps

An anonymous reader writes: Korean users are among the most bandwidth-hungry smartphone users. During the MPTCP WG meeting at IETF'93, SungHoon Seo announced that KT had deployed since mid-June a commercial service that allows smartphone users to reach 1 Gbps. This is not yet 5G, but the first large-scale commercial deployment of Multipath TCP by a mobile operator to combine fast LTE and fast WiFi to reach up to 1 Gbps. This service is offered on the Samsung Galaxy S6, whose Linux kernel includes the open-source Multipath TCP implementation, and SOCKSv5 proxies managed by the network operator. Several thousand users are already actively using this optional service.
Privacy

Tor Project Pilots Exit Nodes In Libraries

An anonymous reader writes: The Tor Project has announced a new initiative to open exit relays in public libraries. "This is an idea whose time has come; libraries are our most democratic public spaces, protecting our intellectual freedom, privacy, and unfettered access to information, and Tor Project creates software that allows all people to have these rights on the internet." They point out that this is both an excellent way to educate people on the value of private internet browsing while also being a practical way to expand the Tor network. A test for this initiative is underway at the Kilton Library in Lebanon, New Hampshire, which already has a computing environment full of GNU/Linux machines.
Piracy

Interviews: Kim Dotcom Answers Your Questions

Kim Dotcom was the founder of Megaupload, its successor Mega, and New Zealand's Internet Party. A while ago you had a chance to ask him about those things as well as the U.S. government charging him with criminal copyright violation and racketeering. Below you'll find his answers to your questions.
Security

Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks

Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community."
Security

Tools Coming To Def Con For Hacking RFID Access Doors

jfruh writes: Next month's Def Con security conference will feature, among other things, new tools that will help you hack into the RFID readers that secure doors in most office buildings. RFID cards have been built with more safeguards against cloning; these new tools will bypass that protection by simply hacking the readers themselves. ITWorld reports that Francis Brown, a partner at the computer security firm Bishop Fox, says: "...his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems."
Advertising

Advertising Companies Accused of Deliberately Slowing Page-load Times For Profit

An anonymous reader writes: An industry insider has told Business Insider of his conviction that ad-serving companies deliberately prolong the 'auctioning' process for ad spots when a web-page loads. They do this to maximize revenue by allowing automated 'late-comers' to participate beyond the 100ms limit placed on the decision-making process. The unnamed source, a principal engineer at a global news company (whose identity and credentials were confirmed by Business Insider), concluded with the comment: "My entire team of devs and testers mostly used Adblock when developing sites, just because it was so painful otherwise." Publishers use 'daisy-chaining' to solicit bids from the most profitable placement providers down to the 'B-list' placements, and the longer the process is run, the more likely that the web-page will be shown with profitable advertising in place.
Chrome

Chrome Extension Thwarts User Profiling Based On Typing Behavior

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome, not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.
Businesses

LinkedIn (Temporarily) Backs Down After Uproar At Contact Export Removal

Mark Wilson writes: LinkedIn caused a storm a couple of days ago when it removed the option to instantly download contacts. Many users of the professional social network were more than a little irked to discover that while contact exporting was still available, a wait of up to three days had been put in place. Unsurprisingly, users revolted, having been particularly upset by the fact that the change was implemented with no warning or announcement. But the company has managed to turn things around by quickly backtracking on its decision after listening to a stream of complaints on Twitter.
ch

Swiss Researchers Describe a Faster, More Secure Tor

An anonymous reader writes: Researchers from the Swiss Federal Institute of Technology and University College London published a paper this week describing a faster and more secure version of Tor called HORNET. On one hand, the new onion routing network can purportedly achieve speeds of up to 93 gigabits per second and "be scaled to support large numbers of users with minimal overhead". On the other hand, the researchers cannot claim it is immune to the "confirmation attacks" known to work against Tor, but they point out that, given how HORNET works, perpetrators of such attacks would have to control significantly more ISPs across multiple geopolitical boundaries and probably sacrifice the secrecy of their operations in order to successfully deploy such attacks on HORNET.
AT&T

FCC Approves AT&T's DirecTV Purchase

An anonymous reader writes: The U.S. Federal Communications Commission has granted approval to AT&T to purchase DirecTV for $48.5 billion. AT&T will become the largest provider of cable or satellite TV in the U.S., with 26.4 million subscribers. "Adding TV customers gives AT&T more power to negotiate with big media companies over prices for those channels. The deal also combines a nationwide satellite TV service, the country's largest, with the No. 2 nationwide wireless network as time spent on mobile devices increases." The FCC did put conditions on the deal: AT&T must make fiber internet service available to 12.5 million people, offer cheaper internet plans to low-income customers, and not mess with the internet traffic of online video competitors.
Security

Remote Control of a Car, With No Phone Or Network Connection Required

Albanach writes: Following on from this week's Wired report showing the remote control of a Jeep using a cell phone, security researchers claim to have achieved a similar result using just the car radio. Using off-the-shelf components to create a fake radio station, the researchers sent signals using the DAB digital radio standard used in Europe and the Asia Pacific region. After taking control of the car's entertainment system, it was possible to gain control of vital car systems such as the brakes. In the wild, such an exploit could allow widespread simultaneous deployment of a hack affecting huge numbers of vehicles.
Google

Google Staffers Share Salary Info With Each Other; Management Freaks

Nerval's Lobster writes: Imagine a couple of employees at your company create a spreadsheet that lists their salaries. They place the spreadsheet on an internal network, where other employees soon add their own financial information. Within a day, the project has caught on like wildfire, with people not only listing their salaries but also their bonuses and other compensation-related info. While that might sound a little far-fetched, that's exactly the scenario that recently played out at Google, according to an employee, Erica Baker, who detailed the whole incident on Twitter. While management frowned upon employees sharing salary data, she wrote, "the world didn't end everything didn't go up in flames because salaries got shared." For years, employees and employers have debated the merits (and drawbacks) of revealing salaries. While most workplaces keep employee pay a tightly guarded secret, others have begun fiddling with varying degrees of transparency, taking inspiration from studies that have shown a higher degree of salary-related openness translates into happier workers. (Other studies (PDF) haven't suggested the same effect.) Baker claims the spreadsheet compelled more Google employees to ask and receive "equitable pay based on data in the sheet."
Open Source

Meet OpenDaylight Project Executive Director Neela Jacques (Video)

The OpenDaylight Project works on Software Defined Networking. Their website says, "Software Defined Networking (SDN) separates the control plane from the data plane within the network, allowing the intelligence and state of the network to be managed centrally while abstracting the complexity of the underlying physical network." Another quote: it's the "largest software-defined networking Open Source project to date." The project started in 2013. It now has an impressive group of corporate networking heavyweights as sponsors and about 460 developers working on it. Their latest release, Lithium, came out earlier this month, and development efforts are accelerating, not slowing down, because as cloud use becomes more prevalent, so does SDN, which is an obvious "hand-in-glove" fit for virtualized computing.

Today's interview is with OpenDaylight Project Executive Director Nicolas "Neela" Jacques, who has held this position since the project was not much more than a gleam in (parent) Linux Foundation's eye. This is one of the more important Linux Foundation collaborative software projects, even if it's not as well known to the public as some of the foundation's other efforts, including -- of course -- GNU/Linux itself.
Facebook

New Facebook Video Controls Let You Limit Viewing By Gender and Age

Mark Wilson writes: Videos on Facebook are big business. As well as drugged-up post-dentist footage, there is also huge advertising potential. Now Facebook has announced a new set of options for video publishers — including the ability to limit who is able to see videos based on their age and gender. A social network might not be the first place you would think of to try to keep something private, but a new 'secret video' option makes it possible to restrict access to those people who have a direct link. Other new options include the ability to prevent embedding on other sites, but it is the audience restriction settings that are particularly interesting. For a long time Facebook has been about reaching out to as many people as possible in one hit — particularly in the case of pages, which are likely to be used for the promotion of businesses and services. But now the social giant provides tools to limit one's audience. It's fairly easy to understand the reasons for implementing age restrictions on video (although there is obviously scope for abuse), but the reasons for gender-based restrictions are less clear.
Google

Google+ Photos To Shut Down August 1

An anonymous reader writes: Now that Google Photos exists separately from Google+, the company is shutting down the Google+ version of Photos starting on August 1. The Android version will be the first to go, followed shortly thereafter by the iOS and web versions. Fortune calls the old Photos app "a relic of the times when the search giant thought its social network Google Plus could become a huge hit."
Transportation

U. Michigan Opens a Test City For Driverless Cars

An anonymous reader writes: The University of Michigan has opened Mcity, the world's first controlled environment specifically designed to test the potential of connected and automated vehicle technologies that will lead the way to mass-market driverless cars. Mcity is a 32-acre simulated urban and suburban environment that includes a network of roads with intersections, traffic signs and signals, streetlights, building facades, sidewalks and construction obstacles. The types of technologies that will be tested at the facility include connected technologies – vehicles talking to other vehicles or to the infrastructure, commonly known as V2V or V2I – and various levels of automation all the way up to fully autonomous, or driverless vehicles.
Transportation

Remote Exploit On a Production Chrysler To Be Presented At BlackHat

Matt_Bennett writes: A scary remote exploit is going to be published that enables someone connected to the same wireless (mobile data) network to take over many [automobile] systems, including braking. This is an exploit in Chrysler's Uconnect system. Charlie Miller and Chris Valasek also demonstrated exploits in 2013 that could be done via a direct connection to the system, but this is vastly expanded in scope. The pair convinced Wired writer Andy Greenberg to drive around near St. Louis while they picked apart the car's systems from 10 miles away, killing the radio controls before moving on to things like the transmission.