Bridgefy, a popular messaging app for conversing with one another when internet connections are heavily congested or completely shut down, is a privacy disaster that can allow moderately-skilled hackers to take a host of nefarious actions against users, according to a paper published on Monday. The findings come after the company has for months touted the app as a safe and reliable way for activists to communicate in large gatherings. Ars Technica reports: By using Bluetooth and mesh network routing, Bridgefy lets users within a few hundred meters -- and much further as long as there are intermediary nodes -- to send and receive both direct and group texts with no reliance on the Internet at all. Bridgefy cofounder and CEO Jorge Rios has said he originally envisioned the app as a way for people to communicate in rural areas or other places where Internet connections were scarce. And with the past year's upswell of large protests around the world -- often in places with hostile or authoritarian governments -- company representatives began telling journalists that the app's use of end-to-end encryption (reiterated here, here, and here) protected activists against governments and counter protesters trying to intercept texts or shut down communications.

[R]esearchers said that the app's design for use at concerts, sports events, or during natural disasters makes it woefully unsuitable for more threatening settings such as mass protests. They wrote: "Though it is advertised as 'safe' and 'private' and its creators claimed it was secured by end-to-end encryption, none of aforementioned use cases can be considered as taking place in adversarial environments such as situations of civil unrest where attempts to subvert the application's security are not merely possible, but to be expected, and where such attacks can have harsh consequences for its users. Despite this, the Bridgefy developers advertise the app for such scenarios and media reports suggest the application is indeed relied upon."

The researchers are: Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Marekova from Royal Holloway, University of London. After reverse engineering the app, they devised a series of devastating attacks that allow hackers -- in many cases with only modest resources and moderate skill levels -- to take a host of nefarious actions against users. The attacks allow for: deanonymizing users; building social graphs of users' interactions, both in real time and after the fact; decrypting and reading direct messages; impersonating users to anyone else on the network; completely shutting down the network; and performing active man-in-the-middle attacks, which allow an adversary not only to read messages, but to tamper with them as well. "The key shortcoming that makes many of these attacks possible is that Bridgefy offers no means of cryptographic authentication, which one person uses to prove she's who she claims to be," the report adds. "Instead, the app relies on a user ID that's transmitted in plaintext to identify each person. Attackers can exploit this by sniffing the ID over the air and using it to spoof another user."

The app also uses PKCS #1, an outdated way of encoding and formatting messages so that they can be encrypted with the RSA cryptographic algorithm. "This encoding method, which was deprecated in 1998, allows attackers to perform what's known as a padding oracle attack to derive contents of an encrypted message," reports Ars.

According to a report from the New York Post, Amazon may bring the cashierless tech at its Go convenience stores to Whole Foods as early as next year. The Verge reports: Amazon may start implementing the tech in Whole Foods sometime during the second quarter of 2021, according to the New York Post's source. This technology, which is currently available in more than 20 Amazon Go convenience store locations, uses cameras, sensors, and computer vision to let customers walk out the store with groceries in hand and avoid cashier checkout lines. The New York Post's source claims the rollout of the new technology into Whole Foods is one of two final projects that Jeff Wilke, CEO of Amazon's worldwide consumer division, is focusing on before he retires early next year.

Facebook's French subsidiary has agreed to pay more than $118 million in back taxes, including a penalty, after a ten-year audit of its accounts by French tax authorities, the company said on Monday. Reuters reports: France, which is pushing hard to overhaul international tax rules on digital companies such as Facebook, Alphabet's Google, Apple and Amazon, has said the big tech groups pay too little tax in the country where they have significant sales. Current international tax rules legally allow companies to funnel sales generated in local markets in Europe to their regional headquarters. Some of the tech companies, including Facebook, have European or international headquarters based in countries with comparatively low corporate tax rates, such as Ireland.

A Facebook spokesman said French tax authorities carried out an audit on Facebook's accounts over 2009-2018 period, which resulted in an agreement by the subsidiary to pay a total 106 million euros. Facebook's spokesman also said that since 2018 the company had decided to include its advertising sales in France in its annual accounts covering France. As a result, Facebook's total net revenue almost doubled in 2019 from a year earlier to 747 million euros, a copy of Facebook France's 2019 annual accounts, filed with France's companies registry and seen by Reuters, showed. Facebook France, which employs 208 people, refers to the French tax audit report in its 2019 annual accounts, saying it amounted to a tax adjustment of about 105 million euros. This includes a penalty of about 22 million, the annual accounts showed.

An anonymous reader quotes a report from BuzzFeed News: When Mxolosi saw a Tecno W2 smartphone in a store in Johannesburg, South Africa, he was attracted to its looks and functionality. But what really drew him in was the price, roughly $30 -- far less than comparable models from Samsung, Nokia, or Huawei, Africa's other top brands. It was another sale for Transsion, the Chinese company that makes Tecno and other low-priced smartphones, as well as basic handsets, for the developing world. Since releasing its first smartphone in 2014, the upstart has grown to become Africa's top handset seller, beating out longtime market leaders Samsung and Nokia. But its success can come at a price. Mxolosi, an unemployed 41-year-old, became frustrated with his Tecno W2. Pop-up ads interrupted his calls and chats. He'd wake up to find his prepaid data mysteriously used up and messages about paid subscriptions to apps he'd never asked for.

He thought it might be his fault, but according to an investigation by Secure-D, a mobile security service, and BuzzFeed News, software embedded in his phone right out of the box was draining his data while trying to steal his money. Mxolosi's Tecno W2 was infected with xHelper and Triada, malware that secretly downloaded apps and attempted to subscribe him to paid services without his knowledge. Secure-D's system, which mobile carriers use to protect their networks and customers against fraudulent transactions, blocked 844,000 transactions connected to preinstalled malware on Transsion phones between March and December 2019. Secure-D Managing Director Geoffrey Cleaves told BuzzFeed News that Mxolosi's data was used up by the malware as it attempted to subscribe him to paid services. Along with South Africa, Tecno W2 phones in Ethiopia, Cameroon, Egypt, Ghana, Indonesia, and Myanmar were infected.

Nintendo has targeted the developer of an open-source Switch payload injector with a cease and desist notice (PDF). Faced with copyright infringement threats, the DragonInjector developer decided to shut the project down. While he doesn't agree with the allegations, an expensive legal battle is not an option. TorrentFreak reports: DragonInjector is a small piece of hardware that fits in the Switch game card slot. It allows users to install and load custom firmware on their console. While it's not advertised as a pirate tool, with third-party code it can be used to play pirated games on older Switch models. A few days ago, DragonInjector's developer formally announced the end of the project. In a message on Discord, a Nintendo cease-and-desist order is cited as the main reason. MatinatorX doesn't agree with the gaming company's copyright infringement claims but he doesn't want to fight them either.

"While I don't believe the project was or is unlawful in any way, I do not have the resources to go to court to prove that for a hobby, especially considering the project netted a loss of a few thousand dollars overall," he writes. The cease-and-desist notice was sent by Nintendo's Canadian lawyers a few weeks ago. It accuses the developer of copyright infringement by advertising and selling the DragonInjector. According to the notice, this breaks the Switch's technical protection measures. "Your unlawful manufacture, advertisement, distribution, offering for sale and sale of the DragonInjector via the Dragon Injector Website infringes our client's rights," the lawyers write.

The developer was urged to immediately stop any infringing activities. If not, Nintendo reserves the right to take further action, the notice warns, adding that the company previously won $12 million CAD in damages in a 'similar' case. The threat comes with a list of additional requests. Among other things, MatinatorX must hand over all related accounting, including the number of devices sold as well as any profits that were made. The report notes that while Dragoninjector.com is gone, the developer registered Draconicmods.com to sell a custom Switch kickstand and other legitimate accessories.

theodp writes: That was then: Lamenting a dire shortage of U.S. computer science grads, tech investors Ali and Hadi Partovi launched Code.org in 2013 with backing from the world's largest tech firms to push coding into America's K-12 classrooms.

This is now: CS graduation can wait. Bloomberg News' Ellen Huet reports that some Silicon Valley startups, hungry for young talent, are making lemonade from COVID-19 lemons, presenting pandemic-weary CS students with an alternative to school: remote gap-year internships aimed specifically at young people looking for alternatives to a dismal school year.

Huet writes: "Dozens of Silicon Valley startups are looking to hire fall interns, according to a list assembled by startup accelerator Y Combinator. This month, venture firm Neo organized a virtual career fair for 120 students and a range of startups (including Code.org), hoping to match pairs for internships during the upcoming academic year. And venture firm Contrary Capital is offering to invest $100,000 in five teams of entrepreneurs if they take a gap year from school to build a company. Such arrangements allow interns to get paid and learn on the job, while avoiding paying tens of thousands of dollars for Zoom University. It also means that companies willing to improvise on hiring and gamble on younger workers may get new access to fresh talent. Ali Partovi, Neo's chief executive officer, said the firm surveyed 120 students who are part of its mentorship programs and found that 46% of them are interested in taking a gap semester and 21% are interested in taking a gap year."

So, is now a good time for CS majors to turn on, tune in, drop out?

An anonymous reader quotes a report from Reuters: Taiwan-based electronics manufacturers Foxconn and Pegatron are among companies eyeing new factories in Mexico, people with direct knowledge of the matter said, as the U.S.-China trade war and coronavirus pandemic prompt firms to reexamine global supply chains. The plans could usher in billions of dollars in badly needed fresh investments over the next few years for Latin America's second-largest economy, which is primed for its worst recession since the 1930s Great Depression.

According to two of the sources, Foxconn has plans to use the factory to make Apple iPhones. However, one of the sources said, there had been no sign of Apple's direct involvement in the plan yet. Foxconn is likely to make a final decision on a new factory later this year, and work will commence after that, the two people said, adding there was no certainty the company would stick to the plan. Pegatron is also in early discussions with lenders about an additional facility in Mexico mainly to assemble chips and other electronic components, said the people, who declined to be identified as the talks are confidential. Pegatron declined to comment. Foxconn has five factories in Mexico mainly making televisions and servers. Its possible expansion would underscore a broader and gradual shift of global supply chains away from China amid a Sino-U.S. trade war and the coronavirus crisis.

NoMoreACs shares a report: On Friday, the internet erupted in a small way to learn that Apple had successfully forced WordPress to monetize its free app -- forcing it to sell premium plans and custom domain names seemingly just so that Apple could get its traditional 30 percent cut. But one afternoon and evening of surprise and outrage later, Apple is backing off. The company is issuing a rare on-the-record apology, and it says that WordPress will no longer have to add in-app purchases now that all is said and done.

Here's Apple's full statement: "We believe the issue with the WordPress app has been resolved. Since the developer removed the display of their service payment options from the app, it is now a free stand-alone app and does not have to offer in-app purchases. We have informed the developer and apologize for any confusion that we have caused." You'll notice that Apple is positioning this as the developer -- WordPress -- having done the right thing and removed the "display of their service payment options from the app," and to my knowledge that is technically true. But as far as I'm aware, that didn't happen today: it happened weeks or months ago.

Back in 2012, a team of Japanese and Belgian researchers in Antarctica found a golf ball-sized space rock resting in the snow. Now, NASA astronauts have had a chance to study a piece of that meteorite, Asuka 12236, and they say it may hold new clues about the development of life. From a report: Inside the meteorite, astrobiologists from NASA's Goddard Space Flight Center found a high concentration of amino acids, particularly aspartic and glutamic acids. Those are two of the 20 amino acids that make millions of proteins, which are essential for the bodily functions of animals. Researchers have found amino acids in other space rocks, but not at such a high concentration. Perhaps most surprisingly, Asuka 12236 contains more left-handed versions of some amino acids. While there are right-handed and left-handed versions of each amino acid, life as we know it uses only left-handed amino acids to build proteins. Researchers want to know why there was an imbalance toward left-handed amino acids and what kinds of space conditions might have led to that. They believe Asuka 12236 was exposed to very little heat or water -- two important clues.

phalse phace writes: Researchers in Hong Kong on Monday reported what appears to be the first confirmed case of Covid-19 reinfection, a 33-year-old man who was first infected by SARS-CoV-2 in late March and then, four and a half months later, seemingly contracted the virus again while traveling in Europe. The case raises questions about the durability of immune protection from the coronavirus.

There have been scattered reports of cases of Covid-19 reinfection. Those reports, though, have been based on anecdotal evidence and largely attributed to flaws in testing. But in this case, researchers at the University of Hong Kong sequenced the virus from the patient's two infections and found that they did not match, indicating the second infection was not tied to the first. There was a difference of 24 nucleotides -- the 'letters' that make up the virus' RNA -- between the two infections. Experts cautioned that this patient's case could be an outlier among the tens of millions of cases around the world and that immune protection may generally last longer than just a few months.

Videoconferencing software Zoom experienced a widespread outage Monday morning with many users unable to join or launch video meetings. From a report: Why it matters: During the coronavirus pandemic, Zoom has become the go-to solution for many businesses and schools trying to function remotely. What they're saying: "We have identified the issue causing users to be unable to start and join Zoom Meetings and Webinars and are working on a fix for this issue," Zoom said in a statement to Axios. "We sincerely apologize for any inconvenience." The issue has been resolved.

Facebook on Monday blocked access within Thailand to a group with 1 million members that discusses the country's king, after the Thai government threatened legal action over failure to take down content deemed defamatory to the monarchy. From a report: The move comes amid near daily youth-led protests against the government led by the former military junta chief and unprecedented calls for reforms of the monarchy. The "Royalist Marketplace" group was created in April by Pavin Chachavalpongpun, a self-exiled academic and critic of the monarchy. On Monday night, the group's page brought up a message: "Access to this group has been restricted within Thailand pursuant to a legal request from the Ministry of Digital Economy and Society." Pavin, who lives in Japan, said Facebook had bowed to the military-dominated government's pressure. "Our group is part of a democratisation process, it is a space for freedom of expression," Pavin told Reuters.

Unity Software, a San Francisco-based company known for its popular video game engine, has filed to go public on the New York Stock Exchange under the ticker symbol "U." An interesting point it raised in its filing: In particular, operating system platform providers or application stores such as Apple or Google may change their technical requirements or policies in a manner that adversely impacts the way in which we or our customers collect, use and share data from end-user devices. Restrictions in our ability to collect and use data as desired could negatively impact our Operate Solutions as well as our resource planning and feature development planning for our software. Similarly, at any time, these platform providers or application stores can change their policies on how our customers or we operate on their platform or in their application stores by, for example, applying content moderation for applications and advertising or imposing technical or code requirements. Actions by operating system platform providers or application stores such as Apple or Google may affect the manner in which we or our customers collect, use and share data from end-user devices. In June 2020, Apple announced plans to require applications using its mobile operating system, iOS, to affirmatively (on an opt-in basis) obtain an end-user's permission to "track them across apps or websites owned by other companies" or access their device's advertising identifier for advertising and advertising measurement purposes, as well as other restrictions. We expect that Apple may implement these changes as early as fall of 2020.

Microsoft has stepped into the brewing legal battle between Apple and Epic Games over the former's policies with regard to its ubiquitous App Store. From a report: In a declaration filed on Sunday, a senior Microsoft engineer said that allowing Apple to block Epic Games' developer account would deal a significant blow to game makers including Microsoft by making them unable to use Epic's Unreal Engine. The Unreal Engine, a type of gaming engine, is a widely used set of technologies that provides a framework for the creation of three dimensional graphics. Epic licenses the engine to companies that use the technology for a fee. "If Unreal Engine cannot support games for iOS or macOS, Microsoft would be required to choose between abandoning its customers and potential customers on the iOS and macOS platforms or choosing a different game engine when preparing to develop new games," Kevin Gammill, Microsoft's general manager for Gaming Developer Experiences, said in the declaration.

He added that "Apple's discontinuation of Epic's ability to develop and support Unreal Engine for iOS or macOS will harm game creators and gamers." While there are alternative gaming engines, Gammill said that "very few" are available with as many features and the same functionality. The declaration came as part of a lawsuit brought by Epic against Apple over the iPhone maker's rules guaranteeing itself a 30% cut of in-app purchases. The suit is filed in U.S. District Court for the Northern District of California. Epic Games tested Apple's policy by sidestepping the rule in an update to its hit game Fortnite, and then sued after Apple removed the game from the App Store. The company has brought a similar suit against Google over its Play Store.