Twitter

Twitter Blocks State-Controlled Media Outlets From Advertising On Its Social Network

Twitter is now blocking state-run media outlets from advertising on its platform. The new policy was announced just hours after the company was criticized for running promoted tweets by China's largest state agency that paint pro-democracy demonstrations in Hong Kong as violent, even though the rallies, including one that drew an estimated 1.7 million people this weekend, have been described as mostly peaceful by international media. TechCrunch reports: State-funded media enterprises that do not rely on taxpayer dollars for their financing and don't operate independently of the governments that finance them will no longer be allowed to advertise on the platform, Twitter said in a statement. That leaves a big exception for outlets like the Associated Press, the British Broadcasting Corp., Public Broadcasting Service and National Public Radio, according to reporting from BBC reporter, Dave Lee. The affected accounts will be able to use Twitter, but can't access the company's advertising products, Twitter said in a statement.

The policy applies to news media outlets that are financially or editorially controlled by the state, Twitter said. The company said it will make its policy determinations on the basis of media freedom and independence, including editorial control over articles and video, the financial ownership of the publication, the influence or interference governments may exert over editors, broadcasters and journalists, and political pressure or control over the production and distribution process. Twitter said the advertising rules wouldn't apply to entities that are focused on entertainment, sports or travel, but if there's news in the mix, the company will block advertising access. Affected outlets have 30 days before they're removed from Twitter and the company is halting all existing campaigns.
Japan

Minister in Charge of Japan's Cybersecurity Says He Has Never Used a Computer (nytimes.com)

Futurepower(R) shares a report: A lot of people don't use computers. Most of them aren't in charge of a nation's cybersecurity. But one is. Japanese lawmakers were aghast on Wednesday when Yoshitaka Sakurada, 68, the minister who heads the government's cybersecurity office, said during questioning in Parliament that he had no need for the devices, and appeared confused when asked basic technology questions. "I have been independently running my own business since I was 25 years old," he said. When computer use is necessary, he said, "I order my employees or secretaries" to do it. [Editor's note: the link may be paywalled; alternative source.] "I don't type on a computer," he added.

Asked by a lawmaker if nuclear power plants allowed the use of USB drives, a common technology widely considered to be a security risk, Mr. Sakurada did not seem to understand what they were. "I don't know details well," he said. "So how about having an expert answer your question if necessary, how's that?" The comments were immediately criticized. "I can't believe that a person who never used a computer is in charge of cybersecurity measures," said Masato Imai, an opposition lawmaker.

iPhone

iPhone XS Passcode Bypass Hack Exposes Contacts, Photos (threatpost.com)

secwatcher shares a report from Threatpost: A passcode bypass vulnerability in Apple's new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone. The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple's latest iOS 12 beta and iOS 12 operating systems. Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and "office clerk" based in Spain who has also found previous iPhone hacks.

Rodriguez posted a video of the bypass on his YouTube channel under the YouTube account Videosdebarraquito, where he walks viewers through a complicated 37-step bypass process in Spanish. Threatpost has independently confirmed that the bypass works on a number of different iPhone models including Apple's newest model iPhone XS. The process involves tricking Siri and Apple's accessibility feature in iOS called VoiceOver to sidestep the device's passcode. The attack works provided the attacker has physical access to a device that has Siri enabled and Face ID either turned off or physically covered (by tape, for instance).

Databases

Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com)

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running the etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers, which can be used to gain access to CMSs, MySQL, and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
Intel

MINIX: Intel's Hidden In-chip Operating System (zdnet.com)

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer, reported that systems using Intel chips that have AMT are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.
iOS

Popular Weather App AccuWeather Caught Sending User Location Data, Even When Location Sharing is Off (zdnet.com)

Zack Whittaker, reporting for ZDNet: Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. AccuWeather is one of the most popular weather apps in Apple's app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission. Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn't have permission to access the device's precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device. We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data.
AI

California Researchers Build The World's First 1,000-Processor Chip (ucdavis.edu)

An anonymous reader quotes a report from the University of California, Davis about the world's first microchip with 1,000 independent programmable processors: The 1,000 processors can execute 115 billion instructions per second while dissipating only 0.7 Watts, low enough to be powered by a single AA battery... more than 100 times more efficiently than a modern laptop processor... The energy-efficient "KiloCore" chip has a maximum computation rate of 1.78 trillion instructions per second and contains 621 million transistors.
Programs get split across many processors (each running independently as needed with an average maximum clock frequency of 1.78 gigahertz), "and they transfer data directly to each other rather than using a pooled memory area that can become a bottleneck for data." Imagine how many mind-boggling things will become possible if this much processing power ultimately finds its way into new consumer technologies.
Intel

Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net)

A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and powerful control mechanism implemented in them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra-computer" works. It runs completely out-of-band with the main x86 CPU "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)." On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. Update: 06/15 18:54 GMT by M: A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.

Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Bug

Red Hat, Google Disclose Severe Glibc DNS Vulnerability; Patched But Widespread

An anonymous reader writes: Today Google's online security team publicly disclosed a severe vulnerability in the GNU C Library's DNS client. Due to the ubiquity of Glibc, this affects an astounding number of machines and software running on the internet, and raises questions about whether Glibc ought to still be the preferred C library when alternatives like musl are gaining maturity. As one example of the range of software affected, nearly every Bitcoin implementation is affected. Reader msm1267 adds some information about the vulnerability, discovered independently by security researchers at Red Hat as well as at Google, which has since been patched: The flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. The flaw is triggered when the getaddrinfo() library function is used, Google said today in its advisory. "A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches," Red Hat said in an advisory. It's likely that all Linux servers and web frameworks such as Rails, PHP and Python are affected, as well as Android apps running glibc.
Privacy

NYT: Privacy Concerns For ClassDojo, Other Tracking Apps For Schoolchildren

theodp writes: The NY Times' Natasha Singer files a report on popular and controversial behavior tracking app ClassDojo, which teachers use to keep a running tally of each student's score, award virtual badges for obedience, and to communicate with parents about their child's progress. "I like it because you get rewarded for your good behavior — like a dog does when it gets a treat," was one third grader's testimonial. Some parents, teachers and privacy law scholars say ClassDojo (investors) — along with other unproven technologies that record sensitive information about students — is being adopted without sufficiently considering the ramifications for data privacy and fairness. "ClassDojo," writes Singer, "does not seek explicit parental consent for teachers to log detailed information about a child's conduct. Although the app's terms of service state that teachers who sign up guarantee that their schools have authorized them to do so, many teachers can download ClassDojo, and other free apps, without vetting by school supervisors. Neither the New York City nor Los Angeles school districts, for example, keep track of teachers independently using apps."

A high school teacher interviewed for the article confessed to having not read ClassDojo's policies on handling student data, saying: "I'm one of those people who, when the terms of service are 18 pages, I just click agree." And, if all this doesn't make you parents just a tad nervous, check out this response to the "Has anyone ran a data analysis on their CD data?" question posed to the Class Dojo Community: "I needed to analyze data in regards to a student being placed on ADHD medicine to see whether or not he made any improvements. I have also used it to determine any behavioral changes depending on if a student was with mom/dad for a custody review. I use dojo consistently, so I LOVE getting to use the data to evaluate and share with parents, or even administrators."
Security

Interviews: Eugene Kaspersky Answers Your Questions

Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kaspersky Lab's relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases.
Games

The Brilliance of Dwarf Fortress

The NY Times is running a story about Dwarf Fortress, an independently produced, ASCII-rendered fantasy game that thrives on its own uniqueness and has influenced countless other game developers (and runs on Linux). Quoting: "Though it may seem ungainly at first, the game’s interface — rendered in what are known as extended ASCII characters — has a sparse elegance. As seasons change, trees, represented by various symbols, shift from green to yellow. Goblins’ eyes appear as red quotation marks; if you shoot out an eye with an arrow, the symbol becomes an apostrophe. On a message board, one fan likened the ASCII experience in Dwarf Fortress to the immersive pleasures of reading a book: 'You can let your imagination fill in the gaps.' The community that has arisen around Dwarf Fortress is remarkable. Fans maintain an extensive wiki, which remains the game’s best (and, effectively, only) instruction manual, and which even Tarn and Zach admit to consulting. ... Perhaps most fascinating are the stories that fans share online, recounting their dwarven travails in detailed and sometimes illustrated narratives. In a 2006 saga, called Boatmurdered, fans passed around a single fortress — one player would save a game, send the file to another player and so on, relay-race style — while documenting its colorful descent into oblivion."
Security

Sun Pushes Emergency Java Patch

Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was able to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."
SuSE

Why Microsoft Can't Afford To Let Novell Die

geek4 sends in an analysis indicating that Microsoft may have the most to lose if hedge-fund operator Elliot buys Novell. (The eWeekEurope piece is based on a longer and geekier writeup by Andy Updegrove on how the mechanics of unsolicited tender offers can play out in the tech world.) To avoid meltdown or asset-stripping, Novell can try and find a preferred bidder — a company with some interest in running Novell as a business, and preferably a tech company. Or another company may make a move independently. But who might that be? A couple of analysts have suggested IBM, Oracle, or SAP. These all have problems... Microsoft is in a similar category, with one added problem. ... Microsoft has staked any open source credibility that it has on Novell's SUSE distribution. If Novell falls to bits, then Microsoft's efforts to gain open source cred pretty much disappear with it. It's something that would have been impossible to imagine a few years back, but if we're looking for someone to prop Novell up, Microsoft would now be a prime candidate.
Java

Emulated PC Enables Linux Desktop In Your Browser

Ianopolous writes "Classic DOOM and DSL Linux Desktop inside your Java-enabled browser! The latest JPC, the fast 100% Java x86 PC emulator, is now available with online demos and downloads. JPC is open source and is the most secure way of running x86 software ever — 2 layers (applet sandbox, JPC sandbox) of independently validated security make it the world's most secure means of isolating x86 software. Visit the website to try out some classic games and play around with Linux all within your web browser. Refresh = reboot!"
The Internet

Disney Strikes Against Net Neutrality

1 a bee writes "Ars Technica is running a story by Matthew Lasar about how Disney's ESPN360.com is charging ISPs for 'bulk' access to their content. According to the article, if you visit ESPN using a 'non-subscribing' ISP, you're greeted with a message explaining why access is restricted for you. This raises a number of issues: '... it's one thing to charge users an access fee, another to charge the ISP, potentially passing the cost on to all the ISP's subscribers whether they're interested in the content or not.' Ironically, the issue came to the fore in a complaint from the American Cable Association (ACA) to the FCC. A quoted ACA press release warns, 'Media giants are in the early stages of becoming Internet gatekeepers by requiring broadband providers to pay for their Web-based content and services and include them as part of basic Internet access for all subscribers. These content providers are also preventing subscribers who are interested in the content from independently accessing it on broadband networks of providers that have refused to pay.' So, is this a real threat to net neutrality (and the end-to-end principle) or just another bad business model that doesn't stand a chance?"
Government

Let Big Brother Hawk Anti-Virus Software

Frequent Slashdot contributor Bennett Haselton writes with his idea for mass adoption of anti-virus software: "If the US government did more to encourage people to keep their computers secure — by buying TV ads to publicize free private-sector anti-virus programs, or subsidizing the purchase of anti-virus software — we'd all be better off, on average. That's not just idealistic nanny-statism, but something you can argue mathematically, to the point where even some libertarians would agree." Read on for the rest of Bennett's thoughts.
Security

Time Running Out for Public Key Encryption

holy_calamity writes "Two research teams have independently made quantum computers that run the prime-number-factorising Shor's algorithm — a significant step towards breaking public key cryptography. Most of the article is sadly behind a pay-wall, but a blog post at the New Scientist site nicely explains how the algorithm works. From the blurb: 'The advent of quantum computers that can run a routine called Shor's algorithm could have profound consequences. It means the most dangerous threat posed by quantum computing - the ability to break the codes that protect our banking, business and e-commerce data - is now a step nearer reality. Adding to the worry is the fact that this feat has been performed by not one but two research groups, independently of each other. One team is led by Andrew White at the University of Queensland in Brisbane, Australia, and the other by Chao-Yang Lu of the University of Science and Technology of China, in Hefei.'"