Bug

Exploit For Wormable BlueKeep Windows Bug Released Into the Wild (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: For months, security practitioners have worried about the public release of attack code exploiting BlueKeep, the critical vulnerability in older versions of Microsoft Windows that's "wormable," meaning it can spread from computer to computer the way the WannaCry worm did two years ago. On Friday, that dreaded day arrived when the Metasploit framework -- an open source tool used by white hat and black hat hackers alike -- released just such an exploit into the wild. The module, which was published as a work in progress on GitHub, doesn't yet have the polish and reliability of the EternalBlue exploit that was developed by the NSA and later used in WannaCry. For instance, if the people using the new module specify the wrong version of Windows they want to attack, they'll likely wind up with a blue-screen crash. Getting the exploit to work on server machines also requires a change to default settings in the form of a registry modification that turns on audio sharing.

The latest flaw, which is indexed as CVE-2019-0708 but is better known by the name BlueKeep, resides in earlier versions of the Remote Desktop Services, which help provide a graphical interface for connecting to Windows computers over the Internet. It affects Windows 2003 and XP, Vista, 7, Server 2008 R2, and Server 2008. When Microsoft patched the vulnerability in May, it warned that computers that failed to install the fix could suffer a similar fate if reliable attack code ever becomes available. The reason: like the flaw that EternalBlue exploited, BlueKeep allowed for self-replicating attacks. Like a falling line of dominoes, a single exploit could spread from vulnerable machine to vulnerable machine with no interaction required of end users.
"The release of this exploit is a big deal because it will put a reliable exploit in the hands of both security professionals and malicious actors," Ryan Hanson, principal research consultant at Atredis Partners and a developer who helped work on the release, told Ars. "I'm hoping the exploit will be primarily used by offensive teams to demonstrate the importance of security patches, but we will likely see criminal groups modifying it to deliver ransomware as well."
Privacy

Amazon's Facial Recognition Misidentified 1 in 5 California Lawmakers as Criminals (vice.com)

The ACLU tested Rekognition, Amazon's facial recognition technology, on photographs of California lawmakers. It matched 26 of them to mugshots. From a report: In a recent test of Amazon's facial recognition software, the American Civil Liberties Union of Northern California revealed that it mistook 26 California lawmakers as people arrested for crimes. The ACLU used Rekognition, Amazon's facial recognition software, to evaluate 120 photos of lawmakers against a database of 25,000 arrest photos, ACLU attorney Matt Cagle said at a press conference on Tuesday. One in five lawmaker photographs were falsely matched to mugshots, exposing the frailties of an emerging technology widely adopted by law enforcement. The ACLU used the default Rekognition settings, which match identity at 80 percent confidence, Cagle said. Assembly member Phil Ting was among those whose picture was falsely matched to an arrest photo. He's also an active advocate for limiting facial recognition technology: in February, he introduced a bill, co-sponsored by the ACLU, that bans the use of facial recognition and other biometric surveillance on police-worn body cameras.
Microsoft

Windows Defender Achieves 'Best Antivirus' Status (pcmag.com)

An anonymous reader quotes a report from PC Magazine: As Softpedia reports, the independent IT security institute AV-TEST spent May and June continuously evaluating 20 home user security products using their default settings to see which offered the best protection. Only four of those products achieved a top score, and one of them was Windows Defender. The other three are F-Secure SAFE 17, Kaspersky Internet Security 19.0, and Norton Security 22.17. The big difference between these and Windows Defender is the fact Microsoft includes Windows Defender for free with Windows 10, whereas the others require a paid subscription to continue being fully functional. "Of the other products evaluated, Webroot SecureAnywhere 9.0 came last," adds PC Magazine. "Those just missing out on the top score while still earning an AV-TEST 'Top Product' award include Avast Free AntiVirus 19.5, AVG Internet Security 19.5, Bitdefender Internet Security 23.0, Trend Micro Internet Security 15.0, and VIPRE AdvancedSecurity 11.0."
Chrome

Chrome 76 Arrives With Flash Blocked By Default (venturebeat.com)

An anonymous reader shares a report from VentureBeat: Google today launched Chrome 76 for Windows, Mac, Linux, Android, and iOS. The release includes Adobe Flash blocked by default, Incognito mode detection disabled, multiple PWA improvements, and more developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. Google has been taking baby steps to kill off Flash for years. In 2015, Chrome started automatically pausing less important Flash content. In 2016, Chrome started blocking "behind the scenes" Flash content and using HTML5 by default. In July 2017, however, Adobe said it would kill Flash by 2020. With Chrome 76, Flash is now blocked by default. Users can still turn it on in settings, but next year, Flash will be removed from Chrome entirely.
Movies

Is Motion Smoothing Ruining Cinema? (vulture.com)

With TVs now delivering images faster than movies, TV manufacturers have tried to make up for that discrepancy via a digital process called motion smoothing. Whether you've realized it or not, you've likely watched a movie in motion smoothing, as it's now the default setting on most TVs sold in the United States. Bilge Ebiri from Vulture says that while this feature was well-intentioned, "most people hate it." He argues: "Motion smoothing transforms an absorbing movie or narrative TV show into something uncanny. The very texture of what you're watching changes. The drama onscreen reads as manufactured, and everyone moves like they're on a daytime soap -- which is why it's sometimes called the 'soap-opera effect.' In other words, motion smoothing is fundamentally ruining the way we experience film." From the report: Motion smoothing is unquestionably a compromised way of watching films and TV shows, which are meticulously crafted to look and feel the way they do. But its creeping influence is so pervasive that at the Cannes Film Festival this May -- the same Cannes Film Festival that so valorizes the magic of the theatrical experience and has been feuding with Netflix for the past two years -- the fancy official monitors throughout the main festival venue had left motion smoothing on.

That seems like a funny oversight, but it's not surprising. "There are a lot of things turned on with these TVs out of the box that you have to turn off," says Claudio Ciacci, lead TV tester for Consumer Reports, who makes sure to switch smoothing off on the sets he evaluates. "It's meant to create a little bit of eye candy in the store that makes customers think, at first glance, Hey, look at that picture, it really pops. But when you finally have it at home, it's really not suitable." He notes that most people don't fiddle much with their settings because motion smoothing isn't easy to find on a TV menu. (It's also called something different depending on the manufacturer.) Which gets to the heart of the problem: As more and more people watch movies at home instead of in theaters, most won't bother trying to see the film as it was intended to be seen without the digital "enhancements" mucking it up. "Once people get used to something, they get complacent and that becomes what's normal," Morano says. And what films were supposed to look like will be lost.
Mark Henninger, editor of the online tech community AVSForum, suggests TV manufacturers "just put a couple of buttons on the remote that are direct surface level -- TV, movie, sports, or whatever." The industry's reluctance, he says, has as much to do with uncertainty as anything else. "Manufacturers don't know who to listen to. They don't know if it should be the reviewers, their own quality-assurance lab, or user complaints."
Bug

Microsoft Criticized For VPN-Breaking Windows 10 Update (forbes.com)

"Windows 10 continues to be a danger zone," writes Forbes senior contributor Gordon Kelly: Not only have problems been piling up in recent weeks, Microsoft has also been worryingly deceptive about the operation of key services. And now the company has warned millions about another problem. Spotted by the always excellent Windows Latest, Microsoft has told tens of millions of Windows 10 users that the latest KB4501375 update may break the platform's Remote Access Connection Manager (RASMAN). And this can have serious repercussions.

The big one is VPNs. RASMAN handles how Windows 10 connects to the internet and it is a core background task for VPN services to function normally. Given the astonishing growth in VPN usage for everything from online privacy and important work tasks to unlocking Netflix and YouTube libraries, this has the potential to impact heavily on how you use your computer. Interestingly, in detailing the issue Microsoft states that it only affects Windows 10 1903 - the latest version of the platform.

The problem is Windows 10 1903 accounts for a conservative total of at least 50M users.

Microsoft estimates they'll have a solution available "in late July," adding that the issue only occurs "when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections." That support page also offers a work-around which involves configuring the default telemetry settings in either the group policy settings or with a registry value.

UPDATE (7/7/2019): ZDNet is strongly criticizing Forbes' article, arguing that the issue affects only a small number of Windows users, "when the diagnostic data level setting is manually configured to the non-default setting of 0." For those who don't understand how unusual that configuration is, note that it applies only to Windows 10 Enterprise and that it can be set only using Group Policy on corporate networks or by manually editing the registry. You can't accidentally enable this setting. And you can't deliberately set it on a system running Windows 10 Home or Pro, because it is for Enterprise edition only.
Communications

Why Is Slack Retaining Everyone's Chat History? (nytimes.com)

The associate director of research at the Electronic Frontier Foundation published a new warning in the Opinion section of the New York Times this week, calling Slack the only unicorn going public this year "that has admitted it is at risk for nation-state attacks" and saying there's a simple way to minimize risk -- that Slack has so far refused to take:

Right now, Slack stores everything you do on its platform by default -- your username and password, every message you've sent, every lunch you've planned and every confidential decision you've made. That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers -- including the nation-state actors highlighted in Slack's S-1 -- can break in and steal it...

Slack's paying enterprise customers do have a way to mitigate their security risk -- they can change their settings to set shorter retention periods and automatically delete old messages -- but it's not just big companies that are at risk... Free customer accounts don't allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack's servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers...

Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete. It's undeniably Slack's prerogative to charge for a more advanced product, but making users pay for basic privacy and security protections is the wrong call. It's time for Slack to step up, minimize the amount of sensitive data hanging around on its servers and give all its users retention controls.

The article notes that Slack's stock filings acknowledge that it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors."

The filings even specifically add that Slack's security measures "may not be sufficient to protect Slack and our internal systems and networks against certain attacks," and that completely eliminating the threat of a nation-state attack would be "virtually impossible."
IT

A Quarter of Major CMSs Use Outdated MD5 as the Default Password Hashing Scheme (zdnet.com)

Over a quarter of all the major content management systems (CMSs) use the old and outdated MD5 hashing scheme as the default for securing and storing user passwords. From a report: Some of the projects that use MD5 as the default method for storing user passwords include WordPress, osCommerce, SuiteCRM, Simple Machines Forum, miniBB, MyBB, SugarCRM, CMS Made Simple, MantisBT, Phorum, Observium, X3cms, and Composr. The MD5 algorithm has been cracked for years now, meaning all passwords stored in this format can be reversed back to their plaintext version. This means that unless website owners changed these default settings by modifying the CMS source code, most websites built on top of these CMSs put user passwords at risk in case a hacker steals the site's database. This revelation is just one of the many observations that came out of an extensive academic research project at the University of Piraeus, in Greece. Academics examined 49 commonly used CMSs and 47 popular web application frameworks and looked at their default password storage mechanism, namely their password hashing schemes.
Japan

Yahoo Japan Is Under Fire for Its China-Like Rating System (bloomberg.com)

Some users of Yahoo Japan are rising up against Japan's biggest web portal after the rollout of a new rating system that's being compared with a social-scoring initiative in China. From a report: The 48 million people with a Yahoo! Japan ID will have to opt-out within a privacy settings webpage if they don't want to be rated. The score is based on a variety of factors and is calculated based on inputs such as payment history, shopping reviews, whether a user canceled bookings and the amount of identifiable personal information. Unless users opt out, their ratings may be accessible to freelance jobs site Crowdworks, Yahoo's bike-sharing service and other businesses. Makoto Niida, a longtime Yahoo user, opted out of the rating system when he learned about it. "It's a big deal that the service was enabled by default," Niida said. "The way they created services that benefit businesses without clear explanations to their users reminds me of China's surveillance society." Yahoo's new credit-score program follows efforts by Mizuho Financial Group, NTT Docomo and other companies to use algorithms to assign ratings to consumers. Japan doesn't have a system similar to FICO in the U.S., so businesses in the world's third-largest economy have come up with their own solutions to determine financial trustworthiness.
Firefox

Firefox Starts Blocking Third-Party Cookies By Default (venturebeat.com)

An anonymous reader quotes a report from VentureBeat: Mozilla today announced a slew of privacy improvements. The company has turned on Enhanced Tracking Protection, which blocks cookies from third-party trackers in Firefox, by default. Mozilla has also improved its Facebook Container extension, released a Firefox desktop extension for its rebranded Lockwise password keeper, and updated Firefox Monitor with a dashboard for multiple email addresses.

If you download a fresh copy of Firefox today, Enhanced Tracking Protection will be on by default as part of the Standard setting. That means third-party tracking cookies are blocked without users having to change a thing. You will notice Enhanced Tracking Protection working if there is a shield icon in the address bar. If you click on the shield icon and open the Content Blocking section and then Cookies, you'll see a Blocking Tracking Cookies section. There you can see the companies listed as third-party cookies and trackers that Firefox has blocked. You can also turn off blocking for a specific site. The feature focuses on third-party trackers (the ad industry) while allowing first-party cookies (logins, where you last left off, and so on). Mozilla says it is enabling Enhanced Tracking Protection by default because most users don't change their browser settings.

Security

Microsoft Publishes SECCON Framework For Securing Windows 10 (zdnet.com)

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, consists of five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: the last two docs are empty and don't include any info just yet.]

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

Facebook

Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication (vice.com)

An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step to log in to an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove the phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.

Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security is a betrayal, and it is training people more broadly that turning over more personal information to an internet company for security features could backfire.
"Phone number is such a private, important security link," Zeynep Tufekci, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
Government

The Kremlin's Remote-Access Credentials Left Thousands Of Businesses Exposed For Years (zdnet.com)

A Dutch security researcher says he found credentials for the Russian government's backdoor account for accessing servers of businesses operating in Russia, ZDNet reports: The researcher says that after his initial finding, he later found the same "admin@kremlin.ru" account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia. Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia... "The first time I saw these credentials was in the user table of a Russian Lotto website," Victor Gevers told ZDNet in an interview Monday. "I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions...

"All the systems this password was on were already fully accessible to anyone," Gevers said. "The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access."

"It took a lot of time and also many attempts to contact and warn the Kremlin about this issue," the researcher added -- specifically, three years, five months and 15 days. The Kremlin reused the same credentials "everywhere," reports IT News, "leaving a large number of businesses open to access from the internet."

Long-time Slashdot reader Bismillah calls it "an illustration of the dangers of giving governments backdoors into systems and networks."
Privacy

AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks (zdnet.com)

Amazon's Web Services division rolled out new security features to AWS account owners last week that are meant to prevent accidental data exposures caused by the misconfiguration of S3 data storage buckets. From a report: Starting today, AWS account owners will have access to four new options inside their S3 dashboards under the "Public access settings for this account" section. These four new options allow the account owner to set a default access setting for all of an account's S3 buckets. These new account-level settings will override any existing or newly created bucket-level ACLs (access control lists) and policies. Account owners will have the ability to apply these new settings for S3 buckets that will be created from now onwards, to apply the new setting retroactively, or both.
Android

Google Remotely Changed the Settings on a Bunch of Phones Running Android 9 Pie (theverge.com)

Last week, a mix of people who own Google Pixel phones and other devices running Android 9 Pie noticed that the software's Battery Saver feature had been switched on -- seemingly all by itself. And oddly, this was happening when the phones were near a full charge, not when the battery was low. From a report: Initially it was assumed that this was some kind of minor bug in the latest version of Android, which was only released a few weeks ago. Some users thought they might've just enabled Battery Saver without realizing. But it was actually Google at fault. The company posted a message on Reddit last night acknowledging "an internal experiment to test battery saving features that was mistakenly rolled out to more users than intended." So Google had remotely -- and accidentally -- changed a phone setting for a bunch of real-world customers. Several staffers at The Verge experienced the issue. "We have now rolled battery saver settings back to default. Please configure to your liking," the Pixel team wrote on Reddit before apologizing for the error.
Chrome

Microsoft is Interrupting Chrome and Firefox Installations To Promote Its Edge Browser in the Newest Windows 10 Build (betanews.com)

An anonymous reader shares a report: If you open Edge and search for "Chrome" or "Firefox" using Bing, Edge's default search engine, you'll be presented with a massive banner informing you that "Microsoft Edge is the faster, safer browser on Windows 10 and is already installed on your PC." Four boxes below then show you how Edge lets you browse longer, and faster, offers built-in protection and built-in assistance. If that doesn't stop you, then Microsoft has a new, much nastier trick up its sleeve -- when you go to install Firefox or Chrome it intercepts the action and pops up a window promoting Edge with the same line about how its browser is faster and safer. It then gives you a blue button to click to open Edge, or a grey one you can click to install the browser you actually want to use. Oh, and this window will keep appearing, unless you go into Settings and stop Windows 10 from offering you app "recommendations."
UPDATE (9/15/18): "After massive backlash by users against this move, Microsoft has finally decided to eliminate the warning message," reports Neowin.

Further reading: Creator of Opera Says Google Deliberately Undermined His New Vivaldi Web Browser.
Google

Google's Location Privacy Practices Are Under Investigation in Arizona: Report (washingtonpost.com)

Google's alleged practice of recording location data about Android device owners even when they believe they have opted out of such tracking, reports The Washington Post, has sparked an investigation in Arizona, where the state's attorney general could potentially levy a hefty fine against the search giant. From the report: The probe, initiated by Republican Attorney General Mark Brnovich and confirmed by a person familiar with his thinking but not authorized to speak on the record, could put pressure on other states and the federal government to follow suit, consumer advocates say -- though Google previously insisted it did not deceive consumers about the way it collects and taps data on their whereabouts. The attorney general signaled his interest in the matter in a public filing [PDF] that indicated the office had retained an outside law firm to assist in an investigation. The document, dated August 21, said the hired lawyers would help probe an unnamed tech company and its "storage of consumer location data, tracking of consumer location, and other consumer tracking through ... smartphone operating systems, even when consumers turn off 'location services' and take other steps to stop such tracking," according to the heavily redacted public notice.
Twitter

Bot Tweeted Names And Photos Of Venmo Users Who Bought Drugs (mercurynews.com)

Since Venmo's transactions are "public" by default and broadcast on Venmo's API, a Python programmer decided to publicize a few of them, reports the Mercury News: The creator of the bot named "Who's buying drugs on Venmo" under the Twitter handle @venmodrugs says he wanted users to consider their privacy settings before using Venmo. The bot finds Venmo transactions that include words such as heroin, marijuana, cocaine, meth, speed or emojis that denote drugs and tweets the transaction with the names of the sender and receiver and the sender's photo, if there is one... "I wanted to demonstrate how much data Venmo was making publicly available with their open API and their public by default settings and encourage people to consider their privacy settings," Joel Guerra, the creator of the bot, told Motherboard, a technology news outlet run by Vice.
He shut the bot down after 24 hours, according to a Medium essay titled "Why I blasted your 'drug' deals on Twitter": I chose drugs, sex and alcohol keywords as the trigger for the bot because they were funny and shocking. I removed the last names of users because I didn't want to actually contribute to the problem of lack of privacy... I braced myself for backlash but the response was overwhelmingly positive. People understood my point and I had sparked a lot of discussion about online privacy and the need for users to do a better job of understanding the terms of software they were using -- and a lot of discussion about how companies need to do a better job of informing customers how their data was being used...

After about 24 hours of tweeting everyone's drug-laden Venmo transactions I shut down the bot (Python script!!) and deleted all the tweets. I had successfully made my point and gotten more attention than I had imagined possible. Thousands of people were reading tweets and articles about the bot and discussing data privacy. I saw no further value in tweeting out anyone's personal transactions anymore. However, all I ever did was format the data and automate a Twitter account -- the data is still readily available.

His closure of the bot drew some interesting reactions on Twitter.

"booooooooo. I was so entertained by this."

"I remember I had a dealer take my phone and set venmo to private lol."

"we're looking to add a Python developer to our team and I think you'd be a good fit."
Google

Google, Which Owns Duck.com, Confuses Users Searching For Its Rival DuckDuckGo and Redirects Them Back To Google (twitter.com)

Commenting on the record $5 billion fine on Google by the European Commission, privacy focused search engine DuckDuckGo said this week it welcomes the decision as it has "felt [Google's] effects first hand for many years and has led directly to us having less market share on Android vs iOS and in general mobile vs desktop." The company said: Up until just last year, it was impossible to add DuckDuckGo to Chrome on Android, and it is still impossible on Chrome on iOS. We are also not included in the default list of search options like we are in Safari, even though we are among the top search engines in many countries. The Google search widget is featured prominently on most Android builds and it is impossible to change the search provider. For a long time it was also impossible to even remove this widget without installing a launcher that effectively changed the whole way the OS works. Their anti-competitive search behavior isn't limited to Android. Every time we update our Chrome browser extension, all of our users are faced with an official-looking dialogue asking them if they'd like to revert their search settings and disable the entire extension. Google also owns http://duck.com and points it directly at Google search, which consistently confuses DuckDuckGo users. "If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is google," wrote security researcher Mikko Hypponen, summing up the story.

Update: Google makes amends.
Chrome

Chrome OS Isn't Ready For Tablets Yet (theverge.com)

The Verge's Dieter Bohn set out to review Acer's Chromebook Tab 10 tablet, but ended up sharing his impressions of using Chrome OS instead. An anonymous reader shares an excerpt from his review: If you're not familiar with Chrome OS, you should know that there are three different tracks you can run Chrome OS on. There's "Stable," which is what most people should use. It's the build I mostly used while testing this device and coming to the conclusions you see above. Then there's "Beta," which is a little on the edge but has been pretty solid for me. Lots of people run it to get slightly earlier access to new features. But because I wanted to see what the future of Chrome looks like, I also looked at the "Developer" build. Most people shouldn't do this. It's buggy and maybe a little less secure. Here be monsters. On a tablet, Chrome OS looks and feels a lot like it does when you have a keyboard. There's a button to get to your apps, a task bar along the bottom, and a system menu in the lower-right corner. In the Developer build, you'll find more squarish tabs and a system menu that's been "Android-ified," so it looks like the Quick Settings you'd see on an Android phone.

By default, all apps in Chrome OS go to full screen in tablet mode. Recently, however, split screen was rolled out. You tap the multitasking button on the lower right, drag one window to the left, then pick another open window to fill the right (or vice versa). You can then drag the divider to set up a one-third / two-thirds split screen if you like. That's all well and good, but it's the next steps that make this whole thing feel not quite baked. If you rotate the tablet 180 degrees, everything flips. So if you had a notepad open on the left and Chrome open on the right, when you flip it, the notepad ends up on the right. I found it disconcerting, but perhaps that's just a matter of it being different instead of it being broken. Different UX strokes for different OS folks. [...] I don't want to be too harsh on the lagginess I experienced because it's unfair to judge software that's still in development. But I did experience a lot, even on the more stable builds. That's a particularly egregious problem when there's no physical keyboard. If there's one thing that will drive a user crazy, it's input lag. And I saw much too much of that, even on the Stable build, which is what most educators will experience with this tablet. I also felt at times that I was struggling to hit buttons with my finger that would have been no problem if I had a mouse.