Security

Google Offers $1,000 Bounties For Hacking Dropbox, Tinder, Snapchat, and Others (mashable.com) 35

An anonymous reader quotes Mashable: Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace... If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. For HackerOne, it's about attracting more and better participants in bounty programs.
DRM

Denuvo's DRM Now Being Cracked Within Hours of Release (arstechnica.com) 111

Denuvo, an anti-tamper technology and digital rights management scheme, isn't doing a very good job preventing PC games from being copied. According to Ars Technica, Denuvo releases are being publicly cracked within a day of their launch. From the report: This week's release of South Park: The Fractured but Whole is the latest to see its protections broken less than 24 hours after its release, but it's not alone. Middle Earth: Shadow of War was broken within a day last week, and last month saw cracks for Total War: Warhammer 2 and FIFA 18 the very same day as their public release. Then there's The Evil Within 2, which reportedly used Denuvo in prerelease review copies but then launched without that protection last week, effectively ceding the game to immediate potential piracy. Those nearly instant Denuvo cracks follow summer releases like Sonic Mania, Tekken 7, and Prey, all of which saw DRM protection cracked within four to nine days of release. But even that small difference in the "uncracked" protection window can be important for game publishers, who usually see a large proportion of their legitimate sales in those first few days of availability. The presence of an easy-to-find cracked version in that launch window (or lack thereof) could have a significant effect on the initial sales momentum for a big release. If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers.
Chrome

Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com) 185

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on in the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineer working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.

Security

The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com) 357

Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, none of these two services even have a homepage, revealing their true intentions to be deployed in questionable scenarios.
Android

Android Oreo Helps Google's Pixel 2 Smartphones Outperform Other Android Flagships (hothardware.com) 86

MojoKid highlights Hot Hardware's review of Google's new Pixel 2 and Pixel 2 XL smartphones: Google officially launched its Pixel 2 phones today, taking the wraps off third-party reviews. Designed by Google but manufactured by HTC (Pixel 2) and LG (Pixel 2 XL), the two new handsets also boast Google's latest Android 8.0 operating system, aka Oreo, an exclusive to Google Pixel and certain Nexus devices currently. And in some ways, this is also a big advantage. Though they are based on the same Qualcomm Snapdragon 835 processor as many other Android devices, Google's new Pixel 2s manage to outpace similarly configured smartphones in certain benchmarks by significant margins (Basemark, PCMark and 3DMark). They also boot dramatically faster than any other Android handset on the market, in as little as 10 seconds. Camera performance is also excellent, with both the 5-inch Pixel 2 and 6-inch Pixel 2 XL sporting identical electronics, save for their displays and chassis sizes. Another notable feature built into Android Oreo is Google Now Playing, an always-listening, Shazam-like service (if you enable it) that displays song titles on the lock screen if it picks up on music playing in the room you're in. Processing is done right on the Pixel 2 and it doesn't need network connectivity. Another Pixel 2 Oreo-based trick is Google Lens, a machine vision system that Google notes "can recognize places like landmarks and buildings, artwork that you'd find in a museum, media covers such as books, movies, music albums, and video games..." The Google Pixel 2 and Pixel 2 XL are available now on Verizon or unlocked via the Google Store starting at $649 and $849 respectively for 64GB storage versions, with a $100 up-charge for 128GB variants.

Businesses

eBay Launches Authentication Service To Combat Counterfeit High-End Goods (venturebeat.com) 70

Ecommerce giant eBay has launched a previously announced service designed to combat the scourge of fake goods on the platform. From a report: eBay has proven popular with fake goods' sellers for some time, with fashion accessories and jewelry featuring highly on counterfeiters' agenda. The company announced eBay Authenticate way back in January with a broad focus on giving "high-end" goods an official stamp of approval prior to sale. Ultimately designed to encourage buyers to part with cash on expensive items, it uses a network of professional authenticators who take physical receipt of a seller's products, validates them, and then photographs, lists, and ships the goods to the successful buyer. For today's launch of eBay Authenticate, the service is only available for luxury handbags from 12 brands, including Chanel, Gucci, Louis Vuitton, Prada, and Valentino, though the program will be expanded to cover other luxury goods and brands from next year. "With tens-of-thousands of high-end handbags currently available, eBay is primed to boost customer confidence in selling and shopping for an amazing selection of designer merchandise," noted Laura Chambers, vice president of consumer selling at eBay. "We also believe our sellers will love this service, as it provides them with a white-glove service when selling luxury handbags."
China

8.5-Ton Chinese Space Station Will Crash To Earth In a Few Months (cnbc.com) 104

dryriver writes: China launched a space laboratory named Tiangong 1 into orbit in 2011. The space laboratory was supposed to become a symbol of China's ambitious bid to become a space superpower. After two years in space, Tiangong 1 started experiencing technical failure. Last year Chinese officials confirmed that the space laboratory had to be scrapped. The 8.5 ton heavy space laboratory has begun its descent towards Earth and is expected to crash back to Earth within the next few months.

Most of the laboratory is expected to burn up in earth's atmosphere, but experts believe that pieces as heavy as 100 kilograms (220 pounds) may survive re-entry and impact earth's surface. Nobody will be able to predict with any precision where those chunks of space laboratory will land on Earth until a few hours before re-entry occurs. The chance that anyone would be harmed by Tiangong-1's debris is considered unlikely.

When NASA's Skylab fell to earth in 1979, an Australian town fined them $400 -- for littering.

Bitcoin

Over 500 Million PCs Are Secretly Mining Cryptocurrency, Researchers Reveal (newsweek.com) 78

Ad blocking firm AdGuard has found that over 500 million people are inadvertently mining cryptocurrencies through their computers after visiting websites that are running background mining software. The company found 220 popular websites with an aggregated audience of half a billion people use so-called crypto-mining scripts when a user opens their main page. Newsweek reports: The mining tool works by hijacking a computer's central processing unit (CPU), commonly referred to as "the brains" of a computer. Using part of a computer's CPU to mine bitcoin affects the machine's overall performance and will slow it down by using up processing power. The researchers found that bitcoin browser mining is mostly found on websites "with a shady reputation" due to the trouble such sites have with earning revenue through advertising. However, in the future it could become a legitimate and ethical way of making money if the website requests the permission of the visitor first.

"220 sites may not seem like a lot," the researchers wrote in a blogpost detailing their discovery. "But CoinHive was launched less than one month ago on September 14. The growth has been extremely rapid: from nearly zero to .22 percent of Alexa's top 100,000 websites." "This analysis well illustrates the whole web, so it's safe to say that one of every forty websites currently mines cryptocurrency (namely Monero) in the browsers their users employ."

Businesses

Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries (krebsonsecurity.com) 20

Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities," the company said in a statement. "Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates." The hotel chain said the incident affected payment card information -- cardholder name, card number, expiration date and internal verification code -- from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.
Google

Google Announces $1 Billion Job Training and Education Program (axios.com) 47

Google CEO Sundar Pichai was in Pittsburgh Wednesday to announce a new five-year, $1 billion program to help close the global education gap. From a report: Part of the program was a new "Grow with Google" program to work with U.S. cities as well as a $10 million grant to Goodwill that will see Google employees working with the nonprofit to train people in digital skills. Why it matters: Google, along with Apple, Microsoft and other big tech companies, have all launched significant efforts in recent months to demonstrate their commitment to education and U.S. jobs.
Space

SpaceX Successfully Landed the 12th Falcon 9 Rocket of 2017 (theverge.com) 118

Shortly after launching from Cape Canaveral, Florida, SpaceX's Falcon 9 rocket successfully landed on one of the company's drone ships in the ocean. "It marks the 12th time SpaceX has successfully landed the first stage of a Falcon 9 rocket this year, the 18th overall, and the second this week," reports The Verge. "It was also the third time that the company has successfully launched and landed a rocket that had already flown." From the report: The vehicle for this mission has flown before: once back in February, when it lofted cargo to the International Space Station and then landed at SpaceX's ground-based Landing Zone 1. Going up on this flight is a hybrid satellite that will be used by two companies, SES and EchoStar. Called EchoStar 105/SES-11, the satellite will sit in a high orbit 22,000 miles above Earth, providing high-definition broadcasts to the U.S. and other parts of North America. While this is the first time EchoStar is flying a payload on a used Falcon 9, this is familiar territory for SES. The company's SES-10 satellite went up on the first "re-flight" in March. And SES has made it very clear that it is eager to fly its satellites on previously flown boosters.
Power

CNN Skeptical of Elon Musk's 'Big Promises' (cnn.com) 206

An anonymous reader writes: Tesla's electric semi-truck will be launched three weeks later than planned, CNN reports. It's been bumped to November 16th because Tesla says it's "diverting resources" to address problems with its Model 3 sedan production -- they've produced just 17.3% of the cars they'd planned -- and to make more batteries to send to areas hit by hurricanes. CNN notes Tesla's Model X "didn't start shipping until two years after it was supposed to roll out," and production of its Model S sedan "was also much slower than originally promised." Michelle Krebs, an analyst with Autotrader.com, complains Tesla "may well have far too much on its plate. It should focus and deliver on some key promises."

But Elon Musk "has a history of some pretty pie-in-the-sky promises," complained CNN business anchor Maggie Lake, citing Musk's claim that he had verbal approval for an underground hyperloop connecting New York City to Washington D.C. ("This is news to City Hall," said New York's press secretary at the time, and no actual approval has ever been produced.) Lake also noted Musk's promise to fix South Australia's blackout problems by building the world's largest lithium-ion battery within 100 days back in March. Last Friday Tesla signed a contract to begin the work, so the 100-day countdown has begun.

CNN's report ran under the headline "Elon Musk: Big Dreamer or Monorail Salesman?" -- referencing a satirical 1993 episode of The Simpsons. "Here's a spoiler alert," the segment concludes. "If you haven't seen that episode...the monorail plan doesn't work out too well. Let's put it that way."

Businesses

Does Online Crowdfunding Actually Reward Innovation? (strategy-business.com) 93

Slashdot reader Anirban Mukherjee is an assistant marketing professor at Singapore Management University who led a team analyzing every Kickstarter project ever launched in nine product-oriented categories. An anonymous reader summarizes their results: One 2013 report predicted $96 billion a year in crowdfunding by 2038 -- nearly twice as much as what's currently funded by venture capitalists. (In a foreword, AOL co-founder Steve Case touts the potential of crowdfunding for "the rise of the rest.") "Many have predicted that online crowdfunding will democratize product development," writes business journalist Matt Palmquist, "allowing small entrepreneurs who lack the contacts, resources, and experience of larger companies to overcome economic, geographic, and social barriers on their way to market." But a large-scale analysis discovered that the biggest barrier may be consumers themselves. "The study's authors found that the amount of money pledged increased when the product description emphasized either originality or utility -- but dropped when both attributes were mentioned. The findings suggest that the crowd does not yet prize true innovation."

"The authors posit that the high degree of ambiguity surrounding crowdfunding might scare consumers away from supporting groundbreaking projects. In the typical shopping context, they point out, consumer regulations protect the buyer. But in crowdfunding, consumers may never receive the product... Another study found that more than 75 percent of successfully funded Kickstarter projects are significantly delayed... 'We speculate that the higher level of uncertainty in the crowdfunding context drives backers to choose modest innovations and shy away from more extreme innovations, i.e., innovations that are high on both novelty and usefulness,' the authors write."

After reviewing 50,310 projects, the team concluded that crowdfunding "may not be the panacea for innovation."
Cellphones

Alphabet's Balloons Will Bring Cellphone Service To Puerto Rico (wired.com) 65

An anonymous reader writes: Hurricanes Irma and Maria wiped out more than 90 percent of the cellphone coverage on Puerto Rico. Now the FCC has given "Project Loon" permission to fly 30 balloons more than 12 miles above the island for the next six months, Wired reports, to temporarily replace the thousands of cellphone towers knocked down by the two hurricanes.

Each balloon can service an area of 1,930 miles, so the hope is to restore service to the entire island of Puerto Rico and parts of the U.S. Virgin Islands. In May Project Loon, part of Google's parent company Alphabet, deployed its technology in Peru and later provided emergency internet access there during serious flooding. (Those balloons were actually launched from Puerto Rico.) These new Project Loon balloons will be "relaying communications between Alphabet's own ground stations connected to the surviving wireless networks, and users' handsets," according to the article, which reports that eight wireless carriers in Puerto Rico have already consented to the arrangement.

Space

The World's Oldest Scientific Satellite is Still in Orbit (bbc.com) 80

walterbyrd writes: Nearly 60 years ago, the US Navy launched Vanguard-1 as a response to the Soviet Sputnik. Six decades on, it's still circling our planet. Conceived by the Naval Research Laboratory (NRL) in 1955, Vanguard was to be America's first satellite programme. The Vanguard system consisted of a three-stage rocket designed to launch a civilian scientific spacecraft. The rocket, satellite and an ambitious network of tracking stations would form part of the US contribution to the 1957-58 International Geophysical Year. This global collaboration of scientific research involved 67 nations, including both sides of the Iron Curtain.
Intel

Intel's Just Launched 8th Gen 'Coffee Lake' Processors Bring the Heat To AMD's Ryzen 137

bigwophh writes: The upheaval of the high-end desktop processor segment continues today with the official release of Intel's latest Coffee Lake-based 8th Generation Core processors. The flagship in the new lineup is the Core i7-8700K. It is a 6C/12T beast, with a base clock of 3.7GHz, a boost clock of 4.7GHz, and 12MB of Intel Smart Cache. The Core i5-8400 features the same physical die, but has only 9MB of Smart Cache, no Hyper-Threading, and base and boost clocks of 2.8GHz and 4GHz, respectively. The entire line-up features more cores, support for faster memory speeds, and leverages a fresh platform that's been tweaked for more robust power delivery and, ultimately, more performance. The Core i7-8700K proved to be an excellent performer, besting every other processor in single-threaded workloads and competing favorably with 8C/16T Ryzen 7 processors. The affordably-priced 6-core Core i5-8400 even managed to pull ahead of the quad-core Core i7-7700K in some tests. Overall, performance is strong, especially for games, and the processors seem to be solid values in their segment.
Microsoft

Microsoft Brings Edge To Android and IOS (venturebeat.com) 127

An anonymous reader writes: If you want more proof that Microsoft is embracing Android and iOS, boy, do we have it for you today. The company has launched Edge for iOS in preview, promised Edge for Android is coming soon, and launched Microsoft Launcher for Android in public preview. Edge for iOS preview is available via Apple's TestFlight and is limited, per Apple's rules, to 10,000 users. Microsoft is inviting Windows Insiders in the U.S. to sign up here. Android users can also sign up at that same link -- the preview will hit the Google Play Store in the coming weeks. Microsoft is hoping to release Edge for Android and iOS out of preview "later this year." The Microsoft Launcher is available in preview for English users in the United States on Google Play. Microsoft promises to bring it to other markets "over time" and launch it out of preview "later this year," as well.
AI

Mattel's New Baby Monitor Uses AI To Soothe Babies and Lawmakers Aren't Happy About It (washingtonpost.com) 131

Mattel has a new kid-focused smart hub called Aristotle, which can switch on a night light if it hears a baby crying to soothe the child (Warning: source may be paywalled; alternative source). The device is also designed to keep changing its activities, even to the point where it can help a preteen with homework, learning about the child along the way. Given the privacy concerns, lawmakers are worried that the always-on device could build an "in-depth profile of children and their family." Jezebel reports: The $299 Aristotle is similar in spirit to the Amazon Echo, only the scope of its features is much broader -- and scarier. Last week, Senator Ed Markey and Representative Joe Barton sent a letter to Mattel CEO Margaret Georgiadis about their issues with the tablet, which tracks things like kids' eating and sleeping habits when they're young, and adapts to answering their questions about long division and sex or whatever as they grow up. According to nabi, the Mattel brand that developed the device, the Aristotle is meant to "provide parents with a platform that simplifies parenting, while helping them nurture, teach, and protect their young ones." Not everyone is on board. But Markey and Barton aren't the only ones squicked by Aristotle's capabilities. Buzzfeed reports that privacy experts, parents and child psychologists are also concerned that the device "encourages babies to form bonds with inanimate objects and use information it collects for targeted advertising," so much so that a petition has been launched to prevent it from going to market.

Google

Google Debuts Its $400 Google Home Max Speaker To Rival Apple's HomePod (techcrunch.com) 60

In addition to the Pixel 2 and Pixel 2 XL, Google debuted a $400 speaker, called Home Max, that looks to compete directly with Apple's recently announced HomePod. The Home Max is a larger Google Home that features stereo speakers and more premium looks and materials. It's expected to go on sale in December in the U.S. TechCrunch reports: It can tune its audio to its own space, analyzing the sound coming from the speaker using its built in microphones to determine the best equalizer settings. This is called Smart Sound, and it evolves over time and based on where you move the speaker, using built-in machine learning. It has Cast functionality, as well as input via stereo 3.5 mm jack. Home Max can output sound that's up to 20 times more powerful than the standard version of Home, Google says, and it has two 4.5 inch woofers on board with two 0.7 inch custom-built tuners. It can sit in either vertical or horizontal orientation, and it comes in both 'chalk' and 'charcoal.' Of course, this bigger speaker also includes a noise isolating array that makes it work even in open rooms with background noise, and it's Assistant-enabled, so you can use it to control your music playback via voice, or manage your smart home devices, set yourself reminders, alarms, and timers and much more. Google also launched a budget-friendly Google Home Mini that features the Google Assistant but in a smaller form factor. 9to5Google reports: Google touts the Home Mini as having a powerful speaker with "crisp" 360 degree sound. The Mini can also be connected to any Chromecast wireless speaker, but there is no 3.5mm jack like Amazon's Echo Dot. In the center, there are four white lights that note when the Home Mini is listening or responding. Besides saying the "Ok, Google" hotword, users can tap on the Home Mini to issue a command. Google also retained the Home's original button for disabling the microphone with a toggle next to the charging port. 
The Google Home Mini will go on sale later this month for $49, with pre-orders starting today.
