Businesses

SmugMug Buys Flickr, Vows To Revitalize the Photo Service (usatoday.com) 60

On Friday, Silicon Valley photo-sharing and storage company SmugMug announced it had acquired Flickr, the photo-sharing site created in 2004 by Ludicorp and acquired in 2005 by Yahoo. SmugMug CEO Don MacAskill told USA TODAY he's committed to revitalizing the faded social networking site, which hosted photos and videos long before it became trendy. Flickr will reportedly continue to operate separately, and SmugMug and Flickr accounts will "remain separate and independent for the foreseeable future." From the report: He declined to disclose the terms of the deal, which closed this week. "Flickr is an amazing community, full of some of the world's most passionate photographers. It's a fantastic product and a beloved brand, supplying tens of billions of photos to hundreds of millions of people around the world," MacAskill said. "Flickr has survived through thick-and-thin and is core to the entire fabric of the Internet." The surprise deal ends months of uncertainty for Flickr, whose fate had been up in the air since last year when Yahoo was bought by Verizon for $4.5 billion and joined with AOL in Verizon's Oath subsidiary.
Network

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com) 22

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attacks throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.
Operating Systems

'Fuchsia Is Not Linux': Google Publishes Documentation Explaining Their New OS (xda-developers.com) 245

An anonymous reader quotes a report from XDA Developers: You've probably seen mentions of the Fuchsia operating system here and there since it has been in development for almost 2 years. It's Google's not-so-secretive operating system which many speculate will eventually replace Android. We've seen it grow from a barely functional mock-up UI in an app form to a version that actually boots on existing hardware. We've seen how much importance Google places on the project as veteran Android project managers are starting to work on it. But after all of this time, we've never once had either an official announcement from Google about the project or any documentation about it -- all of the information thus far has come as a result of people digging into the source code.

Now, that appears to be changing as Google has published a documentation page called "The Book." The page aims to explain what Fuchsia, the "modular, capability-based operating system" is and is not. The most prominent text on that page is a large section explaining that Fuchsia is NOT Linux, in case that wasn't clear already. Above that are several readme pages explaining Fuchsia's file systems, boot sequence, core libraries, sandboxing, and more. The rest of the page has sections explaining what the Zircon micro-kernel is and how the framework, storage, networking, graphics, media, user interface, and more are implemented.

Security

'Vigilante Hackers' Strike Routers In Russia and Iran, Reports Motherboard (vice.com) 121

An anonymous reader quotes Motherboard: On Friday, a group of hackers targeted computer infrastructure in Russia and Iran, impacting internet service providers, data centres, and in turn some websites. "We were tired of attacks from government-backed hackers on the United States and other countries," someone in control of an email address left in the note told Motherboard Saturday... "We simply wanted to send a message...." In addition to disabling the equipment, the hackers left a note on affected machines, according to screenshots and photographs shared on social media: "Don't mess with our elections," along with an image of an American flag...

In a blog post Friday, cybersecurity firm Kaspersky said the attack was exploiting a vulnerability in a piece of software called Cisco Smart Install Client. Using computer search engine Shodan, Talos (which is part of Cisco) said in its own blog post on Thursday it found 168,000 systems potentially exposed by the software. Talos also wrote it observed hackers exploiting the vulnerability to target critical infrastructure, and that some of the attacks are believed to be from nation-state actors...

Reuters reported that Iran's IT Minister Mohammad Javad Azari-Jahromi said the attack mainly impacted Europe, India, and the U.S.... The hackers said they did scan many countries for the vulnerable systems, including the U.K., U.S., and Canada, but only "attacked" Russia and Iran, perhaps referring to the post of an American flag and their message. They claimed to have fixed the Cisco issue on exposed devices in the US and UK "to prevent further attacks... As a result of our efforts, there are almost no vulnerable devices left in many major countries," they claimed in an email.

Their image of the American flag was a black-and-white drawing done with ASCII art.
Education

Schools Are Giving Up on Smartphone Bans (gizmodo.com) 117

Bans on phones in schools are increasingly becoming a thing of the past, new research shows. From a report: A survey from the National Center for Education Statistics exploring crime and safety at schools indicates that there is a trend toward relaxing student smartphone bans. The survey reports that the percentage of public schools that banned cell phones and other devices that can send text messages dropped from nearly 91 percent in 2009 through 2010 to nearly 66 percent in 2015 through 2016.

This drop did not coincide, however, with more lenient rules around social media. In 2009 and 2010, about 93 percent of public schools limited student access to social networking sites from school computers, compared to 89 percent from 2015 through 2016. That's likely because these bans aren't lifted in response to student demands to use their electronics during school hours -- they are bending to the pressure of parents who want to be able to reach their kids.

Network

Cloudflare Launches 1.1.1.1 Consumer DNS Service With a Focus On Privacy (betanews.com) 225

BrianFagioli writes: Today, Cloudflare announces a new consumer DNS service with a focus on privacy. Called '1.1.1.1.' it quite literally uses that easy-to-remember IP address as the primary DNS server. Why announce on April Fool's Day? Because the IP is four ones and today's date is 4/1 -- clever. The secondary server is 1.0.0.1 -- also easy to remember.

The big question is why? With solid offerings from Google and Comodo, for instance, does the world need another DNS service? The answer is yes, because Cloudflare intends to focus on both speed, and more importantly, privacy.

Businesses

Foxconn Announces Purchase of Belkin, Wemo, and Linksys (androidpolice.com) 80

Foxconn, the Taiwan-based company best-known for manufacturing Apple products, announced that one of its subsidiaries (Foxconn Interconnect Technology) is purchasing U.S.-based Belkin for $866 million in cash. "Belkin owns a number of major brands, including Linksys and Wemo," notes Android Police. From the report: The buyout would make Foxconn a major player in consumer electronics, instead of just a contract manufacturing company. Belkin primarily sells phone/tablet accessories, but also manufactures networking equipment like routers and Wi-Fi range extenders. The company also sells a range of smart home products under the Wemo brand. According to The Financial Times, the purchase is subject to approval from the U.S. Committee on Foreign Investment. In other words, there is a very real chance the acquisition could be blocked. President Trump blocked Broadcom's acquisition of Qualcomm earlier this month, based on advice from the committee.
Facebook

Facebook Scraped Call, Text Message Data For Years From Android Phones (arstechnica.com) 158

An anonymous reader quotes a report from Ars Technica: This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us -- my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata. In response to an email inquiry about this data gathering by Ars, a Facebook spokesperson replied, "The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts." The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago -- specifically before Android 4.1 (Jelly Bean) -- that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 -- the point at which the latest call metadata in Facebook user's data was found. Apple iOS has never allowed silent access to call data.
You are able to have Facebook delete the data it collects from you, "but it's not clear if this deletes just contacts or if it also purges call and SMS metadata," reports Ars. Generally speaking, if you're concerned about privacy, you shouldn't share your contacts and call-log data with any mobile application.
Databases

Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com) 41

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers which can be used to gain access to CMSs, MySQL, and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
Networking

Ask Slashdot: How Can I Prove My ISP Slows Certain Traffic? 203

Long-time Slashdot reader GerryGilmore is "a basically pretty knowledgeable Linux guy totally comfortable with the command line." But unfortunately, he lives in north Georgia, "where we have a monopoly ISP provider...whose service overall could charitably be described as iffy." Sometimes, I have noticed that certain services like Netflix and/or HBONow will be ridiculously slow, but -- when I run an internet speed test from my Linux laptop -- the basic throughput is what it's supposed to be for my DSL service. That is, about 3Mbps due to my distance from the nearest CO. Other basic web browsing seems to be fine... I don't know enough about network tracing to be able to identify where/why such severe slowdowns in certain circumstances are occurring.
Slashdot reader darkharlequin has also noticed a speed decrease on Comcast "that magickally resolves when I run internet speed tests." But if the original submitter's ultimate goal is delivering evidence to his local legislators so they can put pressure on his ISP -- what evidence is there? Leave your best answers in the comments. How can he prove his ISP is slowing certain traffic?
Security

1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com) 119

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.
Hardware

Raspberry Pi 3 Model B+ Launched (raspberrypi.org) 164

New submitter stikves writes: The Raspberry foundation has launched an incremental update to the Raspberry Pi 3 model B: Raspberry Pi 3 Model B+. In addition to a slight increase (200MHz) in CPU speed, and upgraded networking (802.11ac and Gigabit, albeit over USB2), one big advantage is the better thermal management which allows sustained performance over longer load periods. Further reading: TechRepublic, and Linux Journal.
Security

Massive DDOS Attacks Are Now Targeting Google, Amazon, and the NRA (pcmag.com) 121

PC Magazine reports: A new way to amplify DDoS attacks has been spotted harassing Google, Amazon, Pornhub and even the National Rifle Association's main website after striking Github last week. The attacks, which exploit vulnerable "memcached servers," have been trying to hose down scores of new targets with a flood of internet traffic, according to Chinese security firm Qihoo 360... Github was the first high-profile victim and suffered a 1.35 Tbps assault -- or what was then the biggest DDoS attack on record. But days later, an unnamed U.S. service provider fended off a separate assault, which measured at 1.7 Tbps. Unfortunately, the amplified DDoS attacks haven't stopped. They've gone on to strike over 7,000 unique IP addresses in the last seven days, Qihoo 360 said in a blog post... Gaming sites including Rockstargames.com, Minecraft.net, and Playstation.net have been among those hit...

The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Radware security researcher Daniel Smith said. That leaves 40,000 servers open to exploitation. Smith points to how the coding behind the attack technique has started to circulate online through free tools and scripts.

Meanwhile, Slashdot reader darthcamaro shares an article about "the so-called 'kill switch'" that some vendors have been debating: "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."
Bug

How Are Sysadmins Handling Spectre/Meltdown Patches? (hpe.com) 49

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..."

The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.

The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."
Google

Former Google Employee Files Lawsuit Alleging the Company Fired Him Over Pro-Diversity Posts (theverge.com) 308

According to court documents filed today, a former Google engineer is suing the company for discrimination, harassment, retaliation, and wrongful termination. "Tim Chevalier, a software developer and former site-reliability engineer at Google, claims that Google fired him when he responded with internal posts and memes to racist and sexist encounters within the company and the general response to the now-infamous James Damore memo," reports The Verge. From the report: Chevalier said in a statement to The Verge, "It is a cruel irony that Google attempted to justify firing me by claiming that my social networking posts showed bias against my harassers." Chevalier, who is also disabled and transgender, alleges that his internal posts that defended women of color and marginalized people led directly to his termination in November 2017. He had worked at Google for a little under two years. Notably, Chevalier's posts had been quoted in Damore's lawsuit against Google -- in which Damore sued the company for discrimination against conservative white men -- as evidence Google permitted liberals to speak out at the company unpunished. Chevalier's lawsuit alleges that his firing is, in fact, a form of punishment. The lawsuit was filed in San Francisco County Superior Court and Chevalier is seeking damages for lost wages, emotional distress, punitive damages, and injunctive relief against those alleged harmful acts. Google did not immediately respond to a request for comment.
Google

AMP For Email Is a Terrible Idea (techcrunch.com) 177

An anonymous reader shares an excerpt from a report via TechCrunch, written by Devin Coldewey: Google just announced a plan to "modernize" email with its Accelerated Mobile Pages platform, allowing "engaging, interactive, and actionable email experiences." Does that sound like a terrible idea to anyone else? It sure sounds like a terrible idea to me, and not only that, but an idea borne out of competitive pressure and existing leverage rather than user needs. Not good, Google. Send to trash. See, email belongs to a special class. Nobody really likes it, but it's the way nobody really likes sidewalks, or electrical outlets, or forks. It's not that there's something wrong with them. It's that they're mature, useful items that do exactly what they need to do. They've transcended the world of likes and dislikes. Email too is simple. It's a known quantity in practically every company, household, and device. The implementation has changed over the decades, but the basic idea has remained the same since the very first email systems in the '60s and '70s, certainly since its widespread standardization in the '90s and shift to web platforms in the '00s. The parallels to snail mail are deliberate (it's a payload with an address on it) and simplicity has always been part of its design (interoperability and privacy came later). No company owns it. It works reliably and as intended on every platform, every operating system, every device. That's a rarity today and a hell of a valuable one.

More important are two things: the moat and the motive. The moat is the one between communications and applications. Communications say things, and applications interact with things. There are crossover areas, but something like email is designed and overwhelmingly used to say things, while websites and apps are overwhelmingly designed and used to interact with things. The moat between communication and action is important because it makes it very clear what certain tools are capable of, which in turn lets them be trusted and used properly. We know that all an email can ever do is say something to you (tracking pixels and read receipts notwithstanding). It doesn't download anything on its own, it doesn't run any apps or scripts, attachments are discrete items, unless they're images in the HTML, which is itself optional. Ultimately the whole package is always just going to be a big, static chunk of text sent to you, with the occasional file riding shotgun. Open it a year or ten from now and it's the same email. And that proscription goes both ways. No matter what you try to do with email, you can only ever say something with it -- with another email. If you want to do something, you leave the email behind and do it on the other side of the moat.

The Internet

Trump's Infrastructure Plan Has No Dedicated Money For Broadband (arstechnica.com) 103

An anonymous reader quotes a report from Ars Technica: President Trump's new 10-year plan for "rebuilding infrastructure in America" doesn't contain any funding specifically earmarked for improving Internet access. Instead, the plan sets aside a pool of funding for numerous types of infrastructure projects, and broadband is one of the eligible categories. The plan's $50 billion Rural Infrastructure Program lists broadband as one of five broad categories of eligible projects.

Eighty percent of the program's $50 billion would be "provided to the governor of each state." Governors would take the lead in deciding how the money would be spent in their states. The other 20 percent would pay for grants that could be used for any of the above project categories. Separately, broadband would be eligible for funding from a proposed $20 billion Transformative Projects Program, along with transportation, clean water, drinking water, energy, and commercial space. Trump's plan would also add rural broadband facilities to the list of eligible categories for Private Activity Bonds, which allow private projects to "benefit from the lower financing costs of tax-exempt municipal bonds." The plan would also let carriers install small cells and Wi-Fi attachments without going through the same environmental and historical preservation reviews required for large towers.

Software

Windows 10 Will Soon Get Progressive Web Apps To Boost the Microsoft Store (techradar.com) 152

The next major update to Windows 10 will bring Progressive Web Apps (PWAs) to the Microsoft Store. PWAs are websites (or web apps) which are implemented as native apps, and delivered just like a normal app through Windows 10's store. According to TechRadar, "The big advantages are that no platform-specific code is required, allowing devs to make apps that run across different platforms, and that PWAs are hosted on the developer's server, so can be updated directly from there (without having to push updates to the app store)." The other benefit for Microsoft is that they will be getting a bunch of new apps in Windows 10's store. From the report: As Microsoft explains in a blog post, these new web apps are built on a raft of nifty technologies -- including Service Worker, Fetch networking, Push notifications and more -- all of which will be enabled when EdgeHTML 17 (the next version of the rendering engine that powers the Edge browser) goes live in Windows 10 in the next big update. PWAs can be grabbed from the Microsoft Store as an AppX file, and will run in their own sandboxed container, without needing the browser to be open at all. As far as the user is concerned, they'll be just like any other app downloaded from the store. Microsoft says it is already experimenting with crawling and indexing PWAs from the web to pick out the quality offerings, which it will draft into the Microsoft Store. The firm has already combed through some 1.5 million web apps to pick out a small selection of PWAs for initial testing. As well as discovering apps via web crawling, developers will also be able to submit their offerings directly to Microsoft for approval.
OS X

Apple Deprecates More Services In OS X Server (apple.com) 145

Long-time Slashdot reader HEMI426 writes: Long ago, Apple used to produce rack servers, and a special flavor of OS X for that hardware with extra, server-friendly features. After Apple got out of the rack server game, OS X Server soldiered on, with the occasional change in cost or distribution method.

The next stop on the long, slow death march of OS X Server is here. With a recent post to their knowledgebase, Apple states that almost all of the services not necessary for the management of networked Macs and other iDevices are being deprecated. These services will be hidden for new installs, and dropped in the future.

Apple writes that "those depending on them should consider alternatives, including hosted services."
Networking

Is It Time For Zero-Trust Corporate Networks? (csoonline.com) 150

An anonymous reader quotes CSO: "The strategy around Zero Trust boils down to don't trust anyone. We're talking about, 'Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized,'" says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass... The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn't pose a threat and therefore was cleared for access. Security and technology experts say the castle-and-moat approach isn't working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance...

Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users -- employees, partners, customers -- accessing applications from a range of devices from multiple locations and even potentially from around the globe... The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise... Zero Trust draws on technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.

"Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments," says the chief product officer at an IAM/PIM solutions supplier.

"Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment."
