China

China Blocks Foreign Companies From Mapping Its Roads for Self-Driving Cars (thedrive.com) 79

The Chinese government is blocking foreign companies from mapping its roads in great detail, according to a Financial Times (paywalled) report. The restrictions, which reportedly do not apply to Chinese firms, are being instituted in the name of national security. China is concerned about spying. From a report: China has restricted the recording of geographic information for more than a decade because it believes giving other countries access to that information constitutes a security risk. Geographic surveys can't be performed without permission from the government, and many digital cameras don't record GPS coordinates for geotagging, as they do in other countries, according to Fortune.
Microsoft

Microsoft Disables Word DDE Feature To Prevent Further Malware Attacks (bleepingcomputer.com) 73

An anonymous reader writes: As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware. DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened. DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.

Television

What's The Best TV Show About Working in Tech? (gizmodo.com) 185

An anonymous reader writes: Recently Gizmodo hailed "the best show ever made about Silicon Valley", asking its readers one question: why didn't you watch it? They're talking about AMC's Halt and Catch Fire, which their Senior Reviews Editor says "discovered the fascinating, frustrating human side to the soulless monsters who built Silicon Valley." Unfortunately, "nobody watched it. The show never cracked a million live viewers after the pilot episode. It sat firmly on the bubble every season, getting greenlit only by the grace of AMC."

Today Netflix is making that show's fourth (and final) season available -- but is it the best show about working in tech? What about Mr. Robot, Silicon Valley, or The IT Crowd -- or that short-lived X-Files spin-off, The Lone Gunmen?

Has there ever been a good show about geeks -- besides those various PBS documentaries? Leave your own answers in the comments.

What's the best TV show about working in tech?
Microsoft

Microsoft Releases a Preview of OpenSSH Client and Server For Windows 10 (servethehome.com) 142

kriston (Slashdot user #7,886) writes: Microsoft released a preview of the OpenSSH server and client for Windows 10. Go to Settings, Apps & Features, and click "Manage optional features" to install them. The software only supports AES-CTR and chacha20 ciphers and supports a tiny subset of keys and KEXs, but, on the other hand, a decent set of MACs.

It also says that it doesn't use the OpenSSL library. That's the really big news, here. I understand leaving out arcfour/RC4 and IDEA, but why wouldn't MSFT include Blowfish, Twofish, CAST, and 3DES? At least they chose the CTR versions of these ciphers. (Blowfish isn't compromised in any practical way, by the way). I prefer faster and less memory- and CPU-intensive ciphers.

Still, it's a good start. The SSH server is compelling enough to check out especially since I just started using X2GO for remote desktop access which requires an SSH server for its file sharing feature.

Microsoft

Windows 10 Bundled a Password Manager with a Security Flaw (bleepingcomputer.com) 48

An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to a same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.

Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.

The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.
The Courts

Here's the Letter Alleging Uber Spied on Individuals For Competitive Intelligence (recode.net) 37

The judge in the $1.9 billion civil suit between Google-parent company Alphabet's self-driving car unit Waymo and Uber released the letter of a disgruntled former employee -- former Uber security officer Richard Jacobs -- on Friday, laying bare a number of explosive allegations against the ride-hailing company that include corporate espionage, unlawful surveillance, illegal wiretapping, bribery of foreign officials, and illicit hacking. From a report: The letter read: "This program, formerly known as the Strategic Services Group, under Nick Gicinto, collected intelligence and conducted unauthorized surveillance, including unauthorized recording of private conversations against executives from competitor firms, such as DiDi Chuxing and against its own employees and contractors at the Autonomous Technologies Group in Pittsburgh." Jacobs testified in court and walked back some of the allegations made in the letter, which was written by his attorney, Clayton Halunen. Days later, Uber's new chief legal officer Tony West issued a directive to employees to stop surveilling individuals, which Recode first reported. In a separate note to staff Khosrowshahi (current CEO of Uber) said the letter detailed enough to "merit serious concern." While Jacobs, Padilla (Uber's general counsel) and other employees addressed some of the claims made within the letter -- confirming the use of Wickr for business-related communications -- the letter itself had not been made public before Friday evening. The document prepared by Jacobs' attorney also claimed Uber was using some of these surveillance tactics on Alphabet's self-driving arm, Waymo. However, during his testimony, Jacobs walked that allegation back.
Mozilla

Mozilla Slipped a 'Mr. Robot'-Promo Plugin Into Firefox and Users Are Pissed (gizmodo.com) 303

MarcAuslander shares a report from Gizmodo: Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox -- and managed to piss off a bunch of its privacy-conscious users in the process. The extension, called Looking Glass, is intended to promote an augmented reality game to "further your immersion into the Mr. Robot universe," according to Mozilla. It was automatically added to Firefox users' browsers this week with no explanation except the cryptic message, "MY REALITY IS JUST DIFFERENT THAN YOURS," prompting users to worry on Reddit that they'd been hit with spyware. Without an explanation included with the extension, users were left digging around in the code for Looking Glass to find answers. Looking Glass was updated for some users today with a description that explains the connection to Mr. Robot and lets users know that the extension won't activate without explicit opt-in.

Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. "The Mr. Robot series centers around the theme of online privacy and security," the company said in an explanation of the mysterious extension. "One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy."

Security

Lock Out: the Austrian Hotel That Was Hacked Four Times (bbc.com) 53

AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.
Government

CIA Captured Putin's 'Specific Instructions' To Hack the 2016 Election, Says Report (thedailybeast.com) 531

An anonymous reader quotes a report from The Daily Beast: When Director of National Intelligence James R. Clapper Jr., CIA Director John Brennan and FBI Director James B. Comey all went to see Donald Trump together during the presidential transition, they told him conclusively that they had "captured Putin's specific instructions on the operation" to hack the 2016 presidential election, according to a report in The Washington Post. The intel bosses were worried that he would explode but Trump remained calm during the carefully choreographed meeting. "He was affable, courteous, complimentary," Clapper told the Post. Comey stayed behind afterward to tell the president-elect about the controversial Steele dossier, however, and that private meeting may have been responsible for the animosity that would eventually lead to Trump firing the director of the FBI.
Bitcoin

A Cryptocurrency Without a Blockchain Has Been Built To Outperform Bitcoin (technologyreview.com) 185

An anonymous reader quotes a report from MIT Technology Review: Bitcoin isn't the only cryptocurrency on a hot streak -- plenty of alternative currencies have enjoyed rallies alongside the Epic Bitcoin Bull Run of 2017. One of the most intriguing examples is also among the most obscure in the cryptocurrency world. Called IOTA, it has jumped in total value from just over $4 billion to more than $10 billion in a little over two weeks. But that isn't what makes it interesting. What makes it interesting is that it isn't based on a blockchain at all; it's something else entirely. The rally began in late November, after the IOTA Foundation, the German nonprofit behind the novel cryptocurrency, announced that it was teaming up with several major technology firms to develop a "decentralized data marketplace."

Though IOTA tokens can be used like any other cryptocurrency, the protocol was designed specifically for use on connected devices, says cofounder David Sonstebo. Organizations collect huge amounts of data from these gadgets, from weather tracking systems to sensors that monitor the performance of industrial machinery (a.k.a. the Internet of things). But nearly all of that information is wasted, sitting in siloed databases and not making money for its owners, says Sonstebo. IOTA's system can address this in two ways, he says. First, it can assure the integrity of this data by securing it in a tamper-proof decentralized ledger. Second, it enables fee-less transactions between the owners of the data and anyone who wants to buy it -- and there are plenty of companies that want to get their hands on data.
The report goes on to note that instead of using a blockchain, "IOTA uses a 'tangle,' which is based on a mathematical concept called a directed acyclic graph." The team decided to research this new alternative after deciding that blockchains are too costly. "Part of Sonstebo's issue with Bitcoin and other blockchain systems is that they rely on a distributed network of 'miners' to verify transactions," reports MIT Technology Review. "When a user issues a transaction [with IOTA], that individual also validates two randomly selected previous transactions, each of which refer to two other previous transactions, and so on. As new transactions mount, a 'tangled web of confirmation' grows, says Sonstebo."
Security

Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com) 30

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.
Security

Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com) 32

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.
IT

Internet Traffic To Major Tech Firms Mysteriously Rerouted To Russia (securityweek.com) 105

wiredmikey writes: Internet traffic to some of the world's largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack. Internet monitoring service BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).

It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC. Despite being short-lived, BGPmon said the incidents were significant, including due to the fact that the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, which is a joint project of several Nordic countries. The incident is rather suspicious, as the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren't normally seen on the Internet.

Security

Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com) 149

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
Cloud

Trump Administration Calls For Government IT To Adopt Cloud Services (reuters.com) 208

According to Reuters, The White House said Wednesday the U.S. government needs a major overhaul of information technology systems and should take steps to better protect data and accelerate efforts to use cloud-based technology. The report outlined a timeline over the next year for IT reforms and a detailed implementation plan. One unnamed cloud-based email provider has agreed to assist in keeping track of government spending on cloud-based email migration. From the report: The report said the federal government must eliminate barriers to using commercial cloud-based technology. "Federal agencies must consolidate their IT investments and place more trust in services and infrastructure operated by others," the report found. Government agencies often pay dramatically different prices for the same IT item, the report said, sometimes three or four times as much. A 2016 U.S. Government Accountability Office report estimated the U.S. government spends more than $80 billion on IT annually but said spending has fallen by $7.3 billion since 2010. In 2015, there were at least 7,000 separate IT investments by the U.S. government. The $80 billion figure does not include Defense Department classified IT systems and 58 independent executive branch agencies, including the Central Intelligence Agency. The GAO report found some agencies are using systems that have components that are at least 50 years old.
Open Source

Avast Launches Open-Source Decompiler For Machine Code (techspot.com) 113

Greg Synek reports via TechSpot: To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS. As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service.

Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software. For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software.

Security

Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com) 86

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."
Communications

Someone Used Wet String To Get a Broadband Connection (vice.com) 77

dmoberhaus shares a Motherboard report: A UK techie with a sense of humor may have found an alternative to expensive corporate broadband cables: some wet string. It's an old joke among network technicians that it's possible to get a broadband connection with anything, even if it's just two cans connected with some wet string. As detailed in a blog post by Adrian Kennard, who runs an ISP called Andrews & Arnold in the UK, one of his colleagues took the joke literally and actually established a broadband connection using some wet string. Broadband is a catch-all term for high speed internet access, but there are many different kinds of broadband internet connections. For example, there are fiber optic connections that route data using light and satellite connections, but one of the most common types is called an asymmetric digital subscriber line (ADSL), which connects your computer to the internet using a phone line. Usually, broadband connections rely on wires made of a conductive substances like copper. In the case of the Andrews & Arnold technician, however, they used about 6 feet of twine soaked in salt water (better conductivity than fresh water) that was connected to alligator clips to establish the connection. According to the BBC, this worked because the connection "is not really about the flow of current." Instead, the string is acting as a guide for an electromagnetic wave -- the broadband signal carrying the data -- and the medium for a waveguide isn't so important.
Botnet

Mirai IoT Botnet Co-Authors Plead Guilty (krebsonsecurity.com) 33

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.
Businesses

Uber's Massive Scraping Program Collected Data About Competitors Around The World (gizmodo.com) 29

Kate Conger, reporting for Gizmodo: For years, Uber systemically scraped data from competing ride-hailing companies all over the world, harvesting information about their technology, drivers, and executives. Uber gathered information from these firms using automated collection systems that ran constantly, amassing millions of records, and sometimes conducted physical surveillance to complement its data collection. Uber's scraping efforts were spearheaded by the company's Marketplace Analytics team, while the Strategic Services Group gathered information for security purposes, Gizmodo learned from three people familiar with the operations of these teams, from court testimony, and from internal Uber documents. Until Uber's data scraping was discontinued this September in the face of mounting litigation and multiple federal investigations, Marketplace Analytics gathered information on Uber's overseas competitors in an attempt to advance Uber's position in those markets. SSG's mission was to protect employees, executives, and drivers from violence, which sometimes involved tracking protesters and other groups that were considered threatening to Uber. An Uber spokesperson declined to comment for this story.

Slashdot Top Deals