Linux fréttir

NSO Group 'will no longer be responding to inquiries' about misuse of its software

TheRegister - Thu, 2021-07-22 04:09
Denies everything, as governments open probes into the company and its wares

The NSO Group, a purveyor of spyware it hopes governments and law enforcement bodies will use to fight terrorism, has announced it will not answer any further questions about allegations raised by Amnesty International and Forbidden Stories that its products have been widely misused.…

Categories: Linux fréttir

16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines

Slashdot - Thu, 2021-07-22 03:30
An anonymous reader quotes a report from Threatpost: Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity. According to researchers, the vulnerability exists in a function inside the driver that accepts data sent from User Mode via Input/Output Control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific input/output operations. "This function copies a string from the user input using 'strncpy' with a size parameter that is controlled by the user," according to SentinelOne's analysis, released on Tuesday. "Essentially, this allows attackers to overrun the buffer used by the driver." Thus, unprivileged users can elevate themselves into a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to anyone, according to the firm. The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, since printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every startup. "Thus, in effect, this driver gets installed and loaded without even asking or notifying the user," explained the researchers. "Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected." Affected models and associated patches can be found here and here. "While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing," according to SentinelOne. "This is not considered best practice since the vulnerable driver can still be used in bring-your-own-vulnerable-driver (BYOVD) attacks." Some Windows machines may already have the vulnerable driver without even running a dedicated installation file, since it comes with Microsoft Windows via Windows Update.

Read more of this story at Slashdot.

US senators warn China's Digital Yuan could compromise Olympic athletes

TheRegister - Thu, 2021-07-22 02:48
Meanwhile, Tokyo games ticket holder data leaks, and those affected can't even use their seats

Three US senators have written to their nation's Olympic Committee with a request that it "forbid American athletes from receiving or using Digital Yuan during the Beijing Olympics" – a reference to the Winter Games scheduled to commence on February 4th, 2022.…

'Nuclear Football' Safety Procedures To Be Reassessed

Slashdot - Thu, 2021-07-22 02:02
quonset writes: Wherever the president goes, so goes the nuclear football, a 45 pound case which allows the president to confirm his identity and authorize a nuclear strike. The Football also provides the commander in chief with a simplified menu of nuclear strike options -- allowing him to decide, for example, whether to destroy all of America's enemies in one fell swoop or to limit himself to obliterating only Moscow or Pyongyang or Beijing. During the attempted insurrection on January 6th, video from inside the capitol showed the mob coming within 100 feet of then-Vice President Mike Pence and his military aide who was carrying a second nuclear football. Had they lost control of the case, no nuclear weapons could have been launched, but the highly classified information within the case could have been leaked, or sold, to nation states. As a result, members of Congress asked the Pentagon to review procedures for handling and security of the nuclear football. The Department of Defense Inspector General will evaluate the policies and procedures around the Presidential Emergency Satchel, also known as the "nuclear football," in the event that it is "lost, stolen, or compromised," according to an announcement from the DoD IG's office. This would not be the first time procedures for the case have been reviewed. Jimmy Carter, who qualified as a nuclear sub commander, was aware that he would have only a few minutes to decide how to respond to a nuclear strike against the United States. Carter ordered that the war plans be drastically simplified. A former military aide to President Bill Clinton, Col. Buzz Patterson, would later describe the resulting pared-down set of choices as akin to a "Denny's breakfast menu." "It's like picking one out of Column A and two out of Column B," he told the History Channel. Following Carter, an incident during the Reagan administration led to another review. In the chaos after the attempted assassination, the aide carrying the case was separated from Reagan and did not accompany him to the hospital. When Reagan was stripped of his clothes prior to going into surgery, the biscuit, a card every president is given, which, if needed, can personally identify the president, was found abandoned in a hospital plastic bag. Bill Clinton had his review moment when it was discovered he had lost his biscuit for months, and never told anyone.

Clubhouse Is Now Out of Beta and Open To Everyone

Slashdot - Thu, 2021-07-22 01:25
Clubhouse announced Wednesday that it would end its waitlist and invite system, opening up to everyone. TechCrunch reports: Clubhouse is also introducing a real logo that will look familiar -- it's basically a slightly altered version of the waving emoji the company already used. Clubhouse will still hold onto its app portraits, introducing a new featured icon from the Atlanta music scene to ring in the changes. "The invite system has been an important part of our early history," Clubhouse founders Paul Davison and Rohan Seth wrote in a blog announcement. They note that adding users in waves and integrating new users into the app's community through Town Halls and orientation sessions helped Clubhouse grow at a healthy rate without breaking, "but we've always wanted Clubhouse to be open." According to new data SensorTower provided to TechCrunch, Clubhouse hit its high point in February at 9.6 million global downloads, up from 2.4 million the month prior. After that, things settled down a bit before perking back up in May when TikTok went live on Android through the Google Play Store. Since May, new Android users have accounted for the lion's share of the app's downloads. In June, Clubhouse was installed 7.7 million times across both iOS and Android -- an impressive number that's definitely in conflict with the perception that the app might not have staying power. Clubhouse's success is a double-edged sword. The app's meteoric rise came as a surprise to the team, as meteoric rises often do. The social app is still a wild success by normal metrics in a landscape completely dominated by a handful of large, entrenched platforms, but it can be tricky to maintain healthy momentum after such high highs. Opening up the app to everybody should certainly help.

Steve Jobs' 1973 Job Application Once Again Up For Auction, In Physical and NFT Form

Slashdot - Thu, 2021-07-22 00:45
A London-based entrepreneur is putting a 1973 job application filled out by Steve Jobs up for auction. "The form Jobs apparently filled out for an unspecified position at an unspecified company will be available to buy either as a purportedly authenticated physical good or in digital form, as a nonfungible token, or NFT," reports CNET. From the report: The job application's gone up for auction several times before, selling in 2017 for $18,750, in 2018 for $174,757, and just this last March for a reported $222,400. The auction's organizer, Olly Joshi, is hoping to sweeten the pot by taking bids for the physical and a new NFT version side by side. Bidding starts July 21. "The Steve Jobs hand-written 1973 job application auction aims to highlight the modern shift in perceived value -- the physical or the digital," he said in a statement. The auction will run for seven days, during which people seeking the physical version can bid through Joshi's website, which is being run off an auctioneering app called Snoofa. People hoping to snag the digital version can go to popular NFT marketplace Rarible.

Audacity's New Owner Is In Another Fight With the Open Source Community

Slashdot - Thu, 2021-07-22 00:02
An anonymous reader quotes a report from Ars Technica: Muse Group -- owner of the popular audio-editing app Audacity -- is in hot water with the open source community again. This time, the controversy isn't over Audacity -- it's about MuseScore, an open source application that allows musicians to create, share, and download musical scores (especially, but not only, in the form of sheet music). The MuseScore app itself is licensed GPLv3, which gives developers the right to fork its source and modify it. One such developer, Wenzheng Tang ("Xmader" on GitHub) went considerably further than modifying the app -- he also created separate apps designed to bypass MuseScore Pro subscription fees. After thoroughly reviewing the public comments made by both sides at GitHub, Ars spoke at length with Muse Group Head of Strategy Daniel Ray -- known on GitHub by the moniker "workedintheory" -- to get to the bottom of the controversy. While Xmader did, in fact, fork MuseScore, that's not the root of the controversy. Xmader forked MuseScore in November 2020 and appears to have abandoned that fork entirely; it only has six commits total -- all trivial, and all made the same week that the fork was created. Xmader is also currently 21,710 commits behind the original MuseScore project repository. Muse Group's beef with Xmader comes from two other repositories, created specifically to bypass subscription fees. Those repositories are musescore-downloader (created November 2019) and musescore-dataset (created March 2020). Musescore-downloader describes itself succinctly: "download sheet music from musescore.com for free, no login or MuseScore Pro required." Musescore-dataset is nearly as straightforward: it declares itself "the unofficial dataset of all music sheets and users on musescore.com." In simpler terms: musescore-downloader lets you download things from musescore.com that you shouldn't be able to; musescore-dataset is those files themselves, already downloaded. For scores that are in the public domain or that users have uploaded under Creative Commons licenses, this isn't necessarily a problem. But many of the scores are only available by arrangement between the score owner and Muse Group itself -- and this has several important implications. Just because you can access the score via the app or website doesn't mean you're free to access it anywhere, anyhow, or redistribute that score yourself. The distribution agreement between Muse Group and the rightsholder allows legitimate downloads, but only when using the site or app as intended. Those agreements do not give users carte blanche to bypass controls imposed on those downloads. Further, those downloads can often cost the distributor real money -- a free download of a score licensed to Muse Group by a commercial rightsholder (e.g., Disney) is generally not "free" to Muse Group itself. The site has to pay for the right to distribute that score -- in many cases, based on the number of downloads made. Bypassing those controls leaves Muse Group on the hook either for costs it has no way to monetize (e.g., by ads for free users) or for violating its own distribution agreements with rightsholders (by failing to properly track downloads).

NPM is Now Providing Malware – or was until recently

TheRegister - Wed, 2021-07-21 23:59
Password-stealing package outed by security firm evokes sense of déjà vu

Another malicious library has been spotted in the JavaScript-oriented NPM registry, underscoring the continued fragility of today's software supply chain.…

Amazon Promises Most Echo Speakers Will Support the Matter Smart Home Platform

Slashdot - Wed, 2021-07-21 23:20
Today, Amazon said it will be upgrading almost every plug-in Echo smart speaker to support Matter, a cross-platform open-source standard coming later this year. This includes most Echo and Echo Dot speakers and every Echo Studio, Echo Show, Echo Plus, and Echo Flex. "In fact, the only Echo smart speakers that won't get upgraded to Matter are the first-gen Echo, first-gen Echo Dot and Echo Tap," reports The Verge. From the report: While the company doesn't provide a timeline for those upgrades, the general idea is that Matter will launch by late 2021, so it shouldn't be long until Amazon's newest and / or more popular devices receive the capability. A bigger question is whether any of them will work as Matter hubs. Google announced in May that in addition to upgrading its Nest devices to Matter, it would allow its devices that support the Thread protocol (like the Nest Wi-Fi, Nest Hub Max, and second-gen Nest Hub) to double as connection hubs for Matter, too, not simply as a voice assistant to control Matter gadgets. But while Amazon's Eero routers were early to adopt Thread, Amazon's Echo smart speakers were not.

Serial Swatter Who Caused Death Gets Five Years In Prison

Slashdot - Wed, 2021-07-21 22:40
An 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that led to the death of a 60-year-old grandfather in 2020 was sentenced to 60 months in prison today. Krebs on Security reports: Shane Sonderman, of Lauderdale County, Tenn. admitted to conspiring with a group of criminals that's been "swatting" and harassing people for months in a bid to coerce targets into giving up their valuable Twitter and Instagram usernames. At Sonderman's sentencing hearing today, prosecutors told the court the defendant and his co-conspirators would text and call targets and their families, posting their personal information online and sending them pizzas and other deliveries of food as a harassment technique. Other victims of the group told prosecutors their tormentors further harassed them by making false reports of child abuse to social services local to the target's area, and false reports in the target's name to local suicide prevention hotlines. Eventually, when subjects of their harassment refused to sell or give up their Twitter and Instagram usernames, Sonderman and others would swat their targets -- or make a false report to authorities in the target's name with the intention of sending a heavily armed police response to that person's address. [...] Sonderman might have been eligible to knock a few months off his sentence had he cooperated with investigators and refrained from committing further crimes while out on bond. But prosecutors said that shortly after his release, Sonderman went right back to doing what he was doing when he got caught. Investigators who subpoenaed his online communications found he'd logged into the Instagram account "FreeTheSoldiers," which was known to have been used by the group to harass people for their social media handles. Sonderman was promptly re-arrested for violating the terms of his release, and prosecutors played for the court today a recording of a phone call Sonderman made from jail in which he brags to a female acquaintance that he wiped his mobile phone two days before investigators served another search warrant on his home. "Although it may seem inadequate, the law is the law," said Judge Norris after giving Sonderman the maximum sentence allowed by law under the statute. "The harm it caused, the death and destruction... it's almost unspeakable. This is not like cases we frequently have that involve guns and carjacking and drugs. This is a whole different level of insidious criminal behavior here."

Money can't buy you love: Huawei continues to throw fistfuls of dollars at US lobbying efforts

TheRegister - Wed, 2021-07-21 22:29
Another year, and Chinese tech bogeyman is still on the blocklist

Huawei says it is looking to facilitate a "deeper, mutual understanding" with the US government despite remaining on the security naughty step, and is continuing to spend millions lobbying American officials in areas such as broadband and mobile technology.…

FTC Formally Adopts Right To Repair Platform

Slashdot - Wed, 2021-07-21 22:02
An anonymous reader quotes a report from Motherboard: The Federal Trade Commission unanimously voted Wednesday to pursue policies that will make it easier for people to repair their own things. In a vote of 5-0 during a Commission Meeting, the FTC agreed to adopt a policy paper outlining how it planned to enforce rules that keep manufacturers from restricting aftermarket repair. It plans to enforce existing warranty law, coordinate with state and local lawmakers to ensure open markets, and investigate the current repair monopolies for violations of antitrust law. The move comes just weeks after President Joe Biden signed an executive order directing the commission to create right-to-repair rules. The FTC policy paper outlined a five-pronged approach to the problem. First, it's asking for comments and complaints from the public about bad experiences it's had with repair issues and violated warranty. It's long been illegal under federal law for companies to void warranties based on aftermarket repairs. The problem is that those laws often aren't enforced, though the FTC did take some action on manufacturers who put warranty-void-if-removed stickers on their devices after Motherboard reported on the problem several years ago. "While current law does not provide for civil penalties or redress, the Commission will consider filing suit against violators of the Magnuson-Moss Warranty Act to seek appropriate injunctive relief," the policy paper said. Next, the FTC said it will look over current repair restrictions for violations of existing antitrust and anti-competition laws. "Finally, the Commission will bring an interdisciplinary approach to this issue, using resources and expertise from throughout the agency to combat unlawful repair restrictions," the policy paper said. "The FTC will also closely coordinate with state law enforcement and policymakers to ensure compliance and to update existing law and regulation to advance the goal of open repair markets." "Manufacturers, be warned: It's time to clean up your act and let people fix their stuff," Nathan Proctor, U.S. PIRG Right to Repair Senior Campaign Director, told Motherboard in an email. "With unanimous support from commissioners, there's a new sheriff in town. The FTC is ready to act to stop many of the schemes used to undermine repair, while support is increasing for new legislation to further crack down."

China Rejects Hacking Charges, Accuses US of Cyberspying

Slashdot - Wed, 2021-07-21 21:25
China has rejected an accusation by Washington and its Western allies that Beijing is to blame for a hack of the Microsoft Exchange email system and complained Chinese entities are victims of damaging U.S. cyberattacks. From a report: A foreign ministry spokesman demanded Washington drop charges announced Monday against four Chinese nationals accused of working with the Ministry of State Security to try to steal U.S. trade secrets, technology and disease research. The announcement that the Biden administration and European allies formally blame Chinese government-linked hackers for ransomware attacks increased pressure over long-running complaints against Beijing but included no sanctions. "The United States ganged up with its allies to make unwarranted accusations against Chinese cybersecurity," said the spokesman, Zhao Lijian. "This was made up out of thin air and confused right and wrong. It is purely a smear and suppression with political motives. China will never accept this," Zhao said, though he gave no indication of possible retaliation. China is a leader in cyberwarfare research along with the United States and Russia, but Beijing denies accusations that Chinese hackers steal trade secrets and technology. Security experts say the military and security ministry also sponsor hackers outside the government.

Gloom-dwelling subterranean robots battle for million-dollar DARPA prize

TheRegister - Wed, 2021-07-21 21:15
SubT Challenge pits high-tech rescue drones against one another in upsettingly non-violent combat

Legendarily loopy US military (and now also non-military) ideas factory DARPA has launched a $1m competition for underground robots.…

Spanish cops cuff Brit bloke accused of playing role in 2020 celeb Twitter hijacking

TheRegister - Wed, 2021-07-21 20:54
'PlugWalkJoe' also said to have meddled with TikTok, SnapChat

The Spanish National Police have, at the request of America, arrested UK citizen Joseph O’Connor in Estepona, Spain, in connection with the July 2020 takeover of more than 130 Twitter accounts.…

Australia's Giant Carbon Capture Project Fails To Meet Key Targets

Slashdot - Wed, 2021-07-21 20:43
The world's largest carbon capture and storage project has failed to meet a crucial target of capturing and burying an average of 80% of the carbon dioxide produced from gas wells in Western Australia over five years. From a report: The energy giant Chevron agreed to the target with the West Australian government when developing its $54 billion Gorgon project to extract and export gas from fields off the WA coast. The five year milestone passed on Sunday. In a statement the energy giant Chevron announced that since operations began in August 2019 it had injected five million tonnes of greenhouse gases underground. According to the independent analyst Peter Milne, that leaves a shortfall of around 4.6 million tonnes, which he estimates would cost about $100 million to offset via carbon credits. The project has national and even international significance, with the oil and gas industry and the federal government declaring the success of carbon capture and storage to be crucial in tackling climate change while making use of fossil fuels. "It is essential we position Australia to succeed by investing now in the technologies that will support our industries into the future, with lower emissions energy that can support Australian jobs," Prime Minister Scott Morrison said in April while announcing $263.7 million in funding to develop carbon capture and storage technology.

Square To Create New Bitcoin Platform for Financial Services

Slashdot - Wed, 2021-07-21 20:05
Payments services company Square will open a new business focused on creating an "open developer platform" to make it easier to provide non-custodial, decentralized financial services, CEO Jack Dorsey said Thursday in a series of tweets. From a report: The still to-be-named division's "primary focus" would be bitcoin, he added. The initiative, which will be led by Mike Brock, would feature "open roadmap, open development and open source," Dorsey tweeted. Brock heads the company's strategic development group. The new division will differ from Square Crypto in that Square will provide direction as well as funding for its work, Dorsey tweeted. Square Crypto is working on the Lightning Development Kit.

The old New: Windows veteran explains that menu item

TheRegister - Wed, 2021-07-21 19:47
'Maybe that's what you do, but that's not what everybody does'

Microsoft veteran Raymond Chen has addressed a question that has occurred to most Windows users one time or another: why does Windows have a "New" menu?

Tesla Will 'Most Likely' Restart Accepting Bitcoin As Payments, Says Musk

Slashdot - Wed, 2021-07-21 19:25
Electric-car maker Tesla will most likely restart accepting bitcoin as payments, Chief Executive Officer Elon Musk said at a conference on Wednesday. From a report: Musk's comments come after Tesla said in May it would stop accepting bitcoin for car purchases. "Tesla would resume accepting bitcoin, it is most likely," Musk said at the B Word conference, where Square's Jack Dorsey also took part. Musk said he personally owned bitcoin, ethereum and dogecoin, apart from bitcoin that Tesla and SpaceX owned. Musk added that neither he nor any of his companies are selling any bitcoin. "If the price of bitcoin goes down, I lose money. I pump but I don't dump. I would like to see bitcoin succeed," he added.

Hijacked, rampaging infrastructure will kill humans by 2025 – Gartner

TheRegister - Wed, 2021-07-21 19:02
Ransomware efforts will inevitably lead to threats to life as attacks on OT go OTT

Rise of The Machines Rampaging cyber hoods will be using compromised machinery and systems to kill humans by 2025, according to cheerfully optimistic new predictions from research company Gartner.…

Subscribe to netserv.is aggregator - Linux fréttir