Technology

Presidential 'disdain' may have been a factor

re:Invernt  AWS CEO Andy Jassy faced the press yesterday at Amazon's re:Invent conference in Las Vegas, and there was one thing above all else that the press wanted to discuss. Why was Amazon heading to court to challenge the US Department of Defense's decision to award its $10bn "Project Jedi" IT project to Microsoft rather than to, well, AWS?…

At the Cascadia Rail Summit outside Seattle, a fledgling scheme to bring high-speed rail from Portland to Vancouver found an enthusiastic reception. Gregory Scruggs writes via CityLab: Only 175 miles separate Portland from Seattle. Then it's another 140 miles north to Vancouver, British Columbia. The three Pacific Northwest cities, which together form the Cascadia megaregion, are currently served by Amtrak service that tops out at 79 mph, shares track with BNSF freight trains, and runs infrequently -- just twice daily round-trip between Seattle and Vancouver. If you want to make the full 315-mile run from Portland to Vancouver on rails, it's going to take you at least 8-and-a-half hours. By bus or car, expect the journey to eat up 5 or 6 hours, with metro-area traffic an unpredictable wild card that regularly balloons travel times. But Roger Millar, Washington State's secretary of transportation, sees a better way: a trans-national, ultra-high-speed rail line that can hit 250 mph and put the three booming cities within super-commuting range. Such a system -- common in Europe and Asia but still alien to North America -- might cost $50 billion or so. That sounds like a lot, but it could be a bargain compared to adding a lane to I-5, the current north-south corridor linking the megaregion. "[For] $108 billion we've got another lane of pavement in each direction, and it still takes you all day to get from Portland to Vancouver," Millar said earlier this month of a hypothetical lane-widening project. "Half of that invested in ultra-high speed rail and it's two hours. That's game-changing stuff."

Read more of this story at Slashdot.

Researchers at Valimail found that only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks. TechCrunch reports: Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender's email and rejects fraudulent or spoofed emails. DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address by sending to spam or bouncing it from the target's inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know. But the research found that although DMARC is enabled on many domains, it's not properly enforced, rendering its filtering efforts largely ineffective. The researchers said 66% of the district election-related domains had no DMARC entry at all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether. [...] The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data or delete it altogether, a move that would potentially disrupt the democratic process.

Read more of this story at Slashdot.

Privacy developers concerned over Chocolate Factory plans

A nascent web API called getInstalledRelatedApps offers a glimpse of why online privacy remains such an uncertain proposition. In development since 2015, Google has been experimenting with the API since the release of Chrome 59 in 2017. As its name suggests, it is designed to let web apps and sites determine whether a corresponding native app is installed on a user's device.…

An anonymous reader quotes a report from Road to VR: Qualcomm today announced Snapdragon XR2 5G, its latest chipset platform dedicated to the needs of standalone VR and AR headsets. The new platform is aimed at high-end devices with support for 3K x 3K displays at 90Hz, along with integrated 5G, accelerated AI processing, and up to seven simultaneous camera feeds for user and environment tracking. While XR1 was made for low-end devices, XR2 5G targets high-end standalone headsets, making it a candidate for Oculus Quest 2, Magic Leap 2, and similar next-gen devices. XR2 offers up notable improvements over Snapdragon 835 (one of the most common chipsets found in current standalone headsets, including Quest); Qualcomm claims 2x performance in CPU & GPU, 4x increase in pixel throughput for video playback, and up to 6x resolution per-eye compared to Snapdragon 835 -- supporting up to 3K x 3K displays at 90Hz. [...] Notably, XR2 supports up to seven simultaneous camera feeds (up from four in prior platforms). This is key for advanced tracking, both of the environment and the user. [...] Qualcomm also says that XR2 offers low-latency pass-through video which could improve the pass-through video experience on headsets like Quest, and potentially enable a wider range of pass-through AR use-cases. Additionally XR2 boasts significantly accelerated AI processing; 11x compared to Snapdragon 835, which could greatly benefit the sort of operations used for turning incoming video feeds into useful tracking information.

Read more of this story at Slashdot.

Apple analyst Ming-Chi Kuo says there will be four new OLED iPhone models in 2020, followed by a new iPhone without a Lightning port in 2021. 9to5Mac reports: In 2021, Kuo is predicting a followup to the iPhone SE 2 as well as a new iPhone model without Lightning connectivity. Kuo says that this would "provide the completely wireless experience," meaning there would be no ports at all rather than a switch to USB-C from Lightning. Kuo implies that Apple only plans to remove the Lightning port from the "highest-end model" at first, rather than from the entire iPhone lineup at once. Kuo says The 2021 followup to the iPhone SE 2, which Kuo refers to as the "iPhone SE 2 Plus," will reportedly feature an all-screen design without a Home button. Kuo predicts this device will have a screen size of either 5.5-inches or 6.1-inches. Interestingly, Kuo says the iPhone SE 2 Plus still won't include Face ID authentication. Instead, Apple is reportedly planning to integrate Touch ID into the power button on the side of the device. As for the 2020 OLED iPhones, here's what Kuo had to say: Kuo predicts that Apple will introduce 5.4-inch, two 6.1-inch, and a 6.7-inch OLED iPhone models in 2020. He says that all four of these iPhones will also feature 5G connectivity. The difference between all of these models, other than screen sizes, will be camera technology. According to Kuo, the 5.4-inch OLED iPhone will feature a dual-camera setup on the back. The lower-end 6.1-inch iPhone will feature a similar dual-camera system. The higher-end 6.1-inch model and the 6.7-inch model will include triple-lens camera setups as well as time-of-flight 3D sensing technology. In terms of design for the 2020 OLED iPhone, Kuo says the form factor will be "similar to the iPhone 4."

Read more of this story at Slashdot.

Images beamed back from NASA's OSIRIS-REx spacecraft leave scientists baffled

Pic  A closeup image of Bennu snapped by NASA’s OSIRIS-REx spacecraft reveals that the asteroid’s surface is surprisingly volatile, randomly spitting out shards of debris into space.…

pgmrdlm shares a report from Business Insider: A suspected terrorist in Syria was reportedly killed with a rare U.S. missile packed with swords, according to multiple reports. The weapon that shredded the car did not explode. While the driver's side was torn apart, the vehicle was actually mostly intact. The deadly precision weapon was, according to a report from the Wall Street Journal in May, designed by the U.S. to reduce civilian casualties. The Journal noted that the R9X has been used covertly, albeit rarely, against targets in Syria, Yemen and elsewhere since 2017.

Read more of this story at Slashdot.

A group of filmmakers have sued the State Department for making visa applicants hand over details about their social media accounts. "The lawsuit argues that the requirement unconstitutionally discourages applicants from speaking online -- and, conversely, discourages people who post political speech from trying to enter the U.S.," reports The Verge. From the report: This lawsuit, filed by the Doc Society and the International Documentary Association, challenges the decision on First Amendment grounds. It calls the registration system "the cornerstone of a far reaching digital surveillance regime" that makes would-be visitors provide "effectively a live database of their personal, creative, and political activities online" -- which the government can monitor at any time, long after the application process has been completed. Applicants must even disclose accounts that they use pseudonymously, and if U.S. authorities fail to keep that information secure, it could potentially endanger people who are trying to avoid censorship from a repressive foreign government. The plaintiffs in this lawsuit say that some non-U.S. members have begun deleting social media content or stopped expressing themselves online because they're afraid it will complicate their ability to enter the U.S. Others have decided to stop working in the country because they don't want to reveal their social media accounts. "The Registration Requirement enables the government to compile a database of millions of people's speech and associations, which it can cross-reference to glean more information about any given visa applicant," warns the suit. And "the government's indefinite retention of information collected through the Registration Requirement further exacerbates the requirement's chilling effect because it facilitates surveillance into the future."

Read more of this story at Slashdot.

An anonymous reader quotes a report from ZDNet: After more than two years since it's been used the last time, the Chinese government deployed an infamous DDoS tool named the "Great Cannon" to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests. [...] DDoS attacks with the Great Cannon have been rare, mainly because they tend to generate a lot of bad press for the Chinese government. But in a report published today, AT&T Cybersecurity says the tool has been deployed once again. This time, the Great Cannon's victim was LIHKG.com, an online platform where the organizers of the Hong Kong 2019 protests have been sharing information about the locations of daily demonstrations. The site is also a place where Hong Kong residents congregate to recant stories of Chinese police abuse and upload video evidence. AT&T Cybersecurity says the first Great Cannon DDoS attacks targeted LIHKG on August 31, while the last one being recorded on November 27. AT&T Cybersecurity researcher Chris Doman said the August attacks used JavaScript code that was very similar to the one spotted in the 2017 attacks on Mingjingnews.com. According to LIHKG, the site received more than 1.5 billion requests per hour during the August attack, compared to the site's previous traffic record that was only a meager 6.5 million requests per hour.

Read more of this story at Slashdot.

The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. From a report: The scan took place between January and March 2019. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.

Read more of this story at Slashdot.

Who needs an elevator pitch when you have man-in-the-middle attack?

A group of hackers used a compromised email account to steal a start-up's $1m venture capital payment.…

A collection of 31 advocacy groups is pressing the Federal Trade Commission on Thursday to dig into how digital media companies advertise to children and collect their data. From a report: The request for the FTC to use its subpoena authority to probe so-called kidtech companies comes as the agency considers updates to how it implements a children's online privacy law. The coalition, which includes the Center for Digital Democracy and the Campaign for a Commercial-Free Childhood, argues the FTC must examine data collection and digital marketing practices before it changes how it enforces the Children's Online Privacy Protection Act. Possible targets for the FTC study include Google, Disney, Viacom, Adobe, TikTok, Twitch and AT&T's Warner Media. "As kids are spending more time than ever on digital devices, we need the full power of the law to protect them from predatory data collection -- but we can't protect children from Big Tech business models if we don't know how those models truly work," Josh Golin, executive director of the Campaign for Commercial-Free Childhood, said in a statement.

Read more of this story at Slashdot.

Boffins ride the memory bus past Intel's SGX to your data

Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus.…

The admission comes from the author of the snippet itself, Andreas Lundblad, a Java developer at Palantir, and one of the highest-ranked contributors to StackOverflow, a Q&A website for programming-related topics. From a report: An academic paper [PDF] published in 2018 identified a code snippet Lundblad posted on the site as the most copied Java code taken from StackOverflow and then re-used in open source projects. The code snippet was provided as an answer to a StackOverflow question posted in September 2010. The code snippet printed byte counts (123,456,789 bytes) in a human-readable format, like 123.5 MB. Academics found that this code had been copied and embedded in more than 6,000 GitHub Java projects, more than any other StackOverflow Java snippet. In a blog post published last week, Lundblad said that the code had a flaw as it incorrectly converted byte counts into human-readable formats. Lundblad said he revisited the code after learning of the academic paper and its results. He looked at the code again and published a corrected version on his blog.

Read more of this story at Slashdot.

Facebook today filed a lawsuit against a Chinese company and two Chinese nationals for abusing the Facebook ad platform to run a malware scheme. From a report: The accused are ILikeAd Media International Company, a Hong Kong-based company founded in 2016, and Chen Xiao Cong and Huang Tao, the two men behind it. Facebook said today that ILikeAd used Facebook ads to lure victims into downloading and installing malware. Once installed, the malware would compromise victims' Facebook accounts and use access to these accounts to place new ads, on behalf of the infected users.

Read more of this story at Slashdot.

Documentary filmmakers lob sue ball to halt practice

The US State Department is being sued over its policy of crawling the social media accounts of people applying for entry visas.…

An anonymous reader writes: Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected: Ubuntu 19.10 (systemd), Fedora (systemd), Debian 10.2 (systemd), Arch 2019.05 (systemd), Manjaro 18.1.1 (systemd), Devuan (sysV init), MX Linux 19 (Mepis+antiX), Void Linux (runit), Slackware 14.2 (rc.d), Deepin (rc.d), FreeBSD (rc.d), and OpenBSD (rc.d). This security flaw "allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website," according to William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, Breakpointing Bad researchers at University of New Mexico. "Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections," the researchers said.

Read more of this story at Slashdot.

Looking forward to seeing these in, well, anything would be nice

Qualcomm will today expand its range of Snapdragon system-on-chips for always-connected Arm-based Windows 10 tablet-laptops from one to three.…

Shannon Bond, writing for NPR: Inside a bright red building in Redwood City, just south of San Francisco, cooks plunge baskets of french fries into hot oil, make chicken sandwiches and wrap falafel in pita bread. If you've been in a restaurant kitchen, it's a familiar scene. But what's missing here are waiters and customers. Every dish is placed in a to-go box or bag. Delivery drivers line up in a waiting area ready for the name on their order to be called. Behind the counter, racks of metal shelves hold bags of food. Each bag sports a round, red sticker with the logo of DoorDash, America's biggest food delivery app. DoorDash manages this building, the drivers, the counter staff -- everything but the food, which is made by five restaurants that are renting kitchens here. Rather than having to build a physical brick-and-mortar store, we do that on their behalf. And then they move into our DoorDash kitchen and then overnight they're live on the DoorDash platform," said Fuad Hannon, DoorDash's head of new business verticals. He oversees the new kitchen venture. Not long ago, food delivery in many places was limited to pizza and Chinese takeout. But now, thanks to apps like DoorDash, Grubhub and Postmates, customers can summon their favorite dish with a tap on a smartphone screen, whether they live in a city or the far-flung suburbs. "Your customer is just like, at their living room, watching Netflix," said Min Park, an investor in DoorDash tenant Rooster & Rice, a chicken chain with six locations in the Bay Area.

Read more of this story at Slashdot.