Researchers uncover 125 vulnerabilities across 13 routers and NAS devices

Found on Help Net Security on Tuesday, 17 September 2019

In a cybersecurity study of network attached storage (NAS) systems and routers, Independent Security Evaluators (ISE) found 125 vulnerabilities in 13 IoT devices, reaffirming an industrywide problem of a lack of basic security diligence.

In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.

This will only change if manufacturers can be held responsible for neglecting security. Bugs can happen, but when 12 out of 13 are exploitable by default, something is wrong.

123-Reg and NamesCo decided to register millions of .uk domains for customers without asking

Found on The Register on Monday, 16 September 2019

It wasn’t just 123-Reg either, another big registrar, NamesCo was doing the exact same thing: sending invoices to customers for names they had never requested.

These are just some of the thousands of UK domain holders who will soon be charged tens of millions of pounds for domain names they never ordered and in many cases do not want.

Nominet pushed for the creation of new .uk domains over two years ago, despite strong objections from the internet community. It stands to make tens of millions of pounds a year from the scheme.

So, in essence, it's a scam. You do not pay for a product you never ordered. Courts should clean up this mess very quickly.

281 Alleged Email Scammers Arrested in Massive Global Sweep

Found on Wired on Wednesday, 11 September 2019

The action is the biggest of its kind yet against this type of digital scammer, and is a strong symbol of law enforcement's sense of urgency in trying to contain a rapidly growing threat.

"Will it make a dent? It's really hard to say," says Crane Hassold, senior director of threat research at Agari who previously worked as a digital behavior analyst for the FBI, of the arrests. "There are so many actors doing BEC and other types of social engineering scams—there could be thousands, especially in West Africa—that it's going to be difficult to make a significant impact overall."

Better than nothing. Hopefully those 281 will end up in jail for a long time.

Google has secret webpages that feed your personal data to advertisers, report says

Found on CNet News on Wednesday, 04 September 2019

The company allegedly relays this information to advertisers using hidden webpages, allowing it to circumvent EU privacy regulations.

Ryan reportedly said he discovered that Google used a tracker containing web browsing information, location and other data and sent it to ad companies via webpages that "showed no content," according to FT.

The Data Protection Commission began an investigation into Google's practices in May after it received a complaint from Brave that Google was allegedly violating the EU's General Data Protection Regulation.

The more Google can tell advertisers about users, the higher the reward. True or not, it is important that someone takes a good look into it.

YouTube algorithms mistake sparring robots for animal cruelty

Found on The Register on Monday, 26 August 2019

Under YouTube’s community guidelines, content that shows “unnecessary suffering or harm deliberately causing an animal distress,” or scenes where “animals are encouraged or coerced to fight by humans,” are not allowed on the video-sharing platform.

Engineers participating in Battlebots, a robot-fighting American TV show, had their videos removed. Some of the titles of their videos did contain names of animals, they noted.

Let AI do the job. AI is great and never makes mistakes. Welcome our new overlord.

Amazon Has Ceded Control of Its Site

Found on Slashdot on Friday, 23 August 2019

Amazon has increasingly evolved like a flea market. It exercises limited oversight over items listed by millions of third-party sellers, many of them anonymous, many in China, some offering scant information.

The Journal commissioned tests of 10 children's products it bought on Amazon, many promoted as "Amazon's Choice." Four failed tests based on federal safety standards, according to the testing company, including one with lead levels that exceeded federal limits. Of the 4,152 products the Journal identified, 46% were listed as shipping from Amazon warehouses.

Amazon had lost it long ago. The shop has turned into a useless mess and with a lack of consistent and available filtering options it is pointless to try and order something there.

Gmail in G Suite now uses AI for inline spelling and grammar suggestions

Found on Venturebeat on Thursday, 22 August 2019

Starting August 20 for rapid release domains and September 12 for scheduled release domains across all G Suite editions, Google will begin applying AI to make real-time spell-check suggestions while detecting potential grammar issues.

Grammar suggestions built on Smart Reply, a machine learning-powered feature that uses AI to generate brief, contextually relevant responses to incoming messages.

Another way to look at it is that it makes people dumber because you only need to somehow get your idea across well enough for the AI to do the fine polish.

Google wants to reduce lifespan for HTTPS certificates to one year

Found on ZD Net on Tuesday, 20 August 2019

No vote was held on the proposal; however, most browser vendors expressed their support for the new SSL certificate lifespan.

On the other side, certificate authorities were not too happy, to say the least. In the last decade and a half, browser makers have chipped away at the lifespan of SSL certificates, cutting it down from eight years to five, then to three, and then to two.

"If the CAs vote this measure down, there's a chance the browsers could act unilaterally and just force the change anyway," HashedOut said. "That's not without precedent, but it's also never happened on an issue that is traditionally as collegial as this."

Google is trying to grab too much. Browsers don't have any reason to meddle with the systems behind TLS/SSL. It's the job of the CA to take care of that, and the customer should always have the last word. If someone wants a 5 year TLS certificate, why not? Don't even think about LE; it's not the perfect solution for every case.

With Tumblr Sale, Verizon Continues To Stumble In Bungled Pivot Away From Telecom

Found on Techdirt on Thursday, 15 August 2019

By late last year Verizon was forced to acknowledge that its Oath entity was effectively worthless. And this week, Verizon issued a statement saying that it would be selling Tumblr to WordPress owner Automattic after a rocky ownership stretch.

Companies like Verizon are good at two things: running networks, and lobbying government to hamstring broadband competition. Every time Verizon has tried to stumble outside of its core competencies (whether it's running its own app store, its VCast apps, or the Go90 fracas), Verizon has fallen flat on its face, because as a government-pampered telecom monopoly, innovation, disruption, and pleasing customers are alien phrenology.

Maybe Verizon should show some interest in Facebook...

Verizon selling Tumblr to WordPress.com owner

Found on Ars Technica on Monday, 12 August 2019

Terms of the deal were not disclosed, but an Axios article said the sale price is "well below" $20 million.

Yahoo bought Tumblr for $1.1 billion in 2013. Verizon bought Yahoo's operating business, including Tumblr, for $4.48 billion in June 2017.

"Mr. Mullenweg said his company intends to maintain the existing policy that bans adult content," today's Journal article said. "He said he has long been a Tumblr user and sees the site as complementary to WordPress.com."

That's one way to burn money. After the adult ban, it was pretty obvious to everybody that the site would vanish.