Slashdot security articles


Wells Fargo Sued By 63-Year-Old Pastor They Wrongfully Accused of Forging Checks

Sun, 03/17/2019 - 23:34
Wells Fargo has been hit with a lawsuit from a 63-year-old pastor at the United Methodist Church of Parsippany. Wells Fargo sent his ATM photos to the police, which he says led to false arrest, malicious prosecution -- and humiliation. NJ.com reports: In the lawsuit filed Thursday in Morris County Superior Court, attorneys for the 63-year-old pastor sought unspecified damages against Wells Fargo, which has come under fire over a series of scandals in recent years. Also named were the State Police detectives who originally brought the charges against him last year after bank security officials allegedly mistakenly identified a photo of Edwards taken at an ATM machine as a suspect in a series of fraudulent check deposits.... In the lawsuit, Edwards' attorney wrote that Wells Fargo notified the State Police when it discovered the bogus transactions, and the bank was asked to provide any still photos or video images taken from the ATM at Parsippany where some of the checks were deposited and later cashed out. The bank sent photos of Edwards, who had made his own deposit of checks at the same ATM the very same day, according to the complaint... The pastor said he first discovered he was the focus of a criminal investigation last year after a parishioner texted him a State Police Facebook posting requesting the public's help identifying a man suspected of depositing fraudulent checks at an ATM... In an interview, Edwards said after seeing the post, he called the detectives and shared a copy of his banking transactions to show he had not deposited the fraudulent checks. "I thought it would clear things up," he said. "They said all their information was from Wells Fargo..." Last September, Edwards said he was asked to come down to the State Police station in Holmdel. After he got there, he said he was shocked to find out he was being arrested and charged with third degree forgery. 
When he protested and said somebody made an error, he said one of the investigators asked him if the case did go to trial, who would the jury believe -- a bank security expert or him? "They fingerprinted me. Took my mug shot and gave me a court date," he said. The case fell apart, but the 63-year-old pastor says he never received an apology from the police, or from Wells Fargo. "The carelessness of both Wells Fargo and the State Police is kind of appalling, and I wonder what happens to somebody who might not have the resources to defend themselves," the pastor told NJ.com. "I told them yes that was my picture and yes I was in the bank that day. That's all they needed to arrest me." A spokesman for Wells Fargo told the reporter they'd be unable to comment "since this is a pending legal matter." But the story was submitted to Slashdot by someone claiming to be pastor Jeff Edwards. "Wells Fargo carelessly provided ATM pictures [of] me to the state police in a fraudulent check investigation that led to my arrest," reads the original submission. "The case was dismissed when it was demonstrated that Wells Fargo had been grossly irresponsible."

BBC Visits 'Hated and Hunted' Ransomware Expert

Sun, 03/17/2019 - 19:34
In "Hated and hunted," a BBC reporter describes visiting a ransomware expert "who has devoted himself, at huge personal cost, to helping victims of ransomware around the world." They hate him so much that they leave him angry threats buried deep inside the code of their own viruses... "I was shocked but I also felt a real sense of pride," says Fabian. "Almost like, a little bit cocky. I'm not going to lie, yeah, it was nice...." He works remotely for a cyber security company, often sitting for hours at a time working with colleagues in different countries. When he's "in the zone", the outside world becomes even less important and his entire existence focuses on the code on his screen. He once woke up with keyboard imprints all over his face after falling asleep during a 35-hour session. All of this to create anti-ransomware programs that he and his company usually give away free. Victims simply download the tools he makes for each virus, follow the instructions and get their files back... According to research from Emsisoft, the cyber security company Fabian works for, a computer is attacked every two seconds. Their network has managed to prevent 2,584,105 infections in the past 60 days -- and that's just one anti-virus firm of dozens around the world.... "It's pretty much an arms race," says Fabian. "They release a new ransomware virus, I find a flaw in its code and build the decryption tool to reverse it so people can get their files back. Then the criminals release a new version which they hope I can't break... It escalates with them getting more and more angry with me...." Fabian accepts that moving around and restricting his life and circle of friends is just a part of the sacrifice for his hobby-turned-profession... He earns a very good salary but looking around his home and at his life it's hard to see how he spends it. 
He estimates that he's "upset or angered" 100 different ransomware gangs (based on his analysis of the Bitcoin wallets where they collect their ransoms). One group had collected about $250,000 (£191,000) in three months -- until Fabian created a countering anti-ransomware program -- which is one reason he carefully hides his identity. "I know how much money they make and it would be literally nothing for them to drop 10 or 20,000 for like some Russian dude to turn up to my house and beat the living hell out of me."

F5 Acquired NGINX For $670M

Sun, 03/17/2019 - 06:04
Long-time Slashdot reader skdffff quotes ZDNet: F5 Networks on Monday announced that it will acquire NGINX, which provides popular open-source software of the same name, for $670 million. The deal advances F5's aim of capitalizing on the trend toward multi-cloud deployments. F5 plans to enhance NGINX's current offerings with F5 security solutions and will integrate F5 cloud-native technology with NGINX's software load balancing technology. This should accelerate F5's time to market of application services for containerized applications. Meanwhile, NGINX will benefit from F5's global salesforce, channel infrastructure and partner ecosystem. The acquisition adds "the power of NGINX's open source innovation to F5's ADC leadership and enterprise reach," NGINX CEO Gus Robertson said in a statement.

19-Year-Old WinRAR Vulnerability Leads To Over 100 Malware Exploits

Sat, 03/16/2019 - 15:34
"Last month it was discovered that WinRAR, software used to open .zip archive files, has been vulnerable for the last 19 years to a bug that's easily exploited by hackers and malware distributors," writes SlashGear. Slashdot reader Iwastheone quotes their report: Check Point, the security researchers who revealed the WinRAR bug, explain that the software is exploited by giving malicious files a RAR extension, so that when opened they can automatically extract malware programs. These programs are installed in a PC's startup folder, allowing them to start running anytime the computer is turned on, all without the user's knowledge. Once the bug was disclosed, however, hacker groups really began using it to their advantage, with various nations becoming the target of state-backed cyber-espionage campaigns attempting to collect intelligence. The latest comes from McAfee, the software security firm, which notes that it has identified over 100 unique exploits that use the WinRAR bug, most of them targeting the U.S. WinRAR 5.70, released in late January, patches the behavior, but "it must be manually downloaded and installed from the website, leaving most users unaware of the critical update," the article warns. It also estimates that during the last 19 years WinRAR has been downloaded over 500 million times.

Is Amazon's AWS Approaching 'War' for Control of Elasticsearch?

Sat, 03/16/2019 - 09:34
Long-time Slashdot reader jasenj1 and Striek both shared news of a growing open source controversy. "Amazon Web Services on Monday announced that it's partnering with Netflix and Expedia to champion a new Open Distro for Elasticsearch due to concerns of proprietary code being mixed into the open source Elasticsearch project," reports Datanami. "Elastic, the company behind Elasticsearch, responded by accusing Amazon of copying code, inserting bugs into the community code, and engaging with the company under false pretenses..." In a blog post, Adrian Cockcroft, the vice president of cloud architecture strategy for AWS, says the new project is a "value added" distribution that's 100% open source, and that developers working on it will contribute any improvements or fixes back to the upstream Elasticsearch project. "The new advanced features of Open Distro for Elasticsearch are all Apache 2.0 licensed," Cockcroft writes. "With the first release, our goal is to address many critical features missing from open source Elasticsearch, such as security, event monitoring and alerting, and SQL support...." Cockcroft says there's no clear documentation in the Elasticsearch release notes over what's open source and what's proprietary. "Enterprise developers may inadvertently apply a fix or enhancement to the proprietary source code," he wrote. "This is hard to track and govern, could lead to breach of license, and could lead to immediate termination of rights (for both proprietary free and paid)." Elastic CEO Shay Banon responded Tuesday to AWS in a blog post, in which he leveled a variety of accusations at the cloud giant. "Our products were forked, redistributed and rebundled so many times I lost count," Banon wrote. "There was always a 'reason' [for the forks, redistributions, and rebundling], at times masked with fake altruism or benevolence. None of these have lasted. They were built to serve their own needs, drive confusion, and splinter the community." 
Elastic's commercial code may have provided an "inspiration" for others to follow, Banon wrote, but that inspiration didn't necessarily make for clean code. "It has been bluntly copied by various companies and even found its way back to certain distributions or forks, like the freshly minted Amazon one, sadly, painfully, with critical bugs," he wrote.

Linux Foundation Launches New Tools Supporting The Open Source Community

Sat, 03/16/2019 - 07:34
"The Linux Foundation is launching a new platform designed to sustain open-source communities," reports SD Times: CommunityBridge was announced at this week's Open Source Leadership Summit. The Linux Foundation plans to launch a number of tools to the open-source community throughout the next two years. The platform is currently being released with Community Bridge Funding to help developers raise and spend funding; CommunityBridge Security for potential vulnerabilities and fixes; and CommunityBridge People for networking and making connections with mentors and mentees. "In making the announcement, Jim Zemlin, executive director of the Linux Foundation, said on stage at the conference that the Linux Foundation would match funding for any organization that donated funds to CommunityBridge projects," reports FierceTelecom. "Following up on those announcements, Microsoft-owned GitHub said it would donate $100,000 to CommunityBridge and invited maintainers of CommunityBridge projects to take part in GitHub's maintainer program."

Stanford Unveils New AI Institute, Built To Create 'A Better Future For All Humanity'

Sat, 03/16/2019 - 05:00
An anonymous reader quotes a report from Mercury News: Amid a worldwide race for supremacy in artificial intelligence, Stanford University on Monday will unveil a new institute dedicated to using AI to build the best-possible future (Warning: source may be paywalled; alternative source). The Stanford Institute for Human-Centered Artificial Intelligence is co-directed by Fei-Fei Li, a former chief scientist for AI at Google, now a Stanford computer science professor. The institute will take advantage of Stanford's strength in a variety of disciplines, including AI, computer science, engineering, robotics, business, economics, genomics, law, literature, medicine, neuroscience and philosophy, according to promotional materials. Microsoft co-founder Bill Gates is scheduled to deliver the keynote speech at Monday's official launch. Stanford's AI institute will work in partnership with a number of other university facilities and initiatives, including the Center on AI Safety, the Center for Ethics in Society, the Center for International Security and Cooperation, and the Stanford Institute for Economic Policy Research, plus AI4ALL, which aims to boost diversity in AI fields. The 78 faculty members assigned to the institute reflect the diversity of fields the university intends to cover in its research and teaching, coming from disciplines including computer science, medicine, law, business, economics, environmental science, linguistics, political science and philosophy. Although the institute highlights the importance of AI being "broadly representative of humanity" across gender, ethnicity, nationality, culture and age, its faculty also reflect the gender gap in technology -- only 18 percent are women. About three quarters of the faculty are white. Courses will include "The Politics of Algorithms," "Theoretical Neuroscience," "AI-assisted Health Care" and "Regulating Artificial Intelligence."

Google Play Apps With 150 Million Installs Contain Aggressive Adware

Fri, 03/15/2019 - 14:50
Researchers from Checkpoint Software have identified a massive adware campaign that invaded the Google Play Store with more than 200 highly aggressive apps that were collectively downloaded almost 150 million times. "The 210 apps discovered by researchers from security firm Checkpoint Software bombarded users with ads, even when an app wasn't open," reports Ars Technica. "The apps also had the ability to carry out spearphishing attacks by causing a browser to open an attacker-chosen URL and open the apps for Google Play and third-party market 9Apps with a specific keyword search or a specific application's page. The apps reported to a command-and-control server to receive instructions on which commands to carry out." From the report: Once installed, the apps installed code that allowed them to perform actions as soon as the device finished booting or while the user was using the device. The apps also could remove their icon from the device launcher to make it harder for users to uninstall the nuisance apps. The apps all used a software development kit called RXDrioder, which Checkpoint researchers believe concealed its abusive capabilities from app developers. The researchers dubbed the campaign SimBad, because many of the participating apps are simulator games. "With the capabilities of showing out-of-scope ads, exposing the user to other applications, and opening a URL in a browser, SimBad acts now as an Adware, but already has the infrastructure to evolve into a much larger threat," Checkpoint researchers wrote. The top 14 apps were collectively downloaded a whopping 75 million times, with the No. 1 app receiving 10 million installs and the next 13 getting 5 million downloads each. The next 53 each received 1 million downloads. The remainder received 500,000 or fewer downloads each. Checkpoint has a full list of all the apps here.

The Intercept Shuts Down Access To Snowden Trove

Fri, 03/15/2019 - 13:30
An anonymous reader quotes a report from The Daily Beast: First Look Media announced Wednesday that it was shutting down access to whistleblower Edward Snowden's massive trove of leaked National Security Agency documents. Over the past several years, The Intercept, which is owned by First Look Media, has maintained a research team to handle the large number of documents provided by Snowden to Intercept journalists Laura Poitras and Glenn Greenwald. But in an email to staff Wednesday evening, First Look CEO Michael Bloom said that as other major news outlets had "ceased reporting on it years ago," The Intercept had decided to "focus on other editorial priorities" after expending five years combing through the archive. "The Intercept is proud of its reporting on the Snowden archive, and we are thankful to Laura Poitras and Glenn Greenwald for making it available to us," Bloom wrote. He added: "It is our hope that Glenn and Laura are able to find a new partner -- such as an academic institution or research facility -- that will continue to report on and publish the documents in the archive consistent with the public interest." Poitras reprimanded First Look Media for its decision to shut down its archives, and lay off 4 percent of its staff who had maintained them. "This decision and the way it was handled would be a disservice to our source, the risks we've all taken, and most importantly, to the public for whom Edward Snowden blew the whistle," she wrote. "Late Thursday evening, Greenwald tweeted that both he and Poitras had full copies of the archives, and had been searching for a partner to continue research," reports The Daily Beast.

Beto O'Rourke's Secret Membership in America's Oldest Hacking Group

Fri, 03/15/2019 - 08:50
One thing you might not know about Beto O'Rourke, the former Texas congressman who just entered the race for president: as a teenager, he belonged to the oldest group of computer hackers in U.S. history, O'Rourke acknowledged in an exclusive interview with Reuters. From the report: The hugely influential Cult of the Dead Cow, jokingly named after an abandoned Texas slaughterhouse, is notorious for releasing tools that allowed ordinary people to hack computers running Microsoft's Windows. It's also known for inventing the word "hacktivism" to describe human-rights-driven security work. Members of the group have protected O'Rourke's secret for decades, reluctant to compromise his political viability. Now, in a series of interviews, CDC members have acknowledged O'Rourke as one of their own. Slashdot interviewed members of the Cult of the Dead Cow in 1999 -- who gave bizarre answers.

A Worry For Some Pilots: Their Hands-On Flying Skills Are Lacking

Thu, 03/14/2019 - 10:48
An anonymous reader shares a report: Pilots now spend more time learning automated systems than practicing hands-on flying, so newer pilots are less comfortable with taking manual control when the computer steers them wrong, according to interviews with a dozen pilots and pilot instructors at major airlines and aviation universities around the world. "The automation in the aircraft, whether it's a Boeing or an Airbus, has lulled us into a sense of security and safety," said Kevin Hiatt, a former Delta Air Lines pilot who later ran flight safety for JetBlue. Pilots now rely on autopilot so often, "they become a systems operator rather than a stick-and-rudder pilot." As a result, he said, "they may not exactly know or recognize quickly enough what is happening to the aircraft, and by the time they figure it out, it may be too late." [...] While automation has contributed to the airline industry's stellar safety record in recent years, it has also been a factor in many of the crashes that have still occurred around the world. A 2011 study by a federal task force found that in about 60 percent of 46 recent accidents, pilots had trouble manually flying the plane or handling the automated controls. Complicated automation systems can also confuse pilots and potentially cause them to take action they shouldn't, pilots said.

DARPA Is Building a $10 Million, Open Source, Secure Voting System

Thu, 03/14/2019 - 10:02
samleecole writes: For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven't been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking. The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don't have to blindly trust that the machines and election officials delivered correct results.

Quantum Computer Not Ready To Break Public Key Encryption For At Least 10 Years, Some Experts Say

Thu, 03/14/2019 - 08:05
physburn writes: The Register has spoken to some experts to get a better understanding of the risk quantum computers present to the existing encryption systems we have today. Richard Evers, cryptographer for a Canadian security biz called Kryptera, argues that media coverage and corporate pronouncements about quantum computing have left people with the impression that current encryption algorithms will soon become obsolete. But they will not be ready for at least 10 years, he said. As an example, Evers points to remarks made by Arvind Krishna, director of IBM research, at The Churchill Club in San Francisco last May, that those interested in protecting data for at least ten years "should probably seriously consider whether they should start moving to alternate encryption techniques now." In a post Evers penned recently with his business partner Alastair Sweeny, he contends, "The hard truth is that widespread beliefs about security and encryption may prove to be based on fantasy rather than fact." And the reason for this, he suggests, is the desire for funding and fame.

Two-Thirds of Android Antivirus Apps Are Total BS

Wed, 03/13/2019 - 15:50
An anonymous reader quotes a report from Tom's Guide: Austrian antivirus-testing lab AV-Comparatives tested 250 antivirus apps in Google Play against 2,000 malware samples. They found that only 80 of the apps could stop even a minimal amount of malware. "Less than one in 10 of the apps tested defended against all 2,000 malicious apps, while over two-thirds failed to reach a block rate of even 30 percent," the lab said in a press release. To make sure you're protecting your Android device properly, stick to apps from well-known antivirus companies. Basically, AV-Comparatives said, most Android antivirus apps are phony, and many of them seemed to have been created only to display ads or promote a developer's career. "The main purpose of these apps seems to be generating easy revenue for their developers, rather than actually protecting their users," the AV-Comparatives report said.

America's Latest Effort To Thwart the Growth of China's Huawei is Playing Out Beneath the World's Oceans

Wed, 03/13/2019 - 09:50
A new front has opened in the battle between the U.S. and China over control of global networks that deliver the internet. This one is beneath the ocean. [Editor's note: the link may be paywalled; syndicated source.] From a report: While the U.S. wages a high-profile campaign to exclude China's Huawei from next-generation mobile networks over fears of espionage, the company is embedding itself into undersea cable networks that ferry nearly all of the world's internet data. About 380 active submarine cables -- bundles of fiber-optic lines that travel oceans on the seabed -- carry about 95% of intercontinental voice and data traffic, making them critical for the economies and national security of most countries. Current and former security officials in the U.S. and allied governments now worry that these cables are increasingly vulnerable to espionage or attack and say the involvement of Huawei potentially enhances China's capabilities. Huawei denies any threat. The U.S. hasn't publicly provided evidence of its claims that Huawei technology poses a cybersecurity risk. Its efforts to persuade other countries to sideline the company's communication technology have been met with skepticism by some. Huawei Marine Networks, majority owned by the Chinese telecom giant, completed a 3,750-mile cable between Brazil and Cameroon in September. It recently started work on a 7,500-mile cable connecting Europe, Asia and Africa and is finishing up links across the Gulf of California in Mexico. Altogether, the company has worked on some 90 projects to build or upgrade seabed fiber-optic links, gaining fast on the three U.S., European and Japanese firms that dominate the industry. These officials say the company's knowledge of and access to undersea cables could allow China to attach devices that divert or monitor data traffic -- or, in a conflict, to sever links to entire nations.

Tim Berners-Lee Talks About India's Recent Push To Data Localization, Proposed Compromise of End-to-End Encryption, and Frequent Internet Shutdowns

Wed, 03/13/2019 - 08:51
On the occasion of the web's 30th anniversary, its creator, Tim Berners-Lee, has given some interviews and shared his thoughts on some challenges that the web faces today. He spoke with Medianama, an Indian outlet, on some of the relatively unique challenges that the government over there has been pushing lately. Some of these challenges include the government's push to have Silicon Valley companies store data of Indians in India itself; a nudge to WhatsApp to put an end to its encryption (On a side note: The Australian government recently passed a law to do this exact thing); and frequent internet shutdowns in the nation. On data localisation and data as a national resource: That's one of the things that the Web Foundation has always been concerned about: the balkanisation of the Internet. If you want to balkanise it, that's a pretty darn effective way of doing it. If you say that Indian people's data can't be stored outside India, that means that when you start a social network which will be accessed by people all over the world, that means that you will have to start 152 different companies all over the world. It's a barrier to entry. Facebook can do that. Google can do that. When an Indian company does it, you'll end up with an Indian company that serves only Indian users. When people go abroad, they won't be able to keep track of their friends at home. The whole wonderful open web of knowledge, academic and political discussions would be divided into country groups and cultural groups, so there will be a massive loss of richness to the web.

Microsoft Brings DirectX 12 To Windows 7

Tue, 03/12/2019 - 16:50
Microsoft has announced a form of DirectX 12 that will support Windows 7. "Now before you get too excited, this is currently only enabled for World of Warcraft; and indeed it's not slated to be a general-purpose solution like DX12 on Win10," reports AnandTech. "Instead, Microsoft has stated that they are working with a few other developers to bring their DX12 games/backends to Windows 7 as well. As a consumer it's great to see them supporting their product ten years after it launched, but with the entire OS being put out to pasture in nine months, it seems like an odd time to be dedicating resources to bringing it new features." From the report: For some background, Microsoft's latest DirectX API was created to remove some of the CPU bottlenecks for gaming by allowing for developers to use low-level programming conventions to shift some of the pressure points away from the CPU. This was a response to single-threaded CPU performance plateauing, making complex graphical workloads increasingly CPU-bound. There are many advantages to using this API over traditional DX11, especially for threading and draw calls. But, Microsoft made the decision long ago to only support DirectX 12 on Windows 10, with its WDDM 2.0 driver stack. Today's announcement is a pretty big surprise on a number of levels. If Microsoft had wanted to back-port DX12 to Windows 7, you would have thought they'd have done it before Windows 7 entered its long-term servicing state. As it is, even free security patches for Windows 7 are set to end on January 14, 2020, which is well under a year away, and the company is actively trying to migrate users to Windows 10 to avoid having a huge swath of machines sitting in an unpatched state. In fact, they are about to add a pop-up notification to Windows 7 to let users know that they are running out of support very soon. 
So adding a big feature like DX12 now not only risks undermining their own efforts to migrate people away from Windows 7, but also means adding a new feature well after Windows 7 entered long-term support. It's just bizarre.

Chrome 73 Arrives With Support For Hardware Media Keys, PWAs and Dark Mode On Mac

Tue, 03/12/2019 - 16:10
An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 73 for Windows, Mac, and Linux. The release includes support for hardware media keys, PWAs and dark mode on Mac, and the usual slew of developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. Chrome 73 supports Progressive Web Apps (PWAs) on macOS. These apps install and behave like native apps (they don't show the address bar or tabs). Google killed off Chrome apps last year and has been focusing on PWAs ever since. Adding Mac support means Chrome now supports PWAs on all desktop and mobile platforms: Windows, Mac, Linux, Chrome OS, Android, and iOS. Chrome now also supports dark mode on Apple's macOS; dark mode for Windows is on the way, the team promises. The VentureBeat report includes a long list of developer features included in this release, as well as all the security fixes found by external researchers. Chrome 73 implements a total of 60 security fixes.

Researchers Find Critical Backdoor In Swiss Online Voting System

Tue, 03/12/2019 - 13:35
An international group of researchers who have been examining the source code for an internet voting system that Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection. New submitter eatmorekix shares a report: The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection. "The vulnerability is astonishing," said Matthew Green, who teaches cryptography at Johns Hopkins University and did not do the research but read the researchers' report. "In normal elections, there is no single person who could undetectably defraud the entire election. But in this system they built, there is a party who could do that." The researchers provided their findings last week to Swiss Post, the country's national postal service, which developed the system with the Barcelona-based company Scytl. In a statement that the researchers provided to Motherboard and that Swiss Post plans to publish online on Tuesday, Swiss Post said that the researchers were correct in their findings and that it had asked Scytl to fix the issue. It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post's secured IT infrastructure "as well as help from several insiders with specialist knowledge of Swiss Post or the cantons."