By msmash from Slashdot's security-woes department
Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.
While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.
By msmash from Slashdot's privacy-woes department
Eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera. From a news writeup: Researchers at security and data management company Wandera have uncovered a vulnerability affecting a number of e-ticketing systems that could allow third parties to view, and in some cases even change, a user's flight booking details, or print their boarding passes. The problem affects a number of major airlines including Southwest, Air France, KLM and Thomas Cook.
All of these have sent unencrypted check-in links to passengers. On clicking these links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make changes to their booking.
By msmash from Slashdot's security-woes department
Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.
In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
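The defensive counterpart to the dot-account trick is to canonicalize addresses before counting them, so that every dotted spelling of one Gmail mailbox lands in the same bucket. The example below is added here and is not code from Agari or ZDNet; the sample applications are constructed, and it goes slightly beyond the page by also folding case, dropping a "+label" suffix, and treating googlemail.com as gmail.com, all documented Gmail behaviour.

```python
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Canonical form in which Gmail dot/plus variants collide.

    Gmail ignores dots in the local part and treats anything after '+'
    as a label, and googlemail.com delivers to the same mailbox as
    gmail.com. Other domains are only lower-cased: dot-insensitivity is
    Gmail-specific, so stripping dots elsewhere would merge real users.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(applications):
    """Map each canonical mailbox to the application ids that used it."""
    groups = defaultdict(list)
    for app_id, address in applications:
        groups[canonical_email(address)].append(app_id)
    return dict(groups)


def flag_dotted_abuse(applications, threshold=3):
    """Mailboxes that filed >= threshold applications under varying spellings."""
    spellings = defaultdict(set)
    for _, address in applications:
        spellings[canonical_email(address)].add(address.strip())
    return {
        mailbox: {"applications": ids, "spellings": len(spellings[mailbox])}
        for mailbox, ids in group_by_mailbox(applications).items()
        if len(ids) >= threshold
    }


# Constructed sample applications (not data from the Agari report).
SAMPLE_APPLICATIONS = [
    ("app-001", "jane.doe@gmail.com"),
    ("app-002", "ja.ne.doe@gmail.com"),
    ("app-003", "J.A.N.E.D.O.E@googlemail.com"),
    ("app-004", "janedoe+bank4@gmail.com"),
    ("app-005", "john.smith@gmail.com"),
    ("app-006", "jane.doe@example.org"),   # non-Gmail: dots are significant
    ("app-007", "ja.ne.doe@example.org"),  # so this stays a separate user
]

if __name__ == "__main__":
    for mailbox, info in flag_dotted_abuse(SAMPLE_APPLICATIONS).items():
        print(mailbox, info)
```

Run against an intake log, the flagged entry is the single mailbox behind four differently spelled applications, while the two example.org addresses remain distinct.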
By BeauHD from Slashdot's money-talks department
An anonymous reader quotes a report from CNET: Former FCC Commissioner Mignon Clyburn is working to help T-Mobile and Sprint get their $26 billion merger approved by regulators. Clyburn, a Democrat, confirmed she's working as a paid consultant to the carriers to advise them on their impending merger. The news of her involvement was first reported by Politico on Monday. The companies, whose merger was announced in April last year, need approval from the Federal Communications Commission and the US Department of Justice. "Affordable broadband access is a critical priority particularly for those Americans who are underserved or currently have no viable options at all," she said in an interview with CNET. "I am advising T-Mobile and Sprint as they seek to accelerate the creation of an inclusive nationwide 5G network on how best to build a bridge across the digital divide that currently exists in our country."
Clyburn's involvement in advising the merger is interesting because she was part of the majority on the FCC in 2011 that rejected the merger between AT&T and T-Mobile, concluding that a reduction in the number of national carriers would harm consumers. When the idea of a merger between T-Mobile and Sprint was first floated in 2014, the Democratic-controlled FCC also signaled it wouldn't approve the deal for the same reason. [...] Executives for the companies say they will not raise rates on consumers. In a letter to the FCC on Monday, T-Mobile CEO John Legere made a personal pledge to regulators that the "New T-Mobile" would not raise prices on its service following the merger. Doing so, he said, would erode the relationship with T-Mobile customers.
By BeauHD from Slashdot's new-and-improved department
Scientists at Hokkaido University have found a way to create materials that actually get stronger the more you use them. "By mimicking the mechanism that allows living muscles to grow and strengthen after exercise, the team led by Jian Ping Gong developed a polymer that breaks down under mechanical stress, then regrows itself into a stronger configuration by feeding off a nutrient bath," reports New Atlas. From the report: To achieve this, the Hokkaido team used what is called double-network hydrogels. Like other hydrogels, these are polymers that are 85 percent water by weight, but in this case, the material consists of both a rigid, brittle polymer and a soft, stretchable one. In this way, the finished product is both soft and tough. However, the clever bit is that under laboratory conditions the hydrogel was immersed in a bath of monomers, which are the individual molecular links that make up a polymer. These serve the same function in the muscle-mimicking material as amino acids do in living tissue.
According to the team, when the hydrogel is stretched, some of the brittle polymer chains break, creating a chemical species called "mechanoradicals" at the end of the broken polymer chains. These are very reactive and quickly join up with the floating monomers to form a new, stronger polymer chain. Under testing, the hydrogel acted much like muscles under strength training. It became 1.5 times stronger, 23 times stiffer, and increased in weight by 86 percent. It was even possible to control the properties of the material by using heat-sensitive monomers and applying high temperatures to make it more water resistant. Gong says this approach could lead to materials suitable for a variety of applications, such as in flexible exosuits for patients with skeletal injuries that become stronger with use. The study has been published in the journal Science. For those interested, the researchers have published a video discussing the new hydrogel material.
By BeauHD from Slashdot's push-it-to-the-limit department
Researchers at the Allen Institute for AI (Ai2) believe that Pictionary could push machine intelligence beyond its current limits. To that end, they have devised an online version of the game that pairs a human player with an AI program. MIT Technology Review reports: In case you've never played it before, Pictionary involves trying to draw an image that conveys a written word or phrase for your teammates to guess. This tests a person's drawing skills but also the ability to convey complex meaning using simple concepts. Given the phrase "wedding ring," for example, a player might try to draw the object itself but also a bride and groom or a wedding ceremony.
That makes it the perfect vehicle to help teach machines. The team developed an online version of the game, called Iconary, that pairs a user with an AI bot called AllenAI. Both take turns as the artist and the guesser. Playing as artist, a user is given a phrase and then has to sketch things to convey it. The sketches are first turned into clip-art icons using computer vision; then the computer program tries to guess the phrase using a database of words and concepts and the relationship between them. If the program gets only part of the phrase, it will ask for another image to clarify. The AI program uses a combination of AI techniques to draw and guess. Over time, by playing against enough people, AllenAI should learn from their common-sense understanding of how concepts (like "books" and "pages") go together in everyday life, Farhadi says. It will also help the researchers explore ways for humans and machines to communicate and collaborate more effectively.
By BeauHD from Slashdot's rest-in-peace department
An anonymous reader quotes a report from NBC New York: Colin Kroll, the co-founder of HQ Trivia and Vine, died of an accidental overdose, the city's medical examiner announced Tuesday. According to the autopsy results, Kroll died of "acute intoxication due to the combined effects of fentanyl, fluoroisobutyryl fentanyl, heroin, and cocaine." Kroll, 34, was found dead in his SoHo, Manhattan, apartment on Dec. 16, 2018. Police responded to a 911 call for a welfare check at the Spring Street apartment where they found Kroll unconscious and unresponsive in a bedroom of the apartment, a New York Police Department spokesman previously told NBC News. Kroll was named the chief executive of HQ Trivia, a phone-based trivia platform, in September. Prior to that, Kroll co-founded Vine, the popular short-form video service acquired in 2012 by Twitter. Vine was discontinued four years later.
By BeauHD from Slashdot's under-pressure department
slack_justyb shares a report from Ars Technica: The House Commerce Committee is "reassuming its traditional role of oversight to ensure the agency is acting in the best interest of the public and consistent with its legislative authority," Commerce Committee Chairman Frank Pallone, Jr. (D-N.J.) and Communications and Technology Subcommittee Chairman Mike Doyle (D-Penn.) said in an announcement yesterday. Pallone, Jr. and Doyle wrote a letter to Pai, saying that he has made the FCC too secretive and has repeatedly advanced the interests of corporations over consumers. They wrote: "Not only have you failed on numerous occasions to provide Democratic members of this committee with responses to their inquiries, you have also repeatedly denied or delayed responding to legitimate information requests from the public about agency operations. These actions have denied the public of a full and fair understanding of how the FCC under your leadership has arrived at public policy decisions that impact Americans every day in communities across the country. Under your leadership, the FCC has failed repeatedly to act in the public interest and placed the interest of corporations over consumers. The FCC should be working to advance the goals of public safety, consumer protection, affordable access, and connectivity across the United States. To that end, it is incumbent upon the Committee's leadership and its members to oversee the activities of the FCC."
On Thursday this week, the Communications Subcommittee will hold a hearing about the impact of Pai's net neutrality repeal on consumers, small businesses, and free speech. Witnesses who have been invited to testify at the hearing include former FCC Chairman Tom Wheeler, cable industry chief lobbyist Michael Powell (who is also a former FCC chairman), and representatives of Mozilla, Free Press, and Eastern Oregon Telecom.
By BeauHD from Slashdot's it's-about-time department
Amazon has for the first time acknowledged sales of counterfeits and pirated items as a risk in its annual earnings report to investors and the U.S. SEC. "Some third-party sellers have been using the reach of Amazon's marketplace as an opportunity to sell counterfeit and pirated items," reports Quartz. "The pressure on the company has been growing as brands such as Birkenstock and Mercedes Benz have lambasted it for not being able to control the problem." From the report: Under the section of "risk factors" to the business, Amazon says it "could be liable" for the activities of its sellers, and explains: "Under our seller programs, we may be unable to prevent sellers from collecting payments, fraudulently or otherwise, when buyers never receive the products they ordered or when the products received are materially different from the sellers' descriptions. We also may be unable to prevent sellers in our stores or through other stores from selling unlawful, counterfeit, pirated, or stolen goods, selling goods in an unlawful or unethical manner, violating the proprietary rights of others, or otherwise violating our policies. Under our A2Z Guarantee, we reimburse buyers for payments up to certain limits in these situations, and as our third-party seller sales grow, the cost of this program will increase and could negatively affect our operating results. In addition, to the extent any of this occurs, it could harm our business or damage our reputation and we could face civil or criminal liability for unlawful activities by our sellers."
By BeauHD from Slashdot's sneaky-bastard department
An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.
Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank. The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.
By msmash from Slashdot's how-about-that department
You have read about bots that fight parking tickets. But what about all those flights that get delayed, canceled or overbooked? Could a bot look into that? From a report: AirHelp, a Europe-based company that assists people in pursuing such claims, today announced two new bots to further automate its operations and sift through the monumental number of requests it receives. AirHelp provides a free website people can use to determine if they are eligible for a refund from their airline. Founded in 2013 as a Y Combinator-backed startup, AirHelp claims to have aided more than 7 million people in processing airline compensation worth almost $930 million in total. The company, which operates in 30 countries, including the U.S., only takes a cut when a customer has been successfully reimbursed by the airline.
Naturally, it receives a high volume of claims. To sift through these, in 2016 it began working on bots to automate parts of its screening and analysis. The company launched two bots -- Herman and Lara -- and today it is adding AgA and Docky to the mix. AgA (short for Agent's Assistant) and Docky will help the company with customer service and automatic assessment of claims. AirHelp says it has been testing these bots internally since last year and that they have already assessed 30 percent of claims it receives with 95 percent accuracy. [...] AirHelp's new bots would complement Herman, which mimics the work of a legal agent and looks after 100 percent of cases requiring legal actions, and Lara, which assesses 60 percent of all cases that get past Herman's virtual desk.