Security

Snapchat Employee Data Leaked Following Phishing Scam (techcrunch.com) 48

An anonymous reader writes: Snapchat suffered a huge data breach over the weekend after an employee fell victim to a phishing email scam which impersonated co-founder and CEO Evan Spiegel requesting payroll information. While the video messaging app's servers were unaffected and user data remained completely safe, both former and current employees were informed that some of their sensitive information had been leaked. Snapchat immediately reported the incident to the FBI and has offered affected staff two years of free identity theft insurance and monitoring. Snapchat admitted that it felt 'real remorse and embarrassment' that one of its employees had fallen for the attack, particularly as it takes privacy and security so seriously.
Education

Raspberry Pi 3 Rolls Out With Faster CPU, On-Board Wi-Fi, and Bluetooth 203

An anonymous reader writes: The original Raspberry Pi went on sale four years ago, and more than 8,000,000 units have shipped since then. Raspberry Pi computers are used in schools and universities, in factories and other industrial applications, in home automation and hobby projects, and much more. Today the Raspberry Pi 3 was announced, featuring a 64-bit quad-core ARMv8 CPU clocked at 1.2GHz, making it roughly 10x the speed of the original Pi 1. Many people will be pleased to hear that the Raspberry Pi 3 also features on-board Wi-Fi and Bluetooth, greatly improving the device's connectivity. The new device goes on sale today at the usual price of US $35. (Here's the official announcement itself.)
Privacy

IoT Devices Are Secretly Phoning Home (thenewstack.io) 196

An anonymous reader writes: A popular internet-enabled security camera "secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware," according to security blogger Brian Krebs. While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it's still extremely hard to turn off. Krebs notes that the same behavior has been detected in DVRs and smart plugs -- they're secretly connecting to the same IP address in China, apparently without any mention of this in the product's packaging. One security researcher told Krebs the behavior is an "insanely bad idea," and that it opens an attack vector into home networks.
Security

John McAfee: NSA's Back Door Has Given Every US Secret To Enemies (businessinsider.com) 186

John McAfee, American computer programmer and contributing editor of Business Insider, explains how the NSA's back door has given every U.S. secret to its enemies. He begins by mentioning the importance of software, specifically meta-software, which contains a high level set of principles designed to help a nation survive in a cyberwar. Such software must not contain any back doors under any circumstances, otherwise it can and may very likely allow perceived enemies of the U.S. to have access to top-secret information. For example, the Chinese used the NSA's back door to hack the Defense Department last year and steal 5.6 million fingerprints of critical personnel. "Whatever gains the NSA has made through the use of their back door, it cannot possibly counterbalance the harm done to our nation by everyone else's use of that same back door." McAfee believes the U.S. has failed to grasp the subtle implications of technology and, as a result, is 20 years behind the Chinese, and by association, the Russians as well.
Privacy

Tackling The Future Of Digital Trust -- While It Still Exists (ieee.org) 40

Tekla Perry writes: Last week at Berkeley's Center for Long-Term Cybersecurity, cybersecurity mavens from the industry, academia, government, and media considered a futuristic scenario in which traditional forms of identification and databases that use them -- drivers licenses, voting records, social security numbers, medical records, and bank accounts -- had been compromised. The challenge was to use the scenario to figure out how to establish a new means of verifying one's identity and to rebuild trust in the electronic records system in the case of such an imaginary crisis. Furthermore, they were then challenged to take the conclusions and develop policies that could prevent such a massive breach of digital trust from ever happening in the first place.
Security

Cloud Security Startup ProtectWise Creates Network DVR To Analyze Threats (hothardware.com) 41

MojoKid writes: A Denver-based security startup called ProtectWise has a rather interesting twist on a security as a service platform that also incorporates an innovative threat detection and management user interface. The ProtectWise security platform runs on a cloud-based infrastructure that currently utilizes Amazon AWS for storage and processing. ProtectWise is an all software solution comprised of a "Cloud Network DVR" platform made up of virtual cameras in the cloud that record all traffic on the network. The sensors (12MB install package) record all network traffic wherever they're installed and stream it up to the ProtectWise platform where it is securely stored and the threat analysis is performed. The sensors can be configured with profiles to capture just light metadata like netflow or headers (source, destination etc.) all the way to the full payload. You can then play back the traffic from the ProtectWise cloud analytics platform, going months back if needed, and analyze the data for threats. You can go back in time and see if, where and how you've been compromised retrospectively. There's also a ProtectWise HUD that visualizes and renders network threat location and progression, allowing you to make better use of all the data recorded. It has a 'KillBox' that visually shows attack event progression across the network area. The only question has to do with compliance for financial applications since it is cloud-based. Currently, ProtectWise has 100 or so deployments of its product in the market with customers like Netflix, Hulu, Expedia, Pandora and Universal Music.
Google

Mozilla Breaks Its Own Promise, Allows Symantec To Issue Insecure Certificates (softpedia.com) 86

An anonymous reader writes: After researchers discovered that SHA-1 can be decrypted, Mozilla, together with Microsoft and Google, said they will no longer "trust" SHA-1-based certificates issued after January 1, 2016, and later stop supporting any type of SHA-1 certificates after June 30, 2016, or January 1, 2017. The foundation went back on its word this week, when Symantec begged Mozilla to allow it to issue nine new certificates for one of its clients, Worldpay PLC, which forgot to request these certificates before January 1. Symantec got what it wanted. Fortunately, other companies like Microsoft, Apple, or Google didn't cave under the pressure.
Encryption

Next-Gen Ultra HD Blu-Ray Discs Probably Won't Be Cracked For A While (arstechnica.co.uk) 244

DVDFab, a software tool for ripping and decrypting DVDs and Blu-ray discs, will not be upgraded to support newer Ultra HD (4K) Blu-ray discs. Fengtao Software, which makes DVDFab, said in a statement that it "will not decrypt or circumvent AACS 2.0 in the days to come. This is in accordance with AACS-LA, (which has not made public the specifications for AACS 2.0), the Blu-ray Disc Association and the movie studios." AACS-LA is the body that develops and licenses the Blu-ray DRM system. AACS 2.0 has a 'basic' version that sounds quite similar to existing AACS, but also an 'enhanced' version of DRM that requires the playback device to download the decryption key from the internet. There might still be a hole in the AACS 2.0 crypto scheme that allows for UHD discs to be ripped, but presumably it'll be a lot tougher than its predecessors.
Education

Raspberry Pi 3 Brings Wi-Fi and Bluetooth (i-programmer.info) 97

mikejuk writes: Details of the next in the family of the successful Raspberry Pi family have become available as part of FCC testing documents. The Pi 3 finally includes WiFi and Bluetooth/LE. Comparing the board with the Pi 2 it is clear that most of the electronics has stayed the same. A Raspberry Pi with built in WiFi and Bluetooth puts it directly in competition with the new Linux based Arduinos, Intel's Edison and its derivatives, and with the ESP8266 — a very low cost (about $2) but not well known WiFi board. And of course, it will be in competition with its own stablemates. If the Pi 3 is only a few dollars more than the Pi 2 then it will be the obvious first choice. This would effectively make the Pi Zero, at $5 with no networking, king of the low end and the Pi 3 the choice at the other end of the spectrum. Let's hope they make more than one or two before the launch because the $5 Pi Zero is still out of stock most places three months after being announced and it is annoying a lot of potential users.
Bug

Ubuntu 15.10 Kernel Regression That Broke Graphics Displays In VMWare Patched 76

prisoninmate writes: On Monday, February 22, 2016, Softpedia reported on the availability of new kernel updates for several of Canonical's supported Ubuntu Linux operating systems, including Ubuntu 15.10, for which five kernel vulnerabilities have been patched at that point in time. And from the looks of it, the respective kernel updates introduced a regression, which Canonical patched four days later, on February 26, 2016, saying that the issue was introduced along with the fixed vulnerabilities for Ubuntu 15.10 (Wily Werewolf) and it broke graphics displays for those running the OS in VMWare VMs.
Government

Former Disney IT Worker's Complaint To Congress: How Can You Allow This? (computerworld.com) 605

dcblogs writes: At a congressional hearing Thursday on the H-1B visa's impact on high-skilled workers, the first person to testify was Leo Perrero, a former Disney IT worker. He was overcome with emotion for parts of it, pausing to gather himself as he told the story of how he was replaced by a foreign visa holder. Perrero wondered how he would tell his family that "I would soon be living on unemployment." He paused. The hearing room was still as the audience waited for him to continue. "Later that same day I remember very clearly going to the local church pumpkin sale and having to tell the kids that we could not buy any because my job was going over to a foreign worker," he said. But a person who made a case for access to foreign workers was Mark O'Neill, the CTO of Jackthreads, an online retailer. He argued that there is a need for more skilled workers. Competition is so fierce for developers "that my developers' starting salaries have risen by 50% in the last eight years," said O'Neill, and "senior positions command compensation that meets or exceeds even that of United States Senators."
Security

Norway Becomes First NATO Country To Accuse China of Stealing Military Secrets (softpedia.com) 120

An anonymous reader writes: A high-ranking general in the Norwegian Army and head of the Norwegian Intelligence Service E-tjenesten (Etterretningstjenesten) has made official statements accusing the Chinese government of launching cyber-attacks against his country. Gen. Lunde says that state-sponsored hacking groups have targeted many Norwegian companies during the past year. He says that these companies are suppliers and collaborators of the Norwegian army and that hackers have stolen information considered to be state military secrets. The statements were made to Norwegian TV station TV2 by General Lt. Morten Haga Lunde, who was detailing his agency's most recent intelligence report.
Security

90% of All SSL VPNs Use Insecure Or Outdated Encryption 67

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.
China

Apple Is Not Such a Freedom Fighter In China (latimes.com) 238

mi writes: Though loudly resisting the American government's attempts to make it help break into the phone of a dead scumbag, Apple is very accommodating of the Chinese government's attempts to keep tabs on the citizenry's communications. Apple has censored apps that wouldn't pass muster with the Chinese government, moved local user data onto servers operated by the state-owned China Telecom, and submitted to Chinese audits. According to James Lewis, senior fellow at the Center for Strategic and International Studies in Washington, "I can't imagine the Chinese would tolerate end-to-end encryption or a refusal to cooperate with their police, particularly in a terrorism case." Why the accommodation there?
Cloud

Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com) 116

An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that there are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.
Security

Obama Administration Set To Expand Sharing of Data That NSA Intercepts (nytimes.com) 103

schwit1 writes: The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations.

The idea is to let more experts across American intelligence gain direct access to unprocessed information, increasing the chances that they will recognize any possible nuggets of value. That also means more officials will be looking at private messages - not only foreigners' phone calls and emails that have not yet had irrelevant personal information screened out, but also communications to, from, or about Americans that the NSA's foreign intelligence programs swept in incidentally.

Civil liberties advocates criticized the change, arguing that it will weaken privacy protections. They said the government should disclose how much American content the NSA collects incidentally - which agency officials have said is hard to measure - and let the public debate what the rules should be for handling that information.

Encryption

Google, Microsoft, Facebook, Twitter To Back Apple With Legal Filing In FBI Case (recode.net) 129

An anonymous reader writes: Google plans to follow Microsoft in throwing its legal support behind Apple in its increasingly contentious dispute with the federal government around the iPhone connected with the San Bernardino terror attacks, according to sources.

At a congressional hearing on Thursday, Microsoft's legal chief, Brad Smith, said that the company plans to file an amicus brief next week in support of Apple's resistance to helping the FBI hack the phone. Google will deliver its own supporting brief 'soon,' according to sources familiar with the company.

Security

ISIS Makes Direct Threats Against Mark Zuckerberg and Jack Dorsey (cnet.com) 305

wjcofkc writes: A group of ISIS supporters have threatened to take down Facebook and Twitter, as well as their leaders. In a 25-minute propaganda video released by a group calling itself "the sons of the Caliphate army," photographs of both technology leaders are riddled with bullets. The video was first spotted by Vocativ. The threats are being made over the two companies' efforts to seek out and remove terrorist-related content on their respective platforms. The group is quoted as saying, "If you close one account, we will take 10 in return and soon your names will be erased after we delete your sites, Allah willing, and will know that we say is true."
Google

Google Is Lighting Up Dark Fiber All Over the Country (vice.com) 124

sarahnaomi writes: For years, San Francisco has had a robust fiber optic infrastructure laying dormant underneath its streets. Google announced Wednesday that it's going to start lighting some of those cables up. Welcome to the future of broadband in major cities. Most people don't know that many cities throughout the United States are already wired with "dark fiber": infrastructure that, for a variety of reasons, is never used to provide gigabit connections to actual residents. This fiber is often laid by companies you rarely hear about, like Zayo and Level 3, which lay fiber infrastructure in hopes the city, a provider like Google, or a corporate customer (like an office building) will eventually make use of it.
Communications

Carnegie Mellon University Attacked Tor, Was Subpoenaed By Feds (vice.com) 56

AmiMoJo writes: Back in November 2015 it was speculated that Carnegie Mellon University (CMU) helped the FBI attack the TOR network. Now, both the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases: "The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU") [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense ("DOD")," an order filed on Tuesday in the case of Brian Farrell reads. Between January and July 2014, a large number of malicious nodes operated on the Tor network, with the purpose, according to the Tor Project, of deanonymising dark web sites and their users. The attack relied on a set of vulnerabilities in the Tor software—which have since been patched—and according to one source, the technique could unmask new hidden services within two weeks.
Security

Keylogger Authors Manage To Infect Themselves 16 Different Times 33

An anonymous reader writes: Last summer someone created and dumped the source code of a keylogger called KeyBase. Since then, hackers have been churning out their own versions, but as you'd expect, skids would play with it too. Palo Alto researchers found the (unprotected) Web panels of some of these keyloggers, and discovered screenshots of the hackers' computers. Some of them even had dating pics.
Security

Patient Monitors Altered, Drug Dispensary Popped In Colossal Hospital Hack Test (theregister.co.uk) 75

It's not just hospital networks that are in danger; mask.of.sanity writes with this story at The Register: Security researchers have exploited notoriously porous hospital networks to gain access to, and tamper with, critical medical equipment in attacks they say could put lives in danger. In tests, hospital hackers from the Independent Security Evaluators research team popped patient monitors, making them display false readings which could result in medical responses that injure or kill patients. Full paper here.
Education

Chicago Public Schools Make Computer Science a Requirement For a HS Diploma 209

theodp writes: Less than 48 hours after the Chicago Public Schools hosted a three-hour "soiree" at Google's brand-new Chicago HQ, the CPS Board of Education voted unanimously to make computer science a graduation requirement for all high school students in the nation's third largest school district. Starting with next school year's freshman class, CPS students will be required to complete curriculum around computer science before graduating. "Requiring computer science as a core requirement will ensure that our graduates are proficient in the language of the 21st century so that they can compete for the jobs of the future," said Chicago Mayor Rahm Emanuel. CPS is working with tech bankrolled and led Code.org and other organizations to further develop a CS education curriculum to implement across all its high schools. Nationwide, President Obama has a $4B proposal on the table to bring CS education to all K-12 schools across the nation, which is also spurring action at the state level. Officials from Code.org, Microsoft and Google joined Arkansas Gov. Asa Hutchinson and Washington Gov. Jay Inslee at the National Governors Association winter meeting in Washington D.C. on Sunday to kick off a new partnership aimed at promoting CS. The new GovsForCS website notes that the Governors will be relying on Code.org for advice, explaining that the nonprofit "will provide the Partnership with resources related to best practices in policy and programs, and will facilitate collaboration among Governors and their staff, in person and virtually."
Security

Google Releases Project Shield To Fight Against DDoS Attacks (thestack.com) 72

An anonymous reader writes: Google has launched a free tool to help all media sites and other organisations protect themselves against Distributed Denial of Service (DDoS) attacks. The Project Shield initiative allows websites to redirect traffic through Google's existing infrastructure, in order to keep their content online in the face of such attacks. Google will aim to work with smaller sites which do not necessarily have the money or are not fully equipped with strong enough infrastructure to the attacks. However, the Shield tool has also been made available to larger outlets, such as popular news sites and human rights platforms.
Cellphones

Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com) 405

An anonymous reader writes with this story at the New York Times: Apple engineers have already begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts. If Apple succeeds in upgrading its security — and experts say it almost surely will — the company would create a significant technical challenge for law enforcement agencies, even if the Obama administration wins its fight over access to data stored on an iPhone used by one of the killers in last year's San Bernardino, Calif., rampage. The F.B.I. would then have to find another way to defeat Apple security, setting up a new cycle of court fights and, yet again, more technical fixes by Apple.
Transportation

Nissan Leaf HVAC-Hack Vulnerability Disclosed (bbc.com) 116

GWBasic writes: Some of Nissan's Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to [Troy Hunt,] a prominent security researcher. .... Mr Hunt said the root of the problem was that the firm's NissanConnect app needed only a car's vehicle identification number (VIN) to take control. That means that pranksters could pretty easily run down a Leaf's battery via Nissan's app just by cycling through VIN numbers, which, the article points out, typically vary only in the last few digits for same-region Leafs, and for an electric car that's a big deal -- you can't just get a quick jump and be on your way. For now, Hunt says, the only thing owners can do is disable the remote-control feature completely.
Government

FTC Forces Asus To Improve Router Security (helpnetsecurity.com) 74

An anonymous reader writes: The FTC is actively trying to make sure that companies secure the software and devices that they provide to consumers, and a settlement with Taiwan-based hardware maker ASUSTeK Computer is one step towards that goal. The complaint was raised after well-meaning hackers exploited a weakness on Asus routers and left a note on victims' drives notifying them of the matter. Later, a researcher discovered an exploit campaign that abused vulnerabilities to change vulnerable routers' DNS servers. According to the settlement, the company will have to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.
Privacy

Baidu Browser Acts Like a Mildly Tempered Infostealer Virus 97

An anonymous reader writes: The Baidu Web browser for Windows and Android exhibits behavior that could easily be categorized by a security researcher as an infostealer virus because the browser collects information on its users, and then sends it to Baidu's home servers.

Both versions collected waaaaay too much information that has nothing to do with analytics, like hard drive models, CPU serials, and personal browsing history. The browser collected and sent this information on startup, when the user started typing content in his address bar, and on any page view. Some of this was sent via unencrypted connections. Additionally, the browser update did not use code signatures, meaning you could man-in-the-middle the connection and send anything you'd like to the browser, from Pokemon games to banking trojans, and have it installed locally.
Microsoft

Attackers Can Turn Microsoft's Exploit Defense Tool EMET Against Itself (csoonline.com) 40

itwbennett writes: FireEye researchers have found a way for exploits to trigger a specific function in EMET that disables all protections it enforces for other applications. The researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. It works against all supported versions of EMET — 5.0, 5.1 and 5.2 — but Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. So if you haven't upgraded yet, now would be a good time to do it. For more about how the technique works, read FireEye's blog post.
Crime

To Secure ATM Transactions: Ditch the Card (securityledger.com) 184

chicksdaddy writes: Security Ledger has a piece that looks at the efforts of a string of startups to secure ATM transactions from skimmers and malware-based attacks. Step 1: get rid of the ATM card. The article profiles a couple different companies. One, Trusona, has technology that can uniquely identify standard issue ATM cards by analyzing the unique distribution of Barium Ferrite particles on their magnetic strips and using it to connect the card to the customer. The company combines that with card swipe biometrics to thwart malware-based replay attacks. The article also mentions upgrades that will allow banking customers in the U.S. to use a mobile application to withdraw cash from ATMs without a card or PIN, and a prototype from Diebold that combines proximity based sensing (via NFC) with iris scans to authenticate customers and authorize transactions. Cool as it sounds, it's worth remembering that most ATM attacks are decidedly "low tech." A survey by the ATM Industry Association in 2015 listed "physical attacks" and those using "explosives" as the second and third most common type of ATM attack after card skimming.
Australia

Australia's Major Parties Vote Against Encryption In Wake of Apple FBI Case (delimiter.com.au) 172

daria42 writes: If you're counting on Apple to keep your digital information safe, you may want to think again ... at least if you live in Australia. Yesterday the country's two major political parties — Labor and the Coalition — voted down a motion in Federal Parliament calling for strong encryption to be supported in the wake of the FBI's demands that Apple unlock iOS. It appears that implementing comprehensive telephone and email retention in Australia may not have been the end of demands by law enforcement in the country.
Graphics

Multimedia Powerhouse FFmpeg Hits 3.0 67

An anonymous reader writes: The milestone release FFmpeg 3.0 "Einstein" has been unleashed. For those who need a reminder, FFmpeg comprises several libraries and command-line tools (the main command-line tool being "ffmpeg") that encode, decode, transcode, and stream audio/visual data, etc. FFmpeg supports a multitude of codecs, filters, and container formats too numerous to mention here. FFmpeg is used by MPlayer, VLC, HandBrake, Chrome, and many other projects. Changes from 2.x to 3.0 include: a much better native AAC encoder, better hardware acceleration, and some API/ABI breakage. See this, this, this, this, and the changelog for much better descriptions of the improvements.
Cloud

CloudBees Releases Jenkins-based Platform For CDaaS (theregister.co.uk) 17

An anonymous reader writes: As a way to address the many challenges associated with supporting DevOps and adopting Continuous Delivery (CD), CloudBees has released a new Jenkins platform to help teams deliver software. The new platform provides other cloud-native capabilities, including Docker deployment and Mesos large-scale cluster management, which will allow enterprises to run and manage Jenkins across the enterprise on their own private cloud, or by using dedicated AWS resources.
The Internet

Cross-Site Scripting Enabled On 1000 Major Sites (thestack.com) 54

An anonymous reader writes: A CloudFlare engineer has discovered that 1000 of the top one million websites, including bitcoin holding sites and trading sites, are running a default setting that enables cross-site scripting. This article details his examination of the top 1 million Alexa sites for evidence of compromised settings and finds that about 1000 of the sites on the list are capable of being compromised because of running a header called Access-Allow-Origin. He found the vulnerability while working on a legitimate use of domain-communication called Cross Origin Resource Sharing for the Stripe API. The header, which Johnson claims the vulnerable websites are outputting, is concluded with a wild-card asterisk, meaning that the sites in question are giving full permission for cross-domain communication via venerable protocols such as SOAP/AJAX XML exchanges.
Security

Mousejack Attacks Exploit Wireless Keyboards and Mice (threatpost.com) 112

msm1267 writes: Researchers have discovered a vulnerability in the USB devices that support wireless keyboards and mice that could put a countless number of devices at risk to attack. Seven manufacturers have been informed of the flaw, but as of today, only Logitech has produced a firmware update. Some have no update mechanism and can never be patched. The issue lies in the fact that some of the commands from the peripheral device to the dongle are not encrypted. Most do not authenticate packets and an attacker within close proximity and using a USB transmitting malicious packets over radio frequency can trick the victim's machine into accepting mouse clicks impersonating keystrokes. It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.
Operating Systems

Ask Slashdot: Good Technical Guide To Windows 10? 199

An anonymous reader writes: Back 'in the day' you could easily find books on NT, Windows 2000, or Slackware that went into painstaking detail about every functional aspect of the operating system (think Slackware Unleashed). They covered the interplay between BIOS, boot sector, crash dumps, every command-line option, etc. Past about Win 2000 I fell way behind focusing on finishing my EE degree. Now when faced with a complex issue, I just end up at Google, but would prefer a good comprehensive book on recent Win8/Win10 architectures. Any suggestions? Are these books all but limited to course-prep now?
Encryption

Thanks To Encryption, UK Efforts To Block Torrent Sites Are Pointless (betanews.com) 79

Mark Wilson writes: In the UK, ISPs are required to block access to a number of big-name torrent sites — the thinking being that sites such as The Pirate Bay are used primarily for (gasp!) downloading pirated material. Despite the government's desire to control what people can access online, good old HTTPS means that people are able to very easily bypass any blocks that may be put in place. There are all manner of proxy services and mirror sites that provide access to otherwise-blocked content, but these are really not needed. With the likes of The Pirate Bay and Kickass Torrents offering secure, encrypted connection, accessing the goodies they contain could involve little more than sticking an extra 's' in the URL.
Privacy

Bill Gates Sides With FBI In Apple Spat (ft.com) 389

Fudge Factor 3000 writes: Bill Gates has now publicly stated that Apple should cooperate with the FBI in the San Bernardino terrorist's phone unlocking case. He states that it is for this specific case, but seems to miss the point that there are other law enforcement officials waiting in the wings with their requests should this precedent be set. The war against privacy escalates. Setting aside the actual practicality of unlocking the San Bernardino phone, the teams that are emerging on this issue include some pretty strange bedfellows: John McAfee and Bill Gates on the pro-unlocking side, and Woz, Edward Snowden and even some of the victims' families on the con.
Privacy

Database Error Exposes Sensitive Information On 1,700 Kids (csoonline.com) 62

itwbennett writes: Researcher Chris Vickery discovered that the Arlington, Virginia based child monitoring service uKnowKids.com had a misconfigured MongoDB installation that left sensitive details on over 1,700 children exposed for months. UKnowKids helps parents monitor their child's activities online, by watching their mobile communications, social media activities, and their location. And so the database stored 6.8 million private text messages, 1.8 million images (many depicting children), Facebook, Twitter, and Instagram account details, in addition to the children's full names, email addresses, GPS coordinates, date of birth.
Security

Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com) 197

An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy it is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.
Privacy

More Than Half of Americans Think Apple Should Comply With FBI, Finds Pew Survey (theverge.com) 585

An anonymous reader writes: Apple may not have the public's support in its legal fight with the FBI, according to a recently published Pew report. In a survey that reached 1,000 respondents by phone over the weekend, Pew researchers found 51 percent of respondents believed Apple should comply with FBI demands to weaken security measures on an iPhone used in the San Bernardino attacks, in order to further the ongoing investigation. Only 38 percent of respondents agreed with the company's position.

Limiting the sample to respondents who own a smartphone only improved the numbers somewhat, changing them to a 50-41 split in the FBI's favor. Among those who own an iPhone, the numbers are even closer, but still in the FBI's favor 47 to 43 percent.

Intel

AT&T and Intel Team Up To Test Drone Technology (venturebeat.com) 23

New submitter MitchRandall writes: Wireless provider AT&T Inc said on Monday it will partner with chipmaker Intel Corp to test the functionality of drones on its high-speed LTE wireless network. AT&T will work with Intel to examine the efficiency of drones on its LTE network at higher altitudes and potential interference with airwaves related to areas such as video streaming and flight information, AT&T said in a statement. Intel has been aggressively investing in drone technology in recent years. With the U.S. wireless market over-saturated, AT&T is betting on growth from the 'Internet of Things', or web-connected machines and gadgets from cars, home appliances to drones, a new battleground for the company and rivals ranging from Verizon Communications Inc to Amazon.com Inc.
Upgrades

Cyanogen Tackles How Developers Interact With Mobile Devices (sdtimes.com) 39

An anonymous reader writes: Cyanogen has announced a new integrated mobile platform designed to change the way users, developers, OEMs and MNOs build and interact with mobile devices. Their new platform MOD provides developers with APIs they can use to implement intelligent, contextually aware and lightweight experiences natively into the mobile operating system. It also allows users to extend the functionality of their devices.
Security

MasterCard Rolls Out 'Selfie' Verification For Mobile Payments (thestack.com) 109

An anonymous reader writes: MasterCard has announced plans to invest in facial recognition technology in the UK, in a push to reduce false decline transactions and increase security for mobile payments. Following trials in countries including the U.S. and the Netherlands, 'Selfie Pay' will be introduced in Britain this summer as part of the financial services company's identity validation process. Users will be able to choose between finger scanning and face recognition for verification, instead of traditional passwords or PIN numbers. Consumers will be asked to upload their pictures to be stored on MasterCard servers [paywalled]. These registered images will then be used as a reference every time a user opts for facial verification during a transaction.
Bug

Linux Virtual Ethernet Bug Delivers Corrupt TCP/IP Data (vijayp.ca) 40

jones_supa writes: Vijay Pandurangan from Twitter warns about a Linux kernel bug that causes containers using Virtual Ethernet devices for network routing to not check TCP checksums. Examples of software stacks that use Virtual Ethernet devices are Docker on IPv6, Kubernetes, Google Container Engine and Mesos. The kernel flaw results in applications incorrectly receiving corrupt data in a number of situations, such as with bad networking hardware. The bug dates back at least 3 years or more – it is present in kernels as far back as the Twitter engineering team has tested. Their patch has been reviewed and accepted into the kernel, and is currently being backported to -stable releases back to 3.14 in various distributions. If you use containers in your setup, Pandurangan recommends that you deploy a kernel with this patch.
Privacy

Apple's iPhone Already Has a Backdoor 401

Nicola Hahn writes: As the Department of Justice exerts legal pressure on Apple in an effort to recover data from the iPhone used by Syed Rizwan Farook, Apple's CEO has publicly stated that "the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone." But, as one Windows rootkit developer has observed, the existing functionality that the FBI seeks to leverage is itself a backdoor. Specifically, the ability to remotely update code on a device automatically, without user intervention, represents a fairly serious threat vector. Update features marketed as a safety mechanism can just as easily be wielded to subvert technology if the update source isn't trustworthy. Something to consider in light of the government's ability to steal digital certificates and manipulate network traffic, not to mention the private sector's lengthy history of secret cooperation. Related: wiredmikey writes: Apple said Monday it would accept having a panel of experts consider access to encrypted devices if US authorities drop efforts to force it to help break into the iPhone of a California attacker. Apple reaffirmed its opposition to the US government's effort to compel it to provide technical assistance to the FBI investigation of the San Bernardino attacks, but also suggested a compromise in the highly charged legal battle.

In his first public remarks since Apple CEO Tim Cook said he would fight the federal magistrate's order, FBI Director James Comey claimed the Justice Department's request is about "the victims and justice."
Security

What Happens When Google Doc Credentials Are Leaked On the Dark Web? (csoonline.com) 27

itwbennett writes: It only takes one day of online credentials being available on the Dark Web before login attempts will start, according to security company Bitglass, which set up a simulation using fake credentials for a Google Drive account, complete with real credit card details, fake corporate data and personal data, according to Bitglass' report. Bitglass said there were three attempted logins to Google Drive in the first day and five attempted logins to the fake bank site. Within two days, files were downloaded from the Google Drive account.
Communications

HTTP GZIP Compression Leaks Data On the Location of Tor Web Servers 79

An anonymous reader writes: The GZIP compression format includes a field in its header that shows the Web server's local date, at which the data was gzipped. Almost all Web servers use "zeros" to pad this field by default, citing performance issues. Around 10% of Tor site operators have removed this feature and are printing the packet's compression date. Unknown to them, this "server local date" leaks the Tor site's timezone which law enforcement can then narrow down to a specific geographical area. Coupled with other Tor protocol leaks, this could help deanonymize .onion sites.
Bug

Windows 10 Forced Update Resets Default Apps To Microsoft Products (theinquirer.net) 387

Freshly Exhumed writes: Microsoft has told The Inquirer that it is aware of a bug which has been causing users' default programs to switch to the bundled Microsoft options. After deleting the update, a user discovered the next day that Windows had reinstalled it and reset the default settings again. InfoWorld gives some real world scenarios: "If you have Chrome as the default browser on your Windows 10 computer, you'd better check to make sure Microsoft didn't hijack it last week and set Edge as your new default. The same goes for any PDF viewer: A forced cumulative update also reset PDF viewing to Edge on many PCs. Do you use IrfanView, ACDSee, Photoshop Express, or Photoshop Elements? The default photo app may have been reset to -- you guessed it -- the Windows Photos app. Music? Video? Microsoft may have swooped down and changed you over to Microsoft Party apps, all in the course of last week's forced cumulative update KB3135173."
Privacy

Carole Adams, Mom Who Lost Son In San Bernardino Shooting, Sides With Apple (washingtontimes.com) 341

HughPickens.com writes: The Washington Times reports that Carole Adams, the mother of Robert Adams -- a 40-year-old environmental health specialist who was shot dead in the San Bernardino, Calif., massacre by Syed Rizwan Farook and his wife in December -- is siding with Apple in its battle to protect consumers' privacy rights. Adams says she stands by Apple's decision to fight a federal court order to create software that would allow federal authorities to access the shooter's password-blocked iPhone. She understands the FBI's need to search Farook's phone, but says it has to be done without putting others at risk. "This is what separates us from communism, isn't it? The fact we have the right to privacy," she told the New York Post. "I think Apple is definitely within their rights to protect the privacy of all Americans. This is what makes America great to begin with, that we abide by a Constitution that gives us the right of privacy, the right to bear arms, and the right to vote."
