The Internet

Are We Headed For 200 Separate Nationally-Controlled Internets? (thehill.com) 80

Roger Cochetti directed internet public policy for IBM from 1994 through 2000 and later served as Senior Vice-President & Chief Policy Officer for VeriSign and Group Policy Director for CompTIA. This week he warned about signs "that the once open, global internet is slowly being replaced by 200, nationally-controlled, separate internets." And, while these separate American, Chinese, Russian, Australian, European, British, and other "internets" may decide to have some things in common with each other, the laws of political gravity will slowly pull them further apart as interest groups in each country lobby for their own concerns within their own country. Moreover, we will probably see the emergence of a global alternate internet before long...

As background, it's important to recognize that — by almost any measure — the global internet is controlled by businesses and non-profits subject to the jurisdiction of the United States government. Within a roughly 1,000-mile strip of land stretching from San Diego to Seattle lie most major internet businesses and network control or standards bodies (and those that aren't there likely lie elsewhere in the United States). So — as the governments of China, Russia and Iran never tire of explaining — while Americans constitute around 310 million out of the world's 4.3 billion internet users (around 8%), the U.S. government exercises influence or control over more than 70% of the internet's controls and services... China's ability to control the internet experience within its borders between roughly 2005 and 2018 taught many other countries that doing so, even if costly, is possible. This lesson was not lost on Russia, Iran, Australia, Turkey, Saudi Arabia, the EU and many other countries, which began developing legal (and sometimes technical) means to control internet content within their borders. This legal/technical nationalization over the past decade was significantly boosted by the realization that it was actually not very difficult for a government to substantially shut down the internet within a territory...

The first major step in the introduction of a new, China-centric internet may have taken place last year when China introduced to the UN's International Telecommunications Union a proposal for a new type of protocol that would connect networks in a way comparable to, but different from, the way that the internet protocols have done. This was quickly dubbed China's New IP, and it has been the subject of major controversy as the nations and companies decide how to react. Whether a new Chinese-centric internet is based on a new series of protocols or is simply based on a new set of internet domain names and numbers, it seems likely that this alternate internet will give national governments quite a bit more control over what happens within their territories than does the global, open internet. This feature will attract quite a few national governments to join in — not least Russia, Iran and perhaps Turkey and India.

The combined market power of those participating countries would make it difficult for any global internet business to avoid such a new medium. The likely result being two, parallel global computer inter-networking systems... which is pretty much what Google CEO Eric Schmidt predicted.

Privacy

A Security Flaw In Grindr Let Anyone Easily Hijack User Accounts (techcrunch.com) 11

Grindr, one of the world's largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user's account using only their email address. TechCrunch reports: Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. When he didn't hear back, Bouimadaghene shared details of the vulnerability with security expert Troy Hunt to help. The vulnerability was fixed a short time later. Bouimadaghene found the vulnerability in how the app handles account password resets.

To reset a password, Grindr sends the user an email with a clickable link containing an account password reset token. Once clicked, the user can change their password and is allowed back into their account. But Bouimadaghene found that Grindr's password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset who had knowledge of a user's registered email address, and collect the password reset token from the browser if they knew where to look.

The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could easily craft their own clickable password reset link -- the same link that was sent to the user's inbox -- using the leaked password reset token from the browser. With that crafted link, the malicious user can reset the account owner's password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation and HIV status and last test date.

Security

CISA: Chinese State Hackers Are Exploiting F5, Citrix, Pulse Secure, and Exchange Bugs (zdnet.com) 26

The Cybersecurity and Infrastructure Security Agency (CISA) has published a security advisory today warning of a wave of attacks carried out by hacking groups affiliated with China's Ministry of State Security (MSS). From a report: CISA says that over the past year, Chinese hackers have scanned US government networks for the presence of popular networking devices and then used exploits for recently disclosed vulnerabilities to gain a foothold on sensitive networks. The list of targeted devices includes F5 Big-IP load balancers, Citrix and Pulse Secure VPN appliances, and Microsoft Exchange email servers. For each of these devices, major vulnerabilities have been publicly disclosed over the past 12 months, such as CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688, respectively. According to a table summarizing Chinese activity targeting these devices published by CISA today, some attacks have been successful and enabled Chinese hackers to gain a foothold on federal networks.
Businesses

Huawei Closing Enterprise Hardware Division In the UK (techradar.com) 13

schwit1 shares a report from TechRadar: Huawei has announced a series of layoffs in the UK as the company is forced to alter its corporate strategy in the face of further bans and restrictions. The Chinese giant is set to pull sales of all of its Enterprise hardware lines, including all servers, storage and networking switches from the UK. The news means severe job cuts across Huawei's Enterprise hardware divisions in the UK as the company faces yet more challenges, despite pledges to remain in the country. The Register [which broke the story] said it had initially been told of Huawei's move by several channel partners, and that 20 of the 50 roles in the Enterprise team would be affected. The European arm of the Enterprise division is not thought to be affected by the news. "Our Enterprise Business is to focus its operations in the UK to deliver fewer products in a better way. Unfortunately this means a number of roles are no longer required, however, we hope to reposition colleagues who are affected elsewhere within the businesses," a Huawei spokesperson told The Register in a statement.

"Ultimately, the business has done a review and decided to focus on a number of product lines," the spokesperson added, noting that Huawei will, "continue to provide full service and maintenance to existing customers for the life-cycle of our products."
Facebook

Facebook Returns To Its Roots With Campus, a College Student-only Social Network (techcrunch.com) 29

Facebook is getting back to its roots as a college-focused social network. The company announced today the launch of a new social networking platform, Facebook Campus, which offers college students a private place to connect with classmates, join groups, discover upcoming campus events, get updates from their school's administration and chat with other students from their dorm, clubs or any other campus group. From a report: The new platform requires a school email address (@.edu) to join and will live within a dedicated section of the Facebook app. It will be accessible from a tab at the bottom of the screen or from the "More" menu alongside sections like Watch, Dating, Gaming, News, Marketplace and others. "We wanted to create a product where it was easy for classmates to meet each other, foster new relationships and also easily start conversations," explains Facebook Campus Product Manager Charmaine Hung. "And we really think that Campus is more relevant than ever right now. With COVID-19, we see that many students aren't returning to campus in the fall. Now, classes are being held online and students are trying to react to this new normal of what it's like to connect to clubs and organizations that you care about, when you're not together," she added.
Transportation

How a White-Hat Hacker Once Gained Control of Tesla's Entire Fleet (electrek.co) 42

"A few years ago, a hacker managed to exploit vulnerabilities in Tesla's servers to gain access and control over the automaker's entire fleet," remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).

Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but "knowing that their network wasn't the most secure, to say the least, he decided to go hunting for more bug bounties." After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, "I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was 'Mothership'." Mothership is the name of Tesla's home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through "Mothership." After downloading and dissecting the data found in the repository, Hughes started using his car's VPN connection to poke at Mothership. He eventually landed on a developer network connection. That's when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla's fleet.

All he needed was a vehicle's VIN number, and he had access to all of those through Tesla's "tesladex" database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.

Last week Hughes released an annotated version of the bug report he'd submitted to Tesla. "Hughes couldn't really send Tesla cars driving around everywhere..." reports Electrek, "but he could 'Summon' them..." Tesla gave him a special $50,000 bug report reward — several times higher than their usual maximum — and "used the information provided by Hughes to secure its network."

Electrek calls it "a good example of the importance of whitehat hackers."
Red Hat Software

Lenovo Releases First Fedora Linux ThinkPad Laptop (zdnet.com) 80

Today, Lenovo has released a ThinkPad with Red Hat's community Linux, Fedora. ZDNet reports: First in this new Linux-friendly lineup is the X1 Carbon Gen 8. It will be followed by forthcoming versions of the ThinkPad P1 Gen2 and ThinkPad P53. While ThinkPads are usually meant for business users, Lenovo will be happy to sell the Fedora-powered X1 Carbon to home users as well. The new X1 Carbon runs Fedora Workstation 32. This cutting-edge Linux distribution uses the Linux Kernel 5.6. It includes WireGuard virtual private network (VPN) support and USB4 support. This Fedora version uses the new GNOME 3.36 for its default desktop.

The system itself comes standard with a 10th Generation Intel Core 1.6Ghz i5-10210U CPU, with up to 4.20 GHz with Turbo Boost. This processor boasts 4 Cores, 8 Threads, and a 6 MB cache. It also comes with 8MBs of LPDDR3 RAM. Unfortunately, its memory is soldered in. While that reduces the manufacturing costs, Linux users tend to like to optimize their hardware and this restricts their ability to add RAM. You can upgrade it to 16MBs, of course, when you buy it for an additional $149. For storage, the X1 defaults to a 256GB SSD. You can push it up to a 1TB SSD. That upgrade will cost you $536.

The X1 Carbon Gen 8 has a 14.0" Full High Definition (FHD) (1920 x 1080) screen. For practical purposes, this is as high-a-resolution as you want on a laptop. I've used laptops with Ultra High Definition (UHD), aka 4K, with 3840x2160 resolution, and I've found the text to be painfully small. This display is powered by an integrated Intel HD Graphics chipset. For networking, the X1 uses an Intel Wi-Fi 6 AX201 802.11AX with vPro (2 x 2) & Bluetooth 5.0 chipset. I've used other laptops with this wireless networking hardware and it tends to work extremely well. The entire default package has a base price of $2,145. For now, it's available for $1,287. If you want to order one, be ready for a wait. You can expect to wait three weeks before Lenovo ships it to you.

Crime

Former IT Director Gets Jail Time For Selling Government's Cisco Gear On eBay (zdnet.com) 66

An anonymous reader quotes a report from ZDNet: A South Carolina man was sentenced this week to two years in federal prison for taking government-owned networking equipment and selling it on eBay. The man, Terry Shawn Petrill, 48, of Myrtle Beach, worked as the IT Security Director for Horry County in South Carolina, the Department of Justice said in a press release on Tuesday. According to court documents, "beginning on June 11, 2015, through August 23, 2018, Petrill ordered forty-one Cisco 3850 switches that were to be installed on the Horry County network."

US authorities said that through the years, when the switches would arrive, Petrill would take custody of the devices and tell fellow IT staffers that he would handle the installation alone. However, investigators said that "Petrill did not install the switches on the network and instead sold them to third parties and kept the proceeds for himself." FBI agents who investigated the case said they tracked nine of the 41 missing Cisco switches to ads on eBay, while the location of the rest remains unknown. Nonetheless, this was enough to file charges against Petrill, whom authorities arrested and indicted in November 2019. Besides prison time, Petrill was also ordered to pay restitution in the amount of $345,265.57 to the Horry County Government.

China

Kuo: iPhone Shipments Could Decline Up To 30% If Apple Forced To Remove WeChat From Worldwide App Store (macrumors.com) 80

An anonymous reader shares a report: In a worst-case scenario, Apple's annual iPhone shipments could decline by 25-30% if it is forced to remove WeChat from its App Stores around the world, according to a new research note from analyst Ming-Chi Kuo viewed by MacRumors. The removal could occur due to a recent executive order aiming to ban U.S. transactions with WeChat and its parent company Tencent. Kuo lays out optimistic and pessimistic scenarios depending on whether Apple is only required to remove WeChat from the App Store in the United States or if the ban would apply to the App Store in all countries. WeChat is extremely popular with Chinese mobile device users, essentially operating as its own platform on top of iOS and Android for many users, and Kuo argues that a worldwide ban on WeChat in the App Store would be devastating due to the size of the Chinese market.

"Because WeChat has become a daily necessity in China, integrating functions such as messaging, payment, e-commerce, social networking, news reading, and productivity, if this is the case, we believe that Apple's hardware product shipments in the Chinese market will decline significantly. We estimate that the annual iPhone shipments will be revised down by 25-30%, and the annual shipments of other Apple hardware devices, including AirPods, iPad, Apple Watch and Mac, will be revised down by 15-25%," he wrote in a note. Under his optimistic scenario in which WeChat is only removed from the U.S. App Store, Kuo predicts iPhone shipments would be impacted by 3-6% with other Apple products being affected by less than 3%.

Linux

Linus Torvalds: Linux 5.8 "One of our Biggest Releases of All Time" (techrepublic.com) 61

This week saw the release of Linux 5.8, which Linus Torvalds called "one of our biggest releases of all time," reports TechRepublic: The new version of the Linux kernel brings a number of updates to Linux 5.7 spanning security, core components, drivers, memory management, networking and improvements to the kernel's design, amongst others. This includes updates for Microsoft's Hyper-V virtualization platform, Intel Tiger Lake Thunderbolt support, improvements to Microsoft's exFAT file system, and support for newer Intel and ARM chips.

Torvalds said the kernel had received over 15,000 merge requests and that around 20% of all the files in the kernel source repository had been modified. "That's really a fairly big percentage, and while some of it is scripted, on the whole it's really just the same pattern: 5.8 has simply seen a lot of development," Torvalds said.

Translated into numbers, Linux 5.8 includes over 800,000 new lines and over 14,000 changed files. It also received one of the biggest number of merge requests during its merge window — over 14,000 non-merge commits and more than 15,000 including merges, according to Torvalds. "5.8 looks big. Really big," he added.

China

How a Chinese Agent Used LinkedIn to 'Lure' American Targets (bbc.com) 61

Today the BBC told the story of Jun Wei Yeo, "an ambitious and freshly enrolled Singaporean PhD student" who was gradually recruited by Chinese intelligence.

Yeo "would end up using the professional networking website LinkedIn, a fake consulting company and cover as a curious academic to lure in American targets." Some of the targets that Yeo found by trawling through LinkedIn were commissioned to write reports for his "consultancy", which had the same name as an already prominent firm. These were then sent to his Chinese contacts. One of the individuals he contacted worked on the U.S. Air Force's F-35 fighter jet programme and admitted he had money problems. Another was a U.S. army officer assigned to the Pentagon, who was paid at least $2,000 (£1,500) to write a report on how the withdrawal of US forces from Afghanistan would impact China... According to the court documents, his handlers advised him to ask targets if they "were dissatisfied with work" or "were having financial troubles"...

In 2018, Yeo also posted fake online job ads for his consulting company. He told investigators he received more than 400 CVs with 90% of them coming from "US military and government personnel with security clearances". Some were passed to his Chinese handlers... Dickson Yeo does not appear to have got as far with his contacts as his handlers would have liked. But in November 2019, he travelled to the U.S. with instructions to turn the army officer into a "permanent conduit of information", his signed statement says.

He was arrested before he could ask.

The 39-year-old now faces up to 10 years in prison for being an "illegal agent of a foreign power" — but the article notes he was "aided by an invisible ally — the LinkedIn algorithm.

"Each time Yeo looked at someone's profile it would suggest a new slate of contacts with similar experience that he might be interested in..."
Businesses

LinkedIn Cuts 960 Jobs as Pandemic Puts the Brakes on Corporate Hiring (reuters.com) 34

Microsoft's professional networking site LinkedIn said on Tuesday it would cut about 960 jobs, or 6% of its global workforce, as the coronavirus pandemic is having a sustained impact on demand for its recruitment products. From a report: California-based LinkedIn helps employers assess a candidate's suitability for a role and employees use the platform to find new jobs. Jobs will be cut across sales and hiring divisions of the group globally. Announcing the plan in a message posted on LinkedIn's website, Chief Executive Ryan Roslansky said the company would provide at least 10 weeks of severance pay as well as health insurance for a year for U.S. employees, and will hire for newly-created roles from laid-off staff. "I want you to know these are the only layoffs we are planning," Roslansky said in his message. Affected staff, who have not yet been told, would be able to keep company-issued cell phones, laptops, and recently purchased equipment to help them work from home while making career transitions, he said.
Microsoft

Microsoft-Owned Minecraft Will Stop Using Amazon's Cloud (cnbc.com) 22

Microsoft will stop relying on Amazon to help it run the popular Minecraft video game. CNBC reports: The shift represents an obvious way for Microsoft to cut back on payments to one of its toughest competitors and promote its own product. Amazon Web Services rules the market for public cloud infrastructure for running software from afar through vast data centers, and Microsoft has been working to take share with its Azure cloud. Azure is growing faster than many other parts of Microsoft, helping it lean less on longstanding properties like Windows and Office. Moving more of its own software to Azure can help Microsoft make the case to customers that it doesn't look anywhere else for computing, storage and networking resources to deliver its online services. That's an important consideration, because Amazon can tell customers that its sprawling e-commerce business consumes resources from AWS.

The use of AWS for Minecraft for a version called Realms -- virtual places for small groups to gather and play the open-world game together -- dates to 2014. Months after AWS published a blog post about how Mojang, the game developer behind Minecraft, had chosen to tap AWS for Realms, Microsoft announced that it would acquire Mojang for $2.5 billion. It would not have been right to make Mojang get off AWS immediately after the acquisition, Matt Booty, the head of studios at Microsoft, suggested in a recent interview. Now there is an end in sight for the dependence on a rival. "We'll be fully transitioned to Azure by the end of the year," the Microsoft spokesperson wrote.

Businesses

Cisco Fires Workers for Racial Comments During Diversity Forum (bloomberg.com) 416

During a series of Cisco online all-hands meetings on race in early June, some workers posted comments in message channels that other staff and company management said were demeaning to Black people, exposing racial divisions at the Silicon Valley tech giant and leading to the dismissal of a number of people. From a report: During the first videoconference on June 1, following the killing of George Floyd by Minneapolis police, Chief Executive Officer Chuck Robbins spoke with Ford Foundation President Darren Walker, who is Black, and Bryan Stevenson, a Black lawyer and author who founded the Equal Justice Initiative, in front of 30,000 employees. The conversations about race continued in subsequent online global staff meetings. "Black lives don't matter. All lives matter," one worker wrote in the comments during one of the virtual all-hands meetings, according to screen shots obtained by Bloomberg. Another said the phrase Black Lives Matter "reinforces racism" because it singles out one ethnic group. "People who complain about racism probably have been a racist somewhere else to people from another race or part of systematic oppression in their own community!" a third worker wrote in the chat section visible for all those online. Cisco, the world's largest networking company, said it fired "a handful" of workers for inappropriate conduct because it "will not tolerate" racism.
United States

US is 'Looking at' Banning TikTok and Chinese Social Media Apps, Pompeo Says (cnbc.com) 140

The U.S. is "looking at" banning TikTok and other Chinese social media apps, Secretary of State Mike Pompeo told Fox News. From a report: His comments come amid rising tensions between the U.S. and China and as scrutiny on TikTok and Chinese technology firms continues to grow. When asked in a Fox News interview if the U.S. should be looking at banning TikTok and other Chinese social media apps, Pompeo said: "We are taking this very seriously. We are certainly looking at it. We have worked on this very issue for a long time," he said. "Whether it was the problems of having Huawei technology in your infrastructure we've gone all over the world and we're making real progress getting that out. We declared ZTE a danger to American national security," Pompeo added, citing the two Chinese telecommunications networking companies. The remark comes days after India banned TikTok and 58 other apps and services developed by Chinese firms citing cybersecurity concerns.
Businesses

Hackers Are Exploiting a 5-Alarm Bug In Networking Equipment (wired.com) 32

Andy Greenberg writes via Wired: Late last week, government agencies, including the United States Computer Emergency Readiness Team and Cyber Command, sounded the alarm about a particularly nasty vulnerability in a line of BIG-IP products sold by F5. The agencies recommended security professionals immediately implement a patch to protect the devices from hacking techniques that could fully take control of the networking equipment, offering access to all the traffic they touch and a foothold for deeper exploitation of any corporate network that uses them. Now some security companies say they're already seeing the F5 vulnerability being exploited in the wild -- and they caution that any organization that didn't patch its F5 equipment over the weekend is already too late.

The F5 vulnerability, first discovered and disclosed to F5 by cybersecurity firm Positive Technologies, affects a series of so-called BIG-IP devices that act as load balancers within large enterprise networks, distributing traffic to different servers that host applications or websites. Positive Technologies found a so-called directory traversal bug in the web-based management interface for those BIG-IP devices, allowing anyone who can connect to them to access information they're not intended to. That vulnerability was exacerbated by another bug that allows an attacker to run a "shell" on the devices that essentially lets a hacker run any code on them that they choose. The result is that anyone who can find an internet-exposed, unpatched BIG-IP device can intercept and mess with any of the traffic it touches. Hackers could, for instance, intercept and redirect transactions made through a bank's website, or steal users' credentials. They could also use the hacked device as a hop point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even use the bug to steal the encryption keys that guarantee the security of an organization's HTTPS traffic with users, warns Kevin Gennuso, a cybersecurity practitioner for a major American retailer.
While only a small minority of F5 BIG-IP devices are directly exploitable, Positive Technologies says that still includes 8,000 devices worldwide. "About 40 percent of those are in the U.S., along with 16 percent in China and single-digit percentages in other countries around the globe," reports Wired.

"Owners of those devices have had since June 30, when F5 first revealed the bug along with its patch, to update," adds Wired. "But many may not have immediately realized the seriousness of the vulnerability. Others may have been hesitant to take their load balancing equipment offline to implement an untested patch, points out Gennuso, for fear that critical services might go down, which would further delay a fix."
Facebook

As Advertisers Revolt, Facebook Commits To Flagging 'Newsworthy' Political Speech That Violates Policy (techcrunch.com) 58

As advertisers pull away from Facebook to protest the social networking giant's hands-off approach to misinformation and hate speech, the company is instituting a number of stronger policies to woo them back. From a report: In a livestreamed segment of the company's weekly all-hands meeting, CEO Mark Zuckerberg recapped some of the steps Facebook is already taking, and announced new measures to fight voter suppression and misinformation -- although they amount to things that other social media platforms like Twitter have already enacted and enforced in more aggressive ways.

At the heart of the policy changes is an admission that the company will continue to allow politicians and public figures to disseminate hate speech that does, in fact, violate Facebook's own guidelines -- but it will add a label to denote they're remaining on the platform because of their "newsworthy" nature. It's a watered down version of the more muscular stance that Twitter has taken to limit the ability of its network to amplify hate speech or statements that incite violence. [...] Zuckerberg's remarks came days after advertisers -- most recently Unilever and Verizon -- announced that they're going to pull their money from Facebook as part of the #StopHateforProfit campaign organized by civil rights groups.

Google

Google Sues Sonos in Escalation of Wireless Speakers Fight (bloomberg.com) 12

Google escalated a fight with Sonos over the wireless home-speaker market, filing a lawsuit that alleges patent infringement. From a report: The conflict between the two companies, which had been collaborating on incorporating some Google features in Sonos's speakers, erupted in January when Sonos sued Google for infringing its patents. The speaker maker is facing increased competition from tech giants such as Google and Amazon.com that are expanding into selling Internet-connected home gadgets, including less expensive wireless speakers. "Sonos has made false claims about the companies' shared work and Google's technology in the lawsuits," the Alphabet unit said in a complaint filed Thursday in San Francisco federal court. "While Google rarely sues other companies for patent infringement, it must assert its intellectual property rights here." Sonos, the Santa Barbara-based pioneer of wireless speakers, is using Google's patented technology for search, software, networking, audio processing and digital-media management and streaming, while refusing to pay a license, according to the lawsuit.
United States

Congress Seeks Answers on Juniper Networks Breach Amid Encryption Fight (reuters.com) 42

A group of U.S. lawmakers preparing to fight a legislative attack on encrypted communications is trying to establish what happened when encryption was subverted at a Silicon Valley maker of networking gear. From a report: Democrat Ron Wyden, who sits on the Senate Intelligence Committee, said the 2015 incident at Sunnyvale-based Juniper Networks could shed light on the risks of compromised encryption before an expected hearing on the proposed legislation. The EARN IT Act could penalize companies that offer security that law enforcement can't easily penetrate. "Attorney General (William) Barr is demanding that companies like Facebook weaken their encryption to allow the Department of Justice to monitor users' conversations," Wyden told Reuters. "Congress and the American people must understand the serious national security risks associated with weakening the encryption that protects Americans' personal data, as well as government and corporate systems." In a letter to Juniper Chief Executive Rami Rahim sent late Tuesday, Wyden, Republican Senator Mike Lee of the Judiciary Committee, and the chairmen of the House Judiciary and Homeland Security committees asked what had happened to an investigation Juniper announced after it found "unauthorized code" inside its widely used NetScreen security software in 2015.
Mozilla

Mozilla Eyes Decentralized Web-Based Videoconferencing Platform 'Meething' (zdnet.com) 40

Last month TechCrunch reported that Mozilla had gone "full incubator" by holding a startup lab called Fix the Internet, followed by "a formal program dangling $75,000 investments in front of early-stage companies..."

Fix the Internet had many key themes, including collaboration and decentralization (as well as user-controlled data and privacy-protecting social networks). That event "drew the interest of some 1,500 people in 520 projects, and 25 were chosen to receive the full package and stipend during the development of their minimum viable product (MVP). Below that, as far as pecuniary commitment goes, is the 'MVP Lab,' similar to the spring program but offering a total of $16,000 per team."

And one of those MVP Lab teams is Meething, a new video conferencing and collaboration platform from the innovation lab ERA. Meething "aims to be more secure than existing video conferencing tools and run on a decentralized database engine and leverage peer-to-peer networking" according to ZDNet.

In their video interview with CEO Mark Nadal, he outlined the following selling points:
  • Browser based video conferencing gives customers better options for security as well as branding.
  • Open source architecture is a win and the peer-to-peer networking is more efficient on compute costs.
  • Meething doesn't require downloads or apps that increase the security attack surface.
  • The total addressable market for video conferencing is large and can support multiple players.

Their press release quotes Mark Mayo, a former Chief Product Officer at Mozilla who served as Meething's mentor, arguing that video conferencing on the web "has long promised to enable a whole new world of online collaboration. Frankly, it hasn't delivered. It's been way too hard to build cool products with video and Meething aims to be the zero-barrier-to-entry platform that realizes this future. Soon, video conferencing won't suck!"

