Security

Forbes: Hack on Putin's Intelligence Agency Finds Weapon to Exploit IoT Vulnerabilities (forbes.com) 36

"Red faces in Red Square, again," writes a Forbes cybersecurity correspondent: Last July, I reported on the hacking of SyTech, an FSB contractor working on internet surveillance tech. Now, reports have emerged from Russia of another shocking security breach within the FSB ecosystem. This one has exposed "a new weapon ordered by the security service," one that can be used to execute cyber attacks on IoT devices. The goal of the so-called "Fronton Program" is to exploit IoT security vulnerabilities en masse — remember, these technologies are fundamentally less secure than other connected devices in homes and offices...

The security contractors highlight retained default "factory" passwords as the obvious weakness, one that is easy to exploit... The intent of the program is not to access the owners of those devices, but rather to herd them together into a botnet that can be used to attack much larger targets — think major U.S. and European internet platforms, or the infrastructure within entire countries, such as those bordering Russia.

But the article also notes that targeted devices for the exploits include cameras, adding that compromising such devices in foreign countries by a nation-state agency "carries other surveillance risks as well." It also points out that the FSB "is the successor to the KGB and reports directly to Russia's President Vladimir Putin," and its responsibilities include electronic intelligence gathering overseas.

"The fact that these kind of tools are being contracted out for development given the current geopolitical climate should give us all serious pause for thought."

Security

Are There Security Risks When Millions are Suddenly Working from Home? (cnn.com) 95

"The dramatic expansion of teleworking by U.S. schools, businesses and government agencies in response to the coronavirus is raising fresh questions about the capacity and security of the tools many Americans use to connect to vital workplace systems and data," reports CNN: As of last week the Air Force's virtual private networking software could only support 72,000 people at once, according to a federal contractor who was also not authorized to speak on the record, and telework briefing materials viewed by CNN. The Air Force employs over 145,000 in-house civilian workers, and over 130,000 full-time contractors.

As they increasingly log on from home, Americans are having to meld their personal technology with professional tools at unprecedented scale. For employers, the concern isn't just about capacity, but also about workers introducing new potential vulnerabilities into their routine — whether that's weak passwords on personal computers, poorly secured home WiFi routers, or a family member's device passing along a computer virus.

Long-time Slashdot reader Lauren Weinstein also worries about a world where "doctors switch to heavy use of video office visits, and in general more critical information than ever is suddenly being thrust onto the Internet..." For example, the U.S. federal government is suspending key aspects of medical privacy laws to permit use of "telemedicine" via commercial services that have never been certified to be in compliance with the strict security and privacy rules associated with HIPAA (Health Insurance Portability and Accountability Act).

The rush to provide more remote access to medical professionals is understandable, but we must also understand the risks of data breaches that once having occurred can never be reversed.

Communications

Trump Signs Law Banning Use of Federal Funds To Purchase Huawei Equipment (thehill.com) 50

President Trump on Thursday signed into law a bill banning the use of federal funds to purchase equipment from telecom companies deemed a national security threat, such as Chinese telecom group Huawei. From a report: The Secure and Trusted Communications Act, which the Senate passed in February and the House approved last year, will also require the Federal Communications Commission (FCC) to establish a $1 billion fund to help small telecom groups remove existing equipment that is deemed to be a threat. "Securing our networks from malicious foreign interference is critical to America's wireless future, especially as some communications providers rely on equipment from companies like Huawei that pose an immense threat to America's national and economic security," the bill's House sponsors, House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.), ranking member Greg Walden (R-Ore.), and Reps. Doris Matsui (D-Calif.) and Brett Guthrie (R-Ky.), said in a statement.

IT

Are Virtual Conferences Better Than Real-World Conferences? (fastcompany.com) 44

Fast Company's Mark Sullivan argues that cancelling this year's tech conferences could have a silver lining -- by encouraging a movement toward virtual conferences: There are developers across the U.S. and around the world who get shut out when the conferences get sold out. Even more of them simply can't afford the admission fee (last year's WWDC was $1599) and travel expenses required to spend time in the Bay Area or Seattle. Apple uses a lottery system to pick registered developers at random, who then get the opportunity to buy a ticket for the event. "Not having a set of 5,000 people who paid to be there, and potentially millions of other people who don't get access to things exclusive to those attending, such as labs and all of the networking, but instead having everyone on the same level can be a good thing," says iOS developer Guilherme Rambo.

Even before the coronavirus came along, the major developer conferences were developing more robust online elements. Far more people stream the keynotes than watch them in person. Many conferences now stream the developer sessions as well. And an increasing body of sessions from the events is archived online... With all the cancellations this year, big tech companies like Apple may get some time to really think about the value of big events in the age of live streaming. Apple, for one, might think about ways of further virtualizing WWDC.

Businesses

Cisco: Avoid Coronavirus, Stay Home, Use Webex (arstechnica.com) 58

An anonymous reader quotes a report from Ars Technica: Networking giant Cisco is getting into the coronavirus monitoring and mitigation game with its Webex remote meeting property. The company notes that in the wake of mandates issued to employees to halt travel plans and/or work from home, traffic across its Webex backbone has increased significantly. Webex meeting traffic connecting Chinese users to global workplaces has increased by a factor of 22 since the outbreak began; traffic in other Asian countries is up by 400 percent or more, and free signup rates in impacted countries have increased 700 percent or more. In response, Cisco is offering temporarily unlimited usage (with no time restrictions) in all countries where the service is available (full list here), not just the ones worst hit by coronavirus. The company is also offering free 90-day licenses to businesses that are not currently Webex customers and offering free upgrades to customers whose current plan is insufficient to accommodate increased traffic due to the outbreak.

In the worst affected countries, telepresence and remote work software like Webex is currently the only alternative to a complete shutdown of activities. In its press release, Cisco highlights the Nesbitt Center, an organization working with disabled young adults in Hong Kong. All Hong Kong schools, including the Nesbitt Center, have been required to suspend day programs during the outbreak. Webex videoconferencing has allowed the Nesbitt Center to continue delivering educational sessions despite the lockdown.
Ars Technica also recommends Jitsi, a "free and open source software, offering video call and screen sharing capabilities." There's also Jitsi Meet for people "who just need to get something done on-the-fly with no setup at all."

Do you have a favorite remote work software?

Facebook

Facebook Has Built a Fleet of Robots To Patrol Its Data Centers (businessinsider.com) 48

There are robots on the prowl at Facebook's server farms. The social networking giant has quietly built a fleet of mobile robots to patrol its data centers, and now has a team dedicated to automating its vast network of facilities around the globe, Business Insider reported Tuesday. From the report: The high-tech initiative could boost the firm's profits and help revolutionize the data center industry -- and potentially prompt job losses around the country. As Facebook has grown, it has built out a sprawling network of data centers around the globe dedicated to hosting users' content and supporting its apps and services. Its locations now stretch from Oregon to Sweden to Singapore -- but maintaining the vast facilities requires human data center operators and engineers to manage the systems, replace malfunctioning drives, and so on.

Social Networks

LinkedIn Tests Snapchat-like Stories (inputmag.com) 19

If you thought LinkedIn had already reached peak undesirability, you were wrong: the company is now planning to add Snapchat-style Stories to its platform. From a report: Yes, the business-focused networking app that fills your inbox with recruiter and PR spam may be getting Stories. Social media users have been suffering from Stories exhaustion for years at this point. It's a feature that works great for its pioneer, Snapchat, and for Instagram... and pretty much nothing else -- I mean, have you ever watched a Facebook Story on purpose? LinkedIn Stories inevitably promise to bring well-manicured, painfully corporate video clips to your feed as a way to mix up the approach to networking. Or, as the company puts it, to "bring creativity and authenticity to the ways that members share more of their work life, so that they can build and nurture the relationships necessary to become more productive and successful."

Businesses

Facebook Sues SDK Maker OneAudience For Secretly Harvesting User Data (zdnet.com) 14

Facebook today filed a federal lawsuit in a California court against OneAudience, a New Jersey-based data analytics firm. From a report: The social networking giant claims that OneAudience paid app developers to install its Software Development Kit (SDK) in their apps, and later used the control it had over the SDK's code to harvest data on Facebook users. According to court documents obtained by ZDNet, the SDK was embedded in shopping, gaming, and utility-type apps, some of which were made available through the official Google Play Store. "After a user installed one of these apps on their device, the malicious SDK enabled OneAudience to collect information about the user from their device and their Facebook, Google, or Twitter accounts, in instances where the user logged into the app using those accounts," the complaint reads. "With respect to Facebook, OneAudience used the malicious SDK -- without authorization from Facebook -- to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook said. Twitter was the first to expose OneAudience's secret data harvesting practices on November 26, last year.

Businesses

Nokia To Weigh Strategic Options as Profit Pressure Mounts (bloomberg.com) 18

Nokia Oyj is exploring strategic options as fierce competition puts pressure on the Finnish network equipment maker's earnings, Bloomberg reported Thursday, citing people familiar with the matter. From the report: The company is working with advisers to consider alternatives ranging from potential asset sales to mergers, the people said, asking not to be identified because the information is private. Other options include shifting investments and making balance-sheet adjustments, one of them said. Deliberations are ongoing, and there's no certainty they will lead to any transactions, the people said. Nokia shares have lost roughly a third of their value over the past year before news of its deliberations.

Software

Larry Tesler, Computer Scientist Who Created Cut, Copy, and Paste, Dies At 74 (gizmodo.com) 66

Larry Tesler, a computer scientist who created the terms "cut," "copy," and "paste," has passed away at the age of 74. Gizmodo reports: Born in 1945 in New York, Tesler went on to study computer science at Stanford University, and after graduation he dabbled in artificial intelligence research (long before it became a deeply concerning tool) and became involved in the anti-war and anti-corporate monopoly movements, with companies like IBM as one of his deserving targets. In 1973 Tesler took a job at the Xerox Palo Alto Research Center (PARC) where he worked until 1980. Xerox PARC is famously known for developing the mouse-driven graphical user interface we now all take for granted, and during his time at the lab Tesler worked with Tim Mott to create a word processor called Gypsy that is best known for coining the terms "cut," "copy," and "paste" when it comes to commands for removing, duplicating, or repositioning chunks of text.

Xerox PARC is also well known for not capitalizing on the groundbreaking research it did in terms of personal computing, so in 1980 Tesler transitioned to Apple Computer where he worked until 1997. Over the years he held countless positions at the company including Vice President of AppleNet (Apple's in-house local area networking system that was eventually canceled), and even served as Apple's Chief Scientist, a position that at one time was held by Steve Wozniak, before eventually leaving the company.

In addition to his contributions to some of Apple's most famous hardware, Tesler was also known for his efforts to make software and user interfaces more accessible. In addition to the now ubiquitous "cut," "copy," and "paste" terminologies, Tesler was also an advocate for an approach to UI design known as modeless computing, which is reflected in his personal website. In essence, it ensures that user actions remain consistent throughout an operating system's various functions and apps. When they've opened a word processor, for instance, users now just automatically assume that hitting any of the alphanumeric keys on their keyboard will result in that character showing up on-screen at the cursor's insertion point. But there was a time when word processors could be switched between multiple modes where typing on the keyboard would either add characters to a document or alternately allow functional commands to be entered.

Network

The 40th Root KSK Ceremony Rescheduled (icann.org) 20

rastos1 writes: The 40th Root Key Signing Key Ceremony, originally scheduled for 12 February 2020 at 2100 UTC in El Segundo, California, is being postponed. "During routine administrative maintenance of our Key Management Facility on 11 February, we identified an equipment malfunction that will prevent us from successfully conducting the ceremony as originally scheduled. The issue disables access to one of the secure safes that contains material for the ceremony," ICANN's Kim Davies wrote.

Microsoft

Suspicion and Anger Towards Microsoft Rises After Windows 10 Search Failure (forbes.com) 173

Earlier this week, searching in Windows 10 was broken, "with a black bar showing where search results should be, even for those who tried to perform a local search of their files." Microsoft issued a fix and blamed the issue on a "third-party networking fiber provider".

But unfortunately, Microsoft's fix isn't working for everyone -- and that's just the beginning. Long-time Slashdot reader Futurepower(R) shares Forbes' report: Second, and more worryingly, Microsoft's explanation doesn't add up and it has prompted serious questions to be asked about how the operating system works and what personal data it is sharing. Popular Microsoft pundit Woody Leonard led the charge, writing: "If you believe that yesterday's worldwide crash of Windows 10 Search was caused by a bad third-party fiber provider, I have a bridge to sell you."

In an open letter to new Windows head Panos Panay, Susan 'Patch Lady' Bradley was similarly sceptical, noting that today "we all found out that our local search boxes are somehow dependent on some service working at Microsoft." She attacked the company for a lack of transparency and gave it a maximum 'Pinocchio score' for a lack of trust... Similarly, Engadget writer Richard Lawler revealed that users were now trying to hack the Windows 10 registry to disconnect their local file searches from Microsoft servers "and I can't say I blame them after this episode. Microsoft owes users a better explanation than this and should make sure it's impossible for offline features to get taken out when the cloud is having an issue."

In fact, Forbes writes that "the aforementioned Windows 10 registry hack appears to be the only 100% fix for this issue and it also disconnects Bing and Cortana online services from Windows 10 search."

And then on Saturday the Windows Latest blog also noticed that Microsoft's release notes for Windows 10 20H1 Build 19035 reveal that Microsoft is apparently now delaying the roll-out of a widely-anticipated "Optional Updates" option. "It appears that the new Optional updates experience will come out in October/November 2020, not this spring as previously planned."

Businesses

No Handshakes at Global Wireless Conference as Virus Spreads (bloomberg.com) 34

Two smartphone makers canceled events at the world's biggest mobile technology showcase in response to the coronavirus outbreak, and organizers reinforced hygiene protocol for people still planning to attend. From a report: Delegates were warned to avoid handshakes and microphones will be changed for different conference speakers in an effort to avoid infections at MWC Barcelona, an annual event that's set to draw around 100,000 people from around the world to the Spanish city from Feb. 24 to 27. This year's conference is supposed to be a launch pad for a renewed push on 5G devices. However, South Korea's LG Electronics said it's withdrawing from exhibiting at the conference because most health experts advised against "needlessly" exposing hundreds of employees to international travel. Shenzhen, China-based ZTE, which makes smartphones and wireless networking equipment, cited difficulties in traveling out of China while virus-containment restrictions are in place, and so it's canceling its MWC press conference, though it will still send a delegation.

Microsoft

Windows Search Went Down For Hours Because of a Microsoft Services Outage (theverge.com) 68

Microsoft's built-in Windows search went down for more than three hours today due to access and latency issues "with multiple Microsoft 365 services." While the issues have since been resolved, it comes just days after Microsoft's Teams service experienced a widespread outage after the company forgot to renew an SSL certificate. The Verge reports: Windows search is built into Microsoft's latest Windows 10 operating system, and it started presenting blank search results for apps or any other search queries at around 8AM ET today. Windows search uses the Bing backend to search for results across the web, and it appears that this was the source of the issue. Microsoft blames a "third-party networking fiber provider" for experiencing a network disruption resulting in multiple Microsoft 365 services issues. "This issue has been resolved for most users and in some cases you may need to reboot your machine," says a Microsoft spokesperson in a statement to The Verge.

Wireless Networking

Researchers Find Some LoRaWAN Networks Vulnerable to Cyber-Attacks (zdnet.com) 6

Slashdot reader JustAnotherOldGuy quotes ZDNet: Security experts have published a report Tuesday warning that the new and fast-rising LoRaWAN technology is vulnerable to cyberattacks and misconfigurations, despite claims of improved security rooted in the protocol's use of two layers of encryption.

LoRaWAN stands for "Long Range Wide Area Network." It is a radio-based technology that works on top of the proprietary LoRa protocol. LoRaWAN takes the LoRa protocol and allows devices spread across a large geographical area to wirelessly connect to the internet via radio waves...

But broadcasting data from devices via radio waves is not a secure approach. However, the protocol's creators anticipated this issue. Since its first version, LoRaWAN has used two layers of 128-bit encryption to secure the data being broadcast from devices — with one encryption key being used to authenticate the device against the network server and the other against a company's backend application. In a 27-page report published Tuesday, security researchers from IOActive say the protocol is prone to misconfigurations and design choices that make it susceptible to hacking and cyber-attacks. The company lists several scenarios it found plausible during its analysis of this fast-rising protocol.

Some examples:
  • "Encryption keys can be extracted from devices by reverse engineering the firmware of devices that ship with a LoRaWAN module."
  • "Many devices come with a tag displaying a QR code and/or text with the device's identifier, security keys, or more."
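The two "layers" the report describes are not independent secrets: in an over-the-air join, both session keys are derived from the single 128-bit root AppKey stored in the device, which is why a key pulled from firmware or read off a QR-code tag undermines both the network layer and the application layer at once. The Go program below is an added illustration written for this digest, not code from ZDNet or IOActive; it implements the LoRaWAN 1.0.x OTAA session-key derivation as specified by the LoRa Alliance (an assumption about the protocol version; the AppKey, AppNonce, NetID and DevNonce values are constructed sample data) and pairs it with a simple provisioning audit that rejects placeholder root keys of the kind a default-credential scan would find.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// SessionKeys holds the two per-session keys a LoRaWAN 1.0.x device ends up
// with after a join. Both descend from the one root AppKey on the device.
type SessionKeys struct {
	NwkSKey [16]byte // network session key: frame integrity towards the network server
	AppSKey [16]byte // application session key: payload confidentiality towards the backend
}

// DeriveSessionKeys implements the OTAA derivation from the LoRaWAN 1.0.x spec
// (assumed here; check against the spec revision your devices implement):
//   NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
//   AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
// appNonce and netID are 3 bytes each and devNonce 2 bytes, in wire order;
// pad16 fills the remaining bytes of the 16-byte block with zeros.
func DeriveSessionKeys(appKey [16]byte, appNonce [3]byte, netID [3]byte, devNonce [2]byte) (SessionKeys, error) {
	block, err := aes.NewCipher(appKey[:])
	if err != nil {
		return SessionKeys{}, err
	}
	var keys SessionKeys
	derive := func(prefix byte, out *[16]byte) {
		var in [16]byte // trailing bytes stay zero: this is the pad16
		in[0] = prefix
		copy(in[1:4], appNonce[:])
		copy(in[4:7], netID[:])
		copy(in[7:9], devNonce[:])
		block.Encrypt(out[:], in[:]) // one AES-128 block, no chaining mode
	}
	derive(0x01, &keys.NwkSKey)
	derive(0x02, &keys.AppSKey)
	return keys, nil
}

// WeakRootKey is a provisioning-time check: it rejects an AppKey that is a
// single repeated byte (all-zero included) or one of a list of placeholder
// keys. The placeholder list is constructed for this example; a real audit
// would load the vendor defaults and sample keys seen in its own fleet.
func WeakRootKey(appKey [16]byte) bool {
	allSame := true
	for _, b := range appKey[1:] {
		if b != appKey[0] {
			allSame = false
			break
		}
	}
	if allSame {
		return true
	}
	placeholders := map[string]bool{
		"000102030405060708090a0b0c0d0e0f": true, // sequential bytes, a common doc/test key shape
	}
	return placeholders[hex.EncodeToString(appKey[:])]
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed sample values; not taken from any real device or network.
	var appKey [16]byte
	copy(appKey[:], mustHex("2b7e151628aed2a6abf7158809cf4f3c"))
	keys, err := DeriveSessionKeys(appKey, [3]byte{0x11, 0x22, 0x33}, [3]byte{0x00, 0x00, 0x13}, [2]byte{0xab, 0xcd})
	if err != nil {
		panic(err)
	}
	fmt.Printf("NwkSKey: %x\nAppSKey: %x\n", keys.NwkSKey, keys.AppSKey)
	fmt.Println("weak root key:", WeakRootKey(appKey))
}
```

Running it prints the two derived session keys for the sample inputs. The point for a defender is that knowledge of AppKey plus the join nonces (which travel over the air, the DevNonce in the clear) yields every session key the device will ever use, so the mitigations that matter are per-device unique root keys, keys that never leave secure storage or a printed label, and rejecting placeholder keys at provisioning time.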

Networking

Cisco Warns: Patch This Critical Firewall Bug in Firepower Management Center (zdnet.com) 5

"Cisco is urging customers to update its Firepower Management Center software," ZDNet reported Thursday, "after users informed it of a critical bug that attackers could exploit over the internet." Like many Cisco bugs, the flaw was found in the web-based management interface of its software. The bug has a severity rating of 9.8 out of a possible 10 and means admins should patch sooner rather than later.

The vulnerability is caused by a glitch in the way Cisco's software handles Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. Remote attackers could exploit the flaw by sending specially crafted HTTP requests to the device. Devices are vulnerable if they've been configured to authenticate users of the web interface through an external LDAP server...

How customers should remediate the issue will depend on which release of Firepower Management Center (FMC) they're running. There is no workaround, but hotfix patches are available for several new releases of FMC, and maintenance releases that address the flaw are scheduled for later this year. "Customers may install a fix either by upgrading to a fixed release or by installing a hotfix patch," Cisco notes...

Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues.

This FMC critical flaw follows updates made available earlier this month for three critical flaws affecting Cisco's Data Center Network Manager software. The researcher who reported the flaw has released proof-of-concept exploit code, but Cisco says it is not aware of any malicious use of the flaws.

Privacy

What Happens When 'Ring Neighbors' Are Always Watching? (denverpost.com) 98

The New York Times reports on "Ring Neighbors," a local social networking service launched by Amazon in 2018 where users "share videos of delivery people carelessly throwing packages, or failing to wait for an answer at the door; others share footage of mail people navigating treacherous ice, or merely waving at the camera." On a U.S. Postal Service forum, a mail carrier asked: "Anyone else feel kind of creeped out that people are recording and watching you, up close, deliver mail to their house or is it just me...?" The company also selects videos from its users to be shared on Ring TV, a video portal run by the company, under categories such as "Crime Prevention," "Suspicious Activity" and "Family & Friends." The videos are, essentially, free ads: The terrifying ones might convince viewers to buy cameras of their own; funny or sweet ones, at a minimum, condition viewers to understand front-door surveillance as normal, or even fun...

Ring videos also provide a constant stream of news and news-like material for media outlets. The headlines that accompany those videos portray an America both macabre and surreal: "Screams for Help Caught on Ring Camera," in Sacramento; "Man pleads for help on doorbell camera after being carjacked, shot in Arizona," in Phoenix; "WOMAN CAUGHT ON MEDFORD DOORBELL CAMERA WITH STOLEN GUN," in Oregon; "'Alien abduction' caught on doorbell cam," in Porter, Tex. (it was a glitch); "Doorbell camera captures Wichita boy's plea for help after getting lost." And then there are videos like one shared by Rob Fox, in McDonough, Ga., in which his dog, locked out of the house, learns to use his doorbell. Mr. Fox posted the video to Facebook and then Reddit, from which the story drew news coverage. Ring contacted him, too, he said, to ask whether the company could use the footage in marketing materials.

Elsewhere, the footage is billed as entertainment. In early December, "America's Funniest Home Videos," which has been aggregating viewer videos since the 1980s, released a best-of compilation: "Funny Doorbell Camera Fails." It is composed almost entirely of people falling down...

Home surveillance means you're never quite home, but you're never completely away from home, either.

Footage from one Florida camera showed a bearded man who "licks the doorbell repeatedly. Then he stands back and stares," according to the Times.

And they also report that Ring cameras are now also being stolen, "leaving their owners with a final few seconds of footage — a hand, a face, a mask — before losing their connections."

Communications

Peter Kirstein, Father of the European Internet, Is Dead At 86 (nytimes.com) 22

Peter Kirstein, a British computer scientist who was widely recognized as the father of the European internet, died on Wednesday at the age of 86. According to his daughter Sara Lynn Black, the cause was a brain tumor. The New York Times reports: Professor Kirstein fashioned his pivotal role in computer networking the old-fashioned way: through human connections. In 1982, his collegial ties to American scientists working in the nascent field of computer networks led him to adopt their standards in his own London research lab. Those standards were called Transmission Control Protocol and Internet Protocol, or TCP/IP, which enable different computer networks to share information. Professor Kirstein embraced TCP/IP despite competing protocols being put forward at the time by international standards groups.

"Peter was the internet's great champion in Europe," said Vinton G. Cerf, an American internet pioneer who was a developer of TCP/IP and a colleague and friend of Professor Kirstein's. "With skill and finesse, he resisted enormous pressure to adopt alternatives." Professor Kirstein was so avid a fan of computer networking that he gave Queen Elizabeth II her own email address, HME2. In 1976, while christening a telecommunications research center in Malvern, England, the queen became one of the first heads of state to send an email.

China

China To Complete Beidou Competitor To GPS With New Launches (apnews.com) 23

China said Friday its Beidou Navigation Satellite System that emulates the U.S. Global Positioning System will be completed with the launch of its final two satellites in the first half of next year. From a report: Project director Ran Chengqi told reporters that the core of the positioning system was completed this month with the launch of additional satellites bringing its total constellation to 24. That was up from 19 the year before, making it one of rising space power China's most complex projects. Ran described the system at a rare news conference as having "high performance indicators, new technology systems, high localization, mass production networking and a wide range of users." "Before June 2020, we plan to launch two more satellites into geostationary orbit and the Beidou-3 system will be fully completed," Ran said.

Businesses

Africa's Internet Management Body Mired Again by Corruption Allegations (theregister.co.uk) 25

orange shares a report: The organization responsible for allocating internet addresses across Africa has yet again become embroiled in scandal, this time over long-standing claims of corruption. A founding employee of Afrinic resigned soon after allegations emerged that millions of its valuable public-facing IPv4 addresses had been stolen and sold or leased to others through companies he controlled. Soon after, Afrinic's external auditor PwC informed the organization it, too, was resigning from its role.

In both cases, Afrinic's board has attempted to place itself above the issue by ordering an investigation and sending a letter to PwC asking for an explanation. But internet insiders say the rot goes far deeper, and note that warnings of unusual activity at Afrinic, including misdirected organizational funds, have long gone unanswered by a series of CEOs and boards, despite a series of "investigations." In an explosive article earlier this month, the lease and sale of allegedly stolen blocks of IP addresses going back years was traced directly to the organization's second employee, Ernest Byaruhanga, Afrinic's policy coordinator.