An academic study published last month shows that despite years worth of research into the woeful state of network traffic inspection equipment, vendors are still having issues in shipping appliances that don't irrevocably break TLS encryption for the end user. From a report: Encrypted traffic inspection devices (also known as middleware), either special hardware or sophisticated software, have been used in enterprise networks for more than two decades. System administrators deploy such appliances to create a man-in-the-middle TLS proxy that can look inside HTTPS encrypted traffic, to scan for malware or phishing links or to comply with law enforcement or national security requirements.

[...] In the last decade, security researchers have looked closely at the issue of TLS inspection appliances that break or downgrade encryption. There has been much research on the topic, from research teams from all over the world. But despite years worth of warnings and research, some vendors still fail at keeping the proper security level of a TLS connection when relaying traffic through their equipment/software. Academic research [PDF] published at the end of September by three researchers from Concordia University in Montreal, Canada, shows that network traffic inspection appliances still break TLS security, even today.

An anonymous reader quotes a report from NPR: The Chinese government has been forming global partnerships with Western think tanks, recruiting key talent at networking events sponsored by the Chinese government and working with U.S. universities, says Michael Brown, managing director of the Pentagon's Defense Innovation Unit in Mountain View, Calif. The unit was set up in 2015 to help the U.S. military capitalize on emerging commercial technologies. And, he notes, there is serious concern in Washington that China could acquire too much sensitive U.S. technology and transfer it back home.

Adam Lysenko, a senior analyst at Rhodium Group, an economic research firm, says American entities represent the largest venture capital investment in startup technology companies, but Chinese investment accounts for about 15 percent of the deals. In the past eight years, there were more than 1,300 rounds of funding for U.S. startups with at least one Chinese investor, Lysenko says, totaling about $11 billion of Chinese investment. After a record 2017, Rhodium Group predicts 2018 will be another record year for Chinese venture capital into U.S. startups. Lysenko says this has become a concern in national security circles because the nature of emerging technology is inherently dual-use: The artificial intelligence algorithms that help speed up your smartphone could also be applied to weapons on the battlefield. China's quest for innovation and know-how can best be illustrated by the offices of Baidu -- China's largest internet provider and Google's rival -- which is located right next to a Google complex. "Baidu opened its innovation center, called the Institute of Deep Learning, four years ago, with a focus on a self-driving vehicle called Apollo," reports NPR. "Other Chinese tech powerhouses -- Alibaba, Tencent and Huawei -- also have Silicon Valley research and development centers. Instead of buying an existing U.S. business, these Chinese tech giants come to the U.S. and build new companies from the ground up, in what's known as 'greenfield' investments. [T]hese Chinese tech companies hire away a lot of U.S. employees who might otherwise work for American businesses."

An anonymous reader quotes a report from TechCrunch: Facebook has said it's found "no evidence" that third-party apps were affected by the data breach it revealed last week. Hackers stole account access tokens on at least 50 million users by exploiting a chain of three vulnerabilities inadvertently introduced by Facebook last year. Another 40 million also may have been affected by the attack. Facebook revoked those tokens -- which keep users logged in when they enter their username and password -- forcing users to log back into the site again. But there was concern that third-party apps, sites and services that rely on Facebook to log in -- like Spotify, Tinder and Instagram -- also may have been affected, prompting companies that use Facebook Login to seek answers from the social networking giant. "We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week,â said Guy Rosen, Facebook's vice president of product management, in a blog post. "That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login. Any developer using our official Facebook SDKs -- and all those that have regularly checked the validity of their users' access tokens -- were automatically protected when we reset people's access tokens."

Furthermore, Rosen said that not all developers use Facebook's developer tools, so the social network is "building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out."

An anonymous reader quotes a report from TechCrunch: U.S. government investigators have lost a case to force Facebook to wiretap calls made over its Messenger app. A joint federal and state law enforcement effort investigating the MS-13 gang had pushed a district court to hold the social networking giant in contempt of court for refusing to permit real-time listening in on voice calls. According to sources speaking to Reuters, the judge later ruled in Facebook's favor -- although, because the case remains under seal, it's not known for what reason. The case, filed in a Fresno, Calif. district court, centers on alleged gang members accused of murder and other crimes. The government had been pushing to prosecute 16 suspected gang members, but are said to have leaned on Facebook to obtain further evidence.

Kashmir Hill, reporting for Gizmodo: Last week, I ran an ad on Facebook targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn't work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove's office, a number Mislove has never provided to Facebook. He saw the ad within hours.

One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a "custom audience." You might assume that you could go to your Facebook profile and look at your "contact and basic info" page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it's going about it in a less transparent and more invasive way.

[...] Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser. They came up with a novel way to detect whether that information became available to advertisers by looking at the stats provided by Facebook about the size of an audience after contact information is uploaded. They go into this in greater length and technical detail in their paper [PDF]. They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks. Officially, Facebook denies the existence of shadow profiles. In a hearing with the House Energy & Commerce Committee earlier this year, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it.

A former Facebook contract employee has filed a lawsuit, alleging that content moderators who face mental trauma after reviewing distressing images on the platform are not being properly protected by the social networking company. Reuters reports: Facebook moderators under contract are "bombarded" with "thousands of videos, images and livestreamed broadcasts of child sexual abuse, rape, torture, bestiality, beheadings, suicide and murder," the lawsuit said. "Facebook is ignoring its duty to provide a safe workplace and instead creating a revolving door of contractors who are irreparably traumatized by what they witnessed on the job," Korey Nelson, a lawyer for former Facebook contract employee Selena Scola, said in a statement on Monday. Facebook in the past has said all of its content reviewers have access to mental health resources, including trained professionals onsite for both individual and group counseling, and they receive full health care benefits. More than 7,500 content reviewers work for Facebook, including full-time employees and contractors. Facebook's director of corporate communications, Bertie Thomson, said in response to the allegations: "We take the support of our content moderators incredibly seriously, [...] ensuring that every person reviewing Facebook content is offered psychological support and wellness resources."

An anonymous reader writes: Hackaday recently engaged in a bit of urban exploration, taking a look inside of a recently purchased Toys "R" Us location that has been boarded up since the once giant toy store chain folded in June. Inside they found plenty of hardware left behind, from point-of-sale systems to the Cisco networking gear in the server room. But the most interesting find was on paper.

In a back office, they found "several boxes" of personal information about the store's employees, from their medical records to photocopies of their driver's licenses and Social Security cards [and also tax forms]. A video included with the article gives the viewer an impression of just how large a collection of files were left behind.

The author wonders if the situation in this particular store was a fluke, or if the other [800] Toys "R" Us locations were left in a similar state.
The article calls it "a very surprising look at what get's left behind when the money runs out and the employees simply give up...."

"We saw the great lengths the company went to protect customer information, so to see how little regard they had for their own people was honestly infuriating."

CloudFlare has introduced a new gateway that allows you to easily access content stored on IPFS, or the InterPlanetary File System, through a web browser and without having to install a client. From a report: With this announcement, CloudFlare also explains how you can use their gateway to create static web sites that are served entirely over IPFS. This allows users to create web sites containing information that cannot be censored by governments, companies, or other organizations. [...] With CloudFlare's IPFS Gateway, it is very easy to access files stored in IPFS using any web browser. To open a file stored on IPFS you would simply connect to the web address https://cloudflare-ipfs.com/ipfs/[hash] URL, where hash is the hash of the file stored on IPFS.

Will Townsend, a senior analyst at Moor Insights & Strategy research firm, writes: As it relates to networking, the Linux Foundation is currently focused on a number of projects that are bringing top networking vendors, operators, service providers, and users together. Among the top initiatives are the Open Network Automation Platform (ONAP) and Data Plane Development Kit (DPDK). In this article, I would like to dive into both of these initiatives and share my perspective on how each is transforming the nature of networking [Editor's note: the website may have auto-playing videos; an alternative link was not available].

It makes sense that ONAP's releases are named after global cities, considering the platform's growing global footprint. ONAP is aimed at bringing real-time automation and orchestration to both physical and virtualized network functions. The first release in the fall of 2017, named Amsterdam, delivered a unified architecture for providing closed-loop networking automation. The underlying framework ensured a level of modularity to facilitate future functionality as well as standards harmonization and critical upstream partner collaboration. Initial use cases centered on Voice Over LTE (VoLTE) services as well as Virtualized Consumer Premise Equipment (vCPE). Both are extremely cost disruptive from a deployment and management perspective and deliver enhanced service provider agility. What I find extremely compelling is that Amsterdam was only an eight-month development cycle from start to release. That's an amazing feat even in the fast-paced technology industry.

[...] DPDK was an effort initially led by Intel at its inception nearly eight years ago, but became a part of the Linux Foundation back in 2017. At a high level, the technology accelerates packet processing workloads running on a variety of CPU architectures. DPDK is aimed at improving overall network performance, delivering enhanced encryption for improved security and optimizing lower latency applications that require lightning-fast response time. The transformative power of 5G networks lies in their potential to deliver low latency for applications such as augmented/virtual reality and self-driving cars -- DPDK will further extend that performance for next-generation wireless wide area networks. I had the opportunity recently to speak to project chair Jim St. Leger after the fifth DPDK release, and I was impressed with the depth and breadth of the open source project. Over 25 companies and 160 technologists are involved in advancing the effort. With the proliferation of data, cord cutting at home, and growing consumption of video over wired and wireless networks, high-quality compression techniques will dramatically improve performance and reliability. DPDK appears to be poised to contribute significantly to that effort.

Facebook believes they can use machine learning to speed up magnetic resonance imaging (MRI) scans. Computer scientists from the social networking site are working with New York University's medical school on the project. CNNMoney reports: NYU is providing an anonymous dataset of 10,000 MRI exams, a trove that will include as many as three million images of knees, brains and livers. Researchers will use the data to train an algorithm, using a method called deep learning, to recognize the arrangement of bones, muscles, ligaments, and other things that make up the human body. Building this knowledge into the software that powers an MRI machine will allow the AI to create a portion of the image, saving time. Making the tests faster would allow radiologists to perform a wider variety of tests.

News outlet CNET has two big stories on Microsoft today. The publication interviewed CEO Satya Nadella on the changes he has made since taking the top job. The stories, among other things, talks about Microsoft Hackathon, the diversity pushes Nadella has made at the company, and how Microsoft lost the touch with what made it successful, and how Nadella is trying to fix that. From story one: Nadella dreamed up the Microsoft Hackathon, which the company calls the "largest private hackathon in the world," when he became CEO in February 2014. Just a few of the thousands of projects pitched over the past five years have inspired mainstream products. Most of these let's-change-the-world ideas aren't the kind of business tech that Microsoft makes the bulk of its money on -- at least not today.

That's just fine with Nadella, because the meetup serves another purpose: rebranding Microsoft as a modern, relevant company. When he became the third CEO of the world's largest software company, after Bill Gates and Steve Ballmer, Nadella made changing Microsoft's rigid, hierarchical and arrogant culture his top priority. He sort of had to. Though arguably one of the most successful technology companies in history, Microsoft's had a string of high-profile misses in mobile, search and social networking. Additionally, the company's toxic culture, characterized by corporate politics, infighting and backstabbing, fed an image of Microsoft as a fading legend.

Rivals Apple, Google and Facebook were seen as innovators creating shiny new opportunities with their disruptive tech. A generation grew up without ever having used a Microsoft product. "One of the things that happens when you're super successful is you sort of sometimes lose touch with what made you successful in the first place," Nadella tells us when we ask what he was trying to solve with the hackathon."I wanted to go back to the very genesis of this company: What is that sense of purpose and drive that made us successful? What was the culture that may have been there in the very beginning or in the times when we were able to achieve that success? How do we really capture it?" says Nadella, who joined Microsoft in 1992. It's about "the renaissance as much as about just sort of fixing something that's broken." From story two: CNET: What is the vibe or image of Microsoft you want the world to know?
Nadella: It's in our mission. It's empowering. Any association with this company should be, they put some tools, they put some platforms, they gave me the opportunity to really do something. Whether it's a student writing a term paper, whether it's a startup trying to create a company, a small business that's trying to be more productive or even a public sector institution that's trying to be more efficient and serve its citizens -- [they] should feel that association with Microsoft is empowering to them. That's what I want us to stand for.

An anonymous reader quotes the BBC: Ordinary wi-fi could be used to detect weapons and explosives in public places, according to a study led by the Rutgers University in New Jersey. Wireless signals can penetrate bags to measure the dimensions of metal objects or estimate the volume of liquids, researchers claim. Initial tests appeared to show that the system was at least 95% accurate.

It could provide a low-cost alternative to airport-style security, researchers said. The system works by analysing what happens when wireless signals penetrate and bounce off objects and materials.

The systems and database administrator for a Fortune 500 company notes that while NFS is "decades old and predating Linux...the most obvious feature missing from NFSv4 is native, standalone encryption." emil (Slashdot reader #695) summarizes this article from Linux Journal: NFS is the most popular remote file system in the Linux, UNIX, and greater POSIX community. The NFS protocol pushes file traffic over cleartext connections in the default configuration, which is poison to sensitive information.

TLS can wrap this traffic, finally bringing wire security to files vulnerable to compromise in transit. Before using a cloud provider's toolset, review NFS usage and encrypt where necessary.
The article's author complains that Google Cloud "makes no mention of data security in its documented procedures," though "the performance penalty for tunneling NFS over stunnel is surprisingly small...."

"While the crusade against telnet may have been largely won, Linux and the greater UNIX community still have areas of willful blindness. NFS should have been secured long ago, and it is objectionable that a workaround with stunnel is even necessary."

fstack writes: Linus Torvalds has released Linux 4.18 as the newest kernel bringing a Steam Controller kernel driver, Spectre updates for ARM64, power management updates, a "Restartable Services" system call, AMD Radeon graphics driver improvements, V3D DRM as Broadcom's new graphics driver, DM writecache support, USB 3.2 support, and many other updates. Linus Torvalds wrote of the 4.18 final release: "It was a very calm week, and arguably I could just have released on schedule last week, but we did have some minor updates. Mostly networking, but some vfs race fixes (mentioned in the rc8 announcement as 'pending') and a couple of driver fixes (scsi, networking, i2c). Some other minor random things (arm crypto fix, parisc memory ordering fix)." In a separate article, Phoronix details all the changes and new features available in this release.

Booby-trapped image data sent by fax can let malicious hackers sneak into corporate networks, security researchers have found. From a report: Since many companies use fax machines that are also printers and photocopiers, they often have a connection to the internal network. The malicious images exploit protocols established in the 1980s that define the format of fax messages. The research was presented at the Def Con hacker conference in Las Vegas. The two researchers said millions of companies could be at risk because they currently did little to secure fax lines. "Fax has no security measures built in -- absolutely nothing," security researcher Yaniv Balmas, from Check Point software, told the BBC. Mr Balmas uncovered the security holes in the fax protocols with the help of colleague Eyal Itkin and said they were "surprised" by the extent to which fax was still used.

An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port. The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."

NEC, a Japanese IT and networking company, announced plans to provide a large-scale facial recognition system for the 2020 Summer Olympic and Paralympic Games in Tokyo. "The system will be used to identify over 300,000 people at the games, including athletes, volunteers, media, and other staff," reports The Verge. From the report: NEC's system is built around an AI engine called NeoFace, which is part of the company's overarching Bio-IDiom line of biometric authentication technology. The Tokyo 2020 implementation will involve linking photo data with an IC card to be carried by accredited people. NEC says that it has the world's leading face recognition tech based on benchmark tests from the US's National Institute of Standards and Technology. NEC demonstrated the technology in Tokyo today, showing how athletes and other staff wouldn't be able to enter venues if they were holding someone else's IC card. The company even brought out a six-foot-eight former Olympic volleyball player to demonstrate that the system would work with people of all heights, though he certainly had to stoop a bit. It worked smoothly with multiple people moving through it quickly; the screen displayed the IC card holder's photo almost immediately after.

At least two malls in Calgary are using facial recognition technology to track shoppers' ages and genders without first obtaining their consent. "A visitor to Chinook Center in south Calgary spotted a browser window that had seemingly accidentally been left open on one of the mall's directories, exposing facial-recognition software that was running in the background of the digital map," reports CBC.ca. "They took a photo and posted it to the social networking site Reddit on Tuesday." From the report: The mall's parent company, Cadillac Fairview, said the software, which they began using in June, counts people who use the directory and predicts their approximate age and gender, but does not record or store any photos or video from the directory cameras. Cadillac Fairview said the software is also used at Market Mall in northwest Calgary, and other malls nationwide. Cadillac Fairview said currently the only data they collect is the number of shoppers and their approximate age and gender, but most facial recognition software can be easily adapted to collect additional data points, according to privacy advocates. Under Alberta's Personal Information Privacy Act, people need to be notified their private information is being collected, but as the mall isn't actually saving the recordings, what they're doing is legal. It's not known how many other Calgary-area malls are using the same or similar software and if they are recording the data.

LinkedIn has been trying to make its business networking platform more like Facebook of late, with features like presence, and Google-like smart replies. Now, it's introducing voice messages just like Facebook and Facebook-owned WhatsApp. From a report: "Whether you're responding while walking or multitasking, or need to give an in-depth explanation, voice messages let you more easily and quickly communicate in your own voice with your connections," LinkedIn said in a blog. Personally, I loathe having to open voice messages on WhatsApp and have never received one on Facebook Messenger, but for the sender, at least, such services can be helpful if they're on the go and can't stop to type a message. And that's LinkedIn's justification for releasing the feature. LinkedIn thinks its new option will be a time-saver for users who find typing laborious in some situations. On the downside, this feature could rapidly become a real pain for those who already get bombarded with written messages from strangers promoting products and services on LinkedIn Messages.

secwatcher writes from a report via Threatpost: Cisco Talos researchers found flaws located in Samsung's centralized controller, a component that connects to an array of IoT devices around the house -- from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices. "Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities," researchers said in a report. Threatpost goes on to detail the "multiple attack chain scenarios." Thankfully, Samsung has since patched the bugs. "We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue," a Samsung spokesperson told Threatpost. "All active SmartThings Hub V2 devices in the market are updated to date." The company released a firmware advisory for Hub V2 devices on July 9th.