Dozens of Whole Foods stores will soon let you pay with just a scan of your palm

You can register your hands at participating stores


Amazon’s palm-scanning technology is expanding to 65 Whole Foods locations across California. The checkout devices were introduced in 2020 as part of the Amazon One payment service, allowing customers to pay with a scan of their palm. This is the biggest rollout by the company yet, with the first new Whole Foods locations adding support today in Malibu, Montana Avenue, and Santa Monica.

Customers can set up Amazon One by registering their palm print using a kiosk or at a point-of-sale station at participating stores. To register, you need to provide a payment card and phone number, agree to Amazon’s terms of service, and share an image of your palms. Once completed, you can take items to checkout and not have to take out your wallet — or even your phone. A hover of your hand over the device is all that’s needed to pay and leave.

The Amazon One rollout is part of the company’s campaign to change how customers interact at retail stores and runs alongside its Just Walk Out-enabled stores with technologies that make it faster to pay. Amazon One is designed to identify you accurately and allow you to pay at Amazon-owned stores, but the company is looking to expand the technology to outside businesses as well.

Several Whole Foods locations have already been testing the palm-scanning tech in the LA area, as well as in Austin, Seattle, and New York. It’s also been available at the company’s Amazon Style store in Glendale and at select Amazon Go and Fresh stores.

Amazon states that the images taken on the kiosk aren’t stored locally; instead, they are encrypted and then sent to a cloud server that is dedicated to Amazon One, where an identifiable palm signature is generated. My colleague James Vincent wrote more about how the technology works and its concerns in 2020.

Amazon has found success in convincing millions of customers to provide them with data in exchange for a more convenient lifestyle. Things like online shopping, grocery shopping, using Alexa, Ring smart cameras, doorbells, and now room-mapping robot vacuum cleaners are all areas that Amazon collects data in, and that will continue to be a concern to privacy advocates.


Encrypting Messenger could be a ‘grotesque betrayal,’ says top UK politician

End-to-end encryption is re-igniting debates about privacy vs safety

Illustration by Alex Castro / The Verge

Facebook’s parent company Meta is heading into another political battle over the planned introduction of end-to-end encryption (E2EE) in its Messenger chat platform. The UK’s home secretary, Priti Patel, makes this clear in an op-ed for Tory mouthpiece The Telegraph this week, saying it would be a “grotesque betrayal” if the company didn’t consider issues of child safety while introducing E2EE. Similar arguments are likely to be raised in the US, too.

Meta has been working on adding E2EE to Messenger for years, and recently confirmed that it aims to encrypt all chats and calls on the platform by default next year. (It currently only offers default E2EE on its other big chat platform, WhatsApp, though users can opt in to E2EE on Messenger on a chat-by-chat basis.) The move is reigniting decades-old debates in politics and tech about the right way to balance user privacy and safety. In the US, these arguments have been heightened by the potential for police to issue search warrants for user chats in order to enforce new abortion laws after the overturn of Roe v. Wade.

In the UK, arguments over encryption tend to focus on child safety and the dissemination of child sexual abuse material, or CSAM. “A great many child predators use social media platforms such as Facebook to discover, target and sexually abuse children,” writes Patel in her op-ed. “It is vital that law enforcement have access to the information they need to identify the children in these images and safeguard them from vile predators.”

Patel references a recent whitepaper written by the technical heads of GCHQ and the UK’s National Cyber Security Centre (NCSC), which argues in favor of “client-side scanning” as a way to balance user privacy and the needs of law enforcement. This is the same method that Apple planned to introduce in Messages on iOS last year, before it scrapped the proposal after facing strong criticism. Essentially, client-side scanning compares photos and videos on users’ devices to a list of banned content. Privacy advocates argue that this list could easily be expanded to allow broad and intrusive surveillance on said devices.

Although Patel is clear that the UK government wants some carveouts from Meta over encryption, it’s not clear how politically tenable these demands are. The UK’s Conservative party planned to enforce compliance through its Online Safety Bill, a sweeping piece of legislation with the intention of making the UK “the safest place in the world to be online.” But the Bill has been put on hold — perhaps permanently — due to the resignation of Boris Johnson as party leader, while the Tories’ ongoing leadership battle means the government is without a clear agenda for the time being. The battle of encryption will absolutely continue, but in the UK at least, forces are not yet ready to take the field.

Apple adds select MacBooks to Self Service Repair offerings

Four months after opening its Self Service Repair offerings to iPhone owners in the U.S., Apple is adding a handful of MacBooks to the mix. When the laptop repair program opens tomorrow, it will include the 2020 M1 MacBook Air and 13-inch MacBook Pro and the 14- and 16-inch 2021 M1 Pros.

As with the iPhone before it, Apple will continue adding more models (and repair types) moving forward. That includes the new M2 MacBooks (released after work began on the project) and additional systems like the iMac and Mac Studio Display.

There’s already a fairly wide range of repairs available, including the display, battery, top and bottom case, TrackPad, Touch ID module, speakers, audio board and Logic Board, among others. Prices, predictably, range fairly dramatically, from $5 for five screws, $12 for an audio board and $29 for speakers to ~$580 for the logic board. The company says prices are the same as what it charges for the 5,000 or so Apple Authorized Service Providers around the country.


The pricing, keep in mind, is after trading in the older model. That both encourages recycling and keeps the prices down for Apple, which recirculates refurbed components back into the Apple ecosystem, be it through refurbished systems or the repair program itself.

Those parts that are simply too busted to save, meanwhile, get recycled, while the company still gives a discount. It’s not an insignificant one either — one logic board, for instance, is nearly 3x the price if you don’t send back the old one. It’s also attempting to address potential incompatibility. No word on whether such an issue could potentially break the system’s warranty.

The logic board is the most interesting piece of the puzzle here. I suspect handy folks will be inclined to use Self Service Repair as a kind of after-market upgrade for things like RAM and storage. The company is nipping that impulse in the bud, however, by only offering the discount if you send in a part with the same SKU. That means if you buy a board with a larger hard drive, you’ll be paying full price for the component — and it’s not cheap. This is done to actively discourage users from trying to undercut the price by upgrading after the fact.

Like the iPhone before it, Apple is providing its own pro tools for repairs. The tool size turned heads last time. Getting a massive hard case shipped to your home to repair a little phone is not exactly the most convenient thing in the world, especially compared to companies like Samsung and Google, which partnered with iFixit for their own repair offerings. But Apple is effectively giving you the same tools its certified repairers use. You can always use your own with the instructions provided on the site, but again, breaking the system during repair is a quick way to get out of a warranty.


As ever, the company would rather push most people to get their devices fixed by an authorized repairer. “Over the past three years, Apple has nearly doubled the number of service locations with access to genuine Apple parts, tools, and training, including more than 3,500 Independent Repair Providers,” it notes in a release. “A global network of more than 5,000 Apple Authorized Service Providers supports more than 100,000 active technicians. As a result, in the US, eight out of 10 Apple customers are located within 20 minutes of an authorized service provider.”

With right to repair legislation seemingly over the horizon, however, Self Service Repair, at the very least, presents the option to fix it yourself, even if the process isn’t especially easy. Ultimately, you’ve got to do the math yourself on that one.

The repair kit is available for a $49 rental. And the good news is that the Mac’s kit is actually smaller than the iPhone’s, due to the fact that it doesn’t require a glue-melting machine. The other good bit of news is that because Macs are larger and less tightly packed together, there’s a bit more room for error here. Though, again, the company is recommending these repairs only to those with some experience under their belt, lest something go terribly wrong.

State, federal agencies warning of scam Amazon and Apple calls


The Michigan State Police and Federal Trade Commission are warning Michigan residents of a phone scam where the callers are claiming to be from Amazon and/or Apple.

Recently, the Federal Trade Commission announced scammers are calling people, posing as both Amazon and Apple representatives and claiming there is a suspicious purchase, lost package, unfilled order or an issue with Apple iCloud accounts. In both scenarios, police said the scammers say a person can “press 1” to speak with customer service or provide a number to call.

Police said people should not do either because it is a scam. The purpose is to attempt to steal personal information such as account passwords or credit card numbers, according to police. If a person gets an unexpected call or message about a problem with any account, the police said they should hang up.

If a person believes there is a legitimate problem with their accounts, they should contact the company using the correct contact number for customer service and support.

In recent information released by the Federal Trade Commission, Consumer Education Specialist Alvaro Puig stated that these callers are trying to rip people off. Even if a person is on the National Do Not Call Registry, scammers don’t care. The best defense against unwanted calls is call blocking, according to the FTC.

Which type of call-blocking or call-labeling technology you use will depend on the phone, the FTC said: whether it’s a mobile, a traditional landline, or a home phone that makes calls over the internet.

Call blocking technologies or devices can stop a lot of the unwanted calls you get such as scam calls and illegal robocalls before they reach you, according to the FTC. Mobile phones, landlines, and home phones that use the internet each have their call-blocking options, but the FTC said people also need to understand call-blocking services could block some legitimate calls.

For more information about how to do this go to www.consumer.ftc.gov/articles/how-block-unwanted-calls.

Got a Zoom invite? BBB says it could be a scam

Zoom video chatting has exploded in popularity thanks to the pandemic, but that popularity has given way to potential scams.
Published: Nov. 26, 2020 at 5:52 PM EST | Updated: Nov. 27, 2020 at 7:44 AM EST

The Better Business Bureau reports that a scam surrounding the video chat service Zoom is going around.

How the Scam Works

BBB says victims will receive an email, text or social media message out of the blue that includes Zoom’s logo and a message saying something like “Your Zoom account has been suspended. Click here to reactivate.” or “You missed a meeting, click here to see the details and reschedule.” You might even receive a message welcoming you to the platform and requesting you click on a link to activate your account.

Scammers registered more than 2,449 Zoom-related domains from late April to early May this year alone, BBB said.

To avoid the scam, BBB gave some tips:

  • Double check the sender’s information. Zoom.com and Zoom.us are the only official domains for Zoom. If an email comes from a similar looking domain that doesn’t quite match the official domain name, it’s probably a scam.
  • Never click on links in unsolicited emails. Phishing scams always involve getting an unsuspecting individual to click on a link or file sent in an email that will download dangerous malware onto their computer. If you get an unsolicited email and you aren’t sure who it really came from, never click on any links, files, or images it may contain.
  • Resolve issues directly. If you receive an email stating there is a problem with your account and you aren’t sure if it is legitimate, contact the company directly. Go to the official website by typing the name in your browser and find the “Contact Support” feature to get help.


Shark Tank host loses $400,000 in a scam

Updated 11:14 AM ET, Thu February 27, 2020

New York (CNN Business) — “Shark Tank” judge Barbara Corcoran lost nearly $400,000 in an elaborate email scam that tricked her staff.

Corcoran said someone acting as her assistant sent an invoice to her bookkeeper earlier this week for a renovation payment. She told People that she had “no reason to be suspicious” about the email because she invests in real estate, so the bookkeeper wired $388,700 to the email address.
The problem was that the email address didn’t belong to her assistant. The scammer imitated her assistant’s email address and misspelled it with one letter. The mistake wasn’t caught until the bookkeeper emailed the assistant’s correct address for a follow-up.
Corcoran said the scammer has “disappeared,” and she acknowledged that she wouldn’t be getting her money back.
“I was upset at first, but then remembered it was only money,” Corcoran told the magazine.
Corcoran’s assistant Emily Burke told CNN Business that the “Shark Tank” star wouldn’t provide any additional comment “at the advisement of her attorneys until the authorities are done investigating.”
However, Corcoran tweeted: “Lesson learned: Be careful when you wire money!” with a link to a TMZ story.
In addition to being an investor and a judge on the hit ABC show, Corcoran formerly owned the global real estate agency that shares her name. She sold it for $66 million in 2001.
Corcoran fell for a phishing scam. It’s common, too: Nearly 30,000 people reported being a victim of that type of scam last year. Together they reported nearly $50 million in losses, according to the FBI’s 2018 Internet Crime Report.
Phishing attacks are common methods of stealing usernames, passwords and money. Hackers pretend to be a trustworthy source to convince you to share personal data. To be safe, it’s important to make sure the sender is authentic before clicking on a link. Google has rolled out security protections that warn people of potentially unsafe emails.
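Both the BBB’s Zoom tip (only zoom.com and zoom.us are official, so a near-match domain is suspect) and the Corcoran case (an assistant’s address misspelled by one letter) come down to the same sender-address check. The following is an added example written for this page, not code from BBB, Zoom or CNN; the known-contact allow-list and its address are constructed, and the edit-distance thresholds and the decision to treat subdomains of an official domain as official are assumptions.

```python
"""Classify an email From: header against an official-domain list and a
known-contact list, flagging the two lookalike patterns in the articles above.
Added example; thresholds and allow-lists are constructed for illustration."""
from email.utils import parseaddr

# Official domains quoted in the BBB tip.
OFFICIAL_DOMAINS = {"zoom.com", "zoom.us"}
# Constructed allow-list of trusted correspondents (placeholder address).
KNOWN_CONTACTS = {"assistant@corcoran-office.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_sender(from_header: str):
    """Return (display_name, address, domain); domain is None if malformed."""
    name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return name, addr, None
    return name, addr, addr.rsplit("@", 1)[1]


def is_official(domain: str, official=OFFICIAL_DOMAINS) -> bool:
    """Exact match or a subdomain of an official domain (assumption: the brand
    controls its own subdomains, so notifications.zoom.us counts as official)."""
    return domain in official or any(domain.endswith("." + o) for o in official)


def classify_sender(from_header, official=OFFICIAL_DOMAINS, contacts=KNOWN_CONTACTS):
    """Label a sender. Returns (label, detail) where label is one of:
    official, known-contact, lookalike-contact, lookalike-domain,
    display-name-spoof, unrelated, invalid.
    Lookalike checks are deliberately conservative (a legitimate domain that
    merely contains the brand string will be flagged for a human to look at)."""
    name, addr, domain = split_sender(from_header)
    if domain is None:
        return ("invalid", addr)
    if is_official(domain, official):
        return ("official", domain)
    if addr in contacts:
        return ("known-contact", addr)
    # Corcoran pattern: whole address one edit away from a trusted contact.
    for contact in sorted(contacts):
        if levenshtein(addr, contact) == 1:
            return ("lookalike-contact", contact)
    # Zoom pattern: domain within two edits of an official one (zoon.us),
    # or the brand name embedded in a foreign domain (zoom-support.net).
    best = min(sorted(official), key=lambda o: levenshtein(domain, o))
    brands = {o.split(".")[0] for o in official}
    if levenshtein(domain, best) <= 2 or any(b in domain for b in brands):
        return ("lookalike-domain", best)
    # Display name claims the brand while the domain is something else.
    if any(b in name.lower() for b in brands):
        return ("display-name-spoof", domain)
    return ("unrelated", domain)


if __name__ == "__main__":
    # Constructed sample headers exercising each label.
    for hdr in ["Zoom <no-reply@zoom.us>", "Zoom <alerts@zoon.us>",
                "Zoom Support <help@zoom-support.net>", "Zoom <support@gmail.com>",
                "Assistant <assistant@corcoran-offlce.example>", "bob@example.org"]:
        print(f"{hdr!r:50} -> {classify_sender(hdr)}")
```

Anything other than official or known-contact is a cue to follow the BBB’s third tip and contact the organisation through its published site rather than the message.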

Microsoft: Application Inspector is now open source, so use it to test code security


Microsoft has released the Microsoft Application Inspector, a cross-platform open-source command-line tool that its engineers use to quickly probe third-party open-source software components for security issues.

The static source-code analyzer aims to help developers handle potential security issues that arise through code reuse when incorporating open-source components, such as software libraries, into a project.

“Reuse has great benefits, including time to market, quality, and interoperability, but sometimes brings the cost of hidden complexity and risk,” write Guy Acosta and Michael Scovetta, members of Microsoft’s Customer Security and Trust team.  

“You trust your engineering team, but the code they write often accounts for only a tiny fraction of the entire application. How well do you understand what all those external software components actually do?”

As they note, modern web applications often have hundreds of third-party components that contain tens of thousands of lines of code, which were written by thousands of contributors. And typically developers who use those components rely on the author’s description, which Microsoft argues is not reliable or enough to meet Microsoft’s responsibility for shipping secure code, which includes external components.

Microsoft argues Application Inspector is a unique static code analyzer because it doesn’t flag ‘good’ or ‘bad’ patterns but rather highlights ‘interesting’ features in a report based on over 500 rule patterns. The idea is that the tool can help identify these interesting characteristics more quickly than manual introspection.

The tool targets features of software components that affect security, such as the use of cryptography, components that connect to a remote entity such as a public cloud, and the platforms it runs on.

Application Inspector is built on .NET Core, which means it can be used by developers on Windows, Linux or macOS.

“Application Inspector’s primary objective is to identify source-code features in a systematic and scalable way not found elsewhere in typical static analyzers. This enables developers and security professionals to validate purported component objectives, e.g., a string padding library only does what it says,” Microsoft explains in a wiki.

The tool can analyze millions of lines of source code from components that are built in multiple popular programming languages.

Application Inspector produces a browser-based report that summarizes the major characteristics identified, including application frameworks, cloud interfaces, cryptography, sensitive data like access keys, personally identifiable information, operating system functions, and security features.

But the company stresses that Application Inspector doesn’t remove the need for security code review or a security static analyzer. However, it could be a useful addition for developers facing tight deadlines.
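To make the “characterise, don’t judge” idea concrete, here is an added, miniature rule-based feature tagger in the same spirit: it reports which interesting traits a component shows so a reviewer can compare them with what the component claims to do. This is illustration code written for this page, not Application Inspector’s own rules or report format; the rule set, categories and the sample “string padding” component (including its key-like string) are constructed.

```python
"""Tag 'interesting' source features by category and compare them with a
component's purported purpose. Hypothetical rules, not Application Inspector's."""
import re
from collections import defaultdict

# Constructed rule set: (category, feature, pattern). Patterns are coarse on
# purpose; the point is characterisation, not a verdict of good or bad.
RULES = [
    ("cryptography", "hashing", re.compile(r"\b(hashlib|sha256|md5|sha1)\b", re.I)),
    ("cryptography", "symmetric cipher", re.compile(r"\b(AES|Fernet|ChaCha20)\b")),
    ("cloud-interface", "HTTP client",
     re.compile(r"\b(requests\.(get|post)|urllib\.request|http\.client)\b")),
    ("cloud-interface", "cloud endpoint",
     re.compile(r"https?://[\w.-]*(amazonaws\.com|azure\.com|googleapis\.com)", re.I)),
    ("sensitive-data", "access key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("sensitive-data", "hardcoded secret",
     re.compile(r"(?i)(secret|api[_-]?key|password)\s*=\s*['\"][^'\"]{8,}['\"]")),
    ("os-function", "process execution",
     re.compile(r"\b(subprocess\.(run|Popen|call)|os\.system)\b")),
    ("os-function", "file system write", re.compile(r"\bopen\([^)]*['\"][wa]b?['\"]")),
]


def scan_source(text: str, path: str = "<memory>"):
    """Return one finding per (line, rule) hit, with the line as evidence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, feature, pattern in RULES:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "category": category,
                                 "feature": feature, "excerpt": line.strip()})
    return findings


def summarize(findings):
    """Collapse findings into {category: sorted list of features seen}."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["category"]].add(f["feature"])
    return {cat: sorted(feats) for cat, feats in summary.items()}


def unexpected_features(summary, expected_categories):
    """Categories present in the code but absent from the stated purpose."""
    return sorted(set(summary) - set(expected_categories))


# Constructed component that claims to be a string-padding library. The
# AKIA... value is a made-up, non-functional string shaped like an access key.
SAMPLE_COMPONENT = '''\
"""leftpad: pads strings to a fixed width"""
import hashlib
import requests

API_KEY = "AKIAEXAMPLEKEY000000"   # constructed placeholder, not a real key

def pad(s, width, ch=" "):
    return ch * (width - len(s)) + s

def _telemetry(s):
    digest = hashlib.sha256(s.encode()).hexdigest()
    requests.post("https://telemetry.example.amazonaws.com/ingest", json={"d": digest})
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_COMPONENT, "leftpad.py")
    report = summarize(found)
    for cat, feats in sorted(report.items()):
        print(f"{cat}: {', '.join(feats)}")
    # A padding library should need none of these categories.
    print("unexpected:", unexpected_features(report, expected_categories=[]))
    for f in found:
        print(f"  {f['path']}:{f['line']} [{f['feature']}] {f['excerpt']}")
```

The unexpected-category list is the review prompt: a padding library that hashes input and posts it to a cloud endpoint does not “only do what it says”, which is exactly the gap the tool is meant to surface before a human code review.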

Acosta recently demonstrated Application Inspector at the SecTor conference in Canada.

Each icon in the report represents a feature that Application Inspector identified in the source code.


Microsoft ends free Windows 7 security updates on Tuesday

FILE - In this Jan. 11, 2010 file photo, a display for Microsoft's Windows 7 is shown at the National Retail Federation's convention in New York. Users still running Microsoft's Windows 7 on their computers might be at risk. Microsoft is no longer providing free security updates for the system as of Tuesday, Jan. 14, 2020, meaning computers using it will be more vulnerable to viruses and malware. Users who want to protect their data need to upgrade to Windows 10. (AP Photo/Mark Lennihan, File)
NEW YORK (AP) — If you’re still using Microsoft’s Windows 7, your computer might soon be at risk.

Microsoft will stop providing free security updates for the system on Tuesday, meaning computers using it will be more vulnerable to malware and hacking.

Users who want to protect their computers need to upgrade to Windows 10. They may also need to buy new computers because older machines might not be compatible with Windows 10.

Tech companies typically phase out older systems after a number of years and focus efforts on updating current versions of software. Windows 7 came out in 2009. Windows 8, which came out in 2012, will have free support end in 2023.

Windows 10 starts at $139 for a basic, “Home” version. Microsoft charges $200 for a “Pro” version meant for businesses and individuals who need its advanced features. Windows 10 comes with regular free updates for security and additional features. Although Windows 10 isn’t likely to be phased out anytime soon, older versions will require those updates to keep working.

Microsoft is also ending support Tuesday for the Windows Server 2008 and 2008 R2 operating systems.

Those who run Windows 7 Professional or Windows 7 Enterprise can buy extended protection for up to three years. But it might be worthwhile to just buy new PCs or get Windows 10.

Microsoft will also be ending support on Oct. 13 for Office 2010, a package that includes word processing and spreadsheet software. Owners need to explore newer versions of Office, including a subscription offering called Office 365.

The Telegraph

GCHQ warns not to use Windows 7 computers for banking or email after Tuesday

Microsoft is stopping support for Windows 7 from Tuesday - Getty Images North America

GCHQ has warned people not to do internet banking or use emails from computers with Windows 7 from Tuesday, when Microsoft will end support for the software.

The National Cyber Security Centre (NCSC), the public-facing arm of the cyber spy agency, said that devices still using the operating system after next week will become increasingly vulnerable to cyber attacks as the tech giant stops patching weaknesses in its product.

Microsoft announced last year that it would be ceasing technical support for Windows 7 and urged users to upgrade to its Windows 10 system, which costs £120.

It is estimated that there are still more than 440 million people using Windows 7 worldwide, which was first released in 2009.

A spokesperson for the NCSC said: “The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices.

“We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts.

“They should also consider accessing email from a different device.”

The national security agency warned that after Microsoft stopped supporting Windows XP in 2014, hackers soon started exploiting weaknesses in the system.

Among the risks users run are having their computers infected with malware, which can steal sensitive details such as financial and banking information from their device.

The NCSC spokesman added: “As a result, it’s crucial to move away from them as quickly as possible.”

The Windows 7 operating system has previously been caught up in security lapses. In 2017, most of the NHS computers infected by the WannaCry ransomware attack, which caused almost 19,500 hospital appointments – including cancer referrals – to be cancelled, were found to be using the operating system.

However, a report into the hacking, which affected 81 trusts in England and Wales, found that many of the systems had not been updated by NHS groups, leaving them more vulnerable to cyber attack.

Microsoft said it will be providing security support for three more years to businesses using Windows 7 and for customers who are willing to pay for an upgraded package of updates.

However, the company itself warned users they would be at greater risk of hacking and malware if they continued to use Windows 7 after Tuesday.

A Microsoft spokesman said: “If you continue to use an unsupported version of Windows, your PC will still work, but it will become more vulnerable to security risks and viruses.

“Your PC will continue to start and run, but you will no longer receive software updates, including security updates, from Microsoft.”

Twitter CEO Jack Dorsey was hacked Friday. Here’s how to safeguard your Twitter account

New York (CNN) — The hack of Twitter CEO Jack Dorsey’s account on Friday revealed a flaw in the social network’s systems that could leave anyone vulnerable, from lawmakers to CEOs to the average Twitter user. And it raised a serious question as to how you can keep your account safe from the same thing.

Dorsey was likely a victim of SIM swapping, a practice in which a hacker will bribe or otherwise convince a mobile carrier employee to switch a phone number to the hacker’s device.
“Somebody can just get somebody making $12 an hour and offer them a thousand dollars to do a SIM swap,” Brian Krebs, a leading cybersecurity journalist, told CNN Business on Saturday.
Thanks to a feature left over from Twitter’s early days, if a hacker gets control of the phone number associated with your Twitter account, they can text any tweets they want to Twitter’s number, 40404, and they’ll be immediately published to your account. The hacker wouldn’t need any other verification — not even your account password.
Asked by CNN Business on Saturday, Twitter declined to comment on whether it would change its security practices following the Dorsey incident.
Until it does, there doesn’t appear to be any real way to turn off the feature that the hacker or hackers apparently exploited to take over Dorsey’s account. The only way to do it actually involves making your account less safe overall. But there are still some things you can do to protect your account from these kinds of attacks.

Verification codes

First off, it’s a good idea to always have two-factor authentication on, as an additional verification step to confirm your identity beyond your regular password. But even two-factor won’t protect you from a SIM swapping hack.
Not all verifications are made equal. A hacker can intercept security codes sent via text message, rendering them useless.
Luckily, Twitter offers several more secure verification methods.
One step better would be to use the Google Authenticator phone app, which will provide you codes. A hacker would then need your actual phone to get the codes. Or you can use a physical security token, a small piece of hardware you can buy separately that generates security codes. A hacker would typically need to physically steal that key to gain access to an account.

Replace your phone number

Right now it appears that the only way to shut off the ability to use text messages to send a tweet from your account is to delete your phone number from Twitter entirely. But there’s a catch: Doing so will disable two-factor authentication on your account. I tried multiple times to keep two-factor enabled on my own Twitter account while deleting my phone number from it. Each time it appeared Twitter would allow me to do so, but when I refreshed the page, two-factor was off.
What you can do instead, if you’re in the United States, is to try replacing your phone number with a number generated by Google Voice, as first suggested on Twitter by Krebs. A Google Voice phone number isn’t managed by a mobile carrier and doesn’t have anyone a hacker could talk into helping them obtain control of your number.
“You can’t get somebody from Google Voice on the phone if you tried,” Krebs told CNN Business.
It’s not a perfect solution, Krebs said, as your Google account could also get hacked via SIM swapping if you’re set to receive text messages for two factor authentication for that account. And anyone outside the United States will need to find an alternative service. But it would still be effective if you enable an alternative verification method on your Google account and follow other generally good security procedures like setting very strong, unique passwords for all the sites you use, and using a password manager to keep track of them.

Robocall Scams Get More Sophisticated and Costly

Criminals armed with personal information are creating crafty schemes to defraud consumers out of their hard-earned money


It took two phone calls to rob an 81-year-old woman of her $80,000 life savings.

The first came from a man claiming to be from the Social Security Administration. The woman thought the call was legitimate because her ID screen displayed the agency’s phone number. Plus the man knew her name and had her Social Security information.

The man said there was a problem with her account, and unless she immediately wired him the money to fix it, her benefits would be cut off. She agreed to send him the funds.

Soon after, she got a call from an accomplice claiming to be an FBI officer. He told the woman that the first caller was an imposter and had cheated her. He then convinced her that he needed money to go after the con man. She agreed to wire him funds as well. Now, in the twilight of her life, she has lost everything.

This is just one of thousands of so-called imposter scams reported each year that target people in the U.S., particularly older ones.

While overall robocall fraud complaints have been declining, the Federal Trade Commission, one of the government entities that regulates the telephone industry, says complaints about scams like the one described above are surging. In May of this year alone, the FTC says it received 46,000 impostor scam complaints.

Also on the rise, according to the FTC, is the average amount of money lost by consumers fooled by these scams.

In total, consumers have reported losses of $285.2 million so far this year, with a median loss of $700, according to FTC data. At this point in 2018, consumers had reported losses of $239 million with a median loss of $500.

“While less and less people are getting scammed overall, the few who are are seeing much bigger losses,” says Ian Barlow, the Do Not Call program coordinator at the FTC. “And there are lots of individual consumers who lose everything.”

Older people are particularly vulnerable to scams.

“This is a really big problem,” says Amy Nofziger, director of the AARP’s fraud victim support. “From a young age we’re taught to respect authority, and so, if you get a phone call saying that your Social Security number has been used in a crime, you’re going to listen because we respect our government.”

Consumers can no longer trust the numbers that appear on their caller IDs, she says, noting that the government will never request payment in the form of a wire transfer or a gift card.

“If someone asks for that, it’s a huge red flag and you should hang up immediately,” Nofziger says.

Criminals Know More About You

Imposter scams are rising because criminals are doing more research—especially on social media—to target and earn the trust of victims they think might result in a big payday.

“Our older adults didn’t grow up with the internet, like I might have, and are really excited to be on there and to be able to share things,” Nofziger says. “But everybody is putting way too much information out on social media, regardless of if you’re in your 50s or under the age of 50.”

She says it’s important that people have their security settings and their social media profiles locked down, and to understand that otherwise, anyone can have access to what we’re sharing online.

Easily available personal information, whether stolen in a data breach or from poorly secured social media accounts, helps criminals add credibility to their cons.

“Robocall scammers know more about you, so they’re targeting you specifically,” says Al Pascual, chief operating officer and co-founder at Breach Clarity, a firm that helps consumers to understand the threat level of a data breach and what steps they need to take to be protected. “They pretend to be a family member in need of money or use other creative ways to get you to pay up.”

And while the elderly are often targeted in these attacks, people of all ages are at risk. The FTC says that consumers under the age of 60 report losing money at higher rates than consumers over that age. But the elderly are still the prime targets because, according to the FTC, older victims tend to lead to bigger paydays for crooks.

4 Popular Phone Scams

There’s a nearly endless variety of frauds being perpetrated. Here are a few of the most popular ones for which you should be on the alert.

The Tech Support Scam

How it works: In this scam, robocallers contact victims impersonating an IT customer service rep, saying there’s a problem with your Apple ID, Microsoft account, or cable company account information. In this fraud, the number is spoofed to make the call look like it’s coming from the company’s 800 number. The caller may even have your name and an old password of yours. Once you’re hooked, they’ll send you to a fake website to steal your money or collect your personal information, or they may fool you into giving it to them directly over the phone. A favorite method is to ask their target to pay using a gift card, which victims will often purchase at a drugstore. Victims will either input the card’s information into a fake website or give the card’s details to the crook over the phone. The scammers then quickly redeem the card’s value.

“We’ve definitely been seeing a high volume of calls purporting to be from the main numbers of tech companies like Apple and Microsoft being used; that’s definitely a trend,” says Jim Tyrrell, senior director of product marketing at Transaction Network Services, which provides robocall detection for big telecom companies, such as Verizon and Sprint. “We’ve seen high-risk calls increase by double digits over the last six months,” he says.

Family Emergency Scam

How it works: Scammers pose as relatives or friends calling in an emergency. By dredging your social media account, they can learn your family relationships, pet names, latest travels, and more. In this scam, once the crooks have the information, they’ll call you, making it seem like a family member, such as a grandchild who may be traveling abroad, is in a faraway jail or in the hospital and in urgent need of emergency funds. The element of urgency can trick you into sending money before you realize it’s a scam. And while you normally might recognize the voice of family members, there are some you may not have spoken to in a long time. Often, crooks ask the victim to keep it secret, preventing victims from checking with other family members about the supposed crisis.

Government Imposter Scam

How it works: It’s one of the most prevalent frauds today. In this scam, criminals use phone number spoofing technology to fraudulently make a government agency’s phone number appear on victims’ phones to fool victims into believing that the IRS or Social Security Administration is calling seeking payment. Crooks often have your name, Social Security number, or other personal information. In the IRS scam, they may threaten to arrest or deport you, or revoke your license if you don’t pay right away. With the Social Security scam, they often say your benefits are blocked and can be reactivated for a fee.

Medicare Scam

How it works: Scammers call pretending that they’re Medicare representatives or that they’re from a medical supply company. Often they are looking for your personal information and will say they need your Medicare number so that you can get a back or neck brace. Sometimes the scammers will call offering free services or equipment in exchange for your Medicare information. They may say they need your information or money so that you can get a new Medicare card and that if you don’t act quickly, you’ll be hit with fees.

Tools to Protect You

Scary as the threat may seem, there are technological and behavioral tools that may help reduce your susceptibility to being defrauded by robocall phone scams.

To help protect consumers, some phone service providers are rolling out new call authentication technology called Shaken/Stir and are working with software developers to improve analytics and artificial intelligence algorithms that monitor suspicious activity on their networks to more aggressively block unwanted calls from reaching consumers.

“We’re working with the carriers to build out technology to protect their subscribers,” says Gavin Macomber, senior vice president at First Orion, the robocall blocking firm that powers T-Mobile’s tools. “Their customers, overwhelmed by the amount of unwanted phone calls they receive—especially those that are looking to scam them—are putting more of the responsibility onto the carriers to protect them.”

AT&T and Verizon are also working with robocall blocking firms to improve their security.

“Now many carriers are offering blocking at the network level,” says the FTC’s Barlow. “So we really urge consumers to investigate what’s available for them.”

But not all consumers are equally protected, especially those with traditional copper landlines from small providers that haven’t yet switched over to a digital network.

“Too many of these robocalls are from scammers intending to do consumers harm,” says Maureen Mahoney, policy analyst at CR. “While there are an increasing number of effective anti-robocall tools for cell-phone users and consumers with advanced home phone lines, those with traditional landlines have limited options to protect themselves, and they can be costly. That’s why phone companies need to be required to implement effective anti-robocall technology for all phone customers, at no charge.”

How to Protect Yourself

  • Hang up. Don’t engage with any robocallers; it can just end up in more calls.
  • Don’t trust caller ID. Scammers can make it look like their calls are coming from trusted institutions.
  • Don’t pay anyone who calls you over the phone. If you get a call trying to get you to pay money, it’s almost certainly an unlawful robocall.
  • Never pay by wire transfer, gift card, or prepaid card over the phone. No legitimate company or government agency is asking to be paid with Amazon, Google Play, or iTunes gift cards.
  • Resist the urge to act immediately, no matter how dramatic the story is.
  • Report scam calls to the FTC at donotcall.gov or by calling 877-382-4357. The more data the agency has, the more it can focus on enforcement, Barlow says.
  • Register for the Do Not Call Registry. This may not reduce calls from criminals who ignore the registry, but it will reduce calls from lawful companies.


Tipster’s Email Led to Arrest in Massive Capital One Breach

Christian Berthelsen, William Turton and Jenny Surane /
Bloomberg

(Bloomberg) — Capital One Financial Corp. set up an email address for tipsters — including “white hat” hackers — to alert the company to potential vulnerabilities in its computer systems. On July 17, the company got a hit.

“Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked s3 data of yours in someone’s github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.

It didn’t take Capital One long to figure out who had accessed its files. The GitHub address included a name, Paige Thompson, a former Amazon.com Inc. employee who used the online nickname “erratic” and discussed her exploits with others, according to federal prosecutors.

“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson allegedly wrote, under the “erratic” alias, in a June 18 Twitter message. “There ssns…with full name and dob” — an apparent reference to Social Security numbers.

Damage Assessment

It also didn’t take Capital One much time to assess the damage. On Monday, it announced that about 100 million people in the U.S. had been impacted by the breach, and another 6 million in Canada. The illegally accessed data, which was stored on servers rented from Amazon Web Services, was primarily related to credit card applications and included personal information, like names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.

Most Social Security numbers were protected, but about 140,000 were compromised, the bank said. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”

The company described the tipster to the hack as an “external security researcher.”

Thompson, 33, was charged with computer fraud and abuse. In a court hearing Monday, she broke down and laid her head on the defense table. On Tuesday, New York Attorney General Letitia James announced that her office is opening an investigation into the Capital One breach.

The scale of the breach ranks it as possibly one of the largest-ever impacting a U.S. bank, although the consequences may be limited if the data wasn’t distributed to others or used for fraud.

Capital One shares fell as much as 6.5% Tuesday morning, their biggest decline in six months.

Security Lapses

The breach shows how hackers can steal vast troves of consumer data as the result of lapses made by the companies that collect it. In 2017, Equifax Inc. failed to patch a known flaw in its servers, resulting in the theft of 145 million Social Security numbers, along with the names and dates of birth of possibly a third of the U.S. population.

In the Capital One case, Thompson was allegedly able to steal vast buckets of personal data because of an improperly configured firewall — among the most basic digital security tools. The bank said it immediately fixed the problem once it was discovered.

In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.

The Capital One data had been stored on servers it contracted from a cloud computing company that isn’t identified, though the charges against Thompson refer to information stored on S3, a reference to Amazon Web Services’ popular data storage software.

An AWS spokesman confirmed that the company’s cloud had stored the Capital One data that was allegedly stolen, and said it wasn’t accessed through a breach or vulnerability in its systems.

Cloud Advocate

Capital One has been one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020. The move will help lower costs, the company has said.

The lender has been the subject of several case studies published by Amazon Web Services that noted the cloud services provider has helped the company develop new technologies faster and improve certain services including its call center.


“We have embraced the public cloud and are well on our way to migrating our applications and data to the cloud,” Chief Executive Officer Richard Fairbank told analysts on a conference call in April. “We are now considered one of the most cloud forward companies in the world.”

Thompson, previously an Amazon Web Services employee, last worked at Amazon in 2016, a spokesman said. The breach described by Capital One didn’t require insider knowledge, he said.

‘Wa Wa Wa’

Much of what could be learned about her Monday was information she had posted online. On her GitHub Account, she was writing code dealing with The Onion Router, or Tor, an anonymity tool that allows users to conceal their identities. Capital One investigators determined that Thompson used it in her hack of the bank, according to federal prosecutors.

In online interactions, Thompson suggested she was careful to hide her digital tracks with various security tools, including Tor. But the federal complaint against her outlines relatively simple ways Capital One and the FBI were able to establish her identity, including the name on her GitHub Page.

Thompson was active in the hacking community on Twitter, and she wrote recently about struggling emotionally, and about euthanizing her beloved cat.

On June 27, “erratic” posted about several companies, including Capital One, in an online group, according to court records.

“don’t go to jail plz,” another user wrote.

“Wa wa wa wa, wa wa wa wa wa wa wawaaaaaaaaaaaa,” Thompson responded, and later added, “I just don’t want it around though. I gotta find somewhere to store it.”

On July 29, Federal Bureau of Investigation agents executed a warrant to search Thompson’s residence. In one bedroom, they found digital devices with files that referenced Capital One and its cloud computing company. The devices also included the alias “erratic.”

(Updates with New York attorney general investigation in eighth paragraph.)

–With assistance from Matt Day and Michael Riley.


Stop robocalls to your phone for good

Help is on the way to keep your phone from constantly ringing, but there are steps you can take right now.

Image (Jason Cipriani/CNET): Hiya on iOS. Kill robocalls dead in their tracks.

The number of robocalls ringing our phones at all hours of the day has reached an all-time high, and because of that those calls are also getting a lot of attention from the government and technology companies. Most recently, the House passed a bill that will all but stop robocalls. The FCC passed a proposal that gives carriers the permission to be more aggressive when blocking spam calls. Apple even added a feature to iOS 13 that lets you block all unknown callers from ever ringing your phone.

Robocalls convey a prerecorded message to your phone that often urges you to do something. Sometimes it’s a message from a candidate running for office or a call from your bank advertising a new service. Even more worrisome are the scammy robocalls — posing, say, as the “IRS” — that intend to trick people out of their money. It’ll be some time before the FCC’s proposal is implemented, so you’re not going to see a dramatic decrease in unwanted calls overnight.

Not every automated solicitation call counts as illegal. Calls from political campaigns, debt collectors and charities are all permissible. What’s not allowed are the calls from the fake IRS agents or the companies that claim you won a free vacation to the Bahamas.

While it’s not possible to entirely end robocalls from reaching your phone, there are some steps you can take to reduce the number of calls you receive.

Best practices to keep annoying robocalls at bay

According to the FCC, there are some easy steps you can take to help reduce robocalls:

  • Don’t answer calls from blocked or unknown numbers.
  • Don’t answer calls from numbers you don’t recognize.
  • If someone calls you and claims to be with XYZ company, hang up and call the company yourself. Use the company’s website to find an official number.
  • If you do answer a call and hear a recording such as “Hello, can you hear me?” just hang up.
  • The same goes for a call where you’re asked to press a number before being connected to a representative.

When you answer a call and interact with the voice prompt or by pressing a number, it lets the spammer know your number is real. They can then sell your number to another company, or begin targeting your number more frequently.

Image (Josh Miller/CNET): Apple promises to soon lock robocalls out of your iPhone.

Arguably, Google’s Call Screen feature goes against the FCC’s advice: not only do you answer the robocall, but there’s interaction with the caller from your phone number, which will likely lead to more calls. Even though Google’s Call Screen feature is incredibly fun and entertaining to use, unless you know the phone number is legit, it’s best just to not answer.

Apple recently announced iOS 13 with a ton of new features. One of those features is the option to route calls from unknown numbers straight to voicemail. According to Apple’s feature listing, Siri will allow calls from numbers found in Contacts, Mail, and Messages to go through. Anything else will go to voicemail, and assuming the caller is legit, they can leave a message.

If you find yourself receiving a lot of spam text messages, you can forward the message to the number 7726 (spells SPAM). It won’t block the number from texting you right away, but it will allow your carrier to look into where it came from and put an end to it.

Image (Sarah Tew/CNET): Google Pixel 3 and Pixel 3 XL. Call screening is part of the Pixel 3.

Check with your provider

All four major wireless carriers offer some sort of call blocking feature to customers. Some are free, while others charge for something that should be free. 

  • AT&T’s Call Protect app is available for iOS and Android. The free version blocks calls from “likely fraudsters” and labels telemarketing calls. You can add numbers to a block list in the app, as well. The paid version provides caller ID for unknown numbers and offers mobile security features that are unrelated to robocalls. The premium version of Call Protect costs $3.99 per month.
  • Verizon’s Call Filter offers spam detection, spam filter, and the option to report numbers for free. You can pay $2.99 a month (or $7.99 a month for three or more lines of service) for caller ID, spam lookup, and a personal block and spam list. Call Filter is built into most Android devices out of the box (which you’ve probably been prompted about) but is also available in the App Store for iOS users.
  • T-Mobile’s Scam ID is free to all customers and includes Scam Block. The ID portion of the service will alert you that an incoming call is likely spam, while Block will block the call from ever reaching your phone. You need to activate the Block feature, either through the Scam Block app or by dialing #662# from your phone. You can pay $4 for Name ID to see the names of incoming callers.
  • Sprint’s Premium Caller ID feature costs $3 a month and will identify all incoming callers and block robocalls. There isn’t an app to install; the feature is built into “select” phones and the Sprint network.

Check with your wireless provider to see if they offer a similar service.

Use a third-party app

If your provider doesn’t offer an app or service to cut back on robocalls, or it’s just too expensive, there are plenty of third-party apps available. You want to find an app that works on your device, offers automatic call blocking and spam alerts for suspicious calls and can easily report a number if a call slips through.

Hiya is a free app I have used on Android and iOS for some time now with success. It’s the same company that powers AT&T’s Call Protect app, as well as Samsung’s built-in call block and spam protection service. Samsung Galaxy users can enable the built-in service in the Phone app under Settings > Caller ID and Spam Protection. Setup is painless, and it offers an easy way to report a number.

Nomorobo is the service that Verizon uses for its Fios users, but it also has a phone app. The service is free for VoIP users and costs $2 per month for mobile users. Additional services that offer similar capabilities include YouMail and RoboKiller.

The recently released Firewall app is only available on the iPhone, and does a fantastic job of keeping calls from your phone. In the event you need to make a call that you’d rather not use your real phone number for, the $4 a month subscription provides unlimited single-use fake phone numbers. 

Another option is to sign up for a free Google Voice phone number. Instead of giving out your real number for random services, you could then use your Google Voice number — and once the robocalls start coming in, use the block feature. Just know that blocking calls may end up being a lot of work, as robocallers are constantly spoofing different phone numbers.

None of the above solutions are perfect, and likely won’t be until carriers integrate the technology required to check for caller ID spoofing, so right now you have to do some extra work to keep the number of robocalls you receive to a minimum. Between being proactive with unknown calls to your number and using a service (paid or free), you can reduce the number of unwanted calls and spam you receive on your phone.

Microsoft Plans Windows Defender Rebrand

Image credit: Emilija Milijkovic / Shutterstock

Here’s an interesting example of Microsoft focusing more on cross-platform services: gHacks reported yesterday that Windows Defender and most of its associated services will be rebranded to Microsoft Defender when Windows 10 20H1 is released early next year.

This appears to be a minor change that won’t affect the way Windows Defender actually works. There are some questions about the rebranding, such as whether it will expand to previous versions of Windows like Windows 7, but for the most part, it seems pretty straightforward. (And considerably less baffling than Toshiba Memory’s decision to change its name to Kioxia this October.)

The prevailing theory is that Microsoft wants to change Windows Defender’s name, so it’s no longer associated solely with Windows. GHacks noted that Windows Defender ATP (short for Advanced Threat Protection) expanded to Android, iOS, macOS, and Linux in 2017 before rebranding it as Microsoft Defender ATP. So this wouldn’t be the first time Microsoft nixed Windows from a cross-platform service’s name.

This would make sense with Microsoft’s new strategy of making its services available on other platforms. We noted earlier this week that this approach seems to be paying off, with Microsoft Word for Android surpassing 1 billion downloads from the Google Play Store. Windows 10 has been installed on 850 million devices; that means Word for Android is more popular than Microsoft’s latest operating system.

Focusing more on its own brand should make it easier for Microsoft to expand its services to other platforms. It’s kinda hard to see anyone installing Windows Defender on their Mac or Linux system without hesitation. Microsoft Defender would probably be an easier sell, even if it almost sounds like the company’s developing an app that leaps to its defense whenever someone bad-mouths it on social media.

Russia’s Secret Intelligence Agency Hacked: ‘Largest Data Breach In Its History’


Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia’s Federal Security Service. The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing.

FSB is Russia’s primary security agency with parallels with the FBI and MI5, but its remit stretches beyond domestic intelligence to include electronic surveillance overseas and significant intelligence-gathering oversight. It is the primary successor agency to the infamous KGB, reporting directly to Russia’s president.

A week ago, on July 13, a hacking group under the name 0v1ru$ that had reportedly breached SyTech, a major FSB contractor working on a range of live and exploratory internet projects, left a smiling Yoba Face on SyTech’s homepage alongside pictures purporting to showcase the breach. 0v1ru$ had passed the data itself to the larger hacking group Digital Revolution, which shared the files with various media outlets and the headlines with Twitter—taunting FSB that the agency should maybe rename one of its breached activities “Project Collander.”


I received a link to the Digital Revolution site where an initial tranche of breached documents was “published two months ago… as part of that 7.5 terabytes.” I won’t publish the link here for obvious reasons. Digital Revolution has targeted FSB before. It is unknown how tightly the two hacking groups are linked.

BBC Russia broke the news that 0v1ru$ had breached SyTech’s servers and shared details of contentious cyber projects, projects that included social media scraping (including Facebook and LinkedIn), targeted collection and the “de-anonymization of users of the Tor browser.” The BBC described the breach as possibly “the largest data leak in the history of Russian intelligence services.”

As well as defacing SyTech’s homepage with the Yoba Face, 0v1ru$ also detailed the project names exposed: “Arion”, “Relation”, “Hryvnia,” alongside the names of the SyTech project managers. The BBC report claims that no actual state secrets were exposed.


The projects themselves appear to be a mix of social media scraping (Nautilus), targeted collection against internet users seeking to anonymize their activities (Nautilus-S), data collection targeting Russian enterprises (Mentor), and projects that seem to relate to Russia’s ongoing initiative to build an option to separate the internal internet from the world wide web (Hope and Tax-3). The BBC claims that SyTech’s projects were mostly contracted with Military Unit 71330, part of FSB’s 16th Directorate, which handles signals intelligence, the same group accused of emailing spyware to Ukrainian intelligence officers in 2015.

Nautilus-S, the Tor de-anonymization project, was actually launched in 2012 under the remit of Russia’s Kvant Research Institute, which comes under FSB’s remit. Russia has been looking for ways to compromise nodes within Tor’s structure to either prevent off-grid communications or intercept those communications. None of which is new news. It is believed that some progress has been made under this project. Digital Revolution claims to have hacked the Kvant Research Institute before.

The preparatory activities for splitting off a “Russian internet” follow Russian President Vladimir Putin signing into law provisions for “the stable operation of the Russian Internet (Runet) in case it is disconnected from the global infrastructure of the World Wide Web.” The law set in train plans for an alternative domain name system (DNS) for Russia in the event that it is disconnected from the World Wide Web, or, one assumes, in the event that its politicians deem disconnection to be beneficial. Internet service providers would be compelled to disconnect from any foreign servers, relying on Russia’s DNS instead.

There is nothing newsworthy in the projects exposed here, everything was known or expected. The fact of the breach itself, its scale and apparent ease is of more note. Contractors remain the weak link in the chain for intelligence agencies worldwide—to emphasize the point, just last week, a former NSA contractor was jailed in the U.S. for stealing secrets over two decades. And the fallout from Edward Snowden continues to this day.

Digital Revolution passed the information to journalists without anything being edited, removed or changed—they said. Little is known about 0v1ru$ and the group has not come forward with any comment.

Neither, unsurprisingly, has FSB.


Don’t do your boss any favors buying gift cards — it’s likely a scam

Susan Tompor

We’ve had the “one ring” phone scam, the fake IRS phone calls, the scam that tricks you into thinking that your Social Security number has been connected to some car in Texas that was involved with running drugs across the border.

And now we have the “Can you do me a favor?” scam.

Sure, you’re thinking, “Hey, I know quite a few folks who ask for favors and run that scam everyday.”

But trust us, this one has a new twist.

“Usually, it starts with an email,” said Amy Nofziger, AARP fraud expert.

The email could look like it’s from your boss, maybe your minister or pastor, maybe the principal of your school.

A 31-year-old woman who had just started a job in April didn’t think twice when she got an email from her boss asking for help in early May.

“My boss was on vacation but he said he was going to be working remote,” said the Florida woman, who asked that her name not be used because she didn’t want more emails from scammers.


She works at a company that sells high-end appliances and her job often involves handling different projects for her boss.

So she wasn’t taken aback when he sent an email and asked her to buy four $500 gift cards to be used as prizes for employees. And she received other emails supposedly from her boss during the process.

“He kept asking: ‘Where are we on this?'” she said.

In the end, she bought two Best Buy gift cards and two Target gift cards.

She lost $2,000 in total after she charged the gift cards on her credit card.

At some point, she started thinking something was off once the boss asked for more gift cards. And then somehow, she checked on the balances on the four cards she already had bought and discovered they were all at $0.

She had sent her “boss” the codes off the gift cards and the crooks were able to access the money. She later googled scams and discovered a warning about crooks sending fake emails pretending to be your boss.

Her advice now: “As soon as you get an email like that, call your boss. Just make sure it’s him or her.”

The requests appear to be sincere

Consumers are warned that these sorts of scams can start innocently enough.

The message in the initial email might be something like: “Jane, could you please email me back? I need a favor.”

Or “Sally, are you available at the moment? I need you to handle a project. Very busy at the moment. Can’t talk. Just send an email when you receive this. Thanks.”

And remember, the phishing email is crafted to appear legitimate, often signed by someone we know. So, sure, we want to help. The email address is even similar to your supervisor’s email, too. So many of us don’t think twice.

“We want to please people and we certainly want to please people that are in a position of authority,” Nofziger said.


Liking to please people, of course, makes you a good target for scammers.

Once we respond to the first email, we’re going to get another email.

The note could say something like: “Good to hear from you. I need to get three iTunes gift cards for my niece. It’s her birthday but I can’t do this now because I’m currently traveling. Can you get them for me from any store around you? I’ll pay back next week when I get back home.”

Or the email might state: “I need you to pick up three Home Depot gift cards for our project.”

Gail Engel, 63, got a text out of the blue from a “Pastor Joseph” saying that a friend of his had cancer and asking her to help him buy some gift cards as a get-well gift. He said he was at the hospital at that moment.

Engel, who lives in Loveland, Colo., said she works with Father Joseph but a Pastor Joseph? The wording sounded odd.

The timing of the text worked against the scammers, too.

Engel – who is retired but heads a nonprofit for grandparents raising their grandchildren – was attending a meeting of that group at a church building. The speaker was from the AARP and discussing scams.

So Engel did text back saying: “No, I can’t help you but call this number and they might be able to help you.” She texted a number for the AARP fraud hotline.

Organizations are targeted

How do the scammers even know the name of your boss?

Consumer watchdogs say the fraudsters could be using some sort of organizational chart that is easily found online. Look up a school, you’re going to have easy access to finding the emails for teachers, as well as the name of the principal. The same’s true for some online church directories or online information for a company’s staff.

“Scammers are using technology and the amount of personal information we put online to exploit us,” Nofziger said.

“It’s so creative – let’s give them some credit,” she said. “It’s creative in the way they’re social engineering you.”

“It does seem to be targeting an audience that is working or is involved in a social group,” Nofziger said.

Once the gift cards are bought, the impersonators will ask you to take photos of the numbers on the back of the gift cards and text them the photos.

Often, the person in authority says the photo is needed as a record so you can be reimbursed. But once you send those photos, you’re never, ever going to get your money back.

Crooks are able to use the numbers to download the value quickly and you’re stuck holding the bag. The money is gone and almost impossible to trace.

The scammers in the case with the four $500 gift cards somehow seemed to know that the young woman’s boss was on vacation or maybe that she was even new on the job. In retrospect, the woman said she realizes that if her company wanted her to spend that kind of money, they probably would have given her a credit card to do so.

“It was just too weird,” said the young woman, who has a toddler and a baby on the way.

She joked that she told her husband that she knew he’d be upset about her being scammed but says she reminded him that she was pregnant, so don’t get too upset.

The couple worked it out and her husband helped her deal with the added expense.

Consumer watchdogs say some gift cards requested in scams include: Home Depot, Best Buy, Amazon, Google Play, iTunes, Steam, MoneyPak and, oddly enough, even Sephora, a retailer specializing in cosmetics, skincare and fragrances.

Some consumers lose $500 and some lose as much as $5,000.

The Federal Trade Commission has warned that more scammers are demanding payment on gift cards than ever before.

The AARP Fraud Network said it is seeing an uptick of phishing emails supposedly from your boss, your minister, the principal of your school, all asking for a favor.

No, the scam isn’t as widespread as one where someone pretends to be your grandson or son who is in desperate need of help. (Maybe they just got into an auto accident and they’re requesting Home Depot gift cards. Why Home Depot? The police officer needs to go out and buy tools to fix the light pole that was knocked over in the accident.)

And no, the do-me-a-favor scam isn’t as constant as the latest Social Security scam where someone needs to confirm your Social Security number so you can clear your name and prove you weren’t laundering money or hauling drugs.

But Nofziger said the scam is growing and consumers need to be made more aware of it before it hits an epidemic level. Consumers can report scams or get more information at www.aarp.org/FraudWatchNetwork or call the AARP Fraud Watch Network helpline at 877-908-3360.

So do yourself a big favor, don’t immediately respond to emails asking for a favor. Maybe pick up the phone first, call the person and ask if they really need any extra help.

Contact Susan Tompor: 313-222-8876 or [email protected]. Follow her on Twitter @tompor.

This article originally appeared on Detroit Free Press: Don’t do your boss any favors buying gift cards — it’s likely a scam

Microsoft dismisses new Windows RDP ‘bug’ as a feature

Researchers have found an unexpected behavior in a Windows feature designed to protect remote sessions that could allow attackers to take control of them.

The issue, discovered by Joe Tammariello at the CERT Coordination Center (CERT) at Carnegie Mellon’s Software Engineering Institute, is documented as CVE-2019-9510. It stems from Network Level Authentication (NLA), which is a feature that you can use to protect Windows installations that have the Remote Desktop Protocol (RDP) enabled. NLA stops anyone from remotely logging into the Windows computer by requiring them to authenticate first.

Starting with Windows 10 release 1903 in April 2019, and with Windows Server 2019, Microsoft changed the way NLA works. Now, the authentication mechanism caches the client’s login credentials on the RDP host so that it can quickly log the client in again if it loses connectivity. The change enables an attacker to circumvent a Windows lock screen, warns CERT/CC, which disclosed the issue, in an advisory.

Let’s say you remotely log in to a Windows box using RDP. Then, you lock that remote desktop to stop an attacker from accessing it from your machine while you leave the room.

The attacker could interrupt the network connection between the local machine and the remote Windows box and then reestablish it, by unplugging the network cable and plugging it in again (or disabling and re-enabling Wi-Fi).

That’s where the unexpected behavior kicks in, according to the advisory:

Because of this vulnerability, the reconnected RDP session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered.

The behavior also bypasses multi-factor authentication (MFA) systems that integrate with the Windows login screen, explains the advisory. Duo Security admits that its MFA products are affected, adding that the issue isn’t its fault:

By forcing the use of cached credentials, Microsoft has broken functionality used by credential providers to add resilience to this workflow.

However, rival MFA firm Silverfort says that it isn’t affected because it doesn’t rely on the Windows lock screen:

Due to the way our products [sic] operates, we are not affected by this vulnerability. We use a unique technology which allows us to enforce MFA on top of the authentication protocol itself (e.g. Kerberos, NTLM, LDAP) without relying on Windows login screen.

Microsoft also responded to the issue, explaining that it’s a feature, not a bug. It told CERT:

After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA). Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA).

Unconvinced, Tammariello’s colleague Will Dormann still thinks you should work around it:

Courtesy of our own Joe Tammariello,
When connected via RDP, modern Windows session locking does NOT require authentication to unlock. Microsoft doesn’t plan to change this behavior, so do not use the “Lock” feature over RDP. Log out when done or away! https://www.kb.cert.org/vuls/id/576688/  pic.twitter.com/fevq4LvA3V

Given that Microsoft isn’t fixing this any time soon, you should use the local machine’s lock screen rather than relying on the remote box’s lock, says the CERT advisory. You can also disconnect RDP sessions when you go and visit the loo. Yes, it’s annoying, we know.

Responding to a user complaint, a Microsoft Technet moderator also said it was possible to disable automatic reconnection on the RDP host via group policy, and provided instructions.

If the phrase ‘Network Level Authentication’ rings a bell, it’s because Microsoft has recommended it as a protection measure against exploitation of CVE-2019-0708, nicknamed BlueKeep, the serious vulnerability affecting pre-Windows 8 systems, which the NSA, amongst many others, is now begging people to patch.

This issue doesn’t mean that you shouldn’t use NLA to protect your pre-Windows 10 boxes. For one thing, this unexpected behavior only exists on Windows 10 and Windows Server 2019. BlueKeep doesn’t affect these editions of the Windows OS.

Firefox steps up privacy protections, now blocks tracking cookies by default

It’s open season on email hackers, tracking cookies and Facebook shadow profiling as our favorite open-source software makers at Mozilla have released a series of updates for its Firefox web browser, Firefox Monitor service, and its Facebook Container, as well as rounding out a series of mobile password managers with a new extension called Firefox Lockwise.

Mozilla actually has a history with password managers for mobile platforms, having launched the Firefox Lockbox app for iOS last summer and for Android this March. Ironically, the desktop version of Firefox has lacked the ability to autofill account credentials that have been previously used in the browser. With the new Lockwise extension rolling out today, that feature finally comes to the desktop and the Android and iOS apps have been renamed to align with the new brand.

Firefox Lockwise

The company has also updated its Firefox Monitor site, which sources its information from the data breach tracking project “Have I Been Pwned” and is able to alert users if their email address has been compromised as new breaches are reported. Mozilla has added a new dashboard that lets users manage multiple email addresses at once.

Mozilla has also updated its Facebook Container extension, which blocks the social platform from tracking its users’ activities on the site and on external links. It is now able to stop Facebook from collecting data wherever its sharing APIs are used. That means if a news site or blog (even ours) lets you share and like a post on Facebook, the company won’t be able to pull data and attach that to your profile or, if you don’t have an account, build a shadow profile on you. You’ll know that the container is working when you see the fence icon above a Facebook button, as you see above.

The biggest change from Firefox is that it’s about to turn on new anti-tracking measures that were promised last August. Enhanced Tracking Protection mode automatically blocks cookies listed by partner organization The Disconnect List to protect user privacy and improve page load times. Users will be able to see what trackers have been blocked by clicking on the ‘i’ symbol in the address bar.

New installations will already have ETP turned on by default. Existing users can turn on ETP manually by heading to the Content Blocking section in the browser settings and clicking on the Custom box. Users should mark the Cookies checkbox and select “Third-party trackers” from the adjacent drop-down menu. Every user will eventually have ETP turned on by default in the next few months.

Android users have already been able to block trackers with the Firefox Focus browser, though nearly all of the features in that app are concentrated on privacy. Mainstreaming ETP establishes a new baseline on that front for more users while keeping Firefox’s flexibility.

Watch Dogs Legion Leaks Before E3 2019, Will Appear At The Show

[Update: Without diving a great deal into specifics, Ubisoft has confirmed Watch Dogs Legion. A tweet on the official Watch Dogs account includes a brief video that might contain some teases, but more important is the accompanying message that confirms a reveal at E3. Notably, the message also reads, “God save the NPCs,” perhaps confirming some of the details below concerning the ability to assume control of any character in the game world. We should know more in just a few days’ time, as Ubisoft’s press conference is scheduled for Monday, June 10.]

It appears another one of Ubisoft’s big E3 2019 surprises has leaked before the big show. Following the accidental reveal of a roller derby game, Amazon UK posted a product page for Watch Dogs Legion, which is apparently set in London. The listing was originally spotted by and reported on by The Nerd Mag. The game’s product description states that the game will riff on current events, and in particular the potential outcome for the city should Brexit come to pass.

“Watch Dogs Legion is set in a near-future, dystopian version of London. It’s a post-Brexit world in which society, politics, and technology have changed and altered London’s fortunes,” it says.

The product description then gets a little odd and potentially suspect. It states, “London makes total sense for WD,” which is a kind of phrasing we wouldn’t expect from a major publisher. Additionally, the product description spells the word surveillance as “surveillce.”

Something might be off with the product description, but the London setting had been rumored for many months already, while Kotaku’s Jason Schreier reported today that Watch Dogs Legion is indeed the title of the game and London is its setting.

Perhaps the most interesting part of Watch Dogs Legion is who the main character is: anyone. The product description states, “Play as anyone, Every individual you meet in the open world, has a full set of animations, voice over, character traits and visuals that are generated & guided by gameplay systems.”

Kotaku reports that it’s also heard this about Watch Dogs 3, and that some parts of the game will play out different based on the civilian you choose to play. The system underpinning this is apparently very ambitious, so much so that it’s led to at least one delay.

The first Watch Dogs was set in Chicago, with Watch Dogs 2 moving to San Francisco.

Watch Dogs Legion is not the first Ubisoft game to leak before E3 this year. A roller derby game called Roller Champions is also reportedly set for a reveal next week. Ubisoft’s E3 press conference is scheduled for Monday, June 10; assuming both of these leaks are accurate, we’ll likely be hearing about them during that stream.

Watch Dogs Legion and Roller Champions could be two of Ubisoft’s three unannounced games scheduled to release between January and March 2020. Ubisoft didn’t confirm any details for what the three games are, other than all three would be full-priced releases and all be different genres (a specific phrase used was “unique experiences”).

There is no word yet as to when specifically Watch Dogs Legion will release or what platforms it’ll be on. A spokesperson for Ubisoft told GameSpot that the company does not comment on rumors.

Everything new coming to CarPlay in iOS 13

In its first major overhaul since its original debut, CarPlay is gaining a wealth of new features with the launch of iOS 13. Here is every new feature and change coming to Apple’s automotive platform.

CarPlay Dashboard in iOS 13 making driving easier

A necessary redesign

CarPlay got a fresh coat of paint in iOS 13. It has been modernized with a new design that matches the rest of iOS 13. CarPlay stalwarts such as the grid-based Home screen are still around but the shelf to the left has been tweaked and reorganized.

When first looking at the new Home screen you will notice a pair of new apps that hadn’t shown themselves before. iOS 13 adds both the Settings app and the Calendar app to CarPlay.

iOS 13 brings a new Calendar app to CarPlay

Calendar is a simple interface with a list of your upcoming appointments. You can tap into any of them and if there is an address you can quickly get turn-by-turn directions.

Settings app in CarPlay

Settings gives you three options to control from CarPlay including toggling Do Not Disturb While Driving, selecting the appearance, and turning off Siri Suggestions on the Dashboard.

The appearance can now alternate between a light and a dark UI. In Settings, you can choose automatic where it stays light during the day and dark at night or you can tell it to always use the dark interface. There is no option to keep the interface light persistently.

The Music app was redesigned for CarPlay in iOS 13

Apple also took the opportunity to redesign the Music app. It now has a much higher focus on colorful album art and is much easier to navigate.

The new Dashboard

All the work they’ve done comes into focus with the new Dashboard view. This is your new command central while driving and gives you access to everything you need in one place. Half the display is occupied by the map while the other half is home to Siri Suggestions, the Now Playing widget, and any upcoming appointments. Siri suggestions can be a multitude of things such as the location of your next appointment, where it thinks you are heading next, or your garage door opener as you arrive home.

New CarPlay Dashboard view brings all your information together

The top is also taken over by driving instructions when using turn-by-turn navigation.

You can jump between the Home screen and Dashboard by way of a new icon in the lower left-hand corner. The Home button seems to now have disappeared from CarPlay just as it has vanished on iPhones and iPads.

Tapping any of these Dashboard items will take you directly to those apps, as you’d expect. To the left of the dashboard is your quick launch icons for your recently used audio, navigation, and communication apps.

Siri

Siri has been upgraded here with iOS 13 too. Not only does the virtual assistant have a new voice, but she can interact with third-party audio and navigation apps too.

Auto manufacturers are able to build in “Hey, Siri” support this time around so no button is needed to invoke Siri when needed. Whether you are launching Siri through your voice or the physical button, the UI no longer takes over the entirety of the display. Siri is now relegated to the bottom of the display leaving the rest visible which is crucial when navigating.

Bits and pieces go a long way

There is much more going on with CarPlay in iOS 13 that you may or may not see coming to your own vehicle, such as support for adjustable screens or irregular screen sizes. iOS 13 now supports a second video stream, so HUDs or other secondary displays can also be used with CarPlay.

iOS 13 supports the AVRCP 1.6 standard, which means album art can be transmitted over Bluetooth when it is used to play audio.

Share your ETA with Maps in iOS 13

Maps looks new as well, with a refreshed interface and more mapping data coming throughout the U.S., and it has gained the ability to share your ETA with recent contacts.

Arguably the biggest change coming to CarPlay fixes a persistent issue that anyone who has used CarPlay has experienced. On iOS 12 and prior, CarPlay and the connected iPhone had to display the same app. Whether Messages, Music, Maps, etc., it was a hassle.

Personally, my other half would connect her iPhone to CarPlay but whenever she would send a text or change the music it would take the map and navigation off the screen. This is no longer the case with iOS 13 which has independent app views. You can now use your iPhone independently from what is displayed on the CarPlay UI.

Apple will be releasing iOS 13 as a free update later this fall. Check out our previous feature on our top new inclusions in iOS 13 and how to master Dark Mode.

UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability

15 MAY 2019

Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

It doesn’t get much worse than that.

Fixes are included for versions of Windows 7 and Windows 2008 (see the advisory for the full list) as part of Microsoft’s most recent Patch Tuesday. Patches have also been made available for versions of Windows XP and Windows 2003 (see the customer guidance for the full list). For all the details about this month’s Patch Tuesday, including some other critical fixes, read the SophosLabs analysis of May’s Patch Tuesday.

The flaw is considered ‘wormable’, meaning that it has the potential to be used in malware that spreads by itself across and between networks.

Millions of computer networks around the world have RDP exposed to the outside world so that they can be managed not only via their local network but also across the internet. Sometimes, that external access was enabled on purpose; sometimes the exposure is an unwanted mistake – but in either case, a network where RDP can be reached from the outside is a potential gateway for an automated attack to reach a new victim.

Given the number of targets, and the potential for an explosive, exponential spread, we suggest you treat it as a matter of when, not if, the patch is reverse engineered and an exploit created, so you should update immediately. For more guidance, check out this article’s What to do? section.

The fact that Microsoft has taken the exceptional step of issuing patches for Windows XP and Windows 2003 is instructive.

Given the potential impact to customers and their businesses, we made the decision to make security updates available for platforms that are no longer in mainstream support … We recommend that customers running one of these operating systems download and install the update as soon as possible.

In the five years since the end-of-life date for Windows XP and 2003, Microsoft has issued countless patches for critical issues in its family of operating systems that it didn’t back-port to its retired products. It’s only broken that support embargo on four occasions, including this one, most notably during the WannaCry outbreak of 2017.

WannaCry was a ransomware worm that spread around the world in a day by exploiting a flaw in version one of Microsoft’s SMB software. The worm had no trouble finding hundreds of thousands of Windows systems to infect despite the age of the software and a patch having been issued the previous month.

As if to demonstrate our continued, collective failure to learn the lesson about the importance of patching, WannaCry was followed a little over a month later by NotPetya, another global ransomware outbreak using the same exploit.

What to do

Whatever else you do, patch.

If, for some reason, you can’t patch immediately, Microsoft offers the following mitigations and workarounds:

  • Enable Network Level Authentication (NLA). This forces a user to authenticate before RDP is exposed to the attacker. Not all affected systems support NLA.
  • Turn off RDP. If RDP isn’t running, the vulnerability can’t be exploited. As obvious as this seems, some organisations are unable to work without RDP, and some are running it without realising it.
  • Block TCP port 3389. Blocking port 3389 (and any other ports you’ve assigned to RDP) at the perimeter will prevent an attack from entering your network but can’t stop an attack from originating inside your network.
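As an added example that is not from either article, Microsoft or CERT, here is a read-only PowerShell audit that checks the BlueKeep mitigations listed above (RDP on or off, NLA required, the RDP port listening) together with the NLA credential-caching condition described in the Windows RDP ‘bug’ article, so one run on a host shows which of the two issues applies to it. The registry locations for NLA, the RDP enable switch and the listening port are standard Windows settings; the fDisableAutoReconnect value is an assumption for the registry setting behind the “Automatic reconnection” group policy the Technet moderator mentioned.

```powershell
# Added example, not the articles' own code. Read-only: it inspects the RDP host's
# configuration and reports findings; it changes nothing.
function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $winSta = "$tsRoot\WinStations\RDP-Tcp"
    # Assumed location of the "Automatic reconnection" group policy value.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Read a registry value, returning $null when the key or value is absent.
    function Read-RegValue([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $denyTs   = Read-RegValue $tsRoot 'fDenyTSConnections'     # 1 = RDP disabled
    $nla      = Read-RegValue $winSta 'UserAuthentication'     # 1 = NLA required
    $port     = Read-RegValue $winSta 'PortNumber'             # unset = 3389
    if (-not $port) { $port = 3389 }
    $noReconn = Read-RegValue $policy 'fDisableAutoReconnect'  # 1 = auto-reconnect off (assumed)

    # Builds named in the RDP article: Windows 10 1903 = 18362, Windows Server 2019 = 17763.
    # ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    $os          = Get-CimInstance -ClassName Win32_OperatingSystem
    $build       = [int]$os.BuildNumber
    $isServer    = $os.ProductType -ne 1
    $cachesCreds = ($isServer -and $build -ge 17763) -or (-not $isServer -and $build -ge 18362)

    # Is anything actually listening on the RDP port right now?
    $listening = @(Get-NetTCPConnection -LocalPort $port -State Listen `
                     -ErrorAction SilentlyContinue).Count -gt 0

    $findings = New-Object System.Collections.Generic.List[string]
    if ($denyTs -ne 1) {
        $findings.Add("RDP is not disabled (fDenyTSConnections=$denyTs); it is the service BlueKeep targets, so patch first.")
    }
    if ($nla -ne 1) {
        $findings.Add("NLA is not required (UserAuthentication=$nla); enabling it forces authentication before RDP is exposed.")
    }
    if ($listening) {
        $findings.Add("TCP port $port is listening; confirm it is blocked at the perimeter.")
    }
    if ($cachesCreds -and $noReconn -ne 1) {
        $findings.Add("Build $build caches NLA credentials and automatic reconnection is not disabled by policy; a locked RDP session can be restored unlocked. Log off rather than lock, or disable automatic reconnection.")
    }

    [pscustomobject]@{
        Build            = $build
        IsServer         = $isServer
        RdpEnabled       = ($denyTs -ne 1)
        NlaRequired      = ($nla -eq 1)
        Port             = $port
        PortListening    = $listening
        AutoReconnectOff = ($noReconn -eq 1)
        Findings         = $findings
    }
}

# Usage: run in an elevated session on the RDP host being audited.
Get-RdpExposureReport | Format-List
```

An empty Findings list means all three listed mitigations are in place and the credential-caching condition does not apply; the object is also suitable for export to CSV when auditing many hosts.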

Google’s next-gen Assistant is 10x faster and knows where your mom lives

After three years, the voice-activated helper gets its biggest update yet. And it shows just how much Google already knows about you.

MAY 7, 2019

ROBERT RODRIGUEZ

One of the best ways to understand the potential of the Google Assistant is to watch how fast the voice-activated helper can now bring up Beyonce’s Instagram page.

“Hey Google,” says Meggie Hollenger, a Google program manager, using the wake words that trigger the software on her smartphone. Then it’s off to the races as she shoots off 12 commands in rapid-fire succession.

“Open the New York Times…Open YouTube…Open Netflix…Open Calendar…Set a timer for five minutes…What’s the weather today?…How about tomorrow?….Show me John Legend on Twitter…Show me Beyonce on Instagram…Turn on the flashlight…Turn it off…Get an Uber to my hotel.”

As she makes each ask, the phone pops up the new information. The whole sequence takes 41 seconds. She doesn’t have to repeat the wake words between commands. When she makes the request to see what Beyonce is up to, the Assistant not only launches the Instagram app, but it automatically takes us directly to the pop star’s page so I can see the latest photos she’s shared with her 127 million followers. Likewise, when Hollenger asks for an Uber, the software already knows where she’s staying.

Three years after CEO Sundar Pichai introduced his AI-driven digital helper to the world, Google is previewing the “next-generation” of the Assistant at its annual I/O developer conference on Tuesday. The new version can deliver answers up to 10 times faster than it did before. A big boost of speed could help turn around the perception that voice assistants are too laggy and inaccurate. That’s a big deal if companies like Google and Amazon want to take these digital helpers further into the mainstream.

Making Google Assistant a success is key for the world’s biggest search service, which delivers answers to over a trillion searches a year. Many of us are moving away from looking for information by typing on our computers and are instead talking to our smartphones and smart speakers. Google is now racing with Amazon, and its Alexa voice assistant, and Apple, with Siri, to give us the instant gratification we increasingly expect from our always-connected gadgets.

That’s why Google invited me to its global headquarters in Mountain View, California, a few days before I/O to see the biggest update yet of its make-or-break Assistant.

It’s fascinating — and a little bit scary.

The next-gen software is the headliner in a new slate of features that showcase Google’s world-class artificial intelligence and engineering chops. The Assistant isn’t only faster, but smarter, with Google counting on breakthroughs it’s made in neural network research and speech recognition over the past five years to set itself apart from its rivals.

And it’s getting more personal. You’ll be able to add family members to a list of close contacts. When you ask the Assistant for directions to your mom’s house, for instance, it knows who your mom is and where she lives. Another feature, an update to last year’s eerily human-sounding Duplex voice concierge, lets the Assistant automatically fill out forms on the web after you make a verbal request for actions like booking a rental car or ordering movie tickets.

“We could potentially see a world where actually talking to the system is a lot faster than tapping on the phone,” says Manuel Bronstein, vice president of product for the Google Assistant. “And if that happens — when that happens — you could see more people engaging.”


But all that highlights the massive cache of data Google already holds on billions of people across the planet. It also underscores how much more personal information it’s going to need to collect from us to bring the true vision of its Assistant to life.

The Assistant is now on 1 billion devices, mostly because it comes preinstalled on phones running Android, the world’s most popular mobile operating system. Many of Google’s other services — Gmail, YouTube, Maps, the Chrome browser — also serve more than 1 billion people a month. All these services are useful and innovative, but their lifeblood is the data you feed the company every day through your search history, email inbox, video viewing habits and driving directions.

Of course, this is all predicated on the Assistant actually working as billed. Google wouldn’t let me try it for myself, and my colleagues and I weren’t allowed to video record the demo. Instead, Google provided us with a pre-shot marketing video. Hollenger also read from a script, following a cheat sheet of written commands. So it’s unclear how deft the software would be in carrying out the sometimes meandering requests of regular people.

The demo even had a few stumbles. While the jumps from app to app are snappy, Hollenger had to repeat queries once or twice because the software didn’t process her requests on the first try. In other demos, though, Hollenger used the Assistant to dictate texts and emails with hyper-accuracy. The system can also tell the difference between what she wants written in the email and what’s a general command. For example, when she says “Send it,” the software sends the email instead of typing “Send it” in the email body.

Still, the Assistant is sure to be the subject of discussion — and perhaps controversy.

“There are positives and negatives and tradeoffs,” says Betsy Cooper, director of the Aspen Tech Policy Hub. “With the Google Assistant, since it’s always listening [for a wake word], there’s always the possibility that they could abuse that privilege.”

‘Your own individual Google’

The new Assistant is the culmination of five years of work, says Francoise Beaufays, a principal scientist at Google. That’s longer than the Assistant has been around. Over those five years, Google researchers have made key advances in AI audio, speech and language recognition.

“What we did was reinvent the whole stack, using one neural network that does the whole thing,” says Beaufays.

It’s a major technological breakthrough, bringing down the space needed from 100 gigabytes to less than half a gigabyte. Still, the souped-up digital helper requires hefty computing power for a phone, so it will only be available on high-end devices. Google will debut the product on the next premium version of its flagship Pixel phone, expected in the fall.

Days before he unveiled the Assistant in May 2016, I sat down with Pichai in his glass-walled office, secluded within the sprawling Googleplex, to hear his pitch. The search giant, already years late to the digital voice assistant game, was finally getting ready to jump into the ring with Siri and Alexa.

From the very beginning, Pichai was adamant it was much more than that. For Google, the Assistant is about breaking past the company’s iconic white homepage and spilling its engineering smarts into every piece of tech you own — your phone, your car, your washing machine.

“It’s Google asking users, ‘Hi. How can I help?'” he said at the time. “Think of it as building your own individual Google.”

Now as Pichai ushers in a new phase for the Assistant — including the feature that knows specific details about your family — it’s clearer than ever that when he said “your own individual Google,” he meant it.

Google wouldn’t make Pichai available for an interview for this story.

Changing times

Of course, the world is a much different place than it was three years ago.

For starters, the competition with Amazon is now a full-fledged rivalry. When it comes to smart speakers, Amazon’s Echo devices powered by Alexa own almost 67% of the market, according to research firm eMarketer. Google Home devices, driven by the Assistant, account for almost 30%.

Then there’s the public debate on privacy and security. Lawmakers and consumers are taking a harder look at the policies of big tech companies after Facebook’s Cambridge Analytica scandal, which brought data collection issues to the forefront throughout 2018. Google was criticized just last month for its Sensorvault database, which helps measure the effectiveness of lucrative targeted ads served to you based on the personal information Google knows about you. It turns out that police departments across the country have tapped Sensorvault for location data when trying to crack criminal investigations. In response, a US House of Representatives committee sent a letter to Pichai demanding answers about the database. Lawmakers have asked for an in-person briefing by May 10.

When I asked during a product briefing last week what Google would do if law enforcement asked for data on family relationships and other info collected by Assistant, a spokesman said that Google doesn’t have anything to share on that front.

Bronstein, the product head for the Assistant, says Google constantly has “very good debates” about storing data for advertising purposes. The philosophy, he says, is “Don’t store the information for the sake of storing it. Store it because you think it can deliver value.”

He adds, “We want to be very transparent with all those things, so that you know when this is going to be used for advertising or is…never going to be used for advertising.”

But privacy experts say Google should do a better job communicating its policies to consumers.

“I don’t know how well people actually understand,” said Jen King, director of consumer privacy at the Stanford Center for Internet and Society. She adds that the company should give people more options to opt out of data collection, instead of lumping things together.

Google has already been challenged on how it deals with transparency. Last year, the Associated Press reported that Google tracked people’s location even after they’d turned off location-sharing on their smartphones. The data was stored through a Google Maps feature called “Location History,” the same feature at issue in the Sensorvault database. Critics like the ACLU said Google was being disingenuous with its disclosures. The company later revised a help page on its website to clarify how the settings work. Last week, Google announced a feature that lets people auto-delete location, web and app history.

Bronstein also says a “small fraction” of voice queries from the Assistant are shared with a team at Google that works on improving the AI system, if users allow for that in the settings. He didn’t provide any details about how many “small” is. But he did say that in those cases, personal information is stripped from the voice audio.

The evolution of Duplex

In addition to giving the Assistant a jolt of speed, Google is also updating the project that stoked the most controversy at last year’s conference: Duplex.

The feature uses unnervingly human-sounding AI software to call businesses to book reservations and appointments on the behalf of Google Assistant users. Its AI mimics human speech, using verbal tics like “uh” and “um.” It speaks with the cadence of a real person, pausing before responding and elongating certain words as though it’s buying time to think.

Last year’s demo immediately raised flags for AI ethicists, industry watchers and consumers, who worried about the robot’s ability to deceive people. Google later said it would build in disclosures so people would know they were talking to automated software.

This new iteration is a lot tamer.

The update to Google Duplex is like autofill on steroids.

James Martin/CNET

Google on Tuesday is updating Duplex to streamline bookings for more types of things, such as car rentals and movie tickets. But this time there are no human-sounding robots. It basically automates the process of filling out forms you’d find on the mobile web — think of it like autofill on steroids.

Here’s how it works: You say something like “Hey Google, get me a rental car from National for my next trip.” The Assistant then pulls up National’s website on your phone and starts filling out the fields in real time.

Throughout the process, you’ll see a progress bar, just like one you’d see if you were downloading a file. Whenever Duplex needs more information, like a price or seat selection, the process pauses and prompts you to make a selection. When the form is filled, you tap to confirm the booking or payment. Like other Assistant features, the system fills out the form by using data culled from your calendar, Gmail inbox and Chrome autofill (that includes your credit card information). The update launches later this year on Android phones.

While this version will probably cause less blowback, last year’s widespread recoil was a key moment for Google, Scott Huffman, head of engineering for the Google Assistant, told me earlier this year. “The strength of the reaction surprised me,” he said. “It made it clear to us how important those societal questions are going forward.”

There’s other stuff coming for the Assistant, too. Google on Tuesday also unveiled a new “driving mode” for Android phones. When you activate it, the user interface puts a few items front and center that you’re likely to use while driving. Those include navigation directions for Google Maps and Waze, music controls and reminders of missed calls. When you’ve got navigation directions up, your music or phone call controls sit at the bottom of the screen, so you don’t have to fiddle with your phone to find them.

‘Rules of the road’

Taken as a whole, Google’s new Assistant announcements could have a hefty impact on how we use tech.

Making voice commands easier and faster could change the way we interact with devices, just as when smartphones, led by Apple’s iPhone, became mainstream over a decade ago and sparked the age of touchscreen everything.

Perhaps we may look back at this as the first step toward a world in which people are constantly talking to inanimate objects. (It reminds me of those videos of toddlers holding magazines, trying to swipe at them like they’re iPads. In the future, kids could talk to a candle or chair and be surprised when it doesn’t talk back.)

The next-gen Assistant could also set a foundation for new habits around voice queries. Last year, Google announced “continued conversation” for voice commands, which keeps the mic open for eight seconds after a query so you can ask a follow-up question. The next-gen Assistant builds on that concept and could eventually forge a path for getting rid of wake words. (Huffman told me earlier this year that he thinks wake phrases like “Hey Google” are “really weird” and unnatural.)

That open mic would likely spark privacy concerns. Bronstein says it’s helpful to keep the microphone open for a little while — the company is still tuning how long that duration will be — but he wants people to be “intentional” when they’re talking to it. “You don’t necessarily want this thing to be transcribing everything you’re saying,” he says. “Because you wouldn’t feel comfortable.”

There are many other ways Google could advance the Assistant. Huffman told me earlier this year he’s interested in having the software remember an exact discussion you had with it yesterday, so that today you can pick up where you left off. He even wants the Assistant to be able to detect your mood and tone.

Whether that’s frightening or not, it’s how Google is thinking about evolving the Assistant. For now, though, Bronstein says he’s focused on making the experience more seamless, and figuring out what features will be valuable to users before adding that future-looking stuff.

In the meantime, people will have to work through all the issues that come with large-scale data collection and smarter-than-ever tech, and Google knows that. As Huffman told me earlier: “With AI, we’re going to end up with society thinking through some of the rules of the road.” ●

Facebook’s Oculus Quest heralds VR’s next gen, but will we buy in?

The $399 virtual reality headset, shipping May 21, is being positioned as the industry’s first true mass-market product.

Mark Zuckerberg says virtual reality is a bold bet on the future.

James Martin/CNET

If you list people’s complaints about virtual reality, they usually include how expensive the headsets can be, how clunky they are to connect by wire to a computer, and how there aren’t enough compelling games and apps.

Facebook believes it’s about to make a big dent in all that with its new Oculus Quest.

Powered by a self-contained onboard computer, the device is more powerful than the entry-level $199 Oculus Go and works with a pair of hand controllers.

It can play many of the popular games on the high-end computer-connected Oculus Rift S, like the popular rhythm game Beat Saber and the boxing movie tie-in Creed: Rise to Glory. It’s also got an upcoming Star Wars game, Vader Immortal, planned around its upcoming launch.

And it’s priced at $399, less than other high-end headsets like the new Valve Index or HTC Vive, both of which start at $499.

Bottom line, it attempts to answer most of people’s complaints about VR headsets so far. And Facebook CEO Mark Zuckerberg thinks that could be a game changer.

The Quest is “the all-in-one headset that we’ve all been waiting for,” he said Tuesday while announcing the device’s shipping date of May 21 during his company’s F8 developer’s conference. “Quest just blows people away.”

CNET’s Scott Stein agreed, declaring the Quest “the best thing I’ve tried this year.”

What we don’t know, even with all that, is whether it’ll succeed.


The VR world has been riding a wave of hype for years. It started in 2012, when Oculus was a startup, co-founded by the device’s teenage inventor, Palmer Luckey. In a Kickstarter video, the company pitched a $300 headset that promised to let you “step into the game.”

Fast-forward seven years, with a more than $2 billion acquisition by Facebook and the 2016 launch of the then-$599 Oculus Rift, and VR hasn’t yet proven to be the world-changing technology it promises to be. Headset shipments, which started in 2016 at about 6.6 million units, are estimated to rise just to 8.4 million this year, according to estimates from market watcher Nielsen’s SuperData Research.

“VR has no necessity to it yet,” said Stephanie Llamas, who oversees VR research at SuperData. The technology has caught on with gamers, artists and tech enthusiasts, she added, but it’s struggled beyond that.

That’s where she thinks the Quest could succeed. Facebook boasts at least 50 titles that will be available around when the Quest launches, including that Star Wars game.

“The Quest could be the opportunity to bring in the second wave of users,” she said. “It depends.”

Facebook sees the Oculus Quest as the next big step in VR.

James Martin/CNET

Beginning the Quest

The Oculus Quest and Rift S aren’t just new devices from Facebook’s VR division. They represent a second generation of VR, from one of the most influential device makers in the industry.

One way Facebook is telegraphing the importance of the Quest is through retail stores. The company is updating its retail displays for stores like Best Buy with new large touchscreens that help people learn what the Oculus Go, Oculus Quest and Oculus Rift S are, what games and apps are available for them, and why they’re different.

The company’s also expanding its retail presence into GameStop retail stores, in an effort to draw gamers too.

“We hope the Quest will mark an inflection point,” said Sean Liu, director of product management at Oculus. The company is beginning to sell to businesses as well, and plans to begin offering software to manage fleets of VR headsets soon. “There’s a lot of foundation work we need to do, and I think this is a stride in that direction.”

Unlike the original Oculus Rift, the Quest doesn’t need a computer, a bunch of wires or additional sensors. It’s all self-contained.

Sarah Tew/CNET

Betting on Quest

Some nagging issues could hold the Quest back.

A recent survey by IDC sponsored by PlayStation VR maker Sony found that some of the top reasons people still hold off buying VR devices are the cost of hardware and a lack of compelling games and experiences. Lapsed VR users don’t have enough reasons to keep coming back.

“Getting people to put the headset on for multiple hours per month is hard,” said IDC analyst Lewis Ward, who authored the study. He found that on average, VR owners spend less than seven hours per month in the headsets. That makes owners question the wisdom of their $250 to $800 purchase, not including the cost of a game console or PC to power their devices, he said.

“What can be done to drive up hours of use?” he said. “You’ve got to drive that number up. And then those people will go tell their friends, ‘You gotta put the headset on, you’ve gotta try it.'”

For game developers like Survios, which made Creed: Rise to Glory, that means coming up with even more must-have titles that work well with the new device. James Iliff, the company’s co-founder and creative chief, said he’s already pushing his teams to build their next games with the Quest in mind.

“The Quest is a starting point,” he said. What excites him about it is the wire-free design, including cameras that can track your movements, so when you duck in the real world you do so in the game world too. That, in addition to offering the same hand controllers the higher-end Rift already uses, makes it a compelling device.

“Quest is finally a synthesis of all these different technologies,” he said. “Things are taking longer, but progress is happening.”

That’s likely how Zuckerberg feels too. “This is gonna be a big year for VR,” he said Tuesday while talking about the Quest and Rift S launch plans. “These are a real step forward.”


How to explore deep space from your desktop with WorldWide Telescope


WorldWide Telescope

Image credit: Microsoft

WorldWide Telescope is an incredible program that puts the universe at your fingertips. It was created using images and information gathered by telescopes, probes and satellites, which are combined to create an interactive view of the sky that you can explore from your desktop.

WorldWide Telescope was developed by Microsoft Research – a branch of the company dedicated to furthering state-of-the-art computing and solving real-world problems. Astronomers use WorldWide Telescope to see the universe in many different wavelengths (including visible light, infra-red and gamma radiation), and there’s access to much more data via the Astrophysics Data System.

WorldWide Telescope already has more than a million active users, so let’s join them and turn our eyes to the heavens.

Image credit: Microsoft


1. Get started online

WorldWide Telescope is available as an HTML5 web app and a downloadable Windows application. We’ll start with the web version at www.worldwidetelescope.org.

To use Microsoft WorldWide Telescope, scroll past the welcome video and click ‘Explore WWT on the web’. A message will appear asking whether you want to share your location. This is optional, but telling WWT where you are will let you explore the sky as you’d see it from outside your own front door.

Image credit: Microsoft


2. Begin exploring

Read the notes explaining how to navigate, then click ‘Close’. WorldWide Telescope will present you with an image of the sky with constellations highlighted.

Try clicking and dragging to pan around. You’ll see the list of celestial objects at the bottom of the screen change as you move around. Select one to explore it in more detail. Here we’ve chosen Mercury. You can click and drag to spin the planet, and use your mouse wheel to zoom. The amount of detail visible is incredible.

Image credit: Microsoft


3. Pick a star

Now let’s use Microsoft WorldWide Telescope to take a look at a constellation. Click ‘Constellations’ in the top left, then pick one from the menu. Here we’ve chosen Ursa Major.

Make sure ‘Sky’ is selected under ‘Look at’, then right-click one of the constellation’s stars to learn more about it. Click ‘View object’ and the display will zoom right in to show you the star up close. You can also see research papers on the star, look it up online, and more.

Image credit: Microsoft


4. Go deeper

Use your mouse wheel to zoom out again. Now you can try exploring Microsoft WorldWide Telescope on your own. Pan around and find a patch of sky that you’d like to explore and zoom in.

Right-click when you see something interesting and zoom in for a closer look. Here we’ve found a spherical collection of stars called NGC 6752. It’s visible from Earth, so we could use the right ascension and declination provided to find it with a real telescope.

Image credit: Microsoft


5. See through time with cosmic dust

You can explore the sky using various surveys listed in Microsoft WorldWide Telescope’s top menu. Zoom out again and try clicking ‘SFD dust map’.

Cosmic dust used to be an annoyance to astronomers because it obscured the objects they were trying to see, but with infrared astronomy it can give us a huge amount of information about the formation and lifecycles of stars and planets. See if you can find a nebula made by a dying star.

Image credit: Microsoft


6. Take a tour

Thousands of astronomers have collaborated to make Microsoft WorldWide Telescope such an extraordinary tool, and several have put together virtual tours of celestial objects and events.

Select ‘Guided tours’ from the top menu, then choose a tour and click the ‘Play’ button. You can pause the tour at any time, or right-click anything that looks interesting to take a closer look and learn more about it.

Image credit: Microsoft


7. Get the Windows app

You can do even more with the WorldWide Telescope desktop application, which is free to download. We recommend enabling the option that checks for automatic updates each time you start the program.

Image credit: Microsoft


8. No place like home

While you’re using Microsoft WorldWide Telescope, take a moment to visit Earth. Here you can choose from several views (the Earth at Night options are particularly impressive) from different years. You can zoom right in to find your house, then move all the way out and begin exploring different galaxies again.

Microsoft WorldWide Telescope is an amazing tool that makes you feel very powerful, but also very, very small, and it will keep you clicking, zooming and reading for days.


Welcome to TechRadar’s Space Week – a celebration of space exploration, throughout our solar system and beyond. Visit our Space Week hub to stay up to date with all the latest news and features.

Amazon employees may be listening to your recorded Alexa conversations

Amazon Echo Plus

The Amazon Echo Plus (Image credit: Amazon)

Amazon employees could be listening to recordings of Echo speaker users’ conversations with Alexa, according to a report by Bloomberg.

The report details how teams listen to “voice recordings captured in Echo owners’ homes and offices” in a bid to improve the way Alexa understands speech and responds to commands and questions.

These recordings are apparently “transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa’s understanding of human speech and help it better respond to commands”, as part of the “Alexa voice review process”.

Bloomberg says that it spoke to seven people who “have worked on the program”, which reportedly comprises “a mix of contractors and full-time Amazon employees who work in outposts from Boston to Costa Rica, India, and Romania”.

Privacy concerns

If the claims that humans are reviewing recordings of our interactions with Echo speakers prove to be true, it could be a concerning insight into how artificially intelligent voice assistants are trained by companies, as well as a potential security issue for users.

Bloomberg says that the workers parse “as many as 1,000 audio clips per shift” and that Amazon employees “occasionally pick up things Echo owners likely would rather stay private [like] a woman singing badly off key in the shower”.

Even more concerning is the claim that these workers have been privy to recordings of “possibly criminal” acts. Engadget has reported that “two workers from Romania said they had to listen to what could’ve been sexual assault” and that “they were apparently told that they couldn’t do anything about it, because it’s not Amazon’s job to interfere”.

The reports raise questions as to the legality of failing to report a potential crime, as well as questions about the possible ramifications for Amazon employees who could well be distressed by hearing this kind of recording.

The Amazon Echo Spot (Image credit: TechRadar)


Amazon responds

Amazon has admitted to using human workers to annotate voice recordings. A spokesperson for the company released the following statement: “We take the security and privacy of our customers’ personal information seriously”.

“We only annotate an extremely small sample of Alexa voice recordings in order [to] improve the customer experience. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone.”

Amazon also said that employees “do not have direct access to information that can identify the person or account” when annotating voice recordings. Even so, it’s concerning to think that private conversations could be listened to by employees if Alexa is accidentally woken after misinterpreting regular speech as its wake word, ‘Alexa’.

Microsoft Ending Support for Windows 7


03/19/2019 02:14 PM EDT


Original release date: March 19, 2019

All software products have a life-cycle. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running the Windows 7 operating system. After this date, this product will no longer receive free:

• Technical support for any issues
• Software updates
• Security updates or fixes

Computers running the Windows 7 operating system will continue to work even after support ends. However, using unsupported software may increase the risks from viruses and other security threats.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to upgrade to a currently supported operating system. For more information, see the Microsoft End of Support FAQ.

A copy of this publication is available at www.us-cert.gov.

“My God, what have I done?” Man loses over $35,000 to one of the riskiest scams out there

Brad Helding wanted some extra work so he posted his resume on some job sites and soon got an email from a company calling itself Delta Express Couriers. The job? An offer to work from home as a “purchase clerk,” buying electronics in large quantities, then shipping them to the company’s clients, mostly overseas.

The company told him since Montana has no sales tax, they’d save money running the purchases through him. The job paid over $72,000 per year, plus bonuses.

“I would be shopping locally or online for phones, computer parts, laptops,” he said. “It certainly sounded very appealing to me at the time.”

And Helding said he did his research, checking the company’s website and Sacramento location. So he filled out tax and employment forms, and when an “offer letter” arrived, he signed it.

The company then sent him $2,000 so he bought iPhones at a Best Buy and shipped them off as instructed. He says for the next batch of purchases, the company told him to temporarily use his own credit card but provided bank account and routing numbers he could use to reimburse himself for those expenses. It worked until he called his card company a few weeks later.

“She says, ‘I need to tell you that this account is stolen and you are not authorized to make payments from that account,'” Helding said.

When he called the company, he only got this automated message: “Thank you for calling Delta Express Couriers. Please leave us a message with your name and telephone number and we will return your call within normal business hours.”

It turned out, all the transactions were fraudulent including that original $2,000 “payment.” Now, Helding is out what he paid for the electronics: more than $35,000.

He’s one of thousands of Americans who fall for employment scams. Employment fraud tops the list of the riskiest scams targeting consumers in 2018, according to a new report by the Better Business Bureau which says job scams made up just over nine percent of the total. The BBB doesn’t just look at how often a scam happens. They now look at how susceptible you might be to a particular scam, and how much you could lose.

“Scammers definitely use at-home opportunities, because they know a lot of people are looking for those opportunities,” said the Better Business Bureau’s Melissa Trumpower.

Adam Levin’s company CyberScout has been looking into Helding’s case, which he says shows indications of criminal syndicates.

“I don’t believe we know who did it right now, no,” Levin said. “Because they’re laundering money … they have to find a way to launder money, so they come up with different scams in order to do it effectively because they’ve got to end the trail.”

Meaning – they get Helding to buy $30,000 worth of electronics and then they sell the electronics. Now they’ve got clean money – money that Helding now owes.

“I’m not a stupid person,” he said. “I mean I’ve got an education, I’ve been around the world and I said, ‘My God, what have I done? What have I fallen for?’”

CBS News found the real Delta Express Couriers went out of business several years back.

Work-at-home job scams are extremely common and the BBB warns you should be very, very careful about them – especially if the company contacts you, as they did in Helding’s case.

USB 4 Debuts With Twice the Throughput and Thunderbolt 3 Support

Credit: Intel

The USB Promoter Group, the standards body behind the USB specification, announced it would step forward to the USB 4 architecture in the middle of 2019. The new speedy interface blends in Thunderbolt 3 support and offers twice the bandwidth of USB 3.2, meaning it supports up to 40 Gbps of throughput.

The USB specification is perhaps the most ubiquitous of interfaces in the computing industry. From mobile devices to laptops and desktop PCs, billions of devices have shipped that support the interface since its inception in 1995. Each step forward to a new specification, and the increased speed and compatibility that comes along with it, spurs a wave of new devices that range from cheap USB flash drives to new external storage enclosures. The USB interface has had its challengers over the years, but its royalty-free model and broad use, along with a steady cadence of higher speeds through improved specifications, has staved off the competition.


To further expand the range of devices using the Thunderbolt 3 specification, Intel has contributed its protocol to the USB standards committee, which integrated the protocol into USB 4. Intel’s contribution comes without royalties, meaning that other chip manufacturers can build supporting silicon without paying a fee.

| Specification | Throughput | Previous Term  | Technical Term   | Marketing Term          |
|---------------|------------|----------------|------------------|-------------------------|
| USB 4         | 40 Gbps    | N/A            | USB 4.0          | Not Announced           |
| USB 3.2       | 20 Gbps    | N/A            | USB 3.2 Gen 2×2  | SuperSpeed USB 20Gbps   |
| USB 3.1       | 10 Gbps    | USB 3.1 Gen 2  | USB 3.2 Gen 2    | SuperSpeed USB 10Gbps   |
| USB 3.0       | 5 Gbps     | USB 3.1 Gen 1  | USB 3.2 Gen 1    | SuperSpeed USB          |

USB 4 doubles throughput up to 40 Gbps across a two-lane interface with certified USB Type-C cables. The USB Promoter Group will also introduce a new USB Type-C Specification to handle USB 4 bus discovery.

Thunderbolt 3 integration also enables the simultaneous transfer of both data and display protocols, meaning that you can daisy-chain 4K monitors and other Thunderbolt 3 devices, like external storage or GPU enclosures, together into one cable that connects to your PC. Thunderbolt 3 passes data across four lanes of PCIe 3.0, while also supplying eight lanes of DisplayPort 1.2 that support up to two 4K displays at 60 Hz. Thunderbolt 3 also provides up to 100W of power for system charging and 15W for bus-powered devices.

As expected, USB 4 will retain compatibility with USB 2.0 and 3.2, the latter of which was recently renamed in a bid to simplify the somewhat confusing USB naming schemes. The USB Promoter Group hasn’t assigned a new marketing term for the interface (like SuperSpeed USB), though it plans to soon.

Intel has already announced that it is baking in support for the Thunderbolt 3 specification directly into its forthcoming 10nm Ice Lake processors, eliminating the need for third-party control chips. That tight level of integration builds upon the existing Thunderbolt 3 support in Windows 10 and macOS.

Intel says that over 400 PC designs have come with Thunderbolt 3 support from the likes of HP, Dell, Lenovo, Apple, and Asus, with the number of units shipped doubling each year into the “tens of millions.” To ensure consistent performance and quality standards, Intel manages a mandatory Thunderbolt 3 certification program that uses third-party test labs for verification. The company has certified over 450 devices, including docks, displays, storage, and external graphics enclosures.

Credit: Intel

Manufacturers of end devices pay a one-time fee for the certification, which is the only payment required to obtain the Thunderbolt 3 badge, but cable makers are subject to ongoing rigorous inspections that include spot checks and factory audits to ensure that quality remains acceptable on an ongoing basis. Intel also hosts plugfests, during which interoperability with numerous new devices is tested, and workshops.  

“Releasing the Thunderbolt protocol specification is a significant milestone for making today’s simplest and most versatile port available to everyone,” said Jason Ziller, General Manager, Client Connectivity Division at Intel. “By collaborating with the USB Promoter Group, we’re opening the doors for innovation across a wide range of devices and increasing compatibility to deliver better experiences to consumers.”

For now, the USB Promoter Group, along with 50 companies, is focused on the final stages of the USB 4 draft specification. The group is also hosting the USB Developer Days 2019 event later this year. The event will provide detailed technical training on the new specification along with USB Type-C cable and USB Power Delivery training.

The USB 4 standard will be finalized in mid-2019.

How the Pentagon Uses Drones | DoD Domestic Drone Use Reaches All-time High

BY ISABELLA LEE

31 January 2019

Department of Defense (DoD) drone operations have reached an all-time high in the United States according to new data released by the Pentagon. According to the data, the Pentagon deployed drones domestically more often last year than in the previous five years combined.

When prompted to think about drone use by the military, many think about the deployment of armed drones in foreign wars. It’s not often that military drone use is discussed stateside. However, this new data reveals that military drone use is on the rise here at home in the U.S. But it may not be in the ways you expect.

MILITARY DRONES DEPLOY STATESIDE IN SUPPORT OF FIREFIGHTERS, POLICE OFFICERS, BORDER PATROL, AND OTHER CIVILIAN AUTHORITIES

The majority of domestic DoD drone operations took place to support civilian authorities, such as firefighters, civilian law enforcement officers, and first-responders. Let’s take a look at the data:

DoD UAS Operations in 2018:

  • 4 operations to support firefighters
  • 2 operations to support domestic DoD installations (military bases located in the U.S.)
  • 1 operation to support civil authorities at the southern border
  • 1 operation to support civil authorities in hurricane/flood response
  • 1 operation to support civil law enforcement in counterdrug operations
  • 1 operation to support Public Affairs with an air show within DoD airspace
  • 1 training exercise operation

During the 2018 fiscal year, the Pentagon engaged in 11 total domestic drone operations. Some of these operations involved multiple drone flights and took place over several months.

The majority of domestic DoD drone operations took place as part of the effort to monitor the California wildfires that started last summer. Military drone operations typically don’t cross over into the civilian sector; however, the DoD used drones to support CAL Fire multiple times throughout the year. Drones are used by firefighters to collect vital information about ongoing fires and to assess the damage they leave behind. This data enables firefighters to focus their efforts where their help is most needed, keep them out of harm’s way, and save lives.

Similarly, drones are able to assist with other natural disasters such as floods and hurricanes. In September 2018, the DoD used drones to assist civil authorities, such as emergency medical service personnel, with Hurricane Florence flood response efforts.

WHAT TYPES OF DRONES DID THE DOD USE?

The drones used in the DoD operations discussed above include multirotor and fixed-wing drones. Some must be launched by hand while others can take off autonomously. According to the data shared from the Pentagon, the drones used in the DoD’s 2018 domestic operations include:

  • DJI Phantom
  • MQ-1C Gray Eagle 4
  • MQ-9 Reaper
  • RQ-11B Raven
  • RQ-21 Blackjack

DJI Phantom 1, Source: Clément Bucco-Lechat via WikiMedia

The DJI Phantom is a multirotor quadcopter drone developed by Chinese technology company DJI. Multirotor drones are commonly equipped with a camera and can be used to quickly get an “eye in the sky.” These drones provide excellent control over positioning, allowing the operator to direct precise movements and collect accurate data.

In May of 2018, the DoD issued a ban on the purchase and use of commercial off-the-shelf drones (including DJI drones) due to cybersecurity concerns. So while the DJI Phantom appears on this list, its use by the DoD has since been suspended.

The MQ-1C Gray Eagle 4 and the MQ-9 Reaper are large, fixed-wing drones. Both were developed by General Atomics Aeronautical Systems for military use. These drones are better suited for long-endurance flights at higher altitudes than multirotor drones like the DJI Phantom.


The RQ-11B Raven was developed by AeroVironment and is a small, hand-launched, fixed-wing drone. It was designed specifically for the United States military but is now used in defense operations by countries around the world.

The RQ-21 Blackjack was developed by Insitu, a Boeing subsidiary, and is another fixed-wing drone. The benefit of this unmanned aircraft is its ability to carry heavy payloads (up to 39 lbs.) and to travel at high speeds.

CIVILIAN AND COMMERCIAL DRONE USE ON THE RISE IN THE U.S.

Just as the military is increasing its use of drones, so are civilians. Drones have been used by the military since World War II, but civilian and commercial use of drones has only taken off recently.

The number of registered drone operators in the U.S. has exploded in recent years, reaching over 116,000 in 2018. This increase in drone use by civilians is due, in part, to the FAA’s establishment of the Part 107 Rule in 2016 for commercial drone operations. Additionally, the rise is also the result of the mainstream commercialization of drones readily available for purchase from public retailers.

So how are drones being used in the civilian sector? We’ve already mentioned some use cases, such as firefighting and natural disaster response, but those are only a couple of ways drones can be used. Drones are used in agriculture to count crops and analyze crop yields. They’re used on construction sites to survey and map out building projects. They’re used by utility companies to inspect power lines, oil wells, and equipment. The list could go on, but you probably already see just how much value drones can offer civilian and commercial industries.

There are hundreds of ways to use drones with more applications still to be discovered and explored. It can be assumed that there are still industries which drones have yet to penetrate—industries where the potential to increase efficiency with drones is still to be recognized. As the technology becomes more mainstream, new and expanded uses for drones will be recognized in more fields of work.

Share your thoughts on the increasing use of drone technology in both the military and civil sectors in this thread on our community forum.

NASA Will Test Drone Traffic Management Systems in U.S. Cities as Final Phase of UTM Project

BY ZACC DUKOWITZ

22 February 2019

NASA recently announced that they’ve selected two partners to host the fourth and final phase of its UTM Project, which will test systems to safely and effectively manage drone traffic in urban areas in two U.S. cities.

Image depicting a city sky populated by both manned and unmanned aerial vehicles.

Image credit: NASA Illustration/Lillian Gipson

NASA’s two partners are the Nevada Institute for Autonomous Systems, located in Las Vegas, NV and the Lone Star UAS Center for Excellence & Innovation, located in Corpus Christi, TX.

This [fourth] phase represents the most complicated demonstration of advanced UAS operating in a demanding urban environment that will have been tested to date.

– Ronald Johnson, UTM Project Manager for NASA

The test flights will take place in and around downtown Reno, Nevada between March and June, and in Corpus Christi during July and August.

ABOUT NASA’S UTM PROJECT

UTM stands for Unmanned Traffic Management, which is a catchall phrase for systems made to manage drone traffic and keep drones and manned aircraft from colliding.

Although private companies like Matternet and AirMap have made headlines for their work in bringing UTMs to market at scale—most notably in Switzerland, where there is now a UTM in place for the entire country’s air traffic—NASA has also been working on its own UTM technology for several years.

The stated goal of the NASA UTM Project is “to develop technologies, roles, responsibilities and procedures for a future airspace management system that safely manages autonomous aircraft operations in populated areas.”


NASA has enlisted a plethora of private and government agency partners to help with this work. In addition to the two partners mentioned above, who will be hosting the fourth phase of their UTM testing, NASA has also partnered with the FAA, as well as 70+ other private companies and government entities (see the full list of NASA’s UTM partners here).

A key part of NASA’s UTM Project has been the testing they’ve conducted of their UTM system, which has taken place in a series of phases (also referred to as different levels of Technical Capabilities).

These tests are a core part of NASA’s initial directive in this research, which was to design, test, and demonstrate a UTM that will allow drones to have full access to low-altitude airspace “not currently managed by the FAA” (i.e., airspace other than that found at airports and in other highly-trafficked/highly managed areas).

FOUR PHASES OF TESTING

NASA’s UTM Project has already undergone three phases of testing over the last several years. In each phase, the level of complexity being tested has grown significantly.

In its fourth and final phase, NASA plans to test their UTM system’s ability to manage drone traffic in an urban area—possibly the most complicated scenario for UTM that could be imagined.

The Four Phases/Levels of Technical Capability

  • Technical Capability Level One (TCL1): Focused on field testing rural UAS operations for agriculture, firefighting, and infrastructure monitoring. It enabled UAS operators to file flight plans reserving airspace for their operations and provide situational awareness about other operations planned in the area.
  • Technical Capability Level Two (TCL2): Demonstrated UAS applications that operate beyond visual line of sight of the operator in sparsely populated areas. Researchers tested technologies that allowed dynamic adjustments to availability of airspace and contingency management.
  • Technical Capability Level Three (TCL3): Included cooperative and uncooperative UAS tracking capabilities to ensure the collective safety of manned and unmanned operations over moderately populated areas.
  • Technical Capability Level Four (TCL4): Will leverage TCL3 results and focus on UAS operations in higher-density urban areas for tasks such as news gathering and package delivery. It will also test technologies that could be used to manage large-scale contingencies.

Note: The above text has been adapted from TCL descriptions that appear on NASA’s website.


WHAT’S NEXT FOR NASA’S UTM PROJECT?

Once the fourth and final phase of testing is done NASA will presumably begin looking at ways to enable the widespread use of their UTM technology, with the ultimate goal of making the national airspace safer.

Results of [UTM] research in the form of airspace integration requirements are expected to be transferred from NASA to the FAA in 2019 for their further testing.

– NASA website

But the path from research and testing to implementation is not a clear one right now. While it’s exciting that NASA is closing in on the final phase of their UTM Project, there doesn’t seem to be much information available about how they plan to bridge the gap from technological development to actual use.

If some form of UTM is launched nationwide in the U.S. it could go a long way toward enabling those types of commercial drone operations that require BVLOS (Beyond Visual Line of Sight) flights, including drone deliveries and inspections of assets in remote or hard-to-reach locations.

Most likely UTM, if and when it does arrive here, won’t be rolled out in organized batches that eventually cover the entire U.S., as the LAANC updates were, but will arrive piecemeal, with some areas of the U.S. having certain UAS management capabilities long before others do, based on need and the influence of private companies.

When do you think we’ll see UTM implemented throughout the U.S., as it already is in Switzerland? And how important is UTM to the future of the drone industry as a whole? Share your thoughts and opinions in this thread on the UAV Coach community forum.

‘Romance scams’ cost online daters $143M in 2018, federal data show

The median reported loss last year amounted to $2,600 — seven times higher than other frauds, according to the Federal Trade Commission.
By Kathy Park

As more people look for love on dating apps and social media, there’s a steady spike in scammers trying to worm their way into hearts and wallets.

Last year, consumers reported greater losses to romance scams than to any other category of fraud, said Monica Vaca of the Federal Trade Commission. “That’s $143 million that consumers reported that they lost in 2018 to romance scams.”

The median reported loss last year amounted to $2,600 — seven times higher than other frauds, according to the FTC. Most of that money was wired or sent with gift cards.

Federal data also show that people between the ages of 40 and 69 have the highest rates of romance scams.

One woman told NBC News that she was swindled following her divorce.

Connie, who asked her real name not be used for fear of embarrassment, said she began looking for love on the online dating site Plenty of Fish.

“I met this guy and he was supposed to be a doctor … and so he was very charming, he had the whole set up, pictures with the dog, his house on the beach,” Connie said. “And so we talked for about a week or two weeks.”

But what appeared to be a connection turned into a con. The man said he was taking a work trip abroad, and that’s when his actions became suspicious: He began asking Connie for money.

“He said you can send me $100 on (an) Amazon card,” she said.

Such requests for money, however, should be an immediate red flag, according to the FTC.

“You know as long as that spigot is on and there’s a little bit of money coming through to these folks, they’re going to keep trying to get some of that money,” Vaca said.

Scammers often use similar tactics to pull at heartstrings. The FTC said creative tales of emergencies and misfortune requiring financial assistance are common. Any plans to meet in person, however, never transpire.

Further investigation typically reveals the swindler’s profile is phony, the FTC said.

“When they take those photographs and they do a Google image search on those photographs, they’ll find that photo, and they will see it with someone else’s name,” Vaca said.

Connie fell into that exact trap.

“I couldn’t find him. I searched his Facebook and everything, and then I realized it was just a fake person, using somebody else’s pictures and everything,” she said. “I was very upset because it was a waste of time and energy.”

Victims are encouraged to report online scams to FTC.gov.

NASA, SpaceX look ready to finally launch Crew Dragon capsule to ISS

NASA just dropped some enticing new details about the much anticipated and much delayed test flight.


The SpaceX Crew Dragon capsule gets ready ahead of an uncrewed test flight

Delays and space flights are close companions. NASA has pushed back the launch date for the SpaceX Demo-1 uncrewed test flight of the Crew Dragon capsule several times already, but new details make it sound like early March could finally be go time.

NASA shared details of the mission on Wednesday, including a launch-time target of 11:48 p.m. Pacific on Friday, Mar. 1 (2:48 a.m. Eastern on Saturday, Mar. 2). “The uncrewed test flights will be the first time a commercially built and operated American rocket and spacecraft designed for humans will launch to the space station,” the agency says.

The Crew Dragon capsule will lift off with an assist from a Falcon 9 rocket and head to the International Space Station. It’s scheduled to dock at the ISS on March 3 very early in the morning. Though it won’t have any humans on board, it will be stocked with 400 pounds of crew supplies and equipment.

SpaceX has looked ready to get going on this mission for quite some time. The capsule and Falcon 9 are already in position on the launch pad at the Kennedy Space Center in Florida. SpaceX tweeted a dramatic static test fire on Jan. 24, back when it was still targeting a February launch.

The Crew Dragon is set to hang out at the ISS for five days and then come back to Earth carrying research samples. If all goes well, the capsule will reenter Earth’s atmosphere and land in the Atlantic Ocean for recovery.

NASA TV will cover prelaunch events starting on Feb. 22 and follow the actual launch at the scheduled time if there are no further delays.

The Crew Dragon launch will mark a major milestone in NASA’s Commercial Crew Program, which features both SpaceX and Boeing working to bring launches back to US soil. NASA has been hitching astronaut rides to the ISS on Russian Soyuz spacecraft.

If Dragon passes its uncrewed flight testing, it could then be cleared to ferry astronauts into space as early as mid-2019 and begin a new era in American spaceflight.

Update, February 20 at 9:11 p.m. PT: This story has been updated to correct and clarify the scheduled launch time.

WinRAR patches 19-year-old security vulnerability that put millions at risk

Support for an outdated format was to blame

Illustration by Alex Castro / The Verge

WinRAR has patched a 19-year-old security vulnerability that allowed attackers to extract malicious software to anywhere on your hard drive. The vulnerability was discovered by researchers at Check Point Software Technologies, who realised that WinRAR’s support for the effectively defunct ACE archive format meant that it was still relying on an insecure and dated DLL file from 2006.

The researchers have compiled a lengthy blog post explaining how they discovered the bug, but a short video tells you everything you need to know about how it works. WinRAR decides how to unpack a file from its contents rather than its extension, so an ACE archive renamed to .rar is still handed to the old ACE library; a crafted file name inside such an archive can make WinRAR extract a malicious program to the computer’s Startup folder, meaning it will run automatically the next time the computer boots up.
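Two defensive checks the flaw points at, as an added example that is not Check Point’s or WinRAR’s code: identify an archive by its signature rather than its extension (so a renamed ACE file is recognised as ACE and can be refused), and validate every member’s file name before joining it to the extraction directory, so that absolute paths, drive prefixes and `..` segments cannot steer a write outside it. The RAR and ACE signature bytes are the real ones; the sample headers and member names are constructed for the example.

```python
"""Format sniffing and extraction-path validation for archive members.
Added example; not Check Point's or WinRAR's code."""
import ntpath
import os
from typing import Optional

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"      # ACE main header carries this signature at byte offset 7
ACE_MAGIC_OFFSET = 7

# Constructed sample headers (signature bytes only, zero-padded).
SAMPLE_RAR = RAR4_MAGIC + bytes(16)
SAMPLE_ACE_RENAMED_TO_RAR = bytes(ACE_MAGIC_OFFSET) + ACE_MAGIC + bytes(16)


def sniff_archive(data: bytes) -> str:
    """Classify an archive by signature; the file extension is never consulted."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def is_safe_member_name(name: str) -> bool:
    """Reject member names that could land a write outside the extraction directory."""
    unified = name.replace("\\", "/")           # archives use either separator
    if not unified or unified.startswith("/"):  # absolute POSIX path or UNC-style //server/share
        return False
    if ntpath.splitdrive(unified)[0]:           # "C:" style drive prefix
        return False
    return ".." not in unified.split("/")       # no parent-directory segments anywhere


def safe_extract_path(dest_dir: str, name: str) -> Optional[str]:
    """Return the absolute target path for a member, or None if it must be skipped.
    The realpath/commonpath check is a second line of defence in case a symlinked
    directory created earlier in the same archive redirects the write."""
    if not is_safe_member_name(name):
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    for blob in (SAMPLE_RAR, SAMPLE_ACE_RENAMED_TO_RAR):
        print(sniff_archive(blob))
    for member in ("docs/readme.txt", "../evil.exe", "C:\\Windows\\evil.exe"):
        print(member, "->", safe_extract_path("/tmp/extract-demo", member))
```

An extractor that applies both checks would refuse the ACE blob regardless of what the file was named, and would skip, rather than write, any member whose name fails validation.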

After the security researchers informed WinRAR of their findings, the team patched the vulnerability with version 5.70 beta 1 of the software. Rather than attempt to fix the issue, the team opted to drop support for ACE archives entirely, which was probably the sensible option considering the only program capable of creating the archives, WinACE, hasn’t been updated since 2007.

It’s unclear if any attacks have used this exploit in the 19 years it’s existed, but with 500 million WinRAR users worldwide they had plenty of opportunities to do so. If you’re one of these users then it’s pretty critical that you update it at the earliest opportunity to ensure that you don’t fall prey to this exploit.

Hackers steal $800,000 from Cape Cod Community College

Hackers stole more than $800,000 from Cape Cod Community College last week when they infiltrated the school’s bank accounts, the school notified its employees Friday.

Several computers in the school’s Nickerson Administration Building were hacked by a phishing scheme that used malware to obtain access to the school’s accounts, according to an e-mail from the school president, John Cox, sent Friday afternoon to school faculty and staff.

Hackers obtained banking information from the school by sending computer viruses via e-mail that lodged in the computer and stole school bank information, then fraudulently transferred the money out of the school’s accounts at TD Bank, according to a school spokesman. Working with the bank, the school has recovered about $300,000 of the funds, the school said.

Since the hack, the school has identified and prevented several subsequent attacks, according to Cox’s e-mail. The spokesman said Friday the school believes the same hackers tried unsuccessfully to infiltrate other colleges in the area but said he did not know which ones.

The attack started with an Internet outage that school officials believed was a Comcast issue but later realized was a hack, said the school spokesman, Patrick Stone. The school said the FBI is investigating; an FBI spokeswoman said she could not confirm an investigation. No personal information from students or college employees was compromised, the college said.

The school said payroll and other financial operations will not be affected, and it is working with the bank to recover the rest of the stolen money. The school is also working with state IT officials and the comptroller’s office to prevent future attacks, the school said.

Cox plans to hold a meeting Monday with school employees to provide more information.

The West Barnstable college has an operating budget of about $35 million, about half of which comes from the state, according to its most recent financial statement. It has 4,900 students, 68 full-time faculty, and 159 full-time staff. The school offers associate’s degrees with a specialty in aviation programs and partners with schools that offer bachelor’s and master’s degrees.

The college has replaced all infected hard drives, according to the president’s e-mail. It will conduct more cybersecurity training for faculty, staff, and students. Stone, the school spokesman, said the college plans to invest in more sophisticated software to prevent attacks in the future.

Laura Krantz can be reached by e-mail.

Troubleshooter: Durham couple loses $8,900 in computer virus scam

It happens again and again-a computer scam that causes many people to lose thousands.

Some people call it the Microsoft scam, others the computer virus scam, but no matter what it’s called it almost always ends in financial heartache.

This time, a retired Triangle couple lost $8,900. Amelia Lewis said she was on her computer when an alert popped up that said her computer could be at risk. “Don’t continue to use your computer, don’t shut it down,” Amelia said the computer read.

She and her husband Al immediately called the phone number on the screen, which they said appeared to be the number for the company they subscribe to virus protection services from. “They started telling me that they were gonna have to cancel their subscription, because of the fires in California burned the service so they’re not able to protect our machines and they were going to refund our money,” Al said.

Al said he believed the story, and thought they would get a refund of $318. He gave the person on the phone remote access to his computer so they could put the refund directly into his account.

“This Chase Bank screen came up with all this money,” said Al. Instead of refunding $318 into Al’s bank account, the screen showed that $3,188 had appeared in the Chase account. “It was there I could see it,” Al said.

At this point, Al said the man on the phone started to sound distressed. “He said well my boss is gonna be mad at me I might lose my job because of the mistake.”

Al said the man told him he could not reverse the charges, so instead, he asked Al and his wife to buy Walmart gift cards to refund the difference. The Lewises drove to their local Walmart and bought $2,700 worth of gift cards. “He wanted us to scratch the back of the gift cards off and texted it to him. And we did that,” Al said.

They thought it was over after that, but the next morning when Al looked at his computer, it showed that the company had put two more payments of $3,188 into his bank account. “I could see it,” Al said again. So they went back to Walmart and purchased $6,200 worth of gift cards, scratched off the backs, and sent the numbers to the man who had called them.

The next day, he called again and tried to do it again, and that was when they realized something was wrong. “I said ‘man I got that you’re a scam.’ I said I want the money back,” Al said.

There was no way to reverse it; the $8,900 they had spent on those gift cards was gone.

“I was really sick, I was like oh my God I can’t believe this just happened,” Amelia said. “You know it really hurt. You know it took us a long time to save that money, and now they are playing with it.”

The Lewises are not alone; I often hear from people who say they’ve fallen for this scam. The computer pop-ups can be very convincing. If you get one that says your computer is at risk, do not call the number. Instead, shut down your computer.

Another note of caution: you should never give someone you don’t know remote access to your computer. The Lewises believe that once they gave the scammers access to their computer, the scammers were moving money back and forth between their own accounts to make it look like the couple was being refunded, when it was just their money being moved from one account to another.

Finally, if anyone asks for you to use gift cards as payment, that’s a huge red flag that they are scammers.

NASA wowed with Mars landing, but InSight’s just getting started

Following a dramatic touchdown, a new robot on the Red Planet is ready to get down to business.


NASA pulled off its eighth landing of a spacecraft on the surface of Mars as the world watched on Monday. But making the long journey and touching down without any explosions is just the beginning.

The first few things the InSight lander did after its hot and harrowing six-minute descent through the Martian atmosphere included snapping a dusty but still remarkable photo and then beginning to unfurl its solar arrays.

Later on Monday, NASA received confirmation that the solar arrays are in place and working. This will be critical to ensuring InSight can actually carry out its mission to explore the interior of Mars, listen for “Marsquakes” and figure out how many meteorites batter the Red Planet.

“We are solar powered, so getting the arrays out and operating is a big deal,” InSight project manager Tom Hoffman said in a statement following the landing. “With the arrays providing the energy we need to start the cool science operations, we are well on our way to thoroughly investigate what’s inside of Mars for the very first time.”

Once InSight is powered up, the mission teams will go over a checklist to make sure the lander, its on-board robotic arm and all its science instruments are in good health. The dust covers will come off its two cameras, clearing up the gritty view seen in InSight’s first photo and allowing for a detailed survey of that red ground to determine the best place to set down the instruments.

Next, the robotic arm will position InSight’s seismometer, called SEIS (Seismic Experiment for Interior Structure), and put a wind and thermal shield on top of it. With SEIS in place, next up will be the probes and “mole” that will dig as deep as 16 feet (4.9 meters) into the planet to measure internal temperature and to study Mars’ guts.

Elizabeth Barrett, who heads InSight’s instrument operations, told reporters Monday that the process of setting the instruments on the ground alone will take two to three months, followed by another month or two to drill and begin getting science data back.

When it all comes together, the science portion of the mission could begin in March 2019.

“Landing was thrilling, but I’m looking forward to the drilling,” InSight principal investigator Bruce Banerdt said in a statement.

Once InSight’s instruments are set up, they could return data for quite some time.

“We should be listening for Marsquakes for at least two years, and we hope considerably longer,” Tom Pike of Imperial College London, who was part of the team that designed the seismometer, said in a statement.

Banerdt says the broader goal of InSight is to better understand not just Mars, but Earth and other planets. While evidence from the early years after Earth’s formation has been erased by processes like weather and plate tectonics, those processes seem to be less active on Mars.

“On Mars, all those things that were formed [early] are still frozen in place,” Banerdt said during Monday’s press conference.

Unlike its rover cousins, InSight will be stuck in place, but it stands to be very active in shaping our understanding of Mars and the rest of the universe. Stay tuned.

Major SMS security lapse is a reminder to use authenticator apps instead

26 million customer texts were exposed

Illustration by Alex Castro / The Verge

A recent data breach has exposed a database of around 26 million text messages containing private customer information, reports TechCrunch. In addition to the privacy concerns, the breach also highlights the dangers of relying on SMS messages for receiving two-factor authentication codes or account reset links, which sees sensitive information sent over an unencrypted communications platform.

The breach was brought to light by a Berlin-based security researcher named Sébastien Kaul, who discovered that the Voxox-managed database was discoverable, unprotected, and easily searchable for both names and telephone numbers. Since the server was still active after the breach was discovered, anyone could have monitored a near-real-time data stream to find the relevant two-factor authentication code sent after trying to log into someone else’s account. Only after being contacted by TechCrunch did Voxox take down the database, which contained text messages sent to customers from companies including Google, Amazon, and Microsoft.

Two-factor authentication is one of the best ways you can protect your accounts against being hijacked. Even if someone has your username and password, they won’t be able to log in without this second code. While it’s common for websites and services to text you this number (meaning only someone with access to your phone can log in), a breach such as this (or the increasingly common SIM hijacking) would allow a hacker to see the code being sent to your phone and use it to log in to your account.

Instead, using an authentication app such as Google Authenticator or 1Password (with its built-in 2FA code generator) is more convenient and more secure. These apps are self-contained: the code is computed on the device from a secret shared with the service when you enrol, so nothing sensitive needs to be sent to the phone, which also means they work when your phone doesn’t have an active cell connection. Increasingly, hardware keys are also proving popular, with Google reporting that it has seen no successful phishing attacks since making hardware security keys mandatory for its employees. Unfortunately, in some cases you’ll still need to rely on SMS as a security backup, but this should only be used as a last resort to minimize your exposure to breaches such as this.

Critical Security flaws in several popular Crucial and Samsung solid state drives (SSDs)

Security researchers have busted the encryption in several popular Crucial and Samsung SSDs


Researchers at Radboud University have found critical security flaws in several popular Crucial and Samsung solid state drives (SSDs), which they say can be easily exploited to recover encrypted data without knowing the password.

The researchers, who detailed their findings in a new paper out Monday, reverse engineered the firmware of several drives to find a “pattern of critical issues” across the device makers.

In the case of one drive, the master password used to decrypt the drive’s data was an empty string, and the protection could be bypassed by flipping a single bit in the drive’s memory. Another drive could be unlocked with “any password” by crippling the drive’s password validation checks.

That wouldn’t be much of a problem if an affected drive’s data were also protected by software encryption. But the researchers found that on Windows, BitLocker’s default policy is to trust the drive: if an SSD reports that it supports hardware encryption, BitLocker uses that instead of its own software encryption and relies entirely on the drive to protect the data. So if the hardware encryption is buggy, BitLocker isn’t doing much to prevent data theft.

In other words, users “should not rely solely on hardware encryption as offered by SSDs for confidentiality,” the researchers said.
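The check a practitioner would want after reading this, as an added example that is not the researchers’ or Microsoft’s code: parse the text that Windows’ built-in `manage-bde -status` prints and list the volumes whose encryption method is hardware-based, i.e. where BitLocker has delegated to the drive. The sample output below is constructed for the example (the `Hardware Encryption - <OID>` form is what the tool prints for such volumes, but spacing and extra fields vary between Windows versions, so the parser keys on field names, not column positions).

```python
"""List BitLocker volumes that rely on the drive's own encryption.
Added example; the manage-bde output below is constructed, not captured."""
import re
from typing import Dict

SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 475.71 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""

VOLUME_HEADER = re.compile(r"^Volume ([A-Z]):")


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Map each drive letter to its 'Field: value' pairs from manage-bde -status."""
    volumes: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = VOLUME_HEADER.match(line)
        if header:
            current = header.group(1)
            volumes[current] = {}
            continue
        # indented "Key: value" lines belong to the volume most recently seen
        if current and line.startswith("    ") and ":" in line:
            key, _, value = line.strip().partition(":")
            volumes[current][key.strip()] = value.strip()
    return volumes


def hardware_encrypted_volumes(text: str) -> list:
    """Drive letters whose BitLocker protection is delegated to the SSD's firmware."""
    return sorted(
        letter for letter, fields in parse_status(text).items()
        if fields.get("Encryption Method", "").lower().startswith("hardware")
    )


if __name__ == "__main__":
    for letter in hardware_encrypted_volumes(SAMPLE_STATUS):
        print(f"volume {letter}: relies on drive hardware encryption; re-encrypt in software")
```

On a real machine, run `manage-bde -status` from an elevated prompt and feed its output to `hardware_encrypted_volumes`. For any volume it reports, Microsoft’s guidance (ADV180028) is to turn off the “Configure use of hardware-based encryption” Group Policy settings and then fully decrypt and re-encrypt the volume, since changing the policy alone does not convert a volume that is already hardware-encrypted.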

Alan Woodward, a professor at the University of Surrey, said that the greatest risk to users is the drive’s security “failing silently.”

“You might think you’ve done the right thing enabling BitLocker but then a third party fault undermines your security, but you never know and never would know,” he said.

Matthew Green, a cryptography professor at Johns Hopkins, described the BitLocker flaw in a tweet as “like jumping out of a plane with an umbrella instead of a parachute.”

The researchers said that their findings are not yet finalized — pending a peer review. But the research was made public after disclosing the bugs to the drive makers in April.

Crucial’s MX100, MX200 and MX300 drives, Samsung’s T3 and T5 portable SSDs, and Samsung’s 840 EVO and 850 EVO internal SSDs are known to be affected, but the researchers warned that many other drives may also be at risk.

The researchers criticized the device makers’ proprietary and closed-source cryptography, which they said — and proved — is “often shown to be much weaker in practice” than open source, auditable cryptographic libraries. “Manufacturers that take security seriously should publish their crypto schemes and corresponding code so that security claims can be independently verified,” they wrote.

The researchers recommend using software-based encryption, like the open source software VeraCrypt.

In an advisory, Samsung also recommended that users install encryption software to prevent any “potential breach of self-encrypting SSDs.” Crucial’s owner Micron is said to have a fix on the way, according to an advisory by the Netherlands’ National Cyber Security Center, but did not say when.

Micron did not immediately respond to a request for comment.

The iPad Pro’s USB-C port is great. It should be on my iPhone, too

Commentary: Who wants incompatible cables, chargers and earbuds? USB-C fixes that, and gives the iPad laptop power.

When Apple announced Tuesday that its iPad Pro had ditched the proprietary Lightning port in favor of USB-C, my eyes lit up.

Lightning has had a good run, but I’d be happy to toss my collection of Lightning cables into my junk drawer alongside the ones for FireWire hard drives, VGA video and printers that perversely used those weird squarish USB connectors.

Why? USB-C is better than Lightning, letting you connect Apple products to more devices. It’s the new standard for charging Android phones and many laptops, including Apple’s own. In Apple’s insular world, where Cupertino engineers mostly don’t have to trouble themselves about the existence of Windows laptops and Android smartphones, USB-C solves real problems.

Our world has too many incompatible cables and dongles to bridge the gap between old and new devices. USB-C offers a path to a simpler, saner future.

USB-C in my life

Standardizing on USB-C makes my gadget-heavy life simpler. All three of the following situations happened to me in the last month:

  • At a conference, I was scurrying from room to room and trying to keep my MacBook Pro and two phones charged. Several times I unplugged the USB-C charging cable from my Mac and into my Google Pixel 3 XL phone to top off its battery. My iPhone was stranded because I didn’t bring a Lightning cable.
  • I needed earbuds for a Skype call in the office using my Mac. The Pixel 3’s USB-C earbuds worked just fine with my Mac.
  • At night, I use my iPad to watch video but my 2-year-old Pixel phone to listen to music and podcasts. Both work with my old earbuds with a 3.5mm audio jack, but those earbuds just started dying. I could buy another set, but why bother when 3.5mm jacks are disappearing?

My examples involve a Pixel 3, but USB-C is the norm for flagship Android phones including the Samsung Galaxy S9 and Note 9, OnePlus 6T and LG V40. Multiply the number of places you need to charge your phone — home, office, car, friend’s house — by the number of phones around, and you’ll see why USB-C charging would be great for the iPhone as well.

Although my work means I have more gadgets than the average person, my situation isn’t that far removed from the mainstream. My tech hassles often are a preview of what a more mainstream population will have to endure over a longer period of time, while working from a hotel or borrowing devices from friends or co-workers.

And my hassles would be greatly reduced if I didn’t have that Lightning port in my life. Even if I only had Apple hardware, USB-C is the one port that best spans tablets, PCs and phones.

What USB-C does that Lightning can’t

Another big reason I’m a fan of USB-C is that it’s got a better hardware ecosystem than Lightning — or at least it will as the connection technology matures and spreads.

USB-C already pays me dividends with chargers and earbuds, but other devices will come. On the iPad Pro, it can work to offload photos and videos from cameras, as well as connect to electronic instruments, docking stations and external monitors.

That’s a big step toward making the iPad Pro into a full-fledged laptop, even if it’s running iOS and not traditional personal computer operating systems, whether Windows or MacOS. I appreciate the fact that the iPad Pro can use USB-C to charge iPhones, too.

Apple’s long-term plans aren’t clear here, but the company has gone out of its way to show off the iPad Pro as a capable laptop replacement, and it clearly sees iPads as productivity devices. Apple’s new iPad keyboard, though it costs $179 and $199 for the 11-inch and 12.9-inch iPads respectively and lacks a trackpad, features prominently in Apple’s iPad Pro promotional photos. Apple let Adobe Systems take the stage during the launch event to show off a full-fledged version of Photoshop for the iPad. USB-C really helps the iPad PC ambition.

Well, except for one thing. You can’t plug storage devices into the iPad’s USB-C port. That means no external drives with lots of video to edit or thumb drives so you can transfer that file from your friend. If you’re planning on using your iPad to edit your SLR’s high-resolution photos while you’re on vacation, consider getting the more expensive models with more storage, because you won’t be able to just copy the ones that don’t fit onto an external USB drive.

Now USB-C iPhones too, please

You’re not as likely to connect cameras or thumb drives to your iPhone, but there are good reasons for USB-C there, too.

First, you’d be able to charge in more places, including from your MacBook or iPad Pro charger. That means less junk on your desk or in your suitcase and less of a problem if you forget something. Maybe it’ll even mean some price pressure on Apple’s expensive chargers, too. (We can dream, right?)

Second, USB-C is the best way out of the industry’s abandonment of 3.5mm audio jacks. Because face it, they’re not coming back. With USB-C iPhones, you’d be able to use one set of earbuds or headphones with your laptops, phones and whatever devices you buy in the future.

Third, Apple’s choices send an important message to any other tech company. A USB-C iPhone would help car manufacturers, speaker makers and others embrace USB-C and deliver on its all-purpose promise. That may never happen — Apple didn’t respond to requests for comment — but today’s iPad Pro already sends a message to electronics makers that Lightning’s future is uncertain and that Apple appreciates what USB-C has to offer.

New value for the iPad Pro

The USB-C advantages may not be worth it for you today, especially if you don’t have a newer Mac, don’t want to spend $9 for an Apple USB-C adapter for your favorite old headphones with a 3.5mm jack, or have accessories like a speaker dock that rely on a Lightning port.

But it’s worth it to me, for charging and earbuds today and for digital photography on my next laptop-free vacation.

I still have concerns about the iPad Pro as a full-on laptop replacement. There’s no trackpad, the keyboard lacks a forward-delete key, and some things I do hundreds of times a day, as routine as copy and paste, are slower than on a “real” laptop. But I use the iPad enough that I’m confident it’s worth it for me.

USB-C on the iPad — and on iPhones, too, if we’re lucky — will help make your life better, too.