Skip to content

Oh, that Apple Link you clicked on — it is Russian or Chinese or anything but Apple

Quote

Click this link (don’t fret, nothing malicious). Chances are your browser displays “apple.com” in the address bar. What about this one? Goes to “epic.com,” right?

Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words. The real domains for the two above links are: xn--80ak6aa92e.com and xn--e1awd7f.com.

In quick testing by El Reg, Chrome 57 on Windows 10 and macOS 10.12, and Firefox 52 on macOS, display apple.com and epic.com rather than the actual domains. We’re told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear. Bleeding-edge Chrome 60 on macOS 10.12 was not vulnerable.

This domain disguising, which tricks people into visiting a site they think is legit but really isn’t, is called a “homograph attack” – and we were supposed to have fixed it more than a decade ago when the exact same problem was noticed with respect to the address “paypal.com.”

So what is this, how does it work, and why does it still exist?

Well, thanks to the origins of the internet in the United States, the global network’s addressing systems were only designed to handle English – or, more accurately, the classic Western keyboard and computer ASCII text.

The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language.

And so a lengthy and often embarrassingly tone-deaf effort was undertaken by largely American engineers to resolve this by assigning ASCII-based codes to specific symbols. Unicode became “Punycode.”

PS: To fix the issue with Chrome, wait for Chrome 58 to arrive around April 25 and install it. On Firefox, Firefox Mobile, and Seamonkey, go to about:config and set network.IDN_show_punycode to true.

Unroll.me — Not sorry we did it – just sorry you’re pissed off

Quote

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.
We’re ‘heartbroken’ we got caught selling your email records to Uber, says Unroll.me boss
Not sorry we did it – just sorry you’re pissed off
tears

Jojo Hedaya, the CEO of email summarizer Unroll.me, has apologized to his users for not telling them clearly enough that they are the product, not his website.

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.

Not a great look. So in a blog post Sunday, Hedaya apologized – not for actually selling off the contents of users’ inboxes, but for upsetting people when they found out.

“Our users are the heart of our company and service. So it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service,” he said. “And while we try our best to be open about our business model, recent customer feedback tells me we weren’t explicit enough.”

Hedaya didn’t apologize for selling the data, which he said was all legitimate and above board. If users had bothered to go through the 5,000 words that make up the app’s terms & conditions and privacy policy, they would have seen the legalese that allows such practices

Ah Bullshit. 5000 Word legal beagle stuff no reads. But the point is that “you are the product”. Anybody foolish enough to use a free service to mine their emails is just plane stupid.

Dear Microsoft: absolutely not!

Great Rant–Quote

#MakeWhatsNext: Change the Odds

And it has nothing to do with your software. It has to do with your new ad campaign, which I happened to see while I was at the gym last week. Here’s the gist: brilliant young girls express their ambitions to cure cancer and explore outer space and play with the latest in virtual reality tech. Then—gotcha!—they’re shown a statistic that only 6.7% of women graduate with STEM degrees. They look crushed. The tagline? “Change the world. Stay in STEM.”

Are you fucking kidding me?

Microsoft, where’s your ad campaign telling adult male scientists not to rape their colleagues in the field? Where’s the campaign telling them not to steal or take credit for women’s work? Or not to serially sexually harass their students? Not to discriminate against them? Not to ignore, dismiss, or fail to promote them at the same rate as men? Not to publish their work at a statistically significant lower rate? Not to refuse to take women on field expeditions, as did my graduate advisor, now tenured at University of Washington? Where’s your ad campaign telling institutions not to hire, shelter, or give tenure to serial harassers or known sexists, as UW and countless others have done? Where’s your ad campaign encouraging scientific journals to switch to blind submissions and blind peer reviewers? Or to pay women at the same rate as men? I could keep linking articles all day. But I’m tired. Everyones’ noses have been pushed in these same data for decades and nothing changes.

There’s a reason women and girls leave STEM. It is because STEM is so hostile to women that leaving the field is an act of survival. It was for me.

Microsoft, do not dump this shit on the shoulders of young girls. It’s not their responsibility; it’s the responsibility of those in power. That means you.

Researcher: 90% Of ‘Smart’ TVs Can Be Compromised Remotely

Quote
“So yeah, that internet of broken things security we’ve spent the last few years mercilessly making fun of? It’s significantly worse than anybody imagined. “

So we’ve noted for some time how “smart” TVs, like most internet of things devices, have exposed countless users’ privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible “advancements” in television technology.

As recent Wikileaks data revealed, the lack of security and privacy standards in this space has proven to be a field day for hackers and intelligence agencies alike.

And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting – Terrestrial) signals.

This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems. Using $50-$150 DVB-T transmitter equipment, an attacker can use this standard to exploit smart dumb television sets on a pretty intimidating scale, argues Scheel:

“By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city.”

Scheel says he has developed two exploits that, when loaded in the TV’s built-in browser, execute malicious code, and provide root access. Once compromised, these devices can be used for everything from DDoS attacks to surveillance. And because these devices are never really designed with consumer-friendly transparency in mind, users never have much of an understanding of what kind of traffic the television is sending and receiving, preventing them from noticing the device is compromised.

Scheel also notes that the uniformity of smart TV OS design (uniformly bad, notes a completely different researcher this week) and the lack of timely updates mean crafting exploits for multiple sets is relatively easy, and firmware updates can often take months or years to arrive. Oh, and did we mention these attacks are largely untraceable?:

“But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good.”

Democrats draft laws in futile attempt to protect US internet privacy

At a the the present, I agree that this has a snowball’s chance in hell. But if more states take it seriously, just maybe it will negate the disgusting screwing of Internet users privacy by big corporate ISPs with their bidding done by their lackies in the congress, chief FCC lackie Pai and signed by the poorest excuse for a leader in years, Trump.

Hah Hah – Drain the swamp. What a joke. Just filled it with swine dung and does it wreak worse than it ever did. Hey maybe I show start a new category “swine swamp.”

Oh, do I sound angry? God damn right I am.

Less than a week after President Trump signed the law allowing ISPs to sell customers’ browsing habits to advertisers, Democratic politicians are introducing bills to stop the practice.

On Thursday, Senator Ed Markey (D-MA) submitted a bill [PDF] that would enshrine the FCC privacy rules proposed during the Obama administration into law – the rules just shot down by the Trump administration. Americans would have to opt in to allowing ISPs to sell their browsing data under the proposed legislation, and ISPs would have to take greater care to protect their servers from hacking attacks.

“Thanks to Congressional Republicans, corporations, not consumers, are in control of sensitive information about Americans’ health, finances, and children. The Republican roll-back of strong broadband privacy rules means ISP no longer stands for Internet Service Provider, it stands for ‘Information Sold for Profit’,” said Senator Markey.

“This legislation will put the rules back on the books to protect consumers from abusive invasions of their privacy. Americans should not have to forgo their fundamental right to privacy just because their homes and phones are connected to the internet.”

The bill has been cosponsored by ten senators, all Democrats except for the independent Bernie Sanders. No Republicans have added their name to the legislation – nor shown any support for it – which probably means it’s doomed to failure given the GOP-dominated composition of the Senate.

The new bill echoes similar legislation introduced in the House of Representatives earlier in the week. Representative Jacky Rosen, who was a software developer before she got into politics, has introduced the Restoring American Privacy Act of 2017.

“As someone who has first-hand experience as a computer programmer, I know that keeping privacy protections in place is essential for safeguarding vulnerable and sensitive data from hackers,” said Representative Rosen (D-NV).

“I will not stand by and let corporations get access to the most intimate parts of people’s lives without them knowing and without consent. It is appalling that Republicans and President Trump would be in favor of taking Americans’ most personal information to sell it to the highest bidder.”

The FCC rules would have required internet users to sign up to allow their browsing histories to be sold, and put an increased onus on ISPs to protect their private data. One of the first acts of the new administration was to drop the FCC rules and legislate against them, with President Trump signing off on the legislation on Monday.

Facing a public backlash, the major ISPs have promised that they won’t sell off an individual’s browsing history – but left the door open for selling the data as part of a group. Customers will also have the choice to opt out, but you can bet the form to do so will be in the internet equivalent of a locked filing cabinet carrying a sign reading “Beware of the leopard.”

The bills will be welcomed by many but, realistically, have no chance of passing unless a sizable number of Republicans cross the floor. That’s not going to happen, so individual states have been taking action of their own.

Last week, Minnesota and Illinois legislatures began enacting legislation to provide privacy protections for internet users, and now New York has done the same. Senator Tim Kennedy (D-Buffalo) has introduced legislation to stop ISPs selling off their customers’ browsing histories.

“When voters across the country elected this House and US Senate last November, I doubt they were voting with the hope that their ISP would be allowed to sell their browsing history,” said Senator Kennedy.

“This kind of anti-consumer, anti-privacy action doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks – this is bad policy with real-world consequences.”

It’s possible the ISPs could have bitten off more than they can chew on this one by seriously underestimating quite how angry this issue has made people. Despite frantic PR moves, more and more states are now taking matters into their own hands – which is just as the Founding Fathers designed the system.

SOURCE: HERE

Corrupt Politician Signs Bill Recinding America’s digital privacy protections while Grunting

Oh and of course he said he was “for the little guy right.” Bullshit. Oink Oink Grunt Grunt.

So let’s do some work via the Register

Ajit Pai, the chief lackie…eerhh, chairman of the FCC, said

“resident Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers.”

BULLSHIT on the last part of that sentence, that the rules were “designed to benefit one group of favored companies, not online consumers.”

The rules were developed entirely and absolutely to protect online consumers. They required ISPs to get an opt-in from customers for sensitive information, to offer an opt-out for other uses of that data, and to ensure that they appropriately protected that data.


The other Republican commissioner on the FCC, Mike O’Rielly, had his own statement that, unfortunately, layered bullshit upon bullshit.

“I applaud President Trump and Congress for utilizing the CRA to undo the FCC’s detrimental privacy rules,” he said. “The parade of horribles trotted out to scare the American people about its passage are completely fictitious, especially since parts of the rules never even went into effect. Hopefully, we will soon return to a universe where thoughtful privacy protections are not overrun by shameful FCC power grabs and blatant misrepresentations.”

What O’Rielly does, however, is pinpoint the beating heart of the bullshit: the claim that since something hasn’t happened yet, it means that it won’t happen.

For someone who is a commissioner at a federal regulator, this willful blindness over how the real world works is borderline obnoxious.

Here is the absolute solid reality of what this decision to scrap the FCC rules means:

ISPs were previously able to do what they can do now, ie, sell their customers’ private data.
But they were previously at risk of being investigated by the FTC and then, later, the FCC.
If they had been found to have broken data privacy rules, they faced huge fines and most likely the requirement to get prior approval from the FTC/FCC before doing anything similar in future.
Now, however, there is no backstop. The FTC does not have jurisdiction. And nor does the FCC. The ISPs currently exist in a regulatory-free world.

What this means is significant and it is the source of (Democrat) claims that ISPs will soon be selling your private data and the counter-claims (by Republicans) that people are fear-mongering and inventing problems. Source: Here

Swine — oh wait, that is unfair…to the the swine I mean.

Amnesia’ IoT botnet feasts on year-old unpatched vulnerability

Why anyone would want to connect any home device to the internet at this stage in the game is beyond me.

“Hackers have brewed up a new variant of the IoT/Linux botnet “Tsunami” that exploits a year-old but as yet unresolved vulnerability.

The Amnesia botnet targets an unpatched remote code execution vulnerability publicly disclosed more than a year ago in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide.

The vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed, specialists at Unit 42, Palo Alto Networks’ threat research unit, warn.

The Amnesia botnet is yet to be abused to mount a large-scale attack but the potential for harm is all too real.

“Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems,” the researchers warn. “A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall [autumn] 2016.”

El Reg asked TVT Digital, based in Shenzhen, China, for a response to Palo Alto’s warning but are yet to receive a reply. We’ll update the story as and when we hear more.” Source: Here

The House voted to wipe away the FCC’s Internet privacy protections

SJ 34 would repeal safeguards that prohibit Internet service providers (ISPs) from sharing data, such as e-mails and web history, with third parties without user consent. It would also do away with transparency requirements, which mandate that ISPs provide easily accessible privacy notices to customers and advanced notice prior to changes…..Assuming Trump signs the measure, Internet providers will be freed from those obligations, which would otherwise have taken effect later this year. With this data, Internet providers can sell highly targeted ads, making them rivals to Google and Facebook, analysts say.

Internet providers also will be free to use customer data in other ways, such as selling the information directly to data brokers that target lucrative or vulnerable demographics.

“ISPs like Comcast, AT&T, and Charter will be free to sell your personal information to the highest bidder without your permission — and no one will be able to protect you,” wrote Gigi Sohn, a former FCC staffer who helped draft the privacy rules, in a recent blog post on the Verge.

Selling your data is merely one of the four ways in which Internet providers intend to make money off consumers. The others include selling you access to the Internet, as they have traditionally done; selling access to media content they’ve acquired by purchasing large entertainment companies; and selling advertising that directly targets you based on the data the provider has collected by watching how you use the Internet and what content you consume.

Sources: The Hill, Washington Post

Here is the roll call Miscreants who voted to repeal. Source Senate.Gov

Miscreants who voted For BillVoted AgainstNot Voting
Alexander (R-TN)Baldwin (D-WI)sakson (R-GA)
Barrasso (R-WY)Bennet (D-CO)Paul (R-KY)
Blunt (R-MO)Blumenthal (D-CT)
Boozman (R-AR)Booker (D-NJ)
Burr (R-NC)Brown (D-OH)
Capito (R-WV)Cantwell (D-WA)
Cassidy (R-LA)Cardin (D-MD)
Cochran (R-MS)Carper (D-DE)
Collins (R-ME)Casey (D-PA)
Corker (R-TN)Coons (D-DE)
Cornyn (R-TX)Cortez Masto (D-NV)
Cotton (R-AR)Donnelly (D-IN)
Crapo (R-ID)Duckworth (D-IL)
Cruz (R-TX)Durbin (D-IL)
Daines (R-MT)Feinstein (D-CA)
Enzi (R-WY)Franken (D-MN)
Ernst (R-IA)Gillibrand (D-NY)
Fischer (R-NE)Harris (D-CA)
Flake (R-AZ)Hassan (D-NH)
Gardner (R-CO)Heinrich (D-NM)
Graham (R-SC)Heitkamp (D-ND)
Grassley (R-IA)Hirono (D-HI)
Hatch (R-UT)Kaine (D-VA)
Heller (R-NV)King (I-ME)
Hoeven (R-ND)Klobuchar (D-MN)
Inhofe (R-OK)Leahy (D-VT)
Johnson (R-WI)Manchin (D-WV)
Kennedy (R-LA)Markey (D-MA)
Lankford (R-OK)McCaskill (D-MO)
Lee (R-UT)Menendez (D-NJ)
McCain (R-AZ)Merkley (D-OR)
McConnell (R-KY)Murphy (D-CT)
Moran (R-KS)Murray (D-WA)
Murkowski (R-AK)Nelson (D-FL)
Perdue (R-GA)Peters (D-MI)
Portman (R-OH)Reed (D-RI)
Risch (R-ID)Sanders (I-VT)
Roberts (R-KS)Schatz (D-HI)
Rounds (R-SD)Schumer (D-NY)
Rubio (R-FL)Shaheen (D-NH)
Sasse (R-NE)Stabenow (D-MI)
Scott (R-SC)Tester (D-MT)
Shelby (R-AL)Udall (D-NM)
Strange (R-AL)Van Hollen (D-MD)
Sullivan (R-AK)Warner (D-VA)
Thune (R-SD)Warren (D-MA)
Tillis (R-NC)Whitehouse (D-RI)
Toomey (R-PA)Wyden (D-OR)
Wicker (R-MS)
Young (R-IN)

Is Microsoft blocking Windows 7/8.1 updates on newer hardware?

NOTE: I think this is rumor at this point, but I certainly would not put it past that awful company Microsoft to do this to force more people onto their Windows 10 Advertising & Spyware Platform.

Source: Here

Is Microsoft blocking Windows 7/8.1 updates on newer hardware?

A year ago, Microsoft revealed that Windows 10 would be the only Windows platform to support nextgen processors like Intel’s Kaby Lake, AMD’s Bristol Ridge, and Qualcomm’s 8996. The message then — as now — was clear: If you want to run a nextgen processor, you’ll need Windows 10.

Last week, Microsoft published KB 4012982, with the title “‘Your PC uses a processor that isn’t supported on this version of Windows’ error when you scan or download Windows updates”, suggesting that the restriction was now being enforced.

In the article, Microsoft describes the “symptoms” of the error as:

When you try to scan or download updates through Windows Update, you receive the following error message:

Unsupported Hardware
Your PC uses a processor that isn’t supported on this version of Windows and you won’t receive updates.

Additionally, you may see an error message on the Windows Update window that resembles the following:

Windows could not search for new updates
An error occurred while checking for new updates for your computer.
Error(s) found:
Code 80240037 Windows Update encountered an unknown error.

The “cause” of the error being:

This error occurs because new processor generations require the latest Windows version for support. For example, Windows 10 is the only Windows version that is supported on the following processor generations:

Intel seventh (7th)-generation processors
AMD “Bristol Ridge”
Qualcomm “8996”

Because of how this support policy is implemented, Windows 8.1 and Windows 7 devices that have a seventh generation or a later generation processor may no longer be able to scan or download updates through Windows Update or Microsoft Update.

As noted by Woody Leonhard over at Woody on Windows, there’s a long thread on the topic on Reddit (naturally) but as of yet no one appears to have seen the error message “in the wild” so it’s likely updates aren’t currently being blocked (if you do see the error message we’d love to know).

Of course, updates being blocked through Windows Update — when it eventually happens — is an inconvenience rather than the end of the world, as there will no doubt be plenty of workarounds to enable nextgen processor owners to keep older Windows versions fully up to date.

Windows 10: Just Say No

Comment: I have been in I.T. my entire career. I witness the birth of the internet, and with the help of Microsoft, Google and their ilk, I am witnessing its death. What was suppose to be an open platform for information sharing and communication has descended into an advertising & spyware platform for all sorts of miscreants – legal and otherwise. Welcome to the cesspool.

Microsoft is disgustingly sneaky: Windows 10 isn’t an operating system, it’s an advertising platform

Don’t believe what Microsoft tells you — Windows 10 is not an operating system. Oh, sure, it has many features that make it look like an operating system, but in reality it is nothing more than a vehicle for advertisements. Since the launch of Windows 10, there have been numerous complaints about ads in various forms. They appear in the Start menu, in the taskbar, in the Action Center, in Explorer, in the Ink Workspace, on the Lock Screen, in the Share tool, in the Windows Store and even in File Explorer.

Microsoft has lost its grip on what is acceptable, and even goes as far as pretending that these ads serve users more than the company — “these are suggestions”, “this is a promoted app”, “we thought you’d like to know that Edge uses less battery than Chrome”, “playable ads let you try out apps without installing”. But if we’re honest, the company is doing nothing more than abusing its position, using Windows 10 to promote its own tools and services, or those with which it has marketing arrangements. Does Microsoft think we’re stupid?

….
(Yes they do)

It might feel as though we’re going over old ground here, and we are. Microsoft just keeps letting us (and you) down, time and time and time again.

It’s time for things to change, but will Microsoft listen?
Article source: HERE

(Of course not, they are a monopolist)