A Chatbot Can Now Offer You Protection Against Volatile Airline Prices

The same bot, DoNotPay, that helped users overturn parking tickets and sue Equifax for small sums of money is now offering you protection against volatile airline prices. The Verge reports: Joshua Browder, a junior at Stanford University, designed the new service on the bot in a few months, after experiencing rapidly fluctuating airline prices when flying to California during the wildfires last year. "It annoyed me that every single flight, I could be paying sometimes double or even triple the person next to me in the same type of seat," he told The Verge. Browder first used the service himself and then tested it among his friends in a closed beta. He claims that the average amount saved among the beta testers is $450 a year, though it's not clear how many flights were booked and how much they cost. The service is available to the public starting today. To use it, log in with a Google account, input your phone number, birthday, and credit card information through Stripe. (Browder swears the credit card information won't be stored.) Then the chatbot tells you you're all set. Now, every time you buy airline tickets, whether from an airline's site or a third party, the chatbot will help make sure you pay the lowest price for your class and seat.

US Navy Under Fire In Mass Software Piracy Lawsuit

An anonymous reader quotes a report from TorrentFreak: In 2011 and 2012, the U.S. Navy began using BS Contact Geo, a 3D virtual reality application developed by German company Bitmanagement. The Navy reportedly agreed to purchase licenses for use on 38 computers, but things began to escalate. While Bitmanagement was hopeful that it could sell additional licenses to the Navy, the software vendor soon discovered the U.S. Government had already installed it on 100,000 computers without extra compensation. In a Federal Claims Court complaint filed by Bitmanagement two years ago, that figure later increased to hundreds of thousands of computers. Because of the alleged infringement, Bitmanagement demanded damages totaling hundreds of millions of dollars. In the months that followed, both parties conducted discovery, and a few days ago the software company filed a motion for partial summary judgment, asking the court to rule that the U.S. Government is liable for copyright infringement. According to the software company, it's clear that the U.S. Government crossed a line. In its defense, the U.S. Government had argued that it bought concurrent-use licenses, which permitted the software to be installed across the Navy network. However, Bitmanagement argues that this is impossible, as the reseller that sold the software was only authorized to sell PC licenses. In addition, the software company points out that the word "concurrent" doesn't appear in the contracts, nor was there any mention of mass installations. The full motion brings up a wide range of other arguments as well which, according to Bitmanagement, make it clear that the U.S. Government is liable for copyright infringement.

Lyft Says Its Revenue Is Growing Nearly 3x Faster Than Uber's

U.S. ride-sharing company Lyft says it passed $1 billion in revenue last year and that its revenue grew 168 percent year over year in the fourth quarter of 2017, almost three times faster than Uber's reported 61 percent growth. "Uber, of course, is still much larger than Lyft -- it generated a reported $7.5 billion in revenue last year and operates in many more cities and countries," notes Recode. "While its fourth-quarter growth may have been smaller than Lyft's percentage-wise, it was still almost certainly many times larger dollar-wise. Both companies are still unprofitable." From the report: But the big-picture reality is that despite Uber's head start, its early dominance, ability to raise massive amounts of financing, aggressive (often allegedly illegal) growth tactics, faster move into self-driving cars and everything else in its favor, it has not been able to destroy Lyft. Instead, Lyft capitalized somewhat on Uber's missteps and unsavory reputation, raised another $2 billion last year, gained market share, launched its first international market last year (Toronto) and seems poised to exist for the foreseeable future.

'Slingshot' Malware That Hid For Six Years Spread Through Routers

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

Apple Seems OK With Currency Miners In the Mac App Store

Apple has yet to block a popular title in the Mac App Store that has openly embraced coin mining, prompting one to ask the question: does Apple allow apps in the Mac App Store if they clearly disclose that they will be mining cryptocurrency? Ars Technica reports: The app is Calendar 2, a scheduling app that aims to include more features than the Calendar app that Apple bundles with macOS. In recent days, Calendar 2 developer Qbix endowed it with code that mines the digital coin known as Monero. The xmr-stack miner isn't supposed to run unless users specifically approve it in a dialog that says the mining will be in exchange for turning on a set of premium features. If users approve the arrangement, the miner will then run. Users can bypass this default action by selecting an option to keep the premium features turned off or to pay a fee to turn on the premium features. If Calendar 2 isn't the first known app offered in Apple's official and highly exclusive App Store to do currency mining, it's one of the very few.

Apple Must Explain Why It Doesn't Want You To Fix Your Own iPhone, California Lawmaker Says

A California state lawmaker says she hopes to make Apple explain specifically why it has opposed and lobbied against legislation that would make it easier for you to repair your iPhone and other electronics. Motherboard reports: Last week, California assemblymember Susan Talamantes-Eggman announced that she plans to introduce right to repair legislation in the state, which would require companies like Apple, Microsoft, John Deere, and Samsung to sell replacement parts and repair tools, make repair guides available to the public, and would require companies to make diagnostic software available to independent shops. Public records show that Apple has lobbied against right to repair legislation in New York, and my previous reporting has shown that Apple has privately asked lawmakers to kill legislation in places like Nebraska. To this point, the company has largely used its membership in trade organizations such as CompTIA and the Consumer Technology Association to publicly oppose the bill. But with the right to repair debate coming to Apple's home state, Talamantes-Eggman says she expects the company to show up to hearings about the bill.

"Apple is a very important company in the state of California, and one I have a huge amount of respect for. But the onus is on them to explain why we can't repair our own things and what damage or danger it causes them," Talamantes-Eggman told me in a phone interview. Talamantes-Eggman told me that the bill she plans to introduce will apply to both consumer electronics as well as agricultural equipment such as tractors. Broadly speaking, the electronics industry has decided to go with an "authorized repair" model in which companies pay the original device manufacturer to become authorized to fix devices.


Firefox Gets Privacy Boost By Disabling Proximity and Ambient Light Sensor APIs

Starting with Firefox 60 -- expected to be released in May 2018 -- websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information. From a report: Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs. But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default. This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors. The two flags will be available in Firefox's about:config settings page. A screenshot in the report shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.

What Image Should Represent All of Humanity On Wikipedia?

An anonymous reader writes: If aliens ever do come across the Pioneer spacecraft and make assumptions about the entire human species based on the man and woman etched onto the plaque it carries, this is what they will think of us: We all look like white people; we all look about 30ish years old; we do not wear clothes. It's a problem you encounter anytime you have to choose a few individuals to represent an entire group, and it's one that the editors of Wikipedia have debated for years: What image should grace the top of the "human" entry in the online dictionary?

The photo that's there now, after years of feverish debate, is of an Akha couple from a region of Thailand along the Mekong river. "The photo of the Akha couple remains humanity's type specimen on Wikipedia," writes author Ellen Airhart. "Just as a shriveled northeastern leopard frog at the University of Michigan Museum of Zoology represents its whole species, so this couple stands for all of us."

Such musing about the taxonomic representation of the human species could actually have a big impact on our digital future. "Future scientists will have to teach computers, not aliens, to recognize the human image. Right now, software engineers program artificial intelligence to recognize people by feeding them millions of pictures of faces," she writes. "But whose faces? Computer scientists run into the same questions about gender, race, and culture that the Wikipedia editors encountered. Being able to use more than one photo expands the conversation but does not necessarily make it easier."


Ubuntu Linux 18.04 'Bionic Beaver' Beta 1 Now Available For Download

From a report: This week, Ubuntu Linux 18.04 'Bionic Beaver' Beta 1 became available for download. Ubuntu 18.04 is significant, as it will be an LTS (Long Term Support) version. As was the case when Unity was the primary DE, GNOME is not available in this beta stage. Instead, there are other flavors from which to choose, such as Kubuntu with KDE Plasma and Xubuntu, which uses Xfce.

"Pre-releases of the Bionic Beaver are not encouraged for anyone needing a stable system or anyone who is not comfortable running into occasional, even frequent breakage. They are, however, recommended for Ubuntu flavor developers and those who want to help in testing, reporting, and fixing bugs as we work towards getting this release ready. Beta 1 includes some software updates that are ready for broader testing. However, it is quite an early set of images, so you should expect some bugs," says Dustin Krysak, Ubuntu Budgie team member.

ESR's Newest Project: An Open Hardware/Open Source UPS

An anonymous reader writes: Last month Eric S. Raymond complained about his choices for a UPS (Uninterruptible Power Supply), adding that "This whole category begs to be disrupted by an open-hardware [and open-source] design that could be assembled cheaply in a makerspace from off-the-shelf components, an Arduino-class microcontroller, and a PROM...because it's possible, and otherwise the incentives on the vendors won't change." It could be designed to work with longer-lasting and more environmentally friendly batteries, using "EV-style intelligent battery-current sensors to enable accurate projection of battery performance" (along with a text-based alert system and a USB monitoring port).

Calling the response "astonishing," Raymond noted the emergence within a week of "the outlines of a coherent design," and in an update on GitLab reported that "The response on my blog and G+ was intense, almost overwhelming. It seems many UPS users are unhappy with what the vendors are pushing" -- and thus, the UPSide project was launched. "We welcome contributors: people with interest in UPSes who have expertise in battery technology, power-switching electronics, writing device-control firmware, relevant standards such as USB and the DMTF battery-management profile. We also welcome participation from established UPS and electronics vendors. We know that consumer electronics is a cutthroat low-margin business in which it's tough to support a real R&D team or make possibly-risky product bets. Help us, and then let us help you!"

There's already a Wiki with design documents -- plus a process document -- and Raymond says the project now even has a hardware lead with 30 years experience as a power and signals engineer, plus "a really sharp dev group. Half a dozen experts have shown up to help spec this thing, critique the design docs, and explain EE things to ignorant me." And he's already touting "industry participation! We have a friendly observer who's the lead software architect for one of the major UPS vendors." Earlier Raymond identified his role as "basically, product manager -- keeper of the requirements list and recruiter of talent" -- though he admits on his blog that he's already used a "cute hack" to create a state/action diagram for the system, "by writing a DSL to generate code in another DSL and provably correct equivalent C application logic."

He adds to readers of the blog that if that seems weird to you, "you must be new here."

Linux Developer McHardy Drops GPLv2 'Shake Down' Case

Former Linux developer Patrick McHardy dropped his GNU General Public License version 2 (GPLv2) violation case against Geniatech in a German court this week. ZDNet explains why some consider this a big "win": People who find violations typically turn to organizations such as the Free Software Foundation, Software Freedom Conservancy (SFC), and the Software Freedom Law Center to approach violators. These organizations then try to convince violating companies to mend their ways and honor their GPLv2 legal requirements. Only as a last resort do they take companies to court to force them into compliance with the GPLv2. Patrick McHardy, however, after talking with SFC, dropped out of this diplomatic approach and went his own way. Specifically, McHardy has been accused of seeking his own financial gain by approaching numerous companies in German courts. Geniatech claimed McHardy has sued companies for Linux GPLv2 violations in over 38 cases. In one, he'd requested a contractual penalty of €1.8 million. The company also claimed McHardy had already received over €2 million from his actions...

In July 2016, the Netfilter developers suspended him from the core team. They received numerous allegations that he had been shaking down companies. McHardy refused to discuss these issues with them, and he refused to sign off on the Principles of Community-Oriented GPL Enforcement. In October 2017, Greg Kroah-Hartman, Linux kernel maintainer for the stable branch, summed up the Linux kernel developers' position. Kroah-Hartman wrote: "McHardy has sought to enforce his copyright claims in secret and for large sums of money by threatening or engaging in litigation...."

Had McHardy continued on his way, companies would have been more reluctant to use Linux code in their products for fear that a single, unprincipled developer could sue them and demand payment for his copyrighted contributions... McHardy now has to bear all legal costs for both sides of the case. In other words, when McHardy was faced with serious and costly opposition for the first time, he waved a white flag rather than face near certain defeat in the courts.


SgxSpectre Attack Can Extract Data From Intel SGX Enclaves

An anonymous reader quotes BleepingComputer: A new variation of the Spectre attack has been revealed this week by six scientists from the Ohio State University. Named SgxSpectre, the researchers say this attack can extract information from Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a feature of modern Intel processors that allows an application to create so-called enclaves. An enclave is a hardware-isolated section of the CPU's processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more... Neither Meltdown nor Spectre was able to extract data from SGX enclaves. This is where SgxSpectre comes in.

According to researchers, SgxSpectre works because of specific code patterns in software libraries that allow developers to implement SGX support into their apps. Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX. Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This allows for side-channel attacks that allow a threat actor to infer and slowly recover data from secure enclaves.

Intel's recent Spectre patches don't necessarily help, as an attacker can work around these fixes. Intel says an update for the Intel SGX SDK that adds SgxSpectre mitigations will be released on March 16. Apps that implement Google's Retpoline anti-Spectre coding techniques are safe, researchers say.


Android Beats iOS In Smartphone Loyalty, Study Finds

Android users don't appear to be switching to the iPhone like they used to. According to a new study from Consumer Intelligence Research Partners (CIRP), Android users have higher loyalty than iOS users do. "The research firm found that Android brand loyalty has been remaining steadily high since early 2016, and remains at the highest levels ever seen," reports TechCrunch. From the report: Today, Android has a 91 percent loyalty rate, compared with 86 percent for iOS, measured as the percentage of U.S. customers who stayed with their operating system when they upgraded their phone in 2017. From January 2016 through December 2017, Android loyalty ranged from 89 to 91 percent (ending at 91 percent), while iOS loyalty was several percentage points lower, ranging from 85 to 88 percent. Explains Mike Levin, partner and co-founder of CIRP, users have pretty much settled on their brand of choice at this point. "With only two mobile operating systems at this point, it appears users now pick one, learn it, invest in apps and storage, and stick with it. Now, Apple and Google need to figure out how to sell products and services to these loyal customer bases," he said. It's worth noting that Android hasn't always led in user loyalty as it does now. CIRP has been tracking these metrics for years, and things used to be the other way around.

YouTube Is Full of Easy-To-Find Neo-Nazi Propaganda

An anonymous reader quotes an exclusive report from Motherboard: Through a software-aided investigation, Motherboard has found that while YouTube has managed to clamp down on Islamic extremists uploading propaganda, the video giant is still awash with videos supporting violent and established neo-Nazi organizations, even when, in some cases, users have reported the offending videos. Clips of neo-Nazi propaganda operations, hate-filled speeches, and extremists pushing for direct action have remained on the site for weeks, months, or years at a time. Arguably, many if not all of these videos may fall under YouTube's own policy on hate speech, which "refers to content that promotes violence against or has the primary purpose of inciting hatred against individuals or groups based on certain attributes," including race or ethnic origin, religion, and sexual orientation, according to the policy.

Motherboard built a tool to monitor YouTube and make a record of when the platform removed certain videos, and limited the clips to propaganda for established neo-Nazi and far-right terrorist organizations like Atomwaffen, rather than people in the so-called "alt-right." Most of the videos were discovered through simple YouTube searches of relevant organizations' names, or sometimes through the "recommended videos" sidebar after Motherboard had built up a browsing history of neo-Nazi material. For the sake of comparison, over a week-long period Motherboard also tracked pro-ISIS videos uploaded by the group's supporters and then distributed through a network of Telegram channels. Typically, YouTube removed these Islamic extremism videos in a matter of hours, including those that did not contain images of violence, but were instead speeches or other not directly violent content. But YouTube is playing catch up with neo-Nazi material. YouTube removed only two videos that Motherboard was monitoring: two identical clips of a speech from UK terrorist organization National Action.


Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen Lab

Matthew Braga, reporting for CBC: Since last fall, Turkish internet users attempting to download one of a handful of popular apps may have been the unwitting targets of a wide-reaching computer surveillance campaign. And in Egypt, users across the country have, seemingly at random, had their browsing activity mysteriously redirected to online money-making schemes. Internet filtering equipment sold by technology company Sandvine -- founded in Waterloo, Ont. -- is believed to have played a significant part in both.

That's according to new research from the University of Toronto's Citizen Lab, which has examined misuse of similar equipment from other companies in the past. The researchers say it's likely that Sandvine devices are not only being used to block the websites of news, political and human rights organizations, but are also surreptitiously redirecting users toward spyware and unwanted ads. Using network-filtering devices to sneak spyware onto targets' computers "has long been the stuff of legends" according to the report -- a practice previously documented in leaked NSA documents and spyware company brochures, the researchers say, but never before publicly observed.

Citizen Lab notes that targeted users in Turkey and Syria who attempted to download Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects. It adds: This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default. Additionally, targeted users in Turkey and Syria who downloaded a wide range of applications from CBS Interactive's (a platform featured by CNET to download software) were instead redirected to versions containing spyware. does not appear to support HTTPS despite purporting to offer "secure download" links.

Windows 10's Next Update Will Be Called 'Spring Creators Update'

The Verge reports: Microsoft is planning to reuse its "Creators Update" naming for a third Windows 10 update. The software giant has strangely not yet officially named its next Windows 10 update, due next month, but it has been testing a future update that appears to reveal the spring update name. "Windows 10 Spring Creators Update" has been spotted in the latest test builds of the Redstone 5 update expected to be released later this fall. Microsoft first launched Windows 10 Creators Update last spring, followed by the Windows 10 Fall Creators Update in the fall. The new Windows 10 Spring Creators Update naming was originally spotted in Microsoft blog posts last year, but this is the first time it has appeared in the operating system itself.

Windows 10 Is Finally Adding Tabs To File Explorer

Microsoft has released Insider Preview build 17618, which includes tabs in File Explorer as part of its Sets feature. Bleeping Computer reports: Windows 10 Sets is an upcoming feature where you can group documents and apps that are related to the particular task at hand into one tabbed window. This feature was released for testing to a small controlled group of insiders in Insider Preview Build 17063 and was subsequently removed after the test. With build 17618, Sets are back, and with them come tabs in File Explorer. You can now open different folders in the same File Explorer window, each one in its own tab. This way one File Explorer window can have a tab for the pictures folder, a tab for the documents folder, and a tab for your documents, which you can easily switch between. If you look closely, though, the Sets feature does more than just allow you to have different tabs for different folders; it also allows you to add applications as a tab in File Explorer. According to Microsoft, in addition to File Explorer, Notepad, Command Prompt, and PowerShell are also getting tabbed support.

Trump's Meeting With The Video Game Industry To Talk Gun Violence Could Get Ugly

Anonymous readers share a report: President Trump is set to pit the video game industry against some of its harshest critics at a White House meeting on Thursday that's designed to explore the link between violent games [Editor's note: the Washington Post article may be paywalled], guns and tragedies such as last month's shooting in Parkland, Fla. Following the attack at Marjory Stoneman High School, which left 17 students dead, Trump has said violent games are "shaping young people's thoughts." The president has proposed that "we have to do something about maybe what they're seeing and how they're seeing it." Trump has invited video game executives like Robert Altman, the CEO of ZeniMax, the parent company for games such as Fallout; Strauss Zelnick, the chief executive of Take Two Interactive, which is known for Grand Theft Auto, and Michael Gallagher, the leader of the Entertainment Software Association, a Washington-focused lobbying organization for the industry.

Three people familiar with the White House's planning, but not authorized to speak on the record, confirmed those invitees. A spokeswoman for the White House declined to share a full list of participants on Wednesday. ESA confirmed its attendance this week, but the others did not respond to questions. Opposite of them are expected to be some of the video-game industry's toughest critics, including Brent Bozell, the founder of the Parents Television Council, and Rep. Vicky Hartzler, a Republican from Missouri, the three people said. After another shooting -- the 2012 massacre at Sandy Hook Elementary School in Newtown, Conn. -- they each called on government to focus its attention on violent media rather than just pursuing new gun restrictions.


Hardcoded Password Found in Cisco Software

Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

Most Americans Think AI Will Destroy Other People's Jobs, Not Theirs

An anonymous reader quotes a report from The Verge: Nearly three-quarters (73 percent) of U.S. adults believe artificial intelligence will "eliminate more jobs than it creates," according to a Gallup survey. But the same survey found that less than a quarter (23 percent) of people were "worried" or "very worried" automation would affect them personally. Notably, these figures vary depending on education. For respondents with only a four-year college degree or less, 28 percent were worried about AI taking their job; for people with at least a bachelor's degree, that figure was 15 percent. These numbers tell a familiar story. They come from a Gallup survey of more than 3,000 individuals on automation and AI. New details were released this week, but they echo the findings of earlier reports. The newly released findings from Gallup's survey also show that by one measure, the use of AI is already widespread in the U.S. Nearly nine out of 10 Americans (85 percent) use at least one of six devices or services that use features of artificial intelligence, says Gallup. Eighty-four percent of people use navigation apps like Waze, and 72 percent use streaming services like Netflix. Forty-seven percent use digital assistants on their smartphones, and 22 percent use them on devices like Amazon's Echo.
