Jan 27

ProtonVPN open sourced its code this week, ZDNet reports:
On Tuesday, the virtual private network (VPN) provider, also known for the ProtonMail secure email service, said that the code backing ProtonVPN applications on every system — Microsoft Windows, Apple macOS, Android, and iOS — is now publicly available for review in what Switzerland-based ProtonVPN calls “natural” progression.

“There is a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like GDPR,” the company says. “Making all of our applications open source is, therefore, a natural next step.” Each application has also undergone a security audit by SEC Consult, which ProtonVPN says builds upon a previous partnership with Mozilla…

The source code for each app is now available on GitHub (Windows, macOS, Android, iOS). “As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible,” ProtonVPN says.

“Going open source helps us to do that and serve you better at the same time.”

They’re also publishing the results of an independent security audit for each app. “As former CERN scientists, publication and peer review are a core part of our ethos…” the company wrote in a blog post. They also point out that Switzerland has some of the world’s strongest privacy laws — and that ProtonVPN observes a strict no-logs policy.

But how do they feel about their competition? “Studies have found that over one-third of Android VPNs actually contain malware, many VPNs suffered from major security lapses, and many free VPN services that claimed to protect privacy are secretly selling user data to third parties.”

Read more of this story at Slashdot.

full article

Jan 24

DesScorp writes: In an effort to better understand the latest threats to IT systems, antivirus and security company Trend Micro created a fake tech company, complete with AI-generated photos of fake employees, in order to build a honeypot environment that looked like an actual, working tech factory environment. “Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware, cryptocurrency miners — and in some cases they’re actively looking to shut down or disrupt systems,” reports ZDNet. “All of these incidents were spotted by researchers at cybersecurity company Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target.”

The report adds: “To help make the honeypot as convincing as possible, researchers linked the desktops, networks and servers to a false company they called MeTech and created a website detailing how the manufacturer served clients in high-tech sectors including defense and aerospace — popular targets for hacking. The website even featured images and bios of people who supposedly worked for the false brand, with headshots generated by artificial intelligence in an effort to make the honeypot look as much like a legitimate company as possible.” Trend Micro even leaked details of system vulnerabilities in things like Virtual Network Computing (VNC) access to further lure criminals in. The fake company was attacked by everyone from ransomware actors to cryptocurrency miners, to hackers that did “recon” to look for possible industrial espionage data.

Jan 23

A team at Facebook AI has created a reinforcement learning algorithm that lets a robot find its way in an unfamiliar environment without using a map. MIT Technology Review reports: Using just a depth-sensing camera, GPS, and compass data, the algorithm gets a robot to its goal 99.9% of the time along a route that is very close to the shortest possible path, which means no wrong turns, no backtracking, and no exploration. This is a big improvement over previous best efforts. […] Facebook trained bots for three days inside AI Habitat, a photorealistic virtual mock-up of the interior of a building, with rooms and corridors and furniture. In that time they took 2.5 billion steps — the equivalent of 80 years of human experience. Others have taken a month or more to train bots in a similar task, but Facebook massively sped things up by culling the slowest bots from the pool so that faster ones did not have to wait at the finish line each round.

As ever, the team doesn’t know exactly how the AI learned to navigate, but a best guess is that it picked up on patterns in the interior structure of the human-designed environments. Facebook is now testing its algorithm in real physical spaces using a LoCoBot robot.

Jan 21

An anonymous reader quotes a report from Ars Technica: Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday. The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including Webdav, WebLogic, Webuzo, and WordPress.

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality of service control makes Tomato popular with end users and in some cases router sellers. The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of “admin:admin” or “root:admin” for remote administration. The exploit causes Tomato routers that haven’t been locked down with a strong password to join an IRC server that’s used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable.

Jan 21

Apple chief executive Tim Cook believes augmented reality, or technology that overlays virtual objects onto the real world, is “the next big thing” that is poised to “pervade our entire lives.” From a report: Shanahan asked Cook about major developments in tech he expects in the next five to 10 years. “I’m excited about AR,” said the Big Tech CEO, citing augmented reality as an emerging tech space to watch. “My view is it’s the next big thing, and it will pervade our entire lives.” […] Cook also sees applications for AR helping with hands-on tasks. “You may be under the car changing the oil, and you’re not sure exactly how to do it. You can use AR,” he said. Interestingly, the tech CEO sees benefits for AR and connecting people, more than other available technologies. “I think it’s something that doesn’t isolate people. We can use it to enhance our discussion, not substitute it for human connection, which I’ve always deeply worried about in some of the other technologies.”

Jan 17

“Not sure if this is good news (Oracle is very busy patching their stuff) or bad news (Oracle is very busy patching their stuff) but this quarterly cycle they tied their all-time high number of vulnerability fixes released,” writes Slashdot reader bobthesungeek76036. “And they are urging folks to not drag their feet in deploying these patches.” Threatpost reports: The software giant patched 300+ bugs in its quarterly update. Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Out of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties Oracle’s previous all-time high for number of patches issued, in July 2019, which overtook its previous record of 308 in July 2017. The company said in a pre-release announcement that some of the vulnerabilities affect multiple products. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible,” it added. “Some of these vulnerabilities were remotely exploitable, not requiring any login data, therefore posing an extremely high risk of exposure,” said Boris Cipot, senior security engineer at Synopsys, speaking to Threatpost. “Additionally, there were database, system-level, Java and virtualization patches within the scope of this update. These are all critical elements within a company’s infrastructure, and for this reason the update should be considered mandatory. At the same time, organizations need to take into account the impact that this update could have on their systems, scheduling downtime accordingly.”

Jan 15

A team of programmers scraped a pet adoption website to cheat in a $10,000 contest that was intended to help shelter pets get adopted. From a report: Kaggle, an online data science community that regularly hosts machine learning competitions with prizes often in the tens of thousands of dollars, has uncovered a cheating scandal involving a winning team. The Google subsidiary announced late last week that the winner of a competition involving a pet adoption site had been disqualified from the contest for fraudulently obtaining and obscuring test set data. The fact that a team cheated in a competition nominally intended to help shelter animals also raises questions about whether the people who participate in machine learning competitions like Kaggle are actually interested in making the world a better place, or whether they simply want to win prize money and climb virtual leaderboards.

The competition asked contestants to develop algorithms to predict the rate of pet adoption based on pet listings from PetFinder.my, a Malaysian pet adoption site. The goal, according to the competition, was to help discover what makes a shelter pet’s online profile appealing for adopters. The winning team’s entry would be “adapted into AI tools that will guide shelters and rescuers around the world on improving their pet profiles’ appeal, reducing animal suffering and euthanization,” the competition site said. The algorithm from BestPetting, the first place team, seemed to almost perfectly predict the rate of adoption for the test set against which the submissions were evaluated, winning with a nearly perfect score of 0.912 (out of 1.0). As a reward for their winning solution, the team of three was awarded the top prize of $10,000. Nine months after the close of the competition, however, one observant teenager found that the impressive results were too good to be true.

Jan 14

Cy Guy writes: Having not learned the lessons of Jurassic Park and the Terminator, scientists from the University of Vermont and Tufts have created “reconfigurable organisms” using stem cells from frogs. But don’t worry, the research was funded by the Department of Defense, so I’m sure nothing could possibly go wrong this time. “The robots, which are less than 1mm long, are designed by an ‘evolutionary algorithm’ that runs on a supercomputer,” reports The Guardian. “The program starts by generating random 3D configurations of 500 to 1,000 skin and heart cells. Each design is then tested in a virtual environment, to see, for example, how far it moves when the heart cells are set beating. The best performers are used to spawn more designs, which themselves are then put through their paces.”

“Because heart cells spontaneously contract and relax, they behave like miniature engines that drive the robots along until their energy reserves run out,” the report adds. “The cells have enough fuel inside them for the robots to survive for a week to 10 days before keeling over.”
The findings have been published in the Proceedings of the National Academy of Sciences.

Jan 13

An anonymous reader quotes a report from Ars Technica: On December 16, 2019, Citrix revealed a vulnerability in the company’s Application Delivery Controller and Gateway products — commercial virtual-private-network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw, discovered by Mikhail Klyuchnikov of Positive Technologies, could give an attacker direct access to the local networks behind the gateways from the Internet without the need for an account or authentication, using a crafted Web request. Citrix has published steps to reduce the risk of the exploit. But these steps, which simply configure a responder to handle requests using the text that targets the flaw, break under some circumstances and might interfere with access to the administration portal for the gateways by legitimate users. A permanent patch will not be released until January 20. And as of January 12, over 25,000 servers remain vulnerable, based on scans by Bad Packets.

This is not surprising, considering the number of Pulse Secure VPNs that have not yet been patched over six months after a fix was made available, despite Pulse Secure executives saying that they have “worked aggressively” to get customers to patch that vulnerability. And given that vulnerable Pulse Secure servers have been targeted now for ransomware attacks, the same will likely be true for unprotected Citrix VPN servers — especially since last week, proof-of-concept exploits of the vulnerability began to appear, including at least two published on GitHub, as ZDNet’s Catalin Cimpanu reported. “The vulnerability allows the remote execution of commands in just two HTTP requests, thanks to a directory traversal bug in the implementation of the gateway’s Web interface,” the report adds. “The attacks use a request for the directory ‘/vpn/../vpns/’ to fool the Apache Web server on the gateway to point to the ‘/vpns/’ directory without authentication. The attacks then inject a command based on the template returned from the first request.”

You can check for the vulnerability here.
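As an added example (not from the Ars Technica report, Citrix’s guidance, or any of the published proof-of-concept code), the following Python script shows the detection a defender would run over the gateway’s Apache-style access log: it flags any request that reaches the `/vpns/` directory only by walking through a `..` segment, which is the traversal pattern the report describes, and it decodes percent-encoding first so that `%2e%2e` variants are caught too. The log lines are constructed samples, the client addresses are documentation-range placeholders, and the paths under `/vpns/` are placeholders rather than real file names.

```python
import posixpath
import re
from urllib.parse import unquote

# Apache combined-log prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Paths under /vpns/ are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jan/2020:10:01:05 +0000] "GET /vpn/../vpns/placeholder HTTP/1.1" 200 1011 "-" "curl/7.64.1"
203.0.113.9 - - [13/Jan/2020:10:01:06 +0000] "POST /vpn/%2e%2e/vpns/placeholder HTTP/1.1" 200 27 "-" "curl/7.64.1"
203.0.113.7 - - [13/Jan/2020:10:02:10 +0000] "GET /vpns/placeholder HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def is_traversal_to_vpns(raw_path):
    """True when the request lands under /vpns/ only by way of a '..' segment.

    A direct request to /vpns/... is not flagged: the report's point is that the
    gateway enforces authentication on the direct path and the bypass is the
    traversal through /vpn/. Decoding twice catches double-encoded dots as well.
    """
    path = raw_path.split('?', 1)[0]
    path = unquote(unquote(path))
    if '..' not in path.split('/'):
        return False
    normalized = posixpath.normpath(path)
    return normalized == '/vpns' or normalized.startswith('/vpns/')


def flag_traversal_requests(log_text):
    """Return (client, method, raw path, status) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal_to_vpns(m.group('path')):
            hits.append((m.group('ip'), m.group('method'),
                         m.group('path'), m.group('status')))
    return hits


if __name__ == '__main__':
    for ip, method, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f'traversal to /vpns/ from {ip}: {method} {path} -> {status}')
```

Running this against the sample flags the two requests from 203.0.113.9 (plain and percent-encoded traversal) and leaves the ordinary `/vpn/index.html` request and the directly authenticated `/vpns/` request alone. In production the same check can be pointed at a rotated log file, and a 200 status on a flagged line is the signal that the mitigation responder was not in place at the time.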

Jan 13

This week a former engineer for the Microsoft Windows Core OS Division shared an insightful (and very entertaining) list with “some changes I have noticed over the last 20 years” in the computer programming world. Some excerpts:

- Some programming concepts that were mostly theoretical 20 years ago have since made it to mainstream, including many functional programming paradigms like immutability, tail recursion, lazily evaluated collections, pattern matching, first class functions and looking down upon anyone who doesn’t use them…

- 3 billion devices run Java. That number hasn’t changed in the last 10 years though…

- A package management ecosystem is essential for programming languages now. People simply don’t want to go through the hassle of finding, downloading and installing libraries anymore. 20 years ago we used to visit web sites, download zip files, copy them to the correct locations, add them to the paths in the build configuration and pray that they worked.

- Being a software development team now involves all team members performing a mysterious ritual of standing up together for 15 minutes in the morning and drawing occult symbols with post-its….

- Since we have much faster CPUs now, numerical calculations are done in Python which is much slower than Fortran. So numerical calculations basically take the same amount of time as they did 20 years ago…

- Even programming languages took a side on the debate on Tabs vs Spaces….
- Code must run behind at least three levels of virtualization now. Code that runs on bare metal is unnecessarily performant….

- A tutorial isn’t really helpful if it’s not a video recording that takes orders of magnitude longer to understand than its text.

- There is StackOverflow which simply didn’t exist back then. Asking a programming question involved talking to your colleagues.

- People develop software on Macs.

In our new world where internet connectivity is the norm and being offline the exception, “Security is something we have to think about now… Because of side-channel attacks we can’t even trust the physical processor anymore.”

And of course, “We don’t use IRC for communication anymore. We prefer a bloated version called Slack because we just didn’t want to type in a server address….”
