Google

Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com) 48

An anonymous reader quotes PCWorld: Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...

In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.

100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.
Cellphones

FTC Dismantles Two Huge Robocall Organizations (onthewire.io) 117

Billions of robocalls came from two groups selling extended auto warranties, SEO services, and home security systems over the last seven years -- many to numbers on the "Do Not Call" list -- but this week the Federal Trade Commission took action. Trailrunner7 shares this report from OnTheWire: Continuing its campaign against phone fraud operations, the FTC has dismantled two major robocall organizations... They and many of their co-defendants have agreed to court-ordered bans on robocall activities and financial settlements... The FTC and the FCC both have been cracking down on illegal robocall operations recently. The FCC has formed a robocall strike force with the help of carriers and also has signed an agreement to cooperate with Canadian authorities to address the problem.
"The law is clear about robocalls," says one FTC executive. "If a telemarketer doesn't have consumers' written permission, it's illegal to make these calls."
Businesses

Uber Will Pay $20 Million For Exaggerating Drivers' Earnings (engadget.com) 79

Uber is paying $20 million to settle allegations that it duped people into driving for its ride-hailing service with false promises about how much they would earn and how much they would have to pay to finance a car. From a report: The FTC claimed that Uber was advertising an annual median income of over $90,000 per year for uberX drivers in New York and more than $74,000 for uberX drivers in San Francisco. But, as the commission found out, less than 10 percent of all drivers in those cities actually make that much. The complaint also alleges that Uber was inflating the hourly earnings on job boards like Craigslist. New drivers who financed a new car through Uber's Vehicle Solutions Program found out the company's claims were too good to be true as well. Although Uber told new drivers they would be able to lease a new car for around $119 per week, the actual lease rates never dipped below $200 from late 2013 to April 2015. And, despite its promise of delivering "the best financing options available," it turns out that Uber's rates were actually worse than consumers with similar credit scores could have gotten elsewhere. Adding insult to overpriced injury, Uber tacked on mileage limits to lease agreements that were advertised with unlimited mileage.
China

Viral Chinese Selfie App Meitu, Valued at Over $5 Billion, Phones Home With Personal Data (theregister.co.uk) 79

The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say. The app, which has been featured on several popular outlets including the NYTimes, USA Today, and NYMag, harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded. From a report: But worst of all, the free app appears to be phoning home to share personal data with its makers. Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, according to respected forensics man Jonathan Zdziarski, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset's MAC address. "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," Zdziarski says. Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found. The app, which was valued at over $5 billion last year due to its popularity, seeks access to device and app history; accurate location; phone status; USB, photos, and files storage read and write; camera; Wifi connections; device ID & call information; full network access, run at startup, and prevent device from sleeping on Android phones.
Advertising

Drone Maker Lily Robotics Faked Promotional Video, Gets Sued For False Advertising and Misleading Business Practices (theregister.co.uk) 39

Dotnaught quotes a report from The Register: Lily Robotics says its decision on Thursday to shut down and return pre-order payments for a never-delivered drone, which came on the same day that San Francisco District Attorney George Gascon charged the company with false advertising and misleading business practices, was purely coincidental. According to a source familiar with the complaint filed against the company, Lily Robotics has known about the DA's investigation for several months. On the strength of a promotional video on YouTube in May 2015, embedded below, Lily Robotics raised more than $34 million in pre-order sales over the course of that year for a drone called Lily Camera. The flying gadget, when built, would be capable of being launched with a throw, following people, and recording them. But after pushing the delivery date back multiple times, Lily Robotics has yet to ship a single drone to its 60,000 prospective customers, according to the lawsuit filed against the company. In theory, Lily Robotics could face a fine of more than a hundred million dollars, depending upon the outcome of a trial, if it comes to that. The company faces potential fines for at least two business code violations subject to a civil penalty of $2,500 per violation, and there are some 60,000 individuals affected. In practice, however, such fines are usually orders of magnitude less, particularly if both sides agree on a settlement. The complaint against Lily, obtained by The Register, alleges that the company knowingly misled customers by creating a promotional video that purported to show video footage captured with a Lily drone prototype. "In fact, none of the video in the Promotional Video was shot by a Lily Camera," the complaint says. "Most notably, the POV footage used in the promotional video was filmed using a professional camera drone called the DJI Inspire." 
Among the Lily Camera prototypes present at the video shoot, the complaint says, the ones that could actually record video were able to do so because they had GoPro cameras mounted on them.
Facebook

Instagram Stories Hits 150M Active Users, Adds Advertising To Instagram Stories (techcrunch.com) 31

An anonymous reader writes: Instagram Stories now has as many users as the last number announced by Snapchat, the app Instagram copied. And it's swiftly moving to monetize that massive audience. Along with the new 150 million daily user stat, Instagram today announced the launch of ads mixed into Stories. The unclickable 5-second photo and 15-second video ads appear between different people's stories and can be easily skipped. Instagram will also provide business accounts with analytics on the reach, impressions, replies and exits of their Stories.
Microsoft

Microsoft To Enhance User Privacy Controls In Upcoming Windows 10 Update (hothardware.com) 183

MojoKid writes: When Microsoft first launched Windows 10, it was generally well-received but also came saddled with a number of privacy concerns. It has taken quite a while for Microsoft to respond to these concerns in a meaningful way, but the company is finally proving that it's taking things seriously by detailing some enhanced privacy features coming to a future Windows 10 build. Microsoft is launching what it calls a (web-based) privacy dashboard, which lets you configure anything and everything about information that might be sent back to the mothership. You can turn all tracking off, or pick and choose, if certain criteria don't concern you too much, like location or health activity, for example. Also, for fresh installs, you'll be given more specific privacy options so that you can feel confident from the get-go about the information you're sending Redmond's way. If you do decide to send any information Microsoft's way, the company promises that it won't use your information for the sake of targeted advertising.
Businesses

Supreme Court Will Not Examine Tech Industry Legal Shield (reuters.com) 51

An anonymous reader shares a Reuters report: The U.S. Supreme Court on Monday let stand a lower court's decision that an online advertising site accused by three young women of facilitating child sex trafficking was protected by a federal law that has shielded website operators from liability for content posted by others. The refusal by the justices to take up the women's appeal in the case involving the advertising website Backpage.com marked a victory for the tech industry, which could have faced far-reaching consequences had the Supreme Court decided to limit the scope of the Communications Decency Act, passed by Congress in 1996 to protect free speech on the internet.
Toys

Ask Slashdot: What's The Most Useful 'Nerd Watch' Today? 232

He's worn the same watch for two decades, but now Slashdot reader students wants a new one. For about 20 years I've used Casio Databank 150 watches. They were handy because they kept track of my schedule and the current time. They were very cheap. They required very little maintenance, since the battery lasts more than a year and the bands last even longer. Since they were waterproof, I don't even have to take them off (or remember where I put them!) They were completely immune to malicious software, surveillance, and advertising. However, their waterproof gaskets have worn out so they no longer work for me. Casio no longer makes them or any comparable product (their website is out of date).
Today's watches include everything from heart rate monitors to TV remote controls, and Casio even plans to release a new version of their Android Wear watch with a low-power GPS chip and mapping software. But what's your best suggestion? "I don't want a watch that duplicates the function of my cell phone or computer," adds the original submission -- so leave your best answers in the comments. What's the most useful nerd watch today?
AI

Huawei Snubs Google, Ships An Android Phone With Alexa (reuters.com) 63

Huawei announced its flagship handset will give users access to Amazon's Alexa assistant in the U.S., suggesting a new worry for Google, according to Reuters. An anonymous reader writes: "The adoption of Alexa by a prominent Android manufacturer indicates that Amazon may have opened up an early lead over Google as the companies race to present their digital assistants to as many people as possible, analysts said." Analyst Jan Dawson at Jackdaw Research even told Reuters that if Google's personal assistant lags in popularity when voice becomes the most popular interface, "that's a huge loss for Google in terms of data gathering, training its AI, and ultimately the ability to drive advertising revenue."

Tension may have started when Google decided to debut Google Assistant on their own Pixel smartphones. "While Google has expressed an interest in bringing its assistant to other Android smartphones, the decision to debut the feature on its own hardware may have strained relations with manufacturers, Dawson said. 'It highlights just what a strategic mistake it can be for services companies to make their own hardware and give it preferential access to new services.'"

Nvidia announced this week at CES that they'd be using Google Assistant for their Shield TVs, while Whirlpool and Ford both announced Alexa-enabled products. But this article argues Google Assistant has one thing that Alexa doesn't have: a search engine.
Android

Fake Malware-Filled Super Mario Run Apps Take Advantage of Android Absence (silicon.co.uk) 34

Mickeycaskill writes: Nintendo's Super Mario Run was downloaded more than 40 million times in the first four days it was available. But an Android version has yet to materialize. An official release is on the way, but cybercriminals are taking advantage of this vacuum by spreading malicious apps masquerading as the real thing. The "Android Marcher trojan" appears as a fake landing page advertising the release of the game, where it can be downloaded onto users' devices. It then targets financial and banking apps and can modify your settings and read your contacts. The popularity of Pokemon GO last year saw similar scams emerge as users waited for the game.
Privacy

Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com) 207

New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, which silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so as to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.
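The summary above says a beacon is just audio above the hearing range that a listening device decodes and answers. The JavaScript below is an added illustration written for this page, not the researchers' code or any ad SDK: it encodes a few bytes as binary FSK on two near-ultrasonic carriers, decodes them with a Goertzel filter of the kind a listening app would run on microphone input, and includes a defender-side check that flags audio carrying energy at those carriers. The carrier frequencies (18.5 and 19.5 kHz), 50 ms symbol length and lack of framing are assumptions; in a browser the same sample array would be handed to an AudioBufferSourceNode, here it is generated in Node so everything runs offline.

```javascript
// Added illustration of a uXDT-style ultrasonic beacon (encoder, decoder and a
// detector). Not the researchers' code; carriers, symbol length and framing are
// assumptions chosen so each symbol window holds a whole number of carrier cycles.
const SAMPLE_RATE = 44100;
const F0 = 18500;        // carrier for bit 0, above normal hearing, below Nyquist
const F1 = 19500;        // carrier for bit 1
const SYMBOL = 2205;     // samples per bit: 50 ms at 44.1 kHz
const DETECT_AMPLITUDE = 0.1; // detector threshold on estimated carrier amplitude

// Encode bytes MSB-first as binary FSK samples in [-1, 1].
function encodeBeacon(bytes) {
  const bits = [];
  for (const b of bytes) for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  const out = new Float32Array(bits.length * SYMBOL);
  bits.forEach((bit, k) => {
    const f = bit ? F1 : F0;
    for (let n = 0; n < SYMBOL; n++) {
      const t = k * SYMBOL + n;
      out[t] = 0.5 * Math.sin((2 * Math.PI * f * t) / SAMPLE_RATE);
    }
  });
  return out;
}

// Goertzel power of one frequency over samples[start, start+len). Cheaper than
// an FFT when only two bins matter, which is why listening apps use it.
function goertzel(samples, start, len, freq) {
  const k = Math.round((len * freq) / SAMPLE_RATE);
  const coeff = 2 * Math.cos((2 * Math.PI * k) / len);
  let s1 = 0, s2 = 0;
  for (let n = 0; n < len; n++) {
    const s0 = samples[start + n] + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

// Estimated amplitude of a pure tone in a window: Goertzel power is (A*N/2)^2.
function toneAmplitude(samples, start, len, freq) {
  return (2 * Math.sqrt(goertzel(samples, start, len, freq))) / len;
}

// Decoder: for each symbol window, whichever carrier has more power wins.
function decodeBeacon(samples, nbytes) {
  const bytes = [];
  for (let i = 0; i < nbytes; i++) {
    let b = 0;
    for (let j = 0; j < 8; j++) {
      const start = (i * 8 + j) * SYMBOL;
      const p0 = goertzel(samples, start, SYMBOL, F0);
      const p1 = goertzel(samples, start, SYMBOL, F1);
      b = (b << 1) | (p1 > p0 ? 1 : 0);
    }
    bytes.push(b);
  }
  return bytes;
}

// Detector: strongest carrier amplitude seen in any full symbol window.
function ultrasoundAmplitude(samples) {
  let best = 0;
  for (let start = 0; start + SYMBOL <= samples.length; start += SYMBOL) {
    best = Math.max(best,
      toneAmplitude(samples, start, SYMBOL, F0),
      toneAmplitude(samples, start, SYMBOL, F1));
  }
  return best;
}

function hasBeacon(samples) {
  return ultrasoundAmplitude(samples) > DETECT_AMPLITUDE;
}

// Constructed inputs: a beacon carrying two bytes, and an audible 440 Hz tone.
const beacon = encodeBeacon([0xa5, 0x3c]);
const audible = new Float32Array(SYMBOL * 4);
for (let n = 0; n < audible.length; n++) {
  audible[n] = 0.5 * Math.sin((2 * Math.PI * 440 * n) / SAMPLE_RATE);
}
console.log('decoded:', decodeBeacon(beacon, 2).map((b) => b.toString(16)));
console.log('beacon flagged:', hasBeacon(beacon), '| audible flagged:', hasBeacon(audible));
```

The detector is the part worth keeping: on a desktop it can run over the output of whatever audio sink the browser writes to, and on a phone over microphone input, and a sustained tone near 18 to 20 kHz inside ordinary ad audio is not something legitimate content produces. Tor Browser users who disable audio (or run without a sound device) remove the emitting half of the attack entirely.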
Google

Google Really, Really Wants To Bring India's Small Businesses Online (buzzfeed.com) 36

An anonymous reader shares a report: Millions more Indians are now coming online, but India's small businesses -- including everything from decades-old mom and pop stores to neighborhood bakeries -- are lagging behind. Google wants to change that. At an event in New Delhi today, Google CEO Sundar Pichai announced a brand new program called Digital Unlocked aimed at helping India's 51 million small and medium businesses establish an online presence. Over the next three years, Google will hold 5,000 daylong classes in 40 Indian cities to teach business owners everything from the basics -- getting their business listed on Google Maps, for instance -- to advanced courses like running an online advertising campaign and measuring analytics.
Security

How Russia Recruited Elite Hackers For Its Cyberwar (nypost.com) 236

Lasrick quotes a report from The New York Times (Warning: source may be paywalled; alternate source): For more than three years, rather than rely on military officers working out of isolated bunkers, Russian government recruiters have scouted a wide range of programmers, placing prominent ads on social media sites, offering jobs to college students and professional coders, and even speaking openly about looking in Russia's criminal underworld for potential talent. From the New York Post: "Russia's Defense Ministry bought advertising on VKontakte, the country's most popular social media site, to lure those who were more talented with a keyboard than an AK-47 rifle. 'If you graduated from college, if you are a technical specialist, if you are ready to use your knowledge, we give you an opportunity,' the ad promised, according to the Times. The ad went on to assure recruits that they would be part of units called science squadrons based at military installations where they would live in 'comfortable accommodation' and showed an apartment outfitted with a washing machine, the Times reported. The Defense Ministry even dangled the chance to dodge Russia's mandatory draft by allowing university students to join a science squadron instead and then questioned them about their proficiency with programming languages, the report said."
Patents

Amazon Patents Floating Airship Warehouse For Its Delivery Drones (techcrunch.com) 94

An anonymous reader quotes a report from TechCrunch: We've known about Amazon's drone delivery ambitions since 2013. But patent filings from Amazon, circulated today by CB Insights' Zoe Leavitt, reveal more details about how the e-commerce titan could make drone deliveries work at scale, namely through "airborne fulfillment centers." Yes, that's a warehouse in a zeppelin. The airborne fulfillment centers, or AFCs, would be stocked with a certain amount of inventory and positioned near a location where Amazon predicts demand for certain items will soon spike. Drones, including temperature-controlled models ideally suited for food delivery, could be stocked at the AFCs and sent down to make a precise, safe scheduled or on-demand delivery. An example cited in the filing was around a sporting event. If there's a big championship game down below, Amazon AFC's above could be loaded with snacks and souvenirs sports fans crave. The AFCs could be flown close to a stadium to deliver audio or outdoor display advertising near the main event, as well, the filing suggested. The patent reflects a complex network of systems to facilitate delivery by air. Besides the airborne fulfillment centers and affiliated drones, the company has envisioned larger shuttles that could carry people, supplies and drones to the AFCs or back to the ground. Using a larger shuttle to bring drones up to the AFC would allow Amazon to reserve their drones' power for making deliveries only. Of course, all these elements would be connected to inventory management systems, and other software and remote computing resources managed by people in the air or on the ground. The filing also reveals that the shuttles and drones, as they fly deliveries around, could function in a mesh network, relaying data to each other about weather, wind speed and routing, for example, or beaming e-book content down to readers on the ground. 
Amazon also recently patented a system to defend its drones against hackers, jammers and bows and arrows.
Advertising

Ask Slashdot: Is Computing As Cool and Fun As It Once Was? 449

dryriver writes: I got together with old computer nerd friends the other day. All of us have been at it since the 8-bit/1980s days of Amstrad, Atari, Commodore 64-type home computers. Everybody at the meeting agreed on one thing -- computing is just not as cool and as much fun as it once was. One person lamented that computer games nowadays are tied to internet DRM like Steam, that some crucial DCC software is available to rent only now (e.g. Photoshop) and that many "basic freedoms" of the old-school computer nerd are increasingly disappearing. Another said that Windows 10's spyware aspects made him give up on his beloved PC platform and that he will use Linux and Android devices only from now on, using consoles to game on instead of a PC because of this. A third complained about zero privacy online, internet advertising, viruses, ransomware, hacking, crapware. I lamented that the hardware industry still hasn't given us anything resembling photorealistic realtime 3D graphics, and that the current VR trend arrived a full decade later than it should have. A point of general agreement was that big tech companies in particular don't treat computer users with enough respect anymore. What do Slashdotters think? Is computing still as cool and fun as it once was, or has something "become irreversibly lost" as computing evolved into a multi-billion dollar global business?
Advertising

Russian Hackers Stole $5 Million Per Day From Advertisers With Bots and Fake Websites (cnn.com) 93

Russian hackers have used fake websites and bots to steal millions of dollars from advertisers. According to researchers, the fraud has siphoned more than $180 million from the online ad industry. CNNMoney reports: Dubbed "Methbot," it is a new twist in an increasingly complex world of online crime, according to White Ops, the cybersecurity firm that discovered the operation. Methbot, so nicknamed because the fake browser refers to itself as the "methbrowser," operates as a sham intermediary advertising ring: Companies would pay millions to run expensive video ads. Then they would deliver those ads to what appeared to be major websites. In reality, criminals had created more than 250,000 counterfeit web pages no real person was visiting. White Ops first spotted the criminal operation in October, and it is making up to $5 million per day -- by generating up to 300 million fake "video impressions" daily. According to White Ops, criminals acquired massive blocks of IP addresses -- 500,000 of them -- from two of the world's five major internet registries. Then they configured them so that they appeared to be located all over the United States. They built custom software so that computers (at those legitimate data centers) acted like real people viewing those ads. These "people" even appeared to have Facebook accounts (they didn't), so that premium ads were served. Hackers fooled ad fraud blockers because they figured out how to build software that mimicked a real person who only surfed during the daytime -- using the Google Chrome web browser on a MacBook laptop.
Republicans

Twitter Cut Out of Trump Tech Meeting Over Failed Emoji Deal, Says Report (politico.com) 551

According to Politico, Twitter CEO Jack Dorsey was "bounced" from Wednesday's meeting between tech executives and President-elect Donald Trump in retribution for refusing during the campaign to allow an emoji version of the hashtag #CrookedHillary. Trump's adviser Sean Spicer denied the report, saying "the conference table was only so big." Politico reports: Twitter was one of the few major U.S. tech companies not represented at Wednesday afternoon's Trump Tower meeting attended by, among others, Apple's Tim Cook, Amazon's Jeff Bezos, Facebook's Sheryl Sandberg, and Tesla's Elon Musk -- an omission all the more striking because of Trump's heavy dependence on the Twitter platform. Trump's campaign also made a $5 million deal with Twitter before the election, in which the campaign committed "to spending a certain amount on advertising and in exchange receive discounts, perks, and custom solutions," the campaign's director of digital advertising and fund raising, Gary Coby, wrote in a Medium post last month. So the campaign objected when the company refused to allow the anti-Clinton emoji. Coby wrote that Dorsey personally intervened to block the Trump operation from deploying the emoji, which would have shown, in various renderings, small bags of money being given away or stolen. That emoji would have been offered to users as a replacement for the hashtag #CrookedHillary, a preferred Trump insult for his Democratic opponent. Spicer also objected to the company's refusal, telling the Washington Examiner in October that "while Twitter claims to be a venue that promotes the free exchange of ideas, it's clear that its leadership's left wing ideology literally trumps that." POLITICO's source said Spicer, who's also the Republican National Committee spokesman, was the one who made the call to refuse an invitation to Dorsey or other Twitter executives to Wednesday's meeting.
Youtube

YouTube's $1 Billion Royalties Are Not Enough, Says Music Industry (bbc.com) 220

YouTube said Tuesday that it has paid the music industry over one billion dollars in advertising revenue in the past 12 months. The music industry thinks that sum is not enough. From a report on BBC: "Google has issued more unexplained numbers on what it claims YouTube pays the music industry," said a spokesperson for the global music body, the IFPI. "The announcement gives little reason to celebrate, however. With 800 million music users worldwide, YouTube is generating revenues of just over $1 per user for the entire year. "This pales in comparison to the revenue generated by other services, ranging from Apple to Deezer to Spotify. For example, in 2015 Spotify alone paid record labels some $2bn, equivalent to an estimated $18 per user." In his blog post announcing the figure, YouTube's chief business officer Robert Kyncl conceded that the current model was not perfect, arguing: "There is a lot of work that must be done by YouTube and the industry as a whole. "But we are excited to see the momentum," he added.
Advertising

New Stegano Exploit Kit Hides Malvertising Code In Banner Pixels (bleepingcomputer.com) 207

An anonymous reader quotes a report from BleepingComputer: For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites. Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files. In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads. The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites. Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character. Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo. When extracted, this malicious code would redirect the user to an intermediary URL, called gate, where the host server would filter users. This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers. Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm. If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL.
The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and launch into execution various strains of malware.
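The hiding step described above (small changes to pixel transparency, recovered by ad-side JavaScript with a per-pixel formula) is simple enough to show end to end. The JavaScript below is an added illustration written for this page, not ESET's analysis code and not the kit's own script: it models a banner as the flat RGBA byte array a canvas getImageData() call returns, hides a short string by lowering the alpha of a pixel by one nibble per pixel, recovers it, and adds the defender-side check an ad network could run on uploaded creatives. The nibble-per-pixel scheme, the two-byte length prefix and the threshold in the check are assumptions; the payload string is constructed.

```javascript
// Added illustration of alpha-channel steganography in an RGBA pixel buffer.
// Not ESET's or the Stegano kit's code; the encoding (one nibble per pixel,
// subtracted from alpha 255, 2-byte length prefix) is an assumption.
const BASE_ALPHA = 255;   // what an ordinary opaque banner pixel carries
const MAX_DELTA = 15;     // a nibble: 0..15 off full opacity is visually invisible

// Constructed opaque image with pseudo-random RGB content, in the
// { width, height, data: Uint8ClampedArray } shape of a canvas ImageData.
function makeImage(width, height) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) {
    data[p * 4 + 0] = (p * 37) & 0xff;
    data[p * 4 + 1] = (p * 59) & 0xff;
    data[p * 4 + 2] = (p * 83) & 0xff;
    data[p * 4 + 3] = BASE_ALPHA;
  }
  return { width, height, data };
}

// Hide `text` in the alpha channel: each payload byte becomes two nibbles, each
// nibble lowers one pixel's alpha by 0..15. Returns a new image; input untouched.
function embed(img, text) {
  const bytes = Buffer.from(text, 'utf8');
  const payload = Buffer.concat([Buffer.from([bytes.length >> 8, bytes.length & 0xff]), bytes]);
  if (payload.length * 2 > img.width * img.height) throw new Error('image too small for payload');
  const out = { width: img.width, height: img.height, data: new Uint8ClampedArray(img.data) };
  payload.forEach((b, i) => {
    out.data[(2 * i) * 4 + 3] = BASE_ALPHA - (b >> 4);
    out.data[(2 * i + 1) * 4 + 3] = BASE_ALPHA - (b & 0x0f);
  });
  return out;
}

// The extraction formula the ad-side script would run: read alpha deviations
// back into nibbles, then bytes, then characters.
function extract(img) {
  const nibble = (p) => BASE_ALPHA - img.data[p * 4 + 3];
  const byteAt = (i) => (nibble(2 * i) << 4) | nibble(2 * i + 1);
  const len = (byteAt(0) << 8) | byteAt(1);
  const bytes = Buffer.alloc(len);
  for (let i = 0; i < len; i++) bytes[i] = byteAt(i + 2);
  return bytes.toString('utf8');
}

// Defender-side heuristic for an ad network's creative review: fraction of
// pixels that are almost, but not quite, opaque. Real artwork is either
// opaque (255) or has visible transparency; a sprinkle of 240..254 values
// across an otherwise opaque banner is a sign of a hidden channel.
function nearOpaqueRatio(img) {
  const total = img.width * img.height;
  let n = 0;
  for (let p = 0; p < total; p++) {
    const a = img.data[p * 4 + 3];
    if (a < BASE_ALPHA && a >= BASE_ALPHA - MAX_DELTA) n++;
  }
  return n / total;
}

// Constructed demo: a 64x64 banner carrying a gate URL in example.invalid space.
const clean = makeImage(64, 64);
const stego = embed(clean, 'http://gate.example.invalid/');
console.log('recovered:', extract(stego));
console.log('near-opaque ratio clean/stego:', nearOpaqueRatio(clean), nearOpaqueRatio(stego));
```

Two practical caveats: the heuristic only catches schemes that stay near full opacity, so a reviewer should also compare the alpha histogram of an uploaded banner against the artwork's visible transparency, and none of this helps once the network lets an advertiser ship arbitrary JavaScript alongside the image, which is the policy gap the summary points at.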
