Transportation

Tesla Model 3 Falls Short of Consumer Reports Recommendation (cnbc.com) 264

Consumer Reports published their review of the Tesla Model 3 today. The product review site liked the vehicle's range of the battery and agile handling, but had issues with braking, controls, and ride quality. Overall, it failed to get a recommendation. CNBC highlights the key shortfalls: "Our testers also found flaws -- big flaws -- such as long stopping distances in our emergency braking test and difficult-to-use controls," said a review in the publication. In particular, the car's stopping distance of 152 feet from a speed of 60 miles per hour was slower than any of its contemporaries, including the Ford F-150, a full-size pickup. The location of almost all of Tesla's controls on a touchscreen and the vehicle's ride quality were also factors in the group's decision. Tesla issued a statement in response to Consumer Reports' stopping distance claim: "Tesla's own testing has found braking distances with an average of 133 feet when conducting the 60-0 mph stops using the 18-inch Michelin all season tire and as low as 126 feet with all tires currently available. Stopping distance results are affected by variables such as road surface, weather conditions, tire temperature, brake conditioning, outside temperature, and past driving behavior that may have affected the brake system. Unlike other vehicles, Tesla is uniquely positioned to address more corner cases over time through over-the-air software updates, and it continually does so to improve factors such as stopping distance."
Businesses

Amazon's New Marketplace Appstore Connects Sellers To Software (cnet.com) 6

Amazon is creating another app store, but it's not for consumers. From a report: Instead, the online retail giant will for the first time put its seal of approval on a bunch of third-party apps intended for professional sellers with its new Marketplace Appstore. It launches to sellers starting Monday, the company said. CNET reported on plans for the app store earlier this month. The new app store, which will be available in North America through Amazon's main hub for sellers called Seller Central, will include tools to handle pricing, inventory, advertising and other needs for pro sellers. The app store will be introduced to sellers slowly to ensure a smooth rollout. "Many developers have innovated and created applications that complement our tools and integrate with our service," Amazon said in a statement Monday. "We created the Marketplace Appstore to help businesses more easily discover these applications, streamline their business operations, and ultimately create a better experience for our customers."
AI

New Toronto Declaration Calls On Algorithms To Respect Human Rights 156

A coalition of human rights and technology groups released a new declaration on machine learning standards, calling on both governments and tech companies to ensure that algorithms respect basic principles of equality and non-discrimination. The Verge reports: Called The Toronto Declaration, the document focuses on the obligation to prevent machine learning systems from discriminating, and in some cases violating, existing human rights law. The declaration was announced as part of the RightsCon conference, an annual gathering of digital and human rights groups. "We must keep our focus on how these technologies will affect individual human beings and human rights," the preamble reads. "In a world of machine learning systems, who will bear accountability for harming human rights?" The declaration has already been signed by Amnesty International, Access Now, Human Rights Watch, and the Wikimedia Foundation. More signatories are expected in the weeks to come.

Beyond general non-discrimination practices, the declaration focuses on the individual right to remedy when algorithmic discrimination does occur. "This may include, for example, creating clear, independent, and visible processes for redress following adverse individual or societal effects," the declaration suggests, "[and making decisions] subject to accessible and effective appeal and judicial review."
Privacy

'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com) 44

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

Open Source

Tesla Releases Some of Its Software To Comply With Open-Source Licenses (sfconservancy.org) 24

Jeremy Allison - Sam shares a blog post from Software Freedom Conservancy, congratulating Tesla on their first public step toward GPL compliance: Conservancy rarely talks publicly about specifics in its ongoing GNU General Public License (GPL) enforcement and compliance activity, in accordance with our Principles of Community Oriented GPL Enforcement. We usually keep our compliance matters confidential -- not for our own sake -- but for the sake of violators who request discretion to fix their mistakes without fear of public reprisal. We're thus glad that, this week, Tesla has acted publicly regarding its current GPL violations and has announced that they've taken their first steps toward compliance. While Tesla acknowledges that they still have more work to do, their recent actions show progress toward compliance and a commitment to getting all the way there.
Software

Popular 'Gboard' Keyboard App Has Had a Broken Spell Checker For Months 54

The popular Gboard keyboard app for iOS and Android devices has a fundamental flaw. According Reddit user SurroundedByMachines, the red underline has stopped appearing for incorrectly spelled words since November of last year -- and it doesn't appear to be limited to any one device. Issues with the spell checker have been reported on multiple devices across Android and iOS. A simple Google search brings up several different threads where people have reported issues with the feature.

What's more is that nobody at Google seems to get the memo. The Reddit user who first brought this to our attention filed several bug reports, left a review, and joined the beta channel to leave feedback there, yet no response was given. "Many people have been having the issue, and it's even been escalated to the community manager," writes SurroundedByMachines. Since the app has over 500 million downloads on the Play Store alone, this issue could be frustrating a lot of users, especially those who use their phones to send work emails or write documents. Have you noticed Gboard's broken spell checker on your device? If so, you may want to look into another third-party keyboard, such as SwiftKey or Cheetah Keyboard.
Software

In Virtual Reality, How Much Body Do You Need? (nytimes.com) 34

An anonymous reader quotes a report from The New York Times: Will it soon be possible to simulate the feeling of a spirit not attached to any particular physical form using virtual or augmented reality? If so, a good place to start would be to figure out the minimal amount of body we need to feel a sense of self, especially in digital environments where more and more people may find themselves for work or play. It might be as little as a pair of hands and feet, report Dr. Michiteru Kitazaki and a Ph.D. student, Ryota Kondo. In a paper published Tuesday in Scientific Reports, they showed that animating virtual hands and feet alone is enough to make people feel their sense of body drift toward an invisible avatar (Warning: source may be paywalled; alternative source). Their work fits into a corpus of research on illusory body ownership, which has challenged understandings of perception and contributed to therapies like treating pain for amputees who experience phantom limb.

Using an Oculus Rift virtual reality headset and a motion sensor, Dr. Kitazaki's team performed a series of experiments in which volunteers watched disembodied hands and feet move two meters in front of them in a virtual room. In one experiment, when the hands and feet mirrored the participants' own movements, people reported feeling as if the space between the appendages were their own bodies. In another experiment, the scientists induced illusory ownership of an invisible body, then blacked out the headset display, effectively blindfolding the subjects. The researchers then pulled them a random distance back and asked them to return to their original position, still virtually blindfolded. Consistently, the participants overshot their starting point, suggesting that their sense of body had drifted or "projected" forward, toward the transparent avatar.

Intel

New Spectre Attack Can Reveal Firmware Secrets (zdnet.com) 60

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, knows as System Management Interrupt (SMI) handlers.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg, hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set or range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

Security

RedDawn Android Malware Is Harvesting Personal Data of North Korean Defectors (theinquirer.net) 21

According to security company McAfee, North Korea uploaded three spying apps to the Google Play Store in January that contained hidden functions designed to steal personal photos, contact lists, text messages, and device information from the phones they were installed on. "Two of the apps purported to be security utilities, while a third provided information about food ingredients," reports The Inquirer. All three of the apps were part of a campaign dubbed "RedDawn" and targeted primarily North Korean defectors. From the report: The apps were promoted to particular targets via Facebook, McAfee claims. However, it adds that the malware was not the work of the well-known Lazarus Group, but another North Korean hacking outfit that has been dubbed Sun Team. The apps were called Food Ingredients Info, Fast AppLock and AppLockFree. "Food Ingredients Info and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components."

"AppLockFree is part of the reconnaissance stage, we believe, setting the foundation for the next stage unlike the other two apps. The malwares were spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile promoted Food Ingredients Info," according to McAfee security researcher Jaewon Min. "After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team."

AI

Google's Duplex AI Robot Will Warn That Calls Are Recorded (bloomberg.com) 28

An anonymous reader quotes a report from Bloomberg: On Thursday, the Alphabet Inc. unit shared more details on how the Duplex robot-calling feature will operate when it's released publicly, according to people familiar with the discussion. Duplex is an extension of the company's voice-based digital assistant that automatically phones local businesses and speaks with workers there to book appointments. At Google's weekly TGIF staff meeting on Thursday, executives gave employees their first full Duplex demo and told them the bot would identify itself as the Google assistant. It will also inform people on the phone that the line is being recorded in certain jurisdictions, the people said.
Businesses

Fed Up With Apple's Policies, App Developers Form a 'Union' (wired.com) 108

Even as Apple has addressed some of the concerns outlined by iOS developers in the recent years, many say it's not enough. As the iOS App Store approaches its tenth anniversary, some app developers are still arguing for better App Store policies, ones that they say will allow them to make a better living as independent app makers. On Friday, a small group of developers, including one who recently made a feature-length film about the App Store and app culture, are forming a union to lobby for just that. From a report: In an open letter to Apple that published this morning, a group identifying themselves as The Developers Union wrote that "it's been difficult for developers to earn a living by writing software" built on Apple's existing values. The group then asked Apple to allow free trials for apps, which would give customers "the chance to experience our work for themselves, before they have to commit to making a purchase."

The grassroots effort is being lead by Jake Schumacher, the director of App: The Human Story; software developer Roger Ogden and product designer Loren Morris, who both worked for a timesheet app that was acquired last year; and Brent Simmons, a veteran developer who has made apps like NetNewsWire, MarsEdit, and Vesper, which he co-created with respected Apple blogger John Gruber.

Programming

Ask Slashdot: What's the Most Sophisticated Piece of Software Ever Written? (quora.com) 234

An anonymous reader writes: Stuxnet is the most sophisticated piece of software ever written, given the difficulty of the objective: Deny Iran's efforts to obtain weapons grade uranium without need for diplomacy or use of force, John Byrd, CEO of Gigantic Software (formerly Director of Sega and SPM at EA), argues in a blog post, which is being widely shared in developer circles, with most agreeing with Byrd's conclusion.

He writes, "It's a computer worm. The worm was written, probably, between 2005 and 2010. Because the worm is so complex and sophisticated, I can only give the most superficial outline of what it does. This worm exists first on a USB drive. Someone could just find that USB drive laying around, or get it in the mail, and wonder what was on it. When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC. It has at least three ways of trying to get itself to run. If one way doesn't work, it tries another. At least two of these methods to launch itself were completely new then, and both of them used two independent, secret bugs in Windows that no one else knew about, until this worm came along."

"Once the worm runs itself on a PC, it tries to get administrator access on that PC. It doesn't mind if there's antivirus software installed -- the worm can sneak around most antivirus software. Then, based on the version of Windows it's running on, the worm will try one of two previously unknown methods of getting that administrator access on that PC. Until this worm was released, no one knew about these secret bugs in Windows either. At this point, the worm is now able to cover its tracks by getting underneath the operating system, so that no antivirus software can detect that it exists. It binds itself secretly to that PC, so that even if you look on the disk for where the worm should be, you will see nothing. This worm hides so well, that the worm ran around the Internet for over a year without any security company in the world recognizing that it even existed."
What do Slashdot readers think?
Operating Systems

Canonical Shares Desktop Plans For Ubuntu 18.10 (ubuntu.com) 79

Canonical's Will Cooke on Friday talked about the features the company is working on for Ubuntu 18.10 "Cosmic Cuttlefish" cycle. He writes: We're also adding some new features which we didn't get done in time for the main 18.04 release. Specifically: Unlock with your fingerprint, Thunderbolt settings via GNOME Control Center, and XDG Portals support for snap.

GNOME Software improvements
We're having a week long sprint in June to map out exactly how we want the software store to work, how we want to present information and to improve the overall UX of GNOME Software. We've invited GNOME developers along to work with Ubuntu's design team and developers to discuss ideas and plan the work. I'll report back from the sprint in June.

Snap start-up time
Snapcraft have added the ability for us to move some application set up from first run to build time. This will significantly improve desktop application first time start up performance, but there is still more we can do.

Chromium as a snap
Chromium is becoming very hard to build on older releases of Ubuntu as it uses a number of features of modern C++ compilers. Snaps can help us solve a lot of those problems and so we propose to ship Chromium only as a snap from 18.10 onwards, and also to retire Chromium as a deb in Trusty. If you're still running Trusty you can get the latest Chromium as a snap right now.
In addition, Ubuntu team is also working on introducing improvements to power consumption, adding support for DLNA, so that users could share media directly from their desktop to DLNA clients (without having to install and configure extra packages), and improved phone integration by shipping GS Connect as part of the desktop, the GNOME port of KDE Connect. Additional changelog here.
Security

A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) 47

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

XBox (Games)

Microsoft Announces Xbox Adaptive Controller For Players With Disabilities (theverge.com) 19

A new Xbox controller designed for people with disabilities has been announced by Microsoft today. The Xbox Adaptive Controller features two large programmable buttons and 19 jacks that can be connected to a range of joysticks, buttons, and switches to make it easier for a wider range of people to play games on Xbox One and Windows 10 PCs. The Verge reports: "I can customize how I interface with the Xbox Adaptive Controller to whatever I want," says Solomon Romney, a Microsoft Store learning specialist who was born without fingers on his left hand. "If I want to play a game entirely with my feet, I can. I can make the controls fit my body, my desires, and I can change them anytime I want. You plug in whatever you want and go. It takes virtually no time to set it up and use it. It could not be simpler."

The focus is on connectivity and customizability, with players able to build a setup that works for their capabilities and needs. It won't be an all-in-one solution for many games, but through the use of peripherals and the Xbox's system-level button remapping, the possibilities could be endless. The Xbox Adaptive Controller will cost $99.99 and goes on sale later this year.

Privacy

Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com) 39

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers in the United States. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD. student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Security

Hardcoded Password Found in Cisco Enterprise Software, Again (bleepingcomputer.com) 70

Catalin Cimpanu, writing for BleepingComputer: Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" and which received a maximum of 10 out of 10 on the CVSSv3 severity score. The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center. The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network. This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.
Chrome

Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com) 101

Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.
Music

YouTube Unveils New Streaming Service 'YouTube Music,' Rebrands YouTube Red (gizmodo.com) 106

An anonymous reader quotes a report from Gizmodo: YouTube Music, a streaming music platform designed to compete with the likes of Spotify and Apple Music, officially has a launch date: May 22nd. Its existence will also shift around YouTube and Google's overall media strategy, which has thus far been quite the mess. YouTube Music will borrow the Spotify model and offer a free, ad-supported tier as well as a premium version. The paid tier, which will be called YouTube Music Premium, will be available for $9.99 per month. It will debut in the U.S., Australia, New Zealand, Mexico, and South Korea before expanding to 14 other countries.

One of the selling points for YouTube Music will be the ability to harness the endless amount of information Google knows about you, which it will use to try to create customized listening experiences. Pitchfork reported that the app, with the help of Google Assistant, will make listening recommendations based on the time of day, location, and listening patterns. It will also apparently offer "an audio experience and a video experience," suggesting perhaps an emphasis on music videos and other visual content. From here, Google seems to be focused on making its streaming strategy a little less wacky. Google Play Music, the company's previous music streaming service that is still inexplicably up and running despite teetering on the brink of extinction for years, will slowly be phased out according to USA Today.
Meanwhile, the paid streaming subscription service, known as YouTube Red, is being rebranded to YouTube Premium and will cost $11.99 per month instead of $9.99. (Pitchfork notes that existing YouTube Red subscribers will be able to keep their $9.99 rate.) YouTube Premium will include access to YouTube Music Premium. Here's a handy-dandy chart that helps show what is/isn't included in the two plans.
Twitter

Twitter Will Start Hiding Tweets That 'Detract From the Conversation' (slate.com) 183

Yesterday, Twitter announced several new changes to quiet trolls and remove spam. According to Slate, the company "will begin hiding tweets from certain accounts in conversations and search results." In order to see them, you'll now have to scroll to the bottom of the conversation and click "Show more replies," or go into your search settings and choose "See everything." From the report: When Twitter's software decides that a certain user is "detract[ing] from the conversation," all of that user's tweets will be hidden from search results and public conversations until their reputation improves. And they won't know that they're being muted in this way; Twitter says it's still working on ways to notify people and help them get back into its good graces. In the meantime, their tweets will still be visible to their followers as usual and will still be able to be retweeted by others. They just won't show up in conversational threads or search results by default. The change will affect a very small fraction of users, explained Twitter's vice president of trust and safety, Del Harvey -- much less than 1 percent. Still, the company believes it could make a significant difference in the average user's experience. In early testing of the new feature, Twitter said it has seen a 4 percent drop in abuse reports in its search tool and an 8 percent drop in abuse reports in conversation threads.

Slashdot Top Deals