For about eight days, some versions of Windows 10 bundled a password manager that contained a critical vulnerability within its browser plugin.
The flaw was almost identical to the one that the same researcher had disclosed in the same manager plugin 16 months ago, which allowed websites to steal passwords.
Google Project Zero researcher Tavis Ormandy, in a blog post Friday, said that the Keeper Password Manager came pre-installed on a newly built Windows 10 system. When he tested this unrequested app, it prompted him to enable a browser plugin, and that plugin contained a bug that represents "a complete compromise of Keeper security, allowing any website to steal any password."
With only basic changes to "selectors," Ormandy's old proof-of-concept exploit worked on the new Keeper plugin.
His post linked to the publicly available proof-of-concept exploit, which steals an end user's Twitter password if it's stored in the Keeper app and the plugin is enabled.
After the post went live, a Keeper spokesman said the bug only affected version 11 of the app, which was released on December 6, and only when a user followed Keeper prompts to install the browser plugin.
Keeper fixed the flaw in the just-released version 11.4 by removing the vulnerable functionality. The fix came 24 hours after Ormandy privately reported the flaw to Keeper.
Sent to us by: Roy W. Nash
A San Francisco animal shelter has announced it will no longer use a Knightscope security robot to patrol its office, after a widely-circulated report described the robot being used to “deter” nearby homeless encampments and rising crime.
The San Francisco SPCA said it has received hundreds of messages inciting violence and vandalism against its facility after the story of the robot went viral. In response to that pressure, the organization will seek “a more fully informed, consensus-oriented, local approach” to the use of security robots. San Francisco authorities had already advised the SPCA to stop using the robot on sidewalks without proper approval.
Mountain View-based Knightscope has said in a statement that the robot “was not brought in to clear the area around the San Francisco SPCA of homeless individuals,” but only to “serve and protect the SPCA.”
The recent influx of tech companies and their high-paid employees has helped drive income inequality and make San Francisco the most expensive place to rent an apartment in the United States.
Those underlying tensions have boiled over in protests against tech companies, including protests over private shuttles run by companies such as Google. The San Francisco SPCA facility is located in a rapidly gentrifying neighborhood where inequality is particularly acute, contributing to the rise of homeless encampments on sidewalks.
The SPCA reported a recent rise in vandalism and theft, which it has said declined after the security robot was put into service.
But in San Francisco’s current context, the thought of using a high-tech robot to deter homeless people doesn't go over well.
The robot could also be seen as taking a job from a human.
The president of the SPCA earlier told the San Francisco Business Times that the robot cost just $6 an hour to rent, while San Francisco’s minimum wage is $14 an hour. For the non-profit, hiring a human worker would be cost-prohibitive. So while the SPCA is retiring the robot, it has no intention of hiring a person to take its place.
Sent to us by: Jeff Weston
The Federal Communications Commission voted Thursday to deregulate the broadband industry, and to eliminate net neutrality rules that prohibit Internet service providers from blocking and slowing Internet traffic.
Going forward, home Internet providers and mobile carriers will no longer be bound by strict net neutrality rules but rather by whatever promises they choose to make. ISPs will be allowed to block or throttle Internet traffic or offer priority to websites and online services in exchange for payment.
As long as ISPs publicly disclose the blocking, slowing, or paid prioritization, they won't be violating any FCC rules. The Federal Trade Commission could punish ISPs if they make promises and then break them, but there's no requirement that the ISPs make the promises in the first place.
The FCC will have to defend its decision in court, as pro-net neutrality groups plan to appeal. Advocates are also pushing Congress to reinstate net neutrality rules.
Sent to us by: Roy W. Nash
Google will be using lasers instead of fiber to deploy high-speed internet in India.
There are two main components to getting an entire nation online: the last mile, and the backbone. The often-talked-about “last mile” is the final piece of the puzzle—the cable running to each house, or the wireless link between your cellphone and a nearby tower.
But in order for that last mile to work, it has to be hooked up to something. Normally, that means a dedicated fiber line running from the cell tower to a local exchange, which is time-consuming and costly to run. So, faced with the challenge of bringing rural India online, Google is trying something very different.
Alphabet, Google’s parent company, has entered into an agreement with India’s government to provide high-speed wireless internet to millions of residents using a point-to-point laser connectivity system, Reuters reports.
The system will reportedly involve 2,000 boxes installed in total, with some up to 12 miles apart. Some kind of optical system — which essentially means lasers — will be used to connect the boxes together. The system will provide a backbone for cell towers and Wi-Fi hotspots, which will allow residents to access the internet using basic smartphones. The optical data links have a capacity of up to 20 gigabits, according to Alphabet, far more than traditional radio-wave systems can achieve.
The project is a spin-off of Alphabet’s Project Loon, a concept that uses giant floating balloons to distribute wireless internet to rural areas. The optical link technology might be related directly to Loon, although Alphabet hasn’t provided any details to that effect.
Sent to us by: Jeff Weston