People Are Slinging Overpriced Ethereum Rigs on Craigslist
Like selling pickaxes during a gold rush.
During the California gold rush in the late 19th century, some of the most successful prospectors were not the miners actually hunting for gold, but the businessmen selling mining tools. Most people wouldn’t think that hocking canvas pants is the path to millions when there’s gold to be found, but I doubt that Levi Strauss would care what you think.
Today there is a new mining boom underway, but these 21st century miners are searching for computer code, not gold. Just like its 19th century predecessor, the cryptocurrency rush also has its fair share of pickaxe merchants looking to cash in on the boom by selling would-be miners the supplies they need to start extracting cryptocurrency from a network. This is most obvious on sites like Craigslist or Ebay, where people are making bank by selling computer mining rigs for several thousand dollars above retail value.
“We can’t build the rigs fast enough. I get more calls then we can handle right now.”
Once upon a time, anyone could’ve used their personal PC to mine for bitcoin, a process that involves finding solutions to cryptographic hashing problems. But bitcoin quickly succumbed to economies of scale and now it’s basically only possible to profitably mine bitcoin using expensive, special-made hardware in giant Chinese bitcoin mines. But newer cryptocurrencies—sometimes called altcoins—like Ethereum, Litecoin, or Zcash can all be profitably mined using off-the-shelf gaming hardware and free open-source software. All you need is a handful of graphics processing units (GPUs), a working motherboard and a little bit of PC-building knowhow.
The problem is that the great cryptocurrency rush of 2017 has made the crucial ingredient for Ethereum mining—GPUs—incredibly hard to find. This has prompted a number of seasoned cryptominers to start selling ready-made rigs online, often for thousands of dollars above the market value of their constituent hardware. But according to Scott McCarthy, the CEO of SMS IT Group, a Los Angeles-based IT consultancy that also sells mining rigs on the side, the price doesn’t seem to be a deterrent.
“We can’t build the rigs fast enough,” McCarthy told me. “I get more calls then we can handle right now. We will take a deposit but tell the customers they have to wait up to three weeks before we can deliver. I got over 20 calls this past weekend from people looking to buy a rig or take training classes.”
The six-GPU rigs sold by McCarthy cost $3,755 and use Radeon RX 580 graphics cards. Before the cryptorush, these GPUs cost about $250 a pop and a six-GPU rig could’ve easily been built for under $2000. While $3,755 might seem high for a mining rig considering its components, McCarthy’s actually offering one of the better rig deals on the web. It’s not uncommon to see used mining rigs selling for $4000 or above.
One seller on Craigslist—a man named John from a suburb just outside of Washington DC—said he has previously sold one of his rigs for around $4000 and is currently listing another for the same price. He said he’s received a lot of interest, but most people want to talk his price down.
“Due to the shortage of AMD GPUs, the rise in price in Ethereum and the desire to get in on it from a lot of people with very little technical know-how, the amount people would pay for a pre-assembled mining system has skyrocketed,” John told me in an email.
The question is why aren’t these buyers just collecting the parts for a mining rig and building one themselves? This could potentially save them thousands of dollars over a readymade rig and John was the first to admit that it’s “very easy” to build a rig. Aside from the hardware shortage, John thinks that most people are simply intimidated by the idea of building a PC from the ground up. It’s not the hardest thing in the world by any means, but some people are babies about it.
“I think most people are capable of building their own rig, they just don’t want to spend the time to learn how or have a fear about breaking something,” John said.
But McCarthy isn’t so sure. Although he’s sold hundreds of bitcoin and Ethereum mining rigs and has 15 years professional experience in IT, he said it took him a year before he could properly build a rig.
“It’s almost impossible for someone without PC experience to build one,” McCarthy said. “The challenge is not only knowing the components to use and all the terminology, you have to know what is going to work properly with which components.”
As someone with zero PC-building experience who recently built his own Ethereum mining rig, I can tell you that it is possible, but that, as McCarthy said, the process did involve several hours of research and trial and error before getting it right. Most second-hand mining rig vendors are banking on people not wanting to invest that amount of time in learning about mining.
So for now, if you build it and list it on Craigslist, they will come.
Correction: Originally the headline for this article was “People Are Getting Rich Slinging Overpriced Ethereum Rigs on Craigslist.” According to one of the sellers we talked to, Scott McCarthy, that isn’t a fair portrayal of what’s happening. McCarthy said that he makes about $200 per hour building Ethereum mining rigs, assuming each rig takes about five hours to build, and that he can make slightly more money on the high end of his consulting business. He also said he doubts anyone is getting rich building Ethereum mining rigs. We have updated the headline to reflect this. Motherboard regrets the error.
Continue reading the original article over at Vice.
Microsoft’s decision to patch Windows XP is a mistake
There will always be one more emergency.
Once again, Microsoft has opted to patch the out-of-support Windows XP. Dan has written about the new patch, the circumstances around the flaws it addresses, and why Microsoft has chosen to protect Windows XP users. While Microsoft’s position is a tricky one, we argue in this post first published in 2014 that patching is the wrong decision: it sends a clear message to recalcitrant corporations that they can stick with Windows XP, insecure as it is, because if anything too serious is found, Microsoft will update it anyway.
Windows 10 contains a wide range of defense-in-depth measures that will never be included in Windows XP: every time an organization resists upgrading to Microsoft’s latest operating system, it jeopardizes its own security. Back in 2014, it was an Internet Explorer patch that Microsoft released after Windows XP’s end of support; this time around the patches are for flaws in the kernel and file sharing drivers. While this means that the situations are not quite identical, we nonetheless feel that the arguments against releasing a patch for an out-of-support operating system in 2014 hold up today. It was bad then; it’s still bad now.
Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn’t, because the company has included Windows XP in its off-cycle patch to fix an Internet Explorer zero-day that’s receiving some amount of in-the-wild exploitation. The unsupported operating system is, in fact, being supported.
Explaining its actions, Microsoft says that this patch is an “exception” because of the “proximity to the end of support for Windows XP.”
The decision to release this patch is a mistake, and the rationale for doing so is inadequate.
A one-off patch of this kind makes no meaningful difference to the security of a platform. Internet Explorer received security patches in 11 of the last 12 Patch Tuesdays. Other browsers such as Chrome and Firefox receive security updates on a comparable frequency.
Web browsers are complex. They’re necessarily exposed to all manner of potentially hostile input that the user can’t really control, and as such, they’re a frequent target for attacks. They need regular updates and ongoing maintenance. The security of a browser is not contingent on any one bugfix; it’s dependent on a continuous delivery of patches, fixes, and improvements. One-off “exceptions” do not make Internet Explorer on Windows XP “safe.” There’s no sense in which this patch means that all of a sudden it’s now “OK” to use Internet Explorer on Windows XP.
And yet it seems inevitable that this is precisely how it will be received. The job of migrating away from Windows XP just got a whole lot harder. I’m sure there are IT people around the world who are now having to argue with their purse-string-controlling bosses about this very issue and IT people who have had to impress on their superiors that they need the budget to upgrade from Windows XP because Microsoft won’t ship patches for it any longer. Microsoft has made these IT people into liars. “You said we had to spend all this money because XP wasn’t going to get patched any more. But it is!”
Bosses who were convinced that they could stick with Windows XP because Microsoft would blink are now vindicated.
After all, if Microsoft can blink once, who’s to say it won’t do so again? The next Patch Tuesday patch for Internet Explorer is almost certainly going to include flaws that affect Internet Explorer on Windows XP: the nature of software means that most flaws in Internet Explorer 7 (supported for the remainder of Windows Vista’s life cycle) and Internet Explorer 8 (tied to Windows 7’s life cycle) will also be flaws in Internet Explorer 7 and 8 when run on Windows XP. Many of them will also hit Internet Explorer 6.
In fact, this is precisely the pattern we’ve seen with this flaw. The first in-the-wild exploits hit only Internet Explorer 9, 10, and 11, on Windows 7 and 8. As security firm FireEye reports, it’s only later that attacks for (unsupported) Internet Explorer 8 on Windows XP materialized.
Virtually every time Microsoft updates one of its remaining supported platforms, the company will also simultaneously be disclosing a zero-day vulnerability for Windows XP (something Apple has recently been criticized for doing). The patch list for May’s Patch Tuesday—less than two weeks away—isn’t out yet, but based on Internet Explorer’s track record, it’s highly likely that it’s going to get updated, and it’s highly likely that these updates will reveal exploitable flaws on Windows XP.
By Microsoft’s “proximity” argument, those flaws should be patched on Windows XP, too. In fact, it’s hard to see a time when “proximity” won’t be an issue. It’s inevitable that Patch Tuesday will reveal exploitable flaws for the unsupported operating system, and it’s similarly inevitable that at least some of those flaws will get exploited. With Windows XP’s market share as high as it is, there was never any realistic chance that an exploit would not materialize in “proximity” to the end of support.
People using Windows XP are going to be exploited through known but unpatched vulnerabilities. That is what the end of support means. That is its unavoidable consequence. For as long as Windows XP has a substantial number of users, there will be calls for “one more patch” to be released. There’s nothing special about this latest flaw that warrants special treatment, and the next weeks and months will see the disclosure and exploitation of many more similar flaws. If this bug was fixed, all those bugs should get fixed, too.
The zero-day flaw and its exploitation is unfortunate, and Microsoft is likely smarting from government calls for people to stop using Internet Explorer. The company had three ways it could respond. It could have done nothing—stuck to its guns, maintained that the end of support means the end of support, and encouraged people to move to a different platform. It could also have relented entirely, extended Windows XP’s support life cycle for another few years and waited for attrition to shrink Windows XP’s userbase to irrelevant levels. Or it could have claimed that this case is somehow “special,” releasing a patch while still claiming that Windows XP isn’t supported.
None of these options is perfect. A hard-line approach to the end-of-life means that there are people being exploited that Microsoft refuses to help. A complete about-turn means that Windows XP will take even longer to flush out of the market, making it a continued headache for developers and administrators alike.
But the option Microsoft took is the worst of all worlds. It undermines efforts by IT staff to ditch the ancient operating system and undermines Microsoft’s assertion that Windows XP isn’t supported, while doing nothing to meaningfully improve the security of Windows XP users. The upside? It buys those users at best a few extra days of improved security. It’s hard to say how that was possibly worth it.
Read the original article over at ArsTechnica.
5 Features in Windows 10 Creators Update You Should Know
The Fall Creators Update for Windows 10 has just gotten a lot more interesting as the latest build of Windows 10 Insider has introduced a number of features that will be made available when the major update launches.
Seeing as the list of features is extremely long, we’ll be focusing on some of the key features that have been introduced with Windows 10 Insider Build 16215.
A new Fluent Design-based Start Menu and Action Center
Fluent Design, formerly known as Project Neon, will be making itself known with the new Windows 10 Insider Build as both the Start Menu and Action Center have adopted Microsoft’s new design system.
Besides receiving a shiny new look, both the Start Menu and Action Center have been updated to make them more user friendly. In case of the Start Menu, Microsoft has made it so that the Start Menu can now be resized at will. As for the Action Center, Microsoft has tweaked it to provide much clearer information separation and hierarchy.
Microsoft Edge now lets you pin websites to the Taskbar
The new Windows 10 Insider Build is bringing webpage bookmarks to the next level, assuming of course that your default web browser is Microsoft Edge. With the latest build, Microsoft Edge will now let you pin websites to the taskbar.
To do so, all the user needs to do is to select the “Pin this page to the taskbar” option found in the settings menu.
Besides adding bookmarks to the taskbar, Microsoft is also making Full Screen mode a lot more accessible for Edge.
Previously only accessible via the Shift + Windows + Enter button combination, the latest Windows 10 Build now lets you access Full Screen mode via the more traditional F11 button. Alternatively, users can activate Full Screen mode by accessing the Settings menu.
A better handwriting experience
When the Fall Creators Update was first announced, Microsoft mentioned that one of the areas that the company will be focusing on is the Windows Ink experience. With the latest Windows 10 Insider Build, we now know what those improvements will be.
For starters, Microsoft is introducing a new conversion and overflow model to Windows 10. With this model in place, users will now see their previously written words convert to typed text within the handwriting panel.
Once the panel is filled and the pen is lifted off the screen, the text would be shifted to the side, giving the user more room to write. Once they’re done writing, all the user needs to do is tap on the commit button to insert the text and clear the panel.
When it comes to editing, Microsoft has introduced two new features for handwriting. The first is the ability to correct errors simply by writing on top of the error itself. This is useful for correcting minor spelling mistakes.
The other feature is called ink gestures, and it allows users to make simple sentence edits from the handwriting panel itself. There are currently four supported gestures: strikethrough, scratch, join and split.
A Find My Pen feature
Can’t remember where you left your Surface Pen? Well, Microsoft is introducing a Find My Pen feature that may assist you in locating your misplaced pen. Found under the Find My Device section of the Settings menu, this feature will see Windows 10 pull up information on the location and time in which you’ve last used the pen on your computer.
While the information provided by the feature may be useful, Microsoft has explicitly warned that the Surface Pen does not come with a GPS. As such, those looking for up-to-date information about their lost pen will not be able to find it with this feature.
It wouldn’t be a Windows 10 update if Cortana wasn’t in the mix, and sure enough, Microsoft’s assistant too is getting some love with this update.
The first improvement that Cortana is getting relies on what Microsoft is referring to as vision intelligence. Beginning with the latest Windows 10 Insider Build, Cortana will now be able to create reminders out of pictures found in the user’s camera roll.
One example that Microsoft has provided is a photograph of an upcoming concert. With the new improvement, Cortana can now ask the user if they would like to add the event to their schedule.
The second improvement for Cortana focuses on the pen. Called Cortana Lasso, this feature will allow Surface Pen owners to use the new lasso tool to circle relevant information on the desktop. From there, Cortana can then schedule the event onto their calendar.
One thing to note is that Cortana Lasso will only work with Surface Pens that support Press and Hold. As such, Surface Pens that came before the release of the Surface Pro 4, the Surface Book or the Surface Studio will not be able to take advantage of the feature.
Read the original article over at Hongkiat.com.
Sneaky hackers use Intel management tools to bypass Windows firewall
Serial ports don’t have firewalls.
When you’re a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it. But once you’re there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.
The group, which Microsoft has named PLATINUM, has developed a system for sending files—such as new payloads to run and new versions of their malware—to compromised machines. PLATINUM’s technique leverages Intel’s Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.
The AMT needs this low-level access for some of the legitimate things it’s used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what’s on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.
But this low-level operation is what makes AMT attractive for hackers: the network traffic that AMT uses is handled entirely within AMT itself. That traffic never gets passed up to the operating system’s own IP stack and, as such, is invisible to the operating system’s own firewall or other network monitoring software. The PLATINUM software uses another piece of virtual hardware—an AMT-provided virtual serial port—to provide a link between the network itself and the malware application running on the infected PC.
Communication between machines uses serial-over-LAN traffic, which is handled by AMT in firmware. The malware connects to the virtual AMT serial port to send and receive data. Meanwhile, the operating system and its firewall are none the wiser. In this way, PLATINUM’s malware can move files between machines on the network while being largely undetectable to those machines.
AMT has been under scrutiny recently after the discovery of a long-standing remote authentication flaw that enabled attackers to use AMT features without needing to know the AMT password. This in turn could be used to enable features such as the remote KVM to control systems and run code on them.
However, that’s not what PLATINUM is doing: the group’s malware requires AMT to be enabled and serial-over-LAN turned on before it can work. This isn’t exploiting any flaw in AMT; the malware just uses the AMT as it’s designed in order to do something undesirable.
Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place; if it’s not turned on at all, there’s no remote access. Microsoft’s write-up of the malware expressed uncertainty about this part; it’s possible that the PLATINUM malware itself enabled AMT—if the malware has Administrator privileges, it can enable many AMT features from within Windows—or that AMT was already enabled and the malware managed to steal the credentials.
While this novel use of AMT is useful for transferring files while evading firewalls, it’s not undetectable. Using the AMT serial port, for example, is detectable. Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it’s nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity.
WWDC 2017 – Everything You Need to Know
As expected from Apple, the WWDC 2017 keynote has introduced the world to a new batch of cool stuff from the company, ranging from hardware like the new iMac to software such as iOS 11.
Seeing as there is quite a number of things to go through, I’ll being this article by looking at Apple’s hardware offerings, before moving on to the software side of things. Without further ado, let’s begin.
New iMac Pro and updated iMacs
We start off this hardware roundup with a look at one of Apple’s older products: the iMac. At WWDC 2017, Apple has introduced a new top-of-the-line iMac that the company has unsurprisingly dubbed the iMac Pro.
Sporting a Space Gray (dark gray) chassis as opposed to the regular iMac’s silvery-gray one, Apple claims that the iMac Pro is the “most powerful Mac ever made”, and the internals more or less proves just that.
The iMac Pro comes with:
- 27-inch 5K Retina display.
- Equipped with up to an 18-core Intel Xeon processor.
- AMD Radeon Pro Vega 64 GPU with 16GB of HBM2 VRAM, up to 128GB of RAM.
- 4TB of SSD storage space.
- 10Gb Ethernet port, and four Thunderbolt 3 ports.
For cooling, the iMac Pro comes with a new thermal design that Apple claims could provide up to 80% more cooling capacity than the regular iMac. The iMac Pro will come with a keyboard and mouse of the same Space Gray color, which according to Apple, is exclusive to the iMac Pro itself.
Pricing for the iMac Pro begins at USD4,999, with the product expected to ship out sometime in December. So yes, you won’t be able to get your hands on it for quite a while.
If you’re looking to replace your aging iMac sooner, you might want to take a look at the newly refreshed iMac line. While all new iMacs are now powered by Intel’s Kaby Lake processor, the 21.5-inch Retina 4K iMac and the 27-inch Retina 5K iMac gets some additional upgrades.
The newly refreshed iMacs are now available for purchase with the prices starting at USD1,099 for the standard iMac model.
MacBooks & MacBook Pros get refreshed
In terms of announcements, the MacBook and MacBook Pros aren’t getting any major upgrades from the pre-existing models. That being said, Apple’s series of laptops will be getting hardware refreshes, with the MacBook Pro lines getting an upgrade to Intel’s Kaby Lake processors as well as faster SSDs.
Speaking of MacBook Pros, Apple has also announced that a new 13-inch MacBook Pro will be making its way to the market. This particular laptop will be a base model, which means it doesn’t come with a Touch Bar. That aside, the new 13-inch MacBook Pro will sport a 500-nit Retina display and an Intel Core i7 processor. Prices for this variant of the MacBook Pro will begin at USD1,299.
Rounding up the MacBook session, we’ve finally learned that Apple is not abandoning the MacBook Air after all. While the MacBook Air isn’t getting any large scale updates, Apple has decided to bump up the laptop’s performance by equipping it with a 1.8GHz processor.
New 10.5? iPad Pro & refreshed 12.9? iPad Pro
Are you a fan of the 9.7-inch iPad Pro? If you’ve answered yes to the question, I have some bad news for you – the 9.7-inch iPad Pro has been discontinued. To replace the 9.7-inch model, Apple has announced a new iPad Pro model that sports a bigger screen, 10.5-inches to be exactly.
Continue reading the original article over at Hongkiat.com.
iOS 11 will bring big updates to Siri, iMessages, Apple Pay, and more
Lots of updates will make iOS 11 look and feel different come Fall 2017.
Apple announced iOS 11 at its annual developers conference today, revealing details on what changes will come to your iPhone or iPad in the near future. Some of the updates include a new app drawer for finding iMessage apps and stickers, new integrations for Apple Pay, a Siri translation beta, drag-and-drop for iPad, and more.
Apple’s Craig Federighi dove into the software update at the conference keynote, demoing a bunch of new features coming in iOS11. There’s a redesigned app drawer for iMessage apps and stickers. The current drawer is pretty sparse, so the company redesigned it to make compatible apps and sticker packs more discoverable in iMessage. All your messages will also be automatically synced to iCloud to optimize storage on each of your iOS devices.
iMessages is also getting Apple Pay in a new way: the contactless payment system will have its own iMessage app in iOS11 so you can pay people directly within your messages. You can use TouchID to authenticate payments and money transfers, and any money you receive through Apple Pay in iMessage will go to your Apple Pay cash card.
The “proactive” nature of Siri we saw in the watchOS 4 announcement continues with Siri in iOS 11. Federighi showed off some of the new machine learning capabilities of SiriKit in the iOs update, including on-device learning about topics that are pertinent to each user. For example, Siri will be able to suggest sending your location in a message to a friend, or making a calendar event based on something you looked up using Safari. Features like these are reminiscent of Google’s Assistant, which already provides contextual answers and suggestions based on questions you ask it and activity you perform on your device.
Siri is also getting a translation beta and a new male voice. On iOS 11, you’ll be able to ask Siri how to say a phrase in a different language, and it’ll pump out a translation for you. At launch, the beta will support English translations to Chinese, French, German, and Italian, and Spanish, and more languages should come later. The voice is particularly interesting since Apple demoed it saying the same word three times with different intonations. The company briefly explained it used deep learning to make this voice more natural and expressive than other Siri voices that came before it.
Photos and Memories
In addition to the promise of better low-light photos with iOS 11’s updates, the software update will bring a new Memories feature to iOS photos. Machine learning can identify different kinds of “memories,” or situations that you may want to keep track of like birthday parties, graduations, and more. This goes along with enhancements to Live Photos, which will allow you to capture a different still from within a Live Photo. That could be helpful if you take a still photo but there’s a better shot lying within the few seconds that replay as a Live Photo. You can also make loops of Live Photos as well, stringing multiple gifs together to make creative moving images.
HomeKit and Control Center
Apple added a a speaker category to HomeKit, letting you add and control smart speakers using the company’s new AirPlay 2 protocol. That also adds multi-room audio support for iOS, so you should be able to control speakers that live in different rooms individually, playing unique music on each if you please. Since speakers are a totally new category for HomeKit, you’ll have to wait for audio manufacturers to make AirPlay 2-compatible speakers before you can use the new feature.
A couple UI changes are coming to the Control Center as well. Instead of three separate pages you swipe through, the Control Center packs everything onto one page in iOS 11. Nothing is eliminated from the Control Center, but Apple strategically placed all the shortcuts in the Control Center into differently-sized squares. You can tap on icons in those squares to do things like turn on Wi-Fi and Bluetooth, and use 3D Touch to access more information and advanced settings.
Maps and CarPlay
Apple Maps will have new detailed floorpans and directories for malls in iOS 11, and it’ll have detailed information for airports. You’ll be able to see where security is in some airports, hopefully making it easier to find what area of the airport you need to be in using Apple Maps. While driving, Maps will also show speed limits and lane guidance which could be useful information while you’re driving as long as you don’t get distracted.
That leads us to CarPlay, and no, you don’t need a CarPlay vehicle to access the new features in iOS 11. With the software update, your device will get a Do Not Disturb While Driving mode that can turn on automatically when your device uses Wi-Fi or Bluetooth to detect you’re in a moving car (you can also tell it when you’re not driving to manually disable the feature). Do Not Disturb While Driving turns your iOS device’s screen blank so you won’t be distracted by all those notifications that typically pop up. Notifications from important contacts will come through, but all those Snapchat and Instagram alerts won’t.
Apple Music and the App Store
Apple Music now has 27 million paid subscribers, and the company is adding a couple social features to the app in iOS 11. In the updated Apple Music app, you can see what your friends are listening to in real time, and users can control their privacy settings surrounding this feature including the playlists they want to make shareable. Spotify has had these features for years, so Apple’s clearly trying to get its music subscription service up to the social standards of its biggest competitor. There’s also a new MusicKit API which will let developers build Apple Music access into their apps.
The App Store looks very different in iOS 11. Overall it’s more visual with large images promoting apps and games on the homepage. There’s a whole new Today tab for viewing the most popular and newest apps on that day, and a dedicated Games tab that lets you easily access games and nothing more. Each app and game how has its own “page,” which looks like a big, bold card with an image representing the app or game. Tapping on that page brings you to a more traditional app info page, with all the details you’d expect to see when you search for an app in the store today. Apple’s placed more emphasis on the app experience in these individual pages, with videos of gameplay front-and-center for games and quotes from the developers. In the short demo Apple gave during the keynote, the App Store in iOS 11 seems to draw upon the visual aspects of new TV streaming apps, like that for YouTube TV and Hulu with Live TV. Apple wants the experience of using the App Store to be just as engaging and visual as the experience using any of the apps you may be searching for in the store itself.
Developers are getting some perks in the App Store as well: currently Apple shaved the app review time down to 24 hours, but the company is promising even shorter review times for iOS 11. Developers will also have access to “phase releases,” a new feature that lets them submit an app and send updates for it out in phases so their infrastructure doesn’t get hit all at once.
Apple touched upon a new augmented reality feature coming in iOS 11 called ARKit. It essentially lets you experience AR situations through an iOS camera and it appears much like the technology Facebook hopes to bring to its mobile apps that have access to mobile device cameras.
The ARKit demo had Craig Federighi interacting with an AR coffee cup and lamp on a table in front of him on the stage. The technology detects surfaces, and estimates scale and ambient light to account for your real-life environment and properly place AR objects in that space that you can see through the camera’s lens. Then using motion tracking, you can move things around and the camera will account for the new placement of the AR objects. A couple more demos show ARKit in action, creating 3D scenes of a village on a table using just an iPad and its camera. ARKit could also make games like Pokemon Go even more realistic, but third-parties have to embrace it first.
Special iPad features
After announcing the new 10.5-inch iPad Pro, Apple showed off a bunch of iOS 11 features specifically for the company’s tablets. Many of the changes revolve around making it easier to multitask on an iPad and share information between apps, and there’s a lot of dragging. Now you can drag an app from the Dock into the Slide Over bar and drag-and-drop information between two apps in Split View. Drag-and-drop is a long awaited feature for the iPad (some third-parties have found ways to incorporate it into their own apps for iPad) and it works for images, texts, and URLs.
The App Switcher has been totally redesigned, now with rows of open apps occupying most of the screen’s space and the Control Center at the right-hand side. The Switcher can also remember paired apps so they’re more easily accessible every time you go to use them together in Split View. The on-screen keyboard has a new “flick” feature as well, letting you lightly touch keys to access numbers and symbols instead of changing the entire keyboard layout to get to those special characters.
While demoing the new iPad features, Apple also showed off its new File system for iOS that will be available for iPads and iPhones. It’s a traditional final manager, but significant because iOS has never had this kind of user-friendly file system before. Not only can you save device-specific files into the Files app, but you can also see all your cloud storage provides (like Dropbox, Box, and others) within the same UI in the Files app. Read more about the Files app here.
The Apple Pencil isn’t a necessary accessory for the iPad Pro, but Apple’s trying to entice handwriting-happy users with changes to iOS 11. First, Apple Pencil users can markup any PDFs in apps that support printing, giving you more freedom over which documents you can scribble on with the company’s stylus. You’ll also be able to markup screenshots: snap a screenshot like you normally would in iOS and immediately a thumbnail of that screenshot will appear at the bottom of the screen. You can tap on that to open a markup-friendly version of the screenshot and write on it as you please.
Inline drawing is another new feature—press on an area of an app (this works in Mail for sure, but compatibility with other apps is currently uncertain), in the middle of an email for example, and you’ll be able to draw a map or scribble a handwritten message even if text surrounds that area. While this is all added practicality for the Apple Pencil, we don’t know how much of it is exclusive to the Apple Pencil. Third-party styluses are available for the iPad Pro for those who don’t want to spend $100 on a digital pen—but there’s a chance some of these new features will only work with the Apple Pencil if iPads running iOS 11 can distinguish between it and another stylus’ tip.
While there are a ton of note-taking apps for the iPad, Apple wants users to use the native Notes app as much as possible. To accompany the new Apple Pencil features, Notes is getting some complementary upgrades: you’ll be able to search handwritten notes within the app in iOS 11 thanks to machine learning that identifies words in each note. Apple’s demo of this feature used handwriting that was pretty legible, so there’s no telling how neatly you have to write for this to work completely. Notes will also include a new document scanner that scans papers, corrects perspective, and then lets you mark them up digitally all from within the Notes app.
iOS 11 will be available for all iOS devices in the fall as a free upgrade.
Read the original article over at ArsTechnica.
If you’d bought $1,000 of the Cryptocurrency Bitcoin in 2010, you’d be worth $35M
Price of Bitcoin has doubled in 2017, and other currencies have jumped even more.
The price of Bitcoin, the most popular digital crytpo-currency, has skyrocketed this year.
According to Coindesk, bitcoins are currently trading for $2,483 per coin. The price is an all-time record, and the remarkable valuation blows earlier price spikes out of the water. Bitcoins have more than doubled since the beginning of 2017, when they hovered around $1,000 per coin. Bitcoin broke the $2,000-per-coin barrier on Saturday.
The run-up has led to increased interest in lesser-known digital currencies, like Etherium and Ripple. Ethereum, which is backed by large companies working on blockchain projects, has jumped in value from $8.24 at the beginning of the year to $203.30, according to CNBC. Ethereum prices began climbing in March, around the time when Bitcoin investors started “getting jittery” about whether Bitcoin software would be able to handle the increased level of transactions. Looking at the market capitalization for all cryptocurrencies, Techcrunch notes that Bitcoin now makes up just 47 percent of the total market value.
Guessing what’s behind the price increase is inevitably speculative. CBS news quotes market watchers who think digital currency value is being pushed up by economic instability in places like Russia, Nigeria, and South Korea. At Fortune, Jeff John Roberts argues that the mainstreaming of Bitcoin means that “investors see it as a new asset class” and are backing hedge funds to acquire it. Regulators in Japan and China have taken steps recently to formalize trading in Bitcoins, which has increased investment from Asia.
Price run-ups like this lead to “if only” type of thinking. Marketwatch published one portfolio manager’s “regret” chart, showing that an investment of $1,000 USD in Bitcoin in July 2010 would be worth more than $35 million today. A $1,000 investment in a fund tied to the S&P 500 index would be worth around $2,500.
The price of Bitcoin has been highly volatile over the years, and it hasn’t just moved in one direction. Bitcoins jumped to nearly $1,000 each in late 2013, but then plummeted in value, taking more than three years to rise back to that price point. 2017 is certainly a heady year for Bitcoin fans, but whether the crypto-currency gains widespread acceptance or ends up more like the 17th century Dutch tulip bubble, remains to be seen.
Read the original article over at Wired.com.
Over 98% of All WannaCry Victims Were Using Windows 7
Numbers released by Kaspersky Lab on Friday reveal that over 98% of all documented WannaCry infections were running versions of the Windows 7 operating system.
Out of all Windows 7 users, the worst hit were users running Windows 7 64-bit edition, accounting for more than 60% of all infections.
The second and third most targeted OS versions were Windows Server 2008 R2, and Windows 10, respectively.
So! XP wasn’t to blame after all
The statistics come to disprove popular belief that WannaCry hit mostly Windows XP machines. “The Windows XP count is insignificant,” said Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab.
To infect all these computers, the WannaCry ransomware used an SMB worm that spread on its own to new computers that ran vulnerable SMB services.
That SMB worm was powered by an exploit named ETERNALBLUE. The exploit is part of a collection of hacking tools a group of hackers calling themselves The Shadow Brokers have stolen from the NSA and leaked online in April 2017.
ETERNALBLUE never worked properly on XP, only on Windows 7
Initial analysis of ETERNALBLUE revealed the worm could run on platforms from Windows XP up to Windows 8.1 and Server 2012.
It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP, on which most infosec talking heads falsely blamed for most WannaCry infections.
Following this discovery, a user has patched the ETERNALBLUE exploit to work without errors on 64-bit editions of Windows 8/8.1 and Windows Server 2012.
Currently, WannaCry’s worm modules are still searching for new victims. The latest tally of computers that have been touched by this worm is 416,989, albeit not all computers have had their files encrypted, as WannaCry’s ransomware payload has been defanged by a clever British researcher.
Bleeping Computer has reached out to Kaspersky Labs to inquire on why we see Windows 10 machines in the chart, and any possible scenarios that WannaCry could have used to infect those systems.
Read the original article over at Bleeping Computer.
Two-Factor Authentication: Who Has It and How to Set It Up
Everyone is concerned about online safety. Whether you use Google and Twitter or TeamViewer and Dreamhost, keep your services secure with two-factor authentication.
In 2014, the Heartbleed exploit left everyone’s log-in information potentially up for grabs thanks to one itty-bitty piece of code. But what is a person afraid for their security to do? Well, you should definitely change your passwords—regularly! By sheer brute force or simple phishing, passwords are, to be honest, a pretty laughable way of authentication.
What you really need is a second factor of authentication. That’s why many internet services, a number of which have felt the pinch of being hacked, have embraced two-factor authentication for their users. It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing. Even the White House has a campaign asking you #TurnOn2FA.
But exactly what is it?
As PCMag’s lead security analyst Neil J. Rubenking puts it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”
The problem is, we are far from ubiquity on having biometric scanners for fingerprints and retinas as that second factor. In most cases, the extra authentication is simply a numeric code; a few digits sent to your phone, which can only be used once.
More and more services support a specialized app on the phone called an “authenticator,” which will do that same job. The app, pre-set by you to work with the service, has a constantly rotating set of codes you can use whenever needed—and it doesn’t even require a connection. The arguable leader in this area is Google Authenticator (free on Android, iOS, and BlackBerry). Twilio Authy (free on iOS including Apple Watch, Android, BlackBerry, macOS, Windows, and the Chrome browser) and Duo Mobile (on iOS, Android, BlackBerry, and Windows Phone) do the same thing, and with far more color and style; both make Google’s app look washed out and ancient. Password manager LastPass launched a 2FA authenticator for iOS and Android as well. The codes in authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.
Here’s a video Google made about two-step verification basics; it provides a good idea of what’s involved.
Be aware that setting up 2FA can actually break the access within some other services. For example, if you have 2FA set up with Microsoft, that’s great—until you try to log into Xbox Live on the Xbox 360. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.
Remember as you panic over how hard this all sounds: being secure isn’t easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA on accounts will mean it takes a little longer to log in each time on a new device, but it’s worth it in the long run to avoid some serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you’ll be more secure than ever.
Google 2-Step Verification
With access to your credit card (for shopping on Google Play), important messages and documents, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.
Google calls its system 2-Step Verification. It’s all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge that you were the one signing in. Easy.
If that doesn’t work, you’ll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, you can opt to register your computer so you don’t have to enter a code during every sign-in. If you have a G Suite account for business, you can opt to only receive a code every 30 days.
Google Authenticator—actually, any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text or voice calls or email. Authenticator apps also work with other services, like LastPass, WordPress, Facebook, Evernote, Microsoft, IFTTT, Dropbox, Amazon, and Slack.
Once you’ve set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access your 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can’t get to the authenticator app.)
This is also where you generate app-specific passwords. Let’s say you want to use your Google account with a service or software that doesn’t use the standard Google login (I ran into this with Trillian on iOS). You typically get shut out of such a service if you’ve got 2-Step Verification activated, and will need an app-specific password to get on them using your Google credentials.
Continue reading the entire original article over at PCMag.
How an Accidental ‘Kill Switch’ Slowed Friday’s Massive WannaCry Ransomware Attack
Written by Wired/ Courtesy of
Amid a desperate situation on Friday in which hundred of thousands of WannaCry ransomware attacks pelted computers in nearly 100 countries, one stroke of good fortune hit, too. As the malware analysis expert who calls himself MalwareTech rushed to examine the so-called WannaCry strain, he stumbled on a way to stop it from locking computers and slow its spread. All it took was ten bucks, and a little luck.
WannaCry swept Europe and Asia quickly yesterday, locking up critical systems like the UK’s National Health Service, a large telecom in Spain, and other businesses and institutions around the world, all in record time. Once infected, a victim’s computer denies access, and instead displays a message that demands the equivalent of around $300 in bitcoin.
While many thousands have had their lives impacted—including countless people in need of medical care in the UK—two things have slowed WannaCry’s spread. First, Microsoft released a rare emergency patch to help protect Windows XP devices from its reach. (The company hasn’t officially supported XP since 2014.) That helps the many aging systems with no security resource get ahead of infection, if they can download the patch before WannaCry hits. The other, though, was MalwareTech’s happy accident.
As he worked to reverse-engineer samples of WannaCry on Friday, MalwareTech discovered that the ransomware’s programmers had built it to check whether a certain gibberish URL led to a live web page. Curious why the ransomware would look for that domain, MalwareTech registered it himself. As it turns out, that $10.69 investment was enough to shut the whole thing down—for now, at least.
It turned out that as long as the domain was unregistered and inactive, the query had no effect on the ransomware’s spread. But once the ransomware checked the URL and found it active, it shut down.
There are competing theories as to why WannaCry’s perpetrators built it this way. One possibility: The functionality was put in place as an intentional kill switch, in case the creators ever wanted to rein in the monster they’d created. “Based on the behavior implemented in the code, the kill switch was most likely intentional,” says Darien Huss, senior security research engineer at the security intelligence firm Proofpoint, who was working on real-time WannaCry analysis and mitigation on Friday.
MalwareTech theorizes that hackers could have included the feature to shield the ransomware from analysis by security professionals. That sort of examination often takes place in a controlled environment called a “sandbox.” Researchers construct some of these environments to trick malware into thinking it’s querying outside servers, even though it’s really talking to a bunch of dummy sandbox IP addresses. As a result, any address the malware tries to reach gets a response—even if the actual domain is unregistered. Since the domain MalwareTech acquired was supposed to be dormant but went live, WannaCry may have assumed it was in the middle of forensic analysis, and shut down.
Building anti-analysis defenses into malware is common, but the WannaCry hackers appear to have botched the implementation. By relying on a static, discoverable address, whoever found it—in this case MalwareTech—could just register the domain and trigger WannaCry’s shutdown defense.
“It was all pretty shocking, really,” MalwareTech says. The kill switch “was supposed to work like that, just the domain should [have been] random so people can’t register it.”
A Temporary Fix
The kill switch doesn’t help devices WannaCry has already infected and locked down. But by registering the domain, and then directing the traffic to it into a server environment meant to capture and hold malicious traffic—known as a “sinkhole”—MalwareTech bought time for systems that hadn’t already been infected to be patched for long-term protection, particularly in the United States where WannaCry was slower to proliferate because its spread had mostly been in Europe and Asia early on.
“Thankfully MalwareTech already had infrastructure in place for the sinkhole,” Huss says. “If someone had sinkholed the domain and had not been prepared then we would be seeing many more infections right now.” If the setup doesn’t have those enough server space and bandwidth, the malware wouldn’t consistently become trapped and, in this case anyway, self-destruct.
With so many security analysts working to reverse-engineer and observe WannaCry, someone else would have eventually found the valuable mechanism MalwareTech spotted. But when infections are spreading as quickly as they were on Friday, every minute counts.
The discovery doesn’t amount to a permanent fix. All it would take to get around it would be a new strain of WannaCry whose code excludes the kill switch, or relies on a more sophisticated URL generator instead of a static address. And the more fundamental problem of vulnerable devices, particularly Windows XP devices, remains. Still, MalwareTech’s find helped turn a bad situation around—and saved people a lot of bitcoin in the process.
Read the original article over at Wired.