Google Chrome extensions with 500,000 downloads found to be malicious
Google removes four extensions that used infected computers in click fraud scheme.
Researchers have uncovered four malicious extensions with more than 500,000 combined downloads from the Google Chrome Web Store, a finding that highlights a key weakness in what’s widely considered to be the Internet’s most secure browser. Google has since removed the extensions.
Researchers from security firm ICEBRG stumbled on the find after detecting a suspicious spike in outbound network traffic coming from a customer workstation. They soon discovered it was generated by a Chrome extension called HTTP Request Header as it used the infected machine to surreptitiously visit advertising-related Web links. The researchers later discovered three other Chrome extensions—Nyoogle, Stickies, and Lite Bookmarks—that did much the same thing. ICEBRG suspects the extensions were part of a click-fraud scam that generated revenue from per-click rewards. But the researchers warned that the malicious add-ons could just as easily have been used to spy on the people or organizations who installed them.
“In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed,” ICEBRG researchers wrote in a report published Friday. “In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks.”
Google removed the extensions from its Chrome Web Store after ICEBRG privately reported its findings. ICEBRG also alerted the National Cyber Security Centre of the Netherlands and the US CERT. In its public report, ICEBRG went on to explain how the malicious extensions worked:
The Change HTTP Request Header extension downloads JSON via a function called ‘update_presets()’ which downloads a JSON blob from ‘change-request[.]info’
This is by no means the first time Chrome extensions have been abused. In late July and early August, unknown attackers compromised the accounts of at least two Chrome extension developers. The criminals then used their unauthorized access to automatically install extension updates that injected ads into the sites users visited. Later in August, Renato Marinho, who is the chief research officer of Morphus Labs and a volunteer at the SANS Institute, uncovered an elaborate bank-fraud scam that used a malicious extension in Google’s Chrome Web Store to steal targets’ passwords.
Chrome is widely regarded as one of the Internet’s most secure browsers, in large part because of the rapid availability of security patches and the effectiveness of its security sandbox, which prevents untrusted content from interacting with key parts of the underlying operating system. Undermining that security is the threat posed by malicious extensions. People should avoid installing them unless the extensions provide a true benefit, and then only after careful research into the developer or analysis of the extension code and behavior.
Read the original article over at ArsTechnica.com.
Hackers will try to exploit Spectre and Meltdown bugs. What you need to know
The flaws have existed in modern processors for 20 years, but news surfaced last week that virtually all computers and smartphones are affected by the bugs.
So far, there is no evidence that hackers have exploited the vulnerabilities.
But it’s only a matter of time before attempts are made, according to Matt Tait, a senior fellow at UT Austin’s Strauss Center.
“We’ll absolutely see in the next few weeks and months people using this vulnerability, especially in the web browser to steal passwords,” Tait told CNNMoney.
Many tech companies were made aware of the flaws long before the news was made public and have been working on fixes for consumer products and services.
Consumers who keep their web browsers, apps and devices up-to-date should be protected from anyone trying to use these vulnerabilities.
“If you install your security updates, you will get new clever software features designed to protect your computer,” Tait said. “When your browser updates, it will prevent websites from attacking your processor and stealing your password.”
Apple, Google and Microsoft have released some patches that mitigate the bugs.
Hackers would need access to a device before they could steal information from it.
There are many ways hackers can steal personal information. For example, phishing campaigns can trick a person into handing over log-in credentials, or malicious software can take advantage of outdated systems.
That’s why it’s so important to keep smartphones and computers up-to-date and to only download software from trusted sources.
Spectre and Meltdown are highly unusual flaws. Because they affect hardware, fixing them requires a different strategy than any other type of bug — companies had to build new defense mechanisms.
According to Tait, companies have been working in secret for months figuring out how the vulnerabilities work, and making changes to how their operating systems, web browsers and other services operate in order to keep users secure.
“All these tech companies had to invent completely brand new types of computer science,” Tait said. “They invented an entirely new way of a system protecting itself.”
Backdoor Account Removed from Western Digital NAS Hard Drives
A security researcher is urging owners of Western Digital MyCloud NAS devices to update the firmware of their portable hard-drives to fix a series of important security bugs he reported to the vendor, among which is an easily exploitable and wormable hardcoded (backdoor) account.
James Bercegay, a security researcher with GulfTech Research and Development, discovered and reported these flaws to Western Digital in June 2017.
The researcher published a detailed report last Wednesday after Western Digital released firmware updates.
RCE, backdoor, and a CSRF
The expansive report describes three main flaws that can be abused for different results. A short summary of all the flaws is available below, but for more detailed analysis of each vulnerability readers should refer to Bercegay’s bug report:
1) Unrestricted file upload – A PHP file found on the WD MyCloud’s built-in web server allows an attacker to upload files on the device. Bercegay says he used this flaw to upload web shells on the device, which in turn granted him control over the device.
2) Hardcoded backdoor account – An attacker can log into vulnerable WD MyCloud NAS devices using the username “mydlinkBRionyg” and the password “abc12345cba”. Bercegay says the backdoor doesn’t give attackers admin access, but he was able to exploit another flaw and get root permissions for the backdoor account.
3) CSRF (Cross-Site Request Forgery) – A CSRF bug that can be exploited for executing rogue commands on the device and for playing stupid pranks by resetting the device’s backend panel interface language.
Flaws are wormable and can impact private NAS devices
Of all the flaws, Bercegay said the hardcoded backdoor account was the biggest issue because attackers could also attack devices isolated in local networks, not just NAS devices connected to the Internet.
“The triviality of exploiting this issue makes it very dangerous, and even wormable,” the researcher says. “Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as ‘wdmycloud’ and ‘wdmycloudmirror’ etc.”
The researcher provides an example exploit. The code below is for an image that when loaded on the computer of a WD NAS device owner will format his MyCloud device. Because the code can be hidden inside an ad or in a one-pixel iframe, the user won’t even notice it when loaded on a page.
<img src="http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;rm+-rf+/;">
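As an added example (not code from Bercegay’s report, from Western Digital’s firmware, or from this article), the Python sketch below shows the request-side checks that defuse the image-tag request above: a state-changing CGI that accepts only POST, requires a per-session token and an Origin belonging to the device’s own UI, treats start and count as plain integers instead of handing them to a shell, and ignores credentials passed in the URL. The header names, the session token and both sample requests are assumptions constructed for illustration; the first request copies the URL from the image tag above.

```python
"""
Added example (not from the GulfTech report or Western Digital firmware):
request validation that would have blocked the <img>-triggered CSRF request
quoted above. Header names, the session token and both requests are
assumptions constructed for illustration.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Hostnames the NAS answers to; predictable defaults are why a LAN CSRF works,
# so anything not originating from the device's own UI is refused.
TRUSTED_ORIGINS = {"http://wdmycloud", "http://wdmycloudmirror"}
SESSION_TOKEN = "constructed-per-session-token"

# Constructed: what a browser sends when it renders the malicious <img> tag.
# A plain <img>/<iframe> load is a GET with no Origin header and no token.
CSRF_REQUEST = {
    "method": "GET",
    "url": ("http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51"
            "&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;rm+-rf+/;"),
    "headers": {"Referer": "http://attacker.invalid/ad.html"},
}

# Constructed: the same operation issued by the NAS web UI's own JavaScript.
LEGIT_REQUEST = {
    "method": "POST",
    "url": "http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&start=1&count=1",
    "headers": {"Origin": "http://wdmycloud", "X-CSRF-Token": SESSION_TOKEN},
}


def parse_query(url):
    """Split the query string on '&' only, so a ';' stays inside its value."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def check_request(req, session_token):
    """Return the list of reasons to refuse `req`; an empty list means accept."""
    problems = []
    if req["method"] != "POST":
        problems.append("method: state-changing CGI must be POST, not the GET an <img> issues")
    origin = req["headers"].get("Origin")
    if origin not in TRUSTED_ORIGINS:
        problems.append(f"origin: {origin!r} is not the device's own web UI")
    if req["headers"].get("X-CSRF-Token") != session_token:
        problems.append("csrf: missing or wrong per-session token")
    params = parse_query(req["url"])
    for name in ("start", "count"):
        value = params.get(name, "")
        # Only a small integer is acceptable; '1;rm -rf /;' never reaches a shell.
        if not re.fullmatch(r"[0-9]{1,6}", value):
            problems.append(f"param: {name}={value!r} is not a plain integer")
    if "user" in params or "passwd" in params:
        problems.append("auth: credentials in the URL are ignored; only the logged-in session counts")
    return problems


if __name__ == "__main__":
    for label, req in (("csrf", CSRF_REQUEST), ("legit", LEGIT_REQUEST)):
        problems = check_request(req, SESSION_TOKEN)
        print(label, "REFUSED" if problems else "ACCEPTED")
        for p in problems:
            print("   -", p)
```

Run stand-alone, the script refuses the image-tag request on five independent grounds and accepts the UI request; any one of the checks would have been enough, which is the point of layering them.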
Firmware out for affected devices
Bercegay says Western Digital released firmware version 2.30.174 that removes the backdoor account and patches the reported flaws. The following WD MyCloud devices are using vulnerable firmware versions, according to Bercegay’s report:
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
MyCloud 04.X Series
Some of the flaws Bercegay found were also discovered by researchers from the Exploitee.rs community last March.
D-Link and WD shared the same backdoor account back in 2014
Bercegay also points out another interesting detail. The researcher says that Western Digital appears to have shared firmware code —possibly through a third-party software supplier— with the D-Link DNS-320L ShareCenter.
Bercegay says old D-Link DNS-320L ShareCenter firmware code also came with the same backdoor, but D-Link removed it four years ago.
“It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while,” the researcher says. “The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates.”
Read the original article over at Hongkiat.com.
Apple admitted it’s slowing down certain iPhones
Here’s why people are freaking out.
Written by Vox/ Courtesy of
The delay in typing in messages, or the lag in loading my mail on my iPhone, has been explained. Apple has confirmed that it does deliberately slow down the operation of older iPhones, and says it is doing so to avoid the devices from shutting down because of aging batteries.
Apple says it’s doing this to protect your phone. As the lithium ion batteries in the phone age, they can’t handle processing demands at the same capacity, which causes the phone to shut down unexpectedly. It released an update to stop those unexpected shutdowns, which also means that the phones work a little more slowly.
But the revelation — or confession — that Apple is purposefully decreasing phone speed fed into a conspiracy theory that’s been circulating for awhile on “planned obsolescence.” After new products are released, the theory goes, Apple purposefully messes with your iPhone, frustrating you and forcing you to shell out money to upgrade.
The data on Apple slowing down older iPhones doesn’t necessarily mean the conspiracy theory is true. A relatively recent change to its operating system prompted the slowdowns. But the system update demonstrates why the conspiracy theory keeps circulating: It took an independent investigation by an expert and a viral Reddit post to get Apple to admit what had happened.
This whole saga began with a Reddit post — and ended with an Apple confession
People who owned iPhone 6, 6s, and 6s Plus devices complained earlier this year that they were spontaneously shutting down, even though they had sufficient battery. This was usually happening during “peak current demands,” when you’d be doing something on your phone that required a burst of power — like in the middle of a game, or downloading an app.
Those users had to plug in and recharge their phones in order to get them back online. Apple acknowledged the bug and introduced a fix in an update to its operating system software, iOS 10.2.1, which the company said would largely remedy the issue. Phones no longer shut down, but, according to users, they did slow down.
Then, last week, a Reddit post blew up that suggested the iPhone battery might be to blame for these slowness problems.
John Poole, founder of Primate Labs and Geekbench developer, seized on this hypothesis, and pulled together and compared data from the performance testing Geekbench had done on users’ iPhone 6s and 7 devices.
He analyzed all that data from a sample set of approximately 100,000 phones, said he had tens of thousands of results across different versions of iOS — specifically, he looked at iOS 10.2.0, the version before Apple fixed the shutdown bug, and iOS 10.2.1, which was released after the fix. (He also looked at later versions, including 11.2.0, which is a more recent software update.)
His analysis revealed that processors did slow down after the update meant to fix the shutdown problem, that the problem was widespread, and that, as he put it, it was “likely to get worse as phones (and their batteries) continue to age.”
Poole, as did others, speculated that the link between old batteries and slower performance had to do with the initial iPhone 6 glitch, and Apple, in fixing that, slowed down the system to avoid overloading the batteries. (He also noted that iPhone 6s users who replaced their batteries had faster phones.)
And though the iPhone 7 never had those spontaneous shutdown issues, Poole’s results indicated that it did slow down in later updates — a sign that Apple was doing this across its models.
“Once the phone is shut down, the battery is in a state where the only way to get the phone back online is to plug it into a charger. If you’re out with your phone on the go, that’s clearly not a great situation to be in,” Poole said.
“So Apple, with this fix, basically limited the processor from overtaxing the battery. But the flip side of that is now the processor can’t run as quickly as it might in a new phone with a new battery.”
Poole’s data got a lot of buzz, and finally Apple responded:
Our goal is to deliver the best experience for customers, which includes overall performance and prolonging the life of their devices. Lithium-ion batteries become less capable of supplying peak current demands when in cold conditions, have a low battery charge or as they age over time, which can result in the device unexpectedly shutting down to protect its electronic components.
Last year we released a feature for iPhone 6, iPhone 6s and iPhone SE to smooth out the instantaneous peaks only when needed to prevent the device from unexpectedly shutting down during these conditions. We’ve now extended that feature to iPhone 7 with iOS 11.2, and plan to add support for other products in the future.
So Apple basically confirmed Poole’s results and Redditors’ theories. “With this large of a sample size, I’m confident the numbers we have produced are accurate, and also the fact that Apple has verified,” Poole said. “It gives me a warm, fuzzy feeling that we didn’t screw up our analysis.”
To many, Apple’s admission seemed like proof of the company’s grand conspiracy to force people to keep buying new phones. But Apple’s explanation, and Poole’s, suggests the opposite — a slower phone is better than a glitchy one that suddenly shuts down. It’s more likely that people would end up replacing a phone that constantly shut down than a phone that’s a little slow.
Poole said the battery explanation is legitimate. Lithium-ion batteries age over time. That wear and tear makes them less capable of meeting the power and processing demands in the same way as a youthful iPhone. This is also intensified with the iPhone, which has a particularly speedy processor — which puts even more stress on the batteries.
“I have a feeling this is a weird confluence of Apple’s desire to have very thin, very sleek phones coupled with also having the fastest processors in the industry,” Poole explained.
“The fact that Apple is using these very fast, very high-end processors that they design — whereas Android phones might use slower processors — these fast processors are putting a greater demand on the battery,” Poole added. “I think that’s why it is a problem that’s particularly unique to the iPhone.”
Yet Apple had not been forthcoming about slower speeds until this week, and, as CNN points out, the company doesn’t regularly notify you if your iPhone 6 battery is in poor health. (The company did alert some iPhone owners and replaced batteries for certain iPhone 6 users whose shutdown issues couldn’t be fixed by the software upgrade.)
Apple also announced the fix to the shutdown glitch early in 2017, and aging batteries were assumed to be the cause. But it didn’t mention anything specifically about slower phone speeds. That shadiness feeds the rumor mill that Apple is subtly trying to nudge you to get the shiny new iPhone.
That conspiracy existed long before Poole’s analysis. Google searches for “slow iPhone” spike around the time a new model comes out. In 2013, Catherine Rampell wrote in the New York Times that after the iPhone 5 came out, she “noticed that my sad old iPhone 4 was becoming a lot more sluggish.
The battery was starting to run down much faster, too. But the same thing seemed to be happening to a lot of people who, like me, swear by their Apple products. When I called tech analysts, they said that the new operating system (iOS 7) being pushed out to existing users was making older models unbearably slow. Apple phone batteries, which have a finite number of charges in them to begin with, were drained by the new software. So I could pay Apple $79 to replace the battery, or perhaps spend 20 bucks more for an iPhone 5C. It seemed like Apple was sending me a not-so-subtle message to upgrade.”
Tech bloggers have generally knocked the idea that Apple is torturing you with a crappy phone to get you to buy a new one. But they do say that newer software upgrades can mess with older phones because the new software is designed for, well, the newest model — the one with the fastest processor and the freshest battery. Usually Apple figures this out, and releases updates to fix as many glitches as possible. But it can’t remedy everything. Or, in the case of the iPhone 6 shutdowns, it has to find workarounds.
The counterpoint — well, maybe those phones shouldn’t be updated with the latest software if they are not fully compatible — isn’t totally convincing. As Rene Ritchie put it in a 2014 iMore article: “Phones and tablets that never get updated avoid the potential for slow down, but they also avoid getting new features, security updates, and the ability to run apps that require those updates.”
Apple’s latest admission probably won’t quell the conspiracies — or please customers. A class-action lawsuit, alleging breach of contract, was filed on Thursday in federal court.
There’s also the fact that Apple doesn’t make it easy to change or replace the battery. (Apple’s battery replacement costs $79 — not cheap, but not the cost of an iPhone X.)
But Poole says, if it were easy to replace, then the iPhone wouldn’t be an iPhone. A replaceable battery would have to be thicker, and the phone would have an obvious battery cover. “I think it’s the tradeoff that Apple makes,” Poole said. “They want the very thin, very light, very sleek phones. And by making the battery non-replaceable they’re able to accomplish that.”
Read the original article over at Vox.com.
Chinese iPhone X owners claim Apple’s Face ID facial recognition cannot tell them apart
The bizarre flaw was discovered by a husband who bought his wife an expensive new smartphone.
But she was shocked to discover her son was able to use his face to unlock the phone.
It seems the family, who live in the city of Shanghai, Eastern China, could trick the system.
The father, identified only by his surname Liu, phoned Apple’s customer service hotline to report the problem.
He was told it was a rare, isolated case caused by his wife and son looking very similar.
It is thought that the American tech giant has now launched a full investigation into the Liu family’s claims.
The news comes just a week after a Chinese woman realised she could unlock her colleague’s iPhone X using the facial recognition software.
A shocking video shows how one woman was able to easily unlock the other’s phone.
This was despite the pair having a number of different features.
It has now been suggested that the iPhone X is unable to tell Chinese people apart from one another.
Apple continues to maintain that its facial recognition software is fool-proof.
It said there is a one in a million chance of someone else’s face being able to unlock your phone.
But iPhone users in China – a country of more than a billion people – are becoming increasingly concerned about their iPhone X’s security and privacy features.
The iPhone X uses a system called Face ID that scans users’ faces.
It works by analysing the contours of people’s faces, so it still works if owners change their haircut, grow a beard or gain weight.
Read the original article over at Metro.
2017 Tech in Memoriam: Pour One Out for AIM, Vine, GChat, and the Rest
Written by Wired/ Courtesy of
All good things come to an end. This year, we watched as some of our favorite gadgets found a new home in a casket filled with the technology of yesteryear. Fill up a glass and get ready to pour one out for the tech casualties of 2017.
On December 15, AOL Instant Messenger posted its final away message. Its days of being the hip way to stay in touch with all your school friends are long gone, but AIM is where an entire generation forged their online identities. Now, all those embarrassing screen names are six feet under along with the rest of the old web.
iPod Nano and Shuffle
Apple finally gave its flagship music player the boot this year by killing off the iPods Nano and Shuffle. Sure, you’re streaming all your tunes with Spotify or Apple Music by now, but that doesn’t mean we won’t miss the iPod. It sparked the modern landscape for music, and it’s where many of us built the playlists that defined our youth.
Before the lauded Pivot to Video, there was Vine. It had dogs jammin’ out on the cowbell, raps about Liam Neeson, siblings ruining vape tricks, and mystifying tricks of trash cans turning into whiteboard drawings. Twitter gave it the axe late last year, but kept it on life support until January. With its departure goes another experimental platform where people could be just a little weirder with their creations. Damn, Daniel.
It probably didn’t come as a shock when Microsoft dropped Paint from its list of supported features, but it’ll be missed. Paint was the birthplace of poorly drawn memes, and even if its tools weren’t the most robust, or even that good, it made for some great laughs.
The 140 Character Limit
As if tweets weren’t already bad enough, this year Twitter decided one of the network’s biggest issues wasn’t harassment or rogue employees, it was that tweets simply weren’t long enough. So, while threats of nuclear war and hate speech ran rampant, Twitter’s Big Improvement to the platform this year was doubling its character limit to 280. At least now we can post more Smash Mouth lyrics, right?
While Twitter futzed around with its algorithms and gave us longer tweets, its distant open source cousin, App.net, closed its doors. It promised to be an ad-free microblogging platform, a model that proved unsuccessful in the long run. While it never hit the mainstream, it’s another reminder that it isn’t altruism, but a constantly changing set of unsolicited features that wins in the social game.
The internet hate mob got a little less ludicrous this year when Twitter axed the notorious Profile Egg for accounts that never uploaded a profile picture. In its wake hatched a new mask of anonymity: a plain ol’ profile of an ambiguous human body. It didn’t cut back on harassment, but it’s easier to be mad at a human than it is an egg.
It’s hard to keep up with all of Google’s messaging apps: Allo, Google+, Hangouts, Duo. (Does anyone use this stuff?) Chat was one of the originals. Now, it’s been replaced by Hangouts, which will eventually be replaced by the next bonkers messaging app Google dishes out.
The mp3 sparked a change in the way we listened to music. It let us toss our favorite songs onto iPods and its knockoffs, but most of us probably snagged our tunes from Limewire. If you were lucky, you might have even been bamboozled into downloading a spoof of Bill Clinton telling you to hit up a sketchy website. The mp3’s license ran out this year, and its creators are pushing the AAC format to take its place — but AAC player just doesn’t have the same ring to it, huh?
There have long been promises of mobile computing merging with desktop computing. Microsoft’s Continuum promised to turn one device, like a phone, into all your devices with a simple dock and a few peripherals. Chromebooks can now run Android apps so you’ve got all the software you need wherever you’re at. Meanwhile, Remix OS was a fork of Android that could be installed on any PC to bring all your favorite apps to the big screen. It worked great, but it was never going to make it to the big leagues.
Windows Movie Maker
Not every video needs Adobe Premiere or Final Cut Pro X to make its way to YouTube or your family’s big screen. From 2012 to its demise this year, Windows Movie Maker gave aspiring creatives and proud parents the ability to make barebones videos or vacation slideshows in a pinch, and it was totally free! The name wasn’t flashy enough for today’s hip gadget lovers, so Microsoft gave it the boot and replaced it with Story Remix, which does most of the same things with a fresh coat of paint.
College students across the net wept as Yik Yak, the anonymous social networking app where confessions flowed throughout campuses, was shut down. Throughout its life, youths used it to confess everything from stealing their roommate’s Cheetos to showing up to class drunk.
If you had a question in the early days of the web, you probably went to About.com for the answers. It had how-to’s and explainers aplenty, but unfortunately it didn’t know much about how to keep up with the ever-changing landscape of today’s internet.
Microsoft’s motion-tracking hardware’s final gesture to the world was a wave goodbye. The Kinect wasn’t the game-changing peripheral Microsoft wanted it to be, and for many gamers it simply wasn’t worth the cost.
Nintendo made waves this year with the Switch, one of our favorite gadgets of 2017. But to make a killer console, the company had to kill some of its darlings. MiiVerse, Nintendo’s oddly charming social network where fans shared their best (and worst) drawings, became the victim and closed its doors in November.
Club Penguin was a social network where kids could masquerade as penguins clad in wizard gear or an apple costume. (Don’t ask us to explain.) Mostly, though, it was known for the memes it sparked when trolls started trying to get banned for kicks. Disney shut down the network earlier this year—the ultimate ban.
Netflix’s Star Rating system
Your favorite shows probably felt a little less love this year when Netflix nixed its five-star rating system for a simpler, less informative thumbs up/down metric. The new system coincides with a percentage match that’ll tell you how sure Netflix is that you’ll like a given show or movie, but unfortunately there’s no way to give Netflix’s decisions a thumbs down if you’re not a fan.
Microsoft Groove Music
The music streaming business is rough. Microsoft killed its Spotify-competitor earlier this year after failing to compete with the streaming giants, giving it the same fate as the Microsoft Zune.
Read the original article over at.
Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
Over the course of the current week, WordPress sites around the globe have been the targets of a massive brute-force campaign during which hackers attempted to guess admin account logins in order to install a Monero miner on compromised sites.
The brute-force attack started on Monday morning, 03:00 AM UTC and is still going strong at the time of writing.
Brute-force attack targets over 190,000 WordPress sites/hour
To get an idea of the size of the campaign, WordPress security firm Wordfence says this was the biggest brute-force attack the company was forced to mitigate since its birth in 2012.
“This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour,” said Wordfence CEO and founder Mark Maunder on Monday. “The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off.”
Wordfence says the brute-force attacks peaked at 14.1 million requests per hour. Brute-force requests originated from over 10,000 unique IP addresses and targeted around 190,000 WordPress sites per hour.
Initially, the Wordfence team believed that a recent leak which involved a torrent file shared on Reddit and GitHub, and containing over 1.4 billion cleartext username and password combinations, might have triggered the attacks by providing attackers with new credentials they could test.
After further analysis, Wordfence now says attackers use “a combination of common password lists and heuristics based on the domain name and contents of the site that it attacks.”
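As an added example of the detection side of a campaign like this (not code from Wordfence or from this article), the Python script below reads web-server access-log lines in the common “combined” format and flags any source IP that bursts login POSTs at the WordPress login endpoints inside a short window. The log lines are constructed for the example, and the 5-minute window and 10-attempt threshold are illustrative choices, not Wordfence’s.

```python
"""
Added example, not part of the Wordfence report: flag source IPs that burst
login attempts at WordPress. The log lines below are constructed in the
common "combined" format; window and threshold are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# wp-login.php is the obvious target; xmlrpc.php also accepts credentials
# and lets one request carry many guesses via system.multicall.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforcers(lines, window=timedelta(minutes=5), threshold=10):
    """Map IP -> total login POSTs, for IPs with >= threshold POSTs inside any window."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        # WordPress answers a failed login with 200 and the form again, so the
        # status code is not a usable signal; count POSTs to the login endpoints.
        if method == "POST" and path in LOGIN_PATHS:
            attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def make_sample_log():
    """Constructed log: one IP guessing every 20 s, one editor logging in twice."""
    base = datetime(2017, 12, 18, 3, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = ['203.0.113.7 - - [18/Dec/2017:02:59:50 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
    for i in range(12):
        t = (base + timedelta(seconds=20 * i)).strftime(fmt)
        lines.append(f'203.0.113.7 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"')
    for i in range(2):
        t = (base + timedelta(minutes=7 * i)).strftime(fmt)
        lines.append(f'198.51.100.9 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append("this line is not in combined format and is skipped")
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs, threshold exceeded within 5 minutes")
```

The per-IP window is deliberately simple; a campaign spread over 10,000 source addresses, as described above, also needs a site-wide counter, because each address can stay under any per-IP threshold while the aggregate rate is obviously abnormal.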
Attackers hack into sites to install Monero miner
Once attackers get in, they install a Monero miner, and they also use the infected site to carry out further brute-force attacks. These two operations don’t happen at the same time, and each site is either brute-forcing other WordPress sites or mining Monero.
This means the actual number of compromised sites is much larger than the number of IPs participating in the brute-force campaign.
According to Wordfence engineer Brad Haas, the company discovered all these details after one of their customers’ servers was compromised and they were able to take a peek inside the campaign’s operation.
Hackers made at least $100,000
Based on the two Monero wallet addresses connected to this illegal mining operation, Wordfence says attackers made over $100,000 worth of Monero, but the sum could be even higher.
The focus on mining Monero is no surprise since Monero’s exchange rate almost doubled this month, drawing even more crooks to the fold.
Similarly, Monero’s rising price is also what’s driving more miscreants to the recent cryptojacking craze.
— Catalin Cimpanu (@campuscodi) December 19, 2017
Read the original article over at Hongkiat.
Facebook Can Now Find Your Face, Even When It’s Not Tagged
Written by Tom Simonite / Courtesy of Wired
Facebook just loosened the leash a little on its facial-recognition algorithms. Starting Tuesday, any time someone uploads a photo that includes what Facebook thinks is your face, you’ll be notified even if you weren’t tagged.
The new feature rolled out to most of Facebook’s more than 2 billion global users this morning. It applies only to newly posted photos, and only those with privacy settings that make an image visible to you. Facebook users in Canada and the European Union are excluded. The social network doesn’t use facial-recognition technology in those regions, due to wariness from privacy regulators.
Facebook has steadily expanded its use of facial recognition over the years. The company first offered the technology to users in late 2010, with a feature that suggests people to tag in photos. Backlash against the way users were automatically opted into that system is one reason Facebook’s algorithms are face blind in Canada and the EU today. Elsewhere, the company made new efforts to notify users, but left the feature essentially unchanged. In 2015, the company launched a photo-organization app called Moments that uses facial recognition to help you share photos with people in your snaps.
Facebook’s head of privacy, Rob Sherman, positions the new photo-notification feature as giving people more control over their image online. “We’ve thought about this as a really empowering feature,” he says. “There may be photos that exist that you don’t know about.” Informing you of their existence is also good for Facebook: more notifications flying around means more activity from users and more ad impressions. More people tagging themselves in photos adds more data to Facebook’s cache, helping to power the lucrative ad-targeting business that keeps the company afloat.
Once Facebook identifies you in a photo, it will display a notification that leads to a new Photo Review dialog. There you can choose to tag yourself in the image, message the user who posted an image, inform Facebook that the face isn’t you, or report an image for breaching the site’s rules.
As part of the new feature, Facebook will also notify users if someone else attempts to use their photo in a profile; Facebook says it’s trying to make it harder to impersonate other people. The company is also adding facial recognition to its service for visually impaired people that describes photos from friends in text.
How good is Facebook’s facial-recognition technology? Among the best in the world. The hundreds of billions of photos stored on the company’s servers provide ample data to train machine-learning algorithms to distinguish different faces. Nipun Mathur, of Facebook’s applied-machine-learning group, declines to provide any figures on the system’s accuracy. He said the system works even if it doesn’t have a full view of your face, although it can’t recognize people in 90-degree profile. In 2015, Facebook’s AI research group published a paper on a system that could recognize people even when their faces are not visible, using other cues such as clothing or body shape. Facebook says nothing from that work is in the new product.
If you don’t like the sound of all that, you may want to take advantage of a revamped privacy control Facebook also launched Tuesday. You could already opt out of Facebook’s facial-recognition-powered photo tag suggestions, but the setting’s description delicately avoided using the term facial recognition. A new version of the setting that allows you to turn off facial recognition altogether does use the phrase, perhaps making it easier for people to understand what they’re already allowing. If you opt out of facial recognition, Facebook says it will delete the face template used to find you in photos. If you were already opted out of tag suggestions, you are opted out of all the new features launched today.
Some privacy advocates say the system should require users to opt in, rather than force them to opt out. In 2015, nine organizations walked out of a Department of Commerce process intended to develop a code of conduct for commercial use of facial recognition, including at social-media companies. Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, says corporate refusals to make their technology opt-in was one reason she and others abandoned the process.
Lynch argues that Facebook’s current policy prevents people from being able to make decisions about privacy and risks to their personal data. The company can instantly and silently roll out sweeping new uses for face data that affect over a billion people.
Lynch says there’s a lot of interest from retailers in using face recognition to track and target shoppers in stores, an area of business Facebook might conceivably be tempted by. A recently disclosed patent application envisions Facebook deploying face recognition for in-store payments. The social network already works with data brokers to link Facebook users’ online activity and profiles with offline behavior.
A Facebook spokesman said the company has no plans for facial-recognition products beyond the one announced Tuesday, and that the company often patents ideas never put into practice. He didn’t answer a query about why Facebook didn’t allow users to opt in to facial recognition.
Facebook’s stance on that may be tested in court before long. The company is fighting a suit in federal court brought by a user who says the company’s opt-out approach to facial recognition breaches an Illinois privacy law.
Read the original article over at Wired.com.
FCC Repeals U.S. Net Neutrality Rules
Courtesy of Torrent Freak
The FCC has repealed U.S. net neutrality rules. As a result of today’s vote, Internet providers have the freedom to restrict, or charge for, access to certain sites and services if they please. This also means that BitTorrent throttling and blocking could become commonplace once again, as it was a decade ago.
In recent months, millions of people have protested the FCC’s plan to repeal U.S. net neutrality rules, which were put in place by the Obama administration.
Today the FCC voted to repeal the old rules, effectively ending net neutrality.
Under the net neutrality rules that have been in effect during recent years, ISPs were specifically prohibited from blocking, throttling, and paid prioritization of “lawful” traffic. In addition, Internet providers could be regulated as carriers under Title II.
Now that these rules have been repealed, Internet providers will have more freedom to experiment with paid prioritization. Under the new guidelines, they can charge customers extra for access to some online services, or throttle certain types of traffic.
Most critics of the repeal fear that, now that the old net neutrality rules are in the trash, ‘fast lanes’ for some services, and throttling for others, will become commonplace in the U.S.
This could also mean that BitTorrent traffic becomes a target once again. After all, it was Comcast’s ‘secretive’ BitTorrent throttling that started the broader net neutrality debate, now ten years ago.
Comcast’s throttling history is a sensitive issue, also for the company itself.
Before the Obama-era net neutrality rules, the ISP vowed that it would no longer discriminate against specific traffic classes. Ahead of the FCC vote yesterday, it doubled down on this promise.
“Despite repeated distortions and biased information, as well as misguided, inaccurate attacks from detractors, our Internet service is not going to change,” writes David Cohen, Comcast’s Chief Diversity Officer.
“We have repeatedly stated, and reiterate today, that we do not and will not block, throttle, or discriminate against lawful content.”
It’s worth highlighting the term “lawful” in the last sentence. It is by no means a promise that pirate sites won’t be blocked.
As we’ve highlighted in the past, blocking pirate sites was already an option under the now-repealed rules. The massive copyright loophole made sure of that. Targeting all torrent traffic is even an option, in theory.
That said, today’s FCC vote certainly makes it easier for ISPs to block or throttle BitTorrent traffic across the entire network. For the time being, however, there are no signs that any ISPs plan to do so.
If they do, we will know soon enough. The FCC requires all ISPs to be transparent under the new plan. They have to disclose network management practices, blocking efforts, commercial prioritization, and the like. And with the current focus on net neutrality, ISPs are likely to tread carefully, or else they might just face an exodus of customers.
Finally, it’s worth highlighting that today’s vote is not the end of the road yet.
Net neutrality supporters are planning to convince Congress to overturn the repeal. In addition, there is also talk of taking the matter to court, with Attorneys General planning a multi-state lawsuit to challenge the repeal.
Read the original article over at Torrent Freak.
Microsoft’s Edge browser is in serious trouble
Analytics firm Net Applications revised its methodology to cull bots from its browser share numbers and found that as much as half of the traffic to Edge on Windows 10 was artificially inflated.
Microsoft’s Edge browser is less popular with Windows 10 users than earlier thought, if revised data from a U.S. analytics vendor can be believed.
According to Net Applications of Aliso Viejo, Calif., Edge has been designated the primary browser by fewer than one in six Windows 10 users for more than a year and a half. That’s a significant downgrading of Edge’s user share statistics from the browser’s portrayal before this month.
During the 19-month span between May 2016 and November 2017 – data for that stretch was what Net Applications offered publicly – Edge was run by between 15.6% (in April 2017) and 12.2% (September 2017) of all Windows 10 users. It never reached 16.7% – or one in six – and trended downward overall, starting the period at 14.8% (May 2016) and ending it at 13.2% (November 2017), an 11% decline.
Edge had never been a big performer in the Net Applications’ user share sweepstakes, but in earlier data iterations, the web measurement company had painted the browser in somewhat brighter colors.
Before Net Applications’ methodology modification, Edge was the choice of between 28.5% (in May 2016) and 15.7% (October 2017) of all Windows 10 users. While that was ultimately a steeper decline, for most of the period Edge’s share of Windows 10 hovered around the 21% to 22% mark. Only in the last three months did the older data show Edge’s place on Windows 10 start to slide, perhaps a sign that Net Applications’ new data scheme was implemented before the firm made the news public.
Why did Edge’s portrait change so dramatically? Bots are the answer.
“Bots can cause significant skewing of data,” admitted Net Applications earlier this month when it revealed its revised numbers. “We have seen situations where traffic from certain large countries is almost completely bot traffic. In other countries, ad fraudsters generate traffic that spoofs certain technologies in order to generate high-value clicks. Or, they heavily favor a particular browser or platform.”
These software tools are often deployed by criminals, who program their automated scripts to mimic human online behavior so that they can cash in on ad click fraud.
Net Applications did its best to scrub the bot traffic from its data, both current and past. “The primary focus … was to build detection methods to eliminate this traffic,” the company said. “We rewrote the entire collection and aggregation infrastructure to address this issue.”
The resulting data, which Net Applications implied depicted Edge’s real use, showed that the browser was a prime target of bot-wielding scammers. By comparing Edge’s old and new shares, it was evident that as much as half of the earlier Edge traffic had been faked by bots. The portion of Edge’s share credited to bots fluctuated month to month, but fell below 30% in only 4 of the 19 months for which Net Applications provided data.
Edge wasn’t the only browser that came out looking worse than previously presumed. Microsoft’s legacy browser, Internet Explorer (IE), was also revealed as a Potemkin village. Under the old data regime, which included bots, IE’s user share was overblown, at times more than double the no-bots reality.
Take May 2016 as an example. With bots, Net Applications pegged IE at 33.7%; without bots, IE’s user share dwindled to just 14.9%.
Together, IE and Edge – in other words, Microsoft’s browsers – accounted for only 16.3% of the global user share last month using Net Applications’ new calculations. Back on Jan. 1, however, IE+Edge had a user share of 32.7% with bots, just 17.3% without the shady tools.
Put plainly, Microsoft’s place in the browser race, while definitely dismal when calculated previously, became ghastly when the bot traffic was subtracted.
Other data sources also called IE’s and Edge’s position weak, and long before Net Applications scoured its data. Irish metrics vendor StatCounter, for instance, has regularly pegged the browsers’ usage share – a proxy for activity rather than an estimate of user base – at levels much lower than its American rival.
A year ago, StatCounter said IE accounted for a mere 9.8% of the world’s browser usage share, compared to the 19.9% of Net Applications with bots and 14.9% without bots. Last month, StatCounter still pegged IE lower (8.5%) than Net Applications’ bots-be-gone figure (12%), but the difference between the two data sets has been steadily shrinking.
Interestingly, Edge’s share of all browser usage on Windows 10 has remained remarkably stable in StatCounter’s tallies, falling within a narrow range of 10.1% to 10.9% over the past 12 months.
Bottom line: The data from both Net Applications and StatCounter indicate Windows 10 users are shunning Edge, and former IE users are renouncing that browser at a pace alarming to Microsoft. In fact, the combined IE and Edge now face a once unthinkable fate: falling beneath Mozilla’s Firefox.
That’s already happened in StatCounter’s figuring, which has tapped Firefox with more usage share than IE+Edge in 12 of the last 13 months. The gap between IE+Edge and Firefox in Net Applications’ reckoning is more substantial – with the edge, no pun intended, to Microsoft’s browsers – but the disparity is waning. If Firefox can regroup, stem its latest losses and return to the position it had as recently as March, it could shove IE+Edge off the No. 2 spot and claim it as its own.
As Microsoft’s browser catastrophe showed, anything is possible.
Read the original article over at Computer World.