Apple snags Oprah Winfrey in original content deal
Winfrey’s deal reportedly isn’t limited to TV shows, either.
Apple announced today that it signed a multi-year content partnership with actress, philanthropist, and talk-show host Oprah Winfrey. The partnership is the latest in a series of moves Apple has made to bolster its original programming efforts. Winfrey’s content will be released as part of Apple’s lineup, but it’s still unclear when and where Apple will debut the bulk of its planned original content.
Monetary details of the deal have not been disclosed. According to a report by The Hollywood Reporter, the partnership is non-exclusive, as Winfrey will remain chairman and CEO of OWN, her cable network backed by Discovery.
Apple’s statement says that Winfrey will create content that embraces “her incomparable ability to connect with audiences around the world.” Reports suggest that Winfrey may not only make a certain type of content for Apple—the deal supposedly covers movies, TV shows, books, applications, and more. Snagging a partnership with Winfrey is one of Apple’s biggest gets yet in terms of talent, especially considering Netflix and Amazon were reportedly also in talks with the star.
One year ago, Apple hired former Sony execs Jamie Erlicht and Zack Van Amburg to lead its original programming efforts. Since then, the company pledged $1 billion to go toward original content, and it has inked about 12 content deals, many of which are straight-to-series programs. These deals include a series about a morning show starring Reese Witherspoon and Jennifer Aniston, a reboot of Steven Spielberg’s Amazing Stories, and an animated series from the creator of Bob’s Burgers.
Apple plans to release a slew of original programming in March 2019 or the summer thereafter, although the platform on which these programs will live remains unclear. It’s possible the company will lump all this content into Apple Music, its music streaming subscription service that costs $9.99 per month. Ultimately, Apple is late to the party—Netflix, Amazon, Disney, and others have been penning content partnerships for years, gleaning only bigger and bigger names as time goes on. Netflix recently signed Scandal creator Shonda Rhimes and American Horror Story creator Ryan Murphy, and Amazon recently made a deal with Nicole Kidman to have her Blossom Films production company make original content.
History proves that having Oprah Winfrey on your side usually brings good things and a lot of money, so Apple’s original content will likely receive a boost from this partnership. So while Apple may not have time on its side, it does have about $285 billion at its disposal to further advance its content offerings and streaming services.
Read the original article over at ArsTechnica.com.
Cutting edge technology – computers, drones and television
Written by Al Warr / Courtesy of NJ.com
Today’s technology is everywhere. We could not do the things we do without the marvelous inventions that have come down the pike in recent years.
Our personal lives will never be the same, and neither will our businesses. Desktops and laptops, smartphones and drones pervade the landscape. Robotics already replace assembly lines, and artificial intelligence is fast coming at us.
So what do you do when your computer screen goes blank? When you need a drone to find a lost child? When your television dies? You go looking for expert help from a specialist who works with today’s – and tomorrow’s – technology.
Dave and James Cahill are well into their eighth year in business. They run River Net Computers and River Net Creative, side-by-side operations.
There is much interaction between the two businesses. In addition to being brothers, both men run businesses concerned with today’s technology, and with all the problems that come with it.
“The main thing here is you get free diagnostics with feedback and recommendations at no charge,” said Dave.
They can handle commercial and home networking, hardware and software installations including repairs and upgrades. They regularly track down and remove viruses, adware, spyware, malware and other bugs and system glitches. And they can provide remote assistance. All at your place or theirs.
People bring their laptops and desktops to his shop or he will travel to their place. River Net is located at 10 Bridge St. in Frenchtown, but clients hail from a wide area – New York City to Delaware, Dave said. “With network or printer problems, we come to your place.”
River Net offers low-priced business contracts for 24-hour support. “You pay for what you use, including cell phone support,” he added. He also can special order computers, including refurbished business class machines.
On the River Net Creative side, they handle web design, graphics and logo design, and promotional materials. From time to time, he holds events including music production and videos–a recent art show included photos of Jupiter. Call for details of the next event.
For more information, call Dave at 908-996-3279 and visit RiverNetComputers.com.
Read the original article over at NJ.com.
Cortana Hack Lets You Change Passwords on Locked PCs
Microsoft has patched a vulnerability in the Cortana smart assistant that could have allowed an attacker with access to a locked computer to use the smart assistant and access data on the device, execute malicious code, or even change the PC’s password to access the device in its entirety.
The issue was discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee. Cochin privately reported the problems he discovered to Microsoft in April.
Cochin says the issue was present because of different quirks in how Cortana allows users to interact with the underlying Windows 10 OS, while in a locked state.
The researchers discovered several features that could be combined into one larger attack:
• Users can start typing after they say “Hey Cortana” and issue a voice command. This brings up a special search popup with various features and capabilities.
• Users can type text in this popup, which searches the laptop’s application index and its filesystem. By typing certain words, like “pas” (as in password), this search can bring up files containing this string in their file paths or inside the file itself. Hovering the mouse over one of these search results can reveal the file’s location on disk, or the content of the file itself (big issue if the disclosed detail is a password).
• Users can access the right-click menu after using the same trick of starting to type after triggering Cortana. These menus include various sensitive options, such as “Open file location,” “Copy full path,” “Run as Administrator,” or, the more dangerous one, “Run with PowerShell.”
• Using the same trick of starting to type after issuing a Cortana voice command, attackers can execute files or run PowerShell commands.
Combining all these issues into one attack, Cochin says that a hacker with access to a locked computer can carry out the following attack:
• The attacker issues a Cortana voice command but starts typing on the keyboard to interrupt the voice command execution. This brings up a special Cortana search popup.
• Attacker runs a PowerShell command with CLI arguments to run the malicious PowerShell script found on the USB drive.
• The malicious PowerShell script executes, despite the computer being locked. The attacker can use PowerShell to reset the password, disable security software, run chained commands, or any other thing he wants.
Cochin published fine-grained details about how CVE-2018-8140 affects recent versions of Windows 10, along with the below video, showing how he hijacked a PC by changing a locked account’s password using Cortana.
Users are advised to either update to the latest version of Windows, or disable Cortana on the lock screen.
Read the original article over at Bleeping Computer.
Password reset flaw at internet giant Frontier allowed account takeovers
A two-factor code used to reset an account password could be easily bypassed.
A bug in how cable and internet giant Frontier reset account passwords allowed anyone to take over user accounts.
The vulnerability, found by security researcher Ryan Stevenson, allows a determined attacker to take over an account with just a username or email address. With a few hours’ worth of determination, an attacker can bypass the access code sent during the password reset process.
Stevenson found that the access code field was not limited, allowing him to enter as many codes as he wanted. By automating the process using a network intercept tool on a test account he created, Stevenson was able to reproduce the access code.
After disclosing the bug to Frontier, the cable giant told ZDNet that an investigation is underway.
“Out of an abundance of caution, while the matter is being investigated Frontier has shut down the functionality of changing a customer’s password via the web,” said the spokesperson.
Frontier is one of the largest internet providers in the US.
Stevenson demonstrated the password reset vulnerability in a video.
Using Burp Suite, a network intercept tool widely used by security researchers, and a test account he created, Stevenson automated the sending of hundreds of six-digit access code iterations to the browser, one after the other. In the demonstration, he showed that a correct code returned a bigger server response than the incorrect codes.
When he entered the correct code on the form, he could reset the account password.
Based on our calculations, Stevenson could generate around 100 codes in 10 seconds, amounting to a little over a day to run every combination of the code. Stevenson believes that a successful attack could have been achieved far sooner with a faster connection.
Because the password reset process is initially protected by a CAPTCHA form, an attacker likely would only be able to carry out targeted attacks on accounts.
It’s not known if anyone has exploited the password reset bug.
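The missing control described above is a limit on guesses per access code. The sketch below is an added example, not code from the article or from Frontier: `ResetCodeVerifier`, the cap of 5 attempts and the 10-minute lifetime are hypothetical names and assumed values, and the last two functions reproduce the article's arithmetic for an unlimited versus a capped form.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                  # six-digit access code, as in the article
KEYSPACE = 10 ** CODE_DIGITS     # 1,000,000 possible codes
MAX_ATTEMPTS = 5                 # assumed cap; the flawed form had none
CODE_TTL_SECONDS = 600           # assumed 10-minute lifetime


@dataclass
class ResetChallenge:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class ResetCodeVerifier:
    """Hypothetical server-side check for a password-reset access code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges = {}    # account -> ResetChallenge

    def issue(self, account: str) -> str:
        # A new request replaces any older code for the account. Issuance
        # itself should be throttled too (the article mentions a CAPTCHA).
        code = f"{secrets.randbelow(KEYSPACE):0{CODE_DIGITS}d}"
        self._challenges[account] = ResetChallenge(
            code, self._clock() + CODE_TTL_SECONDS)
        return code              # delivered to the user out of band

    def verify(self, account: str, submitted: str) -> bool:
        challenge = self._challenges.get(account)
        if challenge is None:
            return False
        if self._clock() >= challenge.expires_at:
            del self._challenges[account]
            return False
        # Count the attempt before comparing, so every submission costs one.
        challenge.attempts_left -= 1
        ok = hmac.compare_digest(challenge.code.encode(), submitted.encode())
        # The code is single-use and is discarded once the cap is reached,
        # so the correct value stops working after too many wrong guesses.
        if ok or challenge.attempts_left == 0:
            del self._challenges[account]
        return ok


def exhaustive_search_hours(codes_per_second: float) -> float:
    """Hours needed to try every code when attempts are unlimited."""
    return KEYSPACE / codes_per_second / 3600


def guess_success_probability(attempts: int) -> float:
    """Chance of hitting the code within the allowed number of guesses."""
    return min(attempts, KEYSPACE) / KEYSPACE


if __name__ == "__main__":
    verifier = ResetCodeVerifier()
    code = verifier.issue("test-account")        # constructed test account
    wrong = "000000" if code != "000000" else "000001"
    results = [verifier.verify("test-account", wrong)
               for _ in range(MAX_ATTEMPTS)]
    print("wrong guesses accepted:", any(results))
    print("correct code after lockout:",
          verifier.verify("test-account", code))
    # The article's rate: about 100 codes in 10 seconds = 10 per second.
    print("unlimited form, hours to exhaust:",
          round(exhaustive_search_hours(10.0), 1))
    print("capped form, success chance per code:",
          guess_success_probability(MAX_ATTEMPTS))
```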
Read the original article over at ZDNet.com.
Facebook privacy goof makes posts by 14 million users readable to anyone
Posts were made public even when set to be viewed by a limited number of contacts.
Facebook disclosed a new privacy blunder on Thursday in a statement that said the site accidentally made the posts of 14 million users public even when they designated the posts to be shared with only a limited number of contacts.
The mixup was the result of a bug that automatically suggested posts be set to public, meaning the posts could be viewed by anyone, including people not logged on to Facebook. As a result, from May 18 to May 27, posts by as many as 14 million users who intended them to be available only to select individuals were, in fact, accessible to anyone on the Internet.
“We have fixed this issue, and, starting today, we are letting everyone affected know and asking them to review any posts they made during that time,” Facebook Chief Privacy Officer Erin Egan said in the statement. “To be clear, this bug did not impact anything people had posted before–and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”
The statement said that Facebook technicians stopped automatically making private posts public on May 22, but that it took them another five days to fully restore privacy settings for all the affected posts.
The bug occurred as Facebook developers were creating a new way to share photos and other featured items in user profiles. In the process, the developers accidentally suggested all new posts be set to public, rather than just the featured items. Normally, Facebook makes it possible for users to share photos, text, or video only with family members, work colleagues, or other specially designated contacts, preventing anyone else from seeing the content. The bug caused such posts to be viewable to anyone.
Thursday’s disclosure comes three months after The New York Times reported that in 2016, Facebook provided personal data for more than 87 million users to Cambridge Analytica, a political firm with ties to Donald Trump’s presidential campaign. The social network has since worked to assure users and politicians around the world that it will give users more control over who gets access to their posts, contact lists, and other personal data.
Starting Thursday, Facebook started notifying the 14 million users affected by the bug that some of their private posts had been made public. Facebook is also referring users to this privacy basics page.
“We’ve heard loud and clear that we need to be more transparent about how we build our products and how those products use your data—including when things go wrong,” Thursday’s statement read. “We expect that this kind of on-platform notification is something which people might see more of over the coming months as we try and do more (and better) to detect and fix issues before they affect people’s experience.”
Read the original article over at ArsTechnica.com.
Microsoft to Acquire GitHub for $7.5 Billion
With the acquisition of the popular GitHub code repository service it’s bringing a huge population of open source and cloud app developers under its wing.
Microsoft is acquiring GitHub for $7.5 billion in Microsoft stock, the companies announced today. The transaction is expected to close by the end of 2018, pending regulatory approval.
San Francisco-based GitHub runs the code repository service of the same name, home to many open source projects and popular with developer teams of all stripes, from fledgling startups to established enterprise coders. According to company estimates, GitHub has attracted 28 million developers and more than 85 million repositories. More than 1.5 million companies are represented on the platform.
GitHub will continue to operate independently after the acquisition. Nat Friedman, former CEO of Xamarin and a current Microsoft Corporate Vice President, will take the role of GitHub’s CEO. Microsoft acquired mobile developer toolmaker Xamarin in 2016.
Friedman is a good fit for GitHub under Microsoft, said Gartner Research Director Thomas Murphy. “The fact the Xamarin guy runs the unit is good. He has done a great job with the Xamarin-Microsoft transition and that should give the open-source world comfort.”
But smooth sailing is not assured. “The bigger question for Microsoft is how it helps them sell intelligent services and how it impacts the battle for cloud supremacy,” Murphy added. “Certainly, they realize that the cloud is the platform and that is the battle they must win and own.”
GitHub co-founder Chris Wanstrath’s new position will be that of a Microsoft technical fellow working closely with Friedman.
Much has changed in the ten years since GitHub first hit the scene, Wanstrath observed. Git was a niche tool and Microsoft was just embarking on its cloud journey in the early days of the code repository. However, even now Microsoft still develops and markets a huge amount of proprietary software development technology.
Today, “Git is far and away the most popular version control system, clouds are mostly computers, and Microsoft is the most active organization on GitHub in the world,” stated Wanstrath in a blog post. “Their [Visual Studio] Code project alone is beloved by millions of developers, entirely open source, and built using GitHub’s Electron platform.”
For Microsoft, GitHub enables the software giant to plug into a massive community of developers. Dismissing concerns that Microsoft may revert to its closed ecosystem roots, CEO Satya Nadella assured that “GitHub will remain an open platform, which any developer can plug into and extend,” in a June 4 announcement.
“Developers will continue to be able to use the programming languages, tools and operating systems of their choice for their projects—and will still be able to deploy their code on any cloud and any device,” Nadella continued.
Naturally, Microsoft would prefer that code ultimately winds up on its own Azure cloud computing platform, noted Jack Gold, principal analyst at J. Gold Associates. The Redmond, Wash. software and cloud services provider “wants to be the destination for app developers with tools and app deployments on Azure, and GitHub would further that goal, not just with third-party app developers but also potentially with [the] enterprise,” he said.
Regardless of where the code on GitHub repositories is eventually deployed, there’s a good chance that it will spend some time on Azure. Gold expects GitHub to be fully hosted on Azure, which opens the door to cloud services bundles “geared towards developers specifically to make Azure more competitive” against market-leading Amazon Web Services and Google.
Read the original article over at eWeek.com
CSS Is So Overpowered It Can Deanonymize Facebook Users
Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook.
Information leaked via this attack could help some advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user’s online privacy.
The leak isn’t specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.
Vulnerability resides in browsers, not websites
The actual vulnerability resides in the browser implementation of a CSS feature named “mix-blend-mode,” added in 2016 in the CSS3 web standard.
The mix-blend-mode feature allows web developers to stack web components on top of each other and add effects that control the way they interact.
As the feature’s name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.
The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOS and v10.3 on iOS).
Researchers use a DIV stack to reconstruct iframe content
In research published today, Ruslan Habalov, a security engineer at Google in Switzerland, together with security researcher Dario Weißer, revealed how an attacker could abuse CSS3 mix-blend-mode to leak information from other sites.
The technique relies on luring users to a malicious site where the attacker embeds iframes to other sites. In their example, the two researchers embedded iframes for one of Facebook’s social widgets, but other sites are also susceptible to this issue.
The attack consists of overlaying a huge stack of DIV layers with different blend modes on top of the iframe. These layers are all 1×1 pixel-sized, meaning they cover just one pixel of the iframe.
Habalov and Weißer say that depending on the time needed to render the entire stack of DIVs, an attacker can determine the color of that pixel shown on the user’s screen.
The researchers say that by gradually moving this DIV “scan” stack across the iframe, “it is possible to determine the iframe’s content.”
Normally, an attacker wouldn’t be able to access the data of these iframes due to anti-clickjacking and other security measures implemented in browsers and in the remote sites that allow their content to be embedded via iframes.
Two very impressive demos are available
The actual attack takes about 20 seconds to leak the username, 500 milliseconds to check the status of any liked/not-liked page, and around 20 minutes to retrieve a Facebook user’s avatar.
The attack is easy to disguise because the iframe can easily be moved offscreen, or hidden under another element (see demo gif below, hiding the attack under a cat photo). Furthermore, keeping a user on a site for minutes is also possible by keeping him busy with an online test or a longer article.
Fixes available for Chrome and Firefox
The two reported the bug to Google and Mozilla engineers, who fixed the issue in Chrome 63 and Firefox 60.
“The bug was addressed by vectorizing the blend mode computations,” Habalov and Weißer said. Safari’s implementation of CSS3 mix-blend-mode was not affected as the blend mode operations were already vectorized.
Besides the two, another researcher named Max May independently discovered and reported this issue to Google in March 2017.
Court docs show Apple knew about the bendiness of the iPhone 6, 6 Plus
Engineering changes were eventually made to prevent “Touch Disease” screen problems.
Newly released court documents reveal just how much Apple apparently knew about the iPhone 6’s and 6 Plus’ propensity to bend. A report by Motherboard shows parts of the documents that were made public by US District Court Judge Lucy Koh (most of the documents remain sealed), and they say Apple’s internal testing found that iPhone 6 and 6 Plus models were indeed bendier than previous iPhones.
“The iPhone 6 was 3.3 times more likely to bend than the iPhone 5s” and “the iPhone 6 Plus was 7.2 times more likely to bend than the iPhone 5s,” the document states. Judge Koh wrote that “one of the major concerns Apple Identified prior to launching the iPhones was that they were ‘likely to bend more easily when compared to previous generations.'”
Flashback to Bendgate
The bending issues with the iPhone 6 and 6 Plus date back to shortly after the phones’ release in September 2014. Many users reported their new smartphones bending easily from regular use, like sticking the phone in their back pocket. At the time, Apple highlighted the vigorous testing it puts handsets through before release, including a three-point bending test.
“Bendgate” news slowly died down until early 2016, when iPhone 6 and 6 Plus users began reporting issues with their smartphones’ displays. The problems—which included touchscreens with a flickering gray bar at the top, touchscreens with intermittent response, and touchscreens that stopped working completely—were collectively dubbed “Touch Disease.”
Loose Touch IC chips were later identified as the source of Touch Disease. These touchscreen-controlling chips became unseated from the logic board due to bending and flexing with normal use. The problem affected more than just a handful of users and prompted Apple to start the iPhone 6 Plus Multi-Touch Repair Program, which would repair handsets with touchscreen input problems for $149.
It also prompted users to file a class-action lawsuit against the company for allegedly misleading them about Touch Disease. Apple was forced to hand over internal documents as part of the suit, and that’s where these new details come from.
A late fix
Apple eventually acknowledged Touch Disease, saying it only affected iPhones “dropped multiple times on a hard surface and then incurring further stress on the device.” But the company has not said anything publicly about the iPhone 6 and 6 Plus being more susceptible to bending, a design issue that seems to have contributed to Touch Disease problems.
The details made public from these court documents show Apple did indeed know that the iPhone 6 and 6 Plus were more likely to bend than earlier iPhone models, despite the company denying any engineering issues with the smartphones.
According to the documents, Apple investigated the issue and came up with a fix—reinforcing part of the logic board with an epoxy to prevent dislodging. However, this design change wasn’t implemented until May 2016, and it was only a fix for new iPhone 6 and 6 Plus models being produced. Apple moved the touchscreen-controlling chips in question from the logic board to the display construction with the release of the iPhone 6S. It’s thought that those later iPhone 6 models were not as susceptible to Touch Disease because of the new placement of the touchscreen-controlling chips.
Ars has reached out to Apple for further comment.
Read the original article over at ArsTechnica.com.
Windows 10 April 2018 Update problems: Users struggle with mystery ‘black screen’
Is third-party antivirus to blame for the latest Windows 10 update issues?
Windows 10 users over the past two days have begun reporting serious glitches after updating to the Windows 10 April 2018 Update.
As per an account on Reddit, after installing the update the computer appears to boot but then gets stuck with a black screen and no icons. There’s also an error message that the Desktop file could not be accessed.
Users on Microsoft’s forums have been reporting similar black-screen problems since May 14 after updating to the latest version of Windows 10. However, more reports have flowed in over the past two days.
“Tried the update on my Dell and all I got was a black screen with a mouse, then on my Asus I get the black desktop screen with only the recycle bin icon,” wrote a user on May 22 on another thread.
“On my Dell it just kept restarting, trying to reinstall the software. On the Asus after every restart, it goes back to the setup screen telling me these ‘updates help protect you from an online world’.”
As per The Register, a US computer-repair firm Computer Cellar has written a post on Reddit blaming the issue on Avast antivirus because a number of users who also run that AV have had the same problems.
Indeed, some Reddit users do claim they were running Avast when they struck problems after updating to the Windows 10 April 2018 Update, while others claim to be using AVG, which is owned by Avast.
However, there are also multiple Reddit users who claim not to be running either antivirus and yet are experiencing the same problem.
Avast told the publication it has tested the issue and “don’t see any indications this is caused by Avast”.
Either way, it’s sparked a debate about whether Windows 10’s built-in antivirus, Windows Defender, is sufficient protection, or whether consumers need third-party antivirus.
Once upon a time, Microsoft consistently trailed third-party antivirus firms in malware detection tests run by AV-Comparatives and AV-Test. Nowadays Windows Defender scores as high if not higher than Kaspersky and Symantec.
And as Microsoft recently boasted, these machine learning-led improvements to its antivirus are paying off in the enterprise, where Windows Defender has a 50 percent share of Windows 10 devices.
But this supposed third-party antivirus problem isn’t the only teething issue Windows 10 users have had since Microsoft released the Windows 10 April 2018 Update.
Earlier this month, Microsoft said it was aware of some devices hanging or freezing when using apps such as ‘Hey Cortana’ or Chrome, after installing the Windows 10 April 2018 Update and was working on a fix.
Microsoft has also told users with Intel SSD 600p Series or Intel SSD Pro 6000p Series to roll back to the Windows 10 Fall Creators Update because the latest update was causing crashes.
Read the original article over at ZDNet.com.
Google Chrome Has a Built-In Password Generator. Here’s how to use it!
Chrome has a surprising number of features that are hidden or not well known that can offer a great deal of functionality for users. One of these features is a built-in password generator that can be used to create strong passwords when creating new accounts and a password manager called Smart Lock that stores these passwords on Google.com so that you can retrieve them later.
With the constant stream of reported data breaches, it should come as no surprise that it is important to use unique and strong passwords at every site you visit. Unfortunately, remembering a unique password for each site you use is a daunting, if not impossible, task without the use of a password manager.
While there are plenty of password managers available with more features, if you are a fan of Chrome and Google and want an all-in-one solution, then Chrome’s built-in password generator and the Smart Lock manager may be the solution you are looking for.
Enabling Chrome’s Strong Password Generator
In order to use Chrome’s password generator and manager, you first need to enable password synchronization by logging into Chrome using your Google account. To do this, go into Chrome’s settings (chrome://settings) and click on the “Sign in to Chrome” link as shown below.
Once you sign in, you will be shown a prompt stating synchronization has been enabled. The settings screen will also show you as signed in with Sync set to On.
Now we need to enable password generation using the experimental features screen. To access this screen, type chrome://flags in the Chrome address bar and you will be shown a list of experimental features you can enable.
In the “Search flags” field, type password and you should see a new flag called “Password generation”. Set this flag to Enabled and Chrome will display an alert stating that you need to relaunch the browser. Click on the “Relaunch Now” button to do so.
Once Chrome has restarted, the feature will be enabled and we can use Chrome to generate strong passwords.
Generating Passwords with Chrome at Account Creation Screens
Now that we have the “Password generation” flag enabled, if Google recognizes a password field on an account creation screen and you click in the field, it should automatically generate the password for you and display it. Unfortunately, Chrome does not always do a good job detecting these types of fields and does not generate a password.
In this case, you will need to right-click in Chrome and select “Generate password…” as shown in the context menu below.
Once you generate a password, Chrome will display a dialog box showing the generated password.
If you click on the password, it will automatically be inserted into both the password and password confirmation fields. This password will also be saved to Google’s Smart Lock password manager so that Chrome, and other devices you are logged into, can automatically log you into the site the next time you visit.
To see a list of passwords stored in Smart Lock you can either go to https://passwords.google.com or to the chrome://settings/passwords page in Chrome.
Using Google’s Smart Lock Password Manager
Whenever you generate a password or log into an account and save your password, the password and account information is saved into Google’s Smart Lock password manager. This allows Chrome to automatically insert a saved username and password into a site’s login form when you visit the site in the future.
You can also tell if Smart Lock has a saved password for the site you are at as it will display a little key in the address bar as shown below.
If you have multiple accounts at a site, you can select which account you wish to login with by clicking on the key. Once clicked, it will display all saved accounts for the particular site you are trying to login to.
To manage your stored passwords you can either go to https://passwords.google.com or to the chrome://settings/passwords page in Chrome. From here you can disable auto sign-in, view any saved passwords, and saved account credentials. Unfortunately, unless a username was saved at the same time as the password, there is no way to edit it later.
While Chrome’s password generator and Smart Lock password manager are good for most people, it definitely has some shortcomings compared to full featured password managers. For example, you can’t add a username if one wasn’t originally saved with the password, you can’t edit a password and instead have to delete and resave the entire account, and you cannot organize your saved passwords.
For those types of features, you would want to use a full featured password manager product such as LastPass, Dashlane, or KeePass. If all you need is the ability to save unique passwords at each site you visit and be automatically signed into them, then Chrome’s password manager does the job well.
Read the original article over at Bleeping Computer.