Month: March 2018

Enlarge / Thumbs down for this week's weird Facebook survey. (credit: Getty Images / Hiroshi Watanabe)

Facebook's ongoing effort to solicit user feedback reached a bizarre low over the weekend. As reported by The Guardian, the social network included a question in a survey that allowed responders to indicate that FB should allow illegal, sexualized content from teenagers on the platform.

A screengrab clarified the exact phrasing of two questions, and these appear to combine stock question templates with a controversial phrase: "a private message in which an adult man asks a 14-year-old girl for sexual pictures." The first asked how users thought Facebook should respond to such a scenario, and it included positive-sounding answers such as, "this content should be allowed on Facebook, and I would not mind seeing it."

The second question asked "who should be deciding the rules" on that kind of content appearing on Facebook, and its answers included, "Facebook decides the rules on its own," "external experts decide the rules and tell Facebook," and "users decide the rules by voting and telling Facebook."

Enlarge / The LLVM dragon logo, in honor of the dragon book. (credit: Apple)

Google's Chrome browser is now built using the Clang compiler on Windows. Previously built using the Microsoft C++ compiler, Google is now using the same compiler for Windows, macOS, Linux, and Android, and the switch makes Chrome arguably the first major software project to use Clang on Windows.

Chrome on macOS and Linux has long been built using the Clang compiler and the LLVM toolchain. The open-source compiler is the compiler of choice on macOS, making it the natural option there, and it's also a first-class choice for Linux; though the venerable GCC is still the primary compiler choice on Linux, by using Clang instead, Google ensured that it has only one set of compiler quirks and oddities to work with rather than two.

But Chrome on Windows has instead used Microsoft's Visual C++ compiler. The Visual C++ compiler is the best-supported, most widely used compiler on Windows and, critically, is the compiler with the best support for Windows' wide range of debugging and diagnostic tools. The Visual Studio debugger is widely loved by the C++ community, and other tools, such as the WinDbg debugger (often used for analyzing crash dumps), are core parts of the Windows developer experience.

Enlarge / Bugs in some carriers’ 4G LTE implementations and flaws in parts of the standard could make anyone nationwide a target for hacks and surveillance. (credit: T-Link Wireless)

There have been lots of reasons to be concerned about how easily someone with the right tools and knowledge could do very bad things with cellular communications networks. And while none of them have necessarily been to the level of some of the fictional stunts pulled off on television (see Mr. Robot), new research shows that things are even worse than they appear—and in many cases, that’s because of how carriers have implemented cellular standards.

As ZDNet’s Zack Whittaker reports, researchers at Purdue University and the University of Iowa conducting tests of 4G LTE networks have uncovered 10 new types of attacks. They made this discovery as part of their evaluation of a proof-of-concept 4G LTE penetration testing toolset, called LTEInspector. Combined with nine previously known attack methods that Syed Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino also identified as still being usable against many carrier networks, the collection of exploits could be used to track device owners, eavesdrop on texts and other sensitive data, and even pose as them on cellular networks and spoof location and other data. An attacker could even spoof warning messages like those used by government agencies and weather services—such as the false missile warning sent out by a Hawaii government employee.

The security of 4G LTE networks is largely based on obscurity—many of the implementations are proprietary “black boxes,” as the Purdue and Iowa researchers put it, which makes performing true security evaluations difficult. And because of the large range of sub-components that must be configured, along with the need to be able to handle devices configured primarily for another carrier, there is a lot of slush in LTE implementations and not a lot of transparency about network security. Recent IEEE-published research found that implementations of the “control plane” for various LTE networks varied widely—problems found on one network didn’t occur on others.

This is Cortana. (credit: Cortana)

Cortana is coming to the Outlook email and calendar app for iOS and Android, according to The Verge. The publication cites sources "familiar with Microsoft's Outlook plans."

Microsoft is reportedly testing a feature internally that would allow users to verbally ask the virtual assistant Cortana to read their emails to them in both iOS and Android. This would be particularly useful for commuters who depend on Outlook for their email and who want to get caught up while driving into work.

Google Assistant does not offer similar functionality with Outlook. Siri, Apple's own digital assistant built into iOS, already does this, but not with the Outlook app. In most cases, you must use Apple's own Mail app to access these kinds of features.

(credit: California Department of Water Resources)

A new technique that abuses poorly secured servers is fueling record-breaking denial-of-service attacks, along with notes demanding the targets pay hefty ransoms for the debilitating flood of junk traffic to stop.

As Ars reported last week, memcached, a database caching system for speeding up websites and networks, lets DDoS vandals amplify their attacks by an unprecedented factor of 51,000. That means a single home computer with a 100 megabit-per-second upload capacity from its ISP is capable of bombarding a target with a once-unimaginable 5 terabits per second of traffic, at least in theory.

Following the discovery that DDoS vandals in the wild were abusing open memcached servers, researchers last week predicted a new round of record attacks. Two days later, DDoS mitigation service Akamai/Prolexic reported the 1.3Tbps attack against Github, just slightly topping previous records set in 2016.