Trivial Authentication Bypass In Libssh Leaves Servers Wide Open

Ars Technica reports on "a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server." It's not clear how many sites or devices may be vulnerable, since neither the widely used OpenSSH nor GitHub's implementation of libssh was affected. From the report: The vulnerability, which was introduced in libssh version 0.6 released in 2014, makes it possible to log in by presenting a server with an SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple's macOS let people log in as admin without entering a password. On the brighter side, there were no immediate signs of any big-name sites being bitten by the bug, which is indexed as CVE-2018-10933. While GitHub uses libssh, site officials said on Twitter that " and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library." In a follow-up tweet, GitHub security officials said they use a customized version of libssh that implements an authentication mechanism separate from the one provided by the library. Out of an abundance of caution, GitHub has installed a patch released with Tuesday's advisory. Another limitation: only libssh running in server mode is affected; client mode is unaffected. Peter Winter-Smith, a researcher at security firm NCC who discovered the bug and privately reported it to libssh developers, told Ars the vulnerability is the result of libssh using the same machine state to authenticate clients and servers. Because exploits involve behavior that's safe in the client but unsafe in the server context, only servers are affected. Read more of this story at Slashdot.
2018-10-17 21:00:01
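A toy model of the state-machine flaw described above, written for this digest and not taken from libssh itself: one session class handles userauth messages for both roles, and a flag switches between the shared-handler behaviour that let a server act on the client-side SSH2_MSG_USERAUTH_SUCCESS message and the corrected behaviour that treats it as a protocol error in server mode. The message numbers are the RFC 4252 values; the demo password, the class names and the role_checked flag are assumptions made for the example.

```python
from enum import Enum, auto

# SSH userauth message numbers (RFC 4252).
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_SUCCESS = 52

# Constructed credential for the demo; a real server checks keys or passwords.
DEMO_PASSWORD = "hypothetical-pw"


class Role(Enum):
    CLIENT = auto()
    SERVER = auto()


class Session:
    """Toy userauth state for one side of an SSH connection (assumed model).

    role_checked=False: one handler table serves both roles, so a server-mode
    session also runs the client's handler for USERAUTH_SUCCESS (the flaw).
    role_checked=True: a server only ever sends that message; receiving it
    is a protocol error (the fix).
    """

    def __init__(self, role, role_checked):
        self.role = role
        self.role_checked = role_checked
        self.authenticated = False

    def receive(self, msg_type, payload=None):
        """Handle one incoming userauth message; returns a short outcome string."""
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            if self.role is not Role.SERVER:
                return "protocol error: client received USERAUTH_REQUEST"
            if payload == DEMO_PASSWORD:
                self.authenticated = True
                return "sent USERAUTH_SUCCESS"
            return "sent USERAUTH_FAILURE"
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            if self.role_checked and self.role is Role.SERVER:
                return "protocol error: server received USERAUTH_SUCCESS"
            self.authenticated = True  # right for a client, fatal for an unchecked server
            return "authenticated"
        return "ignored"


def server_accepts(messages, role_checked):
    """Feed (msg_type, payload) pairs to a server session; True if the peer got in."""
    srv = Session(Role.SERVER, role_checked)
    for msg_type, payload in messages:
        srv.receive(msg_type, payload)
    return srv.authenticated
```

The same input sequence flips from accepted to rejected purely on the role check, which is the one-line class of fix the advisory's patch corresponds to in this model.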
Facebook Lured Advertisers By Inflating Ad-watch Times Up To 900 Percent

Zorro shares a report from The Mercury News: Not only did Facebook inflate ad-watching metrics by up to 900 percent (Warning: source may be paywalled, alternative source), it knew for more than a year that its average-viewership estimates were wrong and kept quiet about it, a new legal filing claims. A group of small advertisers suing the Menlo Park social media titan alleged in the filing that Facebook "induced" advertisers to buy video ads on its platform because advertisers believed Facebook users were watching video ads for longer than they actually were. That "unethical, unscrupulous" behavior by Facebook constituted fraud because it was "likely to deceive" advertisers, the filing alleged. The latest allegations arose out of a lawsuit that the advertisers filed against Mark Zuckerberg-led Facebook in federal court in 2016 over alleged inflation of ad-watching metrics. "Suggestions that we in any way tried to hide this issue from our partners are false," the company told The Wall Street Journal. "We told our customers about the error when we discovered it -- and updated our help center to explain the issue." "The plaintiffs are seeking class-action status to bring other advertisers into the legal action, plus unspecified damages," reports The Mercury News. "They also want the court to order a third-party audit of Facebook's video-ad metrics." Read more of this story at Slashdot.
2018-10-17 19:00:01
Apple Launches Portal For US Users To Download Their Data

An anonymous reader quotes a report from Bloomberg: Apple on Wednesday began allowing users in the U.S. to download a copy of all of the data that they have stored with the company from a single online portal. U.S. users will be able to download data such as all of their address book contacts, calendar appointments, music streaming preferences and details about past Apple product repairs. Previously, customers could get their data by contacting Apple directly. In May, when Apple first launched the online privacy portal, it only allowed U.S. users to either correct their data or delete their Apple accounts. Read more of this story at Slashdot.
2018-10-17 17:45:01
Facebook Posts May Point To Depression, Study Finds

People's Facebook posts might predict whether they are suffering from depression, researchers reported this week. From a report: The researchers found that the words people used seemed to indicate whether they would later be diagnosed with depression. The findings offer a way to flag people who may be in need of help, but they also raise important questions about people's health privacy, the team reported in the Proceedings of the National Academy of Sciences. People who were later clinically diagnosed with depression used more "I" language, according to Johannes Eichstaedt of the University of Pennsylvania and his colleagues. They also used more words reflecting loneliness, sadness and hostility. "We observed that users who ultimately had a diagnosis of depression used more first-person singular pronouns, suggesting a preoccupation with the self," they wrote. That is an indicator of depression in some people. The team recruited 683 people who visited an emergency room for their study and asked to see their Facebook pages. Most were not depressed, but 114 had a depression diagnosis in their medical records. Read more of this story at Slashdot.
2018-10-17 17:00:01
Former Top Waymo Engineer Altered Code To Go on 'Forbidden Routes', Report Says

In the early days of what ultimately became Waymo, Google's self-driving car division (known at the time as "Project Chauffeur"), there were "more than a dozen accidents, at least three of which were serious," according to a new article in The New Yorker. From a report: The magazine profiled Anthony Levandowski, the former Google engineer who was at the center of the Waymo v. Uber trade secrets lawsuit. According to the article, back in 2011, Levandowski also modified the autonomous software to take the prototype Priuses on "otherwise forbidden routes." Citing an anonymous source, The New Yorker reports that Levandowski sat behind the wheel as the safety driver, along with Isaac Taylor, a Google executive. But while they were in the car, the Prius "accidentally boxed in another vehicle," a Camry. As The New Yorker wrote: "A human driver could easily have handled the situation by slowing down and letting the Camry merge into traffic, but Google's software wasn't prepared for this scenario. The cars continued speeding down the freeway side by side. The Camry's driver jerked his car onto the right shoulder. Then, apparently trying to avoid a guard rail, he veered to the left; the Camry pinwheeled across the freeway and into the median. Levandowski, who was acting as the safety driver, swerved hard to avoid colliding with the Camry, causing Taylor to injure his spine so severely that he eventually required multiple surgeries." This was apparently just one of several accidents in Project Chauffeur's early days. Read more of this story at Slashdot.
2018-10-17 16:15:02
Driverless Car Hype Gives Way To E-Scooter Mania Among Technorati

Millions of dollars in funding and billions of dollars in valuations have made scooters the next big thing since the last big thing. From a report: When Michael Ramsey, an analyst for technology research firm Gartner, started in February to put together his 2018 "hype cycle" report for the future of transportation, he had plenty of topics to choose from: electric vehicles, flying cars, 5G, blockchain, and, of course, autonomous vehicles. But one type of transportation is conspicuously absent from the results of the report: electric scooters. "At the time, outside of California, these scooters were really not that common," Ramsey said. "That's how much has happened." As for autonomous vehicles, which have enjoyed years of hype as the next big thing, Ramsey labeled them sliding into "the trough of disillusionment," which Ramsey described as "when expectations don't meet the truth." In a matter of months, electric scooter startups have gone from tech oddity to global phenomenon. In some cities, hundreds of scooters suddenly showed up on streets from companies including Bird and Lime, leaving municipalities to figure out how to handle the sudden influx of two-wheeled travelers. The concept behind the scooters is simple: A user can grab any available scooter, unlock it with an app, ride to their destination, and leave the scooter there for someone else to use. Even by the hyper-growth expectations of Silicon Valley, the rise of scooter companies has been dizzying. Scooters can be found in more than 125 cities in the U.S. and more than 10 across the globe. In the year after their launch, both Lime and Bird said their scooters had been used for more than 10 million rides. Read more of this story at Slashdot.
2018-10-17 15:45:01
Researcher Finds Simple Way of Backdooring Windows PCs and Nobody Notices for Ten Months

A security researcher from Colombia has found a way of gaining admin rights and boot persistence on Windows PCs that's simple to execute and hard to stop -- all the features that hackers and malware authors are looking for from an exploitation technique. From a report: What's more surprising is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has received neither media coverage nor been seen employed in malware campaigns. Discovered by Sebastian Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID). The RID is a code appended to account security identifiers (SIDs) that describes that user's permissions group. There are several RIDs available, but the most common ones are 501 for the standard guest account and 500 for admin accounts. Castro, with help from CSL CEO Pedro Garcia, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group. The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password. But in cases where a hacker has a foothold on a system -- via either malware or by brute-forcing an account with a weak password -- the hacker can give admin permissions to a compromised low-level account and gain a permanent backdoor with full SYSTEM access on a Windows PC. Read more of this story at Slashdot.
2018-10-17 15:00:01
Someone Used a Deep Learning AI To Perfectly Insert Harrison Ford Into "Solo: A Star Wars Story"

Andrew Liszewski, writing for io9: Casting anyone other than Harrison Ford in the role of Han Solo just feels like sacrilege, but since Ford is now 76 years old, playing a younger version of himself would be all but impossible. Or at least impossible if you rely on the standard Hollywood de-aging tricks like makeup and CG. Artificial intelligence, it turns out, does a pretty amazing job at putting Ford back into the role of Solo. The YouTube channel "derpfakes" has been posting videos that demonstrate the impressive, and at times frightening, capabilities of image processing using artificial intelligence. Using a process called deep learning, an AI analyzes a large collection of photos of a given person, creating a comprehensive database of them in almost any position and pose. It then uses that database to intelligently perform an automatic face replacement on a source clip, in this case replacing actor Alden Ehrenreich's face with Harrison Ford's. Read more of this story at Slashdot.
2018-10-17 14:15:01
Fortnite, GTA V hackers face legal action for online cheating

Take-Two, Epic Games use lawsuits, search warrants in battle against cheaters.
2018-10-17 11:45:01
Actors Are Digitally Preserving Themselves To Continue Their Careers Beyond the Grave

Improvements in CGI mean neither age nor death need stop some performers from working. From a report: From Carrie Fisher in Rogue One: A Star Wars Story to Paul Walker in the Fast & Furious movies, dead and magically "de-aged" actors are appearing more frequently on movie screens. Sometimes they even appear on stage: next year, an Amy Winehouse hologram will be going on tour to raise money for a charity established in the late singer's memory. Some actors and movie studios are buckling down and preparing for an inevitable future when using scanning technology to preserve 3-D digital replicas of performers is routine. Just because your star is inconveniently dead doesn't mean your generation-spanning blockbuster franchise can't continue to rake in the dough. Get the tech right and you can cash in on superstars and iconic characters forever. [...] For celebrities, these scans are a chance to make money for their families post mortem, extend their legacy -- and even, in some strange way, preserve their youth. Visual-effects company Digital Domain -- which has worked on major pictures like Avengers: Infinity War and Ready Player One -- has also taken on individual celebrities as clients, though it hasn't publicized the service. "We haven't, you know, taken out any ads in newspapers to 'Save your likeness,'" says Darren Hendler, director of the firm's Digital Humans Group. The suite of services that the company offers actors includes a range of different scans to capture their famous faces from every conceivable angle -- making it simpler to re-create them in the future. Using hundreds of custom LED lights arranged in a sphere, numerous images can be recorded in seconds capturing what the person's face looks like lit from every angle -- and right down to the pores. Read more of this story at Slashdot.
2018-10-17 11:30:02