Feed aggregator

Hacking Slack accounts: As easy as searching GitHub

Ars Technica - Thu, 28/04/2016 - 21:34

A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.

According to a blog post published Thursday, company researchers recently estimated that about 1,500 access tokens were publicly available, some belonging to people who worked for Fortune 500 companies, payment providers, Internet service providers, and health care providers. The researchers privately reported their findings to Slack, and the chat service said it regularly monitors public sites for posts that publish the sensitive tokens.

Still, a current search on GitHub returned more than 7,400 pages containing "xoxp." That's the prefix contained in tokens that in many cases allow automated scripts to access a Slack account, even when it's protected by two-factor authentication. A separate search uncovered more than 4,100 Slack tokens with the prefix "xoxb." Not all results contained the remainder of the token that's required for logging in, but many appeared to do just that. By including valid tokens in code that's made available to the world, developers make it possible for unscrupulous people to access the private conversations between the developers and the companies they work for and to download files and private Web links they exchange.

Read 6 remaining paragraphs | Comments

Report: Google is building a hardware division led by former Motorola president

Ars Technica - Thu, 28/04/2016 - 21:20

Enlarge / Our Alphabet org chart. Welcome the new hardware division. (credit: Ron Amadeo)

Google is building a hardware division. That's according to a report from Re/code, which says that Google is forming a new division with former Motorola President Rick Osterloh at the helm.

Motorola was the old "Google hardware division" that Google decided it didn't want. Osterloh originally joined Google via the company's Motorola purchase in 2011 and was named CEO of Motorola after Dennis Woodside left. Google sold Motorola to Lenovo in 2014, and Osterloh left Motorola last month after some Lenovo "reorganization" at Motorola. Google has now snapped him up. Osterloh becomes a senior vice president at Google, which puts the hardware group on equal footing with Android, Ads, Search, and YouTube.

According to the report, the Google Hardware Division will absorb most of the hardware projects inside Google. There's the good stuff from the Chrome/Android division like Nexus devices, Chromecasts, and Chromebooks, along with Google and Alphabet's struggling hardware projects that haven't had much of a home—OnHub, ATAP (the Advanced Technology and Projects group), and Google Glass. OnHub was born in Alphabet's "Access" division that also houses Google Fiber. OnHub is a router that promises to someday become a smart home device, but so far it hasn't materialized. ATAP has yet to ship an actual piece of hardware and recently had its leader—former DARPA head Regina Dugan—leave for Facebook. Google Glass failed rather spectacularly in the public and later become a forgotten-about group under Tony Fadell's leadership, but not part of Nest. Re/code notes that there's also apparently a new "living room" group in the hardware division.

Read 1 remaining paragraphs | Comments

Beyoncé’s Lemonade Is Making the Lemon Emoji Very Popular

Wired - Thu, 28/04/2016 - 21:01
Use of the emoji has been much higher than normal on Twitter since Beyoncé released her latest album and accompanying film. The post Beyoncé’s Lemonade Is Making the Lemon Emoji Very Popular appeared first on WIRED.

FCC proposes new price regulations for cable—but not for home Internet

Ars Technica - Thu, 28/04/2016 - 20:47

(credit: Getty Images | Martin Hospach)

The Federal Communications Commission today proposed new price regulations for so-called “business data services,” potentially bringing Comcast and other cable companies under a type of regulatory regime that already applied to phone companies such as AT&T and Verizon.

The price rules won’t extend to home Internet or the typical broadband service that companies buy to get their employees online. Instead, this form of data connectivity—also called “special access”—is sometimes thought of as the Internet equivalent of a barrel of oil.

Even if you don’t know what a barrel of oil costs, its price affects how much you pay for gas. Similarly, special access prices can affect what ordinary consumers pay for mobile broadband. Wireless carriers buy special access to supply bandwidth for their cellular data networks, so the prices charged can indirectly affect the monthly bills paid by smartphone users.

Read 18 remaining paragraphs | Comments

First FISC Phone Records Ruling Post-USA FREEDOM Exposes Shortcomings of Reforms

EFF Breaking News - Thu, 28/04/2016 - 20:39

The secretive Foreign Intelligence Surveillance Court (FISC) had its first opportunity to review a government request for telephone call records since the enactment in June 2015 of the USA FREEDOM Act, which placed some restrictions and oversight on the NSA’s surveillance powers. Unfortunately the results of this first post-USA FREEDOM FISC review are not pretty, and remind us all that there is still much work to be done.

In approving a request for “call detail records” by the FBI, Judge Thomas Hogan allowed the FBI to get people’s call records even in the absence of any belief that those records will be relevant to an investigation, and let the bureau keep records with no foreign intelligence value for 6 months or longer even though USA FREEDOM requires “prompt” destruction of such records. He also declined to take advantage of the new provisions that allow him to appoint an amicus to help sort through the new statute. The opinion, issued on December 31, 2015, was made public April 19, 2016.

We know that USA FREEDOM made small changes to reform and rein in NSA’s power to spy on Americans, and didn’t go as far as we would have liked. Yet we view the reforms as important changes in the law that ended some bulk surveillance, and brought more transparency to the FISC, an entity that operates mostly in secret and grants nearly every government surveillance request it receives. This opinion shows how limited these reforms are, which is not especially surprising but nevertheless disappointing and troubling.

Government Can Collect Phone Records Even if They Are Not Relevant

In its request, the FBI was expressly limited under USA FREEDOM to receiving only call detail records of a particular individual, account, or device that the government has a “reasonably articulable suspicion” is relevant to an international terrorism investigation. The narrow “individual, account or personal device” phrase is known in the law as a “specific selection term. ” The records of calls made to and from this selector are referred to as “first hop” call records. The government misinterpreted Section 215 of the Patriot Act as allowing it to collect in bulk all call records from numerous phone companies for renewable 90-day periods, an interpretation we challenged in our First Unitarian v. NSA case as well as in Jewel v. NSA and Smith v. Obama. Replacing this bulk collection with a “specific selection term” requirement was one of the major reforms we fought for and won in USA FREEDOM.

Judge Hogan approved the FBI’s request for first hop records, acknowledging that “reasonable articulable suspicion” was a less demanding standard than the “probable cause” standard required by the Fourth Amendment. This is consistent with the FISC’s long and regrettable history of finding that we all have no Fourth Amendment privacy interests in our phone records.

But Judge Hogan went even farther. He permitted the bureau to cast a wider net and get records of calls made to and from numbers that called or were called by numbers in the first hop (these additional records are known as “second hop” records). This second hop sweeps into government possession the associated records of thousands of people, the vast and overwhelming majority of whom, if not all, are known to be completely innocent. And it can be a big number. As this handy Guardian slider demonstrates, for a person who has 190 contacts, which Facebook says is its users’ average number of friends, the second hop gathers over 31,000 other people. For a person with just 50 contacts, the second hop still gathers in over 8,000 other people.

Although this "bulky" collection of second hop records is provided for in USA FREEDOM, here the government’s attempted justification for casting this wide net is generic and weak. The most the government could muster about the usefulness of these records was that they “enhance” the government’s ability to uncover “previously unknown Foreign power-associated identifiers” and “reasonably could lead” to the identification of persons that could assist in preventing terrorism. The government didn't try to prove these particular selectors would yield useful second hop records.

This is a far cry from “probable cause” but it’s even less than “relevant” or even “reasonable articulable suspicion.”

Yet Judge Hogan went even further than the government. He found that it was fine for the government to do that even if the second hop call records were not relevant at all to an international terrorism investigation. He explained that although USA FREEDOM requires that the first hop records be relevant, it doesn’t specifically require relevance for the second hop records:

The Court concludes, however, that no such relevance showing is required for the call detail records produced during the “second hop.”

As a result, given the likely large number of initial selectors, the FBI now gets phone records of, at least, hundreds of thousands people not suspected of doing anything illegal. And it gets them without having to prove that those records will be relevant to an investigation. While this is less than the collection of all the phone records from a carrier, it is still massively overbroad. Congress was wrong to allow it to continue. But ultimately, this a consequence of not applying the Fourth Amendment to phone records.

Keeping Backdoor Records for 6+ Months Is “Prompt Destruction”

In one of its significant reforms, USA FREEDOM added a requirement for the “prompt destruction of all call detail records produced under the order that the Government determines are not foreign intelligence information.”

But belying this requirement for “prompt destruction,” Judge Hogan approved the FBI’s request to keep certain records for 6 months and possibly longer. Judge Hogan found that the USA FREEDOM “prompt destruction” provision had to be reconciled with a pre-USA FREEDOM provision that allowed for the retention of “information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.” Judge Hogan uncritically found that the government’s proposed 6-month retention period for call records that “are reasonably believed to contain” evidence of a crime satisfied both parts of the law.

Regardless of what one thinks of this perceived need to reconcile the provision allowing for retention and the one requiring prompt destruction—and it is debatable whether Judge Hogan’s perceived need to reconcile them is valid—it is difficult under any circumstance to read the word “prompt” as meaning “at least six months and maybe more.”

Judge Hogan’s opinion, like the Section 702 opinion made public the same day, also confirms that these privacy-eroding surveillance programs aren’t just for combating terrorism or even foreign intelligence investigations. Rather, the government uses these records for general, domestic criminal investigations, what’s been called a “backdoor” use of information purportedly gathered for foreign intelligence purposes only. The government likes to refer to the collection of non-foreign intelligence information as “incidental.” But this collection of records is “incidental” only in the sense that domestic crime is not the initial target. The collection of records for domestic law enforcement uses is purposeful—not accidental, surprising, or unintended.

No Amicus Appointed Despite This Being the First Interpretation of USA FREEDOM

Another crucial innovation of USA FREEDOM was meant to fix the one-sidedness of the FISC by creating of a panel of amici curiae—friends of the court—to provide a counterpoint to the government’s otherwise unchallenged arguments. USA FREEDOM requires the FISC to appoint a friend of the court when the case involves a “novel or significant interpretation of law, unless the court issues a finding that such appointment is not appropriate.”

But here Judge Hogan declined to appoint an amicus even though this request required him to interpret the newly effective provisions of USA FREEDOM for the very first time, including the law’s “prompt destruction” requirement.

It is hard to imagine a more novel interpretation of law than a court’s initial interpretation of a statute. The apparent conflict between the “prompt destruction” and the retention provisions, for example, seems like a ripe area for amicus assistance. But, tautologically, Judge Hogan ruled that he did not need the amicus because he figured it out himself:

As demonstrated, however, in the final analysis the supposed conflict between Sections 501(c)(2)(F)(vii)(I) and 501(g)(2)(C) never actualized. As a result, no statutory conflict emerged that required the Court to engage in interpretation of the law – versus the straightforward application of the statute such that FISA Section 103(i) was implicated.

Under that standard, an amicus will only be appointed when the FISC judge doesn’t think she can figure out how to interpret the law on her own. This standard defeats the purpose of the amicus to provide an opposing view to the government, and shows that the amicus provision can and will be too easily avoided.

But Two Bits of Good News

Like the FISC opinion on Section 702 surveillance made public the same day, we know about this opinion. Prior to USA FREEDOM, there was no requirement that a FISC opinion be considered for publication.

And second, nowhere in the opinion does the FISC use the ungrammatical, obfuscating NSA jargon “telephony metadata.”

Small steps. Big disappointment.

Related Cases: Smith v. ObamaJewel v. NSAFirst Unitarian Church of Los Angeles v. NSA
Share this: Join EFF

Why Facebook Is Killing It—Even When Nobody Else Is

Wired - Thu, 28/04/2016 - 20:27
As other major tech companies stumble, Facebook is golden. And, for that, you can thank Mark Zuckerberg. The post Why Facebook Is Killing It—Even When Nobody Else Is appeared first on WIRED.

Annotated Volcano: A Spectacular View of Tenerife From the ISS

Wired - Thu, 28/04/2016 - 20:07
A spectacular view of Tenerife in the Canary Island shows off its volcanic history. The post Annotated Volcano: A Spectacular View of Tenerife From the ISS appeared first on WIRED.

Hands-on: HP’s Chromebook 13 isn’t cheap, but it’s high-quality hardware

Ars Technica - Thu, 28/04/2016 - 20:05

The low end of the Chromebook market is well-served, partly because Chromebooks do best in the cash-strapped education market and because the simplicity (and limitations) of ChromeOS are a better fit for budget hardware. For people who want something high-end, there’s always the $999 Chromebook Pixel, but that leaves a big space in between for people who want to make something that looks and feels nice but doesn’t cost a ton.

Certainly, there have been efforts. The Toshiba Chromebook 2 had a gorgeous 1080p IPS screen but a relatively weak Intel CPU. Dell’s Chromebook 13 is solidly mid-range, though the best features (including a 1080p screen, faster chips, and more RAM) are reserved for the higher-end models. And now there’s the HP Chromebook 13, which is merely a decent Chromebook at its $499 starting price but a full-on Chromebook Pixel competitor if you’re willing to pay more.

At $499, you get a 13.3-inch 1080p screen, a Skylake-based 1.5GHz Pentium 4405Y (which despite its name is a relative to the low-power Core M), 4GB of 1866MHz DDR3 RAM, and a 1080p screen, which isn’t bad for the price. A Core M-derived Pentium is still going to deliver stronger performance (particularly in the single-threaded CPU and the graphics departments) than the Atom-derived Celerons and Pentiums that ship in many low-end Chromebooks.

Read 9 remaining paragraphs | Comments

Call of Duty 4: Modern Warfare remake announced with poop-pants emoji

Ars Technica - Thu, 28/04/2016 - 19:31

A remake of Call of Duty 4: Modern Warfare is apparently in the works after the official Call of Duty Twitter account replied to a 16-month-old tweet with two emoji: pile of poo and jeans.


HP’s New Laptop Is a Whole Lotta Chromebook for $550

Wired - Thu, 28/04/2016 - 19:18
The HP Chromebook 13 looks like a $1,000 Pixel, feels like a $1,000 MacBook Air, and acts like a browser. The post HP's New Laptop Is a Whole Lotta Chromebook for $550 appeared first on WIRED.

7 Essential Apps for Aspiring Chefs, Even the Lazy Ones

Wired - Thu, 28/04/2016 - 19:14
Fasten your apron and load up these cooking apps to bring out your inner chef. The post 7 Essential Apps for Aspiring Chefs, Even the Lazy Ones appeared first on WIRED.

UWP, 4K, and no wheel support: Gear up for Forza’s first PC racer on May 5

Ars Technica - Thu, 28/04/2016 - 18:47

Forza 6 Apex's weather effects weren't shown in motion beyond a mere trailer tease, so we're curious whether rain detail will impact 4K performance. (credit: Microsoft/Turn 10)

After its late-February tease, Microsoft Studios and Turn 10 are finally ready to unleash the Forza Motorsport racing series on PCs—and as we reported at the game's reveal event, it's coming in an unusual way. Forza Motorsport 6 Apex will launch exclusively on Windows 10 PCs on Thursday, May 5, in the form of a free "open beta" downloadable from the Windows Store. Based on our early Apex impressions, PC players are essentially getting a limited trial version of last year's Xbox One racer as opposed to a particularly new experience.

Having seen Forza 6 Apex in the flesh, we know the game will be a huge conversation starter for PC gamers for many reasons. For one, if high-end PC owners can replicate the 4K-resolution, 60-frames-per-second performance that we saw on Turn 10's monstrous test rig, they'll be in for the most incredible public demo of DirectX 12 technology yet released. Forza 6 Apex's real-time demo looked incredible, as that silky-smooth refresh rate faced zero stutters while rendering giant textures and gorgeous lighting effects.

Nighttime racing in 4K.

6 more images in gallery

.related-stories { display: none !important; }

On the other hand, it remains to be seen exactly how well Apex will scale on weaker PCs; Turn 10 currently recommends at least a 3.7Ghz i3 processor and 2GB of VRAM. Also, since the game is tied to the beleaguered Universal Windows Platform (UWP), users may once more face issues like the inability to disable v-sync and a forced borderless, full-screen mode.

Read 3 remaining paragraphs | Comments

Ted Cruz not great at buying domain names, loses CruzFiorina.com

Ars Technica - Thu, 28/04/2016 - 18:26

Senator Ted Cruz. (credit: Gage Skidmore)

Sen. Ted Cruz (R-Texas) clearly needs to fire whoever buys domain names for him.

The Republican presidential contender, having already lost the obvious TedCruz.com—settling for TedCruz.org—missed out Wednesday on the predictable URL to incorporate his new running mate, Carly Fiorina. The former CEO of Hewlett-Packard herself ran as a GOP presidential candidate but dropped out earlier this year after failing to gain much traction with Republican voters.

According to Politico, GOP consultant Matt Mackowiak “made the snap decision” to buy CruzFiorina.com as news of Cruz’ vice presidential pick broke. For his part, Cruz settled on CruzCarly.com. Mackowiak re-directed his domain to a donation page for the Leukemia & Lymphoma Society.

Read 3 remaining paragraphs | Comments

Cape Watch: Suicide Squad Might Give the Joker a New Origin Story

Wired - Thu, 28/04/2016 - 18:25
This week's superhero movie roundup has everything: Deadpool, scary clowns, and even a Wonder Man cameo. Read on if you want in on the joke. The post Cape Watch: Suicide Squad Might Give the Joker a New Origin Story appeared first on WIRED.

Goodbye, Nexus 9—you will not be missed

Ars Technica - Thu, 28/04/2016 - 18:15

The Nexus 9.

Yesterday we got news of two new Nexus devices, and today we're losing a Nexus device. It looks like the Nexus 9 is dead. The tablet has been unceremoniously removed from the Google Store—the product page now just redirects to the generic Nexus listing page, and the "tablets" link in the navigation bar now points to the Pixel C only. RIP, Nexus 9.

The HTC-built Nexus 9 had a rough life. The Nvidia Tegra-powered tablet launched in November 2014 to a very poor reception. The supposedly "premium" tablet had a squishy back, the backlight leaked, sometimes the buttons didn't work, and the device was generally not worth its $400 price tag. It hit the bargain bin almost immediately, with HTC selling it for half price a day after launch. As an Android tablet, its apps were neglected by developers and Google, and it was resigned to a life of running stretched-out phone apps forever. It even failed as a Nexus device, taking a whopping two months to be updated to Android 5.1.

The Nexus 9 was replaced by the better-but-still-not-good Pixel C, which improved on the N9 with a metal body and removable keyboard, but it was still a tough sell at $499 with unfinished software. Now Google's troubled tablet can be laid to rest.

Read on Ars Technica | Comments

Rainbow Six: Siege reportedly reveals your IP address to potential attackers

Ars Technica - Thu, 28/04/2016 - 18:02

Artist's rendition of the horde of DDoS requests coming at your router.

Rainbow Six: Siege players are complaining that the game continues to make their global IP address available to other players, putting those players at risk for DDoS attacks from bitter opponents.

The problem seems to stem from the way the game implements voice chat between players. Back in September, Ubisoft confirmed that while the game uses dedicated servers to host matches, it still uses direct, peer-to-peer connections "strictly to support voice and chat comms for a team." Beta players began noticing almost immediately that this infrastructure decision presents a pretty big security hole when playing with strangers on the Internet. This netcode analysis from January shows how a simple packet sniffer like NetLimiter could easily reveal the IP addresses of all other players in the match, even though voice chat is only available between teammates during a match.

Armed with these IP addresses, unscrupulous players could easily use any number of services to initiate a DDoS attack to remove opposing players from the game. There's a decent amount of evidence that many players were doing just that to gain a leg up in ranked matches, with some managing to climb the in-game ranking ladder despite awful play statistics.

Read 5 remaining paragraphs | Comments

Dealmaster: Get a Dell Optiplex compact desktop with Core i7 for just $725

Ars Technica - Thu, 28/04/2016 - 17:35

Greetings, Arsians! Courtesy of our partners at TechBargains, we have a number of deals to share today. The highlight is a great deal on the Dell Optiplex 5040 compact desktop—save big on this tiny PC and get it now for just $725 instead of the usual $1,270. This compact desktop has been recently redesigned to be even more space-efficient, measuring 3.6-inches wide and 11.4-inches high, and it supports Core i7 Skylake processors. It's ideal for anyone who wants to save on space but doesn't want to compromise on computing power.

Don't forget to check out the rest of our deals below.


Read 5 remaining paragraphs | Comments

Insane ‘Swooping’ Skydiving Makes Your Tandem Jump Look Lame

Wired - Thu, 28/04/2016 - 17:32
In canopy piloting, the goal isn't to get to the ground safely. It's to get there as quickly as possible. The post Insane 'Swooping' Skydiving Makes Your Tandem Jump Look Lame appeared first on WIRED.

Comcast Is Buying DreamWorks to Challenge Disney Head On

Wired - Thu, 28/04/2016 - 17:12
It's all about family matters. The post Comcast Is Buying DreamWorks to Challenge Disney Head On appeared first on WIRED.

Michal Čihař: Weblate 2.6

Planet Debian - Thu, 28/04/2016 - 17:00

Going back to faster release cycle, Weblate 2.6 has been just released. There is improved support for Python 3 or brand new HTTP REST API.

Full list of changes for 2.6:

  • Fixed validation of subprojects with language filter.
  • Improved support for XLIFF files.
  • Fixed machine translation for non English sources.
  • Added REST API.
  • Django 1.10 compatibility.
  • Added categories to whiteboard messages.

If you are upgrading from older version, please follow our upgrading instructions.

You can find more information about Weblate on https://weblate.org, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. You can login there with demo account using demo password or register your own user. Weblate is also being used https://hosted.weblate.org/ as official translating service for phpMyAdmin, OsmAnd, Aptoide, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations, thanks to everybody who have helped so far! The roadmap for next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing bounty for them.

Filed under: English phpMyAdmin SUSE Weblate | 0 comments

Syndicate content