Posted on

US Government Details Procedure In Revealing Security Vulnerabilities

The U.S. government has detailed the guidelines it follows on revealing security flaws to companies.

Unveiled in its Vulnerabilities Equities Policy, the White House delved into the specific set of rules it follows while working alongside various government agencies, such as the National Security Agency (NSA) and the Department of Homeland Security.

The VEP Charter touches on how the federal government handles the process that determines whether they should inform a company about a cyber security flaw found in its service or product. But the document also mentions how they may also withhold showing the vulnerability so it can be used for “operational or intelligence-gathering purposes”.

In a blog post, White House cybersecurity coordinator Rob Joyce stressed the importance of transparency, with the release of the once-private rules being “important to establish confidence” in the government’s decision-making process.

A flow chart in the charter details how the board starts the process with analyzing how dangerous the security flaw is, as well looking at the amount of potential damage that could be caused and how easy it is for the vulnerability to be exploited by hackers.

The agencies will also consider using the vulnerability for their own benefit, as well as assessing the risks involved with how the U.S.’s relationship with other countries and companies will be affected should it be revealed that the government had knowledge of the security defect.

The review occurs in the space of five days but is expedited if attacks because of vulnerability are already being used. The board then must come to a consensus on whether to reveal the security flaw to the company or not. Should the board decide to disclose the vulnerability, it must alert the company in seven business days. However, if the powers that be determine that the discovered flaw should be kept a secret, the board will annually review it until they have a change of heart or it becomes known to the public.

The government has been criticized for keeping security exploits it’s discovered a secret from an affected company. For example, a vulnerability that was being exploited by the NSA led to the WannaCry/WannaCrypt ransomware global outbreak, prompting Microsoft to condemn the government’s insistence in keeping certain security flaws to itself.

Posted on

Apple Releases iOS 11.1.2 Update: What Features Are Included?

Today Apple released iOS 11.1.2 for the iPhone, iPad and iPod touch. Apple did not release any iOS 11.1.2 betas to developers or the public before it was rolled out today. As iOS 11.1.2 is a minor point release, Apple did not add any major features in this update.

Apple is currently in the process of testing iOS 11.2 in beta, which is expected to support Apple Pay Cash and SiriKit for the HomePod with limited third-party developer support. iOS 11.1.2 is the sixth update to iOS 11 following iOS 11.0.1, iOS 11.0.2, iOS 11.0.3, iOS 11.1 and iOS 11.1.1. And this version of iOS is specifically a minor point update for the iOS 11.1 iteration with a couple of bug fixes.

iOS 11.1.1 contained a fix for the keyboard auto-correct problem that caused the letter “i” to be converted to an “a” with a question mark symbol next to it and a fix for a problem that caused “Hey Siri” to stop working.

iOS 11.1 included over 70 new emoji and it brought back the 3D multitasking gesture. iOS 11.1 also included bug fixes where Live Photo effects played back slowly and a problem that caused Mail notifications to reappear on the Lock screen.

iOS 11.0.3 fixed a bug that caused the audio and haptic feedback to become dysfunctional on a number of iPhone 7 and iPhone 7 Plus devices. And iOS 11.0.3 also fixed an issue that caused the touch input to become unresponsive on some iPhone 6s displays that were not serviced with genuine Apple parts.

iOS 11.0.2 contained fixes for bugs that caused crackling noises in the iPhone 8 earpiece, a bug that caused attachments in S/MIME encrypted emails to not be able to open and a bug that prevented photos from appearing on certain devices.

iOS 11.0.1 fixed a bug that caused synchronization issues in Outlook.com, Office 365 and Exchange Server 2016 running on Windows Server 2016 in Apple Mail. And it also had performance improvements for iMessage app Drawer, Springboard, and App Explorer.

The big iOS 11 release was on September 19th and it brought many new features. The new features in iOS 11 included Do Not Disturb While Driving, the new Files app, document scanning in the Notes app, the app drawer in the Messages app, a customizable Control Center, indoor airport and mall maps, lane guidance in the Maps app, Live Photos editing and new iPad multitasking tools.

In the release notes, Apple said that iOS 11.1.2 fixes two issues. The first issue that iOS 11.1.2 fixes is a bug that causes the iPhone X screen to become temporarily unresponsive to touch after a rapid decrease in temperature. And the second issue that iOS 11.1.2 fixes is a bug that causes distortion in Live Photos and videos captured with the iPhone X.

Apple confirmed the iPhone X temperature problem about a week ago and said that the issue would be “addressed in an upcoming software update.” I am impressed with that kind of turnaround time.

Posted on

FCC vote could force low-income households offline

Bootstrapping yourself out of poverty via the internet is about to get a lot harder in the US. The FCC, led by industry-friendly chairman Ajit Pai, has voted along party lines to reform the low-income Lifeline broadband subsidy program. Among the most contentious items are a proposal to tighten eligibility requirements and cap spending, and another to halt subsidies through internet resellers like Windstream. If voted through, the latter proposal could force over 70 percent of Lifeline enrollees to seek a new provider, and many would have no option at all.

Lifeline gives low-income households a $9.25 monthly credit towards discounted home internet service from 900 participating companies. Until last year, that could only be applied to landline and mobile voice service, but former FCC Chairman Tom Wheeler expanded the program to broadband early last year. However, Pai scrapped an FCC directive that came at the end of Wheeler’s tenure that allowed nine new companies to participate, and promised more cost-cutting reforms, supposedly to close the digital divide.

Some of the reforms are still in the proposal stages, but the FCC issued an order yesterday that directly affects Tribal land residents. Those folks used to receive a $25 monthly subsidy on top of the $9.25 discount, but in 90 days, they’ll no longer be able to obtain the $25 subsidy through resellers. That will give many Native Americans far fewer options for mobile internet. “This will be a travesty to Indian Country because it will turn back the clock to times when consumers had but one choice,” Joe Redcloud from the South Dakota Sioux Tribe told the Washington Post.

Another proposal suggests that the FCC eliminate Lifeline subsidies across the US through carriers that don’t operate their own networks, but resell services from AT&T, Verizon and other companies. Advocacy group Public Knowledge says that 70 percent of Lifeline subscribers use such resellers, so they would be forced to use AT&T, T-Mobile and other direct providers.

This is not real reform. This is cruelty. It is at odds with our
statutory duty. It will do little more than consign too many
communities to the wrong side of the digital divide.

However, those carriers are often more expensive than resellers, so switching could eliminate much of the $9.25 Lifeline benefit. In some instances, low-income users wouldn’t have any option at all. “In many states, facilities-based providers have opted out of offering Lifeline-supported service altogether and prefer to allow non-facilities-based wireless providers to serve Lifeline subscribers and the low-income segments of the wireless market,” Public Knowledge wrote.

Finally, the FCC is looking at a cap that could drastically reduce the Lifeline budget and institute more rigorous checks. “The reforms that we implement and propose today seek to … curtail the waste, fraud and abuse that continue to plague the Lifeline program,” Pai said ahead of the vote. That includes forcing subscribers — many of whom have their broadband bill entirely paid by Lifeline — into co-paying part of their bill.

That could effectively cut off a lot of the most needy Lifeline recipients from the internet altogether. “The co-pay requirement would create significant attrition in the program since most subscribers are on plans that provide no-cost service, and many Lifeline subscribers lack bank accounts and access to basic financial services,” Public Knowledge said.

The advocacy group notes that there is no support for the FCC’s plan in the 50-plus dockets filed since the proposal was issued. Meanwhile, dozens of others from veterans, seniors, Tribes, and even the wireless industry have urged it not to implement the proposed items. Commissioner Jessica Rosenworcel, who voted against the bill, put it succinctly. “This is not real reform. This is cruelty,” she said. “It is at odds with our statutory duty. It will do little more than consign too many communities to the wrong side of the digital divide.”

Posted on

Twitter’s 280 character tweets are rolling out for (almost) everyone today

After testing a new 280-character limit a couple of months ago, Twitter is rolling out the new limit to everyone, starting today.

Twitter says you shouldn’t expect to see an apocalyptic flood of massive tweets now, though. According to its data, the number of tweets with a higher-than-average character count was small after the initial novelty wore off. In fact, only 5 percent of tweets sent by testers were longer than 140 characters.
According to Twitter’s Product Manager Aliza Rosen:

We saw when people needed to use more than 140 characters, they Tweeted more easily and more often. But importantly, people Tweeted below 140 most of the time and the brevity of Twitter remained.

I’m not sure whether that means Twitter is actually committed to the 140 character limit long term, or whether we’re just conditioned to self-edit and will grow out of that when all of us have the option.

The new character limit will be available to all languages that have problems with cramming. According to a spokesperson, Japanese, Korean, and Chinese languages don’t require a higher limit due to the languages inherently having more meaning packed into every character than in, say, English. As such, those who tweet primarily in those languages don’t have as much of a problem with cramming.

Posted on

The Windows 10 Fall Creators Update Is Here

The Windows 10 Fall Creators Update is here. Microsoft’s latest major upgrade to its desktop OS brings with it plenty of changes, from new visual styles to the dawn of Windows Mixed Reality, and you can now install the update to see how things have improved from the Creators Update.

Much of the focus on the Fall Creators Update, at least among enthusiasts, will be on Windows Mixed Reality. This is Microsoft’s attempt to prove that mixed reality headsets will soon be one of the primary ways we interact with our devices instead of luxury items used mostly for entertainment. Dell, Samsung, and several other companies have prepared headsets for launch alongside the Fall Creators Update.

But that doesn’t mean the only thing worth paying attention to in the Fall Creators Update is Windows Mixed Reality. The release also sees the debut of Fluent Design, improves central utilities like Action Center and Task Manager, and introduces new features that expand upon Windows 10’s capabilities. Yet some of the update’s standout features—Story Remix and new Windows Timeline prime among them—are missing.

Windows Mixed Reality

In case you’ve missed our flurry of coverage over the last year, Windows Mixed Reality is the new name for Windows Holographic. Microsoft believes wearing a mixed reality headset will soon become just as common as using a desktop or laptop PC, and it wants its OS to be ready for that shift. Now it’s finally here, and that means you’ll be able to see for yourself how it compares to platforms like Oculus and HTC Vive.

First, you’ll have to make sure your PC meets the minimum requirements for Windows Mixed Reality. The base platform isn’t all that taxing—you can get away with a modern CPU with integrated graphics—but Windows Mixed Reality Ultra requires more powerful processors and dedicated graphics. (Windows Mixed Reality Ultra offers improved performance, support for more software, and other benefits over the base platform.)

You can learn how to check if your PC supports Windows Mixed Reality here. Once you’ve done that, just head to the Mixed Reality Portal from the Start menu, agree to Microsoft’s terms, and then follow the setup process, which should be quite simple.

Fluent Design, New Features, And What’s Missing

The Windows 10 Fall Creators Update also features some obvious changes to Windows 10’s design. Microsoft has implemented a new Fluent Design system that emphasizes textures, lighting, and motion to make it easier for people to use Windows apps and services. Fluent Design also appears to have been influenced by HoloLens, and it seems poised to prepare Windows for use across both traditional PCs and mixed reality headsets.

The Fall Creators Update is more than just a new coat of paint, however. Microsoft also introduced some new features, such as a GPU monitor in Task Manager, ransomware protections via the Windows Defender Exploit Guard, and expanded PDF support in the Edge browser. These won’t lead to monumental shifts in how you use Windows; they’re simply quality-of-life improvements meant to refine Windows 10’s base experience.

Similar changes were made to gaming on Windows 10. Microsoft will now let you toggle the performance-enhancing Game Mode right from the Game bar (where you can buy a Game cocktail and watch a Game game on the Game TV) instead of having to rifle through the Settings app. You can also check on network quality issues via an Xbox Networking section in Settings, and you should notice improved Mixer broadcasting.

All of these changes, as well as the many improvements Microsoft made to Windows 10’s accessibility, are welcome. But it seems like the Fall Creators Update lacks any single marquee feature that will compel everyone to upgrade. Windows Mixed Reality is the main attraction, but how many people will actually be purchasing one?

It wasn’t supposed to be this way. Microsoft showed off new apps at Build that would’ve made the Fall Creators Update seem like a much bigger deal. Perhaps the coolest was Story Remix, an app that lets you combine photos, videos, music, and 3D objects into one AI-generated video. Story Remix was stunning, but it’s nowhere to be found in the Fall Creators Update. Many of its features were instead added to the existing Photos app, with the notable exception of the support for 3D objects, which is said to be coming at a later date.

The new Windows Timeline, which promised to make it easy to access backups of your files or pick up where you left off in an app, is also missing. Its omission comes as less of a surprise because Joe Belfiore, corporate vice president of Windows, said in July that it wouldn’t debut alongside the Fall Creators Update. Instead, Microsoft told us that features announced at Build would merely start to roll out with this release.

You can find a full list of the changes coming in the Fall Creators Update in Microsoft’s blog post about its release.

How You Can Get It

If you’re itching to give Windows Mixed Reality a whirl, or if you simply like to use the latest version of Windows as soon as it’s available, you can download it starting at 10am PT today. There are two ways to update—Microsoft’s preferred way, and the impatient way. Both are easy to do.

Microsoft would prefer for you to wait for the Fall Creators Update to roll out to your device. The company is staggering the release of new Windows updates to select hardware to ensure the best experience on as many systems as possible. If you have a newer system, you’ll be prompted to install the Fall Creators Update before those with older systems. You can also go to the Windows Update section in the Settings app to see if you’re part of the first group to receive the update. If you are, it will start to download immediately.

But waiting is for squares. That’s why Microsoft will also let you manually install the Fall Creators Update by heading to its Software Download Site (its capitalization) and clicking “Update now.” Once you do that, the Update Assistant will help you get things rolling. Easy-peezy.

Posted on

FTC Asked To Investigate Hackable Kids’ Smartwatches

The Norwegian Consumer Council and Mnemonic, a security company, revealed that several brands of smartwatches made for children are easily hackable. In response to these findings, U.S. privacy groups have asked the Federal Trade Commission (FTC) to investigate the products’ makers.

These watches are equipped with GPS capabilities that are supposed to let parents keep track of their children’s locations. The Norwegian Consumer Council and Mnemonic tested the security of four of these watches; three had serious flaws. Mnemonic said in its announcement that the vulnerabilities are “not technically difficult to exploit, and in two cases, allow a third party to covertly take control over the watch.”

“It’s very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly,” says Finn Myrstad, Director of Digital Policy at the Norwegian Consumer Council. “Importers and retailers must know what they stock and sell. These watches have no place on a shop’s shelf, let alone on a child’s wrist.”

Yet at this point, the fact that these watches are easily compromised shouldn’t come as a shock to anyone. Here’s the common sequence of events: An internet-connected product is released, purchased by a bunch of people, and then hacked. It’s gotten to the point where the FBI warned parents not to buy internet-connected toys without vetting them first, and Mattel preemptively canceled a kid-focused IoT device called “Aristotle.”

There were more concerns about some of the devices. In addition to putting children’s data at risk of being hacked, several of the companies’ terms and conditions violate the Norwegian Marketing Control Act and the Personal Data Act by not allowing accounts to be deleted, or they were simply lacking terms and conditions. That means the data collected by these watches is just waiting to be abused to suit the companies’ own purposes.

That’s why the Electronic Privacy Information Center (EPIC), The Center for Digital Democracy, and other U.S. privacy groups asked the FTC to investigate the Norwegian Consumer Council and Mnemonic’s findings. In a letter, the groups said “this is a real risk to children’s safety” and urged the regulator to be more proactive in protecting kids from companies like this.