New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

The Trump administration is giving American companies another three months to do business with the Chinese telecom giant Huawei, the Commerce Department said Monday. From a report: It is the third time the U.S. has extended a reprieve, which is meant to help ease disruption for Huawei customers. Many Internet and cellphone carriers in rural parts of the U.S. buy networking equipment from Huawei, and the temporary extension means they can keep their networks up to date. "The Temporary General License extension will allow carriers to continue to service customers in some of the most remote areas of the United States who would otherwise be left in the dark," said Commerce Secretary Wilbur Ross in a statement.

An anonymous reader writes: A team of academics has disclosed today two vulnerabilities known collectively as TPM-FAIL that could allow an attacker to retrieve cryptographic keys stored inside TPMs. The first vulnerability is CVE-2019-11090 and impacts Intel's Platform Trust Technology (PTT). Intel PTT is Intel's fTPM software-based TPM solution and is widely used on servers, desktops, and laptops, being supported on all Intel CPUs released since 2013, starting with the Haswell generation. The second is CVE-2019-16863 and impacts the ST33 TPM chip made by STMicroelectronics. This chip is incredibly popular and is used on a wide array of devices ranging from networking equipment to cloud servers, being one of the few chips that received a CommonCriteria (CC) EAL 4+ classification — which implies it comes with built-in protection against side-channel attacks like the ones discovered by the research team. Unlike most TPM attacks, these ones were deemed practical. A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes depending on the access level. We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a virtual private network (VPN) server in 5 hours.

Dell is planning to offer business clients a subscription model for products like servers and personal computers, "seeking to counter the lure of cloud services from Amazon and Microsoft," reports Bloomberg. From the report: Dell and its hardware peers have been under pressure to offer corporate clients the flexibility and simplicity of infrastructure cloud services. Public cloud titans such as Amazon Web Services and Microsoft Azure have cut demand for data-center hardware as more businesses look to rent computing power rather than invest in their own server farms. Rival Hewlett Packard Enterprise said in June that it would move to a subscription model by 2022. Research firm Gartner predicts 15% of data-center hardware deals will include pay-per-use pricing in 2022, up from 1% in 2019, Dell said.

Dell is making it easier for clients to upgrade their hardware since they don't have to spend a large amount of capital expenditures upfront, but can pay a smaller amount each month that counts toward a company's operating expenditures. For the consumption programs, customers pay for the amount of storage or computing power they use. Companies can also hire Dell to completely manage their hardware infrastructure for them. While Dell's overall sales climbed 2% in the quarter that ended Aug. 2, demand for its servers and networking gear dropped 12% in a reversal from last year, when there was unprecedented customer interest in the products. Dell still expects the vast majority of customers to pay upfront for products in the next three to five years, Grocott said.

Twitter is proposing a handful of new features designed to help its users spot "synthetic" or "manipulated" media, including deepfake videos. From a report: The social networking giant last month announced plans to implement a new policy around media assets that have been altered to mislead the public. Today heralds Twitter's first draft proposal, alongside a public consultation period, as it works to refine the rules and how they will be enforced. "When you come to Twitter to see what's happening in the world, we want you to have context about the content you're seeing and engaging with," said Twitter VP of trust and safety Del Harvey in a blog post. "Deliberate attempts to mislead or confuse people through manipulated media undermine the integrity of the conversation."

All major browsers -- including Chrome, Firefox, Safari, Opera, Microsoft Edge, Vivaldi, Brave -- have plans to support DNS-over-HTTPS (or DoH), a protocol that encrypts DNS traffic and helps improve a user's privacy on the web. From a report: The DoH protocol has been one of the year's hot topics. It's a protocol that, when deployed inside a browser, it allows the browser to hide DNS requests and responses inside regular-looking HTTPS traffic. Doing this makes a user's DNS traffic invisible to third-party network observers, such as ISPs. But while users love DoH and have deemed it a privacy boon, ISPs, networking operators, and cyber-security vendors hate it. A UK ISP called Mozilla an "internet villain" for its plans to roll out DoH, and a Comcast-backed lobby group has been caught preparing a misleading document about DoH that they were planning to present to US lawmakers in the hopes of preventing DoH's broader rollout. However, this may be a little too late. ZDNet has spent the week reaching out to major web browser providers to gauge their future plans regarding DoH, and all vendors plan to ship it, in one form or another.

New submitter Myself writes: There's a funny thing about a global satellite system that beams signals down to anyone to use: It also means anyone can monitor the performance thereof. So when such a system suffers a crippling days-long outage and the operators are tight-lipped about why, look no further than Bert Hubert (who you may know from the PowerDNS project) to scramble together a bunch of code and a worldwide network of volunteers, to analyze exactly what happened. This is the story of how and why the Galileo GNSS network was down for a whole week.

In one of America's top cities for property crime, the Atlantic examines the "porch pirate" of San Francisco's Potrero Hill. It's an 8,000-word long read about how one of the neighborhood's troubled long-time residents "entered a vortex of smart cameras, Nextdoor rants, and cellphone surveillance," in a town where the public hospital she was born in is now named after Mark Zuckerberg.

Her story begins when a 30-something product marketing manager at Google received a notification on his iPhone from his home surveillance camera, sharing a recording of a woman stealing a package from his porch. He cruises the neighborhood, spots her boarding a city bus, and calls 911, having her arrested. The article notes that 17% of America's homeowners now own a smart video surveillance device. But it also seems to be trying to bring another perspective to "the citizen surveillance facilitated by porch cams and Nextdoor to the benefit of corporations and venture capitalists."

From the article: Under the reasoning that more surveillance improves public safety, over 500 police departments -- including in Houston and a stretch of Los Angeles suburbs -- have partnered with Ring. Many departments advertise rebates for Ring devices on government social-media channels, sometimes offering up to $125. Ring matches the rebate up to $50. Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation, a nonprofit focused on digital civil liberties, said it's unseemly to use taxpayer money to subsidize the build-out of citizen surveillance. Amazon and other moneyed tech companies competing for market share are "enlisting law enforcement to be their sales force, to have the cops give it their imprimatur of credibility," said Maass, a claim echoed in an open letter to government agencies from more than 30 civil-rights organizations this fall and a petition asking Congress to investigate the Ring partnerships. (Ring disputes this characterization....)

In some cities, the relationship between the police and companies has gone beyond marketing. Amazon is helping police departments run "bait box" operations, in which police place decoy boxes on porches -- often with GPS trackers inside -- to capture anyone who tries to steal them... Amazon sent police free branded boxes, and even heat maps of areas where the company's customers suffer the most thefts...

Stings and porch-pirate footage attract media attention -- but what comes next for the thieves rarely gets the same limelight. Often, perpetrators face punishments whose scale might surprise the amateur smart-cam detectives and Nextdoor sleuths who help nail them... In December, the U.S. attorney for the Eastern District of Arkansas announced an enforcement campaign called Operation Porch Pirate. Two suspects were arrested and charged with federal mail theft. One pleaded guilty to stealing $170.42 worth of goods, including camouflage crew socks and a Call of Duty video game from Amazon, and was sentenced to 14 months of probation. Another pleaded guilty to possession of stolen mail -- four packages, two from Amazon -- and awaits sentencing of up to five years in prison and a $250,000 fine...

While porch cams have been used to investigate cases as serious as homicides, the surveillance and neighborhood social networking typically make a particular type of crime especially visible: those lower-level ones happening out in public, committed by the poorest. Despite the much higher cost of white-collar crime, it seems to cause less societal hand-wringing than what might be caught on a Ring camera, said W. David Ball, a professor at Santa Clara University School of Law. "Did people really feel that crime was 'out of control' after Theranos?" he said. "People lost hundreds of millions of dollars. You would have to break into every single car in San Francisco for the next ten years to amount to the amount stolen under Theranos."
In the article the EFF's investigative researcher also asks if police end up providing more protection to affluent communities than the ones that can't afford Amazon's Ring cameras. But W. David Ball, the law professor, also asks whether locking up low-level criminals is just ignoring the larger issue of poverty in increasingly expensive cities.

"Everyone assumes that jail works to deter people. But I don't know if I were hungry, and had no other way of eating, that that would deter me from stealing."

hackingbear writes: As reported by market researcher Canalys, Chinese tech giant and smartphone maker Huawei posted 66% annual growth, reaching a staggering 42% market share in China, which is the largest, albeit slightly shrinking, smartphone market in the world. A combination of keen pricing, technical innovation and patriotism has turned its strong domestic position into a dominant one, at the expense of Apple, whose market share has dropped to 5.1%, as well as other Chinese vendors such as Vivo and Xiaomi.

"Huawei is in a strong position to consolidate its dominance further amid 5G network rollout," Canalys commented. The Shenzhen tech giant knows that the impact of the blacklist is limited by unwavering support at home, where the headline loss of full-fat Android, its biggest international issue, has no impact -- Google's software and services are unavailable in China, while completely removing US-made semiconductors and components from its phones and networking gear.

harrymcc writes: On October 29, 1969, a graduate student in a UCLA computer science lab logged into a computer hundreds of miles away at the Stanford Research Institute. It was the first connection via ARPANET, which -- after 20 years as a government and academic network -- evolved into the modern internet. Over at Fast Company, Mark Sullivan marked the anniversary by visiting the room where the historic login took place and talking to three of the people who made it happen.

An anonymous reader quotes ISP Review: The RIPE Network Coordination Centre (RIPE NCC), which manages regional distribution of internet addresses for the UK, Europe, Middle East and parts of Central Asia, has confirmed that their final reserve pool of Internet Protocol v4 (IPv4) addresses will completely run out in November 2019. Strictly speaking the Regional Internet Registry (RIR) started running out of address space in 2012 and began rationing the little they had left. Fast forward a few years and at the start of October 2019 it was confirmed that they only had 1 million IPv4 addresses left in their available pool (out of 4 billion addresses total), "which we expect to run out in November 2019...."

Thankfully many ISPs, devices and services have now introduced "newer" IPv6 addresses, although some still have a lot of work to do (e.g. TalkTalk)... A Spokesperson for RIPE NCC told ISPreview.co.uk "... IPv4 'run-out' has long been anticipated and planned for by the technical community and no one needs to worry about the Internet suddenly breaking. But it does mean that the pressure will continue to build for many networks, necessitating the use of complex and expensive workarounds.

"Our advice to network operators is to take stock of their IP resources and to make sure their IPv6 plans are making progress."

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.

Two senior members of Congress, Senate Minority Leader Charles E. Schumer (D-N.Y.) and Sen. Tom Cotton (R-Ark.), asked U.S. intelligence officials late Wednesday to determine whether the Chinese-owned social-networking app TikTok poses "national security risks." From a report: In a letter to Joseph Maguire, the director of national intelligence, the lawmakers questioned TikTok's data-collection practices and whether the app adheres to censorship rules directed by the Chinese government that could limit what U.S. users see. TikTok, which provides users a feed of short videos, has become wildly popular among teenagers worldwide. "With over 110 million downloads in the U.S. alone, TikTok is a potential counterintelligence threat we cannot ignore," wrote Schumer and Cotton, who sits on the Senate Intelligence Committee. "Given these concerns, we ask that the Intelligence Community conduct an assessment of the national security risks posed by TikTok and other China-based content platforms operating in the U.S. and brief Congress on these findings."

A publicly-funded group of designers, artists and privacy experts from Amsterdam have designed a smart home system prototype to "prove it's technically possible to build a privacy respecting smart home while maintaining convenience."

Its controller uses an Arduino Nano to disconnect the system from the internet during times when it's not in use. They're building everything on Mozilla's open smart home gateway software. The system's microphone is a separate USB device that can be easily unplugged. For extra security, the devices don't even use wifi to communicate.

"The Candle devices offer the advantages of a smart home system -- such as voice control, handy automations and useful insights -- without the downsides of sending your data to the cloud and feeling watched in your own home," explains their blurb for Dutch Design Week, where they're launching their prototypes of trust-worthy smart locks, thermostats, and other Internet of Things devices: Most smart devices promises us an easier life, but they increasingly disappoint; they eavesdrop, share our data with countless third parties, and offer attractive targets to hackers. Candle is different. Your data never leaves your home, all devices work fine without an internet connection, and everything is open source and transparent.
One of the group's members is long-time Slashdot reader mrwireless, who shares an interesting observation: Smart homes track everything that happens inside them. For developing teenagers, this makes it more difficult to sneak in a date or break the rules in other subtle ways, which is a normal, healthy part of growing up. Candle is a prototype smart home that tries to mitigate these issue. It has given its sensors the ability to generate fake data for a while. In the future, children could get a monthly fake data allowance.

Some of the devices have "skirts", simple fabric covers that can be draped over the devices to hide their screen. If you own a dust sensor, this can be useful if your mother in law comes over and you haven't vacuumed in a while.

Google appears to be removing apps that have donation links, including open-source apps where donations are one of the main sources of revenue. WireGuard, a free and open-source VPN, has been reportedly dropped over this according to WireGuard lead developer Jason Donenfeld. Phoronix reports: After waiting days for Google to review the latest version of their secure VPN tunnel application, it was approved and then removed and delisted -- including older versions of WireGuard. The reversal comes on the basis of violating their "payments policy." The only bit of possible "payments" within the WireGuard app is a donation link within the program taking the user to the WireGuard website should anyone want to donate to support this promising open-source secure networking tech. An appeal to the situation was also rejected by Google, Donenfeld has confirmed this morning on their mailing list. In trying to make it back into Android's Play Store, Jason has dropped the donation link from the Android app version while it's still awaiting review from Google. UPDATE: WireGuard lead developer Jason Donenfeld says the app "has been relisted on the Play Store in its usual location," adding: "Sorry again for any inconvenience this has caused users, or caused developers who depend on the availability of our app for use by their own users. We won't be making any similar changes unless we're certain that we won't be delisted."

Not a great start to the day for Cisco employees, many of which are struggling in the face of an internal IT outage. From a report: The technology and networking giant confirmed in a tweet it was "aware of some disruption" to its IT systems and is "working" on restoring the network. Worse, the company's corporate blog also went kaput. For a period, Cisco's blog was displaying the default WordPress install page. But at the time of publication, the blog had been restored. Some customers were unable to login through Cisco's single sign-on.

Smartphone maker Vivo, broadcaster CCTV, and internet giant Tencent said today they are suspending all cooperation with the National Basketball Association, becoming the latest Chinese firms to cut ties with the league after a tweet from a Houston Rockets executive supporting Hong Kong's pro-democracy protesters offended many in the world's most populous nation. From a report: Vivo, which is a key sponsor for the upcoming exhibition games to be played in Shanghai and Shenzhen this week, said in a statement on Chinese social networking platform Weibo, that it was "dissatisfied" with Rockets General Manager Daryl Morey's views on Hong Kong. In a tweet over the weekend, Morey voiced his support for protesters in Hong Kong. He said, "Fight for freedom, stand with Hong Kong." Even as he quickly moved to delete the tweet and the NBA attempted to smoothen the dialogue, Morey's views had offended many in China, which maintains a low tolerance for criticism of its political system. In a statement, the NBA said it was "regrettable" that Morey's views had "deeply offended many of our friends and fans in China." This stance from the NBA, which has grown accustomed to seeing its star players speak freely and criticize anyone they wish including the U.S. president Donald Trump, in turn, offended many.

Earlier today, Chinese state broadcaster CCTV said it was also suspending broadcasts of the league's games to be played in China. China remains a key strategic nation for the NBA. According to official figures, more than 600 million viewers in China watched the NBA content during the 2017-18 season. The league's five-year partnership with Chinese tech giant Tencent for digital streaming rights of matches is reported to be worth $1.5 billion. In a statement issued today, Tencent Sports said it was "temporarily suspending" the pre-season broadcast arrangements.

"Big Cable and other telecom industry groups warned that Google's support for DNS over HTTPS (DoH) 'could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues,'" reports Ars Technica.

But are they really just worried DNS over HTTPS will end useful ISP practices that involve monitoring or modifying DNS queries? For example, queries to malware-associated domains can be a signal that a customer's computer is infected with malware. In some cases, ISPs also modify customers' DNS queries in-flight. For example, an easy way to block children from accessing adult materials is with an ISP-level filter that rewrites DNS queries for banned domains. Some public Wi-Fi networks use modified DNS queries as a way to redirect users to a network sign-on page. Some ISPs also use DNS snooping for more controversial purposes -- like ad targeting or policing their networks for copyright infringement. Widespread adoption of DoH would limit ISPs' ability to both monitor and modify customer queries.

It wouldn't necessarily eliminate this ability, since ISPs could still use these techniques for customers who use the ISP's own DNS servers. But if customers switched to third-party DNS servers -- either from Google or one of its various competitors -- then ISPs would no longer have an easy way to tell which sites customers were accessing. ISPs could still see which IP addresses a customer had accessed, which would give them some information -- this can be an effective way to detect malware infections, for example. But this is a cruder way to monitor Internet traffic. Multiple domains can share a single IP address, and domains can change IP addresses over time. So ISPs would wind up with reduced visibility into their customers' browsing habits.

But a switch to DoH would clearly mean ISPs had less ability to monitor and manipulate their customers' browsing activity. Indeed, for advocates that's the point. They believe users, not their ISPs, should be in charge... [I]t's hard to see a policy problem here. ISPs' ability to eavesdrop on their customers' DNS queries is little more than a historical accident. In recent years, websites across the Internet have adopted encryption for the contents of their sites. The encryption of DNS is the natural next step toward a more secure Internet. It may require some painful adjustments by ISPs, but that hardly seems like a reason for policymakers to block the change.

Wired reports on both Sidewalk, Amazon's new low-bandwidth long-range wireless networking protocol, and Apple's new position- and distance-measuring U1 chip (mentioned in a recent keynote). Apple's U1 chip -- which allows precise, indoor positional tracking via the latest iPhones and will power, at the very least, directional AirDrop file-sharing -- popped up on screen but was never even mentioned. The interest-piquing phrase "GPS at the scale of your living room" was saved for the online iPhone product pages rather than the bombast of the Steve Jobs Theater... Both Amazon and Apple have the hardware scale to build up the base of access points needed to create a useful network before reaching out to, most likely, iOS developers in Apple's case, and hardware makers already on board with Alexa in Amazon's case. For Amazon, in fact, that work has already begun as Sidewalk originally came out of the Ring team's ambition to extend its connected security devices out into gardens. "Ring lighting was the first time we ran into it as a company, because we wanted to extend out onto the sidewalk," says Daniel Rausch, VP of smart home at Amazon (which owns Ring).

The smart outoor Ring lights are already out. Products like the Smart Floodlight and Pathlight list a "wireless connection to the Ring Bridge" in the tech specs but eagle-eyed Ring owners had already started to figure out what band Amazon was playing with for this connection, before the Sidewalk announcement. "They've been using an internal version of the protocol on the freely available and unlicensed 900MHz part of the spectrum already," explains Rausch. "What we realised was 'woah, we can actually do something special'. We can make a version of this protocol which is secure and have this unbelievably ubiquitous coverage if we bring it all together, neighbours and neighbours and neighbours...." An innocent smart dog tracker like Ring Fetch fits perfectly into this model of Amazon-networked communities sharing video, alerts and location tracking.

Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade "Layer 7" routers to steal payment card details. From a report: This discovery is a game-changer in what researchers call Magecart attacks, also known as web skimming. These are attacks where hackers plant malicious code on an online store that records and steals payment card details. Until now, Magecart-specific code was only delivered at the website level, hidden inside JavaScript or PHP files. However, this new discovery is an escalation of Magecart attacks to a new level, where the malicious code is injected at the router level, rather than being added by hackers on outdated websites.

Layer 7, or L7, routers are a type of commercial, heavy-duty router that's usually installed on large networks, such as hotels, malls, airports, casinos, government networks, public spaces, and others. They work like any other router, except with the added benefit of being able to manipulate traffic at the seventh layer (application level) of the OSI networking model -- meaning they can react to traffic based on more than just IP addresses, such as cookies, domain names, browser types, and more. In a report published today, researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team said they found evidence that a well-known hacker group has been testing Magecart scripts to deploy on L7 routers.