Government

Trump Signs Executive Order On Cybersecurity (techcrunch.com) 173

President Trump on Thursday signed a long-delayed executive order on cybersecurity that "makes clear that agency heads will be held accountable for protecting their networks, and calls on government and industry to reduce the threat from automated attacks on the internet," reports The Washington Post. From the report: Picking up on themes advanced by the Obama administration, Trump's order also requires agency heads to use Commerce Department guidelines to manage risk to their systems. It commissions reports to assess the country's ability to withstand an attack on the electric grid and to spell out the strategic options for deterring adversaries in cyberspace. [Thomas Bossert, Trump's homeland security adviser] said the order was not, however, prompted by Russia's targeting of electoral systems last year. In fact, the order is silent on addressing the security of electoral systems or cyber-enabled operations to influence elections, which became a significant area of concern during last year's presidential campaign. The Department of Homeland Security in January declared election systems "critical infrastructure." The executive order also does not address offensive cyber operations, which are generally classified. This is an area in which the Trump administration is expected to be more forward-leaning than its predecessor. Nor does it spell out what type of cyberattack would constitute an "act of war" or what response the attack would invite. "We're not going to draw a red line," Bossert said, adding that the White House does not "want to telegraph our punches." The order places the defense secretary and the head of the intelligence community in charge of protecting "national security" systems that operate classified and military networks. But the secretary of homeland security will continue to be at the center of the national plan for protecting critical infrastructure, such as the electric grid and financial sector.
Facebook

Facebook Must Delete Hate Postings Worldwide, Rules Austrian Court (reuters.com) 364

An Austrian court has ruled that Facebook must delete hate speech postings worldwide. "The case -- brought by Austria's Green party over insults to its leader -- has international ramifications as the court ruled the postings must be deleted across the platform and not just in Austria, a point that had been left open in an initial ruling," reports Reuters. From the report: The case comes as legislators around Europe are considering ways of forcing Facebook, Google, Twitter and others to rapidly remove hate speech or incitement to violence. Facebook's lawyers in Vienna declined to comment on the ruling, which was distributed by the Greens and confirmed by a court spokesman, and Facebook did not immediately reply to a request for comment. Strengthening the earlier ruling, the Viennese appeals court ruled on Friday that Facebook must remove the postings against Greens leader Eva Glawischnig as well as any verbatim repostings, and said merely blocking them in Austria without deleting them for users abroad was not sufficient. The court added it was easy for Facebook to automate this process. It said, however, that Facebook could not be expected to trawl through content to find posts that are similar, rather than identical, to ones already identified as hate speech. The Greens hope to get the ruling strengthened further at Austria's highest court. They want the court to demand Facebook remove similar - not only identical - postings, and to make it identify holders of fake accounts. The Greens also want Facebook to pay damages, which would make it easier for individuals in similar cases to take the financial risk of taking legal action.
Bitcoin

ISPs Could Take Down Large Parts of Bitcoin Ecosystem If They Wanted To (bleepingcomputer.com) 72

An anonymous reader writes: A rogue ISP could take down large parts of the Bitcoin ecosystem, according to new research that will be presented in two weeks at the 38th IEEE Symposium on Security and Privacy in San Jose, USA. According to the researchers, there are two types of attack scenarios that could be leveraged via BGP hijacks to cripple the Bitcoin ecosystem: hijacking mining proceeds, causing double-spending errors, and delaying transactions. These two (partition and delay) attacks are possible because most of the entire Bitcoin ecosystem isn't as decentralized as most people think, and it still runs on a small number of ISPs. For example, 13 ISPs host 30% of the entire Bitcoin network, 39 ISPs host 50% of the whole Bitcoin mining power, and 3 ISPs handle 60% of all Bitcoin traffic. Currently, researchers found that around 100 Bitcoin nodes are the victims of BGP hijacks each month.
Government

Oracle And Cisco Both Support The FCC's Rollback Of Net Neutrality (thehill.com) 136

An anonymous reader quotes The Hill: Oracle voiced support on Friday for FCC Chairman Ajit Pai's controversial plan to roll back the agency's net neutrality rules. In a letter addressed to the FCC, the company played up its "perspective as a Silicon Valley technology company," hammering the debate over the rules as a "highly political hyperbolic battle," that is "removed from technical, economic, and consumer reality"... Oracle wrote in their letter [PDF] that they believe Pai's plan to remove broadband providers from the FCC's regulatory jurisdiction "will eliminate unnecessary burdens on, and competitive imbalances for, ISPs [internet service providers] while enhancing the consumer experience and driving investment"... Other companies in support of Pai's plan, like AT&T and Verizon, have made the argument that the rules stifled investment in the telecommunications sector, specifically in broadband infrastructure.
Cisco has also argued that strict net neutrality laws on ISPs "restrict their ability to use innovative network management technology, provide appropriate levels of quality of service, and deliver new features and services to meet evolving consumer needs. Cisco believes that allowing the development of differentiated broadband products, with different service and content offerings, will enhance the broadband market for consumers."
Security

WikiLeaks Reveals A CIA LAN-Attacking Tool From 'Vault 7' (betanews.com) 52

An anonymous reader quotes BetaNews: WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes -- previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use -- or, indeed, if it has actually ever been used -- but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.

The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."

HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."
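The two checks below are an added example, not code from the Vault 7 documents, BetaNews or HotHardware. The manual quoted above does not say how Archimedes diverts the target's traffic; the example assumes the common method of poisoning the target's ARP cache so the attacker's machine answers for the gateway (an assumption), and then watches for the second half of the technique, the forged web-server response that sends the browser somewhere else. Every address and record is constructed.

```python
"""Added example: defender-side checks for a LAN man-in-the-middle that diverts a
host's traffic away from the real gateway and injects a redirecting web response.
Not the tool's code; ARP-based redirection is an assumption about how it works."""
from urllib.parse import urlparse

GATEWAY_IP = "192.0.2.1"  # assumed address of the LAN's real gateway

# Constructed ARP replies observed on the wire: (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (0.0, "192.0.2.1",  "00:00:5e:00:53:01"),
    (0.5, "192.0.2.77", "00:00:5e:00:53:77"),
    (1.0, "192.0.2.1",  "00:00:5e:00:53:01"),
    (2.5, "192.0.2.1",  "00:00:5e:00:53:ee"),  # a second MAC now claims the gateway
    (2.6, "192.0.2.1",  "00:00:5e:00:53:ee"),
]


def find_arp_conflicts(replies, watch_ips):
    """Return [(ip, pinned_mac, other_mac, t)] for every reply in which a watched
    IP is claimed by a MAC other than the one first seen for it. A production
    monitor would pin the gateway MAC from a static table instead of trusting
    the first reply it happens to see."""
    pinned = {}
    conflicts = []
    for t, ip, mac in replies:
        if ip not in watch_ips:
            continue
        mac = mac.lower()
        if ip not in pinned:
            pinned[ip] = mac
        elif mac != pinned[ip]:
            conflicts.append((ip, pinned[ip], mac, t))
    return conflicts


def is_offsite_redirect(request_host, status, headers):
    """Flag a plaintext HTTP 3xx whose Location names a host other than the one
    the browser asked for (including a bare IP). Same-origin and relative
    redirects are normal browsing and are not flagged."""
    if not 300 <= status < 400:
        return False
    location = headers.get("Location") or headers.get("location")
    if not location:
        return False
    target = urlparse(location).hostname
    if target is None:  # relative Location, same origin
        return False
    return target.lower() != request_host.lower()


# Constructed exchange: the browser asked for news.example and was sent to a raw IP.
SAMPLE_RESPONSE = (
    "news.example", 302,
    {"Location": "http://203.0.113.9/landing?s=1", "Content-Length": "0"},
)

if __name__ == "__main__":
    for ip, pinned_mac, other, t in find_arp_conflicts(ARP_REPLIES, {GATEWAY_IP}):
        print(f"t={t}: {ip} pinned to {pinned_mac} but {other} answered for it")
    host, status, hdrs = SAMPLE_RESPONSE
    print("off-site redirect:", is_offsite_redirect(host, status, hdrs))
```

The ARP check is the same "flip-flop" condition tools such as arpwatch report; the redirect check is only a hint, since plenty of legitimate sites bounce users to a CDN or login host, so in practice you would correlate it with the ARP alert rather than act on it alone.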
Security

Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com) 45

An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.
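The code below is an added example of the mitigation DeMarre describes, not Google's or any OAuth provider's implementation. It assumes a small table of protected brand names and the rule that a client whose display name claims one of them must register a redirect URI on a domain that brand owns; both the table and the rule are assumptions for illustration. It also renders the consent line with the verified domain next to the free-text name, so the user sees what the name alone hides.

```python
"""Added example: registration-time check that an OAuth client's display name
does not impersonate a well-known party, plus a consent prompt that shows the
verified redirect domain. Brand table and policy are assumptions."""
import re
from urllib.parse import urlparse

# Assumed: brand names worth protecting and the domains entitled to use them.
PROTECTED_BRANDS = {
    "google": {"google.com", "googleapis.com"},
    "foobar": {"foobar.com"},
}


def registrable_domain(host, depth=2):
    """Crude eTLD+1 (last two labels). A real service would consult the Public
    Suffix List so that e.g. 'evil.co.uk' is not cut down to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def brands_claimed(display_name):
    """Protected brands that appear as whole words in the display name."""
    words = set(re.findall(r"[a-z0-9]+", display_name.lower()))
    return {brand for brand in PROTECTED_BRANDS if brand in words}


def check_client_registration(display_name, redirect_uris):
    """Return (ok, reasons). Rejects non-https redirect URIs and any display name
    that claims a protected brand without a redirect URI on that brand's domain."""
    reasons = []
    domains = set()
    for uri in redirect_uris:
        parsed = urlparse(uri)
        if parsed.scheme != "https" or not parsed.hostname:
            reasons.append(f"redirect URI must be https with a host: {uri}")
            continue
        domains.add(registrable_domain(parsed.hostname))
    for brand in sorted(brands_claimed(display_name)):
        allowed = PROTECTED_BRANDS[brand]
        if not domains & allowed:
            reasons.append(
                f"name claims '{brand}' but no redirect URI is on {sorted(allowed)}")
    return (not reasons, reasons)


def consent_text(display_name, redirect_uris):
    """Consent line that pairs the free-text name with the domain the grant will
    actually be delivered to, e.g. 'Google, Inc. (attacker.example)'."""
    domains = sorted({registrable_domain(urlparse(u).hostname)
                      for u in redirect_uris if urlparse(u).hostname})
    return f"{display_name} ({', '.join(domains)}) is requesting permission to do the following"


if __name__ == "__main__":
    for name, uris in [("Google, Inc.", ["https://attacker.example/cb"]),
                       ("Google, Inc.", ["https://accounts.google.com/oauth/cb"]),
                       ("My Photo Backup", ["https://photos.example/cb"])]:
        ok, why = check_client_registration(name, uris)
        print(ok, why or consent_text(name, uris))
```

The domain shown in the consent prompt is the one the authorization code or token will be redirected to, which is the only identity the authorization server has actually verified; the display name is whatever the registrant typed.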
Security

Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA (vice.com) 50

A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday. From the article: For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, the German newspaper Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
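As an added example of what "moving away from SMS-based authentication" looks like in practice (the article names no replacement; this is one that does not depend on the phone network at all), here is a time-based one-time password (TOTP, RFC 6238) generator and verifier. The code is not from the article or any vendor; the replay-tracking set passed to the verifier is an assumption about how a service would persist per-user state. The test vectors it is checked against are the ones published in RFC 4226 and RFC 6238.

```python
"""Added example: TOTP (RFC 6238) on top of HOTP (RFC 4226), with a verifier that
tolerates a little clock skew, compares in constant time and refuses replays.
Nothing here travels over SS7 or SMS: the shared secret lives on the device."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret, candidate, now=None, step=30, digits=6, window=1, used=None):
    """Accept the code for the current step or any step within +/- window.
    `used` (assumed to be persisted per user by the caller) records accepted
    counters so the same code cannot be replayed inside the window."""
    now = time.time() if now is None else now
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if used is not None and counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            if used is not None:
                used.add(counter)
            return True
    return False


def provisioning_uri(account, secret, issuer, digits=6, step=30):
    """otpauth:// URI for enrolling an authenticator app (the de facto format;
    the secret is base32 with padding stripped)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}")


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC test secret, not a real one
    print(provisioning_uri("alice@example.com", secret, "Example Bank"))
    print("code now:", totp(secret, time.time()))
```

The window of one step each way absorbs phone clock drift without widening the guessing surface much; the replay set matters because a code that was just accepted is still valid for the rest of its step, and the SS7 attacks above work precisely by reusing a code the attacker saw in transit.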
Communications

WhatsApp Users Are Reporting Outages Worldwide (metro.co.uk) 44

sombragris writes: WhatsApp, a proprietary instant messaging platform owned by Facebook and used by millions of users, is currently down according to user reports from various parts of the world. There's no official word yet on the cause but I'm among the many affected by the outages. UPDATE 5/3/17: "Earlier today, WhatsApp users in all parts of the world were unable to access WhatsApp for a few hours. We have now fixed the issue and apologize for the inconvenience," WhatsApp said in an email late Wednesday afternoon.
Republicans

Senate Republicans Introduce Anti-Net Neutrality Legislation (thehill.com) 224

An anonymous reader quotes a report from The Hill: Sen. Mike Lee (R-Utah) introduced a bill Monday to nullify the Federal Communications Commission's net neutrality rules. "Few areas of our economy have been as dynamic and innovative as the internet," Lee said in a statement. "But now this engine of growth is threatened by the Federal Communications Commission's 2015 Open Internet Order, which would put federal bureaucrats in charge of engineering the Internet's infrastructure." Sens. John Cornyn (R-Texas), Tom Cotton (R-Ark.), Ted Cruz (R-Texas), Ron Johnson (R-Wis.), Rand Paul (R-Ky.), Thom Tillis (R-N.C.), Ben Sasse (R-Neb.), and James Inhofe (R-Okla.) co-sponsored Lee's bill. FCC Chairman Ajit Pai introduced his own plan last week to curb significant portions of the 2015 net neutrality rules that Lee's bill aims to abolish. Pai's more specific tack is focused on moving the regulatory jurisdiction of broadband providers back to the Federal Trade Commission, instead of the FCC, which currently regulates them.
Security

A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices (arstechnica.com) 143

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, or other Internet-of-Things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.

Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"
Australia

Australia Wants ISPs To Protect Customers From Viruses (sophos.com) 104

An anonymous reader quotes Sophos's Naked Security blog: In a column in The West Australian, Dan Tehan, Australia's cybersecurity minister, wrote: "Just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies to protect our information from threats." A companion news article in the same newspaper cited Tehan as arguing that "the onus is on telecommunications companies to develop products to stop their customers being infected with viruses"...

Tehan's government roles include assisting the prime minister on cybersecurity, so folks throughout Australia perked up when he said all this. However, it's not clear if there's an actual plan behind Tehan's observations -- or if there is, whether it will be backed by legal mandates... Back home in Australia, some early reactions to the possibility of any new government interference weren't kind. In iTWire, Sam Varghese said, "Dan Tehan has just provided the country with adequate reasons as to why he should not be allowed anywhere near any post that has anything to do with online security."

The West Australian also reports Australia's prime minister met telecommunications companies this week, "where he delivered the message the Government expected them to do more to shut dodgy sites and scams," saying the government will review current legislation to "remove any roadblocks that may be preventing the private sector and government from delivering such services."
Communications

Ask Slashdot: Could We Build A Global Wireless Mesh Network? 168

An anonymous reader wants to start a grassroots effort to build a self-organizing global radio mesh network where every device can communicate with every other device -- and without any central authority. There is nothing in the rules of mathematics or laws of physics that prevents such a system. But how would you break the problem up so it could be crowdfunded and sourced? How would you build the radios? And what about government spectrum rules... How would you persuade governments to allow for the use of say, 1%, of the spectrum for an unlicensed mesh experiment? In the U.S. it would probably take an Act of Congress to overrule the FCC, but a grassroots effort with potential for major technology advances, backed by celebrity scientists, might be enough to tilt the issue. Would there be enough motivation, though?
Is this feasible? Would it amass enough volunteers, advocates, and enthusiastic users? Would it become a glorious example of geeks uniting the world -- or a doomed fantasy with no practical applications? Leave your best thoughts in the comments. Could we build a global wireless mesh network?
Networking

Russian-Controlled Telecom Hijacks Traffic For Mastercard, Visa, And 22 Other Services (arstechnica.com) 76

An anonymous reader quotes the security editor at Ars Technica: On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

Anomalies in the border gateway protocol -- which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks -- are common and usually the result of human error. While it's possible Wednesday's five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident "curious" to engineers at network monitoring service BGPmon. What's more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.
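The code below is an added example that serves both the Bitcoin partition/delay research above and the Rostelecom incident; it is not BGPmon's code or the researchers' tooling. It compares observed BGP announcements against a table of expected origin ASNs (the kind of table a monitor builds from RPKI or IRR data or from route history; here it is assumed) and flags the two shapes both stories describe: a monitored prefix announced from the wrong origin, and a more-specific sub-prefix announced by a stranger, which every router prefers under longest-prefix matching. For the Bitcoin case it also lists which monitored node addresses each bogus route would capture, which is the partition. Prefixes are RFC 5737/3849 documentation blocks, ASNs come from the private range, and the feed and node list are constructed.

```python
"""Added example: origin-mismatch and more-specific BGP hijack detection against
a table of expected origins, plus a report of which monitored hosts each bogus
route captures. Expected origins, nodes and the feed are all constructed."""
import ipaddress

# Assumed: prefixes we monitor and the ASN that should originate each of them.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,     # e.g. a payment network's block
    ipaddress.ip_network("198.51.100.0/24"): 64501,  # e.g. a host with Bitcoin nodes
    ipaddress.ip_network("203.0.113.0/24"): 64502,   # e.g. a mining pool's block
}

# Constructed: addresses of Bitcoin nodes we care about (not real nodes).
BITCOIN_NODES = [ipaddress.ip_address(a) for a in
                 ("198.51.100.10", "198.51.100.200", "203.0.113.5", "192.0.2.99")]


def classify(announcement):
    """announcement = {"prefix": str, "as_path": [int, ...]}; the origin AS is the
    last element of the path. Returns a finding dict, or None when the route is
    consistent with the expected-origin table or covers nothing we monitor."""
    pfx = ipaddress.ip_network(announcement["prefix"], strict=False)
    origin = announcement["as_path"][-1]
    if pfx in EXPECTED_ORIGIN:  # exact match: only the origin can be wrong
        expected = EXPECTED_ORIGIN[pfx]
        if origin != expected:
            return {"kind": "origin_mismatch", "prefix": str(pfx),
                    "expected_origin": expected, "seen_origin": origin}
        return None
    for parent, expected in EXPECTED_ORIGIN.items():
        if (pfx.version == parent.version and pfx.prefixlen > parent.prefixlen
                and pfx.subnet_of(parent)):
            if origin != expected:
                return {"kind": "more_specific_hijack", "prefix": str(pfx),
                        "covers": str(parent), "expected_origin": expected,
                        "seen_origin": origin}
            return None  # the owner deaggregating its own block is legitimate
    return None


def captured_nodes(prefix):
    """Monitored node addresses that the given route would attract."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [str(a) for a in BITCOIN_NODES if a in net]


def analyze(feed):
    findings = []
    for announcement in feed:
        finding = classify(announcement)
        if finding:
            finding["captured_nodes"] = captured_nodes(finding["prefix"])
            findings.append(finding)
    return findings


SAMPLE_FEED = [  # constructed announcements as a route collector would see them
    {"prefix": "192.0.2.0/24", "as_path": [64510, 64500]},      # normal
    {"prefix": "192.0.2.0/24", "as_path": [64510, 64511]},      # wrong origin
    {"prefix": "198.51.100.0/25", "as_path": [64511]},          # more-specific by a stranger
    {"prefix": "203.0.113.0/25", "as_path": [64510, 64502]},    # owner's own deaggregation
    {"prefix": "2001:db8::/32", "as_path": [64511]},            # not monitored
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FEED):
        print(finding)
```

The more-specific case is the dangerous one: the legitimate /24 stays in every routing table, yet traffic for the hijacked /25 flows to the stranger because the longer prefix wins, exactly how a single ISP can pull a slice of the Bitcoin network (or a card network) toward itself without withdrawing anything. Whether an announcement was typed in by hand, as BGPmon inferred for the Rostelecom prefixes, is not visible from the route itself; this check can only say that the origin is not the one expected.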

Wireless Networking

Stray WiFi Signals Could Let Spies See Inside Closed Rooms (sciencemag.org) 41

sciencehabit quotes a report from Science Magazine: Your wireless router may be giving you away in a manner you never dreamed of. For the first time, physicists have used radio waves from a Wi-Fi transmitter to encode a 3D image of a real object in a hologram similar to the image of Princess Leia projected by R2D2 in the movie Star Wars. In principle, the technique could enable outsiders to "see" the inside of a room using only the Wi-Fi signals leaking out of it, although some researchers say such spying may be easier said than done. Their experiment relies on none of the billions of digital bits of information encoded in Wi-Fi signals, just the fact that the signals are clean, "coherent" waves. However, instead of recording the key interference pattern on a photographic plate, the researchers record it with a Wi-Fi receiver and reconstruct the object in a computer. They placed a Wi-Fi transmitter in a room, 0.9 meters behind the cross. Then they placed a standard Wi-Fi receiver 1.4 meters in front of the cross and moved it slowly back and forth to map out a "virtual screen" that substituted for the photographic plate. Also, instead of having a separate reference beam coming straight to the screen, they placed a second, stationary receiver a few meters away, where it had a direct view of the emitter. For each point on the virtual screen, the researchers compared the signals arriving simultaneously at both receivers, and made a hologram by mapping the delays caused by the aluminum cross. The virtual hologram isn't exactly like a traditional one, as researchers can't recover the image of the object by shining more radio waves on it. Instead, the scientists used the computer to run the radio waves backward in time from the screen to the distance where wave fronts hit the object. The cross then popped out.
Network

The Internet-of-Things is Maturing (axios.com) 33

An anonymous reader shares a report: The "Internet of Things" (IoT) category is starting to mature in terms of startup investments, according to a new report from Silicon Valley venture capital firm Wing. Like any other trendy area of tech, IoT is in the midst of its own hype cycle, so it's important to get a more detailed picture of how the money is flowing.
AT&T

AT&T To Roll Out 5G Network That's Not Actually 5G (yahoo.com) 89

AT&T announced plans to deliver what it's calling the "5G Evolution" network to more than 20 markets by the end of the year. While the company is "using some wordsmithing to deliver to you faster internet speeds," it's important to note that this is not actually a real 5G network. Yahoo reports: 5G still has years of development and testing before it will be rolled out across the U.S. So don't let AT&T's use of "5G" make you think that the next-generation wireless standard has arrived. In reality, the 5G AT&T is talking about is a bumped-up version of its 4G LTE to help it bridge the gap until the real 5G, with its ultra-fast speeds and better bandwidth, is rolled out. It's also important to note that AT&T won't offer its 5G Evolution technology to all of its customers initially. In fact, it's currently only available in Austin, TX, and the company plans to extend it to Atlanta, Boston, Chicago, Los Angeles, and other big markets in the coming months. If you're in a smaller metro market, you'll be out of luck. Perhaps the biggest limitation, and the reason few people will likely have the chance to actually use the 5G Evolution, is that AT&T is restricting it to select devices -- specifically, the Samsung Galaxy S8 and S8+. While that's great if you have one of those particular phones in one of the specific cities where AT&T's faster service exists, it's not so great if you're using another device.
The Internet

US ISP Goes Down As Two Malware Families Go To War Over Its Modems (bleepingcomputer.com) 93

An anonymous reader writes from a report via Bleeping Computer: Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month, on April 10. The attack, which the company claimed was a "malicious hacking event," was the work of BrickerBot, an IoT malware family that bricks unsecured IoT and networking devices. "BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity." The crook, going by Janit0r, tried to pin some of the blame on Mirai, but all the clues point to BrickerBot, as Sierra Tel had to replace bricked modems altogether, or ask customers to bring their modems in to its offices to have them reset and reinstalled. Mirai brought down over 900,000 Deutsche Telekom modems last year, but that outage was fixed within hours with a firmware update. All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.
Network

Gamers in Hawaii Can't Compete... Because of Latency (theoutline.com) 269

Sometimes it's very important to know where the servers of the web services you're using are located, and not just because of privacy concerns. The Outline has a story this week about gamers in Hawaii who are increasingly finding it difficult to compete in global tournaments because the games' servers are almost always located overseas. From the article: [...] The game's server is in Chicago. That means if you live in the Midwest, your computer can communicate with it almost instantaneously. If you're in L.A., it can take roughly 60 milliseconds. But if you're in Hawaii, it can take 120 milliseconds, with some players reporting as long as 200 milliseconds. And at the highest echelons of competitive video gaming, milliseconds matter. [...] In League and other eSports games, playing on a high ping is a big disadvantage. The goal of the game is to set up defenses to protect your base while pushing forward to capture the enemy's base, and there are typically lightning bolts and fireballs and slime-spitting dragons shooting across the screen. Playing on a high ping means players may not see all of the action that happens in a game. Latency can really screw things up for a young eSports scene, said Zack Johnson, who runs gg Circuit, a global tournament provider for gaming centers like PC Gamerz. Players on the mainland sometimes say they don't want to compete against Hawaii players, he said, because the high ping throws things off.
The Almighty Buck

How Online Shopping Makes Suckers of Us All (theatlantic.com) 251

Thelasko shares an excerpt from a report via The Atlantic, which describes how price discrimination is used in online shopping and how businesses like Amazon try to extract consumer surplus: Will you pay more for those shoes before 7 p.m.? Would the price tag be different if you lived in the suburbs? Standard prices and simple discounts are giving way to far more exotic strategies, designed to extract every last dollar from the consumer. We live in the age of the variable airfare, the surge-priced ride, the pay-what-you-want Radiohead album, and other novel price developments. But what was this? Some weird computer glitch? More like a deliberate glitch, it seems. "It's most likely a strategy to get more data and test the right price," Guru Hariharan explained, after I had sketched the pattern on a whiteboard. The right price -- the one that will extract the most profit from consumers' wallets -- has become the fixation of a large and growing number of quantitative types, many of them economists who have left academia for Silicon Valley. It's also the preoccupation of Boomerang Commerce, a five-year-old start-up founded by Hariharan, an Amazon alum. He says these sorts of price experiments have become a routine part of finding that right price -- and refinding it, because the right price can change by the day or even by the hour. (Amazon says its price changes are not attempts to gather data on customers' spending habits, but rather to give shoppers the lowest price out there.)
Businesses

Square Said To Acquire Team From Struggling Social App Yik Yak (bloomberg.com) 15

According to Bloomberg, Square has acquired the engineering team of Yik Yak for "less than $3 million." From the report: The payments processor paid less than $3 million for between five and ten of Yik Yak's engineers, according to the person. Atlanta-based Yik Yak's Chief Executive Officer Tyler Droll will not join Square, the person added, asking not to be identified talking about a private matter. Atlanta-based Yik Yak, which started in 2013, created a smartphone app that allowed people to contribute to anonymous chat groups in a narrow geographical radius -- like college campuses.