AT&T

Mobile Phone Companies Appear To Be Selling Your Location To Almost Anyone (techcrunch.com) 128

An anonymous reader quotes a report from TechCrunch: You may remember that last year, Verizon (which owns Oath, which owns TechCrunch) was punished by the FCC for injecting information into its subscribers' traffic that allowed them to be tracked without their consent. That practice appears to be alive and well despite being disallowed in a ruling last March: companies appear to be able to request your number, location, and other details from your mobile provider quite easily. The possibility was discovered by Philip Neustrom, co-founder of Shotwell Labs, who documented it in a blog post earlier this week. He found a pair of websites which, if visited from a mobile data connection, report back in no time with numerous details: full name, billing zip code, current location (as inferred from cell tower data), and more. (Others found the same thing with slightly different results depending on carrier, but the demo sites were taken down before I could try it myself.)
Wireless Networking

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com) 106

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Microsoft

Microsoft Has Already Fixed the Wi-Fi Attack Vulnerability; Android Will Be Patched Within Weeks (theverge.com) 125

Microsoft says it has already fixed the problem for customers running supported versions of Windows. From a report: "We have released a security update to address this issue," says a Microsoft spokesperson in a statement to The Verge. "Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected." Microsoft is planning to publish details of the update later today. While it looks like Android and Linux devices are affected by the worst part of the vulnerabilities, allowing attackers to manipulate websites, Google has promised a fix for affected devices "in the coming weeks." Google's own Pixel devices will be the first to receive fixes with security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an "exceptionally devastating" variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.
Security

WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) 242

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
Crime

Dutch Police Build a Pokemon Go-Style App For Hunting Wanted Criminals (csoonline.com) 62

"How can the police induce citizens to help investigate crime? By trying to make it 'cool' and turning it into a game that awards points for hits," reports CSO. mrwireless writes: Through their 'police of the future' innovation initiative, and inspired by Pokemon Go, the Dutch police are building an app where you can score points by photographing the license plates of stolen cars. When a car is reported stolen the app will notify people in the neighbourhood, and then the game is on! Privacy activists are worried this creates a whole new relationship with the police, as a deputization of citizens blurs boundaries, and institutionalizes 'coveillance' -- citizens spying on citizens. It could be a slippery slope to situations that more resemble the Stasi regime's, which famously used this form of neighborly surveillance as its preferred method of control.
CSO cites Spiegel Online's description of the unofficial 189,000 Stasi informants as "totally normal citizens of East Germany who betrayed others: neighbors reporting on neighbors, schoolchildren informing on classmates, university students passing along information on other students, managers spying on employees and Communist bosses denouncing party members."

The Dutch police are also building another app that allows citizens to search for missing persons.
Google

Google Slashes Prices of Its USB-C Headphone Dongle Following Minor Outrage (mashable.com) 197

At its hardware event last week, Google unveiled its two new flagship smartphones: the Pixel 2 and Pixel 2 XL. While these devices feature high-end specifications and the latest version of Android, they both lack headphone jacks, upsetting many consumers who still rely heavily on wired headphones. To add insult to injury, Google announced a USB-C adapter for a whopping price of $20 -- that's $11 more than Apple's Lightning to 3.5mm adapter. This resulted in some minor outrage and caused Google to rethink its decision(s). As reported by 9to5Google, Google decided to slash the price of the dongle by over 50%. It is now priced at a more reasonable $9.
IOS

Latest iOS Update Shows Apple Can Use Software To Break Phones Repaired By Independent Shops (vice.com) 127

The latest version of iOS fixes several bugs, including one that caused a loss of touch functionality on a small subset of phones that had been repaired with certain third-party screens and had been updated to iOS 11. "Addresses an issue where touch input was unresponsive on some iPhone 6S displays because they were not serviced with genuine Apple parts," the update reads. "Note: Non-genuine replacement displays may have compromised visual quality and may fail to work correctly. Apple-certified screen repairs are performed by trusted experts who use genuine Apple parts. See support.apple.com for more information." Jason Koebler writes via Motherboard: "This is a reminder that Apple seems to have the ability to push out software updates that can kill hardware and replacement parts it did not sell iPhone customers itself, and that it can fix those same issues remotely." From the report: So let's consider what actually happened here. iPhones that had been repaired and were in perfect working order suddenly stopped working after Apple updated its software. Apple was then able to fix the problem remotely. Apple then put out a warning blaming the parts that were used to do the repair. Poof -- phone doesn't work. Poof -- phone works again. In this case, not all phones that used third party parts were affected, and there's no reason to think that, in this case, Apple broke these particular phones on purpose. But there is currently nothing stopping the company from using software to control unauthorized repair: For instance, you cannot replace the home button on an iPhone 7 without Apple's proprietary "Horizon Machine" that re-syncs a new home button with the repaired phone. This software update is concerning because it not only undermines the reputation of independent repair among Apple customers, but because it shows that phones that don't use "genuine" parts could potentially one day be bricked remotely.
Iphone

Apple To Ditch Touch ID Altogether For All of Next Year's iPhones (macrumors.com) 133

Earlier this week, a report said that Apple is planning to equip next year's iPad Pro with the hardware necessary for Face ID. Now, according to KGI Securities analyst Ming-Chi Kuo, it appears the company is taking that one step further with its 2018 iPhones. All of the iPhones Apple plans to produce next year will reportedly abandon the Touch ID fingerprint sensor in favor of facial recognition. Mac Rumors reports: According to Kuo, Apple will embrace Face ID as its authentication method for a competitive advantage over Android smartphones. Kuo has previously said that it could take years for Android smartphone manufacturers to produce technology that can match the TrueDepth camera and the Face ID feature coming in the iPhone X. Face ID, says Kuo, will continue to be a major selling point of the new iPhone models in 2018, with Apple planning to capitalize on its lead in 3D sensing design and production. Kuo's prediction suggests that all upcoming 2018 iPhones will feature a full-screen design with minimal bezels like the iPhone X, meaning no additional models with the iPhone 8/iPhone 8 Plus design would be produced. That would spell the end of the line for Touch ID in the iPhone, which has been available as a biometric authentication option since 2013.
Businesses

Qualcomm Seeks China iPhone Ban, Escalating Apple Legal Fight (bloomberg.com) 36

Qualcomm filed lawsuits in China seeking to ban the sale and manufacture of iPhones in the country, the chipmaker's biggest shot at Apple so far in a sprawling and bitter legal fight. From a report: The San Diego-based company aims to inflict pain on Apple in the world's largest market for smartphones and cut off production in a country where most iPhones are made. The product provides almost two-thirds of Apple's revenue. Qualcomm filed the suits in a Beijing intellectual property court claiming patent infringement and seeking injunctive relief, according to Christine Trimble, a company spokeswoman. "Apple employs technologies invented by Qualcomm without paying for them," Trimble said. An Apple spokesman didn't immediately respond to a request for comment on Friday. Qualcomm's suits are based on three non-standard essential patents, it said. They cover power management and a touch-screen technology called Force Touch that Apple uses in current iPhones, Qualcomm said. The inventions "are a few examples of the many Qualcomm technologies that Apple uses to improve its devices and increase its profits," Trimble said. The company made the filings at the Beijing court on Sept. 29. The court has not yet made them public.
Google

Google Is Really Good At Design 183

Joshua Topolsky, writing for The Outline: The stuff Google showed off on October 4 was brazenly designed and strangely, invitingly touchable. These gadgets were soft, colorful... delightful? They looked human, but like something future humans had made; people who'd gotten righteously drunk with aliens. You could imagine them in your living room, your den, your bedroom. Your teleportation chamber. A fuzzy little donut you can have a conversation with. A VR headset in stunning pink. A phone with playful pops of color and an interface that seems to presage what you want, when you want it. It's weird. It's subtle. It's... good. It's Google? It's Google.

It was only a few years ago that Google was actually something of a laughing stock when it came to design. As an aggressively engineer-led company, the Mountain View behemoth's early efforts, particularly with its mobile software and devices, focused not on beauty, elegance, or simplicity, but rather concentrated on flexibility, iteration, and scale. These are useful priorities for a utilitarian search engine, but didn't translate well to many of the company's other products. Design -- the mysterious intersection of art and communication -- was a second-class citizen at Google, subordinate to The Data. That much was clear from the top down.

Enter Matias Duarte, the design impresario who was responsible for the Sidekick's UI (a wacky, yet strangely prescient mobile-everything concept) and later, the revolutionary (though ill-fated) webOS -- the striking mobile operating system and design language that would be Palm's final, valiant attempt at reclaiming the mobile market. Duarte was hired by Google in 2013 (initially as Android's User Experience Director, though he is now VP of design at the company), and spearheaded a complete reset of the company's visual and functional instincts. But even Duarte was aware of the design challenges his new role presented. "I never thought I'd work for Google," he told Surface Magazine in August. "I had zero ambition to work for Google. Everybody knew Google was a terrible place for design." Duarte went to work on a system that would ultimately be dubbed Material Design -- a set of principles that not only began to dictate how Android should look and work as a mobile operating system, but also triggered the march toward a unified system of design that slowly but surely pulled Google's disparate network of services into something that much more closely resembled a singular vision. A school of thought. A family.
Android

Is the Chromebook the New Android Tablet? (computerworld.com) 182

An anonymous reader shares a report from Computerworld, where JR Raphael makes the case for why it's time to call the Chromebook the new Android tablet: What does a traditional Android tablet do that a convertible Chromebook doesn't? No matter how long you mull, it's tough to come up with much. Nowadays, a Chromebook runs the same apps from the same Google Play Store. It has an increasingly similar user interface, with a new touch-friendly and Android-reminiscent app launcher rolling out as we speak. It's likely to have an Android-like way of getting around the system before long, too, not to mention native integration of the Google Assistant (which is launching with the newly announced Pixelbook and then presumably spreading to other devices from there). But on top of all of that, a Chromebook offers meaningful advantages a traditional Android tablet simply can't match. It operates within the fast-booting, inherently secure, and free from manufacturer- or carrier-meddling Chrome OS environment. The operating system is updated every two to three weeks, directly by Google, for a minimum of five years. That's a sharp contrast to the software realities we see on Android -- and if you think the updates on Android phones are bad, let me tell you: The situation with Android tablets is worse.

In addition to the regular selection of Android apps, a Chromebook also gives you a desktop-caliber browser experience along with a laptop-level keyboard and capable trackpad. (And, as a side perk, that means you've got a built-in multi-mode stand for your tablet, too.) It's the best of both worlds, as I've put it before -- a whole new kind of platform-defying, all-purpose productivity and entertainment machine. And while it won't immediately lead to the outright extinction of traditional Android tablets, it certainly makes them seem like a watered-down and obsolete version of the same basic experience.

Books

Amazon Finally Makes a Waterproof Kindle (theverge.com) 65

After 10 years of Kindles, Amazon has finally made a kindle e-reader with an IPX8 waterproof rating. The new Kindle Oasis features a 7-inch display and aluminum back. The Verge reports: Unlike last year's Kindle Oasis, which used a magnetic case you attached to the e-reader to extend its battery life, the new Oasis relies entirely on its built-in battery. It has a similar physical design, with one thicker side that tapers down on the other side, for one-handed reading. But Amazon has made a point of saying that it managed to fit in a bigger battery, while keeping the tapered side of the device at 3.4 millimeters. The resolution of the e-paper display is the same at 300 ppi, but it has a couple extra LED lights now for a brighter, more even-looking display. And it also has ambient light sensors that adjust the brightness as you move from room to room, or from outdoors to indoors. There are physical page-turn buttons, plus the touchscreen page-turn option; Amazon says it's worked on both the hardware and software side of things to make page-turning feel faster. The new e-reader has been tested in two meters of water for up to 60 minutes. It's also been tested in different water environments, like hot tubs, pools, and bubble baths.
Operating Systems

OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com) 164

An anonymous reader quotes a report from Bleeping Computer: OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer. A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day. The data collection issue was brought up to everyone's attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.

Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.

Cellphones

Security, Privacy Focused Librem 5 Linux Smartphone Successfully Crowdfunded (softpedia.com) 82

prisoninmate shares a report from Softpedia: Believe it or not, Purism's Librem 5 security and privacy-focused smartphone has been successfully crowdfunded a few hours ago when it reached and even passed its goal of $1.5 million, with 13 days left. Librem 5 wants to be an open source and truly free mobile phone designed with security and privacy in mind, powered by a GNU/Linux operating system based on Debian GNU/Linux and running only Open Source software apps on top of a popular desktop environment like KDE Plasma Mobile or GNOME Shell. Featuring a 5-inch screen, Librem 5 is compatible with 2G, 3G, 4G, GSM, UMTS, and LTE mobile networks. Under the hood, it uses an i.MX 6 or i.MX 8 processor with separate baseband modem to offer you the protection you need in today's communication challenges, where you're being monitored by lots of government agencies.
IBM

How Does Microsoft Avoid Being the Next IBM? (arstechnica.com) 223

An anonymous reader quotes a report from Ars Technica: For fans of the platform, the official confirmation that Windows on phones isn't under active development any longer -- security bugs will be fixed, but new features and new hardware aren't on the cards -- isn't a big surprise. This is merely a sad acknowledgement of what we already knew. Last week, Microsoft also announced that it was getting out of the music business, signaling another small retreat from the consumer space. It's tempting to shrug and dismiss each of these instances, pointing to Microsoft's continued enterprise strength as evidence that the company's position remains strong. And certainly, sticking to the enterprise space is a thing that Microsoft could do. Become the next IBM: a stable, dull, multibillion dollar business. But IBM probably doesn't want to be IBM right now -- it has had five straight years of falling revenue amid declining relevance of its legacy businesses -- and Microsoft probably shouldn't want to be the next IBM, either. Today, Microsoft is facing similar pressures -- Windows, though still critical, isn't as essential to people's lives as it was a decade ago -- and risks a similar fate. Dropping consumer ambitions and retreating to the enterprise is a mistake. Microsoft's failure in smartphones is bad for Windows, and it's bad for Microsoft's position in the enterprise as a whole.

Slashdot Top Deals