Monthly Archives: January 2017
Twitter on Tuesday announced yet another crackdown on abusers.
With the goal of making Twitter a safer place, it has come up with new ways to
- Prevent the creation of new abusive accounts;
- Make search safer; and
- Collapse potentially abusive or low-quality tweets.
Twitter also pledged to persist in its anti-abuse endeavors, saying it would keep rolling out product changes, some more visible than others, and updating users on its progress every step of the way.
Twitter “is more vulnerable than other social media because people expect it to be their link to the world, and not just their friends,” noted Jim McGregor, a principal analyst at Tirias Research.
“People use it for news and for access to quick gossip,” he told TechNewsWorld, adding that its open-ended structure makes it an easier target for abuse.
Twitter will identify account owners it has suspended permanently and block them from creating new accounts.
That might be a reaction to the creation of multiple fake accounts last fall, after Twitter had suspended several accounts linked to the alt-right movement, which is known for advocating white supremacy and other extreme views.
Those suspensions came amid mounting criticism of the company’s failure to expunge harassing, racist, sexist and anti-Semitic tweets from its network.
Safe search involves filtering tweets that contain potentially sensitive content, as well as tweets from blocked and muted accounts, from search results. However, users would have other ways to search for and access those tweets.
Under the new system, potentially abusive and low-quality replies will be collapsed, although they will be available if users want to seek them out. This change will roll out in the coming weeks, Twitter said.
Protection or Cybergagging?
“Ultimately, determining what constitutes cyberharassment or any kind of inappropriate behavior on Twitter is a subjective undertaking,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.
“As soon as you introduce subjectivity into regulating Twitter, it loses its appeal,” he told TechNewsWorld. “One person’s freedom of speech is another person’s microaggression. Twitter’s best bet is to say, ‘Abandon all hope ye who enter here.’”
Getting around the problem of subjective judgment will be difficult, McGregor suggested. “How do you decide what’s appropriate or abusive, and what’s not? You need to have a context for the conversation and the relationship.”
Friends would couch statements in terms that might be considered inappropriate when relayed to a stranger, he pointed out. “For example, I could tweet the word ‘s**t’ to a friend in response to something he’d said or a news item we were discussing, and it would be all right.”
Using artificial intelligence to filter out potentially offending tweets isn’t going to resolve the issue, because “AI systems have to learn like humans do, and no AI solution will really work unless you have a finite number of inputs,” McGregor pointed out.
Twitter’s Battle Against the Trolls
Twitter in 2014 suspended several accounts for violating its rules after actor Robin Williams’ daughter Zelda publicly quit the site due to hateful tweets about her father’s tragic suicide. She later reactivated her account.
Another victim, Imani Gandy, had been harassed since 2012 by someone with the handle “Assholster,” who created up to 10 different Twitter accounts a day to hurl racist invectives at her.
Leslie Jones, a Saturday Night Live cast member, temporarily quit Twitter last year after being deluged with hundreds of racist and abusive tweets. She returned after an outpouring of support.
Twitter permanently suspended conservative commentator Milo Yiannopoulos this summer on the grounds that he had subjected users to targeted abuse.
Twitter over the years has introduced a laundry list of new measures to curb the abuse.
The frequent changes are necessary, according to Laura DiDio, a research director at 451 Research.
“Twitter has to update its rules to reflect the changing times,” she told TechNewsWorld. “Nothing’s 100 percent foolproof.”
Dozens of applications for Apple’s mobile devices are vulnerable to WiFi snoopers, a security researcher reported this week.
Will Strafach, CEO of the Sudo Security Group, identified 76 popular iOS apps available at Apple’s App Store that were vulnerable to wireless eavesdroppers, even though the connections were supposed to be protected by encryption.
There have been 18 million downloads of the vulnerable apps, he said.
Strafach categorized 33 of the vulnerable apps as “low risk.” Potentially intercepted information included partially sensitive analytics data about a device and partially sensitive personal data, such as an email address or login credentials.
VivaVideo, Snap Upload for Snapchat, Volify, Loops Live, Private Browser, Aman Bank, FirstBank, VPN One Click Professional, and AutoLotto: Powerball, MegaMillions Lottery Tickets are some of the apps he assigned to the low-risk category.
Strafach categorized another 24 iOS apps as “medium risk.” Potentially intercepted information included service login credentials and session authentication tokens for users logged onto the network.
Strafach labeled the remaining apps “high risk” because the potentially intercepted information included login credentials for financial or medical services.
He did not identify the medium- and high-risk apps by name, in order to give their makers time to patch the vulnerability in their apps.
How concerned should users be about their security when using these apps?
“I tried to leave out anything regarding concern level, as I do not want to freak people out too much,” Strafach told TechNewsWorld.
“While this is indeed a big concern in my opinion, it can be mostly mitigated by turning off WiFi and using a cellular connection to perform sensitive actions — such as checking bank balances — while in public,” he said.
Man in the Middle Attack
If anything, Strafach is understating the problem, maintained Dave Jevans, vice president for mobile security products at Proofpoint.
“We’ve analyzed millions of apps and found this is a widespread problem,” he told TechNewsWorld, “and it’s not just iOS. It’s Android, too.”
Still, it likely is not yet a cause for great alarm, according to Seth Hardy, director of security research at Appthority.
“It’s something to be concerned about, but we’ve never seen it actively exploited in the wild,” he told TechNewsWorld.
The vulnerability enables a classic man-in-the-middle attack: data from the target phone is intercepted before it reaches its destination, then decrypted, stored, re-encrypted and forwarded on to its destination, all without the user’s knowledge.
For that to work, the app has to be fooled into believing it is communicating with its intended destination rather than with an eavesdropper.
“In order for a man-in-the-middle attack to be successful, the attacker needs a digital certificate that’s either trusted by the application, or the application is not properly vetting the trust relationship,” explained Slawek Ligier, vice president of engineering for security at Barracuda Networks.
“In this case, it appears that developers are developing applications in a way that allows any certificate to be accepted,” he told TechNewsWorld. “If the certificate is issued and not expired, they’re accepting it. They’re not checking if it’s been revoked or even if it’s properly signed.”
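The accept-anything pattern Ligier describes, and the few-line fix, side by side in Swift as an added illustration (this is not code from any of the apps in Strafach’s report). Assumed: an iOS 15 or later target for SecTrustCopyCertificateChain, and a placeholder leaf certificate shipped in the app bundle for pinning.

```swift
import Foundation
import Security

// Vulnerable pattern: the server's trust object is wrapped in a credential
// without ever being evaluated, so any certificate presented on the network,
// including an eavesdropper's, is accepted.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // never checked
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened pattern: let the system verify the chain against the hostname the
// request was made to (signature, expiry, name match), then additionally pin
// the leaf certificate to a copy bundled with the app (placeholder data here).
final class PinnedDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafDER: Data   // assumed: loaded from a bundled .der file

    init(pinnedLeafDER: Data) { self.pinnedLeafDER = pinnedLeafDER }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. System evaluation with an SSL policy bound to the requested host.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pin: the leaf's DER bytes must equal the bundled copy.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              SecCertificateCopyData(leaf) as Data == pinnedLeafDER else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Step 1 alone already closes the hole the article describes; the pin in step 2 is optional and must be rotated together with the server certificate, or the app breaks at renewal.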
Should Apple act to weed these vulnerable apps from behind its walled garden?
“Apple should most certainly remove any of the offending apps from the App Store,” said Sam McLane, head of security engineering at Arctic Wolf.
“This is something that is relatively easy to test for and should be enforced by Apple, since the trust model starts with the Apple ecosystem being safe for people to use,” he told TechNewsWorld.
Strafach disagreed. “The setup now is exactly as it should be with regards to developer control of networking code,” he said. “Developers can do something about this problem. For affected apps, the fix is only a few lines — less than an hour tops, if that, to fix the matter in affected code.”
If Apple tried to address this app vulnerability, it could create headaches for developers, especially those developing enterprise apps, noted Simeon Coney, chief strategy officer for AdaptiveMobile.
“A lot of app developers rely on current behaviors to do things like enterprise apps, which may not have a public certificate,” he told TechNewsWorld, “so the responsibility lies more with the app developers to make sure their apps aren’t bundled with this risk.”
Apple doesn’t want to force developers to fully trust certificates, added Ligier. “It will break a lot of things, especially internal apps, and generate a lot of unhappy users,” he said.
Nevertheless, developers should not release apps that allow for third-party certificates to be blindly accepted, McLane maintained.
“This is entirely in their hands to remedy,” he said. “It’s easily tested and only out of laziness would someone ever ship an app that had this egregious security hole in production level code.”
Welcome to Gadget Dreams and Nightmares, the column that occasionally stops gaping at contentious Senate confirmation hearings and votes to peruse the latest gadget announcements.
This time around, we’re looking at some of the gadgets that perhaps got a little lost in the noise after CES in January but caught our eye, for better or worse. Among them are a 4-D arcade machine and a robot designed to carry all the things you don’t want to.
As ever, dear readers, this is not a review column, in part because these products have yet to reach the public sphere, but mostly because the chances of my actually ever using said products are slim. The ratings relate only to how much I’d like to try them, should the stars align.
Regular readers will know that I’ve played games my entire life. I hold deep reverence for the care and attention that go into creating these experiences, and I’ve rarely met a game I didn’t want to conquer.
Yet I am nervous about virtual reality. I’ve tried it and found those disorientating worlds difficult to handle, though I suspect that over time I could grow more accustomed to it. I doubt I could say the same for an arcade machine that both locks me into a VR world and pelts me with physical stimuli.
Koei Tecmo Wave’s VR Sense machine is a virtual reality arcade cabinet that houses you and subjects you to what I can only imagine is sheer torture. It has what Koei Tecmo Wave calls a “3D seat,” which attempts to draw players further into the games through touch, movement, aroma, wind, and temperature and precipitation changes. It’s not completely clear as yet whether you have to wear a headset for the full VR effect.
It’s launching with three games: a horse-riding simulator, a version of Koei Tecmo Wave’s Dynasty Warrior franchise (with a stab at replicating in-game flames while you swelter in your moving chair), and a horror game.
I enjoy horror titles. However, I’d be less likely to welcome a VR horror game, as I’d probably come close to having a heart attack or three. There’s next to no chance I’d ever try Horror Sense.
That’s in large part due to the game apparently mimicking bugs falling from the ceiling and critters scuttling along the floor. I have a lot of questions about this, but ultimately, I’d tear off a VR headset in a second if I thought there were bugs falling on me while playing. No thank you, ma’am.
I’m happy to transport myself into different times and landscapes mentally if not physically. I may yet become a virtual reality convert — but for now I’m more than happy with a flat screen and a controller.
There is little I detest more, outside the realm of what certain parties are doing to the planet, than the act of carrying things. I truly despise it. I suppose in my heart of hearts I am a minimalist, and things get in the way constantly. It doesn’t help that I don’t have a car to dump purchases into on a shopping trip, or to hold my bag on the passenger seat.
Praise be to Piaggio Fast Forward, then, for its personal cargo robot, Gita. The machine can cart around up to 40 pounds of your things. It can follow you as you trudge home wearing a special belt that connects to Gita over WiFi and houses cameras to help Gita see where it’s headed.
Gita can move autonomously if it has an area mapped out — though I suspect I would not be likely to let a Gita trundle around by itself lest someone smash it open to steal my water bottle or something.
There’s good news if you’re a cyclist, since Gita can travel at up to 22 miles per hour and has a zero turning radius. I’d love to have this little gizmo even to carry my wallet around instead of stuffing it in my pocket, though I admit I’d feel a little silly having a moving shopping dolly following me around.
For people who aren’t as carrying-averse as I am, there are some broader, practical benefits — like transporting groceries and having only the intended recipient able to open it, or moving goods around a hospital.
Postal workers might find it useful as well, especially since Piaggio is developing a bigger version, the Kilo, which can transport up to 200 pounds of goods.
Mostly, I’m just glad I may never again have to contend with twine bag handles tearing into my hands as I desperately speed home to unload my frightful burden.
Twenty percent of the Dark Net was taken offline last week, when a hacker compromised a server hosting some 10,000 websites on the Tor network.
Tor, designed to hide the identities of its users, is widely used on the Dark Web, which isn’t indexed by mainstream search engines and serves as a hub for illegal online activities.
Visitors to the affected pages were greeted with the message, “Hello, Freedom Hosting II, you’ve been hacked.” Freedom Hosting II is the server that hosted the Tor pages.
The attacker, who has claimed to be part of the hacker collective Anonymous, reportedly took Freedom Hosting II offline because 50 percent of its sites contained child pornography.
The original Freedom Hosting sites hosted as much as 50 percent of the Dark Web’s pages as of 2013, when it was taken down by law enforcement. A number of child porn prosecutions followed that action.
This incident supposedly was the first hack carried out by the attacker, who claimed responsibility in an interview with Motherboard. In addition to taking Freedom II offline, the person stole 74 gigabytes in files and a 2.3-GB database.
The database stolen from Freedom II contains 381,000 email addresses — thousands of them with .gov extensions, Troy Hunt, who runs the Have I Been Pwned website, told Wired.
However, those .gov addresses may not be legitimate, he noted.
The hack of Freedom II was relatively rudimentary, said Tim Condello, technical account manager and security researcher at RedOwl.
“They identified a configuration issue and used it to identify the root user of the system and gain control of it that way,” he told TechNewsWorld. After gaining control of the system, “they overwrote the index file and redirected the landing page for all the websites to a landing page containing their message.”
This attack demonstrates that, when it comes to resistance to vulnerabilities, the Dark Web has no edge over the open Web.
“The underlying technology of the Dark Web isn’t anything revolutionary. The way a content management system or a hosting service operates is identical to how it’s done on the open Web,” Condello said.
“The difference is how the content is communicated, so it’s accessible only through the Dark Web,” he continued.
“The code that’s used for a forum on the Dark Web is the same code that’s used on the clear Web,” Condello explained, “so if there’s a vulnerability identified for WordPress, that vulnerability can be exploited on a Dark Web website using WordPress just as it would on the open Web.”
Flaws in Dark Web
The attack on Freedom II also shows the danger of concentrating resources in a central location.
“The fact that so many sites used this single particular hosting provider meant that a breach of that provider meant a breach of thousands of sites,” noted Danny Rogers, CEO of Terbium Labs.
“The anonymity of the Dark Web relies on its distributed nature,” he told TechNewsWorld. “These sorts of centralizations create significant weaknesses.”
Although breaking into servers and stealing data on the open Web is illegal, it remains to be seen what the consequences may be for the hacker of Freedom II.
“I’m sure they angered a lot of people, but I’m not sure how much anyone can do about it,” Rogers said.
There may be legal ramifications from the attack, but they could be for the people identified in the dump of stolen data rather than for the hacker.
“The data release is going to be a major boon to law enforcement,” Rogers observed.
More Attacks to Come
Attacks on the Dark Web are commonplace, but they don’t often get the visibility of the assault on Freedom II.
“These attacks will continue on a pace with what we see on the clear Web,” Condello maintained.
“I think the new pattern is going to be [that] as vulnerabilities are revealed on the open Web, people are going to go to the Dark Web and see if there are any sites with those same vulnerabilities,” he suggested. “Getting access to sites built around anonymity and pulling the curtain back on that can give you power and money.”