News the Internet

iOS cookie theft bug allowed hackers to impersonate users

Apple fixes vulnerability 2.5 years after receiving private report.
Apple has squashed a bug in its iOS operating system that made it possible for hackers to impersonate end users who connect to websites that use unencrypted authentication cookies.

The vulnerability was the result of a cookie store iOS shared between the Safari browser and a separate embedded browser used to negotiate "captive portals" that are displayed by many Wi-Fi networks when a user is first joining. Captive portals generally require people to authenticate themselves or agree to terms of service before they can gain access to the network.

According to a blog post published by Israeli security firm Skycure, the shared resource made it possible for hackers to create a booby-trapped captive portal and associate it with a Wi-Fi network. When someone with a vulnerable iPhone or iPad connected, it could steal virtually any HTTP cookie stored on the device. Skycure researchers wrote:

This issue allows an attacker to:

Steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site.
Perform a session fixation attack, logging the user into an account controlled by the attacker–because of the shared Cookie Store, when the victims browse to the affected website via Mobile Safari, they will be logged into the attacker’s account instead of their own.
Perform a cache-poisoning attack on a website of the attacker’s choice (by returning an HTTP response with caching headers). This way, the attacker’s malicious JavaScript would be executed every time the victim connects to that website in the future via Mobile Safari.
Skycure researchers privately reported the vulnerability to Apple in June 2013. It was fixed last week with the release of iOS 9.2.1. The update provides an isolated cookie store for captive portals. There are no reports of exploits in the wild.

TorFlow visualizes data flow over the Tor network

The Tor network is in use all over the world, but have you ever wondered where and how much? Well, now there’s a handy online tool called TorFlow that helps you visualize Tor connections across the globe.
Most coverage of Tor these days relates to its use as a place to host sketchy services like drug marketplace The Silk Road. However, at the core it’s simply an anonymization network. Tor is used by people concerned about privacy or security, including journalists and political activists. When you connect to Tor, your connection is routed through multiple encrypted nodes (or relays) before emerging onto the open internet. You can also connect directly to hidden services within Tor instead of the open internet. The Silk Road was one such service.
The TorFlow visualization shows the raw data exchange between Tor relay servers overlaid on a world map. The fascinating thing about Tor is that each server only knows the IP of the previous “hop” in the chain. So, each of those dots flowing across the globe is just a link in a chain, and there’s no viable way to know where it’s going next or where it was before.

You can zoom in and see servers grouped by data volume. In particularly dense areas, there’s just a circle and a count of relays. For example, Germany has a large hub of Tor activity with almost 1,000 servers in one area. TorFlow isn’t a live analysis of Tor, despite what it may look like. It’s showing you the aggregated activity for a whole day with the dot animation. You can use the slider at the bottom to see what Tor activity was like on any day all the way back to 2007. If poking around in Tor itself is a little too intimidating for you, this might be the next best thing.

Emily Ratajkowski flaunts pert derriere in sexy bikini snap on Instagram
EMILY RATAJKOWSKI flashed her pert derriere in a patterned bikini as she enjoyed the sunny weather in LA.

Emily Ratajkowski flaunted her pert derri?re in a sexy bikini snap
The model flaunted her enviable figure in the sexy snap which she shared with her 4.6 million followers on Instagram.

In the photo she can be seen facing a clear blue pool on a rooftop in LA as she poses next to a friend.
Emily opted for a black, checked two-piece and accessorised her look with a green baseball cap, a pair of hoop earrings and sunglasses.

She captioned the image: "Real Friends/ No More Parties in LA."

The Gone Girl actress, who recently returned from a holiday in Thailand, appeared to be enjoying soaking up the LA sun while the East Coast battled with Storm Jonas.

Emily was recently spotted at an event hosted by SVEDKA Vodka where she flashed her best assets in a plunging dress.

Chrome to warn when insecure websites expose your passwords
Google believes unencrypted websites are fundamentally flawed and should be banished. It's enlisted its own web browser to spread the message.
Google's Chrome browser soon will begin warning you when websites aren't securing your passwords or credit card numbers properly, an early step in the company's plan to fundamentally change how we view encryption on the web.

Encryption scrambles data so eavesdroppers can't understand information being sent to or from your web browser. It also keeps people from modifying websites -- for example, by inserting their own advertisements. And it makes life harder for police investigators and spies, which is why law enforcement and surveillance authorities have been trying to find ways around encryption.

Google wants encrypted websites to become the norm to improve privacy and security, and it's using its browser to push that agenda to hundreds of millions of people who use it. Starting with Chrome 56, due in January 2017, the browser will present a "not secure" alert on websites that handle passwords and credit card numbers insecurely.
It's a small, not terribly controversial change. Website encryption was invented more than two decades ago precisely so this kind of information could be secured to enable e-commerce. But this is just a first step in Google's plan to get us all to think of unencrypted websites as flawed, not ordinary.

The FBI may not like it, but Google's pro-encryption stance is increasingly common. As we live more and more of our lives online, building better privacy into the global internet seems sensible.

To fetch website content from where it's stored on a web server, your browser uses the foundational technology called HTTP, or Hypertext Transfer Protocol. For encrypted website communications, though, browsers use a secure version called HTTPS. To encourage website developers to move from HTTP to HTTPS, Google gradually will spread the Chrome "not secure" warning to any website delivered over HTTP, not just those with passwords and credit card numbers.

"Chrome currently indicates HTTP connections with a neutral indicator. This doesn't reflect the true lack of security for HTTP connections," said Emily Schechter, a member of the Chrome security team, in a blog post Thursday. "When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."

UK ISPs to block set-top boxes that illegally live-stream soccer matches
Premier League wins court injunction requiring server-level blocking.

Kodi set-top boxes that allow football fans to stream live matches without a licence will be blocked by the UK's four biggest ISPs, after the High Court approved a piracy clampdown order.

Sky, BT, TalkTalk, and Virgin Media will all be required to block servers that stream Premier League football games.

"The new block will enable a proportionate and targeted restriction of content that would otherwise have been proliferated to unauthorised websites and IPTV devices," said the Premier League after it secured the court order from Mr Justice Arnold on Wednesday.

BT and Sky fling millions of pounds at footie matches to win exclusive rights to broadcast the games live. Earlier this week, BT Sport secured the exclusive rights to show UEFA Champions League and UEFA Europa League matches until 2021.
But broadcasters and the Premier League have been fretting about the rise of Kodi set-top boxes, which allow football fans to watch live streams of copyrighted material on their TVs without paying for a subscription.

The High Court granted the order to block the servers that stream the matches via the Kodi boxes under section 97a of the Copyright, Designs, and Patents Act.

"We will continue working with ISPs, government, and other sports content producers to protect consumers from illegitimate services that offer no recourse when services are removed, provide no parental controls and, in many instances, are provided by individuals involved in other criminal activity," the Premier League said.

The Premier League has been involved in a number of recent legal actions against individuals who have supplied Kodi boxes to football fans seeking to watch the matches without coughing up a subscription fee to Sky or BT.

This week, a millionaire who flogged Kodi boxes to pubs for ?1,000 a pop was ordered to pay ?250,000 and handed a 10-month prison sentence, which was suspended for one year after 65-year-old Malcom Mayes of Hartlepool, County Durham pleaded guilty to selling the boxes illegally.

This post originated on Ars Technica UK

Facebook takes aim at Netflix with original TV shows

facebook_live.jpg

New content could arrive as soon as mid-June, and will come in two 'tiers' - one feature-length, the other short-form
Facebook's first original programming could land as soon as next month, sources say.

Business Insider quotes "people familiar with the plans" as saying the shows could arrive in mid-June. The line-up is said to number about two dozen shows, with many more greenlit for production.

The content will be split into two 'tiers'. Feature-length shows will comprise the upper tier - think glossy, slickly produced dramas to compete with the likes of House Of Cards. The lower tier will consist of shorter, five- or 10-minute segments that will be refreshed every 24 hours.

One of the shows is said to follow couples as they go on a date in virtual reality before meeting up in person to go on the real thing. It's being made by Conde Nast Entertainment, the studio production arm of the glossy magazine company.
Conde Nast Entertainment has previously announced it was working on a video project for Facebook, but hasn't confirmed what the content will be.

Facebook is also targeting A-list celebs, with at least one lined up to star in a show, according to the sources.

Facebook is investing heavily in video to try to lure users away from Snapchat. According to one source, "They are obsessed with Snapchat." Snap Inc. - Snapchat's parent company - is also pursuing deals for TV shows for Snapchat's Discover section.

Facebook's shows are expected to be unveiled at the Cannes Lions advertising festival, which starts on 17th June. According to one source, however, the launch could be pushed back to later in the year.

Facebook isn't the only company investing in original TV programming. Apple and Spotify have both announced original shows in an effort to differentiate their streaming services from rivals.

Dutch anti-piracy association sued 75 sellers of illegal IPTV and VOD subs

Online-Piracy.jpg

The Dutch anti-piracy association Brein said this year it sued 75 sellers of illegal IPTV and VOD subscriptions.

Brein offers all providers a civil settlement, but in the event of refusal, legal proceedings are initiated and full legal costs will also be claimed. The total amount of settlements, penalties and reimbursement of legal costs collected this year is around €300,000.

In total, since the GS Media and Brein / Film Player judgments by the Court of Justice of the EU, 275 illegal sellers have been detected by Brein. Of these, around 50 have stopped on their own initiative before Brein knocked on their door. “Stopping before you are caught is still a sensible idea, because the amounts to be paid can be quite high,” said Brein director Tim Kuik.

Meanwhile, last month at an electronics store in The Hague ten IPTV set-tops were confiscated by the police. The company sold them in combination with an IPTV subscription for €199 per year. After entering a code, the box could give unauthorised access to more than a thousand channels including sports.

The case has now been dealt with under civil law by means of a voluntary withdrawal of the boxes and a declaration of abstention with a penalty clause of €500 per box and subscription. This is the second time that the police in The Hague has seized illegal media boxes.

Recently Brein has also arranged with a small online seller of IPTV subscriptions who, besides access to encrypted channels, also gave video-on-demand access to films and series. The man settled for €1250 and signed a declaration of abstention with a penalty clause of €500 per subscription.

Judge slams bikini-app maker’s lawyers in legal clash with Facebook
"What has happened is unconscionable," judge tells Six4Three's Ted Kramer.

getty-facebook-icon-800x575.jpg

At the conclusion of a tense hearing that lasted over 3.5 hours, a San Mateo County judge ruled Friday that a top executive of an embattled and now-defunct bikini-related app company now must surrender his electronic devices for forensic inspection.
San Mateo County Judge V. Raymond Swope ordered Six4Three's managing director, Ted Kramer, to hand over his computer and mobile devices by 9pm PT on Friday evening.

In addition, Thomas Scaramellino, one of Kramer's lawyers, also had to give up his electronic devices by 12pm PT on Saturday. It is not clear whether the two men—who did not immediately respond to Ars' request for comment late Friday evening—complied with the orders.

The two orders came 10 days after the revelation that Kramer strangely shared a number of files that had previously been kept secret in an ongoing lawsuit that dates back years.

In 2015, Six4Three sued Facebook in San Mateo County Superior Court. The company alleged "fraudulent and anti-competitive schemes" in relation to changes made by Facebook in 2014 to the way that access to its Graph API worked. Those changes quickly ended Six4Three's business model on its short-lived "Pikinis" app, which was designed to identify photos of bikini-clad Facebook users. The case remains set for an April 25, 2019, trial date in the county court in Redwood City, California, roughly five miles north from Facebook's headquarters in Menlo Park.

The lawsuit gained new life last month when Kramer was confronted by Damian Collins, a British member of parliament currently leading an investigation into Facebook. The MP demanded that Kramer hand over certain documents obtained during the course of the lawsuit.
However, those documents were already under protective order by the San Mateo court. Nevertheless, Kramer, according to his lawyer's testimony, "panicked:" on November 20, Kramer handed over a USB stick with some materials to Collins, who has vowed to publish them soon.
"What has happened is unconscionable," Judge Swope said from the bench, addressing Kramer, according to The Guardian. "It shocks the conscience. And your conduct is not well taken by this court."

The judge slammed Kramer's lawyers, expressing amazement that not only had Kramer been improperly given access to the files due to an apparently misconfigured Dropbox app, but that he handed over the files to British authorities seemingly without his lawyers' knowledge or approval.

"When I issue a valid court order governing the conduct of parties in this case or any such court order, I expect these orders to be followed. I do not expect a compromise of the integrity of this judicial system, which has been done," Judge Swope said. "The ends do not justify the means, whatever you're trying to accomplish."

David Godkin, another one of Six4Three's lawyers, said that he and the other company lawyers would be withdrawing from the case.

Godkin's redaction failures in a February 2017 court document also recently revealed that Facebook had once considered charging access to its Graph API—a fact that Facebook had wished to keep secret.

"This whole situation has created serious issues for us under the rules of professional responsibility," he said.

Verizon takes aim at Tumblr’s kneecaps, bans all adult content
Adult content has been estimated at 10-20 percent of the blogging service's traffic.

tumblr-sexay-800x450.jpg

Oath, the Verizon subsidiary that owns the Yahoo and AOL digital media brands, has announced that as of December 17, all adult content will be banned from the Tumblr blogging site. Any still or moving images displaying real-life human genitals or female nipples and any content—even drawn or computer-generated artwork—depicting any sexual acts will be prohibited.

Genitals and female nipples will only be permitted within the context of breastfeeding, childbirth, and in health-related subjects such as gender confirmation surgery. Written erotica will also remain on the site.
Nowadays, pornography represents a substantial element of Tumblr's content. A 2013 estimate said that around 11 percent of the site's 200,000 most-visited domains were porn, and some 22 percent of inbound links were from adult sites.

Tumblr's relaxed attitude both toward adult content and to copyright infringement—a good proportion of the porn is simply lifted from commercial adult websites—created a safe space for adult content. So a wide range of communities—particularly those poorly represented in broadly heteronormative mainstream porn—took advantage of this atmosphere to publish their own pornography. Present-day Tumblr has substantial LGBT, kink, fetish, and BDSM representation, for example. This encompasses a mix both of the commercial (amateur models promoting their content) and the non-commercial (porn made for fun, for empowerment, for the sheer joy of exhibitionism).

This is not to say that Tumblr has done nothing to limit porn before. Shortly after the site was purchased by Yahoo in 2013, blogs marked as not safe for work were hidden; they only became accessible to Tumblr users logged into their accounts. Such sites were also removed from Tumblr's search listings. Photographs have usually been published without problem, but many producers of adult content have noticed that publishing video to the site has become increasingly hit-and-miss, with pornographic video content routinely being pulled.

Porn has caused issues for Tumblr, too. Earlier this year, Apple removed the Tumblr app from the iOS App Store; this was because child porn had been published on Tumblr, and the filtering system the site uses to prevent such things did not catch it.

Going forward, blogs with adult content will not be destroyed. Tumblr says that their owners are free to continue to use their existing blogs to start publishing permitted content.

Tumblr CEO Jeff D'Onofrio said that the decision was motivated by a desire to make Tumblr a more welcoming platform for publishing, suggesting that the presence of adult content made people uncomfortable to express themselves. In his statement, he appeared indifferent to the communities that will be harmed by this action, saying only that there's "no shortage" of adult sites on the Internet, suggesting that they can fill the space once occupied by Tumblr. While there are now a number of outlets for commercialization of self-produced amateur porn, the community element that Tumblr fostered was unique. For now, it's unclear where these

📺Пикник ТВ👍