Windows 10 Face Recognition Can Be Tricked By A Photo!

This is sad!

Windows 10 face unlock can be tricked using printed headshot

ZDNet – By: Liam Tung – “Security researchers are urging Windows 10 users to update their system to prevent attackers from using a printed headshot to bypass Windows Hello facial authentication.

Researchers from German pen-testing firm SYSS report that Windows 10 systems that have not yet received the recent Fall Creators Update are vulnerable to a ‘simple spoofing attack using a modified printed photo of an authorized person’. The attack works against multiple versions of Windows 10 and different hardware.

The researchers tested the spoofing attack against a Dell Latitude with a LilBit USB camera and against a Surface Pro 4 running various versions of Windows 10, going back to the first release, version 1511.

SYSS claims the spoofing attack was successful on a Surface Pro 4 running version 1607 of Windows 10, the Anniversary Update rolled out in summer 2016, even with Microsoft’s enhanced anti-spoofing enabled. However, the attack was only successful on version 1703, the Creators Update rolled out in Spring 2017, and 1709, the Fall Creators Update currently being rolled out, when anti-spoofing was disabled.

However, just applying the Fall Creators Update is not enough to block the spoofing attack, according to SYSS. To prevent a successful attack users need to also set up Windows Hello face authentication from scratch after the update, as well as enabling anti-spoofing.

SYSS provided two videos demonstrating its proof of concept attacks. A third video shows the attack on a Surface Pro that was updated to version 1709 without reconfiguring Hello face authentication.

The Register spotted SYSS’s advisory on Full Disclosure. SYSS offers a few more details about its attack on a separate [German language] writeup on its website.

A key element of the attack appears to be taking a headshot of the authenticated user with the near-infrared (IR) camera. Windows Hello uses near-IR imaging to unlock Windows devices. Microsoft chose near-IR imaging for authentication because it worked in poor lighting and offered some protection against spoofing attacks, since IR images aren’t typically displayed in photos or on a screen.

SYSS printed out a modified version of the near-IR captured headshot in various resolutions and colors. Holding the printout up to a locked device’s camera successfully unlocked it. Another method involved placing opaque sticky tape over the RGB camera lens and then holding the same printout up.

As far as the fix goes, SYSS notes that in its test only the Surface Pro 4 supported enhanced anti-spoofing while the LilBit USB IR camera did not.

The company plans to reveal further variations of its attack in spring 2018.

‘According to our test results, the newer Windows 10 branches 1703 and 1709 are not vulnerable to the described spoofing attack by using a paper printout if the ‘enhanced anti-spoofing’ feature is used with respective compatible hardware,’ SYSS wrote.

‘Thus, concerning the use of Windows Hello face authentication, SYSS recommend updating the Windows 10 operating system to the latest revision of branch 1709, enabling the ‘enhanced anti-spoofing’ feature, and reconfiguring Windows Hello face authentication afterwards.’

Microsoft had not responded to a request for comment at the time of publication.”

Microsoft Edge Browser is Now on Android

OK, so it is available on Android… I will stick with Chrome!

Microsoft Edge on Android: Windows 10 browser spinoff clocks up million users

ZDNet – By: Liam Tung – “Just a week after coming out of preview, the Microsoft Edge app for Android has been downloaded at least a million times.

According to the Google Play Store, the Blink-based Microsoft Edge app has been downloaded between one million and five million times. The app has been available to testers for a while, but only reached preview in October before becoming generally available at the end of November.

The Microsoft Edge apps for iOS and Android aim to make Edge more appealing to use on Windows 10 by making it more convenient to sync the browsing experience across devices.

The app offers Microsoft’s ‘Continue on PC’, which allows users to pass a site, app, photos, and files from a phone to a Windows 10 PC.

Microsoft has also added a roaming passwords feature that allows users to save a password on the phone, which carries across to the PC, as well as a dark theme.

It’s likely to take a while for Edge app downloads to pass the five million milestone on Android, given that the app is only useful for the subset of Windows 10 users who actually use Edge on a PC.

While Windows 10 is now running over 500 million PCs, Edge currently only has a 3.6 percent share of desktops worldwide, according to NetMarketShare.

So anything Microsoft can do to boost appeal of Edge on the PC will be helpful in convincing more users to make the switch, either from Chrome or Internet Explorer 11.

It’s also working to expand the number of Edge extensions, which over a year after Microsoft enabled them now numbers 80.”

HP Admits to Bloatware Security Issue!

Do you have an HP notebook? If so, you may want to get the latest patch from HP! For the second time this year HP has announced that some of the “bloatware” that it puts on its systems before they are sold included a key logger that can lead to you losing your personal data or compromising your system.

This is another good reason that I wipe a system and reinstall the operating system when I get a new computer! Too many vendors that get paid for putting all this junk on the system before it goes out the door have this junk on the PC that just slows it down! In this case, it’s actual malware! This is getting out of hand! Let’s fight bloatware!

HP systems that have this problem include HP G2 Notebooks, the HP Elite x2 1011 G1 tablet, HP EliteBooks, HP ProBooks and HP ZBook models, among others.

So, another good reason to keep your systems patched, whether by the vendor, or your standard operating system patches. We live in a really strange world!

Today’s Important Router Tip

Are you ready for a good tip about your Internet connection? This is going to sound really weird! But, think about it, your Internet router is actually just a computer. It may be running a proprietary operating system, it may be based on Linux, who knows? In any case, computers don’t run forever without running into an error. And, what do you do when a computer encounters an error? You restart it! So, the best thing you can do is occasionally restart your router on a regular, controlled, basis! Say, every month or so. If you do it in a planned fashion, you won’t be caught off guard when your router quits working.

I know this sounds silly, but if you make it part of your regular computer maintenance, like doing your backups and keeping a backup off-site (and I know you do that, right?), then your Internet connection will be solid and life will be good… Because we all need a good Internet connection, it is a function of life! Or, at least it is in these modern days… Am I right?

Bitcoin is Going Crazy!

The value of Bitcoin is going through the roof. But, it is highly volatile and risky!

Bitcoin’s Crazy Run Is Crushing All Other Digital Currencies

Fortune – By: Jeff John Roberts – “Even by the standards of bitcoin, it’s been a crazy few days. In the last 48 hours, bitcoin smashed through the $12,000 mark and kept right on climbing—to $14,000 then $15,000 and past $16,000 as of Thursday morning.

This is a remarkable run but, in the midst of the mania, something else surprising is happening in the digital currency markets. Namely, the price of other crypto-currencies are not rising right alongside bitcoin as you might expect—they’re not even rising more slowly.

Instead, other popular digital assets like Ethereum and Bitcoin Coin have actually been tumbling as bitcoin soars like a rocket ship…

In the last 24 hours, bitcoin has left its erstwhile rivals in the dust, gaining 25% in value while the others have fallen anywhere from 3% to 10%.

What exactly is going on here? As with many things related to bitcoin, it’s hard to know for sure. Even though quants have long been poring over price movements to find correlations between bitcoin and other assets—such as those that exist between equities and Treasuries or airline stocks and oil prices—few predictable patterns have emerged.

One guess is that speculators are deciding that even the most popular substitutes will not hold value, and are deciding they want bitcoin or nothing.

As Charlie Lee, the creator of LiteCoin (currently number 7 on the list above) and a good source for digital currency insights, declared on Twitter, bitcoin is clearly ‘the king of crypto.’

Bitcoin is making a HUGE statement today showing all the altcoins who the king of crypto is! Wow.

$16500 now. I’m expecting a correction anytime now. But then again, I have been expecting a correction since $5000.

What happens next, of course, is anyone’s guess. As Lee suggests, a bitcoin price correction is likely on the way and, if that happens, it’s unclear if the sellers will redirect their money to other crypto currencies—or get out of the market altogether.”

Will Disney Buy Fox?

Disney might buy Fox, and the X-Men and Fantastic Four could come back “in the fold” of Marvel characters on screen. I would like that! But, this article points out the downside:

A Disney-Fox Deal Would Mean Far More Than Just ‘X-Men’ Joining Marvel

Forbes – By: Scott Mendelson – “I have thus far avoided dipping my toes into the whole ‘Disney might buy Fox’ story, both because Disney might not buy Fox and because there are tons of unanswered questions even if the deal does go through. But I do find distress in those who discuss this news entirely in terms of Fox’s Marvel superhero properties making their way into Disney’s MCU. That’s just the tip of the iceberg in terms of the broader implications, and the ability for Wolverine to show up in Avengers 4 may come at far too high a price.

First and foremost, Walt Disney is currently running up 18% of the total domestic box office as Fox now makes up 12% of the 2017 North American theatrical market. While Disney is now behind Warner Bros./Time Warner Inc. in domestic market share, it’s close enough that The Last Jedi should put it over the top. Very rough math, but just $650 million domestic for Star Wars plus left-over money for Coco and Thor: Ragnarok should push Disney over $2.5 billion for the year as WB hopes to get to $2.1b.

Last year, Walt Disney had a jaw-dropping 26% of the domestic box office while Fox had 13%. With Fox and Disney combined into one entity, it’s plausible to see Walt Disney’s theatrical output controlling close to 40% of the theatrical business. With that kind of hold, the Mouse House could essentially rewrite the rules for how its movies are seen in theaters (higher ticket prices, higher percentages back to the studios, exclusive auditorium control, etc.) in a way that wouldn’t remotely help the likes of Universal or Warner Bros.

Disney has already gotten heat this year for somewhat more draconian terms for domestic theaters planning to show Star Wars: The Last Jedi (because it knows that much of the money isn’t going to come from the overseas business). It justifiably got torn to shreds for blacklisting Los Angeles Times journalists from Thor: Ragnarok press screenings after the paper reported unfavorably on Disneyland’s tax-related relationship with Anaheim. While Disney relented quickly, arguably because Coco needed the critical buzz more than Thor, such a move could well be solidified with that much control of the market.

And while Walt Disney is a publicly traded company and not a charity, this wouldn’t necessarily be good for the overall industry. Fewer major studios mean fewer places for artists to pitch their work, and thus potentially a less diverse slate of movies and television shows. Less competition could also drive down compensation for said artists, and Disney would be powerful enough to (if it chose to) essentially set the status quo for compensation for the next round of union negotiations. But at least we’d get a decent Fantastic Four movie, right, guys?

Disney would own the X-Men characters, the Fantastic Four franchise and a host of other huge franchises like Avatar, Alien, The X-Files and The Simpsons. I guess Avatar 2 (or, less likely, Deadpool 2) wouldn’t be the first $1 billion+ grosser outside Disney or Universal since Transformers: Age of Extinction back in 2014. Since Disney already owns ABC, I don’t think it’d be allowed to own the Fox broadcast network as well, although it could get the cable channels (like FX) and enough of a stake in Hulu to make it Netflix’s primary rival whether Hulu becomes Disney’s de facto streaming service or not. So it could well be Disney vs. Netflix vs. Amazon vs. everyone else.

Even if X-Men joined the MCU, Fox has just found its footing in terms of differentiating X-Men from the MCU or DC Films by going all-in with genre appropriation and offbeat comic book cinema. Would we lose R-rated fare like Logan and Deadpool or genre-specific offshoots like The New Mutants? Marvel has thrived partially because it didn’t have access to the most popular characters and had to make its B-characters into A-level movie stars. Assuming Marvel even wants those new franchises, what will the MCU look like if it can churn out X-Men, Fantastic Four and occasional Sony-produced Spider-Man films?

Disney won’t own Fox News or Fox Sports, but what do you think the owners of Fox News are going to do with lots more money on hand and an explicit devotion to news and media? It’s not Disney’s responsibility to make sure that its money doesn’t go toward evil, but the powers behind Fox News having more money and more free time to devote to media and politics is not going to be good for media and politics. At least Captain America can punch Dr. Doom. Now it isn’t all doom and gloom, but silver linings require a certain degree of idealistic optimism.

I’d like to think that Disney wants Fox not to crush a major competitor but rather to use Fox’s bench in terms of making adult-skewing fare a major asset for Disney. I’d like to think that Disney would continue to let Fox do what it wants (as it has given Marvel and Lucasfilm comparative creative freedom) and allow Fox and Fox Searchlight to allow Disney to also corner the market on adult-skewing prestige fare, Oscar-season biggies and grown-up blockbusters like War for the Planet of the Apes or Murder on the Orient Express. But that’s no guarantee.

And if Disney views the Fox/Fox Searchlight fare as glorified prestige releases, less about drowning in profits than cornering the market, then those films would be less beholden to the whims of theatrical moviegoing. They would dominate the blockbuster realm with the likes of Star Wars and Beauty and the Beast, while also offering (presumably under Fox’s banner or the likes of Touchstone) adult-skewing biggies like The Revenant as well. But that’s assuming Disney has any interest in the likes of Kingsman: The Secret Service, Gone Girl or 12 Years A Slave.

Again, that’s not inherently good for competition, as it would essentially turn Hollywood into ‘Disney/Fox versus everyone else’ with Warner Bros./Time Warner Inc. and Universal/Comcast Corp. as the only ones who could stand up to the Mouse House. Assuming Disney doesn’t decrease the Fox output, those three studios alone could control 55-70% of the domestic market share in any given year. Yes, Lionsgate and the smaller distributors (A24, Open Road, STX, etc.) could still do their thing, but Sony and Paramount/Viacom Inc. would be in trouble.

It might be good news for those of us who still champion the theatrical experience. Disney has thus far been the major holdout in would-be attempts to jump-start early VOD. If that one company now controlled 35-40% of the marketplace, it could be a boon for theaters, assuming Disney doesn’t use its overall dominance to extract concessions and/or extra money from theaters in a way that hurts its rivals and/or the theater chains. Again, I’m not saying it would, and I hope that it wouldn’t, but it isn’t required to have the same values as the characters in its movies.

Maybe the deal won’t go through, although Fox apparently wants to unload its film/TV divisions, so someone is probably going to snatch it up (at least Universal and Fox would together control only 25% of the market). It is … disconcerting to see how much of the talk concerning this potential merger has been focused entirely on the notion of Deadpool hanging out with Thor. This would be a game-changing shift in the entertainment industry, one that would cement Walt Disney as an ultimate power in the world of TV and film while potentially allowing Fox to become even more of a dominant player in media.

There are potential upsides but far more potential trouble spots to this deal. Moreover, I am not so naïve as to not understand the disconnect between the idealistic product that Walt Disney puts out and the cold, calculating business decisions made by folks who may be inclined to act closer to Scar than Steve Rogers. But the cost of bringing Avatar and the X-Men into the Disney fold may well be the creation of a true multimedia empire. And even the potential for monopoly-esque tactics or inadvertently giving Fox News buckets of money for its media pursuits may cost Disney any appearance of moral righteousness.

As someone who likes the products and values that Disney presents to the world, I would rather this not come to pass.”

Dr. Bill Stirs up Controversy!

I wanted to give you guys an update on the Dr. Bill.TV netcast. I hope that you have been watching the recent programs that I posted on YouTube. I’m working on the audio and the lighting, and it’s looking better and better every time. Hopefully, by the next episode I will have even better lighting, and things should really be about like I want them to be.

I did think it was interesting that on the last episode on YouTube it was flagged by YouTube as not being available for monetization: the reason? Because I mentioned “controversial topics!” The controversial topic was a review of TerrariumTV! I found that very interesting, because I specifically said that I was not advocating illegally watching movies and television shows that you didn’t pay for, but rather just highlighting the technology.

But, c’est la vie! At least I know that my netcasts are very edgy! Dr. Bill can really stir up some controversy, huh? Anyway, stay tuned for more edgy topics in technology, and cord cutting tips! [Smile]

The MacOS Fix is Out!

And, the fix is out, update now!

Apple releases macOS High Sierra security fix for critical root vulnerability

9to5mac – By: Zac Hall – “If you’re running macOS High Sierra, it’s time to update your Mac as soon as possible. Apple has released a security update that addresses the security vulnerability discovered yesterday afternoon. The update is available now through the Mac App Store.

Apple details the fix here:

SECURITY UPDATE 2017-001

Released November 29, 2017

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.

If you require the root user account on your Mac, you can enable the root user and change the root user’s password.

While the security vulnerability was a rather serious one, Apple has promptly responded with a fix less than 24 hours after it became public. The issue did not affect older versions of macOS, although there doesn’t appear to be a fix available for macOS 10.13.2 beta yet as the fix (downloadable here) only appears to apply to macOS 10.13.1 for now.

Apple issued this statement to 9to5Mac following the software fix:

‘Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.'”

Embarrassingly Easy MacOS Vulnerability!

Wired is reporting this super easy hack on High Sierra. Ouch!

Anyone Can Hack MacOS High Sierra Just by Typing ‘Root’

Wired – By: Andy Greenberg – “There are hackable security flaws in software. And then there are those that don’t even require hacking at all—just a knock on the door, and asking to be let in. Apple’s macOS High Sierra has the second kind.

On Tuesday, security researchers disclosed a bug that allows anyone a blindingly easy method of breaking that operating system’s security protections. Anyone who hits a prompt in High Sierra asking for a username and password before logging into a machine with multiple users can simply type ‘root’ as a username, leave the password field blank, click ‘unlock’ twice, and immediately gain full access.

In other words, the bug allows any rogue user that gets the slightest foothold on a target computer to gain the deepest level of access to a computer, known as ‘root’ privileges. Malware designed to exploit the trick could also fully install itself deep within the computer, no password required.

‘We always see malware trying to escalate privileges and get root access,’ says Patrick Wardle, a security researcher with Synack. ‘This is best, easiest way ever to get root, and Apple has handed it to them on a silver platter.’

As word of the security vulnerability rippled across Twitter and other social media, a few security researchers found they couldn’t replicate the issue, but others captured and posted video demonstrations of the attack, like Wardle’s GIF below, and another that shows security researcher Amit Serper logging into a logged-out account. WIRED also independently confirmed the bug.

The fact that the attack could be used on a logged-out account raises the possibility that someone with physical access could exploit it just as easily as malware, points out Thomas Reed, an Apple-focused security researcher with MalwareBytes. They could, for instance, use the attack to gain root access to a logged-out machine, set a root password, and then regain access to a machine at any time. ‘Oooh, boy, this is a doozy,’ says Reed. ‘So, if someone did this to a Mac sitting on a desk in an office, they could come back later and do whatever they wanted.’

Reed also notes, however—and other researchers confirm—that it’s possible to block the attack simply by setting a password for the root user. If you’ve installed High Sierra and haven’t set a root password, you should do it now. In a statement, Apple confirmed the problem, reiterated that short-term fix, and promised a longer-term software patch: ‘We are working on a software update to address this issue,’ an Apple spokesperson wrote.


High Sierra’s ‘root’ bug was first revealed by Turkish software developer Lemi Orhan Ergin, who says security staff at his company stumbled on the issue while trying to help a user get back into their account. ‘They informed me and tried on my machine too. And I saw the security issue with my eyes. That was scary,’ Ergin says.

The face-palm worthy bug is only the latest in a disturbing series that have plagued High Sierra. On the day the operating system launched, Wardle found that malicious code running on the operating system could steal the contents of its keychain without a password. And another shocking bug showed the user’s password as a password hint when they try to unlock an encrypted partition on their machine known as an APFS container.

Wardle argues that those flaws might have been caught earlier if Apple offered a ‘bug bounty’ for information about security vulnerabilities in its desktop software, just as most other companies do. Apple does have a bug bounty, but only for iOS, not MacOS. ‘A bug bounty program is a no-brainer. Maybe this is something that will encourage them to go down that path,’ Wardle says. ‘It’s crazy these kinds of bugs keep blowing up. I don’t know if I should laugh or cry.'”
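For readers who want to check a High Sierra machine against the two articles above, here is an added audit script; it is not code from 9to5Mac, Wired or Apple. It uses two facts the articles give (Security Update 2017-001 applies to 10.13.1 and leaves the Mac at build 17B1002; setting a root password blocks the attack in the meantime). Everything else is an assumption, labelled in the comments: the way `dscl` reports the root account's state, and the sample build strings other than 17B1002, which are constructed for illustration. The helpers take their input as arguments so they can be exercised with constructed samples on any system.

```shell
#!/bin/sh
# Added example, not code from the articles or from Apple: audit helpers for the
# High Sierra root-login bug (CVE-2017-13872).
# From the articles: Security Update 2017-001 applies to macOS 10.13.1 and leaves
# the machine at build 17B1002; setting a root password blocks the attack.
# Assumptions: the dscl output markers below and every sample build string
# except 17B1002 are constructed for illustration.

# Split a Darwin build string such as 17B1002 into "major letter number".
# Fails (exit 1) when the argument is not shaped like a build number.
parse_build() {
    printf '%s' "$1" | grep -Eq '^[0-9]+[A-Z][0-9]+$' || return 1
    printf '%s\n' "$1" | sed -E 's/^([0-9]+)([A-Z])([0-9]+)$/\1 \2 \3/'
}

# Exit 0 when BUILD is 17B1002 or a later build of the 17B (10.13.1) train,
# exit 1 when it is an earlier 17B build (update missing) or not parsable,
# exit 2 when it belongs to another train, which the articles do not cover
# (the 10.13.2 beta had no fix at the time of writing).
build_has_fix() {
    parsed=$(parse_build "$1") || return 1
    set -- $parsed
    [ "$1" = 17 ] && [ "$2" = B ] || return 2
    [ "$3" -ge 1002 ]
}

# Classify the root record's AuthenticationAuthority attribute. On a Mac the
# text comes from:  dscl . -read /Users/root AuthenticationAuthority 2>&1
# Assumed markers: ";DisabledUser;" = root disabled, ";ShadowHash;" = a
# password is set (the short-term mitigation in the Wired piece). Anything
# else is reported as "check", i.e. worth a manual look.
root_state() {
    case $1 in
        *DisabledUser*) echo disabled ;;
        *ShadowHash*)   echo password-set ;;
        *)              echo check ;;
    esac
}

# Stand-alone use: on macOS audit the live machine; elsewhere run the helpers
# against constructed samples so the output can be compared by eye.
if [ "$(uname 2>/dev/null)" = Darwin ]; then
    build=$(sw_vers -buildVersion)
    status=0; build_has_fix "$build" || status=$?
    case $status in
        0) echo "build $build: Security Update 2017-001 (17B1002 or later) present" ;;
        2) echo "build $build: different release train, not covered by the advisory" ;;
        *) echo "build $build: update missing or build string not understood" ;;
    esac
    echo "root account: $(root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")"
else
    for b in 17B48 17B1002 17C88; do   # 17B48 and 17C88 are sample strings, not from the articles
        status=0; build_has_fix "$b" || status=$?
        echo "$b -> status $status"
    done
    # constructed sample of a disabled root record
    root_state 'AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
fi
```

Run it with `sh audit-root.sh` on the Mac in question; a status of 0 together with `disabled` or `password-set` is the state both articles describe as safe, anything else deserves a look at the build number and the root account by hand.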
