Category Archives: Uncategorized

The original Ghostbusters franchise is getting a new film in 2020

Who ya gonna call? Three of the four original Ghostbusters: Bill Murray, the late Harold Ramis, and Dan Ackroyd.
Enlarge / Who ya gonna call? Three of the four original Ghostbusters: Bill Murray, the late Harold Ramis, and Dan Ackroyd.
Columbia Pictures

Fire up your proton packs, people, because there’s going to be another Ghostbusters movie from Sony Pictures, according to Entertainment Weekly. Jason Reitman (Juno, Thank You For Smoking) will direct the new film, which will be set in the same fictional universe as the 1984 original and its sequel—unlike Paul Feige’s 2016 all-female Ghostbusters.

Reitman is a fitting choice, seeing as how he’s the son of Ivan Reitman, director of the 1980s films. You may have glimpsed Jason, his mother, and his sister in the original Ghostbusters, as residents fleeing their haunted skyscraper. Jason even had a line in the 1989 sequel: he was the birthday boy who told the ‘Busters, “My dad says you guys are full of crap.”

Reitman resisted following in his father’s footsteps for years, but it seems he’s finally succumbing to the call. “I’ve always thought of myself as the first Ghostbusters fan, when I was a 6-year-old visiting the set. I wanted to make a movie for all the other fans,” Reitman told EW. “This is the next chapter in the original franchise. It is not a reboot. What happened in the ‘80s happened in the ‘80s, and this is set in the present day.”

Reitman co-wrote the script with Gil Kenan (Monster House), but declined to share any details with EW, preferring to let “the film unwrap like a present.” But there’s bound to be excited speculation about the possibility of original cast members returning. Harold Ramis died in 2014, but Dan Ackroyd, Ernie Hudson, and Bill Murray are still around. Murray had a small role in the 2016 reboot, along with cameos by Sigourney Weaver and Annie Potts (who played the shrill receptionist Vanessa in the original.)

Count me among those who genuinely loved Feige’s 2016 vision (especially the extended director’s cut, which was vastly superior to the theatrical release)—Kate Mackinnon as Jillian Holtzmann was a sheer delight and practically stole every scene. I thought the controversy surrounding its all-female cast was ridiculous. Reitman is a fan too. “I have so much respect for what Paul created with those brilliant actresses and would love to see more stories from them,” he said.

Shooting should begin later this year, with a planned release in 2020. But do we really need another Ghostbusters movie, especially since Sony is also developing an animated Ghostbusters film? Reitman certainly thinks so. “The Ghostbusters universe is big enough to hold a lot of different stories,” he said.

Software patents poised to make a comeback under new patent office rules

Software patents poised to make a comeback under new patent office rules

A landmark 2014 ruling by the Supreme Court called into question the validity of many software patents. In the wake of that ruling, countless broad software patents became invalid, dealing a blow to litigation-happy patent trolls nationwide.

But this week the US Patent and Trademark Office (USPTO) proposed new rules that would make it easier to patent software. If those rules take effect, it could take us back to the bad old days when it was easy to get broad software patents—and to sue companies that accidentally infringe them.

The Federal Circuit Appeals Court is the nation’s highest patent court below the Supreme Court, and it is notoriously patent friendly. Ever since the Supreme Court’s 2014 ruling, known as Alice v. CLS Bank, the Federal Circuit has worked to blunt the ruling’s impact. In a 2016 ruling called Enfish, the Federal Circuit ruling took a single sentence from the Supreme Court’s 2014 ruling and used it as the legal foundation for approving more software patents.

This legal theory, known as the “technical effects doctrine,” holds that software that improves the functioning of a computer should be eligible for a patent. A version of this rule has long held sway in Europe, but it has only recently started to have an impact in US law.

This week, the Patent Office published a new draft of the section on examining software and other potentially abstract ideas in its Manual of Patent Examination Procedure (MPEP). This is the official document that helps patent examiners understand and interpret relevant legal principles. The latest version, drawing on recent Federal Circuit rulings, includes far tighter restrictions on what may be excluded from patentability.

This matters because there’s significant evidence that the proliferation of software patents during the 1990s and 2000s had a detrimental impact on innovation—precisely the opposite of how patents are supposed to work.

In the decade before 2014, a growing army of patent trolls were acquiring broad, vague software patents and using them to demand big payments from companies producing actual products. One 2012 study estimated that this kind of thing cost the economy $29 billion per year.

Another researcher calculated that 60 percent of the patent troll revenue came from patents related to software and high tech, with the especially aggressive cases focused on pure software: 115 lawsuits against 435 defendants for a patent for “Associating online information with geographic areas,” 106 defendants threatened with a patent for a “Customer based product design module,” and 79 defendants in a case regarding a “digital fingerprinting” patent.

On the flip side, the argument that without software patents modern tech-based companies can’t thrive seems weaker every day. A 2015 article calculated that 30 percent of billion-dollar startups have zero patents.

How the courts legalized—then limited—software patents

You can't patent drawing blood, but you apparently can patent what might be done with the blood afterward.
Enlarge / You can’t patent drawing blood, but you apparently can patent what might be done with the blood afterward.
Olga Efimova / EyeEm

The courts have long held that patents can’t claim abstract ideas or laws of nature. And until the 1990s, courts held that most software patents were attempts to claim mathematical algorithms—a kind of abstract idea. But a series of Federal Circuit rulings gradually watered down this rule. By the turn of the century, there were few meaningful limits to patenting software.

The result was a proliferation of patents that soon turned into a proliferation of software-related patent litigation. The Supreme Court had largely given the Federal Circuit a free hand to develop this area of the law in the 1990s and early 2000s. But then the high court started to check the lower court’s work—and it didn’t like what it found.

In 1996, a team at a teaching hospital in Montreal found that the correct dosage for a certain drug could be partially determined by measuring metabolites in the bloodstream and published the results of its research. While this scientific finding couldn’t be patented directly, a company called Prometheus Laboratories sought a patent on the concept of drawing a patient’s blood, measuring the level of the metabolites, and then providing a diagnosis based on the research. They argued that this was a patent on a process, not an abstract idea.

The Patent Office bought this argument, but the Supreme Court didn’t. In a 2012 ruling called Mayo v. Prometheus, the Supreme Court ruled that the patent was claiming the law of nature itself and adding nothing truly inventive.

From this emerged a two-part test for patentability. Here is the MPEP’s summary of what is often now referred to as the Mayo/Alice test:

The first part of the Mayo test is to determine whether the claims are directed to an abstract idea, a law of nature or a natural phenomenon (i.e., a judicial exception).

If the claims are directed to a judicial exception, the second part of the Mayo test is to determine whether the claim recites additional elements that amount to significantly more than the judicial exception. The Supreme Court has described the second part of the test as the search for an ‘inventive concept’.

Back to software: in 2014, the Supreme Court ruled on the case of Alice v CLS Bank regarding a stock computer on which is loaded software to facilitate trades with a third-party intermediary. Their opinion directly applied the Mayo test: like the research result with a blood test tacked on, the technical details of the Alice software patent were really just a fig leaf over a claim on an abstract concept:

Viewed as a whole, petitioner’s method claims simply recite the concept of intermediated settlement as performed by a generic computer. The method claims do not, for example, purport to improve the functioning of the computer itself or effect an improvement in any other technology or technical field. An instruction to apply the abstract idea of intermediated settlement using some unspecified, generic computer is not “enough” to transform the abstract idea into a patent-eligible invention.

This seemed to be a real blow against all those patent claims for taking a business and doing it on the Internet and possibly any claim for pure software without new hardware. Software patent supporters feared—and opponents hoped—that the Alice ruling could lead to wholesale invalidation of software patents. And these hopes and fears were partially realized: in the months after the Alice decision, a lot of software patents were declared invalid by lower courts. This had an immediate effect on the patent trolls’ favorite strategy, because their nastygrams to businesses of the form “we will win eventually in court so you might as well spare the effort and pay now” lost credibility.

But software patent owners had a powerful ally in the Federal Circuit, which is responsible for interpreting and fleshing out the Supreme Court’s rulings. The Federal Circuit is more favorable to software patents, and since 2014 it has interpreted the high court’s rulings in a way that limits the Alice decision’s impact on software patent holders.

Conservation of energy used to parallelize quantum key distribution

A large number of keys against a light-colored wooden background.

It has been a while since I wrote about quantum key distribution. Once a technology is commercially available, my interest starts to fade. But commercial availability in this case hasn’t meant widespread use. Quantum key distribution has ended up a niche market because creating shared keys with it for more than one connection using a single device is so difficult.

That may all change now with a very inventive solution that makes use of all the best things: lasers, nonlinear optics, and conservation of energy.

Quantum key distribution in less than 500 words

The goal of quantum key distribution is to generate a random number that is securely shared between two people, always termed Alice and Bob. The shared random number is then used to seed classical encryption algorithms.

The rules of quantum mechanics are what allow Alice and Bob to securely generate a shared random number. The process looks like the following: Alice generates a photon via two decisions made randomly. The first is the orientation of a measuring apparatus—vertical/horizontal or diagonal/anti-diagonal. The second is which axis the photon is polarized along—polarization is the spatial orientation of the electric field of the photon. That leaves the photon in one of four possible states, which we will call horizontal, vertical, diagonal, and anti-diagonal.

Bob does not know the settings that Alice has used and can only make a random choice for the orientation of his measurement apparatus: horizontal/vertical or diagonal/anti-diagonal. Bob ends up with a string of horizontal, vertical, diagonal, and anti-diagonal measurement results (one for each photon that Alice sends).

To understand how to make sense of these results, consider two cases: Alice sets her apparatus to horizontal/vertical and sends a vertically polarized photon. Bob sets his apparatus to horizontal/vertical and measures a vertically polarized photon. Everything is entirely predictable.

For the next photon, Alice sets her apparatus to horizontal/vertical and sends a horizontally polarized photon. But Bob has set his apparatus to diagonal/anti-diagonal. In this case, the photon sets off one of the detectors at random. Nothing is predictable.

To make sense of these results, Bob and Alice share the orientation settings of their apparatus but keep everything else secret. When they happen to have the same settings, Alice and Bob know that the measurements they made of the polarization of the photon will agree. All the other results are thrown out. The randomly generated polarization settings and measurements have generated a shared random number without the actual number being transmitted.

Conservation of energy spreads your secret

One of the key points of the distribution system above is that there are only two parties: Alice and Bob. Adding a third would mean that both Alice and Bob have to have a separate connection to the third party and generate another key. The equipment overhead makes that undesirable. This is where the latest bit of research comes in.

Before we get to the key generation and distribution part, let’s talk about the physical network that connects the parties together. Let’s imagine we have four parties: Alice, Bob, Chloe, and Dave, all of whom wish to have pair-wise encrypted communication. Each receiver is fed by a single optical fiber, but each fiber carries multiple signals using different wavelength channels. Thanks to this capacity, any two of the above group (say, Dave and Chloe) have a pair of channels that are unique to them.

The channels are filled in a very clever way. Alice has a device that generates pairs of photons. These photons are generated by splitting an incoming photon from a laser. The splitting process pairs up the photon’s polarizations (the technical term is entangled). We can then use conservation of energy to divide up the photon pairs among the channels.

Maybe an example is easiest. If the incoming laser has a wavelength of 775 nanometers, the photon split could produce a photon with a wavelength of 1,544.5 nanometers (in this system, that corresponds to channel 41), then the second photon must have a wavelength of 1,555.5 nanometers (which is channel 27). If Alice measures on channel 41 and Bob measures on channel 27, they are measuring a pair of photons that were created together. Given a clever assignment scheme, we can ensure that each pair of receivers in the network has a unique pair of channels and so is always measuring photons created together.

The rest of the process relies on the same method described above to create a secure random number. Critically, by keeping track of the channels used, it’s possible to have a single apparatus handle creating random numbers for multiple pairs of devices.

Open secrets

No one else inside or outside the network knows that number. Indeed, if someone on the network were to measure the photons in either of those channels, doing so would disrupt the measurement process and reveal the eavesdropper’s presence (in practice, the eavesdropper is revealed by errors in the key generation process).

Splitting off the channels at the receiver end is not even necessary. Each receiver is connected via a length of fiber that is, in general, unique. So, the photon pairs have unique arrival times. By synchronizing the detectors, the different channels can be separated. This makes the receiver setup identical to that for a simple pair-wise quantum key distribution link.

In addition to being slow, the researchers’ system has a serious disadvantage. In commercial systems, we cheat. Instead of a true single-photon source, we use very weak laser light: a mostly single-photon source. This weakens the key generation process a little but reduces the cost a lot. In this system, it is absolutely critical that pairs of entangled photons are generated, meaning that each network requires a highly stabilized laser and a delicate nonlinear optical device. As much as I love me some delicate nonlinear optical devices, I am not sure anyone else does.

Nature, 2018, DOI: 10.1038/s41586-018-0766-y (About DOIs)

Microsoft adds Dark Mode support and more to Office 365 for Mac

Microsoft has released version 16.20.18120801 of Office 365 for the Mac platform, bringing support for a couple of key Mac features introduced in September’s macOS 10.14 Mojave release, as well as a number of small features and user experience improvements not related to Mojave.

The headline feature is, of course, dark mode support, which requires Mojave to work. Word, Excel, PowerPoint, and Outlook all support Mojave’s dark theme. Also related to Mojave, you can now use Apple’s Continuity Camera feature to insert a photo directly from your iPhone’s photos to a slide in PowerPoint.

The process for Continuity Camera is outlined in Microsoft’s support documents thusly:

  • Take a photo and then add it.
  • Open an editable document on your Mac in PowerPoint.
  • Select where you want to insert the photo by control-clicking in the document.
  • Under the name of the iOS device you’ll use to take the photo, select Take Photo.
  • On your iOS device, the camera app opens. Take a photo with it.
  • If you’re satisfied with the captured image, tap Use Photo. (Or, if you want to try again, tap Retake.)
  • After a moment, the photo is inserted in the document on your Mac. You may now style, move, or resize it in any way you like.

It still faces the same limitations that we noted in our macOS Mojave review. As Ars contributor Andrew Cunningham noted:

You can only take standard photos—no square mode, no video modes, no filters, no HDR or Live Photo options—images are always sent to your Mac as jpegs rather than HEIF files to maximize compatibility, and images are saved at a lower-than-native resolution with the phone’s EXIF data stripped out.

Most of the notable additions that don’t require Mojave are for Outlook. You can click on a meeting event in your calendar to see a list of attendees or disable forwarding of meeting invites by attendees to keep your meetings from ballooning to include people you don’t want. There’s also support for creating Microsoft Teams meetings directly from Outlook, the ability to share your calendar with other people, and a new multiple-time-zone view for the calendar for up to three time zones.

Microsoft also expanded the proofreading tools in PowerPoint with grammar suggestions. In Microsoft Word, you can now check a box labeled “Embed fonts in file” to make sure that your document looks as intended on the computers it’s viewed on, even if the target computer didn’t already have all the necessary fonts. This feature was already added to PowerPoint back in September.

Microsoft has updated Office 365 for Mac monthly for some time. Last month, the company added Web picture support directly in Word, Excel, and PowerPoint; new mail encryption features for Outlook; and a new view in PowerPoint, called “summary zoom.”

However, some major changes, like a total overhaul and redesign of Outlook, are still pending in future updates.

Listing image by Apple

Testing the first commercial VPN provider to offer WireGuard connectivity

We don't recommend specific VPN solutions, but we sure like analyzing them.
Enlarge / We don’t recommend specific VPN solutions, but we sure like analyzing them.

Following our earlier WireGuard coverage, commercial VPN provider IVPN‘s chief marketing officer reached out to me to let me know his company was adding WireGuard support to its offering and asked if I’d be interested in covering the launch. Honestly, I planned to brush him off—there are a million VPN providers out there, and at least 999,000 of them are pretty shady—so I answered with a quick, dirty trick question: what are you doing on the Windows side?

Viktor surprised me with a picture-perfect answer that ruined my plans to get rid of him fast:

Since there is no official support for Windows by WireGuard and they advise against any non-official implementation as per, we are launching this beta without Windows support […] We are in contact with the author however and aim to integrate it first thing as they release a package for Windows (they are working on it).
Viktor Vecsei, IVPN CMO

The official Ars stance on VPN recommendations is that we can’t recommend anyone whose policies we can’t independently verify and whose log retention we can’t audit ourselves. This sounds like a cop-out from having to make a recommendation, but this is a service that readers will likely be putting a significant amount of trust in, and it would be irresponsible to give a recommendation that important without being able to provide assurances.

And to be very clear, we are still not recommending either IVPN or any other commercial VPN provider directly—but knowing and respecting the WireGuard project’s official guidelines, even when that meant minimizing the impact of its own product launch, made me a lot more interested in taking a look at what IVPN is doing.

Fantastic tunnels and where you can find them

IVPN isn’t the first commercial VPN provider to offer WireGuard connectivity. To the best of my knowledge, that would be a widely respected and unusually tech-friendly Swedish provider, Mullvad, which began offering WireGuard support almost a year ago. What makes IVPN’s WireGuard support launch news despite being a year behind Mullvad? Simplicity. While Mullvad (and another Swedish provider, AzireVPN) will offer you a working key that you can use with your own WireGuard client and config files, IVPN is offering you a dead-simple, user-friendly, tap-it-and-it-works application requiring no personal technical ability from the end user.

The sharper-eyed among you might notice something else IVPN is bringing to the table, and it’s a doozy: the first widely available iOS implementation of WireGuard. WireGuard’s Jason Donenfeld has had iOS client code in his Git repo for some time now, but for most of us, that’s been a purely academic curiosity—getting a non-Apple-approved app running on iOS is a non-trivial task, much more difficult than side-loading APKs on an Android device. Donenfeld made a TestFlight release for the stock WireGuard iOS app available in November. The release cut down the difficulty of getting the code working on an iPhone or iPad considerably, but IVPN’s effort is still the only WG client available in the App Store itself.

This brings the list of WireGuard-supported platforms out to, effectively, “everything but Windows.” IVPN itself offers support in its easy-mode app for macOS, Android, and iOS (all of which I directly tested). It also offers basic “here’s your key” support for Linux, BSD, or any other platform that you’ve got your own working WireGuard client running on.

I also tested IVPN’s WireGuard functionality on a Linux workstation—it worked fine, which wasn’t a surprise; what was a mild surprise was that IVPN’s framework still made the process a touch quicker and easier than rolling my own. In your own “clientarea” on IVPN’s website, you can feed it a public key you generated locally, and it’ll automatically set up everything necessary on the back end for you to connect to. The site will also provide you with a boilerplate WireGuard config file into which you can paste your private key and the IP address the site has given you.

Is it fast?

WireGuard itself has the potential to be faster than IPSec or OpenVPN, especially on slower devices. But in my experience, it isn’t really there yet. To realize the full potential, it’ll need to run in kernel mode instead of user mode. That isn’t the case so far on either of the major mobile platforms, whether you’re using Donenfeld’s stock WireGuard app or IVPN’s new easy-mode app.

However, as a pretty heavy VPN user, I’m happy to report that I am already seeing significant decrease in battery usage. My Huawei Mediapad M5 android tablet still likes to warn me that WireGuard wakes up the tablet more frequently than it prefers, but I don’t see any significant difference in experienced battery life whether the app is running or not. By contrast, with an OpenVPN tunnel active and significant Web-browsing use, battery life would go down from a couple of days to no more than four or five hours on either the MediaPad M5 or my Pixel 2XL.

Cutting connect times down from 8+ seconds to a tenth of a second feels downright amazing.
Enlarge / Cutting connect times down from 8+ seconds to a tenth of a second feels downright amazing.

WireGuard also still offers near-magical connection times for those who have to make and break their VPN connections frequently. In my experience, OpenVPN and IPSec tunnels generally require somewhere between eight seconds and 30+ seconds to establish a tunnel, during which time the user must twiddle his or her thumbs and stare uncertainly at a very techy-looking dialog. WireGuard, by contrast, connects in 0.2 seconds or less, every time. No scary dialog talking about key exchanges and whether or not the perfect forward secrecy is perfect enough; just tap—connected—done.

Why, in 2018, is Microsoft adding security questions to Windows 10?

Why, in 2018, is Microsoft adding security questions to Windows 10?

Security questions—the annoying shared secrets used as a secondary form of authentication—have been around forever and are used by just about everyone to deal with users who forget their password. That’s starting to change as more enlightened services—most notably Google and Facebook—have recently phased out security questions after recognizing something then vice presidential candidate Sarah Palin learned the hard way in 2008: the answers are easy for hackers to guess.

Enter Microsoft, which earlier this year added a security questions feature to Windows 10. It allows users to set up a list of security questions that can be asked in the event they later forget a password to one of their administrative accounts. By answering questions such as “What was your first car?” the users can reset the forgotten password and regain control of the account. It didn’t take long for researchers to identify weaknesses in the newly introduced feature. They presented their findings today at the Black Hat Europe Security Conference in London.

“Durable, stealthy backdoor”

The problem, the researchers said, is that the password reset questions are too easy to set and too hard to monitor in networks made up of hundreds or thousands of computers. A single person with administrator credentials can remotely turn them on or change them on any Windows 10 machine and there’s no simple way for the changes to be monitored or changed. As a result, malicious users—say a rogue employee or a hacker who briefly gains unauthorized administrative control—can use the security questions as a backdoor that will secretly allow them to regain control should they ever lose it.

“Once an attacker is inside a compromised domain, each Windows 10 machine that he has network access and admin privileges to he can remotely change the security questions for administrative users on that machine and therefore create a very stealthy backdoor,” Magal Baz, a security researcher at Illusive Networks, told Ars in an interview. “He can choose any Windows 10 machine with the security questions feature and create this backdoor without executing his own code, simply with remote access to it, and create for himself this durable, stealthy backdoor.”

One technique for exploiting the feature is for someone with administrative control of a network to remotely “spray” security questions and corresponding answers across a fleet of Windows 10 machines. By knowing the answers, the attacker can ensure a persistent hold over the network.

The researchers also described a method for remotely accessing the password reset screen once security questions have been sprayed. By default, the password reset screen isn’t available through the Windows 10 remote desktop. But to make Windows 10 compatible with earlier Windows versions, the newer OS can be configured so that users can log on using the ordinary winlogon screen, and from there they can access the password reset option. After attackers have accessed the password reset screen and answered a previously set question to remotely take over a computer, they can revert back to the user’s original password to avoid leaving any signs of the remote compromise. They can do this using the Mimikatz tool to get the hash of the previous password.

When the researchers began looking into Windows 10 security questions, there was no tool that allowed administrators to access all Windows 10 machines in-network and check if security questions had been changed and to reset them if they had. The researchers went on to develop such an open source tool, which they are now releasing. Among other things, it allows admins to disable security questions remotely or to set answers to be something only they know, such as a nonsensical string of characters.

The researchers urged Microsoft to improve the nascent security questions feature, either by building a better monitoring capability directly into the OS or providing other changes that will make it less prone to abuse. When Ars asked Microsoft for comment, a spokesman sent the following response: “The described technique requires an attacker to already possess administrator access.”

The talk is titled “When Everyone’s Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence.” Besides Baz, Tom Sela, who is head of research at Illusive Networks, also participated. They said their goal is to bring awareness to a feature that’s ripe for abuse.

“We’re not looking at a catastrophe, but a feature like that is creating a larger attack surface,” Baz said. “It creates more opportunities for creating persistence on machines. It’s creating an opportunity for attackers inside a compromised network. If it’s not mitigated there is a new blind spot that could be utilized by attackers.”

Google adds always-on VPN to its Project Fi cellular service

Google adds always-on VPN to its Project Fi cellular service

Today, Google announced a new feature for its Project Fi cellular service: an always-on VPN. Project Fi’s VPN previously was used to encrypt traffic while connecting to a network of free public Wi-Fi hotspots, but now Google will enable the VPN for all your traffic, be it over the LTE service or a Wi-Fi connection.

For now, the always-on VPN will need to be turned on in the Project Fi settings, where the feature is called “Enhanced Network” and labeled a “beta.”

“When you enable our enhanced network, all of your mobile and Wi-Fi traffic will be encrypted and securely sent through our virtual private network (VPN) on every network you connect to, so you’ll have the peace of mind of knowing that others can’t see your online activity,” Google’s blog post says. “That includes Google—our VPN is designed so that your traffic isn’t tied to your Google account or phone number.”

Just toggle the "Enhanced network" selector and Google says all your connections will be encrypted.
Enlarge / Just toggle the “Enhanced network” selector and Google says all your connections will be encrypted.

Google also claims the “Enhanced network” check box will help users seamlessly transition from a spotty Wi-Fi connection to LTE service. “Our enhanced network automatically detects when your Wi-Fi connection becomes unusable and then fills in those connection gaps with cellular data,” Google’s blog post reads. “In our testing, we’ve reduced the time without a working connection by up to 40 percent.”

Project Fi launched in 2015 as Google’s MVNO (Mobile Virtual Network Operator) service. Fi combines service from Sprint, T-Mobile, and US Cellular into a single service. It combines the best features of Google Voice with great international support and sells to consumers under a flexible payment plan that works well for some usage patterns. The big downside is extremely limited device support: thanks to the need for multi-network support, Fi only works with a handful of Android phones.

As always, Project Fi users will know the VPN is active when they see a key icon in the status bar. The “Enhanced network” feature should pop up in the settings later this week for Fi-compatible phones running Android 9 Pie.

Mail bombing suspect repeatedly threatened Democrats on Twitter

The images accompanying a tweet authorities believe was sent by the recently alleged package bomber, Cesar Altieri Sayoc.
Enlarge / The images accompanying a tweet authorities believe was sent by the recently alleged package bomber, Cesar Altieri Sayoc.

Cesar Altieri Sayoc, the suspect in the nationwide bombing campaign against critics of President Trump, regularly took to Twitter to make thinly veiled death threats against other users and peppered some of the targets with abuse, according to a quick review of an account authorities believe belongs to Sayoc. Twitter initially allowed the posts to remain despite its stated policy barring threats.

Former Vice President Joe Biden, actor Jim Carrey, director and former actor Ron Howard, and the TMZ celebrity news service all received tweets from someone using the handle @hardrock2016 that made thinly veiled threats against their lives. Rochelle Ritchie, a political commentator who tweets under the @RochelleRitchie handle, received a similar tweet warning her that “We have nice silent air boat ride for u here on Everglades swamp. We will see you 4 sure. Hug your loved ones real close every time you leave home.” Similar to the tweets sent to others, the message directed at Ritchie included an image of her and accompanying images of the tarot card for death and TV news coverage purporting to report on a body being recovered from the Everglades.

A threat made against political commentator Rochelle Ritchie. Twitter denied her request to take it down.
Enlarge / A threat made against political commentator Rochelle Ritchie. Twitter denied her request to take it down.

Five hours, later, Ritchie tweeted that Twitter asked her to disregard the earlier refusal. “We’ve investigated and suspended the account you reported as it was found to be participating in abusive behavior,” company representatives wrote.

Below are images other threatening tweets that Twitter removed only after Sayoc’s arrest.

Shortly after Sayoc’s arrest, Ritchie said on Twitter that she had reported the threatening tweet to Twitter, and the site did nothing.

“Hey @Twitter remember when I reported the guy who was making threats towards me after my appearance on @FoxNews and you guys sent back a bs response about how you didn’t find it that serious,” Ritchie tweeted. “Well guess what it’s the guy who has been sending #bombs to high profile politicians!!!!”

In an email sent after this post went live, a Twitter representative cited an “ongoing criminal investigation” in declining to comment or explain why the the company didn’t take down the tweets until now. As this post was being published, Twitter suspended the @hardrock2016 account, which used the name Cesar Altieri.

According to a criminal complaint filed Friday by the FBI, the @hardrock2016 account user made some of the same spelling mistakes found on packages containing the bombs and also made criticisms of former president Barack Obama and philanthropist George Soros on Wednesday, two days after a bomb sent to Soros was recovered.

The Washington Post has a much more detailed profile of Sayoc here that, among other things, says the suspect delivered pizzas in a van that was covered in disturbing images, including headless puppets and mannequins, Ku Klux Klan figures, a black person being hung, anti-gay symbols, torchings, and bombings. In much the way Twitter allowed the abusive tweets to remain online, the pizza maker allowed Sayoc to continue working for company, saying he was a dependable worker.

GitHub is now officially a part of Microsoft

GitHub is now officially a part of Microsoft

satyan@redmond:~/src$ git checkout -b microsoft-acquisitions
Switched to a new branch 'microsoft-acquisitions'

satyan@redmond:~/src$ scp .

satyan@redmond:~/src$ git add github

satyan@redmond:~/src$ git commit -m "Microsoft announced in June that it
> was buying the Git repository and collaboration platform GitHub for 
> $7.5 billion in stock. That acquisition has received all the necessary 
> regulatory approvals, and has now completed. Nat Friedman, formerly of
> Xamarin, will take the role as GitHub CEO on Monday.
> The news of the acquisition sent ripples around the open source world,
> as GitHub has become the home for a significant number of open source
> projects. We argued at the time that the sale was likely one of
> necessity, and that of all the possible suitors, Microsoft was the best
> one, due to common goals and shared interests. Friedman at the time
> sought to reassure concerned open source developers that the intent was
> to make GitHub even better at being GitHub, and that he would work to
> earn the trust of the GitHub community. Those views were reiterated
> today.
> Since then, Microsoft has joined the Open Invention Network, a patent
> cross-licensing group that promises royalty free licenses for any patents
> that apply to the Linux kernel or other essential open source packages.
> This was a bold move that largely precludes Redmond from asserting its
> patents against Android, and should mean that the company will no longer
> receive royalties from smartphone manufacturers.
> Sources close to the matter tell us that Microsoft's decision to join
> OIN was driven in no small part by the GitHub acquisition. GitHub is
> already a member of OIN, which left Microsoft with only a few options:
> withdraw GitHub from OIN, a move that would inevitably upset the open
> source world; acquire GitHub as some kind of arm's length subsidiary
> such that GitHub's OIN obligations could not possibly apply to
> Microsoft; or join OIN too, as the most straightforward approach that
> also bolstered the company's open source reputation. Microsoft took
> the third option."
[microsoft-acquisitions baadf00d] Microsoft announced...
1 file changed, billions of insertions(+), 0 deletions(-)

satyan@redmond:~/src$ git checkout microsoft-corp
Switched to branch 'microsoft-corp'

satyan@redmond:~/src$ git merge microsoft-acquisitions
Updating cafef00d..baadf00d
 billions-of-files | billions ++++++++++++

satyan@redmond:~/src$ git branch -d microsoft-acquisitions

Bug in libssh could make it amazingly easy for hackers to gain root access

Trivial authentication bypass in libssh leaves servers wide open

There’s a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn’t immediately clear what sites or devices were vulnerable since neither the widely used OpenSSH nor Github’s implementation of libssh was affected.

The vulnerability, which was introduced in libssh version 0.6 released in 2014 makes it possible to log in by presenting a server with a SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple’s macOS let people log in as admin without entering a password.

The effects of malicious exploits, assuming there were any during the four-plus years the bug was active, are hard to fathom. In a worst-case scenario, attackers would be able to use exploits to gain complete control over vulnerable servers. The attackers could then steal encryption keys and user data, install rootkits and erase logs that recorded the unauthorized access. Anyone who has used a vulnerable version of libssh in server mode should consider conducting a thorough audit of their network immediately after updating.

On the brighter side, there were no immediate signs of any big-name sites being bitten by the bug, which is indexed as CVE-2018-10933. While Github uses libssh, the site officials said on Twitter that “ and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library.” In a follow-up tweet, GitHub security officials said they use a customized version of libssh that implements an authentication mechanism separate from the one provided by the library. Out of an abundance of caution, GitHub has installed a patch released with Tuesday’s advisory.

Another limitation: only vulnerable versions of libssh running in server mode are vulnerable, while the client mode is unaffected. Peter Winter-Smith, a researcher at security firm NCC who discovered the bug and privately reported it to libssh developers, told Ars the vulnerability is the result of libssh using the same machine state to authenticate clients and servers. Because exploits involve behavior that’s safe in the client but unsafe in the server context, only servers are affected.

How many sites?

A search on Shodan showed 6,351 sites using libssh, but knowing how meaningful the results are is challenging. For one thing, the search probably isn’t exhaustive. And for another, as is the case with GitHub, the use of libssh doesn’t automatically make a site vulnerable.

Rob Graham, who is CEO of the Errata Security firm, said the vulnerability “is a big deal to us but not necessarily a big deal to the readers. It’s fascinating that such a trusted component as SSH now becomes your downfall.”

Winter-Smith agreed. “I suspect this will end up being a nomination for most overhyped bug, since half the people on Twitter seem to worry that it affects OpenSSH and the other half (quite correctly!) worry that GitHub uses libssh, when in fact GitHub isn’t vulnerable,” he said. “Remove GitHub and my guess is you’ll be left with a small handful of random sftp servers or IoT devices and little else!”

The researcher provided additional details about the bug:

The issue is basically a bug in the libssh library, not to be confused with the similarly named libssh2 or OpenSSH projects (especially the latter) which results from the fact that the server uses the same state machine to authenticate clients and servers.

The message dispatching code that processes messages either in client mode or server mode (it’s the same function) doesn’t make sure that the message type received is suitable for the mode it’s running in. So, for example, the server will dispatch messages which are only intended by design for processing client side, even when running in server mode.

The SSH2_MSG_USERAUTH_SUCCESS message is used by the server to inform the client that they were authenticated successfully, it updates the internal libssh state machine to mark the client as being authenticated with the server. What I found was that if the exact same message is sent to the server it updates the state machine to tell the server the client is authenticated.

Technically: I would say that it’s surprising how fairly straightforward bugs with serious consequences can still lurk, and sometimes it pays to take a step back from fuzzing to try to understand how a protocol implementation works.

Again, anyone who runs a vulnerable version of libssh should patch immediately. And anyone who used the app to receive incoming connections from untrusted users should consider closely examining their servers for signs of compromise. At the same time, all indications at the moment are that the number of devices affected by this high-severity bug appear to be relatively small, a limitation that’s being lost on many people discussing this bug over social media.

This post will be updated as new information becomes available.