Category Archives: Uncategorized

Microsoft adds Dark Mode support and more to Office 365 for Mac

Nate Anderson

Microsoft has released version 16.20.18120801 of Office 365 for the Mac platform, bringing support for a couple of key Mac features introduced in September’s macOS 10.14 Mojave release, as well as a number of small features and user experience improvements not related to Mojave.

The headline feature is, of course, dark mode support, which requires Mojave to work. Word, Excel, PowerPoint, and Outlook all support Mojave’s dark theme. Also related to Mojave, you can now use Apple’s Continuity Camera feature to insert a photo directly from your iPhone’s photos to a slide in PowerPoint.

Testing the first commercial VPN provider to offer WireGuard connectivity

We don’t recommend specific VPN solutions, but we sure like analyzing them. (credit: Pixabay)

Following our earlier WireGuard coverage, commercial VPN provider IVPN’s chief marketing officer reached out to me to let me know his company was adding WireGuard support to its offering and asked if I’d be interested in covering the launch. Honestly, I planned to brush him off—there are a million VPN providers out there, and at least 999,000 of them are pretty shady—so I answered with a quick, dirty trick question: what are you doing on the Windows side?

Viktor surprised me with a picture-perfect answer that ruined my plans to get rid of him fast:

The official Ars stance on VPN recommendations is that we can’t recommend anyone whose policies we can’t independently verify and whose log retention we can’t audit ourselves. This sounds like a cop-out from having to make a recommendation, but this is a service that readers will likely be putting a significant amount of trust in, and it would be irresponsible to give a recommendation that important without being able to provide assurances.

Google adds always-on VPN to its Project Fi cellular service

Today, Google announced a new feature for its Project Fi cellular service: an always-on VPN. Project Fi’s VPN previously was used to encrypt traffic while connecting to a network of free public Wi-Fi hotspots, but now Google will enable the VPN for all your traffic, be it over the LTE service or a Wi-Fi connection.

For now, the always-on VPN will need to be turned on in the Project Fi settings, where the feature is called “Enhanced Network” and labeled a “beta.”

“When you enable our enhanced network, all of your mobile and Wi-Fi traffic will be encrypted and securely sent through our virtual private network (VPN) on every network you connect to, so you’ll have the peace of mind of knowing that others can’t see your online activity,” Google’s blog post says. “That includes Google—our VPN is designed so that your traffic isn’t tied to your Google account or phone number.”

Mail bombing suspect repeatedly threatened Democrats on Twitter

The images accompanying a tweet authorities believe was sent by the recently alleged package bomber, Cesar Altieri Sayoc. (credit: Twitter)

Cesar Altieri Sayoc, the suspect in the nationwide bombing campaign against critics of President Trump, regularly took to Twitter to make thinly veiled death threats against other users and peppered some of the targets with abuse, according to a quick review of an account authorities believe belongs to Sayoc. Twitter initially allowed the posts to remain despite its stated policy barring threats.

Former Vice President Joe Biden, actor Jim Carrey, director and former actor Ron Howard, and the TMZ celebrity news service all received tweets from someone using the handle @hardrock2016 that made thinly veiled threats against their lives. Rochelle Ritchie, a political commentator who tweets under the @RochelleRitchie handle, received a similar tweet warning her that “We have nice silent air boat ride for u here on Everglades swamp. We will see you 4 sure. Hug your loved ones real close every time you leave home.” Similar to the tweets sent to others, the message directed at Ritchie included an image of her and accompanying images of the tarot card for death and TV news coverage purporting to report on a body being recovered from the Everglades.

Five hours later, Ritchie tweeted that Twitter asked her to disregard the earlier refusal. “We’ve investigated and suspended the account you reported as it was found to be participating in abusive behavior,” company representatives wrote.

GitHub is now officially a part of Microsoft

satyan@redmond:~/src$ git checkout -b microsoft-acquisitions
Switched to a new branch 'microsoft-acquisitions'
satyan@redmond:~/src$ git add github
satyan@redmond:~/src$ git commit -m "Microsoft announced in June that it
> was buying the Git repository and collaboration platform GitHub for
> $7.5 billion in stock. That acquisition has received all the necessary
> regulatory approvals, and has now completed. Nat Friedman, formerly of
> Xamarin, will take the role as GitHub CEO on Monday.
>
> The news of the acquisition sent ripples around the open source world,
> as GitHub has become the home for a significant number of open source
> projects. We argued at the time that the sale was likely one of
> necessity, and that of all the possible suitors, Microsoft was the best
> one, due to common goals and shared interests. Friedman at the time
> sought to reassure concerned open source developers that the intent was
> to make GitHub even better at being GitHub, and that he would work to
> earn the trust of the GitHub community. Those views were reiterated
> today.
>
> Since then, Microsoft has joined the Open Invention Network, a patent
> cross-licensing group that promises royalty free licenses for any patents
> that apply to the Linux kernel or other essential open source packages.
> This was a bold move that largely precludes Redmond from asserting its
> patents against Android, and should mean that the company will no longer
> receive royalties from smartphone manufacturers.
>
> Sources close to the matter tell us that Microsoft's decision to join
> OIN was driven in no small part by the GitHub acquisition. GitHub is
> already a member of OIN, which left Microsoft with only a few options:
> withdraw GitHub from OIN, a move that would inevitably upset the open
> source world; acquire GitHub as some kind of arm's length subsidiary
> such that GitHub's OIN obligations could not possibly apply to
> Microsoft; or join OIN too, as the most straightforward approach that
> also bolstered the company's open source reputation. Microsoft took
> the third option."
[microsoft-acquisitions baadf00d] Microsoft announced...
1 file changed, billions of insertions(+), 0 deletions(-)
satyan@redmond:~/src$ git checkout microsoft-corp
Switched to branch 'microsoft-corp'
satyan@redmond:~/src$ git merge microsoft-acquisitions
Updating cafef00d..baadf00d
Fast-forward
billions-of-files | billions ++++++++++++
satyan@redmond:~/src$ git branch -d microsoft-acquisitions

Bug in libssh could make it amazingly easy for hackers to gain root access

There’s a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn’t immediately clear what sites or devices were vulnerable since neither the widely used OpenSSH nor GitHub’s implementation of libssh was affected.

The vulnerability, which was introduced in libssh version 0.6 released in 2014, makes it possible to log in by presenting a server with an SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple’s macOS let people log in as admin without entering a password.

The effects of malicious exploits, assuming there were any during the four-plus years the bug was active, are hard to fathom. In a worst-case scenario, attackers would be able to use exploits to gain complete control over vulnerable servers. The attackers could then steal encryption keys and user data, install rootkits, and erase logs that recorded the unauthorized access. Anyone who has used a vulnerable version of libssh in server mode should consider conducting a thorough audit of their network immediately after updating.

Caffeinate in style with an Ars Technica mug—now cheaper than ever

Could there be a holiday gift better for the geek in your life than an Ars Technica “nuke it from orbit” mug? Probably! But you’d better buy one anyway—it’s the only way to be sure. (Also, the mugs are less expensive than ever.)

Designed by our own Aurich Lawson, our mugs come direct from the Ars Technica Orbiting HQ to your kitchen cupboard, feature spiffy front and back designs, and are dishwasher and microwave safe. You can also get them in 11oz and 15oz sizes. Originally $15 or $17, we’ve been able to cut prices back to $13 and $16, respectively. As always, the mugs ship anywhere in the world.

In a blow to e-voting critics, Brazil suspends use of all paper ballots

An electronic voting machine used in Brazil. (credit: Aranha et al.)

In a blow to electronic-voting critics, Brazil’s Supreme Court has suspended the use of all paper ballots in this year’s elections. The ruling means that only electronic ballot boxes will be used, and there will be no voter-verified paper trail that officials can use to check the accuracy of results.

In an 8-2 majority, justices on Wednesday sided with government arguments that the paper trails posed a risk to ballot secrecy, Brazil’s Folha De S.Paulo newspaper reported on Thursday. In so doing, the justices suspended a requirement that 5 percent of Brazil’s ballot boxes this year use paper. That requirement, by Brazil’s Supreme Electoral Court, already represented a major weakening of an election reform bill passed in 2015.

Speaking in support of Wednesday’s decision, Justice Gilmar Mendes equated proponents of voter-verified paper trails to conspiracy theorists.

How to protect yourself from megabreaches like the one that hit Ticketfly

A recent hack of ticket-distribution website Ticketfly exposed more than 26 million email addresses, along with home addresses, phone numbers, and first and last names, according to the Have I Been Pwned breach notification service. The intrusion provides the latest reminder that users should provide incorrect or incomplete information to online services whenever possible. More about that later.

The breach was first reported last week by Motherboard, which said the breach was carried out by a hacker who had first offered to provide Ticketfly officials with details of the underlying vulnerability in exchange for one bitcoin, worth roughly $7,500. When the officials didn’t respond, the hacker defaced the site and published the user data online, Motherboard said.

Have I Been Pwned said over the weekend that the data included 26.1 million unique email addresses, names, physical addresses, and phone numbers. It didn’t include password or credit card data. In a blog post, Ticketfly officials said they were in the process of bringing the ticket service back online. Part of that effort involves working with forensic and security experts to investigate the hack and to better secure the new site against similar intrusions.

Police use of Amazon’s face-recognition service draws privacy warnings

Amazon is actively courting law-enforcement agencies to use a cloud-based facial-recognition service that can identify people in real time, the American Civil Liberties Union reported Tuesday, citing the documents obtained from two US departments.

The service, which Amazon markets under the name Rekognition, can recognize as many as 100 people in a single image and can compare images against databases containing tens of millions of faces. Company executives describe deployment by law enforcement agencies as a common use case.

“Cameras all over the city”

Rekognition is already being used by the Orlando Police Department and the Washington County Sheriff’s Office in Oregon, according to documents the ACLU obtained under Freedom of Information requests. Both agencies became customers last year. The entire list of returned documents is here.
