Russia’s Twitter throttling may give censors never-before-seen capabilities

Ars Technica

Russia has implemented a novel censorship method in an ongoing effort to silence Twitter. Instead of outright blocking the social media site, the country is using previously unseen techniques to slow traffic to a crawl and make the site all but unusable for people inside the country.

Research published Tuesday says that the throttling slows traffic traveling between Twitter and Russia-based end users to a paltry 128kbps. Whereas past Internet censorship techniques used by Russia and other nation-states have relied on outright blocking, slowing traffic passing to and from a widely used Internet service is a relatively new technique that provides benefits for the censoring party.

Full article

Hackers backdoor PHP source code after breaching internal git server

Ars Technica

A hacker compromised the server used to distribute the PHP programming language and added a backdoor to source code that would have made websites vulnerable to complete takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice. The two malicious commits gave that code-injection capability to any visitor who sent the word “zerodium” in an HTTP header.

Full article

Ars Technica

Researchers have discovered a new advanced piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.

The app disguises itself as a system update that must be downloaded from a third-party store, researchers from security firm Zimperium said on Friday. In fact, it’s a remote-access trojan that receives and executes commands from a command-and-control server. It provides a full-featured spying platform that performs a wide range of malicious activities.

Full article

New York lawmaker wants to ban police use of armed robots

Ars Technica

New York City councilmember Ben Kallos says he “watched in horror” last month when city police responded to a hostage situation in the Bronx using Boston Dynamics’ Digidog, a remotely operated robotic dog equipped with surveillance cameras. Pictures of the Digidog went viral on Twitter, in part due to their uncanny resemblance with world-ending machines in the Netflix sci-fi series Black Mirror.

Now Kallos is proposing what may be the nation’s first law banning police from owning or operating robots armed with weapons.

Full article

Apple bent its rules for Russia—and other countries will take note

Ars Technica

Beginning in April, new iPhones and other iOS devices sold in Russia will include an extra setup step. Alongside questions about language preference and whether to enable Siri, users will see a screen that prompts them to install a list of apps from Russian developers. It’s not just a regional peculiarity. It’s a concession Apple has made to legal pressure from Moscow—one that could have implications far beyond Russia’s borders.

The law in question dates back to 2019, when Russia dictated that all computers, smartphones, smart TVs, and so on sold there must come preloaded with a selection of state-approved apps that includes browsers, messenger platforms, and even antivirus services. Apple has stopped short of that; the suggested apps aren’t pre-installed, and users can opt not to download them. But the company’s decision to bend its rules on pre-installs could inspire other repressive regimes to make similar demands—or even more invasive ones.

Full article

Prosecutor charges former phone company employee in SIM-swap scheme

Ars Technica


A former phone company worker has been charged with conspiracy to commit fraud for allegedly using his access to customer account data to take over the phone numbers of 19 customers, including at least one cryptocurrency holder.

Stephen Daniel DeFiore of Brandon, Florida, received about $2,325 between October 20, 2018, and November 9, 2018, in exchange for swapping the targeted customers’ SIM cards with ones belonging to a co-conspirator, prosecutors in New Orleans said earlier this week. For each SIM swap, the co-conspirator sent DeFiore the customer’s phone number, a four-digit PIN, and the number of the SIM card to which that phone number was to be swapped, prosecutors said.

Full article

With Trump gone, Huawei tells Biden it’s not a security threat

Ars Technica


The Trump administration spent the last two years going to war with Huawei, calling the company a national security risk due to its alleged ties with the Chinese government. An executive order barred companies (even international companies) from selling Huawei hardware or software that contained US technology, and additional restrictions on trade with Huawei have made it extremely difficult for the company to keep building networking equipment and smartphones. It has been a tough few years for Huawei, but now that the Biden administration is in charge, will things be any different?

Full article

Chrome users have faced 3 security concerns over the past 24 hours

Ars Technica


Users of Google’s Chrome browser have faced three security concerns over the past 24 hours in the form of a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome’s sync feature to bypass firewalls. Let’s discuss them one by one.

First up, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been pulled from Google servers and deleted from users’ computers. The extension has been an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that haven’t been opened recently. That allows Chrome to run smoothly on systems with modest resources.

Full article

Huawei’s HarmonyOS: “Fake it till you make it” meets OS development

Ars Technica


Huawei is China’s—and formerly the world’s—largest smartphone vendor, and over the past 18 months, it learned an important lesson: the company can’t rely on the US supply chain. In 2019, the US government banned US exports to Huawei, which cut the company off from access to most chip and software suppliers. Building a phone is hard without access to key parts and apps. Huawei’s latest Q4 2020 numbers show its phone sales in free fall, dropping 42 percent year-over-year.

Because of this, Huawei wants independence from the worldwide smartphone supply chain. While hardware independence is something the company needs to work on, Huawei also needs to get free of Google’s software. So, as many companies have tried to do before it, Huawei hopes to make an Android killer.

The company’s attempt at an in-house OS is called “HarmonyOS” (also known as “HongmengOS” in China). “Version 2” was released in December, bringing “beta” smartphone support to the operating system for the first time. Can Huawei succeed where Windows Phone, Blackberry 10, Sailfish OS, Ubuntu Touch, Firefox OS, Symbian, MeeGo, WebOS, and Samsung’s Tizen have all tried and failed?

To hear Huawei tell the story, HarmonyOS is an original in-house creation—a defiant act that will let the company break free of American software influence. Huawei’s OS announcement in 2019 got big, splashy articles in the national media. CNN called HarmonyOS “a rival to Android,” and Richard Yu, the CEO of Huawei’s consumer business group, told the outlet that HarmonyOS “is completely different from Android and iOS.” Huawei President of Consumer Software Wang Chenglu repeated these claims just last month, saying (through translation), “HarmonyOS is not a copy of Android, nor is it a copy of iOS.”

Full article

Flash is dead—but South Africa didn’t get the memo

Ars Technica


The South African Revenue Service ran into a big problem this month: Adobe Flash stopped working on January 12, 2021, and the agency (still) hadn’t migrated all of its e-filing forms from Flash to HTML and JavaScript. So to “fix” the issue, SARS decided to release its own, custom browser with a working Flash plugin pre-installed and enabled.

Adobe announced a timeline for the final death of Flash more than three years ago, with the elderly plugin slated to leave support in December 2020 and be actively blocked from functioning as of January 12, 2021. As of today, the majority of SARS’ online filing system has been migrated to HTML5—but there are still a few languishing holdouts with no HTML5 version in sight. SARS’ new “browser” is a stopgap that allows South African taxpayers and traders access to the remaining forms in the meantime.

Full article