Windows 10 News and info | Forum
January 17, 2019
 on: Today at 01:56:06 PM 
Started by javajolt - Last post by javajolt
If you want to be part of the in-crowd, adding a dark mode to your software is essential. Google has already shown a lot of love for gothic hues, and it looks set to continue this with Android Q -- or Android 10, if you prefer.

Over on the Chromium Bug Tracker, Google worker Lukasz Zbylut appears to confirm that Android Q will feature a system-wide dark mode, with all preloaded apps offering the option natively.

As reported by Android Police, Zbylut posted an intriguing message on the bug tracker. Back at the end of October, he wrote: "Dark mode is an approved Q feature [...] The Q team wants to ensure that all preloaded apps support dark mode natively. In order to ship dark mode successfully, we need all UI elements to be ideally themed dark by May 2019".

Zbylut makes reference to a "master setting" that will be accessible via Settings > Display > Dark Mode, or Settings > Display > NightMode.

The post was initially publicly available, but since the news started to leak out, Google has changed the permissions so the post is no longer accessible to people outside of the company. While the post is now more than two months old, it is hard to tell what progress has been made since then. But for fans of darker tones, it still bodes well for the next installment of Android.


 on: Today at 11:48:08 AM 
Started by javajolt - Last post by javajolt
For those looking for extra protection while browsing the web, Emsisoft has released a browser extension that will block you from interacting with known phishing, malware, or scam sites.

This Emsisoft Browser Security extension is currently available for Chrome and Firefox, with Emsisoft stating that they hope to have one available for Microsoft Edge in the future.

When installed, the extension will quietly run in the background and will query Emsisoft's servers as you browse the web to determine if a site should be blocked. If the site you are visiting is detected as malicious, it will block you from interacting with the site as shown below.

Blocked Site

If a site that is blocked by the extension is actually legitimate, you can click on the Report an error button to alert Emsisoft and display the site. This site will also be added to your exclusion list so it will not be blocked in the future.

To view the sites in your Exclusion list, you can click on the extension's icon and select Manage exclusions as shown below.

Manage exclusions option

This will cause a list of the currently excluded sites to be displayed and allow you to remove any that were added by mistake.

Excluded Site List

While testing the site against URLs listed in the OpenPhish list, Emsisoft's extension did an excellent job blocking all but one of the phishing sites currently listed.

Report malicious, scam, or phishing sites to Emsisoft
There are a lot of unwanted scammy and malicious sites out there, so if you find one that was not blocked by Emsisoft's extension, please report it to them.

Reporting a site is easy. While on the unwanted site, click on the extension's icon and select Report this site as dangerous.

Report Site

When you report a site, the current URL will be sent to Emsisoft's servers where it will be analyzed by their researchers.


 on: Today at 11:36:49 AM 
Started by javajolt - Last post by javajolt
The EU Copyright Directive has made a lot of waves lately given that many fear that some of its provisions will lead to increased censorship, with almost 4.5 million Europeans signing a petition to stop Article 13.

This article was the one that attracted almost everyone's attention seeing that it will require large online platforms such as Google, Facebook, Twitter, and YouTube to always keep an eye out on what their users are uploading and block all copyrighted items such as videos, images, and text.

The other controversial article part of the EU Copyright Directive is Article 11, a provision which will force news aggregators to pay the copyright holders a fee for every news item they link to.

Google, one of the most heated critics of the two provisions, is now testing a new search engine results page (SERP) template where the EU Copyright Directive is applied to the listed search results "to understand what the impact of the proposed EU Copyright Directive would be to our users and publisher partners," according to Search Engine Land.

EU Copyright Directive will turn SERPs into a ghost town according to Google

As the SERP screenshots show, Google's search results will look like a deserted town, with no article titles, no images, and no news summaries, or "like pages that have failed to completely load" as Search Engine Land's Greg Sterling very appropriately describes them.

EU Copyright Directive SERP templates
According to a Q and A page on the "Directive on copyright in the Digital Single Market" directive published by the EU Parliament's Legislative Affairs Committee (JURI) on January 11:

The proposed "Directive on copyright in the Digital Single Market" seeks to ensure that artists (especially small ones, for example, musicians), and news publishers and journalists benefit from the online world and the internet as they do from the offline world.

JURI continues to say that, because of the current outdated copyright rules, the ones collecting all the rewards from the work of artists, news publishers, and journalists are news aggregators and online platforms, hence making it very hard for content creators to earn a decent living.

Moreover, JURI summarizes the draft directive:

• The draft directive intends to oblige giant internet platforms and news aggregators (like YouTube or GoogleNews) to pay content creators (artists/musicians/actors and journalists) what they truly owe them;

• No new rights or obligations are being created. What is currently legal and permitted to share will remain legal and permitted to share.

How the Internet in the EU and Google's search results will look like after the EU Copyright Directive will be sent to the EU government to be enacted as a law is not yet known.

However, given the way similar copyright legislation performed in Spain and Germany, the future looks very bleak for both journalists and EU citizens who want to freely access news content on the Internet.

As Richard Gingras, Google's News VP said in December:

Unlike people in other parts of the world, European citizens may no longer find the most relevant news across the web, but rather the news that online services have been able to commercially license. We believe the information we show should be based on quality, not on payment. And we believe it’s not in the interest of European citizens to change that.

Five days ago, when the Q and A page addressing the EU Copyright Directive was published on the European Parliament's website, the discussions were still ongoing, with the directive's text subject to modification during the trilogue negotiations taking place between the European Parliament, the European Commission, and the Council of the European Union.


 on: January 16, 2019, 05:28:54 PM 
Started by javajolt - Last post by javajolt
A lesser-known feature of Apple AirPods, aimed at helping those with hearing impairment, can also be used to engage in eavesdropping, the media has reported.

Included in Apple's latest version of iOS 12 operating system (OS) and what appears like an ear icon once you activate it, "Live Listen" essentially helps the hearing impaired by allowing them to place their iPhone close to a person they're having trouble hearing.

"But people can commandeer Live Listen to snoop on their boss or partner by hiding their iPhone in the same room as their victim. Anyone using the tool can simply turn up the volume on their iPhone's microphone to listen through AirPods," The Sun reported late on Thursday.

Live Listen can help you hear a conversation in a noisy area or even hear someone speaking across the room, according to Apple's website.

Several users have pointed out on discussion website Reddit and Twitter that "Live Listen" also means Apple users can listen to conversations going on in another room - as long as their iPhone is in the room, they have their AirPods in and "Live Listen" tool is turned on.

On Twitter, where the previously little-known feature has gone viral, p ..


 on: January 16, 2019, 02:59:45 PM 
Started by javajolt - Last post by javajolt
A weakness in Epic Games' authentication process for the highly popular Fortnite left gamers' accounts exposed to takeover risks. An attacker could have stolen login tokens by just tricking the victim into clicking a link.

The combination of an unvalidated subdomain and cross-site scripting (XSS) in another allowed security researchers to bypass the protections implemented by the single sign-on (SSO) access control mechanism used for logging into Fortnite.

SSO is good if login page is not vulnerable

When properly implemented, SSO shifts the authentication responsibility to a trusted third party (Google, Facebook, X-Box, PlayStation), which authorizes access to the resource with an access token.

Taking advantage of the flaws, security researchers at Check Point were able to request a second time the authentication token from SSO provider and redirect it to a vulnerable page that allowed stealing it.

Epic Games used an unvalidated domain for the login page, which could be redirected to another online location.

It turned out that Epic Games had a sub-domain vulnerable to XSS, enabling the researchers to redirect the authentication token there and steal it with injected JavaScript code.

A successful attack requires the victim to click on a phishing link. Once the user authenticates into Fortnite, the login page redirects to the attacker's page, which asks the SSO provider for the access token. The provider complies and the attacker gets the token.

An attack of this type is far from sophisticated, but it requires some technical knowledge, and it is far more advanced than run-of-the-mill phishing scams, or the password guessing/brute-forcing that usually target Fortnite accounts.

Because of this, Check Point told BleepingComputer that it could be possible that the flaws they uncovered and reported to Epic Games were exploited. However, it is difficult to confirm this because of the numerous login stealing attacks targeting Fortnite over the past year.

Check Point has released a video showing the exact steps of the attack and how easy it would have been to trick a Fortnite user into clicking the wrong link.

Epic Games fixed the issues in early December and did not say if they were exploited before that.

Crooks are after the in-game currency

"With the access token now in the hands of the attacker, he can now log in to the user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts as well as listen in on conversations taking place during gameplay," Check Point says.

Fortnite enjoys mad popularity, with at least 78 million monthly players, while statistics point to around 200 million registered users.

Its players are often targeted for the V-Bucks - short for Vindertech Bucks or Vinderbucks in their accounts, an in-game currency that can be used to get cosmetic items for your character or to give it a competitive advantage through weaponry.

Since real money is involved, criminals often use Fortnite to launder their proceeds by getting V-Bucks with stolen credit cards. The in-game currency is then sold at a discount price. At the moment, 1,000 V-Bucks cost $10.
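The redirect weakness described in the post above comes down to how a login flow decides where it may send the browser after authentication. The following is an added example, not code from the article, Check Point, or Epic Games: it contrasts a check that trusts every subdomain with an exact-match allowlist. All hostnames and paths (`games.example`, `old-stats`, and so on) are constructed placeholders.

```javascript
// Added example. All hostnames and paths are constructed placeholders.
const PARENT_DOMAIN = 'games.example';
const DEFAULT_REDIRECT = 'https://www.games.example/sso/callback';

// Post-login destinations registered for the login flow, as exact
// origin + path strings. Nothing outside this set is ever redirected to.
const ALLOWED_REDIRECTS = new Set([
  'https://accounts.games.example/login/complete',
  DEFAULT_REDIRECT,
]);

// Weak check: any host under the parent domain is trusted, so one forgotten
// subdomain with an XSS bug becomes a valid landing page for the token.
function weakIsAllowed(redirect) {
  let u;
  try { u = new URL(redirect); } catch (e) { return false; }
  return u.hostname === PARENT_DOMAIN ||
         u.hostname.endsWith('.' + PARENT_DOMAIN);
}

// Strict check: absolute https URL, no embedded credentials, no fragment,
// and an exact match of parsed origin + path against the registered set.
// Returns the normalised URL, or null when the target is rejected.
function strictParse(redirect) {
  if (typeof redirect !== 'string') return null;
  // Backslashes and control characters are silently rewritten by URL parsers.
  if (/[\\\u0000-\u001f\u007f]/.test(redirect)) return null;
  let u;
  try { u = new URL(redirect); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  if (u.username !== '' || u.password !== '') return null;
  if (u.hash !== '') return null;
  if (!ALLOWED_REDIRECTS.has(u.origin + u.pathname)) return null;
  return u.origin + u.pathname + u.search;
}

function strictIsAllowed(redirect) {
  return strictParse(redirect) !== null;
}

// Where the login handler sends the browser: the requested target if it
// passes the strict check, otherwise a fixed default.
function resolveRedirect(requested) {
  return strictParse(requested) || DEFAULT_REDIRECT;
}

// Constructed sample inputs.
const SAMPLES = [
  'https://accounts.games.example/login/complete?state=abc', // registered
  'https://old-stats.games.example/search?q=test',    // unregistered subdomain
  'https://accounts.games.example@other.example/login/complete', // userinfo
  'https://accounts.games.example/login/complete/../../admin',   // dot segments
  'http://accounts.games.example/login/complete',     // not https
  '//accounts.games.example/login/complete',          // scheme-relative
];

function compare(samples) {
  return samples.map((url) => ({
    url,
    weak: weakIsAllowed(url),
    strict: strictIsAllowed(url),
  }));
}

console.table(compare(SAMPLES));
```

The second sample is the case that matters here: the subdomain check accepts it, while the allowlist sends the user to the default destination instead.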


 on: January 16, 2019, 02:11:40 PM 
Started by javajolt - Last post by javajolt

The latest Microsoft patent applications published by USPTO detail possible improvements for digital inking on Microsoft’s Surface lineup. The patent for Surface Pen was filed at the end of 2016 and the Surface Dial patent was filed in 2017, but it’s unclear if Microsoft has any intentions of bringing the ideas to a future iteration of its devices.

Surface Pen

The patent titled ‘Pen battery mechanical shock reduction design’ was filed by Microsoft back in late August 2016 and the USPTO published it on January 15, 2019.

It details a method for manufacturing of a printed circuit board for installing in a battery-powered pen device. The patent shows off a pen which uses shock-absorbing battery contacts for better durability.

“A device and a method for manufacturing of a printed circuit board for installing in a battery-powered device, the method including mounting on a printed circuit board (PCB) a PCB surface mount component comprising a planar mount configured to be mounted on the PCB and a kinetic energy absorption element with a battery contact on a distal end of the energy absorption element, and trimming the PCB out of a panel comprising the PCB and a border around the PCB, the border connected integrally with the PCB, wherein the border comprises supports configured to support corresponding ear extensions in the absorption element in order to align the battery contact with a PCB plane,” the patent abstract reads.

Surface Dial

The patent for Surface Dial has also detailed some improvements. Titled “PERIPHERAL USER-INTERFACE DEVICE”, the patent was filed by Redmond-based Microsoft in July 2017 and published by USPTO on January 10, 2019.

The patent has revealed that the Surface Dial uses an electronic touch sensor to execute some functions. In the description section, Microsoft explains that the electronic touch sensor could be a resistive, capacitive, or optical touch sensor, and it may also support multitouch sensor which can distinguish between two-finger pinch gesture.

“A peripheral user-interface device for navigation of display content on an electronic display of a computer system. It comprises a base movable relative to the electronic display, a rotary dial arranged on the base and rotatable relative to the base, and an electronic touch sensor coupled mechanically to the base,” Microsoft explains.


 on: January 16, 2019, 11:54:26 AM 
Started by javajolt - Last post by javajolt

A team of researchers discovered six zero-day vulnerabilities in protocols and individual components used in smart buildings. The flaws could be used to steal sensitive information, access or delete critical files, or perform malicious actions.

The glitches range from cross-site scripting (XSS), and path traversal, to arbitrary file deletion, and authentication bypass. They were found in building automation devices such as programmable logic controllers (PLCs) and gateway protocols.

Aggregated data from two search engines for discovering computer hardware connected to the internet shows that thousands of devices affected by these vulnerabilities are exposed online.

To demonstrate that the risks in modern smart buildings are real, the researchers built proof-of-concept malware that targeted surveillance, access control, and HVAC systems set up in a laboratory.

A typical Building Automation System (BAS) network is larger than this, though, and comprises a variety of systems, like elevators, access control systems, video surveillance, HVAC, lighting, fire alarms, or energy producing systems.

This type of infrastructure is present not only in residential and commercial buildings but also in hospitals, airports, stadiums, schools or data centers.

Zero days and non-public vulnerabilities

Following security assessment and penetration testing standards, members of the OT Research team at ForeScout started to evaluate their targets.

They found three XSS vulnerabilities in the Access Control PLC and the protocol gateway, a component that allows connections over a specific protocol. It can be used to inject malicious scripts into the web interface running on the vulnerable devices, giving an attacker access to cookies and session tokens.

The protocol gateway component was also affected by a path traversal and an arbitrary file deletion vulnerability, which provide access to files (system included) and directories present outside the root folder of the web app running on the affected device.

Another vulnerability unknown to the vendor before the researchers' reporting was in the HVAC PLC - an authentication bypass that permits stealing user credentials, "including plaintext passwords."

Two other issues, a buffer overflow, and hardcoded password were discovered in the Access Control PLC from June 2013. However, the vendor was aware of them ahead of ForeScout's disclosure and had released a patch.

These flaws are the most severe of the bunch as they could allow code execution on the system, allowing a remote attacker to take full control.

All vulnerabilities were disclosed responsibly to the vendors of the affected products and patches are now available.

Exposed vulnerable devices

ForeScout researchers checked to see how many of the systems they analyzed were vulnerable and exposed.

They searched on Shodan and Censys for the same models in their lab and found that out of a total of 22,902 publicly reachable devices (IP cameras excluded), 9,103 were affected by the zero-days they uncovered.

Things are worse with the IP cameras in the surveillance system. Out of 11,269 devices, over 91% (10,312) were vulnerable.

Door to a BAS network: publicly exposed systems

Elisa Costante, Technology Innovation Director at ForeScout, presented the team's findings in a presentation today at the S4X19 ICS security event in Miami South Beach.

She says that in an ideal architecture, the subsystems would be isolated from one another and from the IT network. In practice, this is rarely the case, though.

One of the weak spots is that the implementation of the security features for data authentication is optional. Also, many buildings rely on old versions of the protocols and do not exchange data in a secure way.

"Regardless of the protocol employed, IoT and building automation devices are notoriously vulnerable to, e.g., injection and memory corruption vulnerabilities, due to poor coding practices, which allow attackers to bypass their security features and gain full control of them," reads the research report ForeScout shared with BleepingComputer.

According to the report, malware designed to hit BAS network could have four possible attack paths:

1. Publicly reachable PLCs (programmable logic controllers) that command the actuators and sensors (follow the green arrows in the pic below)

2. Exposed workstations responsible for managing the entire system; the attacker would then have to move laterally to reach the PLCs (yellow arrows)

3. Publicly reachable IoT devices - an IP camera or router - and use it as an entry point into the network, then move to the workstations and other subsystems (red arrows)

4. Air-gapped network - this requires physical access to enter the network, but this is not difficult to achieve most of the time - and then try to reach the PLCs (purple arrows)

Devices exposed on the internet are discoverable via dedicated search engines (Shodan, Censys, ZoomEye) that scan for systems that are online. If they are accessible and should not be so, chances are it's because of misconfiguration or inherent weakness.

Malware targeting Operational Technology (OT) can get on the network from a management workstation, whose admin fell victim to a phishing attack. It can move laterally or stay at the same level. Once it achieves persistence on the network, it typically launches a final payload.

Connected automation systems in the buildings offer a wide attack surface that could be reduced by applying patches for reported vulnerabilities. But despite the availability of a fix, they remain vulnerable, leaving open the possibility of large-scale cyber attacks.

The researchers say that exploiting vulnerabilities in smart buildings would have devastating effects. They believe that malware targeting smart buildings is inevitable in the near future.


 on: January 16, 2019, 11:33:35 AM 
Started by javajolt - Last post by javajolt

We are already very familiar with Samsung’s folding smartphone, the Samsung Galaxy F, with the device likely the first of a wave of folding smartphones released this year by competitors like LG and Huawei.

One company which is expected to wait at least till 2020 to enter the market is Apple, and it now seems the company may make a giant departure from the rest of the market, with a phone which does not fold inwards but opens up outwards.

The idea is hinted at by Federico Casalegno, head of Samsung Design Innovation Center, who is quoted in the Korea Herald as saying:

Compared to the wrap-around display phone — which Apple seems to be looking into as one possible design for its foldable model — Casalegno said Samsung’s in-folding display phone could provide better experiences for users in terms of design.

The outward folding phone is actually a much simpler device to create than an inward folding phone, due to the larger turn radius, which explains why the only actual folding phone with a flexible screen which is on sale uses an outward folding screen.

It does, however, produce a device with a rather bulky hinge, though work to produce a better inward folding phone screen will of course also advantage work for an outward folding phone even more easily.

Apple has hinted at using the back of the phone as a display surface in a 2013 patent, as noted by BGR, who quotes:

In the last few years the functionality of portable electronic devices has increased exponentially. Further improvements be realized by investigating ways to maximize the utility of unused portions of these devices. The Form factor is an interesting area for development given that a large majority of portable electronic devices have settled into a standard form factor; namely a flat planar form factor with a display on one side and an opaque housing which contains the electrical components covering the rear surface of the device. Unfortunately, this popular form factor leaves the sides and rear surfaces of the device unused or at best configured with buttons and switches with fixed location and functionality. Since many of these buttons and switches have fixed functionality they cannot always be incorporated into third-party applications.

It would be interesting to see if Apple would forge their own way, and how the market would react to the design, which is ultimately cheaper and easier to produce, but also certainly uglier and more ungainly. Like the notch, will we see many companies rushing to follow the lead, or will it be another example of Apple losing touch with consumers?


 on: January 16, 2019, 03:53:44 AM 
Started by javajolt - Last post by javajolt
If you're a Windows Insider on the Fast ring, it's time to check for updates. There's a new cumulative update that's out with a few fixes, for the most recent build. The update is KB4487181 and it brings the build number to 18312.1007.

As you'd expect with any cumulative update, there are no new front-facing features, but there are some fixes. Here are the fixes listed in the changelog:

• We fixed an issue resulting in File Explorer unexpectedly having a lock on USBs when trying to safely eject them.

• We fixed an issue resulting in frequent bugchecks (GSODs) in the last two flights, citing an error with bindflt.sys.

• We fixed an issue where a password change can result in the next unlock hanging for AD users.

Interestingly, there's nothing in there about a fix for the issue that prevented Night Light and f.lux from working. This is a bug that Insider chief Dona Sarkar said was fixed.

It's possible that users will just have to wait for the next build for that one, which could come as soon as tomorrow.

If you're on the Fast ring, you can get today's update by going to Settings -> Update & security -> Windows Update -> Check for updates. If not, go to the Windows Insider Program tab to get started.


 on: January 16, 2019, 03:44:29 AM 
Started by javajolt - Last post by javajolt
Microsoft announced Windows 10 SDK Insider Preview build 18312 today. The timing is pretty typical, being released the Tuesday after the client build was released to the Fast ring.

There's not much that's new in this build. Things that we've seen previously are some changes to Fluent Design, which added an effect to AcrylicBrush called Luminosity. This makes sure that shadows don't appear behind transparent panels without a cutout, and there will be an API for additional customization.

You can use the new build alongside of previous builds, which means that this can run in a production environment as long as your app still targets a production version of Windows 10 when you submit it to the store. Unfortunately, you need to run SDK build 18312 on an Insider Preview build of Windows 10 though.

To download Windows 10 SDK Preview build 18312, you can find it here. Also, there are new images for the Desktop App Converter, Assessment and Deployment Kit (ADK), Windows Deployment Kit (WDK), and Hardware Lab Kit (HLK).

