As you travel this holiday season, bouncing from airport to airplane to hotel, you'll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it. Wired: This advice comes with plenty of qualifiers. If you're planning to commit crimes online at the Holiday Inn Express, or to visit websites that you'd rather people not know you frequented, you need to take precautionary steps that we'll get to in a minute. Likewise, if you're a high-value target of a sophisticated nation state, stay off of public Wi-Fi at all costs. But for the rest of us? You're probably OK. That's not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.

"A lot of the former risks, the reasons we used to warn people, those things are gone now," says Chet Wisniewski, principle researcher at security firm Sophos. "It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel." In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off. All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.

You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live. From a report: Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology. The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expands beyond that to let the company ditch the password altogether.

Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

Forget the old American campaign slogan of a chicken in every pot, or the Indian politician's common pledge to put rice in every bowl. The New York Times reports: Here in the state of Chhattisgarh, the chief minister, Raman Singh, has promised a smartphone in every home -- and he is using the government-issued devices to reach voters as he campaigns in legislative elections that conclude on Tuesday. [...] The phones are the latest twist in digital campaigning by the B.J.P., which controls the national and state government and is deft at using tools like WhatsApp groups and Facebook posts to influence voters. The B.J.P. government in Rajasthan, which holds state elections next month, is also subsidizing phones and data plans for residents, and party leaders are considering extending the model to other states.

Chhattisgarh's $71 million free-phone program -- known by the acronym SKY after its name in Hindi -- is supposed to bridge the digital divide in this state of 26 million people, which is covered by large patches of forest and counts 7,000 villages that do not even have a wireless data signal. The plan is to add hundreds of cellphone towers and give a basic smartphone to every college student and one woman in every household to connect more families to the internet and help fulfill the central government's goal of a "Digital India." But this election season, many of the 2.9 million people who have received the phones have found themselves targeted by the B.J.P.

An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less, in certain types of attacks. From a report: Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week. The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users' bank cards (also known as skimming). Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected to. Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.

An anonymous reader quotes a report from Ars Technica: Three U.S. Senate Democrats today asked the four major wireless carriers about allegations they've been throttling video services and -- in the case of Sprint -- the senators asked about alleged throttling of Skype video calls. Sens. Edward Markey (D-Mass.), Richard Blumenthal (D-Conn.), and Ron Wyden (D-Ore.) sent the letters to AT&T, Verizon, Sprint, and T-Mobile, noting that recent research using the Wehe testing platform found indications of throttling by all four carriers.

"All online traffic should be treated equally, and Internet service providers should not discriminate against particular content or applications for competitive advantage purposes or otherwise," the senators wrote. Specifically, the Wehe tests "indicated throttling on AT&T for YouTube, Netflix, and NBC Sports... throttling on Verizon for Amazon Prime, YouTube, and Netflix... throttling on Sprint for YouTube, Netflix, Amazon Prime, and Skype Video calls... [and] delayed throttling, or boosting, on T-Mobile for Netflix, NBC Sports, and Amazon Prime by providing un-throttled streaming at the beginning of the connection, and then subsequently throttling the connection," the senators' letters said.

An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.

Microsoft has announced an agreement with Native Network to provide broadband internet access to nearly 73,500 people without service in rural communities in Montana and Washington. Great Falls Tribune reports: This is part of the Microsoft Airband Initiative, which aims to extend broadband access to 2 million people in unserved portions of rural America by July 4, 2022, officials said. Unused parts of the broadcast spectrum are used to help rural communities access the internet. Through the partnership, Native Network will provide affordable hybrid fixed wireless broadband internet access, including TV White Spaces, to tribes within Flathead Reservation in Montana as well as Lummi Nation and Swinomish Tribe in Washington. It will come to rural Americans through commercial partnerships and investment in digital skills training for people. Proceeds from Airband connectivity projects will be reinvested into the program to expand broadband to more rural areas, officials said. "Broadband is the electricity of the 21st century and is critical for farmers, small business owners, health care practitioners, educators and students to thrive in today's digital economy," Microsoft President Brad Smith said in a news release. "We are excited about the partnership with Native Network which will help close the digital divide in rural Montana and Washington, bringing access to approximately 73,500 people within and around the tribal communities."

An anonymous reader quotes a report from Fortune: Sprint has been slowing traffic to Microsoft's internet-based video chat service Skype, according to new findings from an ongoing study by Northeastern University and the University of Massachusetts. Among leading U.S. carriers, Sprint was the only one to throttle Skype, the study found. The throttling was detected in 34 percent of 1,968 full tests -- defined as those in which a user ran two tests in a row -- conducted between Jan. 18 and Oct. 15. It happened regularly, and was spread geographically across the U.S. Android phone users were more affected than owners of Apple Inc.'s iPhones. The finding is particularly troubling because Skype relies on Sprint's wireless internet network, but the app also provides a communication tool that competes with Sprint's calling services, the researcher added. "If you are a telephony provider and you provide IP services over that network, then you shouldn't be able to limit the service offered by another telephony provider that runs over the internet," David Choffnes, one of the researchers who developed the app used to conduct the survey, said. "From a pure common sense competition view, it seems directly anti-competitive."

Apple is not in talks "at any level" to settle its wide-ranging legal dispute with mobile chip maker Qualcomm, Reuters reported Wednesday, citing a source familiar with the matter. From the report: In the past, Apple used Qualcomm's modem chips in its flagship iPhone models to help them connect to wireless data networks. But early last year, Apple sued Qualcomm in federal court in San Diego, alleging that the chip company's practice of taking a cut of the selling price of phones as a patent license fee was illegal. The case is to go to trial early next year and has spawned related legal actions in other courts around the world. In July, Qualcomm's chief executive, Steve Mollenkopf, told investors on the company's quarterly earnings call that the two companies were in talks to resolve the litigation.

FCC Chairman Ajit Pai on Monday wrote the chief executives of major telephone service providers and other companies, demanding they launch a system no later than 2019 to combat billions of "robocalls" and other nuisance calls received by American consumers. Reuters reports: In May, Pai called on companies to adopt an industry-developed "call authentication system" or standard for the cryptographic signing of telephone calls aimed at ending the use of illegitimate spoofed numbers from the telephone system. Monday's letters seek answers by Nov. 19 on the status of those efforts.

The letters went to 13 companies including AT&T, Verizon, T-Mobile, Alphabet, Comcast, Cox, Sprint, CenturyLink, Charter, Bandwith and others. Pai's letters raised concerns about some companies current efforts including Sprint, CenturyLink, Charter, Vonage, Telephone and Data Systems and its U.S. Celullar unit and Frontier. The letters to those firms said they do "not yet have concrete plans to implement a robust call authentication framework," citing FCC staff. The authentication framework "digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is from the person supposedly making it," the FCC said.

An anonymous reader quotes a report from The Washington Post: For the last few weeks, I've been performing the same battery test over and over again on 13 phones. With a few notable exceptions, this year's top models underperformed last year's. The new iPhone XS died 21 minutes earlier than last year's iPhone X. Google's Pixel 3 lasted nearly an hour and a half less than its Pixel 2. Phone makers tout all sorts of tricks to boost battery life, including more-efficient processors, low-power modes and artificial intelligence to manage app drain. Yet my results, and tests by other reviewers I spoke with, reveal an open secret in the industry: the lithium-ion batteries in smartphones are hitting an inflection point where they simply can't keep up.

"Batteries improve at a very slow pace, about 5 percent per year," says Nadim Maluf, the CEO of a Silicon Valley firm called Qnovo that helps optimize batteries. "But phone power consumption is growing up faster than 5 percent." Blame it on the demands of high-resolution screens, more complicated apps and, most of all, our seeming inability to put the darn phone down. Lithium-ion batteries, for all their rechargeable wonder, also have some physical limitations, including capacity that declines over time -- and the risk of explosion if they're damaged or improperly disposed. And the phone power situation is likely about to get worse. New ultrafast wireless technology called 5G, coming to the U.S. neighborhoods soon, will make even greater demands on our beleaguered batteries. If you want a smartphone that excels in battery life, you pretty much have two options: Samsung's Galaxy Note 9 and Apple's iPhone XR. According to The Washington Post's tests, the iPhone XR and Note 9 topped the list with times of 12:25 and 12:00, respectively.

Fast Company reports that Apple is working on a 5G iPhone that will come to market in 2020, according to a source familiar with the matter. From the report: Apple plans to use Intel's 8161 5G modem chip in its 2020 phones. Intel hopes to fabricate the 8161 using its 10-nanometer process, which increases transistor density for more speed and efficiency. If everything goes as planned, Intel will be the sole provider of iPhone modems. Intel has been working on a precursor to the 8161 called the 8060, which will be used for prototyping and testing the 5G iPhone.

Apple, our source says, has been unhappy with Intel lately. The most likely reason relates to the challenge of solving heat dissipation issues caused by the 8060 modem chip. Many wireless carriers, including Verizon and AT&T in the U.S., will initially rely on millimeter-wave spectrum (between 28 gigahertz and 39 Ghz) to connect the first 5G phones. But millimeter-wave signal requires some heavy lifting from the modem chips and RF chains, our source explains. This causes the release of higher-than-normal levels of thermal energy inside the phone -- so much so that the heat can be felt on the outside of the phone. The problem also affects battery life. The alternative is for Apple to source its modems from Qualcomm, but Fast Company's source "says Apple's current issues with Intel are not serious enough to cause Apple to reopen conversations with Qualcomm." Also, Qualcomm's X50 modem has heat dissipation issues of its own. MediaTek is reportedly a distant "Plan B."

iRobot and Google are looking for ways to integrate the Roomba-maker's home maps with Google Assistant to extend instructions to other gadgets. "The collaboration centers on iRobot's Roomba i7+ vacuum models' ability to map home floor plans and remember room names," notes TechCrunch. From the report: As it is, Google Home users or anyone with Google Assistant can give a voice command like, "Hey Google, clean the kitchen," and a Roomba carries out the task. The integration supports the task across multiple rooms that have been assigned a name, such as the bedroom, living room, and other named areas. According to iRobot, the home-mapping data could also be used to make it easier to set up new smart home gadgets and create new ways to automate the home.

In a statement to The Verge, Google said iRobot's maps could help locate wifi-connected lights and automatically assign names and locations to them within the house. Google stressed that Assistant only learns the names people have given to areas in the home so it can then instruct Roomba i7+ to go to that area. Google doesn't receive information about the layout of the home. Colin Angle, chairman and CEO of iRobot, told the publication that the partnership could help users in future tell Assistant to control other smart home gadgets using the same naming and location information used by the Roomba.

Two new zero-day vulnerabilities called "Bleeding Bit" have been revealed by security firm Armis, impacting Bluetooth Low-Energy (BLE) chips used in millions of Cisco, Meraki, and Aruba wireless access points (APs). "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of Cisco, Meraki and Aruba products," reports ZDNet. From the report: The first vulnerability, CVE-2018-16986, impacts Cisco and Meraki APs using TI BLE chips. Attacks can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored on the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory. If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code.

The second vulnerability, CVE-2018-7080, is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems. The vulnerability is technically a leftover development backdoor tool. This oversight, the failure to remove such a powerful development tool, could permit attackers to compromise the system by gaining a foothold into a vulnerable access point. "It allows an attacker to access and install a completely new and different version of the firmware -- effectively rewriting the operating system of the device," the company says. "The OAD feature doesn't offer a security mechanism that differentiates a "good" or trusted firmware update from a potentially malicious update."

Security researchers at UpGuard discovered that a Washington-based ISP called Pocket iNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. "Said bucket, named 'pinapp2,' contained the 'keys to the kingdom,' according to the security firm, including internal network diagramming, network hardware configuration photos, details and inventory lists -- as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees," reports Motherboard. From the report: Upguard says the firm contacted Pocket iNet on October 11 of this year, the same day the exposed bucket was discovered, but the ISP took an additional week before the data was adequately secured. "Seven days passed before Pocket iNet finally secured the exposure," noted the firm. "Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset."

According to UpGuard, the list of plain text passwords was particularly problematic, given it provided root admin access to the ISP's firewalls, core routers and switches, servers, and wireless access points. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business," noted UpGuard. "If such documents must exist, they should be strongly encrypted and stored in a known secure location," said the firm. "Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users," the ISP said in a statement to Motherboard. "It has since been secured."

An anonymous reader quotes a report from Ars Technica: Google's Pixel 3 smartphone is shipping out to the masses, and people hoping to take advantage of the new Qi wireless charging capabilities have run into a big surprise. For some unexplained reason, Google is locking out third-party Qi chargers from reaching the highest charging speeds on the Pixel 3. Third-party chargers are capped to a pokey 5W charging speed. If you want 10 watts of wireless charging, Google hopes you will invest in its outrageously priced Pixel Stand, which is $79.

Android Police reports that a reader purchased an Anker wireless charger for their Pixel 3, and, after noticing the slow charging speed, this person contacted the company. Anker confirmed that something screwy was going on with Google's charging support, saying "Pixel sets a limitation for third-party charging accessories and we are afraid that even our fast wireless charger can only provide 5W for these 2x devices." Normally we would chalk this up to some kind of bug, but apparently Google told Android Police that this was on purpose. The site doesn't have a direct quote, but it writes that, after reaching out to Google PR, it was "told that the Pixel 3 would charge at 10W on the Pixel Stand [and that] due to a 'secure handshake' being established that third-party chargers would indeed be limited to 5W." In an update, Google said the reason has to do with the "proprietary wireless charging technology" it has via its Pixel Stand and other select wireless chargers. The Pixel 3 only supports 5W Qi charging; "Google's 10W proprietary wireless charging technology" is what will allow the phone to charge at faster speeds.

"Google says it is 'certifying' chargers for the Pixel 3 via the 'Made for Google' program and pointed us to one such device, a Belkin charger called the 'Boost Up Wireless Charging Pad 10W for Pixel 3 and Pixel 3 XL,'" reports Ars Technica. "Belkin's description is very enlightening, saying 'Made with the Google Pixel 3 and Pixel 3 XL in mind, this wireless charging pad uses Google's 10W proprietary wireless charging technology. It's certified for Pixel, so you know that the BOOST UP Wireless Charging pad has been made specifically for your Pixel 3 and meets Google's high product standards.'"

Mozilla is reportedly preparing to offer a VPN service for Firefox users to help protect them when surfing the web. According to Trusted Reviews, Mozilla has partnered with the ProtonVPN service, "with a new notification piping-up when the browser detects an unsecured connection, or in a scenario when VPN might be preferable to users." From the report: However, it appears Firefox users will have to pay for the privilege. Austrian site Soeren-hentzschel reports the premium VPN service will be $10 a month, which is what ProtonVPN charges its users. Users will receive a "Firefox Recommends" pop-up when browsing an unsecured wireless network. The pop-up says the VPN service will provide a "private and secure' internet connection. According to the reports, a subset of Firefox 62 users in the United States will begin receiving the pop-up from today. Mozilla will reportedly get a cut of any subscription fee handed over by users to access the VPN service. MSPowerUser points out that this will be the first advertised service that costs money for Firefox users.

sharkbiter shares a report from Ars Technica: The Federal Communications Commission chairman slammed wireless carriers on Tuesday for failing to quickly restore phone service in Florida after Hurricane Michael, calling the delay "completely unacceptable." But FCC Chairman Ajit Pai's statement ignored his agency's deregulatory blitz that left consumers without protections designed to ensure restoration of service after disasters, according to longtime telecom attorney and consumer advocate Harold Feld.

The Obama-era FCC wrote new regulations to protect consumers after Verizon tried to avoid rebuilding wireline phone infrastructure in Fire Island, New York, after Hurricane Sandy hit the area in October 2012. But Pai repealed those rules, claiming that they prevented carriers from upgrading old copper networks to fiber. Pai's repeal order makes zero mentions of Fire Island and makes reference to Verizon's response to Hurricane Sandy only once, in a footnote. Among other things, the November 2017 FCC action eliminated a requirement that telcos turning off copper networks must provide Americans with service at least as good as those old copper networks. This change lets carriers replace wireline service with mobile service only, even if the new mobile option wouldn't pass a "functional test" that Pai's FCC eliminated. Additionally, "in June 2018, Chairman Pai further deregulated telephone providers to make it easier to discontinue service after a natural disaster," Feld wrote. In response to Pai's deregulation, Feld wrote: "The situation in Florida shows what happens when regulators abandon their responsibilities to protect the public based on unenforceable promises from companies eager to cut costs for maintenance and emergency preparedness. This should be a wake-up call for the 37 states that have eliminated traditional oversight of telecommunications services and those states considering similar deregulation: critical communications services cannot be left without some kind of public oversight."

An anonymous reader quotes a report from Reuters: Five industry groups representing major internet providers and cable companies filed suit on Thursday seeking to block a Vermont law barring companies that do not abide by net neutrality rules from receiving state contracts. The lawsuit was filed in U.S. District Court in Vermont by groups representing major providers like AT&T, Comcast and Verizon. It followed a lawsuit by four of the groups earlier this month challenging a much broader California law mandating providers abide by net neutrality rules.

The trade associations are also challenging an executive order on the issue signed by Vermont Governor Phil Scott. The Vermont lawsuit was filed by the American Cable Association; CTIA -- The Wireless Association; NCTA -- The Internet & Television Association; USTelecom -- The Broadband Association and the New England Cable & Telecommunications Association. The lawsuit argues that states cannot regulate "indirectly through their spending, procurement, or other commercial powers what they are forbidden from regulating directly."

"Qualcomm is launching a family of chips that can add incredibly high-speed Wi-Fi -- at speeds up to 10 gigabits per second -- to phones, laptops, routers, and so on," reports The Verge. The Wi-Fi standard used for something like replacing a virtual reality headset's data cable with a high-speed wireless link is being updated. Qualcomm's latest chips improve a wireless technology called WiGig, which relies on a connection standard known as 802.11ad, which can hit speeds up to 5 gigabits per second over close to 10 meters. The new generation of that wireless standard, called 802.11ay, can reach speeds twice as fast, and can do so up to 100 meters away, according to Dino Bekis, the head of Qualcomm's mobile and compute connectivity group. The Wi-Fi Alliance says the new standard "increases the peak data rates of WiGig and improves spectrum efficiency and reduces latency." From the report: So why not just use this as normal Wi-Fi, given how fast it gets? Because that range is only line-of-sight -- when there's literally nothing in the way between the transmitter and the receiver. This high-speed Wi-Fi is based on millimeter wave radio waves in the 60GHz range. That means it's really fast, but also that it has a very difficult time penetrating obstacles, like a wall. That's a problem if you want a general purpose wireless technology. That's why 802.11ay, like 802.11ad before it, is being used as an optional add-on to existing Wi-Fi technology. If you're one of the people who has a need for these extreme wireless speeds, then maybe you'll find a use for it. Just keep in mind, you'll probably need to keep your router and the device receiving these high speeds in the same room in order for it to work, due to the whole "walls" issue. WiGig will also be competing with 5G, as it offers "similarly fast speeds over similarly limited distances," reports The Verge. "[T]he two standards may be competing as an option for delivering internet from a tower to a home -- that's what Facebook's Terragraph is doing with WiGig, and it's what Verizon is doing with 5G."