Software

Popular 'Gboard' Keyboard App Has Had a Broken Spell Checker For Months 28

The popular Gboard keyboard app for iOS and Android devices has a fundamental flaw. According Reddit user SurroundedByMachines, the red underline has stopped appearing for incorrectly spelled words since November of last year -- and it doesn't appear to be limited to any one device. Issues with the spell checker have been reported on multiple devices across Android and iOS. A simple Google search brings up several different threads where people have reported issues with the feature.

What's more is that nobody at Google seems to get the memo. The Reddit user who first brought this to our attention filed several bug reports, left a review, and joined the beta channel to leave feedback there, yet no response was given. "Many people have been having the issue, and it's even been escalated to the community manager," writes SurroundedByMachines. Since the app has over 500 million downloads on the Play Store alone, this issue could be frustrating a lot of users, especially those who use their phones to send work emails or write documents. Have you noticed Gboard's broken spell checker on your device? If so, you may want to look into another third-party keyboard, such as SwiftKey or Cheetah Keyboard.
Software

In Virtual Reality, How Much Body Do You Need? (nytimes.com) 34

An anonymous reader quotes a report from The New York Times: Will it soon be possible to simulate the feeling of a spirit not attached to any particular physical form using virtual or augmented reality? If so, a good place to start would be to figure out the minimal amount of body we need to feel a sense of self, especially in digital environments where more and more people may find themselves for work or play. It might be as little as a pair of hands and feet, report Dr. Michiteru Kitazaki and a Ph.D. student, Ryota Kondo. In a paper published Tuesday in Scientific Reports, they showed that animating virtual hands and feet alone is enough to make people feel their sense of body drift toward an invisible avatar (Warning: source may be paywalled; alternative source). Their work fits into a corpus of research on illusory body ownership, which has challenged understandings of perception and contributed to therapies like treating pain for amputees who experience phantom limb.

Using an Oculus Rift virtual reality headset and a motion sensor, Dr. Kitazaki's team performed a series of experiments in which volunteers watched disembodied hands and feet move two meters in front of them in a virtual room. In one experiment, when the hands and feet mirrored the participants' own movements, people reported feeling as if the space between the appendages were their own bodies. In another experiment, the scientists induced illusory ownership of an invisible body, then blacked out the headset display, effectively blindfolding the subjects. The researchers then pulled them a random distance back and asked them to return to their original position, still virtually blindfolded. Consistently, the participants overshot their starting point, suggesting that their sense of body had drifted or "projected" forward, toward the transparent avatar.

Intel

New Spectre Attack Can Reveal Firmware Secrets (zdnet.com) 59

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, knows as System Management Interrupt (SMI) handlers.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg, hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set or range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

Security

RedDawn Android Malware Is Harvesting Personal Data of North Korean Defectors (theinquirer.net) 20

According to security company McAfee, North Korea uploaded three spying apps to the Google Play Store in January that contained hidden functions designed to steal personal photos, contact lists, text messages, and device information from the phones they were installed on. "Two of the apps purported to be security utilities, while a third provided information about food ingredients," reports The Inquirer. All three of the apps were part of a campaign dubbed "RedDawn" and targeted primarily North Korean defectors. From the report: The apps were promoted to particular targets via Facebook, McAfee claims. However, it adds that the malware was not the work of the well-known Lazarus Group, but another North Korean hacking outfit that has been dubbed Sun Team. The apps were called Food Ingredients Info, Fast AppLock and AppLockFree. "Food Ingredients Info and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components."

"AppLockFree is part of the reconnaissance stage, we believe, setting the foundation for the next stage unlike the other two apps. The malwares were spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile promoted Food Ingredients Info," according to McAfee security researcher Jaewon Min. "After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team."

AI

Google's Duplex AI Robot Will Warn That Calls Are Recorded (bloomberg.com) 27

An anonymous reader quotes a report from Bloomberg: On Thursday, the Alphabet Inc. unit shared more details on how the Duplex robot-calling feature will operate when it's released publicly, according to people familiar with the discussion. Duplex is an extension of the company's voice-based digital assistant that automatically phones local businesses and speaks with workers there to book appointments. At Google's weekly TGIF staff meeting on Thursday, executives gave employees their first full Duplex demo and told them the bot would identify itself as the Google assistant. It will also inform people on the phone that the line is being recorded in certain jurisdictions, the people said.
Businesses

Fed Up With Apple's Policies, App Developers Form a 'Union' (wired.com) 103

Even as Apple has addressed some of the concerns outlined by iOS developers in the recent years, many say it's not enough. As the iOS App Store approaches its tenth anniversary, some app developers are still arguing for better App Store policies, ones that they say will allow them to make a better living as independent app makers. On Friday, a small group of developers, including one who recently made a feature-length film about the App Store and app culture, are forming a union to lobby for just that. From a report: In an open letter to Apple that published this morning, a group identifying themselves as The Developers Union wrote that "it's been difficult for developers to earn a living by writing software" built on Apple's existing values. The group then asked Apple to allow free trials for apps, which would give customers "the chance to experience our work for themselves, before they have to commit to making a purchase."

The grassroots effort is being lead by Jake Schumacher, the director of App: The Human Story; software developer Roger Ogden and product designer Loren Morris, who both worked for a timesheet app that was acquired last year; and Brent Simmons, a veteran developer who has made apps like NetNewsWire, MarsEdit, and Vesper, which he co-created with respected Apple blogger John Gruber.

Programming

Ask Slashdot: What's the Most Sophisticated Piece of Software Ever Written? (quora.com) 232

An anonymous reader writes: Stuxnet is the most sophisticated piece of software ever written, given the difficulty of the objective: Deny Iran's efforts to obtain weapons grade uranium without need for diplomacy or use of force, John Byrd, CEO of Gigantic Software (formerly Director of Sega and SPM at EA), argues in a blog post, which is being widely shared in developer circles, with most agreeing with Byrd's conclusion.

He writes, "It's a computer worm. The worm was written, probably, between 2005 and 2010. Because the worm is so complex and sophisticated, I can only give the most superficial outline of what it does. This worm exists first on a USB drive. Someone could just find that USB drive laying around, or get it in the mail, and wonder what was on it. When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC. It has at least three ways of trying to get itself to run. If one way doesn't work, it tries another. At least two of these methods to launch itself were completely new then, and both of them used two independent, secret bugs in Windows that no one else knew about, until this worm came along."

"Once the worm runs itself on a PC, it tries to get administrator access on that PC. It doesn't mind if there's antivirus software installed -- the worm can sneak around most antivirus software. Then, based on the version of Windows it's running on, the worm will try one of two previously unknown methods of getting that administrator access on that PC. Until this worm was released, no one knew about these secret bugs in Windows either. At this point, the worm is now able to cover its tracks by getting underneath the operating system, so that no antivirus software can detect that it exists. It binds itself secretly to that PC, so that even if you look on the disk for where the worm should be, you will see nothing. This worm hides so well, that the worm ran around the Internet for over a year without any security company in the world recognizing that it even existed."
What do Slashdot readers think?
Operating Systems

Canonical Shares Desktop Plans For Ubuntu 18.10 (ubuntu.com) 78

Canonical's Will Cooke on Friday talked about the features the company is working on for Ubuntu 18.10 "Cosmic Cuttlefish" cycle. He writes: We're also adding some new features which we didn't get done in time for the main 18.04 release. Specifically: Unlock with your fingerprint, Thunderbolt settings via GNOME Control Center, and XDG Portals support for snap.

GNOME Software improvements
We're having a week long sprint in June to map out exactly how we want the software store to work, how we want to present information and to improve the overall UX of GNOME Software. We've invited GNOME developers along to work with Ubuntu's design team and developers to discuss ideas and plan the work. I'll report back from the sprint in June.

Snap start-up time
Snapcraft have added the ability for us to move some application set up from first run to build time. This will significantly improve desktop application first time start up performance, but there is still more we can do.

Chromium as a snap
Chromium is becoming very hard to build on older releases of Ubuntu as it uses a number of features of modern C++ compilers. Snaps can help us solve a lot of those problems and so we propose to ship Chromium only as a snap from 18.10 onwards, and also to retire Chromium as a deb in Trusty. If you're still running Trusty you can get the latest Chromium as a snap right now.
In addition, Ubuntu team is also working on introducing improvements to power consumption, adding support for DLNA, so that users could share media directly from their desktop to DLNA clients (without having to install and configure extra packages), and improved phone integration by shipping GS Connect as part of the desktop, the GNOME port of KDE Connect. Additional changelog here.
Security

A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) 46

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

XBox (Games)

Microsoft Announces Xbox Adaptive Controller For Players With Disabilities (theverge.com) 18

A new Xbox controller designed for people with disabilities has been announced by Microsoft today. The Xbox Adaptive Controller features two large programmable buttons and 19 jacks that can be connected to a range of joysticks, buttons, and switches to make it easier for a wider range of people to play games on Xbox One and Windows 10 PCs. The Verge reports: "I can customize how I interface with the Xbox Adaptive Controller to whatever I want," says Solomon Romney, a Microsoft Store learning specialist who was born without fingers on his left hand. "If I want to play a game entirely with my feet, I can. I can make the controls fit my body, my desires, and I can change them anytime I want. You plug in whatever you want and go. It takes virtually no time to set it up and use it. It could not be simpler."

The focus is on connectivity and customizability, with players able to build a setup that works for their capabilities and needs. It won't be an all-in-one solution for many games, but through the use of peripherals and the Xbox's system-level button remapping, the possibilities could be endless. The Xbox Adaptive Controller will cost $99.99 and goes on sale later this year.

Privacy

Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com) 38

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers in the United States. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD. student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Security

Hardcoded Password Found in Cisco Enterprise Software, Again (bleepingcomputer.com) 70

Catalin Cimpanu, writing for BleepingComputer: Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" and which received a maximum of 10 out of 10 on the CVSSv3 severity score. The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center. The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network. This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.
Chrome

Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com) 100

Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.
Music

YouTube Unveils New Streaming Service 'YouTube Music,' Rebrands YouTube Red (gizmodo.com) 105

An anonymous reader quotes a report from Gizmodo: YouTube Music, a streaming music platform designed to compete with the likes of Spotify and Apple Music, officially has a launch date: May 22nd. Its existence will also shift around YouTube and Google's overall media strategy, which has thus far been quite the mess. YouTube Music will borrow the Spotify model and offer a free, ad-supported tier as well as a premium version. The paid tier, which will be called YouTube Music Premium, will be available for $9.99 per month. It will debut in the U.S., Australia, New Zealand, Mexico, and South Korea before expanding to 14 other countries.

One of the selling points for YouTube Music will be the ability to harness the endless amount of information Google knows about you, which it will use to try to create customized listening experiences. Pitchfork reported that the app, with the help of Google Assistant, will make listening recommendations based on the time of day, location, and listening patterns. It will also apparently offer "an audio experience and a video experience," suggesting perhaps an emphasis on music videos and other visual content. From here, Google seems to be focused on making its streaming strategy a little less wacky. Google Play Music, the company's previous music streaming service that is still inexplicably up and running despite teetering on the brink of extinction for years, will slowly be phased out according to USA Today.
Meanwhile, the paid streaming subscription service, known as YouTube Red, is being rebranded to YouTube Premium and will cost $11.99 per month instead of $9.99. (Pitchfork notes that existing YouTube Red subscribers will be able to keep their $9.99 rate.) YouTube Premium will include access to YouTube Music Premium. Here's a handy-dandy chart that helps show what is/isn't included in the two plans.
Twitter

Twitter Will Start Hiding Tweets That 'Detract From the Conversation' (slate.com) 183

Yesterday, Twitter announced several new changes to quiet trolls and remove spam. According to Slate, the company "will begin hiding tweets from certain accounts in conversations and search results." In order to see them, you'll now have to scroll to the bottom of the conversation and click "Show more replies," or go into your search settings and choose "See everything." From the report: When Twitter's software decides that a certain user is "detract[ing] from the conversation," all of that user's tweets will be hidden from search results and public conversations until their reputation improves. And they won't know that they're being muted in this way; Twitter says it's still working on ways to notify people and help them get back into its good graces. In the meantime, their tweets will still be visible to their followers as usual and will still be able to be retweeted by others. They just won't show up in conversational threads or search results by default. The change will affect a very small fraction of users, explained Twitter's vice president of trust and safety, Del Harvey -- much less than 1 percent. Still, the company believes it could make a significant difference in the average user's experience. In early testing of the new feature, Twitter said it has seen a 4 percent drop in abuse reports in its search tool and an 8 percent drop in abuse reports in conversation threads.
Government

Cops Will Soon ID You Via Your Roof Rack (arstechnica.com) 98

An anonymous reader quotes a report from Ars Technica: On Tuesday, one of the largest license plate reader (LPR) manufacturers, ELSAG, announced a major upgrade to "allow investigators to search by color, seven body types, 34 makes, and nine visual descriptors in addition to the standard plate number, location, and time." Such a vast expansion of the tech now means that evading such scans will be even more difficult.

"Using advanced computer vision software, ELSAG ALPR data can now be processed to include the vehicle's make, type -- sedan, SUV, hatchback, pickup, minivan, van, box truck -- and general color -- red, blue, green, white and yellow," ELSAG continued. "The solution actively recognizes the 34 most-common vehicle brands on US roads." Plus, the company says, the software is now able to visually identity things like a "roof rack, spare tire, bumper sticker, or a ride-sharing company decal."

Windows

Rollout of Windows 10 April Update Halted For Devices With Intel and Toshiba SSDs (bleepingcomputer.com) 89

Catalin Cimpanu, writing for BleepingComputer: Microsoft has halted the deployment of the Windows 10 April 2018 Update for computers using certain types of Intel and Toshiba solid state drives (SSDs). The Redmond-based OS maker took this decision following multiple user reports about the Windows 10 April 2018 Update not working properly on devices using: Intel SSD 600p Series, Intel SSD Pro 6000p Series, Toshiba XG4 Series, Toshiba XG5 Series, and Toshiba BG3 Series.

The Intel and Toshiba issues appear to be different. More specifically, Windows PCs using Intel SSDs would often crash and enter a UEFI screen after reboot, while users of Toshiba SSDs reported lower battery life and SSD drives becoming very hot.

Microsoft

Microsoft To Launch a Line of Lower-Cost Surface Tablets With 10-inch Displays By Second Half of 2018, Report Says (bloomberg.com) 75

Microsoft plans to launch a line of lower-cost Surface tablets as soon as the second half of 2018, Bloomberg reported Wednesday. These devices should help Microsoft improve its market share in the iPad-led hybrid machines market, the outlet noted. From the report: Microsoft has tried this before. The software giant kicked off its consumer-oriented hardware push in 2012 with the launch of the original Surface RT. At the time, it was priced starting at $499. After the tablets didn't resonate with consumers and product reviewers, Microsoft pivoted to the more-expensive Surface Pro, a line which has gained steam and likely contributed to demand for a pro-oriented iPad, which Apple launched in 2015.

The new tablets will feature 10-inch screens -- around the same size as a standard iPad, but smaller than the 12-inch screens used on the Surface Pro laptop line. The new Surfaces, priced about $400, will have rounded edges like an iPad, differing from the squared off corners of current models. They'll also include USB-C connectivity, a first for Surface tablets, a new charging and syncing standard being used by some of the latest smartphones. The tablets are expected to be about 20 percent lighter than the high-end models, but will have around four hours fewer of battery life. (The current Surface Pro can last 13.5 hours on a single charge.)

Crime

Suspect Identified In CIA 'Vault 7' Leak (nytimes.com) 106

An anonymous reader quotes a report from The New York Times: In weekly online posts last year, WikiLeaks released a stolen archive of secret documents about the Central Intelligence Agency's hacking operations, including software exploits designed to take over iPhones and turn smart television sets into surveillance devices. It was the largest loss of classified documents in the agency's history and a huge embarrassment for C.I.A. officials. Now, The New York Times has learned the identity of the prime suspect in the breach (Warning: source may be paywalled; alternative source): a 29-year-old former C.I.A. software engineer who had designed malware used to break into the computers of terrorism suspects and other targets.

F.B.I. agents searched the Manhattan apartment of the suspect, Joshua A. Schulte, one week after WikiLeaks released the first of the C.I.A. documents in March last year, and then stopped him from flying to Mexico on vacation, taking his passport, according to court records and family members. The search warrant application said Mr. Schulte was suspected of "distribution of national defense information," and agents told the court they had retrieved "N.S.A. and C.I.A. paperwork" in addition to a computer, tablet, phone and other electronics. But instead of charging Mr. Schulte in the breach, referred to as the Vault 7 leak, prosecutors charged him last August with possessing child pornography, saying agents had found the material on a server he created as a business in 2009 while he was a student at the University of Texas.

Ubuntu

Canonical Addresses Ubuntu Linux Snap Store's 'Security Failure' (betanews.com) 79

Last week, an app on the Ubuntu Snap Store caused a stir when it was found to be riddled with a script that is programmed to mine cryptocurrency, a phenomenon whose traces has been found in several popular application stores in the recent months. Canonical promptly pulled the app from the store, but offered little explanation at the time. On Tuesday, Ubuntu-maker addressed the matter in detail. From a report: The big question is whether or not this is really malware. Canonical also pondered this and says the following. "The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself. That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences," the company wrote in a blog post.

"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.

Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.

Slashdot Top Deals