This DOSS SoundBox Touch Bluetooth speaker is the best $20 you can spend today – CNET


There's an inherent tension between sound quality and price, which is why we're always jazzed to run into speakers and headphones that punch well above their weight. Portable Bluetooth speakers are a great example: Below a certain price, you tend to get mediocre sound quality pumped out of a housing with a cheap feel. That's not true of the DOSS SoundBox Touch, a solid Bluetooth speaker that sounds surprisingly good for its $28 list price. And today only, you can get the DOSS SoundBox Touch for just $19.57.

The SoundBox Touch is a great little portable speaker -- it's powered by a 12-watt amp and delivers about 20 hours of playtime. It's solidly built with an aluminum housing, and the illuminated touch controls on top give the speaker a premium feel. Even the volume is controlled with a touch-sensitive virtual dial, so it has no moving parts aside from an on-off button in back. In addition to Bluetooth, it also has a microSD slot. If you're a USB-C fan, that's one small disappointment: The speaker recharges via the older Micro-USB.

That's not all. You can browse the entire list of sale items -- DOSS has a slew of speakers and earbuds on sale today, but it's all today only, so time is of the essence. 

Some other notable items on sale today:


CNET's deal team scours the web for great deals on tech products and much more. Find more great buys on the CNET Deals page and check out our CNET Coupons page for the latest promo codes from Best Buy, Walmart, Amazon and more. Questions about the Cheapskate blog? Find the answers on our FAQ page.


Episode 91: How Hackers Can Use CSRF Vulnerabilities and Spearphishing to Wreak Havoc on WordPress

On this week’s episode of Think Like a Hacker, we chat about the cross-site request forgery (CSRF) vulnerability found in the Child Theme Creator by Orbisius and how attackers could use a vulnerability like this with spearphishing to wreak havoc, much like the phishing campaigns now being found on the Canva design platform.

With WordPress adding application passwords for REST API authentication, we discuss the benefits coming with this capability in WordPress version 5.6.

We also consider the ramifications of the critical, wormable RCE bug patched by Microsoft, and how attackers are actively attacking the recent zerologon vulnerability that was patched in August.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:42 High Severity Vulnerability Patched in Child Theme Creator by Orbisius
5:29 WordPress 5.6 to Introduce Application Passwords for REST API Authentication
7:48 October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug, attackers exploiting zerologon vulnerability
12:03 Canva design platform actively abused in credentials phishing

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 91 Transcript

Kathy Zant:
Hi and welcome to Think Like a Hacker, the podcast about WordPress, security and innovation. We’re switching things up with the podcast just a bit. I am Kathy Zant, Director of Marketing here at Wordfence, and I’ve got a special guest.

Ram Gall:
Hi, I’m Ram Gall. I am a QA Engineer and Threat Analyst. You might have seen me on Wordfence Live on Tuesdays.

Kathy:
Ram is one of the stars of Wordfence Live, and he definitely brings not only the education to Wordfence Live, but the entertainment factor as well, and I enjoy watching you every week, Ram.

Ram:
I try, I try.

Kathy:
And you do a good job.

Ram:
Aw.

Ram:
So what do we got for today?

Kathy:
Well, we’ve got a few interesting stories. First, it looks like Chloe found a high severity vulnerability that was patched in the Child Theme Creator by Orbisius. And you did some QA on this, didn’t you?

Ram:
Oh yeah. I remember this one. I tested the firewall rule for this one and I mean, it’s kind of a doozy.

Kathy:
Is it?

Ram:
Yeah, it is a Cross-Site Request Forgery vulnerability. Maybe we should go into what that means a little bit.

Kathy:
Yeah. I remember that being something that an attacker would use, but they have to trick someone into performing an action in order for it to work. Is that correct?

Ram:
Yeah. Yeah. Imagine that you’ve got a button on your site that when you click it, it makes someone else an administrator. Now, let’s say an attacker knows exactly what kind of requests that button does, they’re not an administrator so if they press it, it can’t do anything. But if they basically copy what that request would do and send it to you in an email, for instance, and get you to click that request, you’re the one doing it. So you could make them an administrator without knowing what you’re doing exactly, if they disguise the link well enough.

Kathy:
Interesting.

Ram:
And we use something called a nonce, or a number used once, to protect against this kind of attack. So what happened in this case is that the theme creator didn’t have that check in place. So an attacker could send a crafted link, or get a victim who is an administrator to click on a link that would send a specialized form, or have JavaScript send a specialized request, and they could basically edit the theme file on a site or inject a new file on the site containing whatever they wanted: a backdoor, a web shell, anything like that. And at that point, I mean, they would basically own the site.

Kathy:
Right. So this would probably be used in a very targeted attack where an attacker says, “There’s Sally’s cat blog. We like to pick on Sally. There’s Sally’s cat blog, I want ownership of that so I’m going to mess with Sally and get her to click this.” Is that right?

Ram:
Yeah. And I mean, it is a targeted attack. It’s not the kind of thing that you could easily do as like a bulk exploit attempt. It’s not like the File Manager vulnerability we talked about a while back, but that doesn’t make it any less severe. If this kind of vulnerability is present, and let’s say you have a company with multiple administrators or multiple people with administrative access, an attacker is just going to keep trying until they get one of them to click it.

Kathy:
Yeah. This plugin though, it kind of falls into this category of utility plugins. It’s not necessary for the functionality of the front end of the site. So utility plugins, I kind of think of these as like File Manager that recently had a vulnerability, the Duplicator plugin, which had a vulnerability. These things are not necessary for the site’s front-end functionality, but yet people seem to leave these on their sites fairly frequently. I mean, this particular one has an install base of 30,000. Are these people just leaving this on their site, and what would be your recommendation for that?

Ram:
I mean, it does sound like people are just leaving it on the site. And I mean, how many times do you really need to create a new child theme? Maybe once for every theme that you’re going to install and decide to keep, which might be like two or three themes at most, ever.

Kathy:
Right.

Ram:
If you’re actually going to the trouble of creating a child theme, you’re investing work in that theme. So at that point you’ve more or less decided to keep that theme. So, I mean, once you created the child theme, you don’t really need the plugin anymore. We recommend not just deactivating these plugins, but actually removing them from your site.

Kathy:
Right. Because the File Manager plugin, if you deactivated it and it was still resident on your site, you’re still vulnerable, right?

Ram:
Yeah. Yeah. That was the problem with the File Manager plugin. It didn’t matter if it was deactivated or not, because it didn’t actually need to load up in WordPress to be vulnerable. Attackers could just access this one file sitting there in the plugin directory.

Kathy:
And create a lot of havoc, right?

Ram:
Exactly.

Kathy:
Yeah. Interesting. Okay. So if you are using the Child Theme Creator by Orbisius and it is on your site and you’re not using it actively, maybe you’d like to delete it, at the very least you should have it updated.

Kathy:
Looks like we have another story about WordPress 5.6 which is upcoming, is going to introduce application passwords for the REST API. What do you think about this, Ram?

Ram:
I think it’s probably a very good thing. So, okay, the REST API kind of started as a replacement for XML-RPC, which we all know has its own set of problems. Basically, it’s a way for other applications, other programs to communicate with various plugins on the WordPress side, which is well and good as long as it’s properly secured.

Kathy:
Sure.

Ram:
Having application passwords, with 5.5, they actually reduced a requirement for any REST API end points. Basically, anything that tries to access using the WordPress REST API needs to have some kind of authentication check in place saying, “Yes, I checked to make sure that this person is allowed.” You can still just have it return true in all cases if you do want to make a public endpoint, but it is definitely going to help improve best practices on that. But adding passwords to it is going to make it way easier to establish secure ways for other programs to interact with WordPress, and that’s a really good thing.

Kathy:
Yeah. So this is probably going to make application developers say, mailing list providers, or different applications that can be leveraged to provide functionality to a site or getting information in and out of WordPress, it’s going to give them a level of security where they can add additional functionality and ensure that that is secured. So I think that this ultimately is going to add to the usefulness of WordPress and integrations with other software.

Ram:
Definitely. Yeah. I mean, we use the WordPress REST API for Wordfence Central. We had to develop a pretty rock-solid authentication system using some fairly heavy cryptography, but…

Kathy:
Yeah.

Ram:
Yeah. This would have made that a lot easier, but I think we’re still keeping our high-security version, so.

Kathy:
Yeah. Yeah. So this’ll be interesting to see. I’m not sure when WordPress 5.6 is coming, but 5.5 just came out, what? In August, so I’m guessing probably by first part of the year. So this is definitely something cool to watch.

And Ram, you found a cool story about October Patch Tuesday, and what’s going on with Microsoft. You found a wormable RCE bug?

Ram:
Yeah. So first of all, I should probably define a couple of things. Wormable is kind of a problem because it means that if an attacker infects one system, they can then get that system to attack other systems and just sort of spread on its own without human intervention. And RCE is remote code execution, which once an attacker has that, it basically means that, well, they own it. At the very least, whatever the user they’re attacking can do, which in this case, since it’s the IP stack, runs at the kernel level, so pretty much everything.

Kathy:
Yeah. So this is really dangerous in enterprise situations where you have a whole room full of Windows servers that are on the same network?

Ram:
Yeah. It’s actually a lot like the old school “ping of death” attack. You’ve opened up a command prompt and run ping against a site to see if it’s up, right?

Kathy:
Sure.

Ram:
So that uses a special kind of packet called an ICMP packet, and it used to be possible to basically make a malformed version of that packet and send it to a server and crash it. And we called that the ping of death. This is kind of like an IPv6 variant on that, but with a bit more potential capability. So, I mean, the good news is that no one’s actually achieved remote code execution as far as we know yet, but that’s just for the time being. For now, most exploits just result in a blue screen of death so this could still be used for denial of service. There’s more good news, and that’s that a lot of firewalls seem to block ICMPv6 packets by default so it’s not necessarily going to be easy to exploit by an attacker that’s not already inside your network.

Kathy:
When we were talking before you said something about how if it’s going to be exploited, you’re going to see a lot of servers just going down so it’s not really useful for an attacker who wants to maintain persistence in a network, right?

Ram:
Not yet. Not until they get full RCE. Once they do then it might not actually leave any traces, so.

Kathy:
Fascinating. So definitely something to patch and something to watch because I’m sure not everyone’s going to patch. Why is it that we don’t get everyone patching when Patch Tuesday happens?

Ram:
I don’t know. Remember, what was it, zerologon?

Kathy:
Yeah.

Ram:
Yeah. The thing you talked about a couple of weeks ago, apparently there’s already access to Fortune 500 company networks being sold on the dark web because of that vulnerability.

Kathy:
Wow. Just that one vulnerability is exposing companies. Wow. Yeah. Yikes. And didn’t you mention that Linux has a pretty intense vulnerability too?

Ram:
Well, it has a cool name at least, which is “bleedingtooth.” It does mean that the attacker has to be close by a vulnerable computer, but pretty much any Linux computer with Bluetooth enabled running before the current version of the Linux Kernel. I’ve seen some disagreement on the minimum version that’s affected. I’ve seen anywhere from 3.6 to 5.8. So it seems likely that at least some older versions are affected before the second to latest version, but the long and short of it is that if you have a Bluetooth device nearby a Linux computer with Bluetooth enabled, you can attain zero-click remote code execution via the Bluetooth BlueZ stack. Again, that means that someone can own your computer in kernel mode, so yeah.

Kathy:
Wow. So update all of the things, pretty scary vulnerabilities there.

Kathy:
Did you see this article about Canva being used for phishing?

Ram:
Yeah. I just read that yesterday. And wow, I had no idea you could do all that with a graphics design platform.

Kathy:
Did you test it out yet?

Ram:
I have not. If you get any emails from Microsoft, make sure to click them.

Kathy:
Tricky, aren’t you? Yeah. I don’t trust any emails from Microsoft or anyone basically. Especially financial institutions after hanging out with you and Chloe.

Ram:
Hey, I haven’t hacked you yet.

Kathy:
No, you haven’t, yet. Most of the phishing campaigns that we receive are from our Director of Information Security who likes to keep us on our toes. Doesn’t she?

Ram:
Yeah. Hey, we actually passed the last few ones. No one clicked on any of those phishing links.

Kathy:
Yeah. Yeah.

Ram:
So, and that’s-

Kathy:
Yeah, we’re getting good.

Ram:
Yeah. It’s really important to train all your users as to the dangers of phishing so that they don’t actually click on suspicious links because so many corporate vulnerabilities start this way. There’s zerologon and all that stuff and there’s technical flaws but usually attackers get their foot in the door via something called spearphishing.

Kathy:
What is spearphishing exactly?

Ram:
Basically where an attacker does research on your company, in particular, finds someone who might be susceptible to clicking on a link and entering in or sharing confidential information. Then crafts a message that looks like it would be from their boss or their co-worker asking for this quarter’s financials or sending them an infected file that claims to be this quarter’s financials.

Kathy:
So very, very targeted. So with the vulnerability we were talking before, the CSRF vulnerability with the Child Theme Creator, that could be used in a spear phishing attempt to really do some damage on a website, right?

Ram:
Oh yeah. I mean the spear phishing is probably the best way to get CSRF executed.

Kathy:
Gotcha. Yeah. A lot of people all talked about different types of vulnerabilities and they always think, well, CSRF means that somebody’s got to do something, so no big deal, right?

Ram:
Hackers are really good at getting people to do things.

Kathy:
They are. It’s really more of a manipulative psychological game than it is the actual vulnerability itself because the weakest link in security is always the human, isn’t it?

Ram:
Well, I mean, I know that I’ve definitely made some cybersecurity mistakes. I’ve gotten hacked a bunch of times in the past, so.

Kathy:
Yeah. Yeah. I think we all have.

So with this Canva design platform, it is being used in credentials phishing. So Canva’s hosting for images and whatnot, it is being used to create landing pages that are then used to redirect phishing victims to fake log-in forms. So I guess the biggest advice is to always verify domains. If you’re going to a financial institution, always type in that domain name, never click on a link in an email because these types of attacks are happening everywhere. And if you think that, “Well, it’s on Canva so then it’s got to be safe.” Well-

Ram:
Maybe not.

Kathy:
… this research is definitely showing that it is not.

Kathy:
And what would you recommend Ram for a company that has a number of employees that have access to sensitive information or to even their WordPress website, should those companies be testing their employees like we do to ensure that they can identify a phishing campaign? Because my Gmail inbox, I never see any phishing. I mean, I don’t even look at the spam folder anymore, but they’re really good at filtering it. So I’m not being tested there.

Ram:
I do think it’s important to test employees, train them to recognize signs of suspicious emails, even if they seem to be coming from someone else in the company. Because some of the test emails we’ve gotten actually looked like spear phishing campaigns, like sharing a report from some platform that we use or that kind of thing. Someone I work with granting me access to something or…

Kathy:
Yeah, and that always sounds really juicy. You want to click that, right?

Ram:
Exactly. And I mean, there’s the old advice that you can hover over links to see where they actually lead but with shortened URLs, that’s kind of hard. Though they do have services that can expand shortened URLs and figure out where they go to but there’s also redirect chains where a URL might redirect to another site, which redirects to another site, and it’s kind of hard to keep track of where it ends.

Kathy:
Yeah, definitely. So it’s just better to basically mistrust every link in an email.

Ram:
If you get an email that seems suspicious from someone you work with, maybe contact them via Slack or Messenger or give them a call and see if they actually sent that to you.

Kathy:
Good points. Very good points. Well, that’s all we got today for Think Like a Hacker, Episode 91. What do you think Ram, was this fun for you?

Ram:
Yeah, this was tons of fun, and it’s always fun thinking like a hacker.

Kathy:
It is. So let’s do this again next week. If you are wanting an alert when Think like a Hacker is posted, you can go to Wordfence.com/podcast, or you can subscribe on one of your podcasting apps on your phone. Keep in touch with us. We’re going to give you all of the latest news in WordPress security and innovation so that you can stay on top of things easily and just kind of walk around your neighborhood, drive to work, whatever you’re doing, drive to the coffee shop, and we’ll keep you updated. So talk to you again next week, right Ram?

Ram:
Yep. See y’all last… Next week. Not last week, next week.

Kathy:
2020 is really just kind of messing with time.

Ram:
It is, I’ll see you all next last week.

Kathy:
That’s what it’ll be. See you next time. Thanks.

Follow Ram on Twitter @ramuelgall or Kathy @kathyzant. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific. Next Tuesday on Wordfence Live, we’ll be talking about how to find and exploit WordPress vulnerabilities.

The post Episode 91: How Hackers Can Use CSRF Vulnerabilities and Spearphishing to Wreak Havoc on WordPress appeared first on Wordfence.
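As an added example, not code from the Child Theme Creator plugin, from WordPress core or from Wordfence, the following sketches the pattern Ram describes in the episode: a privileged admin action that writes a theme file, first with no nonce check (so a request forged from another site and submitted by a logged-in administrator succeeds), then hardened with a capability check plus a WordPress nonce, and finally the same action exposed through the REST API with a real `permission_callback`, the check he mentions WordPress 5.5 started expecting on every route. Every function, hook, field and route name beginning with `example_` or `example/v1` is invented for illustration; the WordPress functions (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `register_rest_route`, and so on) are real core APIs.

```php
<?php
// Added example (hypothetical plugin code, not the Orbisius plugin or Wordfence code).
// Names prefixed example_ are invented for this illustration.

// --- "Before": no nonce and no capability check. ---
// Any request that arrives with an administrator's cookies triggers the write,
// including a form hosted on a third-party page that the administrator is lured
// into submitting. This is the CSRF shape discussed in the episode.
function example_save_css_vulnerable() {
    $path = get_stylesheet_directory() . '/' . basename( $_POST['filename'] );
    file_put_contents( $path, wp_unslash( $_POST['contents'] ) );
}

// --- "After": the form WordPress renders carries a nonce tied to this user. ---
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_css', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_css">
        <input type="text" name="filename" value="custom.css">
        <textarea name="contents"></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Shared write helper: confines the file to the child theme directory and to a
// .css name, so even an authorised caller cannot drop a .php file this way.
function example_write_css( $filename, $contents ) {
    $name = sanitize_file_name( basename( $filename ) );
    if ( '' === $name || 'css' !== pathinfo( $name, PATHINFO_EXTENSION ) ) {
        return new WP_Error( 'example_bad_name', 'Only .css files may be written.', array( 'status' => 400 ) );
    }
    $path = trailingslashit( get_stylesheet_directory() ) . $name;
    if ( false === file_put_contents( $path, $contents ) ) {
        return new WP_Error( 'example_write_failed', 'Could not write file.', array( 'status' => 500 ) );
    }
    return $name;
}

function example_save_css_hardened() {
    // 1. Capability: only users allowed to edit themes may reach this action.
    if ( ! current_user_can( 'edit_themes' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Nonce: check_admin_referer() dies unless example_nonce was generated
    //    for this user and this action, which a forged cross-site request
    //    cannot supply.
    check_admin_referer( 'example_save_css', 'example_nonce' );
    // 3. Input handling is delegated to the helper above.
    $result = example_write_css(
        wp_unslash( $_POST['filename'] ?? '' ),
        wp_unslash( $_POST['contents'] ?? '' )
    );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 'Error', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'themes.php?example_saved=1' ) );
    exit;
}
add_action( 'admin_post_example_save_css', 'example_save_css_hardened' );

// --- REST route with a permission_callback (expected on every route since 5.5). ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/css', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $result = example_write_css( $request['filename'], $request['contents'] );
            return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'saved' => $result ) );
        },
        // Returning current_user_can() instead of __return_true keeps the endpoint
        // private; WordPress answers 401/403 before the callback ever runs.
        'permission_callback' => function () {
            return current_user_can( 'edit_themes' );
        },
        'args'                => array(
            'filename' => array( 'required' => true, 'type' => 'string' ),
            'contents' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The REST route has its own forgery defence: a browser request that relies on the WordPress login cookie is treated as logged out unless it also sends an `X-WP-Nonce` header holding a nonce created with `wp_create_nonce( 'wp_rest' )`, so the `permission_callback` then fails for a cross-site caller. The application passwords discussed for WordPress 5.6 give external programs a way to authenticate to such a route with HTTP Basic auth instead of cookies, which is why they make integrations like the ones Kathy describes simpler to secure.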


Get a Canary home security cam for $49 plus home-delivery pet food for 50% off – CNET


Canary has been making all-in-one home security systems longer than almost anyone, and the Canary View is the company's newer little brother to the original Canary All-in-One. It guards your home with a wide-angle, motion-sensing camera that shoots in HD quality. But it lacks a siren, so it can't sound an audible alarm during a break-in -- but it definitely makes a mean petcam. Canary is leaning into the pet angle with this month's 50%-off deal: You can get a Canary View for $49 along with two weeks of Nom Nom subscription pet food for 50% off. Plus you get three months of Canary's Premium Service Plan for free.

The Canary View usually sells for $99, so you're saving $50 on the security system right out of the gate. It comes with three months of the option premium service, which would ordinarily be an additional $30.

Meanwhile, Nom Nom is a subscription pet food service that produces its own food in-house, using experts including a board-certified veterinary nutritionist to formulate recipes that are intended to be healthy and nutritious. As a part of this deal, you can try Nom Nom (well, actually, your pet can try it) for two weeks for half off.

Interested in keeping an eye on your pooch from the office, and improving their diet at the same time? Scroll down the page to redeem the offers. This deal runs through Nov. 14.



The best resistance bands in 2020 (that you can actually buy right now) – CNET

Resistance band workouts have seen a surge in popularity as more and more people have begun to work out from home due to coronavirus shutdowns. With gyms and fitness studios closed, exercisers turned to simple solutions that could keep them fit and healthy at home. 

Resistance bands proved fruitful because they're inexpensive compared to kettlebells and dumbbells, they don't take up much space, they're not loud (perfect for top-floor apartment dwellers) and they're versatile. 

To be truthful, the best resistance bands are any that you can currently find without a 15-week backorder. More than half a year into the pandemic, the workout-from-home craze has turned from a temporary trend to a necessity (Gym? Who's that?) and equipment manufacturers still face an unhealthy supply chain. 

However, you can still find a few great sets of resistance bands online right now. This article lists the best ones you can currently buy without waiting for weeks. Just know that while we'll do our best to keep this updated, prices and availability can change.

Read more: How to get a great workout with a kettlebell

Hyfit

Since everything is smart these days, it should come as no surprise that there's a smart resistance band set available to fitness enthusiasts. I tried out the Hyfit Gear One and was honestly surprised at how much I enjoyed using it. It struck me as slightly gimmicky, but these resistance bands actually work really well. 

The Hyfit Gear One includes a pair of tubal resistance bands, wrist and ankle straps, a wall anchor, a door anchor and a pair of handles. It's truly a use-anywhere set because not only can you anchor the bands to a door or wall, you can use your own body to create resistance. 

Adjusting the bands is super easy, too: Just press the little red adjuster button to shorten or lengthen them. Between the wrist and ankle straps, door and wall anchors and adjustment mechanism, you might never need another set of resistance bands. 

The resistance bands contain sensors that track your repetitions, volume (total weight lifted) and calories burned. When you pair the bands to your phone and download the Hyfit app, this data collects automatically and you can track your workouts with ease.

To me, the smart aspect is just a bonus -- the wearable resistance band concept alone would've been enough to persuade me to buy this. Once I'm able to take a road trip or go camping again, I'm packing my Gear One so I can easily get in a quick workout on the go without having to lug around a 40-pound kettlebell. 

If the set sells out on Amazon, you can always buy directly from the company.

BC Strength

If you're looking for a booty band, stop here. Just one of these mini resistance bands from Bret Contreras (known on Instagram as the "Glute Guy") will last you years because of the tight-woven, high-quality construction. Contreras popularized the hip thruster exercise and the concept of glute training and, as a certified strength and conditioning specialist with a PhD in sports science, I trust that his mini resistance bands work. 

I also know that they work because I've been using them for the last seven months and they've been the savior of my glute and hamstring strength throughout the coronavirus pandemic. I've used these mini resistance bands to make several exercises more challenging, including bodyweight squats and hip thrusts, dumbbell deadlifts and kettlebell swings. I've also used them extensively for glute-focused exercises, such as donkey kicks and hip abductions.

You can purchase Bret Contreras Glute Loops in two sizes (small to medium and large to extra large) and in three resistance levels (light, medium and strong, labeled as one, two and three on the bands). I ordered a full set because I wasn't sure what to expect, and I'm glad I did. I've used all six Glute Loops for various exercises and rep schemes. I do tend to use one band more than any of the others, so most people would probably be fine ordering just one Glute Loop.

Rogue

Having frequented many a CrossFit gym, I've used my fair share of Rogue resistance bands (Rogue is the preferred outfitter of functional fitness equipment). Rogue Monster Bands constitute the best of the best in resistance bands. They come in various levels of resistance and they're constructed of thick, durable natural latex rubber. 

The big problem with resistance bands is they wear out significantly over time and, compared to iron or steel weights, they don't last long at all. I've seen these Rogue bands in use for years, firsthand, and they never seem to show signs of wear. 

Rogue has been struggling with its supply chain for the last several months, so if you're interested in the Monster Bands, I'd purchase them while you can. The full sets are out of stock, but you can pick and choose individual bands. 

I would recommend Monster Bands for anyone who wants to use resistance bands to build muscle, because they go up to 200 pounds in resistance -- much higher than the toughest resistance band from most other brands. 

You can also check out the Rogue Echo Bands, which are slightly less expensive than the Monster Bands. They seem slightly less durable but would more than suffice for the average exerciser who works out at home. The Echo Bands were out of stock at the time of writing, but you can sign up to get notified when Rogue stocks back up.

FitCord

These durable resistance bands from FitCord pack a one-two punch when it comes to longevity. Like I mentioned earlier, resistance bands wear out over time. It's just a fact of the product. However, you can maximize the life of your resistance bands by choosing the right kind. 

Made of dipped latex -- the most durable material for resistance bands -- the FitCord X-Over resistance bands feature a scrunched nylon safety sleeve that protects the latex underneath from UV damage and harsh weather. The sleeve also protects you in the case that your band snaps during use, but that's unlikely with a dipped latex resistance band. 

FitCord makes X-Over bands up to 55 pounds in resistance, which is plenty for the average person who wants to work out with resistance bands. 

TheraBand

If you have a latex allergy, working out with resistance bands might seem impossible. The options definitely diminish when you filter with "non-latex," but if you look hard enough, you can find some non-latex resistance bands. 

TheraBand is known for its professional rehabilitation equipment, including resistance bands, kinesiology tape, foam rollers, muscle wraps and stability balls. The non-latex professional set includes three resistance bands providing up to seven pounds of resistance.

As a bonus, this set comes with basic exercise instructions written by a physical therapist, making it a good option for people who aren't sure where to start with resistance bands. 

I wouldn't recommend these TheraBand resistance bands for advanced exercisers looking to use resistance bands for intense workouts or to build muscle. Because these bands are primarily intended for rehabilitation purposes, they provide minimal resistance and are best suited to beginners or people working around injuries.

The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.


A Cut Cable Knocked Out Virginia’s Voter Registration Site

This week the New York Post published a story centered on information stolen from a laptop that purportedly belonged to Hunter Biden, and that has a high likelihood of being part of a disinformation operation. Not great! But the way the rest of the media handled the situation was a marked improvement over 2016, when leaks of John Podesta’s hacked emails kicked off a frenzy that played right into Russia’s hands. Here’s to modest progress.

Take it where you can get it. The rest of the security outlook was a little more discouraging. United States Cyber Command mounted an offensive against Trickbot, one of the most dangerous botnets in the world. It didn’t accomplish much, but did set a new precedent of US hackers taking on criminals rather than their military counterparts. That’s all part of the long-term strategy of general Paul Nakasone, leader of both Cybercom and the National Security Agency, whom we profiled at length for the most recent issue of the magazine.

We also took a look at how internet freedom has suffered during Covid-19, as dozens of countries have used the pandemic as an excuse to increase surveillance and tamp down on digital rights. Speaking of surveillance, Amazon’s latest high-profile product announcements have been pushing the boundaries of data collection in discomfiting ways. (Yes, that includes the drone that flies around your house.)

Researchers have figured out how to make a Tesla Model X hit the brakes by flashing just a few frames of a stop sign image for less than half a second. It’s maybe not the most practical attack, but on the other hand it could do a fair bit of damage on the highway if timed just right. And DDoS extortion is on the rise, including some criminals who have been posing as nation state hackers like Fancy Bear and Lazarus Group to increase the intimidation factor.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

The registration deadline for the state of Virginia was Tuesday, which is why it’s especially unfortunate that an accidentally cut cable knocked Virginia’s voter portal offline for several hours Tuesday morning. Utility workers hit a Verizon fiber line, which was enough to take out the entire system until deep into the afternoon. A judge extended the registration deadline by 48 hours to make up for it, so everyone should still have been able to get their name in. But the incident is an important reminder that for all the concern over hackers disrupting the 2020 election, creaky infrastructure—whether it’s a cut cable or a confusing interface on a decades-old voting machine—poses a more realistic threat to Election Day.

Look, data breaches happen. After the Equifax hack, there’s a good chance that a big chunk of your personal information has already been compromised. The more important question to ask when a major company like Barnes and Noble gets hacked—which it did, according to an email sent to customers this week—is how much the hackers actually got away with. In this case, it seems at least for now like the damage isn’t terrible. The company said purchase histories, email addresses, and shipping information were potentially exposed, which isn’t ideal. But passwords and financial information appear not to have been impacted, according to Barnes and Noble. Sometimes breaches turn out to be worse than first reported—looking at you again, Equifax—but at least for now, it seems like the fallout is about as minimal as you could hope.

The months-long Zoom encryption saga is nearing a resolution. After misrepresenting the level of security its video chat services offered—and then waffling on whom it would make end-to-end encryption available for—Zoom next week will roll out the feature to both free and paid users for a 30-day technical preview. Zoom chats with end-to-end encryption can accommodate up to 200 users, an impressive feat especially given the time frame. You have to opt in to use the feature, and will give up features like live transcription and cloud recording. But if your privacy needs are that pronounced, odds are you wouldn’t want those enabled in the first place.

Ransomware gangs have increasingly taken to posting companies’ data online if they don’t pay up. The latest apparent victims include gaming companies Ubisoft and Crytek, which a gang called Egregor says it has successfully compromised and published apparent files from on a dark web site. None of this is unique, but it’s worth keeping an eye on—especially since the group has threatened to leak the much higher-stakes source code for Ubisoft’s upcoming Watch Dogs: Legion and the company’s game engine.


Want Some Eco-Friendly Tips? A New Study Says No, You Don’t

This story originally appeared on Grist and is part of the Climate Desk collaboration.

Need something else for your growing to-do list? Environmentalists have about a zillion things for you, give or take.

Chances are that you’ve heard a lot of them already: Ditch your car for a bike, take fewer flights, and go vegan. Oh, and install solar panels on your roof, dry your laundry on a clothesline, use less water when you brush your teeth, take shorter showers … hey, where are you going? We’re just getting started!

For decades, we’ve been told that the solution to our planetary crisis starts with us. These “simple” tips are so pervasive, they usually go unquestioned. But that doesn’t mean that most people have the time or motivation to heed them. In fact, new research suggests that hearing eco-friendly tips like these actually makes people less likely to do anything about climate change. Oops! Experts say there are better ways to get people to adopt green habits—and they don’t involve nagging or guilt-tripping.

In the study—titled “Don’t Tell Me What to Do”—researchers at Georgia State University surveyed nearly 2,000 people online to see how they would respond to different messages about climate change. Some saw messages about personal sacrifices, like using less hot water. Others saw statements about policy actions, like laws that would limit carbon emissions, stop deforestation, or increase fuel efficiency standards for cars. The messenger—whether scientist or not—didn’t make much of a difference.

Then the respondents were asked about their thoughts on climate change. The people who read the messages about individual responsibilities were less likely to report that they believed in human-caused climate change, less likely to support climate-friendly political candidates, and less likely to act to reduce their own emissions.

While the advice about personal behavior spurred a negative response from people across the political spectrum, the effect was much stronger among Republicans than Democrats, said Risa Palm, a professor of urban geography at Georgia State and the lead author of the study.

On the other hand, “when the message was linked with policy issues, it didn’t have this kind of negative effect,” she said. Palm’s study reinforces previous research that people prefer wide-scale changes that don’t require them to change their own behavior. They simply don’t feel like anything they could do would make much of a difference.

It’s a valid point of view, according to Sarah McFarland Taylor, the author of Ecopiety: Green Media and the Dilemma of Environmental Virtue. The scope of the proposed eco-friendly solutions—like, say, getting individuals to use less hot water—is simply “absurd” compared to the scope of the problem, she said.

Taylor, an associate professor of religious studies at Northwestern, uses the term “ecopiety” to refer to the voluntary duties that signal a person’s “green” virtue—driving a Toyota Prius, filling up a Nalgene, or ordering a salad instead of a burger. “We are fiddling with all these fiddly little ‘ecopiety’ details while the world is burning,” she said.

“The fact of the matter is, a small cadre of the ‘ecopious’ who have the wherewithal and the resources to do these voluntary individual actions, will do them,” Taylor said. “And the rest of the people will not.”

Why are people so resistant to climate-friendly behavior? It comes down to psychology. When people don’t like the solutions that are presented to them, or when they feel like their freedom is under threat, they may deny that there’s a problem altogether, Palm said.

When the Toyota Prius went worldwide in 2000, it was marketed as a climate-friendly, virtuous purchase, because it ran on gas and electricity. “There was an unintended rebound effect, with certain sectors of the population reacting very hostilely,” Taylor said. Years later, diesel truck owners started “coal-rolling”: removing emissions controls and rigging up their vehicles to spew giant clouds of smoke, targeted at unsuspecting pedestrians, bicyclists, and Prius owners.


5G is now free on Ryan Reynolds’ carrier Mint Mobile – CNET

Mint Mobile has added 5G for free to all phone plans. (Image: Mint Mobile)

Mint Mobile now provides 5G access to all customers free of charge, the company announced Tuesday. The carrier, which is owned by actor Ryan Reynolds, uses T-Mobile's 4G LTE and 5G networks for coverage. On all plans, a 5G-compatible phone will switch from 4G to 5G depending on whichever signal is strongest in your current location.

"Every Mint plan has 5G for free ... unlike some of our competitors," Mint Mobile said.

"It seems we may never know what 5G is, so we're just going to give it away for free with every plan until we figure that out," Reynolds said in a video.

Mint Mobile's introductory three-month plans cost $15 a month for 3GB of data, $20 a month for 8GB, $25 a month for 12GB and $30 a month for unlimited data. Pricing is the same on its 12-month plans but is slightly more expensive on a six-month option. Plans also include unlimited talk and text, free calling to Mexico and Canada and free mobile hotspot capabilities.

"No 5G signal goes farther (others can be blocked by things like leaves)," Mint Mobile said, adding it uses low-band 600MHz spectrum "because it's the one that benefits you the most."


The three major US carriers use different radio waves for their 5G networks: Verizon uses high-band millimeter-wave 5G spectrum, which is limited to traveling short distances and being blocked by solid obstacles like buildings and trees, while AT&T uses 850MHz spectrum for its low-band 5G network.

T-Mobile also uses low-band 600MHz spectrum -- which has better range but slower speeds -- but is now also integrating Sprint's midband 2.5GHz spectrum since the carrier's $26.5 billion merger with Sprint went through in April. 

You can check out Mint Mobile's coverage map here to see if there's 5G service in your area.


Get this 3-mode electric toothbrush with 8 replacement heads for just $30 – CNET


If you're not using an electric toothbrush, you're brushing wrong. That's something my dentist told me years ago, and I've been a loyal sonic toothbrush user ever since. The vibrating head is more effective at removing plaque, and since most electric toothbrushes have a built-in 2-minute timer, it's easier to brush for the recommended amount of time. On the downside, brand-name electric toothbrushes and their replacement heads can be pricey. Here's an inexpensive alternative: Right now, you can get the Fairywill P11 Electric Toothbrush with eight brush heads for $30 when you click the coupon on the product page and apply coupon code FWP11CNET at checkout. When both discounts stack, you get $20 off the regular price of $50.

I had been looking for an alternative to my Philips Sonicare for a while. It works fine, but the replacement brushes are ludicrously expensive. The Fairywill offers a similar brushing experience, and I suspect that I've found my next toothbrush -- it checks virtually all the boxes I need in a toothbrush, at a much lower lifetime cost.

Functionally, the Fairywill works the same way as most electric toothbrushes. It'll run for 2 minutes with short pauses every 30 seconds to remind you to change quadrants so you cover your whole mouth. It offers a trio of brush modes (general cleaning, soft and massage), but I have personally never found much value in changing up the brush mode, so I stick with the default cleaning mode.

The rechargeable battery lasts for about a month of daily use. Priced this low, the Fairywill doesn't come with any sort of charging dock or stand -- it includes a USB charging cable instead. This is a bummer, because it means you have to take the toothbrush into another room to charge every few weeks. The cable plugs into the bottom, which I find awkward since it can't stand up while charging, and it's a proprietary connector, so don't lose the cable.

On the other hand, you get a total of eight brushes in the box, which means you could conceivably use the toothbrush for two years before you ever need to buy replacement brushes. And I love the P11's included travel case, which holds the toothbrush and two different brush heads for convenient travel as a couple. 

Originally published earlier this year. Updated with a new deal. 


The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.


Karma Automotive teases new all-electric GSe6 with pricing and preorders – Roadshow

The GSe6's body will be mostly Revero, Karma says, but here are its electric guts. (Image: Karma)

More and more vehicle manufacturers, especially smaller ones, are focusing on offering their vehicles via preorders. This is a risky proposition for the customer because, as we saw with Tesla's Model 3 reservations, you can be stuck waiting a long time for a car that you ultimately know very little about.

The latest carmaker to give preorders a whirl is Karma Automotive, makers of the Revero, which used to be the Fisker Karma (but now Fisker is its own company again, and it's all very confusing). Here's the thing, though: Karma is going a step further and offering preorders on an $80,000 car that it isn't even showing whole pictures of. That takes chutzpah, friends.

The Karma GSe6 is being marketed as the brand's first fully battery-electric vehicle. Details are suspiciously thin on the ground here, beyond the fact that it will have an aluminum body based mainly on the Revero GT, be capable of one-pedal driving, have adaptive headlights, feature a steering wheel with haptic feedback, offer Level 2 autonomy (nothing to brag about in 2020, btw) and be assembled in California.

Karma wants to drive preorders for the GSe6 with this as basically the only available photo. (Image: Karma)

We know nothing about the GSe6's powertrain, and that's worrying when it's coming from a company best known for building, for years and with minimal changes, a car it bought off another failing company with someone else's engine in it. Add in that the company hasn't always been in the best financial shape, and it's all kind of worrying.

Now, way back in April, Karma talked about bringing an electric version of the Revero called the GTE to production, but even then, the potential specs being bandied about were a little dubious -- namely, the 400-mile range number.

Karma representatives confirmed that the GSe6 is basically the evolved and iterated-upon current version of what was the GTE. They also confirmed that the reason there aren't any specs is that the charging speeds, range, battery management system and capacities, as well as the inverters and minor design elements, aren't "100% baked."

With its $79,900 asking price, Karma seems to be targeting both the Tesla Model S and the Lucid Air, though it manages to come in slightly above both of those vehicles' current price points, and even then, a prospective buyer would likely have to be pretty bored with current offerings to make that leap.


Footprints from 10,000 years ago reveal treacherous trek of traveler, toddler – CNET

An artist's representation of what the treacherous journey might have looked like. (Image: Bournemouth University)

Ancient human footprints found in a dried-up New Mexico lakebed present a remarkably detailed snapshot from more than 10,000 years ago. An adolescent or small adult female carries a young child nearly a mile across muddy terrain frequented by mammoths, giant sloths, saber-toothed cats and dire wolves. Then the traveler turns around and makes the journey back, without the child in tow, perhaps having delivered the toddler to its destination.  

The prints, believed to be the longest known trackway of early-human footprints, tell a dramatic story of danger and perseverance. A new study in the online edition of Quaternary Science Reviews details how the tracks at White Sands National Park were discovered and studied, and what they add to the ichnological (trace fossil) record -- and show us about our Ice Age forebears.  

"This research is important in helping us understand our human ancestors, how they lived, their similarities and differences," said Sally Reynolds, senior lecturer in hominin paleoecology at the UK's Bournemouth University and co-author of the study about the prints. "We can put ourselves in the shoes, or footprints, of this person (and) imagine what it was like to carry a child from arm to arm as we walk across tough terrain surrounded by potentially dangerous animals."

An international team working with staff from the National Park Service found the footprints in a lakebed that contains other prints going back between 11,550 and 13,000 years. As the lakebed dried up, it preserved footprints for thousands of years. 

Smaller prints that appear at points along the shores of the ancient Lake Otero indicate the caregiver occasionally put down the child, believed to be 3 or younger. The prints show the person carrying the child made a return journey along the same path a few hours later, though the shape of the prints suggests the child was no longer in tow. Taken together, the prints tell the story of a taxing journey, but each track offers even more specific details: the pace of the stride, a slip here, a stretch there to avoid a puddle.

"The ground was wet and slick with mud and they were walking at speed, which would have been exhausting," Reynolds and fellow Bournemouth researcher Matthew Robert Bennett write in a piece about the discovery in The Conversation.

Left: Journeys going both ways. Center: A child's prints occasionally appear. Right: A fossilized print of the person, most likely a woman, who carried the child across the muddy terrain of what is now New Mexico. (Image: National Park Service)

White Sands National Park contains a treasure trove of fossilized human and animal footprints. Last year, a team led by Cornell University published a study on using ground-penetrating 3D radar to investigate the movements of mammoths, humans and giant sloths there from 12,000 years ago. One mammoth track showed a human footprint left in the same spot later, giving a rare glimpse into how people and megafauna may have interacted so many years ago.

"We never thought to look under footprints," Thomas Urban of Cornell, who contributed to the 2018 study as well as the new one, said at the time. "But it turns out that the sediment itself has a memory that records the effects of the animal's weight and momentum in a beautiful way. It gives us a way to understand the biomechanics of extinct fauna that we never had before." 
