The internet's screen door strikes again – so get patching

Adobe has emitted software updates to address a critical vulnerability in Flash Player for Windows, Mac, and Linux.

PC owners and admins will want to upgrade their copies of Flash to version or later in order to get the patch – or just dump the damn thing altogether.

The November 20 security update addresses a single flaw, designated CVE-2018-15981. It is a type confusion bug that can be exploited to achieve remote code execution. Basically, an attacker could slip the exploit code into a Flash .swf file, put it on a web page, and covertly install malware on any vulnerable machine that visits the page.

Because Adobe does not maintain a fixed patching schedule for Flash Player, this isn't technically considered an out-of-band band-aid. However, the update does come just one week after Adobe pushed out a handful of fixes for Patch Tuesday, including one for an information disclosure vulnerability in Flash Player.

That Adobe would post another update just one week after their last patch should underscore that CVE-2018-15981 is a serious enough vulnerability to be a priority fix for users and admins.

After installing this latest fix, those who are tired of the constant security threats might also want to consider taking the advice of multiple security experts and developers and at least disable Flash by default if not permanently.

The notoriously vulnerable plugin has long since been surpassed by HTML5, and most major websites have already transitioned away from Flash, leaving it only really useful for specific sites and applications.

Even Adobe wants to kill off Flash. The Photoshop giant has said that by 2020 it plans to formally retire the plugin once and for all. 


Fake cryptocurrency wallets found on Play Store

Attackers are interested not only in mobile banking credentials and credit card information to get access to victims’ funds, but also in cryptocurrency. Recently, I found four fake applications on the Google Play Store that tried to trick users, either by luring out their credentials or by impersonating cryptocurrency wallets. These threats imitate legitimate services for NEO, Tether and MetaMask. I reported these apps to the Google security team and they were promptly removed.


These four apps are divided into two categories. The first is the phishing category, where the malicious app, after launch, requests the user’s private key and wallet password. That is the case for the fake MetaMask app.
The second category is fake wallets. In this category I found three more apps created by the same attacker – NEO Wallet, Tether Wallet.

Fake cryptocurrency wallets do not create a new wallet by generating a public address and private key. These malicious apps only display the attacker’s public address, without giving the user access to the private key. The private key is owned by the bad guy. Once the fake app is launched, the user thinks that the app has already generated his public address, where he can deposit his cryptocurrency. If the user sends his funds to this wallet, he is not able to withdraw them, because he doesn’t own the private key. For this purpose, I created two different accounts; however, in both of them the app assigned me the same public address, including the QR code.


Analysis of fake Cryptocurrency wallets discovered on Google Play Store.

  1. Disclosure of two fake wallets on official App Store
  2. Demonstration of the apps' functionality
  3. Legitimate VS fake wallets
  4. Code analysis
  5. How to stay safe

What concerns me the most is that these fake wallets were created using a Drag-n-Drop app builder service without any coding knowledge required. That means that – once the Bitcoin price rises and starts to make it onto front pages – then literally anyone can “develop” a simple but effective malicious app either to steal credentials or impersonate a cryptocurrency wallet.


How data bundle prices changed over five years

Data bundle pricing has seen volatility over the past few years, with consumers increasingly calling for prices to come down.

A new report from the Independent Communications Authority of South Africa (ICASA) compares bundle price fluctuations from SA's four major operators over the past five years.
ICASA has published its latest "-annual Report on the Analysis of Tariff Notifications", with the latest  to 30 June 2018. The regulator provides analysis of the price trends between 2013 and 2018 for prepaid data bundles, valid for 30 days, for operators MTN, Vodacom, Cell C and Telkom Mobile.

When looking at a 100MB data bundle, the figures reveal pricing was volatile during the period of 2013 to 2017. Vodacom, MTN and Telkom Mobile charged relatively the same rate for 100MB in 2013. However, Cell C charged 50% less when compared to its competitors.

The graph below shows a major spike in 2014 by Vodacom, which increased its 100MB data bundle by 69% from R29 to R49, while its competitors' prices remained constant. Vodacom then dropped this rate back down to R29 in 2015.

MTN increased its 100MB bundle by 20.7%, from R29 to R35 in 2015, making it relatively expensive when compared to Cell C and Telkom Mobile. Now, in 2018, all four operators charge the same rate of R29.

In 2013, Cell C's 500MB data bundle, priced at R75, was the cheapest when compared to Vodacom, MTN and Telkom Mobile, which charged R99, R119 and R95, respectively. In 2014, MTN dropped its 500MB by 16.8% from R119 to R99, at the same time Vodacom raised the price of 500MB by 60.6% from R99 to R159. Cell C's prices remained the cheapest in 2014.

From 2015, Telkom Mobile reduced its price by 27.4% from R95 to R69 and has remained the cheapest in the market to date. Cell C increased its 500MB data bundle by 13.3% from R75 to R85 and Vodacom took its price back down to R99. However, MTN increased its 500MB data bundle by 6.1% from R99 to R105.

In 2018, MTN discontinued its 500MB data bundle in the market, as per the notification filed with ICASA on 11 April. The operator is now instead offering a 600MB bundle at R99, which is 6% lower than the rate of the 500MB data bundle which was priced at R105.

500MB data bundle price trends for 2013 to 2018

The popular 1GB bundle has also seen some major changes over the years. In 2013, Telkom Mobile charged the highest price for a 1GB data bundle, at R180 per 1GB. Vodacom and MTN charged R149 and Cell C's 1GB bundle cost R155.

As with the previous bundles, 2014 saw a price spike from Vodacom, which increased its price by 87.2% from R149 to R279. This price was then dropped by Vodacom in 2015 back to R149 and has remained unchanged since.

In 2015, Telkom dramatically reduced its price by 45%, from R180 to R99, and it remained unchanged until 2018, when the price increased by R1 to R100. Vodacom, MTN and Cell C all charge R149 for a 1GB data bundle in 2018.

1GB data bundle price trends for 2013 to 2018

When getting into the higher GB bundles, Telkom Mobile had by far the highest prices on specific bundles five years ago, whereas today it is considered the cheapest mobile operator by most.

MTN had the cheapest 2GB data bundle, charging R245 in 2013, followed by Vodacom at R249. Cell C and Telkom Mobile had the most expensive 2GB data bundle prices, charging R310 and R349, respectively.

In 2014, Telkom's price dropped radically and it has been charging the cheapest price for a 2GB data bundle since then. In 2014, Cell C also dropped its price to R249, where it has stayed since. Vodacom's price has remained constant over the five years at R249.

ICASA says from 2015 to 2018, 2GB data bundle prices remained relatively stable. In 2018, MTN revised its pricing strategy by discontinuing the 2GB bundle and replaced it with a 1.5GB bundle charged at R189. MTN stated the discontinuation of the 2GB data bundle "was due to commercial reasons".

2GB prepaid data bundle prices over five years

When it comes to 3GB data bundles, all four operators have kept their pricing the same over a period of five years.

The below graph shows the operators with the smaller market share were the cheapest when compared to the bigger operators.

For 3GB, MTN has been the most expensive over the five years, charging R330 for a bundle; Vodacom and Cell C have been charging R299 since 2013; and Telkom has been charging R199.

3GB data bundle prices 2014 vs 2018 period

The 5GB bundle prices show the most dramatic changes when it comes to Telkom Mobile's pricing. In 2013, Telkom charged a whopping R819 for 5GB of data. In 2015, Telkom decreased this drastically to R299.

ICASA says "the action was observed as Telkom Mobile's strategy to attract customers and increase its market share". The price for 5GB on Telkom's network has remained unchanged since.

MTN, Vodacom and Cell C's prices were stable over the period at R430, R399 and R399, respectively.

5GB data bundle prices trends 2013 to 2018

The price trend of Vodacom and Telkom Mobile's 10GB data bundles remained unchanged over a four-year period, at R599 and R499, respectively.

MTN's 10GB data bundle, however, has been declining since 2016 and is currently the lowest at R405. Cell C increased its 10GB data bundle prices by 9.1% from R549 to R599 between 2016 and 2018.

10GB data bundle over a period of four years

In 2015, MTN's 20GB data bundle was the most expensive at R1 250, followed by Cell C, which charged R1 099 and Vodacom at R999. Telkom Mobile had the cheapest bundle offering at R899.

However, MTN reduced its 20GB data bundle by 28.1% from R1 250 in 2017 to R899 in 2018. Cell C also revised its pricing strategy by reducing its 20GB data bundle from R1 099 to R799 in 2017. Telkom's price came down from R899 in 2017 to R599 in 2018. Vodacom's 20GB data bundle price has remained unchanged at R999 since 2015.

20GB data bundle price for the period 2015 to 2018



Somebody got a little trigger happy with the big red Windows Update button last week as a broken Intel audio driver was unleashed on users “by mistake”.

It has been a hellish couple of weeks for the Windows giant following the launch of the troubled October update for its flagship operating system. Not content with Display Audio issues, mysterious file deletions and borking HP computers thanks to a “known incompatibility” with drivers for an obscure bit of hardware (aka the “keyboard”), it seems audio is next in the firing line.

The issue was an updated driver, taking the Intel Audio Controller to version, which left some users shouting on social media while their PCs remained stubbornly silent.

As a sad-faced engineer in a high-visibility vest reset the “days without a Windows Update incident” clock back to zero, Microsoft rapidly pulled the update to work out what was happening.

According to the software giant, the Intel driver was “incorrectly pushed to devices via Windows Update” and advice was published on manually rolling back the borked update.

Microsoft pushed out an update to fix the broken update for versions 1709, 1803 and 1809 of Windows 10 over the weekend in the form of KB4468550. Some users, however, may believe that letting the Windows Update bull loose in their OS china shop to glue back together what it broke last time may be a step too far.

Microsoft is to be commended for its swift action in identifying and dealing with the problem. This does not, however, excuse the pushing out of code via Windows Update that, once again, left a portion of users with broken computers. We’ve contacted Microsoft to find out how this driver found its way into the update package and will update when we get a response.


'Do Not Track,' the Privacy Tool Used by Millions of People, Doesn't Do Anything

When you go into the privacy settings on your browser, there’s a little option there to turn on the “Do Not Track” function, which will send an invisible request on your behalf to all the websites you visit telling them not to track you. A reasonable person might think that enabling it will stop a porn site from keeping track of what she watches, or keep Facebook from collecting the addresses of all the places she visits on the internet, or prevent third-party trackers she’s never heard of from following her from site to site. According to a recent survey by Forrester Research, a quarter of American adults use “Do Not Track” to protect their privacy. (Our own stats at Gizmodo Media Group show that 9% of visitors have it turned on.) We’ve got bad news for those millions of privacy-minded people, though: “Do Not Track” is like spray-on sunscreen, a product that makes you feel safe while doing little to actually protect you.

“Do Not Track,” as it was first imagined a decade ago by consumer advocates, was going to be a “Do Not Call” list for the internet, helping to free people from annoying targeted ads and creepy data collection. But only a handful of sites respect the request, the most prominent of which are Pinterest and Medium. (Pinterest won’t use offsite data to target ads to a visitor who’s elected not to be tracked, while Medium won’t send their data to third parties.) The vast majority of sites, including this one, ignore it.

Screenshot: Do Not Track option on various browsers (From top to bottom: Firefox, Safari, Chrome, Brave)

Yahoo and Twitter initially said they would respect it, only to later abandon it. The most popular sites on the internet, from Google and Facebook to Pornhub and xHamster, never honored it in the first place. Facebook says that while it doesn’t respect DNT, it does “provide multiple ways for people to control how we use their data for advertising.” (That is of course only true so far as it goes, as there’s some data about themselves users can’t access.) From the department of irony, Google’s Chrome browser offers users the ability to turn off tracking, but Google itself doesn’t honor the request, a fact Google added to its support page some time in the last year. A Google spokesperson says Chrome lets users “control their cookies” and that they can also “opt out of personalized ads via Ad Settings and the AdChoices industry program” which results in a user not having “ads targeted based on inferred interests, and their user identifier will be redacted from the real-time bid request.”

There are other options for people bothered by invasive ads, such as an obscure opt-out offered by an alliance of online advertising companies, but that only stops advertising companies from targeting you based on what they know about you, not from collecting information about you as you browse the web, and if a person who opts out clears their cookies—a good periodic privacy practice—it clears the opt-outs too, which is why technologists suggested the DNT signal as an easier, clearer way of stopping tracking online.

“It is, in many respects, a failed experiment,” said Jonathan Mayer, an assistant computer science professor at Princeton University. “There’s a question of whether it’s time to declare failure, move on, and withdraw the feature from web browsers.”

That’s a big deal coming from Mayer: He spent four years of his life helping to bring Do Not Track into existence in the first place.

Why do we have this meaningless option in browsers? The main reason why Do Not Track, or DNT, as insiders call it, became a useless tool is that the government refused to step in and give it any kind of legal authority. If a telemarketer violates the Do Not Call list, they can be fined up to $16,000 per violation. There is no penalty for ignoring Do Not Track.

Percentage of visitors to Gizmodo Media Group’s sites whose browsers are requesting they not be tracked

In 2010, the Federal Trade Commission endorsed the idea of Do Not Track, but rather than mandating its creation, the Obama administration encouraged industry to figure out how it should work via a “multistakeholder process” that was overseen by W3C, an international non-governmental organization that develops technical standards for the web. It wound up being an absolutely terrible idea.

Technologists quickly came up with the code necessary to say “Don’t track me,” by having the browser send out a “DNT:1” signal along with other metadata, such as what machine the browser is using and what font is being displayed. It was a tool similar to “robots.txt,” which can be inserted into the HTML of a web page to tell search engines not to index that page so it won’t show up in search results. The “stakeholders” involved in the DNT standard-setting process—mainly privacy advocates, technologists, and online advertisers—couldn’t, though, come to an agreement about what a website should actually do in response to the request. (The W3C did come up with a recommendation about what websites and third parties should do when a browser sends the signal—namely, don’t collect their personal data, or de-identify it if you have to—but the people that do the data collection never accepted it as a standard.)

“Do Not Track could have succeeded only if there had been some incentive for the ad tech industry to reach a consensus with privacy advocates and other stakeholders—some reason why a failure to reach a negotiated agreement would be a worse outcome for the industry,” said Arvind Narayanan, a professor at Princeton University who was one of the technologists at the table. “Around 2011, the threat of federal legislation brought them to the negotiating table. But gradually, that threat disappeared. The prolonged negotiations, in fact, proved useful to the industry to create the illusion of a voluntary self-regulatory process, seemingly preempting the need for regulation.”

The biggest obstacle was advertisers who didn’t want to give up delicious data and revenue streams; they insisted that DNT would “kill online growth” and stymied the process. (You can chart the death of Do Not Track by the declining number of emails sent around on the W3C list-serv.) By the time the debate was winding down at the end of 2013, it wasn’t even about not tracking people, just not targeting them, meaning trackers could still collect the data but couldn’t use it to show people intrusive ads based on what they’d collected. The inability to reach a compromise on what DNT should be led sites like Reddit to declare “there is no accepted standard for how a website should respond to [the Do Not Track] signal, [so] we do not take any action in response to this signal.”

To demonstrate their theoretical support for DNT—or from a more skeptical perspective, to garner some positive press—Google, Microsoft, Apple, Mozilla, and others started offering the “Do Not Track” option in their respective browsers, but absent a consensus around the actions required in response to the DNT:1 signal, these browsers are just screaming for privacy into a void.

“It’s really sad that companies are not listening to their users and put weak and misleading pretexts to not respect their choice of privacy,” said Andrés Arrieta, tech projects manager at the Electronic Frontier Foundation, who attempted in 2017 to breathe life back into Do Not Track by establishing a new standard for what websites should do when they see someone send the DNT:1 signal. (Everyone ignored it.)

“It would have been better for the web if DNT had worked. It was the polite option: Users could signal their preferences and websites would honor those preferences,” said Mayer by phone. “The alternative is the non-polite option of ad-blocking and cookie blocking, which is the way the conversation is now moving. In a world without DNT, ad-blocking has taken off.”

Every year, more people turn on adblockers, much to websites’ chagrin, causing publishers to institute paywalls and use pop-up requests to beg people to turn the blockers off. (You can see the latter by browsing our sites here at Gizmodo Media Group). Apple and Mozilla are both building tools into their browsers to block third-party tracking; in Firefox’s case, it will be by default.

Dennis Buchheim, a senior vice president at online advertising group IAB’s Tech Lab, said in a statement that DNT, as designed, was too blunt an instrument and didn’t allow users to “exempt their trusted sites, effectively limiting users to all-or-nothing.” He calls Apple’s and Mozilla’s new anti-tracking offerings “a poor but logical evolution of the intentions of DNT” and hopes for a more “collaborative approach” that involves users telling sites one-by-one what tracking they’re willing to allow.

Meanwhile, tracking is becoming even more intrusive and spilling over into the real world, with phones emitting ultrasonic sounds and Google tracking Android users’ locations despite their stated preferences. By not giving people a real choice about whether they are willing to be tracked, the internet remains locked in an arms race over privacy, with new tools and methods constantly being created to try to subvert the desires of the party on the other side of the data divide. Meanwhile, lawmakers in D.C. continue their decades of empty talk about passing a federal privacy law to regulate online data-brokering. If they finally succeed this year, the primary motivation is to overrule a robust privacy law recently passed in California, which is not the purest of motives.

Given that most people involved see Do Not Track as a failed experiment, what do we do with it now? At least one browser is considering getting rid of the option.

“Mozilla has been a strong supporter of the DNT concept but is disappointed by the low rate of adoption across the industry,” said Firefox product lead Peter Dolanjski in a statement sent via email. “That is why we have announced plans for a stronger set of default protections that do not depend on sites independently deciding whether to respect user intent. We will be evaluating what to do with the DNT setting as we implement these protections.”

Many of the technologists and privacy advocates who pushed for the Do Not Track option a decade ago admit that the setting could give users a false expectation of privacy, but they remain stubbornly attached to it.

“The flag gives websites a strong signal of the demand for privacy from their users,” said Narayanan by email.

Some think “Do Not Track” shouldn’t be abandoned because of the hope that it might one day finally be empowered to actually do something.

“We have seen strong Do Not Track adoption by users, rather than by companies, with millions of users’ privacy requests ignored,” said Aleecia McDonald, an assistant professor at Carnegie Mellon University, who helped oversee the DNT process. “The push for privacy in Europe could use Do Not Track as a technical mechanism, as could California’s new Consumer Privacy law.”

In other words, we have a tool that works for telling the internet that a person wants privacy. The problem is that the companies that dominate the internet are, for the most part, plugging their ears and saying, “Nah, nah, nah, nah, I don’t hear you, nah, nah, nah, nah, I don’t hear you,” and will continue to do so until the government forces them to take their fingers out of their ears.

Gabe Weinberg, the founder of the private search engine DuckDuckGo, which doesn’t track any of its users, may have framed it best. He thinks that unless a federal law that “gives some real regulatory teeth to Do Not Track” passes, the option “should be removed from all browsers because it is otherwise misleading, giving people a false sense of security.”

Until that happens, please know that if you turn on “Do Not Track,” it’s not doing anything to protect you unless you’re surfing Pinterest or reading Medium while logged out. It’s one thing to tell someone you want to be left alone, and another to get them to care.
