Facebook Nears Ad-only Business Model as Game Revenue Falls

Facebook’s growth into a digital advertising power is showing a flip side: The social network is more dependent than ever on the cyclical ad market, even as its rival Google finds new revenue streams in hardware and software.

Facebook reported on Wednesday that 98 percent of its quarterly revenue came from advertising, up from 97 percent a year earlier and 84 percent in 2012. Revenue from non-advertising sources fell to $175 million in the quarter, from $181 million a year earlier.

Facebook has warned for some time about declining non-ad revenue. That part of its business consists almost entirely of video game players on desktop computers buying virtual currency, and it has fallen as gaming has moved to smartphones.

Facebook takes 30 percent of purchases, with the balance going to companies such as Zynga, maker of the game Farmville.

The company’s dependence on advertising is a long-term concern but it has time to find other revenue while building its core ad business, said Clement Thibault, a senior analyst at Investing.com.

“We have to remember it’s still a fairly young business. It’s not like they’re an old-fashioned business that needs to move soon,” he said.

A Facebook spokeswoman declined to comment.

Facebook’s share price hit an all-time high of $153.60 on Tuesday before dipping to close at $150.85 on Thursday.

The lack of diversification stands in contrast to Google, a unit of Alphabet. Its non-advertising revenue, from sources such as cloud services and Pixel smartphones, posted a 49.4 percent jump to $3.1 billion in the most recent quarter and now represents 13 percent of Google’s total revenue, up from 10 percent a year earlier.

Facebook Chief Operating Officer Sheryl Sandberg said during a conference call in February that the company was diversifying revenue by expanding its base of advertisers across geographic regions and industries.

Facebook’s non-advertising products, such as its Oculus virtual reality headset and the Workplace office software, currently generate little revenue.

Some companies diversify through acquisitions, but most of Facebook’s purchases such as Instagram and WhatsApp have been in adjacent markets.

Chief Financial Officer David Wehner said in a conference call for investors on Wednesday that Facebook was not breaking out Instagram revenue as a separate line in financial reports because Instagram ads are sold through the same interface as Facebook ads.

Facebook, Twitter, Google Sued Over San Bernardino Attack

Family members of San Bernardino terror attack victims sued Facebook, Google and Twitter, accusing the companies of providing platforms that help the Islamic State group spread propaganda, recruit followers and raise money.

The lawsuit filed Wednesday in federal court in Los Angeles alleges that the companies aided and abetted terrorism, provided material support to terrorist groups, and are liable for the wrongful deaths of three of the 14 victims killed in the Dec. 2, 2015, attack on a health department training event and holiday party.

Syed Rizwan Farook and Tashfeen Malik, the husband-and-wife shooters who carried out the attack with high-powered rifles, were inspired by the Islamic State group, authorities said. Malik had pledged her allegiance to the group on her Facebook page around the time of the shooting, which also wounded 22 people.

The lawsuit mirrors claims targeting social media providers in courts around the country for deaths in attacks abroad and at home. The same lawyers have sued the same companies for the 2016 massacre at the Pulse nightclub in Orlando, Florida.

Some of those lawsuits have been dismissed because federal law shields online providers from responsibility for content posted by users.

Facebook said it sympathizes with the victims and their families and that it quickly removes content by terrorist groups when it’s reported.

“There is no place on Facebook for groups that engage in terrorist activity or for content that expresses support for such activity,” the company said in a statement.

Google and Twitter didn’t immediately respond to requests for comment.

The lawsuit claims the companies don’t do enough to block or remove accounts by the Islamic State group and they profit from ads placed next to IS postings. It also says Google shares revenue with the group.

“Without defendants Twitter, Facebook, and Google [YouTube], the explosive growth of ISIS over the last few years into the most feared terrorist group in the world would not have been possible,” the lawsuit said, using an acronym for Islamic State.

The suit filed by relatives of Sierra Clayborn, Tin Nguyen, and Nicholas Thalasinos seeks unspecified monetary damages.

SpaceX to Launch Internet-providing Satellites

Elon Musk’s SpaceX says it will begin launching Internet-providing satellites in 2019.

The move was announced Wednesday by SpaceX vice president of satellite and government affairs, Patricia Cooper, in testimony before the Senate Committee on Commerce, Science and Transportation.

She said the company eventually plans to field 4,425 small satellites into low Earth orbit by 2024 using the company’s partially reusable Falcon 9 rockets.

“SpaceX intends to launch the system onboard our Falcon 9 rocket, leveraging significant launch cost savings afforded by the first stage reusability now demonstrated with the vehicle,” Cooper said, adding the company will field two prototype satellites by the end of 2017 and in early 2018.

Internet access via satellites can be slow, but Cooper said technological advances will make SpaceX able to offer speeds comparable to terrestrial providers.

The company says Internet speed in the U.S. lags behind other developed countries. Furthermore, rural areas are not served by standard broadband providers. The company’s “constellation” of satellites could deliver high speeds without cables.

Cooper added that space-based Internet avoids some of the pitfalls for terrestrial providers.

“In other words, the common challenges associated with siting, digging trenches, laying fiber and dealing with property rights are materially alleviated through a space-based broadband network,” Cooper said.

WhatsApp Back in Service After Global Outage

WhatsApp, a popular messaging service owned by Facebook Inc., suffered a widespread global outage Wednesday that lasted for several hours before being resolved, the company said.

“Earlier today, WhatsApp users in all parts of the world were unable to access WhatsApp for a few hours. We have now fixed the issue and apologize for the inconvenience,” WhatsApp said in an email late Wednesday afternoon.

WhatsApp was down in parts of India, Canada, the United States and Brazil, according to Reuters journalists. It affected people who use the service on Apple Inc’s iOS operating system, Alphabet Inc.’s Android and Microsoft Corp.’s Windows mobile OS.

WhatsApp is used by more than 1.2 billion people around the world and is a key tool for communications and commerce in many countries. The service was acquired by Facebook in 2014 for $19 billion.

Don’t Click That Link: Google Docs Ruse an Example of ‘Future of Phishing’

Alphabet Inc. warned its users to beware of emails from known contacts asking them to click on a link to Google Docs after a large number of people turned to social media to complain that their accounts had been hacked.

Google said Wednesday that it had taken steps to protect users from the attacks by disabling offending accounts and removing malicious pages.

The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information, by gaining access to user accounts without needing to obtain their passwords. The attackers did that by getting a logged-in user to grant access to a malicious application posing as Google Docs.

No malware needed

“This is the future of phishing,” said Aaron Higbee, chief technology officer at PhishMe Inc. “It gets attackers to their goal … without having to go through the pain of putting malware on a device.”

He said the hackers had also pointed some users to another site, since taken down, that sought to capture their passwords. Google said its abuse team “is working to prevent this kind of spoofing from happening again.”

Anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents, according to security experts who reviewed the scheme.

Someone else controls your accounts

“This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party,” said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.

Cappos said he received seven of those malicious emails in three hours Wednesday afternoon, an indication that the hackers were using an automated system to perpetuate the attacks.

He said he did not know the objective, but noted that compromised accounts could be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.

Facebook to Hire 3,000 to Stop Violent Videos

In the wake of several Facebook videos depicting murder, suicide, rape and other violent acts, the social media giant says it is hiring 3,000 more people to review videos and remove those that violate its terms of service.

The company has been facing increased pressure to stop people from posting and sharing violent videos.

According to Facebook’s terms of service, violent videos are not allowed, but as recent events have shown, it can take the company some time to review and remove them.

The announcement to add staff to the already 4,500 who review videos was made Wednesday on Mark Zuckerberg’s Facebook page.

Facebook’s founder and CEO wrote, “Over the last few weeks, we have seen people hurting themselves and others on Facebook – either live or in video posted later. It is heartbreaking, and I have been reflecting on how we can do better for our community.”

“These reviewers will also help us get better at removing things we don’t allow on Facebook like hate speech and child exploitation,” Zuckerberg wrote. “And we’ll keep working with local community groups and law enforcement who are in the best position to help someone if they need it – either because they’re about to harm themselves, or because they’re in danger from someone else.”

In addition to more staff, Zuckerberg said the company was going to enhance its software to keep violent videos off the site.

“We’re going to make it simpler to report problems to us, faster for our reviewers to determine which posts violate our standards and easier for them to contact law enforcement if someone needs help,” he wrote, adding the company had recently acted on a report of someone considering suicide on Facebook, preventing them from going through with it.

Privacy Group Sues NYPD Over Facial-recognition Documents

A privacy group sued the New York Police Department on Tuesday to demand the release of documents related to its use of facial-recognition technology, which rights groups have criticized as discriminatory and lacking in proper oversight.

The lawsuit is the latest attempt to compel U.S. law enforcement agencies to disclose more about how they rely on searchable facial-recognition databases in criminal investigations.

NYPD has previously produced one document in response to a January 2016 freedom of information request, despite evidence it has frequently used an advanced face-recognition system for more than five years, according to the Center for Privacy & Technology at Georgetown University law school, which filed the suit in New York state court.

“The department’s claim that it cannot find any records about its use of the technology is deeply troubling,” said David Vladeck, the privacy group’s faculty director. He added that an absence of responsive documents, such as contract and purchasing documents, training materials or audits, would be an indication the police force did not possess controls governing its use of facial-recognition software.

NYPD could not be immediately reached for comment on the suit.

Facial-recognition databases are used by police to help identify possible criminal suspects. They typically work by conducting searches of vast troves of known images, such as mug shots, and algorithmically comparing them with other images, such as those taken from a store’s surveillance cameras, that capture an unidentified person believed to be committing a crime.

But the technology has come under increased scrutiny in recent years amid fears that it may lack accuracy, lead to false positives and perpetuate racial bias.

Democratic and Republican lawmakers expressed consternation at the secrecy surrounding facial-recognition technology during a U.S. House Oversight Committee hearing in March.

The Center for Privacy & Technology released a report last year concluding half of America’s adults have their images stored in at least one searchable facial-recognition database used by local, state and federal authorities.

The study, titled “Perpetual Line-Up,” found that states rely on mug shots, driver’s license photos, or both in assembling their databases, and that images are often shared with the Federal Bureau of Investigation.

The U.S. Government Accountability Office estimated last year that more than 400 million facial pictures of Americans were stored in databases kept by law enforcement agencies.

Twitter and Bloomberg to Stream News

Twitter and Bloomberg news are teaming up to launch a 24-hour streaming news channel.

In response to a story in the Wall Street Journal about the partnership, Bloomberg Media’s top executive tweeted confirmation of the news.

“We’ll have a lot more to say about this exciting new partnership at Bloomberg Media’s NewFronts on Monday,” tweeted Justin Smith, referring to a meeting the company is holding.

The Journal said Bloomberg would create exclusive content for the streaming channel, but that it would be separate from the company’s television channel.

Twitter did not provide any comment on the story due to an official announcement planned for later Monday.

For Twitter, the deal could help restore user growth which has been slow compared to other social media sites.

The 10-year-old Twitter has never made a profit, and despite tweaks to the format, has only seen modest growth in users. Twitter recently reduced staff and an attempt to sell the company failed. The partnership with Bloomberg could attract more users beyond the core of politicians, journalists and celebrities.

Last week the company gave its quarterly results, which saw another drop in revenue despite seeing a 14 percent spike in users to 328 million. The company said its loss of $62 million was better than last year, which saw the company lose $80 million.

Facebook Sought to Target Troubled Teens with Ads

Facebook appears to have targeted vulnerable young people for advertising purposes, according to a report from Australia.

According to The Australian newspaper, which obtained documents about the targeting of young people from Facebook’s Australian office, the company was seeking ways to exploit the feelings of kids as young as 14 to serve up ads to them.

The documents, which were marked as confidential, show how the social media giant could monitor posts from youth to try to figure out how they were feeling. According to the newspaper, these included words like “defeated,” “overwhelmed,” “stressed,” “anxious,” “nervous,” “stupid,” “silly,” “useless” and “failure.”

The so-called sentiment analysis could then be used to target vulnerable kids with advertising based on their perceived mood. The idea was only to be used on young people in Australia and New Zealand.

For example, if a young person was feeling “defeated” because of being overweight, Facebook could show that person an advertisement for an exercise program or workout machine.

“The data on which this research is based was aggregated and presented consistent with applicable privacy and legal protections, including the removal of any personally identifiable information,” Facebook said in a statement to the newspaper.

This is not the first time Facebook has looked at sentiment analysis. The company was harshly criticized in 2012 when it conducted an experiment on nearly 700,000 users, without their knowledge, to see if the company could influence them through positive or negative posts in their newsfeeds.

Neither case appears to be in violation of the company’s Data Use Policy, which says the company “may use the information we receive about you … for internal operations, including troubleshooting, data analysis, testing, research and service improvement.”

EV Manufacturers Expect Surge in Demand

Despite lingering anxiety over their range, interest in electric cars is rising, especially in industrialized countries. Manufacturers say they are improving the mileage by building more charging stations, but the industry is still waiting for a major breakthrough in battery technology. VOA’s George Putic reports.

IT Workers, Companies Cautious on H1B Visa Program Review

During a recent visit to Wisconsin, President Donald Trump announced he was signing an Executive Order reviewing the visa program that brings many technical workers to the United States, known as the H1B visa. About 85,000 workers come to the United States annually using an H1B visa. More from VOA’s Kane Farabaugh.

Strato-glider to Explore Little-known Mountain Waves

Later this year, two pilots in a sailplane will try to break the world altitude record for a glider, soaring more than 27 kilometers above sea level. But their primary mission will be to explore the little-known phenomenon called “mountain waves” and to carry a number of experiments designed by school students. VOA’s George Putic reports.

Beyond ‘Fake News:’ Facebook Fights ‘Information Operations’

Facebook is acknowledging that governments or other malicious non-state actors are using its social network to sway political sentiment, including elections.

That’s a long way from CEO Mark Zuckerberg’s assertion in November that the idea that bogus information on Facebook influenced the U.S. presidential election was “pretty crazy.” It also illustrates how the world’s biggest social network has been forced to grapple with its outsized role in how the world communicates, for better or for worse.

In an online posting Thursday, the company said that it would monitor efforts to disrupt “civic discourse” on Facebook. It is also looking to identify fake accounts, and says that it will warn people if their accounts have been targeted by cyber-attackers.

Apple Cuts Off Payments, Qualcomm Slashes Expectations

Qualcomm slashed its profit expectations Friday by as much as a third after saying that Apple is refusing to pay royalties on technology used in the iPhone.

Its shares hit a low for 2017.

Apple Inc. sued Qualcomm earlier this year, saying that the San Diego chipmaker has abused its control over essential technology and charged excessive licensing fees. Qualcomm said Friday that Apple now says it won’t pay any fees until the dispute is resolved. Apple confirmed Friday that it has suspended payments until the court can determine what is owed.

“We’ve been trying to reach a licensing agreement with Qualcomm for more than five years but they have refused to negotiate fair terms,” Apple said. “As we’ve said before, Qualcomm’s demands are unreasonable and they have been charging higher rates based on our innovation, not their own.”

Qualcomm said it will continue to vigorously defend itself in order to “receive fair value for our technological contributions to the industry.”

But the effect on Qualcomm, whose shares have already slid 15 percent since the lawsuit was filed by Apple in January, was immediate.

Qualcomm now expects earnings per share between 75 and 85 cents for the April to June quarter. Its previous forecast was for earnings per share between 90 cents and $1.15.

Revenue is now expected to be between $4.8 billion and $5.6 billion, down from its previous forecast between $5.3 billion and $6.1 billion.

Shares of Qualcomm Inc. tumbled almost 4 percent at the opening bell to $51.22.

Driverless Apple Car Spotted in Silicon Valley

Just weeks after receiving official approval, an Apple self-driving car has been seen making its way through the streets of Silicon Valley.

The Lexus fitted with various sensors is the latest entrant in the quest to make driverless cars commercially viable. Apple, a late comer, likely will face fierce competition from Google’s Waymo, which has carried out millions of miles of road testing, and Uber, which has been testing autonomous cars for months.

Apple’s initiative, officially called Project Titan, is driven by hardware developed by Velodyne Lidar, while Apple is expected to develop the software.

Based on documents obtained by Business Insider, Apple’s cars sound very much like other self-driving cars. The cars are “capable of sending electronic commands for steering, accelerating, and decelerating and may carry out portions of the dynamic driving task,” according to the documents.

As with other driverless cars, humans are still present and can override the self-driving mode at any time.

Despite being somewhat late to the game, Apple may find an opening in the way of a potentially lengthy legal battle between Waymo and Uber, with Waymo alleging that Uber stole its trade secrets.

On Thursday, Uber executive Anthony Levandowski recused himself from work on driverless cars in the wake of the lawsuit, which alleges he stole intellectual property while employed at Google.

Robot Takes Recovering Child to Her Seat in Class

“I would like for you to have a pencil out on your desk,” fifth-grade teacher Mary Fucella said to her reading class at Point Pleasant Elementary School in Glen Burnie, Maryland. A kilometer and a half away, in a pink bedroom, Cloe Gray pulled a pencil out, too, and listened.

Cloe, 11, is at home, recuperating from leg surgery. For the first month after the operation, a home tutor visited her. But the precocious child grew withdrawn and didn’t want to leave her bed. She missed routine. She missed her friends. She missed real school.

“You could tell she wasn’t happy,” said Rob Gray, Cloe’s dad.

The Anne Arundel County school system in Maryland had a cure. Cloe now attends class virtually through a $3,000 robot. Hers, which she named Clo-Bot, was donated by the local Rotary Club. Since she began using it, the learning hasn’t stopped.

Clo-Bot is basically an iPad attached to a pole on wheels. Cloe uses the keyboard on her home computer to remotely control the device, rolling it into and out of the classroom. She speaks through a headset and is heard through the iPad. When the class breaks up into small groups, one classmate holds materials up to the iPad, and Cloe contributes to the project.

Fucella said Cloe was a little shy at first about “raising” Clo-Bot’s hand, “but now I feel like it’s just like having the normal Cloe in the classroom.”

To answer a question, Cloe clicks on a slider, and the iPad raises to the teacher’s eye level. Cloe said the robot had given her confidence to participate. “I’ll try it and I’ll get it right,” she said. “Woo-hoo! Personal victory!”

The Anne Arundel schools have six of the robots. Patrick Malone of the district’s Office of Instructional Technology said he and his colleagues had been stunned at their effectiveness.

“Every kid that uses this technology starts to smile again,” Malone said. “They start to feel like a regular kid again, and I cannot put a price on that.”

Devices like Clo-Bot are the brainchild of Double Robotics, a privately held technology company in Burlingame, California.

The telepresence robot can be used for business or education, anywhere people need a physical presence. Double Robotics co-founder and CEO David Cann said he understood the importance of school attendance, educationally and socially, and that it was humbling “to be able to provide a way for all students to attend school, no matter their situation.”

Double Robotics has 300 of its robots in the United States, with 25 others placed in education facilities in China, Japan, Australia and Canada.

When it’s lunchtime at Point Pleasant, Cloe’s best friend, Kyla Jones, walks with Clo-Bot to the lunchroom. The sight of a fifth-grader walking with an iPad rolling beside her seems like a scene from a science fiction movie.

“At first it was kind of weird because it was Cloe, but not really Cloe,” Kyla said. But now, it’s natural for the two to discuss, well, whatever fifth-graders discuss. On a recent day, the topic was flip-flops.

Cloe uses the device’s 150-degree wide-angle lens to look down as she maneuvers the robot beside the cafeteria table. Cloe’s dad delivers her lunch to her desk at home, and classmates start joining Clo-Bot at the lunch table.

Cloe said it’s sometimes nerve-racking to enter the lunchroom. “Everyone’s like, ‘Hi, Cloe!’ ‘Bye, Cloe!’ ” she said.

Clo-Bot waits until school is over to get its energy. Cloe maneuvers it to a charging station, where it sits until the bell rings the next morning. Then Cloe will happily drive her virtual self back to Ms. Fucella’s class.

Robot Takes Sick Child to Class

Think back to grade school. If you were sick, you stayed home. If you had a serious illness, you’d miss weeks, or even months of classes. Technology could change all this, with a robot attending school in place of the sick child. VOA’s Carolyn Presutti introduces us to a Baltimore girl who is homebound no more.

Most US Teens Have Taken Social Media Break, Poll Finds

The common stereotype has teens glued to their phones 24-7. But nearly 60 percent of teens in the U.S. have actually taken a break from social media – the bulk of them voluntarily, a new survey found.

The poll, from The Associated Press-NORC Center for Public Affairs Research, surveyed teens aged 13 to 17 and found that most value the feeling of connection with friends and family that social media provides. A much smaller number associate it with negative emotions, such as being overwhelmed or needing to always show their best selves.

The survey, released Thursday, found that teens’ social media breaks are typically a week or longer, and that boys are more likely to take longer breaks.

Teens were allowed to cite multiple reasons for their breaks. Nearly two-thirds of teens who took a break cited at least one voluntary reason. Amanda Lenhart, the lead researcher and an expert on young people and technology use, said she was surprised by this, as it counters the broader narrative that teens are “handcuffed” to their social media profiles.

Today’s teenagers might not recall a time before social media. MySpace was founded in 2003. Had it survived, it would be 14 years old today. Facebook is a year younger. Instagram launched in 2010. For an adult to understand what it might be like for someone who grew up with it to step back from social media, consider disconnecting from email – or your phone – for a couple of weeks.

Among the teens who took voluntary breaks, 38 percent did so because social media was getting in the way of work or school. Nearly a quarter said they were tired of “the conflict and drama” and 20 percent said they were tired of having to keep up with what’s going on.

Nearly half of teens who took a break did so involuntarily. This included 38 percent who said their parents took away their phone or computer and 17 percent who said their phone was lost, broken or stolen.

The involuntary break “is sort of its own challenge,” Lenhart said. “They feel that they are missing out, detached from important social relationships (as well as) news and information.”

About 35 percent of teens surveyed said they have not taken a break, citing such worries as missing out and being disconnected from friends. Some said they need social media for school or extracurricular activities.

“I like to see what my friends and family are up to,” said Lukas Goodwin, 14, who uses Instagram and Snapchat every day. He said he took a break from Instagram “a few years ago” but not recently. Now, he says, “I wouldn’t want to take a break from them.”

Among the survey’s other findings:

– Lower income teens were more likely to take social media breaks than their wealthier counterparts, and their breaks tended to last longer. The study points out that educators who use social media in the classroom need to understand that not every teen is online and connected all the time.

– Boys were more likely to feel overloaded with information on social media, while girls were more likely to feel they always have to show the best version of themselves.

– Teens who took breaks typically did so across the board, checking out of Facebook, Snapchat and all other services all at once. And they were no more or less likely to take breaks from social media based on the type of services they use.

– Although they felt relief and were happy to be away from social media for a while, most teens said things went back to how they were before once they returned to social media.

The AP-NORC poll was conducted online and by phone from Dec. 7 to 31. A sample of parents with teenage children was drawn from a probability-based panel of NORC at the University of Chicago. Parents then gave permission for their children to be interviewed. The panel, AmeriSpeak, is designed to be representative of the U.S. population. The margin of sampling error for all respondents is plus or minus 4.6 percentage points.

Hackers Exploited Word Flaw for Months While Microsoft Investigated

To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.

The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft’s regular monthly security update.

But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time.

Google’s security researchers, for example, give vendors just 90 days’ warning before publishing flaws they find.

Microsoft Corp. declined to say how long it usually takes to patch a flaw.

While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine.

And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.

Those conclusions and other details emerged from interviews with researchers at cyber security firms who studied the events and analyzed versions of the attack code.

Microsoft confirmed the sequence of events.

The tale began last July, when Ryan Hanson, a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc. in Boise, found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer.

Combining flaws

Hanson spent some months combining his find with other flaws to make it more deadly, he said on Twitter. Then in October he told Microsoft. The company often pays a modest bounty of a few thousand dollars for the identification of security risks.

Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged. But it was not that simple. A quick change in the settings on Word by customers would do the trick, but if Microsoft notified customers about the bug and the recommended changes, it would also be telling hackers about how to break in.

Alternatively, Microsoft could have created a patch that would be distributed as part of its monthly software updates.

But the company did not patch immediately and instead dug deeper. It was not aware that anyone was using Hanson’s method, and it wanted to be sure it had a comprehensive solution.

“We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported,” Microsoft said through a spokesman, who answered emailed questions on the condition of anonymity. “This was a complex investigation.”

Hanson declined interview requests.

The saga shows that Microsoft’s progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically.

The United States has accused Russia of hacking political party emails to interfere in the 2016 presidential election, a charge Russia denies, while shadowy hacker groups opposed to the U.S. government have been publishing hacking tools used by the Central Intelligence Agency and National Security Agency.

Attacks begin

It is unclear how the unknown hackers initially found Hanson’s bug. It could have been through simultaneous discovery, a leak in the patching process, or even hacking against Optiv or Microsoft.

In January, as Microsoft worked on a solution, the attacks began.

The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues in Russia and areas held by Russian-backed rebels in eastern Ukraine, researchers said. Their computers were then infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments.

The best guess of cyber security experts is that one of Gamma’s customers was trying to get inside the computers of soldiers or political figures in Ukraine or Russia; either of those countries, or any of their neighbors or allies, could have been responsible. Such government espionage is routine.

The initial attacks were carefully aimed at a small number of targets and so stayed below the radar. But in March, security researchers at FireEye Inc noticed that a notorious piece of financial hacking software known as Latentbot was being distributed using the same Microsoft bug.

FireEye probed further, found the earlier Russian-language attacks, and warned Microsoft. The company, which confirmed it was first warned of active attacks in March, got on track for an April 11 patch.

Then, what counts as disaster in the world of bug-fixers struck. Another security firm, McAfee, saw some attacks using the Microsoft Word flaw on April 6.

After what it described as “quick but in-depth research,” it established that the flaw had not been patched, contacted Microsoft, and then blogged about its discovery on April 7.

The blog post contained enough detail that other hackers could mimic the attacks.

Other software security professionals were aghast that McAfee did not wait, as Optiv and FireEye were doing, until the patch came out.

McAfee Vice President Vincent Weafer blamed “a glitch in our communications with our partner Microsoft” for the timing. He did not elaborate.

By April 9, a program to exploit the flaw was on sale on underground markets for criminal hackers, said FireEye researcher John Hultquist.

The next day, attacks were mainstream. Someone used it to send documents booby-trapped with Dridex banking-fraud software to millions of computers in Australia.

Finally, on the Tuesday, about six months after hearing from Hanson, Microsoft made the patch available. As always, some computer owners are lagging behind and have not installed it.

Ben-Gurion University employees in Israel were hacked, after the patch, by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts at technology companies and medical professionals, said Michael Gorelik, vice president of cyber security firm Morphisec.

When Microsoft patched, it thanked Hanson, a FireEye researcher and its own staff.

A six-month delay is bad but not unheard of, said Marten Mickos, chief executive of HackerOne, which coordinates patching efforts between researchers and vendors.

“Normal fixing times are a matter of weeks,” Mickos said.

Privately held Optiv said through a spokeswoman that it usually gives vendors 45 days to make fixes before publishing research when appropriate, and that it “materially followed” that practice in this case.

Optiv is now comparing the details of what Hanson told Microsoft with what the spies and criminals used in the wild, trying to find out if the researcher’s work was partly responsible for the worldwide hacking spree, the spokeswoman said.

The spree included one or more people who created a hacking tool for what FireEye’s Hultquist said is probably a national government, and who then appeared to double-dip by also selling it to a criminal group.

If the patching took time, others who learned of the flaw moved quickly.

On the final weekend before the patch, the criminals could have sold it along to the Dridex hackers, or the original makers could have cashed in a third time, Hultquist said, effectively staging a last clearance sale before it lost peak effectiveness.

It is unclear how many people were ultimately infected or how much money was stolen.

Scientists Find Ways to Use Wood in Electronic Devices

Wood is usually not associated with water filters, even less with electronic devices. But scientists at the University of Maryland say we have not yet discovered all the possibilities of this cheap, natural and sustainable material. VOA’s George Putic reports.
