Duck.com now points to DuckDuckGo, not Google

Non-tracking search engine DuckDuckGo is now a little easier to find online after the company acquired the premium generic domain name duck.com — thereby shaving a few letters off its usual URL.

This means browsing to duck.com now automatically redirects to DuckDuckGo.com.

The twist in this tale is that duck.com’s prior owner was Google. And DDG had accused the search giant of anti-competitive behavior — by pointing duck.com to its own search engine, Google.com, and thus “consistently” confusing DDG users (duck.co having long pointed to the DDG community page.)…

The domain name transfer was spotted earlier by namePros, which got confirmation from DDG founder Gabriel Weinberg.

“We’re pleased Google has chosen to transfer ownership of Duck.com to DuckDuckGo. Having Duck.com will make it easier for people to use DuckDuckGo,” he told it.

We reached out to DDG and to Google with questions — because, well, we have a few.

Google did not engage with the substance of our questions. Instead it emailed a statement, attributed to a spokesperson, in which it confirmed the transfer of the duck.com domain and rights — writing:

Google has agreed with DuckDuckGo, Inc. to transfer ownership and rights of the duck.com domain to DuckDuckGo.

DDG also would not comment beyond Weinberg’s earlier statement.

But in an interview with the TNW back in 2012, Weinberg said he first enquired about trying to buy duck.com on 11/4/09 — only to be told shortly afterwards that “management” didn’t want to sell.

He also made the point then that while the URL of the company Google had acquired the duck.com domain from (On2) pointed to a Google explanation page about that acquisition, http://duck.com/ pointed “directly to Google search”.

So, well, … 

The timing of the transfer certainly looks interesting, with Google CEO Sundar Pichai only yesterday facing some competition-flavored questions from policymakers in Congress. (Though it’s not clear exactly when the duck.com domain name was transferred.)

In recent years Google has faced some major antitrust scrutiny and enforcement internationally, including in the European Union — where it has had to make changes to how it displays search results for products after a 2017 Commission decision that found it had abused its dominance in general Internet search to give itself an illegal advantage.

This summer the EC also found Google’s Android OS to be in breach of its competition rules, leading to further regional tweaks — in that case to licensing terms.

Google is appealing both antitrust decisions.

But the Commission has another competition probe (into Google AdSense) ongoing, and continues to eye other Google product verticals with concerns.

Meanwhile, calls for antitrust scrutiny of tech giants have been rising in the US. And Google’s dominant position in Internet search and smartphone platforms, along with its pincer grip (along with Facebook) on the online ad market, position it for some special attention on that front.

So the company quietly passing off duck.com now — after using it to redirect to Google.com for close to a decade — to a pro-privacy search rival smacks of concern over competition optics, at the very least.

Additionally, yesterday an even more sustained line of questioning from Congress to Google’s CEO was around privacy, with Pichai fielding questions such as whether Google’s own settings are clear enough for users to understand.

You can imagine some awkward questions could also have been asked by lawmakers about why Google.com was squatting on a domain name containing the word “duck”.

A word that not only means a waterfowl or to crouch down to avoid something but which has been intrinsic to the branding of its non-tracking rival, DuckDuckGo, since that company was founded all the way back in 2008.

So, well, if it walks like a duck, and it quacks like a duck… 

 


Home alarm tech backdoored security cameras to spy on customers having sex


A home security technician has admitted he repeatedly broke into cameras he installed and viewed customers engaging in sex and other intimate acts.

Telesforo Aviles, a 35-year-old former employee of home and small office security company ADT, said that over a five-year period, he accessed the cameras of roughly 200 customer accounts on more than 9,600 occasions—all without the permission or knowledge of customers. He said he took note of homes with women he found attractive and then viewed their cameras for sexual gratification. He said he watched nude women and couples as they had sex.

Aviles made the admissions Thursday in US District Court for the District of Northern Texas, where he pleaded guilty to one count of computer fraud and one count of invasive visual recording. He faces a maximum of five years in prison.

Aviles told prosecutors that he routinely added his email address to the list of users authorized to access customers’ ADT Pulse accounts, which allow customers to remotely connect to the ADT home security system so they can turn on or off lights, arm or disarm alarms, and view feeds from security cameras. In some cases, he told customers that he had to add himself temporarily so he could test the system. Other times, he added himself without their knowledge.

More legal fallout

An ADT spokesman said the company brought the illegal conduct to the attention of prosecutors last April after learning Aviles gained unauthorized access to the accounts of 220 customers in the Dallas area. The security company then contacted each customer “to help make this right.” The company has already resolved disputes with some of the customers. ADT published this statement last April and has continued to update it.

“We are grateful to the Dallas FBI and the US Attorney’s Office for holding Telesforo Aviles responsible for a federal crime,” the company wrote in an update posted on Friday.

In the aftermath of the breach discovery, ADT has been hit by at least two proposed class-action lawsuits, one on behalf of ADT customers and the other on behalf of minors and others living inside the homes. A plaintiff in one of the suits was allegedly a teenager at the time that the breach occurred. ADT informed her family that the technician spied on her home almost 100 times, according to the lawsuit.

The suits alleged that ADT marketed its camera systems as a way for parents to use smartphones to check in on kids and pets. ADT, the plaintiffs said, failed to implement safeguards—including two-factor authentication or text alerts when new parties access the accounts—that could have alerted customers to the invasion. The breach was discovered when a customer noticed an unauthorized email among addresses that had permission to access the security system.


Chrome and Edge want to help with that password problem of yours


If you’re like lots of people, someone has probably nagged you to use a password manager and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.

Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. People can then have the password pushed to their other devices using the Edge password sync feature.

As I’ve explained for years, the same things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.

“Microsoft Edge offers a built-in strong password generator that you can use when signing up for a new account or when changing an existing password,” members of Microsoft’s Edge team wrote. “Just look for the browser-suggested password drop down in the password field and when selected, it will automatically save to the browser and sync across devices for easy future use.”

Edge 88 is also rolling out a feature called the “password monitor.” As the name suggests, it monitors saved passwords to make sure none of them are included in lists compiled from website compromises or phishing attacks. When turned on, the password monitor will alert users when a password matches lists published online.

Checking passwords in a secure way is a difficult task. The browser needs to be able to check a password against a large, always-changing list without sending sensitive information to Microsoft or information that could be sniffed by someone monitoring the connection between the user and Microsoft.

In an accompanying post also published Thursday, Microsoft explained how that’s done:

Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first. For example, suppose we are given two ciphertexts, one encrypting 5 and the other encrypting 7. Normally, it does not make sense to “add” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, then there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.

First, the client communicates with the server to obtain a hash H of the credential, where H denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Since only the server knows the hash function H, the client is prevented from performing an efficient dictionary attack on the server, a type of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and send the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function operation looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, who decrypts it and obtains the result.

In the above framework, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when this function is evaluated on encrypted data. We utilized many optimizations to achieve performance that scales to users’ needs.
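The addition of 5 and 7 and the encrypted matching step from Microsoft's description, as an added example that is not Microsoft's code or scheme. It assumes a toy Paillier cryptosystem with deliberately small primes, plain SHA-256 standing in for the OPRF hash H, and a blinded-difference match that returns one ciphertext per list entry; all function names are hypothetical.

```python
import hashlib, math, secrets

# Toy Paillier keypair from two Mersenne primes (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)          # private key, known only to the client
MU = pow(LAM, -1, N)                  # valid because the generator is N + 1

def _unit():
    """Random value in [1, N) that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def enc(m):
    return (1 + (m % N) * N) * pow(_unit(), N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def he_add(c1, c2):                   # Enc(a), Enc(b) -> Enc(a + b)
    return c1 * c2 % N2

def he_scale(c, k):                   # Enc(a), k -> Enc(k * a)
    return pow(c, k, N2)

def h(credential):
    """Stand-in for the server-keyed hash H (assumption: plain SHA-256)."""
    digest = hashlib.sha256(credential.encode()).digest()
    return int.from_bytes(digest, "big") % N

def compute_match(enc_h, breached):
    """Server side: sees only ciphertexts and returns Enc(r * (H(k) - d))."""
    out = [he_scale(he_add(enc_h, enc(-d)), _unit()) for d in breached]
    secrets.SystemRandom().shuffle(out)   # hide which list entry matched
    return out

def client_check(credential, breached):
    """Client side: send Enc(H(k)), decrypt the replies; 0 means a match."""
    replies = compute_match(enc(h(credential)), breached)
    return any(dec(c) == 0 for c in replies)

# Constructed sample breach list held by the server.
BREACHED = [h(p) for p in ("hunter2", "letmein", "correct horse")]
```

A non-matching entry decrypts to a randomly blinded nonzero value, so the client learns whether its credential is on the list but not how far it is from any other entry.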

Not to be outdone, members of the Google Chrome team this week unveiled password protections of their own. Chief among them is a fuller-featured password manager that’s built into the browser.

“Chrome can already prompt you to update your saved passwords when you log in to websites,” Chrome team members wrote. “However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too).”

Chrome 88 is also making it easier to check if any saved passwords have wound up on password dumps. While password auditing came to Chrome last year, the feature can now be accessed using a security check similar to the one shown below:

[Image: Chrome security check. Credit: Google]

Many people are more comfortable using a dedicated password manager because they offer more capabilities than those baked into their browser. Most dedicated managers, for instance, make it easy to use dice words in a secure way. With the line between browsers and password managers beginning to blur, it’s likely only a matter of time until browsers offer more advanced management capabilities.


Phishing scam had all the bells and whistles—except for one


Criminals behind a recent phishing scam had assembled all the important pieces. Malware that bypassed antivirus—check. An email template that got around Microsoft Office 365 Advanced Threat Protection—check. A supply of email accounts with strong reputations from which to send scam mails—check.

It was a recipe that allowed the scammers to steal more than 1,000 corporate employee credentials. There was just one problem: the scammers stashed their hard-won passwords on public servers where anyone—including search engines—could (and did) index them.

“Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers,” researchers from security firm Check Point wrote in a post published Thursday. “With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker.”

Check Point researchers found the haul as they investigated a phishing campaign that began in August. The scam arrived in emails that purported to come from Xerox or Xeros. The emails were sent by addresses that, prior to being hijacked, had high reputational scores that bypass many antispam and antiphishing defenses. Attached to the messages was a malicious HTML file that didn’t trigger any of the 60 most-used antimalware engines.

The email looked like this:

[Image: the phishing email. Credit: Check Point]

Once clicked, the HTML file displayed a document that looked like this:

[Image: the document displayed by the HTML file. Credit: Check Point]

When recipients were fooled and logged into a fake account, the scammers stored the credentials on dozens of WordPress websites that had been compromised and turned into so-called drop-zones. The arrangement made sense since the compromised sites were likely to have a higher reputational score than would be the case for sites owned by the attackers.

The attackers, however, failed to designate the sites as off-limits to Google and other search engines. As a result, Web searches were able to locate the data and lead security researchers to the cache of compromised credentials.

“We found that once the users’ information was sent to the drop-zone servers, the data was saved in a publicly visible file that was indexable by Google,” Thursday’s post from Check Point read. “This allowed anyone access to the stolen email address credentials with a simple Google search.”

Based on the analysis of roughly 500 of the compromised credentials, Check Point was able to compile the following breakdown of the industries targeted.

Simple Web searches show that some of the data stashed on the drop-zone servers remained searchable at the time this post was going live. Most of these passwords followed the same format, making it possible that the credentials didn’t belong to real-world accounts. Check Point’s discovery, however, is a reminder that, like so many other things on the Internet, stolen passwords are ripe for the picking.
