Unpatched Citrix Vulnerability Now Exploited, Patch Weeks Away (Slashdot, by BeauHD, security; cached at January 13, 2020, 11:35 pm)

An anonymous reader quotes a report from Ars Technica: On December 16, 2019, Citrix revealed a vulnerability in the company's Application Delivery Controller and Gateway products -- commercial virtual-private-network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw, discovered by Mikhail Klyuchnikov of Positive Technologies, could give an attacker direct access to the local networks behind the gateways from the Internet without the need for an account or authentication, using a crafted Web request. Citrix has published steps to reduce the risk of the exploit. But these steps, which simply configure a responder to handle requests using the text that targets the flaw, break under some circumstances and might interfere with access to the administration portal for the gateways by legitimate users. A permanent patch will not be released until January 20. And as of January 12, over 25,000 servers remain vulnerable, based on scans by Bad Packets. This is not surprising, considering the number of Pulse Secure VPNs that have not yet been patched over six months after a fix was made available, despite Pulse Secure executives saying that they have "worked aggressively" to get customers to patch that vulnerability. And given that vulnerable Pulse Secure servers have been targeted now for ransomware attacks, the same will likely be true for unprotected Citrix VPN servers -- especially since last week, proof-of-concept exploits of the vulnerability began to appear, including at least two published on GitHub, as ZDNet's Catalin Cimpanu reported. "The vulnerability allows the remote execution of commands in just two HTTP requests, thanks to a directory traversal bug in the implementation of the gateway's Web interface," the report adds. "The attacks use a request for the directory '/vpn/../vpns/' to fool the Apache Web server on the gateway to point to the '/vpns/' directory without authentication. The attacks then inject a command based on the template returned from the first request." You can check for the vulnerability here.
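Because the report describes the attack as a '/vpn/../vpns/' traversal sent in two requests, the practical question for a defender is whether that pattern has already hit a gateway's Apache logs. The following detector is an added example written for this page; it is not code from Ars Technica, ZDNet, Positive Technologies or Citrix, and it does not reproduce Citrix's responder mitigation. It assumes NCSA common log format, and the log lines, client addresses (documentation ranges) and request paths are constructed for the demonstration. It percent-decodes repeatedly before collapsing dot segments, so single- and double-encoded variants of the traversal are caught, and it deliberately leaves plain '/vpns/' requests alone, since those are what an authenticated VPN client sends.

```python
import re
from urllib.parse import unquote

# Apache/NCSA common log line:
# client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): one benign client on /vpn/ and
# /vpns/, two clients probing the traversal in raw, encoded and double-encoded
# form, and one traversal that does not land in /vpns/.
SAMPLE_LOG = """\
198.51.100.9 - - [12/Jan/2020:08:01:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 4812
198.51.100.9 - - [12/Jan/2020:08:01:11 +0000] "GET /vpns/ HTTP/1.1" 200 913
203.0.113.5 - - [12/Jan/2020:08:02:30 +0000] "GET /vpn/../vpns/ HTTP/1.1" 200 913
203.0.113.5 - - [12/Jan/2020:08:02:31 +0000] "POST /vpn/../vpns/ HTTP/1.1" 200 0
203.0.113.6 - - [12/Jan/2020:08:05:00 +0000] "GET /vpn/%2e%2e/vpns/ HTTP/1.1" 200 913
203.0.113.6 - - [12/Jan/2020:08:05:01 +0000] "GET /vpn/%252e%252e/vpns/?x=1 HTTP/1.1" 403 0
203.0.113.8 - - [12/Jan/2020:08:06:00 +0000] "GET /vpn/../index.html HTTP/1.1" 200 4812
"""


def percent_decode(path: str, rounds: int = 3) -> str:
    """Decode %xx escapes repeatedly (bounded) so a double-encoded dot such as
    %252e becomes '.' before the traversal check runs."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonical(raw_path: str) -> str:
    """Percent-decode, drop the query string and collapse '.' and '..' segments
    the way the filesystem would, so '/vpn/../vpns/' resolves to '/vpns/'."""
    path = percent_decode(raw_path).split("?", 1)[0]
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    trailing = "/" if path.endswith("/") and out else ""
    return "/" + "/".join(out) + trailing


def is_vpns_traversal(raw_path: str) -> bool:
    """True when the request used a '..' segment AND the resolved path lands in
    /vpns/. A direct '/vpns/...' request with no traversal is normal for an
    authenticated VPN session and is not flagged."""
    decoded = percent_decode(raw_path).split("?", 1)[0]
    if "/../" not in decoded and not decoded.endswith("/.."):
        return False
    canon = canonical(raw_path)
    return canon == "/vpns" or canon.startswith("/vpns/")


def scan_log(text: str) -> list:
    """Return (client, method, raw path, status) for every traversal hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_vpns_traversal(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

Read the status column together with the hit: a 2xx answer to a traversal request means the gateway served it, and the follow-up POST from the same client in the sample is the shape of the second request the report describes. A log scan only shows attempts that reached the server; it says nothing about whether the mitigation or the January 20 patch is in place, so treat it as triage input, not as proof that a gateway is safe.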

Read more of this story at Slashdot.

Visa Is Acquiring Plaid For $5.3 Billion (Slashdot, by BeauHD, business; cached at January 13, 2020, 11:35 pm)

Visa announced today that it is buying financial services API startup Plaid for $5.3 billion, roughly double the price of its last private valuation. TechCrunch reports: Plaid develops financial services APIs. It is akin to what Stripe does for payments, but instead of facilitating payments, it helps developers share banking and other financial information more easily. It's the kind of service that makes sense for a company like Visa. The startup bought Quovo two years ago to move beyond just banking, and into broader financial services and investments. The idea was to provide a more holistic platform for financial services providers. As the founders wrote in a blog post at the time of the acquisition, "Financial applications have historically used Plaid primarily to interact with checking and savings accounts. In acquiring Quovo, we are extending our capabilities to a wider class of assets." The deal is expected to close in the next three to six months, pending regulatory approval.

Read more of this story at Slashdot.

[no title] Scripting News (cached at January 13, 2020, 11:33 pm)

Something you believe the president has done well?”
[no title] Scripting News (cached at January 13, 2020, 11:03 pm)

DocCast 2.0. This is an interesting medium because unlike other podcasts I've listened to Doc on, in this mode he gets to talk as long as you want and you can pause, and say whatever you want. Anyway I've decided I'm going to build a basketball court so when you visit we can meditate over shooting hoops that I used to do when I was a kid. Focus is the thing. Creating a groove. And making each other more powerful. That's going to be my next chapter. I do want to hear about your experience with Medium. We all have our own stories. I also want to tell you a story about Dave Bunnell. And why walking is the best.
Bing Loses Out To DuckDuckGo in Google's New Android Search Engine Ballot (Slashdot, by msmash, eu; cached at January 13, 2020, 10:35 pm)

Google announced last week the alternative search engines it will show to new Android users in the EU, with DuckDuckGo the most frequently offered choice and Bing tied for last place. From a report: EU citizens setting up Android devices from March 1 will be given a choice of four search engines to use as their default, including Google. Whichever provider they choose will become the default for searches made in Chrome and through Android's home screen search box. A dedicated app for that provider will also be installed on their device.

Read more of this story at Slashdot.

Adobe Brings One of Its Last Legacy Products To the Cloud (Slashdot, by msmash, business; cached at January 13, 2020, 10:05 pm)

Adobe unveiled a cloud-based system to help clients build websites, bringing one of its last legacy products to the cloud almost a decade after shifting to internet-based software. From a report: The new content management system already is being used by some customers, the San Jose, California-based company said Monday in a statement. The software maker announced the service at the National Retail Federation conference in New York. Adobe is the largest vendor for enterprise customers in a $3.8 billion market for software that builds websites and manages digital assets, according to data from research firm IDC. The company said it's the first to provide a purely cloud-computing based solution to large business clients. The software maker currently manages 15 billion web page visits per day and more than 50 million digital assets, including images and videos, across its customer base. Wix.com and closely held Squarespace are among the competitors in the field.

Read more of this story at Slashdot.

Oldest material on Earth discovered (BBC News | Science/Nature | UK Edition; cached at January 13, 2020, 10:00 pm)

Scientists analysing a meteorite have discovered the oldest material known to exist on Earth.
Secrets of '1,000-year-old trees' unlocked (BBC News | Science/Nature | UK Edition; cached at January 13, 2020, 9:30 pm)

Scientists discover how the ginkgo lives to such an old age, surviving for centuries or millennia.
Barr Asks Apple To Unlock iPhones of Pensacola Gunman (Slashdot, by msmash, encryption; cached at January 13, 2020, 9:05 pm)

Attorney General William P. Barr declared on Monday that a deadly shooting last month at a naval air station in Pensacola, Fla., was an act of terrorism, and he asked Apple in an unusually high-profile request to provide access to two phones used by the gunman. From a report: Mr. Barr's appeal was an escalation of an ongoing fight between the Justice Department and Apple pitting personal privacy against public safety. "This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence," Mr. Barr said, calling on Apple and other technology companies to find a solution and complaining that Apple has provided no "substantive assistance." Apple has given investigators materials from the iCloud account of the gunman, Second Lt. Mohammed Saeed Alshamrani, a member of the Saudi air force training with the American military, who killed three sailors and wounded eight others on Dec. 6. But the company has refused to help the F.B.I. open the phones themselves, which would undermine its claims that its phones are secure.

Read more of this story at Slashdot.

Google Can View Millions of Patient Health Records in Most States (Slashdot, by msmash, ai; cached at January 13, 2020, 8:35 pm)

Through its partnerships with health care providers, Google can view tens of millions of patient records in at least three-quarters of states, the Wall Street Journal reports. From a report: Some of these partnerships allow Google to access identifiable information about patients without their or their doctors' knowledge, raising fears about how this data may be used. Google is developing a new search tool -- designed to be used by doctors, nurses and potentially patients -- that stores and analyzes patient information on its servers. The company and some health systems argue that data-sharing can improve patient outcomes. Google says its health endeavors aren't connected with its advertising business.

Read more of this story at Slashdot.

Are We on the Cusp of an 'AI Winter'? (Slashdot, by msmash, ai; cached at January 13, 2020, 8:05 pm)

The last decade was a big one for artificial intelligence, but researchers in the field believe that the industry is about to enter a new phase. From a report: Hype surrounding AI has peaked and troughed over the years as the abilities of the technology get overestimated and then re-evaluated. The peaks are known as AI summers, and the troughs AI winters. The 2010s were arguably the hottest AI summer on record, with tech giants repeatedly touting AI's abilities. AI pioneer Yoshua Bengio, sometimes called one of the "godfathers of AI", told the BBC that AI's abilities were somewhat overhyped in the 2010s by certain companies with an interest in doing so. There are signs, however, that the hype might be about to start cooling off. "I have the sense that AI is transitioning to a new phase," said Katja Hofmann, a principal researcher at Microsoft Research in Cambridge. Given the billions being invested in AI and the fact that there are likely to be more breakthroughs ahead, some researchers believe it would be wrong to call this new phase an AI winter. Robot Wars judge Noel Sharkey, who is also a professor of AI and robotics at Sheffield University, told the BBC that he likes the term "AI autumn" -- and several others agree.

Read more of this story at Slashdot.

UK Govt Warns Not To Access Online Banking on Windows 7 (Slashdot, by msmash, windows; cached at January 13, 2020, 7:35 pm)

The UK's National Cyber Security Centre (NCSC) is warning people against using online banking or accessing sensitive accounts from devices running Windows 7 from Tuesday, 14 January, when Microsoft ends support for the operating system. From a report: The NCSC, the government body for cybersecurity, is encouraging people to upgrade from Windows 7 as soon as possible, due to Microsoft's 2019 decision to stop providing technical support for the software. "The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices," the NCSC spokesperson said. "We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device."

Read more of this story at Slashdot.

[no title] Scripting News (cached at January 13, 2020, 7:33 pm)

This was a famous story in 1992, that then-President Bush didn't understand checkout scanners in supermarkets. The story was eventually debunked, but the question was raised: how can someone govern if they don't understand how the people live?
[no title] Scripting News (cached at January 13, 2020, 7:33 pm)

The next president should be creating a new social net for governance that involves all the voters who want to be involved. American citizens of voting age only. Doing real things to make America work better in every way, especially politically. I wrote this idea up in 2009 as Obama took office and didn't follow through on the promise (imho) of his campaign. Sanders is a nice guy for sure, but he can't do the organizing we need to do (see below). It's not something you can delegate. I think Bloomberg may get this, but I'm not sure. The politicians running for office are still very old school, and Sanders is the oldest of them.
[no title] Scripting News (cached at January 13, 2020, 7:33 pm)

A presidential candidate who has no apps on his phone is not qualified to be president in 2021 and beyond. Apps are a frontier we crossed ten years ago. Some people, including a columnist at the NYT are impressed. That tells you something about who writes editorials at the Times too.