Technology

Lithium

Klout, a service that tracks how much social media attention its users draw and rates their expertise based on the content of their posts, will be switched off on May 25—an announcement that has ironically had Klout trending on Twitter today.

The service, which launched in 2008, also offered an application-programming interface that allowed businesses to collect analytics data about their audiences. Klout also offered "perks" to individuals based on their scores and demographics.

Enlarge / Researchers used a network card like this one in a Rowhammer attack that needed only packets sent over a LAN to work. (credit: Mellanox)

For the first time, researchers have exploited the Rowhammer memory-chip weakness using nothing more than network packets sent over a local area network. The advance is likely to further lower the bar for triggering bit flips that change critical pieces of data stored on vulnerable computers and servers.

Until now, Rowhammer exploits had to execute code on targeted machines. That hurdle required attackers to either sneak the unprivileged code onto the machines or lure end users to a website that hosted malicious JavaScript. In a paper published Thursday, researchers at the Vrije Universiteit Amsterdam and the University of Cyprus showed that standard packets sent over networks used by many cloud services, universities, and others were sufficient. The secret to the new technique: increasingly fast network speeds that allow hackers to send specially designed packets in rapid succession.

"Thus far, Rowhammer has been commonly perceived as a dangerous hardware bug that allows attackers capable of executing code on a machine to escalate their privileges," the researchers wrote. "In this paper, we have shown that Rowhammer is much more dangerous and also allows for remote attacks in practical settings. We show that even at relatively modest network speeds of 10Gbps, it is possible to flip bits in a victim machine from across the network."

Enlarge / You may want to nicely ask your friends who use Signal on the Mac desktop to change their notification settings. (credit: Signal)

Signal, the privacy-focused voice and text-messaging application, offers an attractive bit of operational security: ephemeral text messages that "self-delete" after a predetermined amount of time. There is just one small problem, however, with that feature on the Mac desktop version of the application, as information security consultant Alec Muffett discovered: if you send a self-deleting message to someone using the macOS application, the message lives on in macOS' Notifications history.

#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are "disappearing" messages which have been deleted/expunged from the app. pic.twitter.com/CVVi7rfLoY

— Alec Muffett (@AlecMuffett) May 8, 2018

Ars reproduced the problem, which Patrick Wardle of Objective See conducted a particularly deep dive on—revealing that the problem is, in part, a bug in the way Signal handles calls to the macOS notification system and, in part, is just how macOS notifications work.