Monthly Archives: September 2017

BEWARE OF THE BASIC ECONOMY GATE SERVICE FEE

Delta Basic Economy fares permit a larger carry-on bag, so the focus of this story is on American Airlines and United. If you think you can slip by undetected with your rollerboard, be prepared to pay up and lose every penny you saved by buying a Basic Economy fare in the first place.

Let’s first note that both American and United offer exceptions to their “no overhead bin space” Basic Economy policy. Should you hold an airline-branded credit card, you can take a larger carry-on bag. If you have elite status, you can also take a larger carry-on bag onboard.

But if you don’t qualify for either exception, you’re not going to like the outcome if you’re caught at the gate. On both American and United, it is $25 to check a bag. But if you’re on a Basic Economy fare and you get caught at the gate, your fee is $50. Why? An extra $25 fee.

United calls it a gate-handling charge. American labels it a gate-service fee. It’s really a penalty on top of a fee.

Other passengers can check their bag to their final destination at no cost if overhead bin space runs out, but the very point of Basic Economy is to avoid that problem in the first place. That means if you get caught with a bag, you are going to have to pay up.

A Painful Example

United does not allow online or mobile check-in if you purchase a Basic Economy fare and do not pay for a bag. While I’m sure that alleviates the issue for some, it is easy enough for a pair traveling together to take turns checking in while the other stands at a distance with both carry-on bags.

Vishnu Bhargava and his wife were flying on United from San Francisco to Boston in late July and didn’t notice the conditions of Basic Economy tickets. He checked in the night before, paid for one checked bag and planned to bring two carry-ons. He didn’t read the small print.

When they got to the gate, they were told their carry-on bags would have to be checked. His cost $50—the standard bag fee plus the gate handling charge. His wife’s was $60, since she had already checked one bag. United charges $35 for a second bag, plus the extra fee.

“I was shocked,” says Mr. Bhargava, a retired physician from India. “Whatever I saved with Basic Economy, I had to pay more. This fee is not at all fair.”

Oh, it’s fair. It may be stupid, but it’s certainly fair. As long as it was clearly disclosed, which leads me to my final point.

Disclosure Problems

When you buy a Basic Economy fare on united.com, the restrictions could not be clearer. But when buying on many online travel agencies, the prohibitions are not clearly disclosed. Airlines must work with these travel agencies to ensure the restrictions on such fares are transparent. Otherwise, consumers have a right to get angry.

CONCLUSION

This reminds me of fare dodging on the trains in Germany, all of which run on an honor system. Sometimes you can get away without buying a ticket, but get caught and you’ll be slapped with an 80 EUR fine, probably eating up all your cost savings and more.

If you’re going to buy a Basic Economy ticket on American or United and don’t qualify for a larger carry-on, check it before or leave it at home. If you get caught, not only will you be paying more than a regular economy class fare, it will be embarrassing.

via:  liveandletsfly

FCC chairman voted to sell your browsing history; so we asked to see his

Thanks to the FCC chairman, internet providers can now sell Americans’ browsing histories for targeted advertising. ZDNet thought it was only fair to see his — so, we filed a Freedom of Information request.

The Federal Communications Commission has refused to turn over the internet browsing history of its chairman Ajit Pai, weeks after he rolled back rules that prevented internet providers from selling the browsing histories of millions of Americans.

In a response to a request filed by ZDNet under the Freedom of Information Act, the agency said Friday that it had “no responsive documents” to our request. The agency cited a similar decision filed with Homeland Security that found that the law doesn’t require a government agency to create a record in response to a request.

Specifically, we asked for the “web browsing history of all web and mobile browsers used by Ajit Pai on any government network or account,” from the date that the rules were formally revoked by Congress in late March.

The response from the FCC said: “Here, the agency does not have a record that reflects the Chairman’s web browsing history.”

In other words, Pai voted to allow internet providers to turn over your browsing history, but won’t let anyone see his.

Earlier this year, Pai launched his effort to roll back the Obama-era rules that toughened up privacy protections for every American with an internet connection.

But the rule rollback was met with considerable controversy and anger from privacy and rights groups, for fear that internet providers like AT&T, Comcast, and Verizon would be able to gather and sell data about your browsing history to marketers and other companies, including information on customer location, as well as financial or health status information, and what people shop and search for.

AT&T, Comcast, and Verizon have all said they don’t collect personal information unless customers allow it or share it with third-parties. Critics noted that the named three don’t need the FCC rules to share customer data because they already operate their own advertising networks.

Following the FCC’s rollback, Congress had to vote to approve the changes into law. The measure was passed by the Senate, and later the House.

Though the telecoms and internet provider lobby was largely behind the effort to roll back the rules, it remains unclear how ordinary consumers benefit, if at all, from the changes.

When pressed by reporters, Marsha Blackburn (R-TN, 7th), the sponsor for the House bill, couldn’t say how her bill helps anyone other than the telecoms lobby. According to online publication Vocativ, Blackburn also received over $693,000 in campaign contributions from the telecoms lobby over her 14-year congressional career.

As a member of Congress, Blackburn is exempt from Freedom of Information requests.

You can read the full letter from the FCC below.

Federal Communications Commission
Washington, D.C. 20554

May 12, 2017
Mr. Zack Whittaker
CBS
28 B. 28th Street
10th Floor
New York, New York 10016
zack.whittaker@gmail.com

Re: FOIA Control No. 2017-000501

Dear Mr. Whittaker:

This is in response to your Freedom of Information Act (FOIA) request filed on
March 31, 2017, seeking "[t]he web browsing history of all web and mobile browsers
used by Ajit Pai, chairman of the Federal Communications Commission, on any
government network or account for the week beginning Tuesday, March 29[, 2017]."(1)
The due date for FOIA 2017-501 is May 12, 2017.(2) We are responding to you by this
deadline. As we explain in more detail below, we have no responsive documents to your
request.

As court precedents make clear, the FOIA does not require an agency to create a
record to respond to a FOIA request.(3) Here, the agency does not have a record that
reflects the Chairman's web browsing history. As the Department of Homeland Security
(DHS) found in response to a similar request, "internet browser history. . . files are
presumably constantly changing, machine-readable files (not likely discrete 'documents'
separate from the given web browsing program used) that were automatically generated
based on the particular user's activity."(4) We agree with DHS that an agency is not
required to generate a discrete document that would reflect the internet browser history of
a certain time period or extract the residual data files automatically maintained by the
program.(5)

(1) See FOIAonline (FOIA Request 2017-000501 (submitted and perfected Mar. 31, 2017)).
(2) See email from Joanne Wall to Zack Whittaker (Apr. 27, 2017) (because of the need to consult with
multiple offices within the Commission, the Office of General Counsel extended the date for responding to
the FOIA request to May 12, 2017, pursuant to 47 C.F.R. § 0.461(g)(1)(i)).
(3) See Poll v. U.S. Office of Special Counsel, No. 99-4021, 2000 WL 14422, at *5 n.2 (10th Cir. Jan. 10,
2000) (recognizing that FOIA does not require an agency "to create documents or opinions in response to
an individual's request for information") (quoting Hudgins v. IRS, 620 F.Supp. 19, 21 (D.D.C. 1985), aff'd,
808 F.2d 137 (D.C. Cir. 1987)).

(4) Letter from Curtis E. Renoe, Attorney Advisor, Office of the Administrative Law Judge, United States
Coast Guard, U.S. Dep't of Homeland Security (DHS), to Jason Smathers, MuckRock News, DHS Appeal
Number 2014-HQAP-00068 at 3-4 (July 18, 2014).

(5) Id. 3-4.

Pursuant to section 0.466(a)(5)-(7) of the Commission's rules, you have been
classified for fee purposes as category (2), "educational requesters, non-commercial
scientific organizations, or representatives of the news media."(6) As an "educational
requester, non-commercial scientific organization, or representative of the news media,
the Commission assesses charges to recover the cost of reproducing the records
requested, excluding the cost of reproducing the first 100 pages. We did not reproduce
any records and you will therefore not be charged any fees.

If you consider this to be a denial of your FOIA request, you may seek review by
filing an application for review with the Office of General Counsel. An application for
review must be received by the Commission within 90 calendar days of the date of this
letter.(7) You may file an application for review by mailing the application to the Federal
Communications Commission, Office of General Counsel, 445 12th St. SW, Washington,
DC 20554, or you may file your application for review electronically by e-mailing it to
FOIA-Appeal@fcc.gov. Please caption the envelope (or subject line, if via e-mail) and
the application itself as "Review of Freedom of Information Action."

If you would like to discuss this response before filing an application for review
to attempt to resolve your dispute without going through the appeals process, you may
contact the Commission's FOIA Public Liaison for assistance at:

FOIA Public Liaison
Federal Communications Commission, Office of the Managing Director,
Performance Evaluation and Records Management
445 12th St., SW, Washington, DC 20554
FOIA-Public-Liaison@fcc.gov

If you are unable to resolve your FOIA dispute through the Commission's FOIA
Public Liaison, the Office of Government Information Services (OGIS), the Federal
FOIA Ombudsman's office, offers mediation services to help resolve disputes between
FOIA requesters and Federal agencies. The contact information for OGIS is:

Office of Government Information Services
National Archives and Records Administration
8601 Adelphi Road-OGIS
College Park, MD 20740-6001
202-741-5770
877-684-6448
ogis@nara.gov
ogis.archives.gov

(6) 47 C.F.R. § 0.466(a)(5)-(7).
(7) See 47 C.F.R. § 0.461(j), 1.115; 47 C.F.R. § 1.7 (documents are considered filed with the Commission
upon their receipt at the location designated by the Commission).

cc: FOIA Officer
---


via:   zdnet

Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack

The company said the March vulnerability was exploited by hackers.

Equifax has confirmed that a web server vulnerability in Apache Struts that it failed to patch months ago was to blame for the data breach that affected 143 million consumers.

In a brief statement, the credit rating giant said:

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted.”

“We know that criminals exploited a U.S. website application vulnerability,” the statement added.

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

For its part, Equifax still has not provided any evidence to support the claim.

The cited Apache Struts flaw dates back to March, according to a public vulnerability disclosure. Patches were released for the vulnerability, suggesting that Equifax did not install the security updates.

Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications, including Equifax’s public website.

Earlier, unconfirmed reports had pointed to Struts as the root of the cyber attack. At least one of the reports, citing a research analyst from equity research firm Baird, was subsequently retracted.

The Apache Foundation, which maintains the Apache web software, said days ago in response to media reports — prior to any confirmation from the company — that at the time it was not clear if Struts was to blame for the cyber attack.

The company is said to have enlisted FireEye-owned Mandiant for its incident recovery.

Despite several requests over the past week, the company has not answered specific questions or responded to requests for comment.

via:  zdnet

Someone Is Learning How to Take Down the Internet – How worried should we be?

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it’s overwhelmed. These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.

This all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

There’s more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

What can we do about this? Nothing, really. We don’t know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it’s possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won’t see any attribution.

But this is happening. And people should know.

This essay previously appeared on Lawfare.com.

Slashdot thread.

Podcast with Bruce Schneier on the topic.

CSO thread.

via:  schneier

Time Warner Cable exposes 4 million subscriber records – Yet another AWS config fumble

US cable giant the latest victim of S3 cloud security brain-fart.

Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech’s Bob Diachenko said.

“Not only could they access the documents, but any ‘authenticated users’ could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work.”

The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.
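As an added example (not code from the article, Kromtech or BroadSoft), this Python check flags the two misconfigurations the researchers describe: a bucket ACL that grants access to a global group such as "authenticated users", and a bucket policy open to any principal. The ACL and policy documents are constructed samples in the shape that boto3's get_bucket_acl() and get_bucket_policy() return, so the check runs offline.

```python
"""Offline check of an S3 bucket ACL and bucket policy for public exposure.

Added example, not the article's or any vendor's code. The ACL/policy samples
are constructed in the shape boto3 returns them, so nothing here talks to AWS.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Both predefined groups are effectively public: "AuthenticatedUsers" means any
# AWS account in the world, not accounts belonging to your organisation.
PUBLIC_GROUPS = {
    ALL_USERS: "anyone (anonymous)",
    AUTHENTICATED_USERS: "any AWS account holder",
}


def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """True if a policy Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return Sids (or positional labels) of unconditional Allow statements open to all."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as one object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def assess_bucket(acl, policy_json=None):
    """Combine both checks; an empty list means no public grant was found."""
    findings = [f"ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    if policy_json:
        findings += [f"policy statement {sid} allows any principal"
                     for sid in public_policy_statements(policy_json)]
    return findings


# Constructed sample: the misconfiguration pattern the article describes.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: the corrected configuration (owner only; policy scoped to one role).
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("private", PRIVATE_ACL, PRIVATE_POLICY)):
        print(name, assess_bucket(acl, pol) or ["no public access found"])
```

Against a live account the same functions can be fed the dictionaries returned by boto3's get_bucket_acl() and the "Policy" string from get_bucket_policy().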

A spokesperson for TWC parent company Charter said the telly giant was aware of the cockup, and is notifying the customers who were exposed.

“Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them,” Charter said. “There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords.”

BroadSoft did not return a request for comment.

This wouldn’t be the first time errant settings on an AWS S3 instance have left records out in the open. Other poorly configured databases were blamed for leaking data on Chicago voters, Verizon subscribers, and even researchers with the Republican National Committee.

via:  theregister

Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses

The Internet of Things is turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices. However, such devices could potentially be compromised by hackers.

There are, of course, some really good reasons to connect certain devices to the Internet.

Medical devices are increasingly found vulnerable to hacking. Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers after they were found vulnerable to hackers.

Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT has warned in an advisory.

An independent security researcher has discovered not just one or two, but eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump, which is manufactured by Minnesota-based specialty medical device maker Smiths Medical.

The devices are used across the world for delivering small doses of medication in acute critical care, such as neonatal and pediatric intensive care and the operating room.

Some of the vulnerabilities discovered by Scott Gayou are high in severity and can easily be exploited by a remote attacker to “gain unauthorized access and impact the intended operation of the pump.”

According to the ICS-CERT, “Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

The most critical vulnerability (CVE-2017-12725) has been given a CVSS score of 9.8 and is related to the use of hard-coded usernames and passwords to automatically establish a wireless connection if the default configuration is not changed.

But does everything need to be connected? Of course not, especially when it comes to medical devices.

The high-severity flaws include:

  • A buffer overflow bug (CVE-2017-12718) that could be exploited for remote code execution on the target device in certain conditions.
  • Lack of authentication (CVE-2017-12720) if the pump is configured to allow FTP connections.
  • Presence of hard-coded credentials (CVE-2017-12724) for the pump’s FTP server.
  • Lack of proper host certificate validation (CVE-2017-12721), leaving the pump vulnerable to man-in-the-middle (MitM) attacks.

The remaining flaws are of medium severity and could be exploited by attackers to crash the communications and operational modules of the device, authenticate to telnet using hard-coded credentials, and obtain passwords from configuration files.

These vulnerabilities impact devices that are running versions 1.1, 1.5 and 1.6 of the firmware, and Smiths Medical has planned to release a new product version 1.6.1 in January 2018 to address these issues.

But in the meantime, healthcare organizations are recommended to apply some defensive measures including assigning static IP addresses to pumps, monitoring network activity for malicious servers, installing the pump on isolated networks, setting strong passwords, and regularly creating backups until patches are released.

via:  thehackernews

IoT Device Hit by Credential Attack Every Two Minutes–Experiment Found

Internet of Things (IoT) botnets such as Mirai might not be in the headlines as often as they were several months ago, but the threat posed by insecure IoT devices is as high as before, a recent experiment has revealed.

Mainly targeting IP cameras, DVRs and routers that haven’t been properly secured, such botnets attempt to ensnare devices and use them for malicious purposes such as distributed denial of service (DDoS) attacks. Compromised IoT products are also used to scan the Internet for other vulnerable devices and add them to the botnet.

BASHLITE, Mirai, Hajime, Amnesia, Persirai, and similar botnets target DVR and IP camera systems via telnet or SSH attacks, and use a short list of commonly encountered login credentials, such as root:xc3511, root:vizxv, admin:admin, admin:default, and support:support.

According to recent research, there are nearly 7.5 million potentially vulnerable camera systems and around 4 million potentially vulnerable routers connected worldwide.

Prompted by recent news of a list of leaked login credentials associated with a set of thousands of IPs (mostly routers) being posted online, Johannes B. Ullrich, Ph.D., Dean of Research at SANS Technology Institute, exposed a DVR to the Internet for two days and recorded all attempts to log in to it.

According to him, the device used the root:xc3511 login pair and recorded a total of 1254 login attempts from different IPs over a period of 45 hours. Basically, someone or something would log in to it every 2 minutes using the correct credentials, he says.

After performing a Shodan search, Ullrich retrieved information on 592 of the attacking devices, and reveals they were mainly coming from TP-Link, AvTech, Synology, and D-Link. The distribution of attacks matches that previously associated with Mirai, but the researcher notes that dozens of variants hit the device.

Last year, Ullrich performed a similar experiment and revealed that the DVR was being hit every minute and that multiple login pairs were being tried on each attack. His experiment and the emergence of Mirai brought to the spotlight the issue of weak credentials being used in IoT.

“So in short: 1,700 additional vulnerable systems will not matter. We do see a pretty steady set of 100,000-150,000 sources participating in telnet scans. This problem isn’t going away anytime soon,” Ullrich argues.

He also points out that, while malware such as BrickerBot attempted to break the vulnerable devices, the method isn’t effective either, because most of the impacted devices cannot be bricked by overwriting the disk, but only become temporarily unresponsive and recover after a reboot.

“Many of these devices are buggy enough, where the owner is used to regular reboots, and that is probably the only maintenance the owner will perform on these devices,” he says.
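As an added example (not Ullrich's own tooling), this Python script summarises a telnet login log from an exposed device the way the experiment above does: total attempts, distinct sources, how many attempts used the default credential pairs listed earlier, and the mean gap between attempts. The log lines and their one-line-per-attempt format are constructed for the example.

```python
"""Summarise telnet login attempts recorded by an exposed IoT device.

Added example, not the article's or the researcher's code. The log format
(one line per attempt) and the sample lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Default credential pairs the article lists as used by Mirai-style botnets.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("admin", "default"), ("support", "support"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) telnet login from (?P<ip>[\d.]+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

# Constructed sample log: TEST-NET source addresses over a ten-minute window.
SAMPLE_LOG = """\
2017-09-05T10:00:00Z telnet login from 203.0.113.5 user=root pass=xc3511 result=success
2017-09-05T10:02:00Z telnet login from 198.51.100.23 user=root pass=xc3511 result=success
2017-09-05T10:04:30Z telnet login from 192.0.2.77 user=admin pass=admin result=failure
2017-09-05T10:05:00Z telnet login from 203.0.113.5 user=root pass=xc3511 result=success
2017-09-05T10:08:00Z telnet login from 198.51.100.200 user=root pass=hunter2 result=failure
2017-09-05T10:10:00Z telnet login from 192.0.2.14 user=root pass=xc3511 result=success
"""


def parse_line(line):
    """Return a dict for a well-formed attempt line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def summarize(log_text):
    """Aggregate attempts: volume, distinct sources, default-credential use, cadence."""
    attempts = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    attempts.sort(key=lambda r: r["ts"])
    creds = Counter((r["user"], r["pw"]) for r in attempts)
    default_hits = sum(n for pair, n in creds.items() if pair in DEFAULT_CREDENTIALS)
    if len(attempts) > 1:
        # Mean spacing between consecutive attempts, in minutes.
        span = (attempts[-1]["ts"] - attempts[0]["ts"]).total_seconds()
        mean_gap_minutes = span / (len(attempts) - 1) / 60
    else:
        mean_gap_minutes = None
    return {
        "attempts": len(attempts),
        "unique_sources": len({r["ip"] for r in attempts}),
        "successes": sum(r["result"] == "success" for r in attempts),
        "default_credential_attempts": default_hits,
        "top_credential": creds.most_common(1)[0][0] if creds else None,
        "mean_gap_minutes": mean_gap_minutes,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```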

via:  securityweek

Targeted Attacks Leverage PowerPoint File for Malware Delivery

Threat actors are leveraging malicious PowerPoint files and a recently patched Microsoft Office vulnerability to target UN agencies, foreign ministries, international organizations, and entities interacting with international governments, Fortinet warns.

The attack uses a file named ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx and exploits the CVE-2017-0199 vulnerability that Microsoft addressed in April, after malicious actors had been abusing it to deliver malware such as Dridex, WingBird, Latentbot and Godzilla. The exploit has been and continues to be used in attacks even after patching.

Last month, the first PowerPoint attacks to exploit CVE-2017-0199 for malware delivery emerged, associated with the distribution of a Trojanized version of the REMCOS legitimate and customizable remote access tool (RAT).

Once the PowerPoint Slide Show is opened, it triggers a script and the exploit downloads remote code from an XML file with JavaScript code from the domain narrowbabwe[.]net. Next, it executes the code using the PowerPoint Show animations feature, Fortinet explains.

The exploit is also able to bypass the User Account Control feature in Windows, by hijacking the registry and then executing eventvwr.exe. The bypass technique was first detailed in August 2016.

The JavaScript inside the XML file would write a file in a directory, masquerading as a legitimate Microsoft Office patch. This, however, is a piece of malware executed with high privilege, which uses WMI ActiveScriptConsumers for persistence. Courtesy of a timer event, the script runs every 12 seconds.

The script also tries to identify if it runs in a virtual environment. If it doesn’t detect a virtual machine, the script proceeds to sending some data to a remote server.

Although the command and control (C&C) server had already been taken down at the time of analysis, the researchers say that the response from the C&C contains arbitrary commands executed with the eval() function. After executing the commands, the script sends a notification to the server.

“These commands can possibly be download functions to deliver the final payload, and the most commonly used malware for espionage are RATs (Remote Access Trojans),” Fortinet suggests.

Last month, Cisco discovered that attackers were combining Office exploits to avoid detection and ensure higher delivery rate. Fortinet’s new report shows that actors can implement multiple techniques in a single piece of code to evade detection, bypass protections, and escalate privilege. The use of multiple embedded encoded scripts, multiple stages of URL connection, and the embedding of C&C URLs in a jpg file reveal the work of persistent criminals.

via:  securityweek

AT&T’s DirecTV Now is testing a cloud DVR with 100 hours of storage

AT&T’s streaming TV service for cord cutters, DirecTV Now, hasn’t yet publicly launched a cloud DVR feature – something all major rivals today offer – but we now know what it has in store in terms of storage space and functionality. The service will allow customers to save up to 100 hours of video content, according to a recent leak, which TechCrunch confirmed. Customers will also be able to watch and manage recordings from a new “My Library” feature, and add new recordings with a tap of a button.

Screenshots of the DVR in action were first posted to the site Cord Cutters News, and we’ve since confirmed their accuracy.

The images also show the record button in the app, and beta testers say you can swipe on recordings in your “My Library” to quickly delete them.

AT&T had recently announced its plans to test a DVR as part of a larger platform update, but said the feature would first be introduced to beta users before becoming publicly available.

The lack of a cloud DVR at launch put AT&T’s streaming service at somewhat of a disadvantage, compared with its competitors. As more of these alternatives to cable TV enter the market, features like the DVR are becoming the standard.

Dish’s Sling TV, for example, was one of the first streaming TV services to enter the market, but it wasn’t until competition heated up that it debuted its own DVR – something it did back in November.

However, Sling TV charges customers $5 per month for 50 hours of Cloud DVR storage space. (It had only offered 100 hours to beta testers.) Playstation Vue, meanwhile, will delete recordings after 28 days, and only recently made them available outside the home’s network. YouTube TV has an unlimited DVR, but doesn’t allow ad-skipping on most shows, instead switching users to on-demand streams.

Hulu’s Live TV service, meanwhile, makes the DVR option a part of its base package, but offers paying users upgraded functionality. In the main package, it offers 50 hours of recording space for no additional cost, but to get more – 200 hours – you have to pay $15 per month. Its base package consumers can’t fast forward through ads, but those with the paid DVR add-on can.

AT&T hasn’t yet said how the DVR feature will be priced, or if it will be offered as a core feature to all subscribers.

It’s also unclear if it, too, will disable ad-skipping on some, most or all shows, but that seems likely.

By switching customers to on-demand streams, when available, these companies don’t have to actually allocate storage space to saved programming, while still offering a feature that makes it look like they do.

One tester said the DirecTV Now DVR allowed rewind and fast forward in 15 second increments. But it’s not certain yet that such functionality would be available across networks, or when on-demand streams are available, because the option is tied to what sort of deals AT&T can negotiate with content owners.

Disabling ad-skipping is now a common practice across services, in fact, but it’s confusing to end users. It’s not always clear which shows will allow you to fast forward when viewed later after “recording” them. Forum postings for these services are filled with complaints and questions about why fast-forwarding doesn’t work on recordings.

In fact, the inability to skip ads makes these cloud DVRs less compelling alternatives to those offered by traditional cable TV operators, and could ultimately spell trouble for streaming TV services’ staying power.

With cable TV, a key benefit to DVR’ing shows – beyond time-shifting, of course – is the option to skip ads. That’s not to say that consumers will stay with cable – cord cutting is happening more quickly than expected – but they may not see the need to sign up for streaming TV when they can stream commercial-free shows from Netflix, Amazon, HBO, and even through Hulu (on-demand) and CBS All Access which both offer “commercial-free” packages.

via:  techcrunch

Marvel and Star Wars movies will be exclusive to Disney’s upcoming streaming service

Photo: Lucasfilm / Disney

Disney has decided what to do with Marvel and Star Wars films once they leave theaters: keep them exclusive to the company’s upcoming streaming service.

Last month, Disney announced that it would launch a streaming service in 2019 that will focus on the studio’s shows and movies. But it hadn’t been decided at the time whether the service would include all Disney movies — including Marvel and Star Wars films — or just titles focused on younger audiences, like Disney Channel and Pixar properties.

A month later, it seems that Disney has decided. According to CNBC and Deadline, Disney CEO Bob Iger said at a conference today that the two hit film series would be part of the same streaming bundle. “We’re going to launch big, and we’re going to launch hot,” Iger reportedly said.

Keeping Marvel and Star Wars with the rest of Disney’s properties will make the service a lot more appealing and may also mean one fewer subscription that people have to keep up; Disney had considered breaking the two properties out into yet another streaming offering, since their content is so distinct.

The decision also means that Netflix — which currently has an exclusive deal with Disney to stream its new films — may not have any major titles from Disney after 2019, when their partnership ends. When Disney announced its streaming service in August, Netflix said that it continued “to do business with the Walt Disney Company on many fronts,” and it appeared to be negotiating for continued access to some of the studio’s films. Clearly whatever Netflix offered wasn’t enough.

Iger said he plans to discuss pricing for Disney’s streaming service “in the months ahead.” With the service not slated to launch for over a year, though, Disney still has plenty of time to figure that out.

via: theverge