Ashkan Soltani was the Chief Technologist of America's Federal Trade Commission in 2014 — and earlier was a staff technologist in its Division of Privacy and Identity Protection helping investigate tech companies including Google and Facebook

Friday on Twitter he accused another group of privacy violations: the nonprofit rights organization, the American Civil Liberties Union. Yesterday, the ACLU updated their privacy statement to finally disclose that they share constituent information with 'service providers' like Facebook for targeted advertising, flying in the face of the org's public advocacy and statements.

In fact, I was retained by the ACLU last summer to perform a privacy audit after concerns were raised internally regarding their data sharing practices. I only agreed to do this work on the promisee by ACLU's Executive Director that the findings would be made public. Unfortunately, after reviewing my findings, the ACLU decided against publishing my report and instead sat on it for ~6 months before quietly updating their terms of service and privacy policy without explanation for the context or motivations for doing so. While I'm bound by a nondisclosure agreement to not disclose the information I uncovered or my specific findings, I can say with confidence that the ACLU's updated privacy statements do not reflect the full picture of their practices.

For example, public transparency data from Google shows that the ACLU has paid Google nearly half a million dollars to deliver targeted advertisements since 2018 (when the data first was made public). The ACLU also opted to only disclose its advertising relationship with Facebook only began in 2021, when in truth, the relationship spans back years totaling over $5 million in ad-spend. These relationships fly against the principles and public statements of the ACLU regarding transparency, control, and disclosure before use, even as the organization claims to be a strong advocate for privacy rights at the federal and state level. In fact, the NY Attorney General conducted an inquiry into whether the ACLU had violated its promises to protect the privacy of donors and members in 2004. The results of which many aren't aware of. And to be clear, the practices described would very much constitute a 'sale' of members' PII under the California Privacy Rights Act (CPRA).

The irony is not lost on me that the ACLU vehemently opposed the CPRA — the toughest state privacy law in the country — when it was proposed. While I have tremendous respect for the work the ACLU and other NGOs do, it's important that nonprofits are bound by the same privacy standards they espouse for everyone else. (Full disclosure: I'm on the EFF advisory board and was recently invited to join EPIC's board.)

My experience with the ACLU further amplifies the need to have strong legal privacy protections that apply to nonprofits as well as businesses — partially since many of the underlying practices, particularly in the area of fundraising and advocacy, are similar if not worse.
Soltani also re-tweeted an interesting response from Alex Fowler, a former EFF VP who was also Mozilla's chief privacy officer for three years: I'm reminded of EFF co-founder John Gilmore telling me about the Coders' Code: If you find a bug or vulnerability, tell the coder. If coder ignores you or refuses to fix the issue, tell the users.

"OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers," reports Ars Technica: On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-server vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

"Anyway, sounds like you can crash most OpenSSL servers on the Internet today," he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server... The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.
Ars Technica also reports that OpenSSL "fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren't digitally signed by a browser-trusted certificate authority."

Microsoft has once again reiterated that VR support for Xbox was not a focus for the company, following reports earlier today that hinted it was working on a VR headset compatible with the Xbox Series X/S. The Verge reports: The rumor first surfaced after IGN Italy reported that some Italian Xbox users received messages, which translated to "[a]n update for the VR headset is available" and "[u]pdate VR headset," when connecting the recently released Xbox Wireless Headset to their Xbox Series X or Series S consoles. A Microsoft representative told The Verge that "the copy in this error message is inaccurate due to a localization bug," while again reiterating that "VR for console is not a focus for us at this time."

Microsoft has yet to explore the VR space for its Xbox consoles. In 2018, the company pulled back on plans to support virtual reality headsets for Xbox in 2018, explaining that it wanted to focus "primarily on experiences you would play on your TV." In late 2019, Xbox boss Phil Spencer tweeted out that although he played "some great VR games" such as Half-Life: Alyx, console VR was not Xbox's focus ahead of the Xbox Series X / S release.

Firefox's "Compact density" option, which reduces the size of the user interface, is set to disappear when Mozilla rolls out its Proton visual redesign for the browser later this year. PCMag reports: A bug was posted on Mozilla's bug tracking system entitled "Remove compact mode inside Density menu of customize palette." The reasons given for its removal include the fact it's "currently fairly hard to discover" and "we assume gets low engagement." The development team wants to "make sure that we design defaults that suit most users and we'll be retiring the compact mode for this reason." The Bugzilla thread highlights a desire for compact density to be retained as an option, but it doesn't seem likely to survive right now.

When Proton arrives, the Normal and Touch density options are expected to remain, with Touch increasing the size of the user interface to make it more finger-friendly. Meanwhile, the development team is optimizing the Normal density for displays that use 768 pixels for height, while most displays now use a higher resolution than that. Hopefully this doesn't mean the UI will be larger than it is now by default.

"If you want a 12 hour break from Twitter just tweet this city name and you will be immediately locked," Swift on Security tweeted today.

"A bug on Twitter is causing users to become temporarily suspended if they tweet the word 'Memphis,'" BleepingComputer has confirmed: This bug started today after users tweeting about the Tennessee city, sports teams, or players suddenly found that they were temporarily suspended for 12 hours after Tweeting the word Memphis.
Several tweets are already mocking the phenomenon...

"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, principal of the Software Security practice at GRIMM. While the vulnerabilities "are in code that is not remotely accessible, so this isn't like a remote exploit," said Nichols, they are still troublesome. They take "any existing threat that might be there. It just makes it that much worse," he explained. "And if you have users on the system that you don't really trust with root access it, it breaks them as well."

Referring to the theory that 'many eyes make all bugs shallow,' Linux code "is not getting many eyes or the eyes are looking at it and saying that seems fine," said Nichols. "But, [the bugs] have been in there since the code was first written, and they haven't really changed over the last 15 years...." That the flaws slipped detection for so long has a lot to do with the sprawl of the the Linux kernel. It "has gotten so big" and "there's so much code there," said Nichols. "The real strategy is make sure you're loading as little code as possible."

The bugs are in all Linux distributions, Nichols said, although the kernel driver is not loaded by default. Whether a normal user can load the vulnerable kernel module varies. They can, for instance, on all Red Hat based distros that GRIMM tested, he said. "Even though it's not loaded by default, you can get it loaded and then of course you can exploit it without any trouble...."

The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of- life and will not receive patches.

A security vulnerability in a popular iPhone call recording app exposed thousands of users' recorded conversations. From a report: The flaw was discovered by Anand Prakash, a security researcher and founder of PingSafe AI, who found that the aptly named Call Recorder app allowed anyone to access the call recordings from other users -- by knowing their phone number. But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone. TechCrunch verified Prakash's findings using a spare phone with a dedicated account. The app stores its user's call recordings on a cloud storage bucket hosted on Amazon Web Services. Although the public was open and lists the files inside, the files could not be accessed or downloaded. The bucket was closed by press time.

"In a message to the Linux Kernel Mailing List Wednesday, founding developer Linus Torvalds warned the world not to use the 5.12-rc1 kernel in his public git tree..." writes Ars Technica: As it turns out, when Linus Torvalds flags some code dontuse, he really means it — the problem with this 5.12 release candidate broke swapfile handling in a very unpleasant way. Specifically, the updated code would lose the proper offset pointing to the beginning of the swapfile. Again, in Torvalds' own words, "swapping still happened, but it happened to the wrong part of the filesystem, with the obvious catastrophic end results."

If your imagination is insufficient, this means that when the kernel paged contents of memory out to disk, the data would land on random parts of the same disk and partition the swapfile lived on... not as files, mind you, but as garbage spewed directly to raw sectors on the disk. This means overwriting not only data in existing files, but also rather large chunks of metadata whose corruption would likely render the entire filesystem unmountable and unusable.

Torvalds goes on to point out that if you aren't using swap at all, this problem wouldn't bite you. And if you're using swap partitions, rather than swap files, you'd be similarly unaffected...
Torvalds also advised anyone who'd already pulled his git tree to do a git tag -d v5.12-rc1 "to actually get rid of the original tag name..." — or at least, to not use it for anything.

"I want everybody to be aware..." Torvalds writes, "because _if_ it bites you, it bites you hard, and you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call 'double ungood'."

An anonymous reader quotes a report from Ars Technica: Microsoft has released a new version of source-code editor Visual Studio Code that runs natively on Apple Silicon Macs like the MacBook Air, MacBook Pro, and Mac mini models with Apple M1 chips. The change came in Visual Studio Code 1.54 (now 1.54.1, thanks to a bug fix update), which is available as a universal 64-bit binary, as is standard for apps with Apple Silicon support. That said, Microsoft also offers downloads for x86-64 and Arm64 versions specifically, if desired.

There are no differences in features between the two versions, of course. And the non-Apple Silicon version worked just fine on M1 Macs previously via Rosetta, but Microsoft says M1 users can expect a few optimizations with the new binaries: "We are happy to announce our first release of stable Apple Silicon builds this iteration. Users on Macs with M1 chips can now use VS Code without emulation with Rosetta, and will notice better performance and longer battery life when running VS Code. Thanks to the community for self-hosting with the Insiders build and reporting issues early in the iteration." Other key features in Visual Studio Code 1.54 include the ability to retain terminal processes on window reload, performance improvements in the Windows version, product icon themes, improvements when viewing Git history timeline entries, and various accessibility improvements.

A security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test. TechCrunch reports: The website is part of the West Bengal government's mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results. But security researcher Sourajeet Majumder found that the link containing the patient's unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser's address bar and view other patients' test results.

The test results contain the patient's name, sex, age, postal address and if the patient's lab test result came back positive, negative or inconclusive for COVID-19. Majumder told TechCrunch that he was concerned a malicious attacker could scrape the site and sell the data. "This is a privacy violation if somebody else gets access to my private information," he said. Majumder reported the vulnerability to India's CERT, the country's dedicated cybersecurity response unit, which acknowledged the issue in an email. He also contacted the West Bengal government's website manager, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline, but did not return our requests for comment.

An iPhone hacking team has released a new jailbreak tool for almost every iPhone, including the most recent models, by using the same vulnerability that Apple last month said was under active attack by hackers. TechCrunch reports: The Unc0ver team released its latest jailbreak this weekend, and says it works on iOS 11 (iPhone 5s and later) to iOS 14.3, which Apple released in December. In a tweet, the jailbreak group said it used its âoeown exploitâ for CVE-2021-1782, a kernel vulnerability that Apple said was one of three flaws that "may have been actively exploited" by hackers. By targeting the kernel, the hackers are able to get deep hooks into the underlying operating system.

Apple fixed the vulnerability in iOS 14.4, released last month, which also prevents the jailbreak from working on later versions. It was a rare admission that the iPhone was under active attack by hackers, but the company declined to say who the hackers were and who they were targeting. Apple also granted anonymity to the researcher who submitted the bug.

The far-right social media platform Gab says a trove of its contents has been stolen in a security breach -- including passwords and private communications. Wired reports: On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls GabLeaks, a collection of more than 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says a hacktivist who self-identifies as "JaXpArO and My Little Anonymous Revival Project" siphoned that data out of Gab's backend databases in an effort to expose the platform's largely right-wing users. Those Gab patrons, whose numbers have swelled after Parler went offline, include large numbers of Qanon conspiracy theorists, white nationalists, and promoters of former president Donald Trump's election-stealing conspiracies that resulted in the January 6 riot on Capitol Hill.

DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab's public posts and profiles -- with the exception of any photos or videos uploaded to the site -- but also private group and private individual account posts and messages, as well as user passwords and group passwords. "It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content," Best wrote in a text message interview with WIRED. "It's another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6." DDoSecrets says it's not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers.

According to DDoSecrets' Best, the hacker says that they pulled out Gab's data via a SQL injection vulnerability in the siteâ"a common web bug in which a text field on a site doesn't differentiate between a user's input and commands in the site's code, allowing a hacker to reach in and meddle with its backend SQL database. Despite the hacker's reference to an "Anonymous Revival Project," they're not associated with the loose hacker collective Anonymous, they told Best, but do "want to represent the nameless struggling masses against capitalists and fascists." The company's CEO, Andrew Torba, responded in a public statement on the company's blog that "reporters, who write for a publication that has written many hit pieces on Gab in the past, are in direct contact with the hacker and are essentially assisting the hacker in his efforts to smear our business and hurt you, our users."

Catalin Cimpanu, reporting for The Record: A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain. The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018. [...] The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU. Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security. Software patches were released at the time, but the Meltdown and Spectre disclosures forced Intel to rethink its entire approach to CPU designs going forward.

At the time, the teams behind the Meltdown and Spectre bugs published their work in the form of research papers and some trivial proof-of-concept code to prove their attacks. Shortly after the Meltdown and Spectre publications, experts at AV-TEST, Fortinet, and Minerva Labs spotted a spike in VirusTotal uploads for both CPU bugs. While initially there was a fear that malware authors might be experimenting with the two bugs as a way to steal data from targeted systems, the exploits were classified as harmless variations of the public PoC code published by the Meltdown and Spectre researchers and no evidence was found of in-the-wild attacks. But today, Voisin said he discovered new Spectre exploits -- one for Windows and one for Linux -- different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.

Brave Browser had a privacy issue that leaked the Tor onion URL addresses you visited to your locally configured DNS server, "exposing the dark web websites you visit...", writes Bleeping Computer.

Long-time Slashdot reader AmiMoJo quotes their report: To access Tor onion URLs, Brave added a "Private Window with Tor" mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes who make the request for you and send back the returned HTML. Due to this proxy implementation, Brave's Tor mode does not directly provide the same level of privacy as using the Tor Browser.

When using Brave's Tor mode, it should forward all requests to the Tor proxies and not send any information to any non-Tor Internet devices to increase privacy. However, a bug in Brave's "Private window with Tor" mode is causing the onion URL for any Tor address you visit to also be sent as a standard DNS query to your machine's configured DNS server. This bug was first reported in a Reddit post and later confirmed by James Kettle, the Director of Research at PortSwigger. BleepingComputer has also verified the claims by using Wireshark to view DNS traffic while using Brave's Tor mode.
Brave has since released an update which fixes the bug.

iRobot, maker of the robotic Roomba vacuums, has confirmed that a software update has been causing issues for some users of its i7 and s9 robots and that it's working on another one to prevent future issues. The catch? It might be a bit before things get sorted out, with iRobot expecting the update to roll out "over the next several weeks." From a report: According to users on Reddit and Twitter, the recent 3.12.8 firmware update has been causing navigation issues. One user described their robot cleaner as acting "drunk" after the update: spinning itself around and bumping into furniture, cleaning in strange patterns, getting stuck in an empty area, and not being able to make it home to the dock. What's more, some other users are reporting that the environment maps their Roombas made were wiped out by the update.

According to Arizona Department of Corrections whistleblowers, hundreds of incarcerated people who should be eligible for release are being held in prison because the inmate management software cannot interpret current sentencing laws. From a report: KJZZ is not naming the whistleblowers because they fear retaliation. The employees said they have been raising the issue internally for more than a year, but prison administrators have not acted to fix the software bug. The sources said Chief Information Officer Holly Greene and Deputy Director Joe Profiri have been aware of the problem since 2019. The Arizona Department of Corrections confirmed there is a problem with the software. As of 2019, the department had spent more than $24 million contracting with IT company Business & Decision, North America to build and maintain the software program, known as ACIS, that is used to manage the inmate population in state prisons. One of the software modules within ACIS, designed to calculate release dates for inmates, is presently unable to account for an amendment to state law that was passed in 2019.

New reader allquixotic writes: Since late January, most users running a pre-installed Lenovo image of Windows 10 has been bitten by a bug in Lenovo's System Update Service (SUService.exe) causing it to constantly occupy a CPU thread. This was noticed by many ThinkPad and IdeaPad users as an unexpected increase in fan noise, but many desktop users might not notice the problem. I'm submitting this story to Slashdot because Lenovo does not provide an official support venue for their software, and the problem has persisted for several weeks with no indication of a patch forthcoming. While this bug continues to persist, anyone with a preinstalled Lenovo image of Windows 10 will have greatly reduced battery life on a laptop, and greatly increased power consumption in any case. As a thought experiment, if this causes 1 million systems to increase their idle power consumption by 40 watts, this software bug is currently wasting 40 megawatts, or about 1/20th the output of a typical commercial power station. On my ThinkPad P15, this bug actually wastes 80 watts of power, so the indication is that 40 watts per system is a very conservative number.

Lenovo's official forums and unofficial reddit pages have seen several threads pop up since late January with confused users noticing the issue, but so far Lenovo is yet to issue an official statement. Users have recommended uninstalling the Lenovo System Update Service as a workaround, but that won't stop this power virus from eating up megawatts of power around the world for those who don't notice this power virus's impact on system performance.

A British security researcher has discovered this week that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed. From a report: The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users. Qualys researchers discovered that they could trigger a "heap overflow" bug in the Sudo app to change the current user's low-privileged access to root-level commands, granting the attacker access to the whole system. The only condition to exploit this bug was that an attacker gain access to a system, which researchers said could be done by either planting malware on a device or brute-forcing a low-privileged service account. In their report last week, Qualys researchers said they only tested the issue on Ubuntu, Debian, and Fedora. They said that are UNIX-like operating systems are also impacted, but most security researchers thought the bug might impact BSD, another major OS that also ships with the Sudo app.

Suspected Chinese hackers exploited a flaw in software made by SolarWinds to help break into U.S. government computers last year, Reuters reported Tuesday, citing five people familiar with the matter, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency. From a report: Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised. The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company's Orion network monitoring software. Security researchers have previously said a second group of hackers was abusing SolarWinds' software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.

Early Friday the principal author of GNU Privacy Guard (the free encryption software) warned that version 1.9.0 of its cryptographic library Libgcrypt, released January 19, had a "severe" security vulnerability and should not be used.

A new version 1.9.1, which fixes the flaw, is available for download, Help Net Security reports: He also noted that Fedora 34 (scheduled to be released in April 2021) and Gentoo Linux are already using the vulnerable version... [I]t's a heap buffer overflow due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.

It was discovered and flagged by Google Project Zero researcher Tavis Ormandy and affects only Libgcrypt v1.9.0.
"Exploiting this bug is simple and thus immediate action for 1.9.0 users is required..." Koch posted on the GnuPG mailing list. "The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."