sinij shares a report from CBC.ca: American technology firm Clearview AI violated Canadian privacy laws by collecting photos of Canadians without their knowledge or consent, an investigation by four of Canada's privacy commissioners has found. The report found that Clearview's technology created a significant risk to individuals by allowing law enforcement and companies to match photos against its database of more than three billion images, including Canadians and children.

The commissioners called for Clearview to stop offering its technology in Canada, stop collecting images of Canadians and to delete the photos of Canadians it had already collected in its database. If the company refuses to follow the recommendations, the four privacy commissioners will "pursue other actions available under their respective acts to bring Clearview into compliance with Canadian laws," the statement said. However, the four acknowledged that under current laws, and even under proposed changes to federal privacy laws, their ability to penalize the company or force it to comply with Canadian orders is limited. "What Clearview does, is mass surveillance and it is illegal," federal privacy commissioner Daniel Therrien told reporters Wednesday. "It is an affront to individuals' privacy rights and inflicts broad based harm on all members of society who find themselves continually in a police lineup." "This is completely unacceptable."

Long-time Slashdot reader cusco quotes a new report from IEEE Spectrum: In August 2018, a passenger aircraft in Idaho, flying in smoky conditions, reportedly suffered GPS interference from military tests and was saved from crashing into a mountain only by the last-minute intervention of an air traffic controller. "Loss of life can happen because air traffic control and a flight crew believe their equipment are working as intended, but are in fact leading them into the side of the mountain," wrote the controller. "Had [we] not noticed, that flight crew and the passengers would be dead...."

There are some 90 reports on NASA's Aviation Safety Reporting System forum detailing GPS interference in the United States over the past eight years, the majority of which were filed in 2019 and 2020. Now IEEE Spectrum has new evidence that GPS disruption to commercial aviation is much more common than even the ASRS database suggests. Previously undisclosed Federal Aviation Administration data for a few months in 2017 and 2018 detail hundreds of aircraft losing GPS reception in the vicinity of military tests. On a single day in March 2018, 21 aircraft reported GPS problems to air traffic controllers near Los Angeles. These included a medevac helicopter, several private planes, and a dozen commercial passenger jets. Some managed to keep flying normally; others required help from air traffic controllers. Five aircraft reported making unexpected turns or navigating off course. In all likelihood, there are many hundreds, possibly thousands, of such incidents each year nationwide, each one a potential accident. The vast majority of this disruption can be traced back to the U.S. military, which now routinely jams GPS signals over wide areas on an almost daily basis somewhere in the country.

The military is jamming GPS signals to develop its own defenses against GPS jamming. Ironically, though, the Pentagon's efforts to safeguard its own troops and systems are putting the lives of civilian pilots, passengers, and crew at risk... Todd E. Humphreys, director of the Radionavigation Laboratory at the University of Texas at Austin, says. "When something works well 99.99 percent of the time, humans don't do well in being vigilant for that 0.01 percent of the time that it doesn't."

An anonymous reader quotes a report from ZDNet: A well-known hacker has leaked the details of more than 2.28 million users registered on MeetMindful.com, a dating website founded in 2014, ZDNet has learned this week from a security researcher. The dating site's data has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases. The leaked data, a 1.2 GB file, appears to be a dump of the site's users database.

The content of this file includes a wealth of information that users provided when they set up profiles on the MeetMindful site and mobile apps. Some of the most sensitive data points included in the file include: Real names; Email addresses; City, state, and ZIP details; Body details; Dating preferences; Marital status; Birth dates; Latitude and longitude; IP addresses; Bcrypt-hashed account passwords; Facebook user IDs; and Facebook authentication tokens. Messages exchanged by users were not included in the leaked file; however, this does not make the entire incident less sensitive. The data leak, which is still available for download, was released by a threat actor who goes by the name of ShinyHunters. They also were responsible for leaking the details of millions of users registered on Teespring.

An anonymous reader quotes a report from The New York Times: A military arm of the intelligence community buys commercially available databases containing location data from smartphone apps and searches it for Americans' past movements without a warrant, according to an unclassified memo obtained by The New York Times. Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past two and a half years, agency officials disclosed in a memo they wrote for Senator Ron Wyden, Democrat of Oregon.

The disclosure sheds light on an emerging loophole in privacy law during the digital age: In a landmark 2018 ruling known as the Carpenter decision, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers. But the government can instead buy similar data from a broker -- and does not believe it needs a warrant to do so. "D.I.A. does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes," the agency memo said.

Mr. Wyden has made clear that he intends to propose legislation to add safeguards for Americans' privacy in connection with commercially available location data. In a Senate speech this week, he denounced circumstances "in which the government, instead of getting an order, just goes out and purchases the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law." He called the practice unacceptable and an intrusion on constitutional privacy rights. "The Fourth Amendment is not for sale," he said.

The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping $12.6 million for keeping its employees under constant video surveillance at all times for the past two years without a legal basis. From a report: The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR) not only in Germany but across Europe as well. The recipient is notebooksbilliger.de AG (doing business as NBB), an online e-commerce portal and retail chain dedicated to selling laptops and other IT supplies. The State Commissioner for Data Protection (LfD) for the state of Lower Saxony said that the company installed two years ago a video monitoring system inside its warehouses, salesrooms, and common workspaces for the purpose of preventing and investigating thefts and tracking product movements. Officials said the video surveillance system was active at all times, and recordings were saved for as much as 60 days in the company's database.

Wine 6.0 has been released today and contains over 8,300 changes, according to its full release notes. Windows Central reports: The new release of version 6.0 has thousands of changes, but Wine's website highlights some of the biggest improvements: Core modules in PE format; Vulkan backend for WineD3D; DirectShow and Media Foundation support; and Text console redesign. The full release notes for Wine 6.0 explain that the core DLLs, which include NTDLL, KERNEL32, GDI32, and USER32 are now built in the Portable Executable (PE) format. As a result, people should see improvements for certain copy protection schemes.

The update also includes a new mechanism to associate a Unix library with the PE module. This change makes it so systems can call Unix libraries from PE when trying to perform a function that can't be handled by Win32 APIs. Wine 6.0 also includes an experimental Vulkan rendered that translates Direct3D shaders to SPIR-V shaders. In another change related to Direct3D, the Direct3D graphics card database now recognizes more graphics cards and includes updated driver versions.

The OpenWRT forum, a large community of enthusiasts of alternative, open-source operating systems for routers, announced a data breach over the weekend. Bleeping Computer reports: The attack occurred on Saturday, around 04:00 (GMT), when an unauthorized third party gained admin access to and copied a list with details about forum users and related statistical information. The intruder used the account of an OpenWRT administrator. Although the account had "a good password," additional security provided by two-factor authentication (2FA) was not active. Email addresses and handles of the forum users have been stolen, the moderators say. They add that they believe the attacker was not able to download the forum database, meaning that passwords should be safe. However, they reset all the passwords on the forum just to be on the safe side and invalidated all the API keys used for project development processes.

Users have to set the new password manually from the login menu by providing their user name and following the "get a new password" instructions. Those logging in using GitHub credentials are advised to reset or refresh it. The OpenWRT forum credentials are separate from the Wiki. Currently, there is no suspicion that the Wiki credentials have been compromised in any way. OpenWRT forum administrators warn that since this breach exposed email addresses, users may become targets of credible phishing attempts.

Early last decade, Matthew Buchanan and Karl von Randow, web designers based in Auckland, New Zealand, were seeking a passion project. Their business, a boutique web design studio called Cactuslab, developed apps and websites for various clients, but they wanted a project of their own that their team could plug away at when there wasn't much else to do. From a report: Buchanan had an idea for a social media site about movies. At the time, he reflected, he used Flickr to share photos and Last.fm to share his taste in music. IMDb was a database; it wasn't, in essence, social. That left a gap in the field. The result was an app and social media network called Letterboxd, which its website describes, aptly, as "Goodreads for film." After it was introduced at the web conference Brooklyn Beta in the fall of 2011, Letterboxd steadily developed a modest but passionate following of film fans eager to track their movie-watching habits, create lists of favorites, and write and publish reviews. In 2020, however, the site's growth was explosive. Letterboxd has seen its user base nearly double since the beginning of the pandemic: They now have more than 3 million member accounts, according to the company, up from 1.7 million at this time last year.

The pandemic has ravaged the movie industry, as theaters have remained mostly shuttered and high-profile would-be blockbusters like "Tenet" have drastically underperformed. But for Letterboxd, all that time at home has been a boon. "We love talking about movies," said Gemma Gracewood, Letterboxd's editor in chief. "And we're talking even more about what we love lately because we're all stuck indoors." In the beginning, Letterboxd mainly attracted film obsessives: hard-core cinephiles, stats fanatics and professional critics looking to house their published work under one roof. Mike D'Angelo, a longtime contributor to Entertainment Weekly and Esquire, used Letterboxd to retroactively log every movie he has seen, by date, since January 1992. In addition to uploading his old reviews to the platform, he uses the site as a kind of diary for more off-the-cuff musings.

An anonymous reader quotes a report from The Register: Failed blood-testing unicorn Theranos trashed vital incriminating evidence of its fraud, prosecutors said on Monday. The imploded startup's extensive testing data over three years, including its accuracy and failure rate, was "stored on a specially-developed SQL database called the Laboratory Information System (LIS)," according to a filing [PDF] in the fraud case against Theranos's one-time CEO Elizabeth Holmes and COO Sunny Balwani. The database "even flagged blood test results that might require immediate medical attention, and communicated this to the patient's physician," we're told.

Theranos claimed to have perfected technology that would allow industry standard blood tests to be run at great speed and with just a drop of blood, revolutionizing the health industry, and causing the business to be valued at $10bn. The reality, however, was that for one set of tests, the failure rate was 51.3 per cent. What does that mean? Prosecutors explain: "In other words, Theranos's TT3 blood test results were so inaccurate, it was essentially a coin toss whether the patient was getting the right result. The data was devastating."

So devastating that the database was subpoenaed by a grand jury digging into fraud claims against Holmes and Balwani. But when investigators turned to take a copy of the database, guess what? From the filing: "On or about August 31, 2018 -- three months after a federal grand jury issued a subpoena requesting a working copy of this database -- the LIS was destroyed. The government has never been provided with the complete records contained in the LIS, nor been given the tools, which were available within the database, to search for such critical evidence as all Theranos blood tests with validation errors. The data disappeared."

chicksdaddy shares a report from The Security Ledger: Independent security researchers testing the security of the United Nations were able to compromise public-facing servers and a cloud-based GitHub development account used by the U.N. and lift data on more than 100,000 staff and employees, according to a report by The Security Ledger. Researchers affiliated with Sakura Samurai, a newly formed collective of independent security experts, exploited an exposed GitHub repository belonging to the International Labour Organization and the U.N.'s Environment Programme (UNEP) to obtain "multiple sets of database and application credentials" for UNEP applications, according to a blog post by one of the Sakura Samurai researchers, John Jackson, explaining the group's work.

Specifically, the group was able to obtain access to database backups for private UNEP projects that exposed a wealth of information on staff and operations. That includes a document with more than 1,000 U.N. employee names, emails; more than 100,000 employee travel records including destination, length of stay and employee ID numbers; more than 1,000 U.N. employee records and so on. The researchers stopped their search once they were able to obtain personally identifying information. However, they speculated that more data was likely accessible.

An anonymous reader quotes a report from ZDNet: President-elect Joe Biden's transition team announced that David Recordon, one of OpenId and oAuth's developers, has been named the White House Director of Technology. Recordon most recently was the VP of infrastructure and security at the non-profit Chan Zuckerberg Initiative Foundation. Before that, Recordon was Facebook's engineer director. There, he had led Facebook's open-source initiatives and projects. Among other programs, this included Phabricator, a suite of code review web apps, which Facebook used for its own development. He also led efforts on Cassandra, the Apache open-source distributed database management system; HipHop, a PHP to C++ source code translator; and Apache Thrift, a software framework, for scalable cross-language services development. In short, he's both a programmer and manager who knows open-source from the inside out.

Recordon learned to program at a public elementary school. According to the Biden-Harris transition team, he's spent his almost two-decade career working at the intersection of technology, security, open-source software, public service, and philanthropy. Looking forward to the challenges Recordon faces in his new position, he wrote on LinkedIn: "The pandemic and ongoing cybersecurity attacks present new challenges for the entire Executive Office of the President, but ones I know that these teams can conquer in a safe and secure manner together." The report notes that Recordon served as the first Director of White House Information Technology during President Barack Obama's term of office, working on IT modernization and cybersecurity issues. He's also served as the Biden-Harris transition team's deputy CTO.

Ho Mobile, an Italian mobile operator, owned by Vodafone, has confirmed a massive data breach on Monday and is now taking the rare step of offering to replace the SIM cards of all affected customers. From a report: The breach is believed to have impacted roughly 2.5 million customers. It first came to light last month on December 28 when a security analyst spotted the telco's database being offered for sale on a dark web forum. While the company initially played down these initial reports, Ho confirmed the incident on Monday, in a message posted on its official website and via SMS messages sent to all impacted customers. Ho's statement confirms the security researcher's assessment that hackers broke into Ho's servers and stole details on Ho customers, including full names, telephone numbers, social security numbers, email addresses, dates and places of birth, nationality, and home addresses. While the telco said no financial data or call details were stolen in the intrusion, Ho admitted that hackers got their hands on details related to customers' SIM cards.

An anonymous reader shares a report: Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location. While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer. However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first. This second technique relies on grabbing the infected user's BSSID. Known as a "Basic Service Set Identifier," the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi. You can see the BSSID on Windows systems by running the command: netsh wlan show interfaces | find "BSSID" Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.

A marine biologist's ideas for singling out sharks that attack humans have prompted objections from other shark scientists. From a report: The war on sharks has been waged with shock and awe at times. When a shark bit or killed a swimmer, people within the past century might take out hundreds of the marine predators to quell the panic, like executing everyone in a police lineup in order to ensure justice was dispensed on the guilty party. Eric Clua, a professor of marine biology at the Ecole Pratique des Hautes Etudes in Paris, said the rationale behind shark culls in the past was simple: fewer sharks, fewer attacks. That reasoning also drives methods such as shark nets and baited hooks, which are currently in use at a number of Australian and South African beaches that are frequently visited by sharks. Nature, he notes, pays too great a price. "They are killing sharks that are guilty of nothing," said Dr. Clua, who studies the ocean predators up close in the South Pacific.

Dr. Clua said he has found a way to make precision strikes on sharks that have attacked people through a form of DNA profiling he calls "biteprinting." He believes it's usually just solo "problem sharks" that attack humans repeatedly, analogizing them to terrestrial predators that have been documented behaving the same way. Instead of culling every bear, tiger or lion when only one has serially attacked people, wildlife managers on land usually focus their ire on the culprit. Dr. Clua said that problem sharks could be dispatched the same way. This summer, Dr. Clua and several colleagues published their latest paper on collecting DNA from the biteprints of large numbers of sharks. Once a database is built, DNA could be collected from the wounds of people who were bitten by sharks, and matched to a known shark. The offending fish would then need to be found and killed. Critics have taken issue with every facet of this plan.

Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demonstrated its new COVID-19 contact-tracing system to governments and journalists, researchers have concluded. From a report: NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions "without compromising individual privacy." But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works -- the same demo seen by reporters weeks earlier. TechCrunch reported the apparent security lapse to NSO, which quickly secured the database, but said that the location data was "not based on real and genuine data." NSO's claim that the location data wasn't real differed from reports in Israeli media, which said NSO had used phone location data obtained from advertising platforms, known as data brokers, to "train" the system. Academic and privacy expert Tehilla Shwartz Altshuler, who was also given a demo of Fleming, said NSO told her that the data was obtained from data brokers, which sell access to vast troves of aggregate location data collected from the apps installed on millions of phones.

The Guardian reports: The mass die-off of thousands of songbirds in south-western U.S. was caused by long-term starvation, made worse by unseasonably cold weather probably linked to the climate crisis, scientists have said.

Flycatchers, swallows and warblers were among the migratory birds "falling out of the sky" in September, with carcasses found in New Mexico, Colorado, Texas, Arizona and Nebraska. A USGS National Wildlife Health Center necropsy has found 80% of specimens showed typical signs of starvation... The remaining 20% were not in good enough condition to carry out proper tests. Nearly 10,000 dead birds were reported to the wildlife mortality database by citizens, and previous estimates suggest hundreds of thousands may have died...

"It looks like the immediate cause of death in these birds was emaciation as a result of starvation," said Jonathan Sleeman, director of the USGS National Wildlife Health Center in Madison, Wisconsin, which received 170 bird carcasses and did necropsies on 40 of them. "It's really hard to attribute direct causation, but given the close correlation of the weather event with the death of these birds, we think that either the weather event forced these birds to migrate prior to being ready, or maybe impacted their access to food sources during their migration...."

Most deaths happened around 9 and 10 September during a bout of cold weather that probably meant food was particularly scarce...

With their savvy interfaces, smart features and oodles of VC money, digital banks have become the poster-child for fintech. There are now almost 300 so-called "neobanks" live worldwide, with nearly half concentrated in Europe. From a report: Meanwhile, new players are continuing to join the ranks, particularly in Latin America, Africa and the Middle East. This boom is being fuelled by ongoing investor enthusiasm for the sector, with neobanks raising over $2bn in venture capital globally this year alone. Customers are also riding the neobank wave. PitchBook estimates that by 2024, 145m of us will be using these apps across North America and Europe alone. To help keep track of the global neobank landscape, we have broken down the key data and trends. For clarity, 'neobank' is defined here as an app that i) offers its own retail banking services (i.e. prepaid, debit, credit cards), ii) launched after 2010, and iii) is mobile-centric. This definition does not distinguish between regulatory status, but it's worth noting that only a handful have official bank licences.

Here is the story of the world's neobanks, as told in numbers. The neobank boom: At its peak? The number of neobanks worldwide has tripled since 2017, climbing from 100 to nearly 300 worldwide. That means, over the last three years, a neobank launched every five days somewhere in the world (!), according to Exton, a consultancy firm which manages a global database of consumer banking apps. In 2019 alone, more than 70 neobanks went live globally. But Cristoph Stegmeier, a partner at Exton, says we may finally have reached a peak, with 2020 seeing a slowdown. "I expect we will see less from now," he told Sifted. He explained this year's launch decline went beyond simply the 'Covid effect' and stems from the growing saturation of neobanks. Indeed, 30 neobanks have been wound down since 2015, according to Stegmeier. Still, the neobank boom hasn't totally stalled. Over 30 neobanks launched in the face of the pandemic, including Zelf, Daylight (a US bank for LGBT+ members) and Tenpo in Chile. Meanwhile, dozens of new players are still planning to go live in 2021 -- including Greece's Woli and France's Vybe.

An anonymous reader shares a report: On an earnings call two months ago, SolarWinds Chief Executive Kevin Thompson touted how far the company had gone during his 11 years at the helm. There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call. "We don't think anyone else in the market is really even close in terms of the breadth of coverage we have," he said. "We manage everyone's network gear." Now that dominance has become a liability -- an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers. On Monday, SolarWinds confirmed that Orion -- its flagship network management software -- had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

[...] Cybersecurity experts across government and private industry are still struggling to understand the scope of the damage, which some are already calling one of the most consequential breaches in recent memory. [...] Experts are reviewing their notes to find old examples of substandard security at the company. Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password "solarwinds123" "This could have been done by any attacker, easily," Kumar said. Others -- including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress -- noticed that, even days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

An anonymous Slashdot reader writes: For the past year, hackers have been breaking into MySQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back. If database owners don't respond and ransom their data back in nine days, the databases are then put up on auction on a dark web portal.
"More than 85,000 MySQL databases are currently on sale on a dark web portal for a price of only $550/database," reports ZDNet: This suggests that both the DB intrusions and the ransom/auction web pages are automated and that attackers don't analyze the hacked databases for data that could contain a higher concentration of personal or financial information. Signs of these ransom attacks have been piling up over the course of 2020, with the number of complaints from server owners finding the ransom note inside their databases popping up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.

Oracle said on Friday it's moving its headquarters from the Silicon Valley to Austin, Texas. CNBC reports: "Oracle is implementing a more flexible employee work location policy and has changed its Corporate Headquarters from Redwood City, California to Austin, Texas. We believe these moves best position Oracle for growth and provide our personnel with more flexibility about where and how they work," a spokesperson confirmed to CNBC. A bulk of employees can choose their office location, or continue to work from home part time or full time, the company said.

"In addition, we will continue to support major hubs for Oracle around the world, including those in the United States such as Redwood City, Austin, Santa Monica, Seattle, Denver, Orlando and Burlington, among others, and we expect to add other locations over time," Oracle said. "By implementing a more modern approach to work, we expect to further improve our employees' quality of life and quality of output." Oracle is one of Silicon Valley's older success stories, founded in Santa Clara in 1977. It moved into its current headquarters in 1989. Several of the buildings on its campus there are constructed in the shape of a squat cylinder, which is the classic symbol in computer systems design for a database, the product on which Oracle built its empire.