The Courts

Filmmakers Sue State Department Over Social Media Surveillance Rules (theverge.com) 20

A group of filmmakers have sued the State Department for making visa applicants hand over details about their social media accounts. "The lawsuit argues that the requirement unconstitutionally discourages applicants from speaking online -- and, conversely, discourages people who post political speech from trying to enter the U.S.," reports The Verge. From the report: This lawsuit, filed by the Doc Society and the International Documentary Association, challenges the decision on First Amendment grounds. It calls the registration system "the cornerstone of a far reaching digital surveillance regime" that makes would-be visitors provide "effectively a live database of their personal, creative, and political activities online" -- which the government can monitor at any time, long after the application process has been completed. Applicants must even disclose accounts that they use pseudonymously, and if U.S. authorities fail to keep that information secure, it could potentially endanger people who are trying to avoid censorship from a repressive foreign government.

The plaintiffs in this lawsuit say that some non-U.S. members have begun deleting social media content or stopped expressing themselves online because they're afraid it will complicate their ability to enter the U.S. Others have decided to stop working in the country because they don't want to reveal their social media accounts. "The Registration Requirement enables the government to compile a database of millions of people's speech and associations, which it can cross-reference to glean more information about any given visa applicant," warns the suit. And "the government's indefinite retention of information collected through the Registration Requirement further exacerbates the requirement's chilling effect because it facilitates surveillance into the future."

Microsoft

44 Million Microsoft Users Reused Passwords in the First Three Months of 2019 (zdnet.com) 34

The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. From a report: The scan took place between January and March 2019. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.

Privacy

US Shows a 'Concerning Lack of Regard For the Privacy of People's Biometrics' (betanews.com) 58

Mark Wilson shares a report from BetaNews: When it comes to the extensive and invasive use of biometric data, the USA is one of the worst offenders in the world, faring only slightly better than China. According to research conducted by Comparitech, which rated 50 countries according to how, where and why biometrics were taken and how they are stored, the U.S. ranked as the fourth worst country. Topping the list is China, followed by Malaysia and Pakistan.

While Comparitech did not look at every country in the world, its study did compare 50 of them. To give a country a rating out of 25, each was rated out of five in four categories (storage, CCTV, workplace, and visas) according to how invasive and pervasive the collection and use of biometrics is. Five questions were also applied to them, with each answer in the affirmative resulting in one point. [The five questions are available in the report.] The U.S. was assigned a score of 20/25 for its heavy use of biometrics, including growing use of facial recognition, without there being specific laws to protect citizens' data. There was concern at the growing use of biometrics in the workplace. At the other end of the league are Ireland and Portugal, both praised for their small or non-existent biometric databases. Both scored 11 points.

iPhone

The iPhone 11 Pro's Location Data Puzzler (krebsonsecurity.com) 74

Brian Krebs: One of the more curious behaviors of Apple's new iPhone 11 Pro is that it intermittently seeks the user's location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company's own privacy policy. The privacy policy available from the iPhone's Location Services screen says, "If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations."

The policy explains users can disable all location services entirely with one swipe (by navigating to Settings > Privacy > Location Services, then switching "Location Services" to "off"). When one does this, the location services indicator -- a small diagonal upward arrow to the left of the battery icon -- no longer appears unless Location Services is re-enabled. The policy continues: "You can also disable location-based system services by tapping on System Services and turning off each location-based system service." But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location.

Security

Millions of SMS Text Messages Exposed In Unencrypted Database (techcrunch.com) 17

"A massive database storing tens of millions of SMS text messages, most of which were sent by businesses to potential customers, has been found online," reports TechCrunch. The database belongs to a company that works with over 990 cell phone operators and reaches more than 5 billion subscribers around the world, according to the researchers.

TechCrunch writes: The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.

The database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside. Security researchers Noam Rotem and Ran Locar found the exposed database earlier this month as part of their internet scanning efforts... Many of the messages we reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts...

One table alone had tens of millions of messages, many of which were message recipients trying to opt-out of receiving text messages.

Oracle

Oracle Responds To Wage Discrimination Claims By Suing US Department of Labor (theregister.co.uk) 125

According to The Register, Oracle is suing the Department of Labor for repeatedly accusing the company of discriminating against and underpaying women and minorities. From the report: In a lawsuit [PDF] filed Wednesday in a Washington DC district court, Big Red accuses the U.S. Department of Labor of "unprecedented overreach by an executive agency," and claims the agency doesn't have the authority to cut Oracle out of government contracts for its discriminatory practices or sue it for underpaying certain staff. With one hand holding the constitution and the other bashing its chest, the database giant warned perilously that "the rise of the modern administrative state has altered our government structure" but that it had "not undone our constitutional structure."

The folks at the Office of Federal Contract Compliance Programs (OFCCP) have "created a coercive administrative enforcement and adjudicative regime" the lawsuit bellows. "Without authority from any Act of Congress - indeed, in contravention of congressional legislation - a group of unelected, unaccountable, and unconfirmed administrative officials have cut from whole cloth this adjudicative agency enforcement scheme." The lawsuit is just the latest in a brutal battle between Oracle and the Labor Department that started in 2017 when the government sued the database biz for pay and employment discrimination. According to federal investigators, Oracle pays its white male employees more than women and minorities even when they are in the same job with the same title. It studied Oracle's hiring practices since 2013 and concluded that there were "gross disparities in pay even after controlling for job title, full-time status, exempt status, global career level, job speciality, estimated prior work experience, and company tenure."

Programming

What Tech Skills Do Employers Want? SQL, Java, Python, and AWS (ieee.org) 121

"What tech skills do U.S. employers want? Researchers at job search site Indeed took a deep dive into its database to answer that question," reports IEEE Spectrum: [A]t least for now, expertise in SQL came out on top of the list of most highly sought after skills, followed by Java. Python and Amazon Web Services (AWS) are coming on fast, and, should trends continue, may take over the lead in the next year or two...

Indeed's team considered U.S. English-language jobs posted on the site between September 2014 and September 2019; those postings encompassed 571 tech skills. Over that period, Docker, the enterprise container platform, sits at number 20 on the list today, but that is the result of a dramatic climb over that five-year period. Demand for proficiency in that platform-as-a-service grew more than 4000 percent, from a barely registering share of 0.1 percent of job post mentions in 2014 to 5.1 percent today. Azure jumped more than 1000 percent during that period, from 0.6 percent to 6.9 percent; and the general category of machine learning climbed 439 percent, closely followed by AWS at 418 percent.

Indeed's researchers note that the big jumps in demand for engineers skilled in Python stem from the boom in data scientist and engineer jobs, which disproportionately use Python.

"Python" has overtaken "Linux" in just the last two years, while in the same period "AWS" overtook C++, C, C# and .net.

Privacy

1.2 Billion Records Found Exposed Online in a Single Server (wired.com) 17

JustAnotherOldGuy writes: For well over a decade, identity thieves, phishers, and other online scammers have created a black market of stolen and aggregated consumer data that they used to break into people's accounts, steal their money, or impersonate them. In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information -- about 1.2 billion records in all. While the collection is impressive for its sheer volume, the data doesn't include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses. "It's bad that someone had this whole thing wide open," Troia says. "This is the first time I've seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That's a lot of information in one place to get you started."

Security

Password Data For About 2.2 Million Users of Currency, Gaming Sites Dumped Online (arstechnica.com) 25

Password data and other personal information belonging to as many as 2.2 million users of two websites -- one a cryptocurrency wallet service and the other a gaming bot provider -- have been posted online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service. Ars Technica reports: One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that's among the hardest to crack.

The person posting the 3.72GB Gatehub database said it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes, although GateHub officials said an investigation suggested wallet hashes were not accessed. The EpicBot database, meanwhile, purportedly included usernames and IP addresses. Hunt said he selected a representative sample of accounts from both databases to verify the authenticity of the data. All of the email addresses he checked were registered to accounts of the two sites. [...] While there were 2.2 million unique addresses in the two dumps, it's possible that corresponding password hashes or other data isn't included with each one.

AI

Ancestry Taps AI To Sift Through Millions of Obituaries 27

Algorithms identified death notices in old newspaper pages, then another set of algorithms pulled names and other key details into a searchable database. From a report: Ancestry used artificial intelligence to extract obituary details hidden in a half-billion digitized newspaper pages dating back to 1690, data invaluable for customers building their family trees. The family history and consumer-genomics company, based in Lehi, Utah, began the project in late 2017 and introduced the new functionality last month. Through its subsidiary Newspapers.com, the company had a trove of newspaper pages, including obituaries -- but it said that manually finding and importing those death notices to Ancestry.com in a form that was usable for customers would likely have taken years. Instead, Ancestry tasked its 24-person data-science team with having technology pinpoint and make sense of the data. The team trained machine-learning algorithms to recognize obituary content in those 525 million newspaper pages. It then trained another set of algorithms to detect and index key facts from the obituaries, such as names of the deceased's spouse and children, birth dates, birthplaces and more.

Ancestry, which has about 3.5 million subscribers, now offers about 262 million obituaries, up from roughly 40 million two years ago. Its database includes about a billion names associated with obituaries, including names of the deceased and their relatives. Besides analyzing the trove of old newspaper pages, the algorithms were also applied to online obituaries coming into Ancestry's database, making them more searchable. Before the AI overhaul, the roughly 40 million obituaries on Ancestry.com were searchable only by the name of the deceased. That meant a search for "Mary R. Smith," for instance, would yield obituaries only for people with that name -- not other obituaries that mentioned that name as a sibling or child.

Privacy

The NYPD Kept an Illegal Database of Juvenile Fingerprints For Years (theintercept.com) 63

An anonymous reader quotes a report from The Intercept: For years, the New York Police Department illegally maintained a database containing the fingerprints of thousands of children charged as juvenile delinquents -- in direct violation of state law mandating that police destroy these records after turning them over to the state's Division of Criminal Justice Services. When lawyers representing some of those youths discovered the violation, the police department dragged its feet, at first denying but eventually admitting that it was retaining prints it was supposed to have destroyed. Since 2015, attorneys with the Legal Aid Society, which represents the majority of youths charged in New York City family courts, had been locked in a battle with the police department over retention of the fingerprint records of children under the age of 16. The NYPD did not answer questions from The Intercept about its handling of the records, but according to Legal Aid, the police department confirmed to the organization last week that the database had been destroyed. To date, the department has made no public admission of wrongdoing, nor has it notified the thousands of people it impacted, although it has changed its fingerprint retention practices following Legal Aid's probing. "The NYPD can confirm that the department destroys juvenile delinquent fingerprints after the prints have been transmitted to DCJS," a police spokesperson wrote in a statement to The Intercept.

Still, the way the department handled the process -- resisting transparency and stalling even after being threatened with legal action -- raises concerns about how police handle a growing number of databases of personal information, including DNA and data obtained through facial recognition technology. As The Intercept has reported extensively, the NYPD also maintains a secretive and controversial "gang database," which labels thousands of unsuspecting New Yorkers -- almost all black or Latino youth -- as "gang members" based on a set of broad and arbitrary criteria. The fact that police were able to violate the law around juvenile fingerprints for years without consequence underscores the need for greater transparency and accountability, which critics say can only come from independent oversight of the department.

It's unclear how long the NYPD was illegally retaining these fingerprints, but the report says the state has been using the Automated Fingerprint Identification System since 1989, "and laws protecting juvenile delinquent records have been in place since at least 1977." Legal Aid lawyers estimate that tens of thousands of juveniles could have had their fingerprints illegally retained by police.

Databases

Unusual New 'PureLocker' Ransomware Is Going After Servers (zdnet.com) 22

Researchers at Intezer and IBM X-Force have detected an unconventional form of ransomware that's being deployed in targeted attacks against enterprise servers. They're calling it PureLocker because it's written in the PureBasic programming language. ZDNet reports: It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms. "Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.

There are currently no figures on the number of PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.' However, it's also believed that rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.

AI

AI Cracks Centuries-Old 'Three Body Problem' In Under a Second (livescience.com) 146

Long-time Slashdot reader taiwanjohn shared this article from Live Science: The mind-bending calculations required to predict how three heavenly bodies orbit each other have baffled physicists since the time of Sir Isaac Newton. Now artificial intelligence (A.I.) has shown that it can solve the problem in a fraction of the time required by previous approaches.

Newton was the first to formulate the problem in the 17th century, but finding a simple way to solve it has proved incredibly difficult. The gravitational interactions between three celestial objects like planets, stars and moons result in a chaotic system -- one that is complex and highly sensitive to the starting positions of each body. Current approaches to solving these problems involve using software that can take weeks or even months to complete calculations. So researchers decided to see if a neural network -- a type of pattern recognizing A.I. that loosely mimics how the brain works -- could do better.

The algorithm they built provided accurate solutions up to 100 million times faster than the most advanced software program, known as Brutus. That could prove invaluable to astronomers trying to understand things like the behavior of star clusters and the broader evolution of the universe, said Chris Foley, a biostatistician at the University of Cambridge and co-author of a paper to the arXiv database, which has yet to be peer-reviewed.

Databases

Mysterious Hacker Dumps Database of Infamous IronMarch Neo-Nazi Forum (zdnet.com) 186

Freshly Exhumed shares a report from ZDNet: A mysterious hacker has published today a database dump of one of the internet's most infamous neo-nazi meeting places -- the IronMarch forum. The data published today includes a full copy of its content, including sensitive details such as emails, IP addresses, usernames, and private messages. The database dump is currently being analyzed by a multitude of entities, including law enforcement, in the hopes of linking forum members to accounts on other sites and potentially exposing their real-world identities. The drive to unmask forum members comes from the fact that IronMarch, while a little-known site to most internet users, has been the birthplace of two of today's most extreme far-right neo-nazi movements -- the Atomwaffen Division and SIEGE Culture -- with the first being accused of orchestrating at least eight murders around the world. The forum's data was published earlier today via the Internet Archive portal.

"The published information includes a carbon copy of the site, from user details to forum posts, and from private messages to multi-factor authentication settings and forum management logs," reports BleepingComputer. "The forum's database includes details on 3,548 registered profiles. The last user's database ID is 15,218; however, the dump only included details on 3,548 accounts -- most likely due to spam or deleted profiles. The registration date for the last user is November 20, 2017, suggesting the database is a copy of the site near the time it went offline."

Privacy

DHS Will Soon Have Biometric Data On Nearly 260 Million People (qz.com) 40

The U.S. Department of Homeland Security (DHS) expects to have face, fingerprint, and iris scans of at least 259 million people in its biometrics database by 2022, according to a recent presentation from the agency's Office of Procurement Operations reviewed by Quartz. From the report: That's about 40 million more than the agency's 2017 projections, which estimated 220 million unique identities by 2022, according to previous figures cited by the Electronic Frontier Foundation (EFF), a San Francisco-based privacy rights nonprofit.

A slide deck, shared with attendees at an Oct. 30 DHS industry day, includes a breakdown of what its systems currently contain, as well as an estimate of what the next few years will bring. The agency is transitioning from a legacy system called IDENT to a cloud-based system (hosted by Amazon Web Services) known as Homeland Advanced Recognition Technology, or HART. The biometrics collection maintained by DHS is the world's second-largest, behind only India's countrywide biometric ID network in size. The traveler data kept by DHS is shared with other U.S. agencies, state and local law enforcement, as well as foreign governments.

Security

Trend Micro Security Incident Involving Selling Customer Data Was an Inside Job (betanews.com) 16

Mark Wilson shares a report from BetaNews: Security firm Trend Micro has revealed details of an inside scam which led to personal details of its customers being exposed. The security incident dates back to August this year, and the company says that it was made aware of customers being contacted by fake Trend Micro support staff. Following an investigation lasting until the end of October, it was determined that it was a member of staff that had fraudulently gained access to a customer database and sold personal data to a third party.

Trend Micro says that the employee was able to access names, email addresses, support ticket numbers and telephone numbers, stressing that it was an inside job and not an external hack. The finger of blame points squarely at "a Trend Micro employee who improperly accessed the data with a clear criminal intent", and law enforcement is now involved. While the company says that the incident affects less than 1 percent of its 12 million consumer customers, this still means that the details of over 100,000 people could have been exposed.

Privacy

This Is How the US Military's Massive Facial Recognition System Works (medium.com) 51

Over the last 15 years, the United States military has developed a new addition to its arsenal. The weapon is deployed around the world, largely invisible, and grows more powerful by the day. From a report: That weapon is a vast database, packed with millions of images of faces, irises, fingerprints, and DNA data -- a biometric dragnet of anyone who has come in contact with the U.S. military abroad. The 7.4 million identities in the database range from suspected terrorists in active military zones to allied soldiers training with U.S. forces. "Denying our adversaries anonymity allows us to focus our lethality. It's like ripping the camouflage netting off the enemy ammunition dump," wrote Glenn Krizay, director of the Defense Forensics and Biometrics Agency, in notes obtained by OneZero. The Defense Forensics and Biometrics Agency (DFBA) is tasked with overseeing the database, known officially as the Automated Biometric Information System (ABIS).

DFBA and its ABIS database have received little scrutiny or press given the central role they play in the U.S. military's intelligence operations. But a newly obtained presentation and notes written by the DFBA's director, Krizay, reveal how the organization functions and how biometric identification has been used to identify non-U.S. citizens on the battlefield thousands of times in the first half of 2019 alone. ABIS also allows military branches to flag individuals of interest, putting them on a so-called "Biometrically Enabled Watch List" (BEWL). Once flagged, these individuals can be identified through surveillance systems on battlefields, near borders around the world, and on military bases. The presentation also sheds light on how military, state, and local law enforcement biometrics systems are linked. According to Krizay's presentation, ABIS is connected to the FBI's biometric database, which is in turn connected to databases used by state and local law enforcement.

Databases

'Game-Changer' Warrant Let Detective Search Genetic Database (nytimes.com) 108

An anonymous reader quotes a report from The New York Times: Last week, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users. Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy. "That's a huge game-changer," said Erin Murphy, a law professor at New York University. "The company made a decision to keep law enforcement out, and that's been overridden by a court. It's a signal that no genetic information can be safe."

DNA policy experts said the development was likely to encourage other agencies to request similar search warrants from 23andMe, which has 10 million users, and Ancestry.com, which has 15 million. If that comes to pass, the Florida judge's decision will affect not only the users of these sites but huge swaths of the population, including those who have never taken a DNA test. That's because this emerging forensic technique makes it possible to identify a DNA profile even through distant family relationships. [...] Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as "Don't rock the boat."

A spokesman for 23andMe said in a statement: "We never share customer data with law enforcement unless we receive a legally valid request such as a search warrant or written court order. Upon receipt of an inquiry from law enforcement, we use all practical legal measures to challenge such requests in order to protect our customers' privacy." Ancestry.com did not respond to request for comment.

Privacy

DNA Databases Are a National Security Leak Waiting To Happen (technologyreview.com) 35

schwit1 writes: A private DNA ancestry database that's been used by police to catch criminals is a security risk from which a nation-state could steal DNA data on a million Americans, according to security researchers. Security flaws in the service, called GEDmatch, not only risk exposing people's genetic health information but could let an adversary such as China or Russia create a powerful biometric database useful for identifying nearly any American from a DNA sample. GEDMatch, which crowdsources DNA profiles, was created by genealogy enthusiasts to let people search for relatives and is run entirely by volunteers. It shows how a trend toward sharing DNA data online can create privacy risks affecting everyone, even people who don't choose to share their own information.

"You can replace your credit card number, but you can't replace your genome," says Peter Ney, a postdoctoral researcher in computer science at the University of Washington. Ney, along with professors and DNA security researchers Luis Ceze and Tadayoshi Kohno, described in a report posted online how they developed and tested a novel attack employing DNA data they uploaded to GEDmatch. Using specially designed DNA profiles, they say, they were able to run searches that let them guess more than 90% of the DNA data of other users. The founder of GEDmatch, Curtis Rogers, confirmed that the researchers alerted him to the threat during the summer.

"The same attack wouldn't work on other genealogy sites, like 23andMe, because they don't permit data uploads," the report notes. "Others, like MyHeritage, do allow uploads but don't give users as much information about their matches."

"The problem with GEDmatch is the browser is too good, and searches too deeply," says Erlich. "If I were them, I would remove it, fix it, then put it back."

Security

Uber Allegedly Paid $100K Ransom and Had Hackers Sign NDAs After Data Breach (cbsnews.com) 20

An anonymous reader quotes a report from CBS News: New details about how Uber responded to a massive hack attack in 2016 raise questions about the way it handled sensitive customer information. Instead of reporting the hackers to police, the company allegedly paid $100,000 in exchange for a promise to delete 57 million user files the men stole off a third party server, prosecutors said. Within weeks of paying the ransom, Uber employees showed up at Brandon Glover's Winter Park, Florida, home and found Vasile Mereacre at a hotel restaurant in Toronto, Canada, the Justice Department said. The pair admitted their crimes, but Uber didn't turn them over to the cops. Instead, they had the hackers sign non-disclosure agreements, promising to keep quiet. The two hackers pleaded guilty on Wednesday.

But there was a third person involved who was unknown to Uber, U.S. attorney for Northern California Dave Anderson told CBS News correspondent Kris Van Cleave in an exclusive interview. Anderson, who investigated the hack, said there's "no way to know definitively" what actually happened to the stolen data. [...] The hackers also targeted a company owned by LinkedIn in December of 2016, but prosecutors say LinkedIn did not pay and promptly reported the hack to police. Uber eventually did as well -- a year after the hack, when new CEO, Dara Khosrowshahi, publicly disclosed the attack. The two known hackers were eventually arrested and pleaded guilty on Wednesday to conspiracy to commit extortion charges. They face a maximum of five years in prison. The third person involved remains at large.
