The Almighty Buck

Debit Card With Built-In Fingerprint Reader Begins Trial In the UK (theverge.com)

British bank NatWest is trialing the use of a new NFC payment card with a built-in fingerprint scanner. "The trial, which will include 200 customers when it begins in mid-April, will allow its participants to make NFC payments (called 'contactless' in the UK) without needing to input a PIN or offer a signature," reports The Verge. "The standard [30 British pound] limit for contactless payments will not apply when the fingerprint is used." From the report: Currently, anyone can make a contactless payment in the UK by tapping their card on the terminal to make a payment. As a result of this lack of security, a [30 British pound] limit is applied to such payments, with retailers requiring you to place your card into the card reader and enter a PIN for more expensive purchases (commonly referred to as the "Chip and PIN" method). Although mobile payments require authentication, customers often find they're subject to the same [30 British pound] limit. The fingerprint data is stored locally on the card, meaning there's no security information for a hacker to be able to steal from a bank's central database. It's not foolproof -- there's always the risk a sufficiently determined thief could steal and imitate your fingerprint -- but it's much more secure than a PIN that someone could learn by simply looking over your shoulder as you enter it.
Cloud

Cringely's Next 2019 Predictions: Only 3.5 Cloud Players Will Survive (cringely.com)

Ten days ago 66-year-old tech pundit Robert Cringely revealed the first of what may be his final set of annual predictions for the technology industry -- but he's not done yet. Thursday Cringely predicted that "the Virtual Private Cloud (VPC) solution based on Open Source using Linux will change the Internet-as-a-Service Cloudscape to VPC-only during 2019" -- and that there'll be an industry-wide shakeout.

Long-time Slashdot reader supremebob, a Connecticut-based sys-admin, writes: He seems to believe that IBM Cloud and Oracle Cloud are doomed to fail, and Alibaba will only survive because of its strong Chinese presence. These seem like safe predictions, but his comments on Google Cloud are somewhat controversial...
After AWS, Alibaba, and Microsoft, "All the others will eventually disappear," Cringely writes, adding "Remember you read it first here." Google's largest cloud customer will always be Google and that will inevitably lead to poorer service for outside customers. That's why I think of Google Cloud as half of a player. Feel free to prove me wrong by delighting customers, Google... I don't see the marketing effort to help clients migrate. Lots of handholding is needed that IBM and Microsoft are happy to provide. Google does not understand customers whose IQs are sub-200. As such, Google doesn't have (and likely won't have) a history of winning outside of search advertising.

For IBM, their VPC roll-out is coming in the next month or two, but it's more marketing than an actual product. Big Blue simply has no capital to build out a unique offering. And Oracle? Well the new head of Google Cloud came from Oracle, where not enough was happening.

Cringely also predicts the U.S. government will try to force Amazon to spin-off its near-monopoly cloud business, noting that "the larger customers of AWS (those not operating on a credit card) generally hate Amazon because of its ruthless business behavior."

Lots of pressure will come to bear in this case from IBM, Microsoft, and Oracle, who are all suffering from a very specific database problem competing with AWS. Each of these companies sells their own database (DB2, SQL Server, and Oracle, respectively) that they've rolled into their cloud services. AWS's RDB, in contrast, is based on MySQL and costs Amazon almost nothing to support, giving the biggest cloud player a clear pricing advantage.
Security

Machine Learning Can Use Tweets To Spot Critical Security Flaws (wired.com)

Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper [PDF] describing a new system that reads millions of tweets for mentions of software security vulnerabilities, and then, using their machine-learning-trained algorithm, assesses how much of a threat they represent based on how they're described. From a report: They found that Twitter can not only predict the majority of security flaws that will show up days later on the National Vulnerability Database -- the official register of security vulnerabilities tracked by the National Institute of Standards and Technology -- but that they could also use natural language processing to roughly predict which of those vulnerabilities will be given a "high" or "critical" severity rating with better than 80 percent accuracy.

"We think of it almost like Twitter trending topics," says Alan Ritter, an Ohio State professor who worked on the research and will be presenting it at the North American Chapter of the Association for Computational Linguistics in June. "These are trending vulnerabilities." A work-in-progress prototype they've put online, for instance, surfaces tweets from the last week about a fresh vulnerability in MacOS known as "BuggyCow," as well as an attack known as SPOILER that could allow webpages to exploit deep-seated vulnerabilities in Intel chips. Neither of the attacks, which the researchers' Twitter scanner labeled "probably severe," has shown up yet in the National Vulnerability Database.

Security

Over 800 Million Emails Leaked Online By Email Verification Service (securitydiscovery.com)

Security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150GB of detailed, plaintext marketing data -- including hundreds of millions of unique email addresses. An anonymous Slashdot reader shares Diachenko's findings, which were made public today: On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII). This database contained four separate collections of data and combined was an astounding 808,539,939 records. As part of the verification process I cross-checked a random selection of records with Troy Hunt's HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another "Collection" of previously leaked sources but a completely unique set of data. Although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records.

In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database -- a company named "Verifications.io" -- which offered the services of "Enterprise Email Validation." Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.

Government

Disputed NSA Phone Program Is Shut Down, Aide Says (nytimes.com)

According to a senior Republican congressional aide, the National Security Agency has quietly shut down a system that analyzes logs of Americans' domestic calls and texts. "The agency has not used the system in months, and the Trump administration might not ask Congress to renew its legal authority, which is set to expire at the end of the year, according to the aide, Luke Murry, the House minority leader's national security adviser," reports The New York Times. From the report: In a raw assertion of executive power, President George W. Bush's administration started the program as part of its intense pursuit of Qaeda conspirators in the weeks after the 2001 terrorist attacks, and a court later secretly blessed it. The intelligence contractor Edward J. Snowden disclosed the program's existence in 2013, jolting the public and contributing to growing awareness of how both governments and private companies harvest and exploit personal data. The way that intelligence analysts have gained access to bulk records of Americans' phone calls and texts has evolved, but the purpose has been the same: They analyze social links to hunt for associates of known terrorism suspects.

Congress ended and replaced the program disclosed by Mr. Snowden with the U.S.A. Freedom Act of 2015, which will expire in December. Security and privacy advocates have been gearing up for a legislative battle over whether to extend or revise the program -- and with what changes, if any. Mr. Murry, who is an adviser for Representative Kevin McCarthy of California, raised doubts over the weekend about whether that debate will be necessary. His remarks came during a podcast for the national security website Lawfare. Mr. Murry brought up the pending expiration of the Freedom Act, but then disclosed that the Trump administration "hasn't actually been using it for the past six months." "I'm actually not certain that the administration will want to start that back up," Mr. Murry said. He referred to problems that the National Security Agency disclosed last year. "Technical irregularities" had contaminated the agency's database with message logs it had no authority to collect, so officials purged hundreds of millions of call and text records gathered from American telecommunications firms.
A spokesman for Mr. McCarthy's office said that Mr. Murry "was not speaking on behalf of administration policy or what Congress intends to do on this issue."
China

Hundreds of Millions of Chinese Chat Logs Leak Online (ft.com)

Hundreds of millions of private chat logs from Chinese users have been left exposed on the internet, a researcher has found, in another worrying case of weak data protection in China. Financial Times reports: Victor Gevers, a security researcher at the cyber-security organisation GDI Foundation, said that he had found a database of 364m records, containing social media profiles and chat logs linked to names and identity card numbers.

The database was freely accessible online to anyone who searched for its IP address, and user profiles were stored together with photographs, addresses and locations, said Mr Gevers. The main database was piping data to 17 other servers depending on which area the data came from, Mr Gevers said. [...] A large number of the records had the names and addresses of web cafes on them. Chinese cyber-security experts have long warned that web cafes collect vast amounts of customer data.

Databases

Massive Database Leak Exposes China's 'Digital Surveillance State' (eff.org)

Long-time Slashdot reader retroworks shared this EFF article: Although relatively little news gets out of Xinjiang to the rest of the world, we've known for over a year that China has been testing facial-recognition tracking and alert systems across Xinjiang and mandating the collection of biometric data -- including DNA samples, voice samples, fingerprints, and iris scans -- from all residents between the ages of 12 and 65... Earlier this month, security researcher Victor Gevers found and disclosed an exposed database live-tracking the locations of about 2.6 million residents of Xinjiang, China, offering a window into what a digital surveillance state looks like in the 21st century...

Over a period of 24 hours, 6.7 million individual GPS coordinates were streamed to and collected by the database, linking individuals to various public camera streams and identification checkpoints associated with location tags such as "hotel," "mosque," and "police station." The GPS coordinates were all located within Xinjiang. This database is owned by the company SenseNets, a private AI company advertising facial recognition and crowd analysis technologies. A couple of days later, Gevers reported a second open database tracking the movement of millions of cars and pedestrians. Violations like jaywalking, speeding, and going through a red-light are detected, trigger the camera to take a photo, and ping a WeChat API, presumably to try and tie the event to an identity.

China may have a working surveillance program in Xinjiang, but it's a shockingly insecure security state. Anyone with an Internet connection had access to this massive honeypot of information... Even poorly-executed surveillance is massively expensive, and Beijing is no doubt telling the people of Xinjiang that these investments are being made in the name of their own security. But the truth, revealed only through security failures and careful security research, tells a different story: China's leaders seem to care little for the privacy, or the freedom, of millions of its citizens.

EFF also reports that a Chinese cybersecurity firm recently discovered 468 exposed MongoDB servers on the internet, including databases containing detailed information about remote access consoles owned by China General Nuclear Power Group.

Meanwhile, ZDNet suggests that SenseNets may actually be "a government contractor, helping authorities track the Muslim minority, rather than a private company selling its product to another private entity. Otherwise, it would be hard to explain how SenseNets has access to ID card information and camera feeds from police stations and other government buildings."
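
The exposure behind the 808-million-record Verifications.io instance above and the 468 MongoDB servers EFF counts is almost always the same two settings in mongod.conf: a listener bound to every interface with authorization left at its default of disabled. The following is an added example, not code from Diachenko's write-up, from EFF, or from MongoDB; it audits a config for exactly those two settings. The two config samples are constructed for the example, the address 10.0.0.5 is a placeholder, and the parser handles only the flat two-level YAML subset those samples use (a real audit should load the file with a YAML library).

```python
"""Audit a mongod.conf for the two settings whose combination produced the
exposures above: a listener bound to every interface with authorization
off. Added example, not code from the write-ups or from MongoDB. The parser
handles only the flat two-level YAML subset in the constructed samples;
load real files with a YAML library."""


def parse_minimal_yaml(text):
    """Parse 'section:' / '  key: value' lines into {section: {key: value}}.
    Assumption (constructed example): two levels, no lists, '#' comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf[section] = {}
        else:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit_mongod_conf(text):
    """Return findings for the two exposure checks; an empty list passes."""
    conf = parse_minimal_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # mongod 3.6+ defaults bindIp to localhost; older builds listened on every
    # interface. Require an explicit value so the result does not depend on
    # which build deployed the file.
    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in bind_ip.split(",")] if bind_ip else []
    if bind_all or not addrs or any(a in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append("net.bindIp: listener reachable on all interfaces "
                        "(or not set explicitly)")

    # security.authorization defaults to 'disabled': any client that can
    # connect can read every collection, which is what the researchers did.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not 'enabled'")
    return findings


# Constructed sample: the pattern behind the 808M-record and 468-server finds.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened sample: loopback plus one private app address
# (placeholder), role-based access control on (create the admin user first).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Enabling authorization on a live instance only helps if an admin user already exists, so the order is: create the user, set `security.authorization: enabled`, restart, then confirm from an outside host that port 27017 refuses unauthenticated reads. Binding to a private address is the second, independent control; the instances in these stories had neither.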
Privacy

Ask Slashdot: How Is It Even Legal For Websites To Gather And Sell Users' Data?

Long-time Slashdot reader dryriver sees it like this: Let's say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

Would I be breaking the law if John D. has not given me explicit permission to do this? Very likely. If this is the case for "meatspace data gathering", how can websites justify gathering information about visitors, and selling that information to third parties?

How would you answer this question? Attempt your own best explanations in the comments. How is your country balancing the need for online privacy with actual laws governing what can and can't be collected?

Businesses

MariaDB CEO Accuses Large Cloud Vendors of Strip-Mining Open Source (zdnet.com)

Big cloud companies are "strip-mining open-source technologies and companies," complains Michael Howard, CEO of MariaDB. At their developer conference, Howard accused "big cloud" of "really abusing the license and privilege [of open source], by not giving back to the community." ZDNet reports: Even as MariaDB grows by leaps and bounds in enterprise computing at Oracle's expense, Howard sees Oracle and Amazon fighting against it. "Oracle as the example of on-premise lock-in and Amazon being the example of cloud lock-in. You could interchange the names, you can honestly say now that Amazon should just be called Oracle Prime...."

In the first keynote, Austin Rutherford, MariaDB's VP of Customer Success, showed the result of a HammerDB benchmark on AWS EC2... In these tests, AWS's default MariaDB instances did poorly, while AWS homebrew Aurora, which is built on top of MySQL, consistently beat them. The top-performing database management system of all was MariaDB Managed Services on AWS. "My first reaction when I looked at the benchmarks," said Howard, was "maybe there's incompetence going on. Maybe they just don't know how to optimize a DBMS." He observed that one MariaDB customer, one of the biggest retail drug companies in the world, had told MariaDB that "Amazon offers the most vanilla MariaDB around. There's nothing enterprise about it. We could just install MariaDB from source on EC2 and do as well."

He then "began to wonder, Is there something that they're deliberately crippling?" Howard wouldn't go so far as to say AWS is consciously doing a poor job of implementing its MariaDB instances. Howard did say, "And then it became clear that, however, you want to articulate this, there is something not kosher happening." Howard doesn't have much against AWS promoting its own brands... But, if AWS's going out of its way to make a rival service look inferior to its own, well, Howard's not happy about that.

ZDNet adds that "it's also quite possible that an unoptimized generic MariaDB instance will simply lag behind AWS-optimized Aurora.

"That said, even in this most innocent take on the benchmark results, cloud customers would be wise to take into consideration that cloud instances of any specific software service may not be created equal."
Canada

Police In Canada Are Tracking People's 'Negative' Behavior In a 'Risk' Database (vice.com)

An anonymous reader quotes a report from Motherboard: Police, social services, and health workers in Canada are using shared databases to track the behavior of vulnerable people -- including minors and people experiencing homelessness -- with little oversight and often without consent. Documents obtained by Motherboard from Ontario's Ministry of Community Safety and Correctional Services (MCSCS) through an access to information request show that at least two provinces -- Ontario and Saskatchewan -- maintain a "Risk-driven Tracking Database" that is used to amass highly sensitive information about people's lives. Information in the database includes whether a person uses drugs, has been the victim of an assault, or lives in a "negative neighborhood."

The Risk-driven Tracking Database (RTD) is part of a collaborative approach to policing called the Hub model that partners cops, school staff, social workers, health care workers, and the provincial government. Information about people believed to be "at risk" of becoming criminals or victims of harm is shared between civilian agencies and police and is added to the database when a person is being evaluated for a rapid intervention intended to lower their risk levels. Interventions can range from a door knock and a chat to forced hospitalization or arrest. Data from the RTD is analyzed to identify trends -- for example, a spike in drug use in a particular area -- with the goal of producing planning data to deploy resources effectively, and create "community profiles" that could accelerate interventions under the Hub model, according to a 2015 Public Safety Canada report.
Saskatchewan and Ontario officials say the data in the database is "de-identified" by removing details such as people's names and birthdates, but experts Motherboard spoke to say that scrubbing data so it may never be used to identify an individual is difficult if not impossible.
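
The experts' point about "de-identified" data is easy to show concretely. Below is an added example, not from the Motherboard report and not the RTD's own data or code: a few constructed rows in the style of the fields the story describes, with names and birthdates already removed, and a constructed auxiliary list with identities attached (standing in for anything an adversary can obtain, such as a voter roll or a leaked customer database). The example measures k-anonymity over the remaining quasi-identifiers, links rows back to people, and then shows how much generalization it takes before the linkage becomes ambiguous; the postal code prefixes, ages and names are all invented.

```python
"""Why stripping names and birthdates does not de-identify a record.
Added example (not from the Motherboard report or the RTD itself):
constructed rows in the style of the fields described, with a constructed
auxiliary list standing in for anything an adversary can obtain, such as a
voter roll or a leaked customer database."""

from collections import Counter

# Constructed "de-identified" rows: name and DOB removed, but the
# quasi-identifiers (postal code prefix, age, gender) are still present.
RTD_ROWS = [
    {"fsa": "S7K", "age": 34, "gender": "M", "flag": "drug use"},
    {"fsa": "S7K", "age": 34, "gender": "M", "flag": "assault victim"},
    {"fsa": "S7N", "age": 31, "gender": "F", "flag": "negative neighbourhood"},
    {"fsa": "M5V", "age": 52, "gender": "F", "flag": "housing instability"},
    {"fsa": "M5V", "age": 52, "gender": "F", "flag": "drug use"},
    {"fsa": "M5V", "age": 52, "gender": "F", "flag": "assault victim"},
]

# Constructed auxiliary data with identities attached (invented names).
AUX_ROWS = [
    {"name": "J. Smith", "fsa": "S7K", "age": 34, "gender": "M"},
    {"name": "R. Lee",   "fsa": "S7N", "age": 31, "gender": "F"},
    {"name": "A. Chen",  "fsa": "M5V", "age": 52, "gender": "F"},
    {"name": "B. Okoro", "fsa": "M5V", "age": 52, "gender": "F"},
    {"name": "C. Dube",  "fsa": "M5V", "age": 52, "gender": "F"},
]

QUASI = ("fsa", "age", "gender")


def quasi_key(row):
    return tuple(row[q] for q in QUASI)


def k_anonymity(rows):
    """Smallest group size sharing the same quasi-identifier values.
    k == 1 means at least one record is unique on those fields alone."""
    return min(Counter(quasi_key(r) for r in rows).values())


def link(released, aux):
    """Join released rows to identities on the quasi-identifiers.
    Returns {released_index: [candidate names]}."""
    by_key = {}
    for a in aux:
        by_key.setdefault(quasi_key(a), []).append(a["name"])
    return {i: by_key.get(quasi_key(r), []) for i, r in enumerate(released)}


def uniquely_identified(released, aux):
    """Indices of released rows that map to exactly one candidate identity."""
    return [i for i, names in link(released, aux).items() if len(names) == 1]


def generalize(row, age_band=10):
    """Coarsen the quasi-identifiers: first letter of the postal code,
    age rounded down to a band, gender suppressed. The same transform must
    be applied to the auxiliary data when measuring linkability."""
    return {**row, "fsa": row["fsa"][0],
            "age": (row["age"] // age_band) * age_band, "gender": "*"}


if __name__ == "__main__":
    print("k on released rows:", k_anonymity(RTD_ROWS))
    print("uniquely re-identified rows:", uniquely_identified(RTD_ROWS, AUX_ROWS))
    g_rows = [generalize(r) for r in RTD_ROWS]
    g_aux = [generalize(a) for a in AUX_ROWS]
    print("k after generalisation:", k_anonymity(g_rows),
          "uniquely re-identified:", uniquely_identified(g_rows, g_aux))
```

Two things the paragraph above states in the abstract become visible here: rows 0 and 1 are not unique within the released data (k is computed over the release, and both share a key), yet both still attach to one person because the population contains only one match; and the generalization needed to break the linkage also destroys the geographic and age detail that the "community profiles" exist to provide. That trade-off, not the removal of names, is what decides whether a release is de-identified.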
China

Chinese Police Test Gait-Recognition Technology That Identifies People Based on How They Walk (scmp.com)

You can tell a lot of things from the way someone walks. Chinese artificial intelligence start-up Watrix says its software can identify a person from 50 meters away -- even if they have covered their face or have their back to a camera -- making it more than a match for Sherlock Holmes. From a report: Known as gait recognition, the technology works by analyzing thousands of metrics about a person's walk, from body contour to the angle of arm movement to whether a person has a toe-in or toe-out gait, to then build a database. "With facial recognition people need to look into a camera -- cooperation is not needed for them to be recognized [by our technology]," said Huang Yongzhen, co-founder and chief executive of Watrix, in an interview in Beijing. Features like this have given Watrix an edge in catching runaway criminals, who tend to avoid surveillance, said Huang. Police on the streets of Beijing, Shanghai and Chongqing have already run trials of gait recognition technology, said Huang, and the company officially launched its 2.0 version last week, which supports analysis of real-time camera feeds at a mega-city level.
Education

Bill Gates, Amazon and Google Urge Followers To Share Data On Teacher Friends

theodp writes: Facebook may be facing the threat of a multi-billion dollar FTC fine for privacy lapses that included allowing companies to obtain users' email addresses from their friends, but that didn't discourage Bill Gates from taking to Twitter to urge his 46.5 million followers to give up the names and email addresses of teachers so they can be contacted by tech-bankrolled Code.org for a chance to receive a "Computer Science Scholarship" (attend Professional Development workshops). Or Amazon. Or Google. "The success of our professional learning program depends on the work of our partners to spread the word," explained Code.org in a Medium Post. "Corporate partners like Amazon, Infosys, and Google are rallying their employees and communities to nominate a teacher, and so are fellow teachers, parents, and students. We couldn't do it without you! [...] Code.org (and these scholarships) are supported by: Amazon, Bill and Melinda Gates Foundation, Facebook, Google, Infosys Foundation USA, Microsoft [...] Code.org has prepared almost 100,000 educators to teach our courses, and they give our program rave reviews. We welcome teachers from all subject areas, no CS experience needed!"

In May, Code.org announced it was crowdsourcing a database of U.S. K-12 schools that teach -- or don't teach -- CS, with a goal to "gather data for 100% of U.S. schools by the end of 2018." The database would be used by the nonprofit and the CS community to "make our shared vision [for every school to teach computer science] a reality." Several months later, Amazon disclosed its involvement with the data collection effort, explaining it "will help us bring access to the schools that need it most." Amazon on Thursday announced it had selected 1,000 high schools to receive Amazon-funded CS classes and will be tapping another lucky 1,000 schools in the next few months. An Amazon press release said the company hopes to "inspire and educate 10 million children and young adults each year from underprivileged, underrepresented, and underserved communities to pursue careers in the fast-growing field of computer science and coding" through its Amazon Future Engineer program, which the e-tailer describes as "a four-part, childhood-to-career program."
Privacy

2.7 Million Patient Phone Call Recordings Left Exposed Online (thenextweb.com)

Slashdot reader krenaud tipped us off to this story from The Next Web: The audio recordings of 2.7 million calls made to 1177 Vardguiden -- Sweden's healthcare hotline -- were left exposed to anyone online, according to Swedish tech publication Computer Sweden. The 170,000 hours of incredibly sensitive calls were stored on an open web server without any encryption or authentication, leaving personal information completely exposed for anyone with a web browser....

The calls included sensitive information about patients' diseases and ailments, medication, and medical history. Some examples had people describing their children's symptoms and giving their social security numbers. Some of the files include the phone numbers the calls were made from. Around 57,000 numbers appear in the database and many of those are the callers' personal numbers, making it easy to match information with a particular person.

When reached for comment, the CEO of the subcontractor receiving the calls "denied it happened."
Privacy

What Happens When Police License Plate Readers Make Mistakes? (theverge.com)

An anonymous reader writes: The Verge reports that San Francisco Bay Area police "pulled over a California privacy advocate and held him at gunpoint after a database error caused a license plate reader to flag a car as stolen, a lawsuit alleges." Brian Hofer, the chairman of Oakland's Privacy Advisory Commission, was handcuffed and surrounded by multiple police cars, and says a police deputy injured his brother by throwing him to the ground. They were finally released -- 40 minutes later. But ironically, Hofer has been a staunch critic of license plate readers, "which he points out have led to wrongful detentions, invasions of privacy and potentially costly lawsuits." (California bus driver Denise Green was detained at gunpoint when her own car was incorrectly identified as stolen -- leading to a lawsuit which she eventually settled for nearly $500,000.) And at least one thief simply swapped license plates with an innocent driver.

The executive director of Northern California Regional Intelligence Center, a state government program, acknowledged that the accuracy rate of the license plate readers is about 90 percent, yet "added that in some cases, the technology has actually exonerated people, or given potential suspects alibis. But there is no way for the public to know just how effective the license plate reader technology is in capturing criminals" -- apparently because police departments aren't capturing that data. Only one of the region's police departments, in Piedmont, California, reported its "efficacy metrics" to the agency -- with 7,500 "hits" which over 11 months led to 28 arrests (and the recovery of 39 cars) after reading 21.3 million license plates. The license plate readers cost $20,000 per patrol car.

In Hofer's case, he was driving a rental car which had previously been reported as stolen but then later recovered -- though for some reason the police or rental car agency failed to update their database. But he criticizes the fact that "somebody could pull a gun on you because of an alert that a computer system gave them."

"They're just pulling guns and going cowboy on us," Hofer says. "It's a pretty terrifying position to be in....

"This is happening more frequently than it should be. They're not ensuring the accuracy of their data and people's lives are literally at risk."
Open Source

Redis Changes Its Open Source License -- Again (zdnet.com)

"Redis Labs is dropping its Commons Clause license in favor of its new 'available-source' license: Redis Source Available License (RSAL)," reports ZDNet -- adding "This is not an open-source license." Redis Labs had used Commons Clause on top of the open-source Apache License to protect its rights to modules added to its 3-Clause-BSD-licensed Redis, the popular open-source in-memory data structure store. But, as Manish Gupta, Redis Labs' CMO, explained, "It didn't work. Confusion reigned over whether or not the modules were open source. They're not open-source." So, although it hadn't wanted to create a new license, that's what Redis Labs ended up doing....

The RSAL grants, Gupta said, equivalent rights to permissive open-source licenses for the vast majority of users. With the RSAL, developers can: Use the software; modify the source code; integrate it with an application; and use, distribute, support, or sell their application. But -- and this is big -- the RSAL forbids you from using any application built with these modules in a database, a caching engine, a stream processing engine, a search engine, an indexing engine, or a machine learning/artificial intelligence serving engine. In short, all the ways that Redis Labs makes money from Redis. Gupta wants to make it perfectly clear: "We're not calling it open source. It's not."

Earlier this month the Open Source Initiative had reaffirmed its commitment to open source's original definition, adding "There is no trust in a world where anyone can invent their own definition for open source, and without trust there is no community, no collaboration, and no innovation."

And earlier this week on Twitter a Red Hat open-source evangelist said they wondered whether Redis was just "clueless. There are a lot of folks entering #opensource today who are unwilling to do the research and reading, and assume that these are all new problems."
Security

Severe Vulnerabilities Uncovered In Popular Password Managers (zdnet.com)

chiefcrash shares a report from ZDNet: Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers, including LastPass and KeePass. The team said that each password management solution "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that "exposed the data they are designed to protect."

The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format. ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same.
The report has summarized the main findings based on each password management solution. Here's what ISE had to say about LastPass and KeePass -- two of the most popular password managers available:

"LastPass obfuscates the master password while users are typing in the entry, and when the password manager enters an unlocked state, database entries are only decrypted into memory when there is user interaction. However, ISE reported that these entries persist in memory after the software enters a locked state. It was also possible for the researchers to extract the master password and interacted-with password entries due to a memory leak."

"KeePass scrubs the master password from memory and is not recoverable. However, errors in workflows permitted the researchers to extract credential entries which have been interacted with. In the case of Windows APIs, sometimes, various memory buffers which contain decrypted entries may not be scrubbed correctly."
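
The lock-state problem ISE describes is concrete enough to reproduce in a few dozen lines. The following is an added example, not ISE's tooling and not any password manager's code: a toy vault that decrypts entries into a working region, a "lock" that only flips state and drops references (what the report describes for entries that persist after locking), a lock that overwrites the plaintext in place first, and a scan that emulates searching a memory dump for a known password. A private anonymous mmap stands in for the process heap so the scan is deterministic, and the XOR "cipher", key and secrets are constructed placeholders with no security properties.

```python
"""Decrypted vault entries that outlive 'lock', and the scrub that removes
them. Added example, not ISE's tooling or any password manager's code. A
private anonymous mmap stands in for the process heap so the memory scan is
deterministic, and the XOR 'cipher' is a constructed placeholder for the
real one."""

import mmap

REGION_SIZE = 4096


def toy_decrypt(blob, key):
    """Constructed placeholder for real decryption (XOR; not secure)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


class Vault:
    def __init__(self, key, encrypted_entries):
        self.key = key
        self.encrypted = encrypted_entries         # list of bytes blobs
        self.mem = mmap.mmap(-1, REGION_SIZE)      # stand-in for the heap
        self.offsets = []                          # (pos, len) of plaintexts
        self.unlocked = False

    def unlock(self):
        """Decrypt every entry into the working region, as a manager does
        when the user interacts with entries."""
        pos = 0
        for blob in self.encrypted:
            plain = toy_decrypt(blob, self.key)
            self.mem[pos:pos + len(plain)] = plain
            self.offsets.append((pos, len(plain)))
            pos += len(plain) + 1
        self.unlocked = True

    def entry(self, i):
        pos, n = self.offsets[i]
        # Returns an immutable bytes copy the caller cannot scrub: the same
        # class of leftover the report attributes to unscrubbed API buffers.
        return bytes(self.mem[pos:pos + n])

    def lock_naive(self):
        """The behaviour described above: flip the state, drop references,
        leave the bytes where they are."""
        self.unlocked = False
        self.offsets = []

    def lock_scrubbed(self):
        """Overwrite each decrypted entry in place before forgetting it."""
        for pos, n in self.offsets:
            self.mem[pos:pos + n] = b"\x00" * n
        self.unlocked = False
        self.offsets = []


def scan_memory(vault, needle):
    """Emulates grepping a process memory dump for a known plaintext."""
    return vault.mem.find(needle) != -1


# Constructed secrets; XOR is symmetric so toy_decrypt also 'encrypts'.
KEY = b"\x5a\xa5\x3c"
SECRETS = [b"correct horse battery staple", b"hunter2"]
ENCRYPTED = [toy_decrypt(s, KEY) for s in SECRETS]


def lingers_after(lock_method):
    """Return (found_while_unlocked, found_after_lock) for one lock strategy."""
    vault = Vault(KEY, ENCRYPTED)
    vault.unlock()
    assert vault.entry(1) == SECRETS[1]
    before = scan_memory(vault, SECRETS[1])
    getattr(vault, lock_method)()
    after = scan_memory(vault, SECRETS[1])
    vault.mem.close()
    return before, after


if __name__ == "__main__":
    print("naive lock   :", lingers_after("lock_naive"))      # (True, True)
    print("scrubbed lock:", lingers_after("lock_scrubbed"))   # (True, False)
```

The choice of storage is the whole point: Python `str` and `bytes` are immutable and cannot be overwritten, so plaintext held in them stays recoverable until the allocator happens to reuse the page, which is why the example keeps entries in a mutable region and zeroes it explicitly. The native-code equivalent is a zeroing call the compiler cannot drop as a dead store (SecureZeroMemory on Windows, explicit_bzero elsewhere) rather than a plain memset before free, and the same discipline has to cover every copy handed to clipboard, UI or autofill APIs, which is where the report says KeePass's leftovers came from.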
Privacy

Proposed Bill Would Force Arizonans To Pay $250 To Have Their DNA Added To a Database (gizmodo.com)

technology_dude writes: One by one, thresholds are being crossed where the collection and storage of personal data is accepted as routine. Being recorded by cameras at business locations, in public transportation, in schools, churches, and every other place imaginable. Recent headlines include "Singapore Airlines having cameras built into the seat back of personal entertainment systems," and "Arizona considering a bill to force some public workers to give up DNA samples (and even pay for it)." It seems to be a daily occurrence where we have crossed another line in how far we will go to accept massive surveillance as normal. Do we even have a line in the sand that we would defend? Do we even see anything wrong with it? Absolute power corrupts absolutely and we continue to give knowledge of our personal lives (power) to others. If we continue down the same path, I suppose we deserve what we get? I want to shout "Stop the train, I want off!" but I fear my plea would be ignored. So who out there is more optimistic than I and can recommend some reading that will give me hope? Bill 1475 was introduced by Republican State Senator David Livingston and would require teachers, police officers, child day care workers, and many others to submit their DNA samples along with fingerprints to be stored in a database maintained by the Department of Public Safety. "While the database would be prohibited from storing criminal or medical records alongside the DNA samples, it would require the samples be accompanied by the person's name, Social Security number, date of birth and last known address," reports Gizmodo. "The living will be required to pay [a $250 processing fee] for this invasion of their privacy, but any dead body that comes through a county medical examiner's office would also be fair game to be entered into the database."
IT

'No, You Can't Ignore Email. It's Rude.' (nytimes.com) 255

Yes, we're all overwhelmed with email. One recent survey suggested that the average American's inbox has 199 unread messages. But volume isn't an excuse for not replying. Ignoring email is an act of incivility, reads an opinion piece. From the story: "I'm too busy to answer your email" really means "Your email is not a priority for me right now." That's a popular justification for neglecting your inbox: It's full of other people's priorities. But there's a growing body of evidence that if you care about being good at your job, your inbox should be a priority. When researchers compiled a huge database of the digital habits of teams at Microsoft, they found that the clearest warning sign of an ineffective manager was being slow to answer emails. Responding in a timely manner shows that you are conscientious -- organized, dependable and hardworking. And that matters. In a comprehensive analysis of people in hundreds of occupations, conscientiousness was the single best personality predictor of job performance. (It turns out that people who are rude online tend to be rude offline, too.)

I'm not saying you have to answer every email. Your brain is not just sitting there waiting to be picked. If senders aren't considerate enough to do their homework and ask a question you're qualified to answer, you don't owe them anything back. How do you know if an email you've received -- or even more important, one you're considering writing -- doesn't deserve a response? After all, sending an inappropriate email can be as rude as ignoring a polite one. [...] Whatever boundaries you choose, don't abandon your inbox altogether. Not answering emails today is like refusing to take phone calls in the 1990s or ignoring letters in the 1950s. Email is not household clutter and you're not Marie Kondo. Ping!

Crime

Relative's DNA Solves A 1993 Murder Cold Case (washingtonpost.com) 118

A 44-year-old living in Maine has just been arrested and charged with committing a murder when he was 18, the Washington Post reports: The April 1993 slaying of Sophie Sergie, an Alaska Native, was one of the state's most notorious cold cases until Friday, when authorities announced that DNA genealogical mapping helped triangulate a genetic match... Police recovered the suspect's DNA from Sergie's body. At the time, the district court filing said, DNA processing technology had not been introduced in Alaska. A DNA profile confirming the suspect as male was uploaded in 2000, but it did not match anyone in the FBI's database. The case went dormant for years...

Then the alleged "Golden State Killer" was captured [after searching commercial online genealogy databases for relatives who matched DNA found at a crime scene]. The publicity of the feat, state troopers said, sparked the idea for investigators in the Sergie case. Why not try the same? A forensic genealogist prepared a report on Dec. 18, comparing the suspect's genetic material from the crime scene to likely relatives. A woman's DNA profile emerged in the search. Investigators found their link: She was an aunt of Downs's.

Downs had been a student at the college where the murder took place. He's also been charged with sexual assault -- and with being a fugitive from justice for the last 25 years.
Crime

Hoaxer Behind 2,400 Fake Bomb Threats Caught After Gaming Site Breach (krebsonsecurity.com) 137

20-year-old Timothy Dalton Vaughn from Winston-Salem, N.C. now faces 80 years in federal prison, reports KrebsOnSecurity.com: Federal authorities this week arrested a North Carolina man who allegedly ran with a group of online hooligans that attacked Web sites (including this one), took requests on Twitter to call in bomb threats to thousands of schools, and tried to frame various online gaming sites as the culprits. In an ironic twist, the accused -- who had fairly well separated his real life identity from his online personas -- appears to have been caught after a gaming Web site he frequented got hacked...

[T]he real-life identity of HDGZero remained a mystery...as there was little publicly available information at the time connecting that moniker to anyone. That is, until early January 2019, when news broke that hackers had broken into the servers of computer game maker BlankMediaGames and made off with account details of some 7.6 million people who had signed up to play "Town of Salem," the company's browser-based role playing game. That stolen information has since been posted and resold in underground forums. A review of the leaked BlankMediaGames user database shows that in late 2018, someone who selected the username "hdgzero" signed up to play Town of Salem... The data also shows this person registered at the site using a Sprint mobile device with an Internet address that traced back to the Carolinas.

This week America's Justice Department released an indictment of Vaughn and co-conspirator George Duke-Cohan for spoofed bomb threat emails to more than 2,400 schools, according to Krebs, adding that the government also alleges the two reported a fake hijacking of an airline bound for the United States. "That flight, which had almost 300 passengers on board, was later quarantined for four hours in San Francisco pending a full security check."

The two now face charges of conspiracy and eight additional felony offenses, "including making threats to injure in interstate commerce and making interstate threats involving explosives."
