Businesses

Amazon Asks Court To Halt Microsoft's Work on Pentagon 'War Cloud' (thehill.com) 65

Amazon has asked a U.S. federal court to stop Microsoft from working with the Pentagon to implement a $10 billion cloud-computing contract, arguing that the project should stall until the courts work out whether Microsoft deserved to receive the lucrative deal. From a report: Amazon is suing the Department of Defense (DOD) over allegations that it allowed President Trump to exert "improper influence" over the contract process, ultimately steering the cloud-computing project away from the online retail giant and towards Microsoft. Amazon was the clear front-runner in the competition before Trump began intervening in the process over the summer. Even as Amazon sues in federal court, Microsoft and the Pentagon have been forging ahead to lay the groundwork for the enormous cloud-computing project. But Amazon says it's improper for the deal to move forward until the U.S. Court of Federal Claims makes the final call. "It is common practice to stay contract performance while a protest is pending and it's important that the numerous evaluation errors and blatant political interference that impacted the JEDI award decision be reviewed," an Amazon Web Services spokesperson said late Wednesday night, adding the company "is absolutely committed to supporting the DoD's modernization efforts and to an expeditious legal process that resolves this matter as quickly as possible."
Twitter

Twitter Tells Facial Recognition Trailblazer To Stop Using Site's Photos (nytimes.com) 45

Kashmir Hill reporting for The New York Times: A mysterious company that has licensed its powerful facial recognition technology to hundreds of law enforcement agencies is facing attacks from Capitol Hill and from at least one Silicon Valley giant. Twitter sent a letter this week to the small start-up company, Clearview AI, demanding that it stop taking photos and any other data from the social media website "for any reason" and delete any data that it previously collected, a Twitter spokeswoman said. The cease-and-desist letter, sent on Tuesday, accused Clearview of violating Twitter's policies.

The New York Times reported last week that Clearview had amassed a database of more than three billion photos from social media sites -- including Facebook, YouTube, Twitter and Venmo -- and elsewhere on the internet. The vast database powers an app that can match people to their online photos and link back to the sites the images came from. The app is used by more than 600 law enforcement agencies, ranging from local police departments to the F.B.I. and the Department of Homeland Security. Law enforcement officials told The Times that the app had helped them identify suspects in many criminal cases.
It's unclear what social media sites can do to force Clearview to remove images from its database. "In the past, companies have sued websites that scrape information, accusing them of violating the Computer Fraud and Abuse Act, an anti-hacking law," notes the NYT. "But in September, a federal appeals court in California ruled against LinkedIn in such a case, establishing a precedent that the scraping of public data most likely doesn't violate the law."
Nintendo

Nintendo Doesn't Have To Refund Digital Preorders, According To European Court (theverge.com) 69

A European court has sided with Nintendo's ongoing practice to not let users cancel digital preorders. The Verge reports: According to Norwegian gaming site PressFire, the consumer authorities of Norway and Germany sued Nintendo for not letting users cancel digital preorders purchased from the eShop. The case went to court at the end of last year. This week, the court ruled in favor of Nintendo, meaning it can continue the practice for now. PressFire reports that the German consumer authority has appealed the ruling.

When the Norwegian Consumer Council first formally criticized Nintendo's policy in 2018, it said that Nintendo's policy conflicts with the EU's Consumer Rights Directive, which requires that consumers must be able to cancel online purchases and receive refunds. Nintendo's no-refunds policy is also in place for the U.S. -- in fact, Nintendo states that all sales of digital purchases on the Wii U, Nintendo 3DS, and Nintendo Switch are final -- and Nintendo is the only console maker that doesn't let customers cancel a digital preorder, which the Norwegian Consumer Council noted in its 2018 complaint.

Microsoft

Microsoft Discloses Security Breach of Customer Support Database Containing 250 Million Records (zdnet.com) 32

An anonymous reader quotes a report from ZDNet: Microsoft disclosed today a security breach that took place last month in December 2019. In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31. The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other. Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve. The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records didn't contain any personal user information.
"Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it has now fixed," adds ZDNet.

They went on to list several changes to prevent this sort of thing from happening again, such as "auditing the established network security rules for internal resources" and "adding additional alerting to service teams when security rule misconfigurations are detected."
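The kind of check behind "alerting ... when security rule misconfigurations are detected" can be shown in a few dozen lines. The following is an added example, not Microsoft's own tooling: a Python audit over an Azure-style network security group (NSG) rule set that reports which sensitive ports (Elasticsearch's 9200/9300 among them) a rule set leaves reachable from the Internet. The rule shape mirrors the Azure `securityRules` schema but is an assumption for this example, as are the port list and the two constructed rule sets (the misconfigured one beside a corrected one).

```python
"""Added example: audit a simplified Azure NSG rule set for inbound Internet exposure.

The rule shape below mirrors the Azure 'securityRules' schema (priority,
direction, access, protocol, source prefix and destination port range) but is
an assumption for this example, not Microsoft's own tooling.
"""
from typing import Dict, List, Tuple

# Ports a support-analytics cluster should never expose to the Internet (assumed list).
SENSITIVE_PORTS: Dict[int, str] = {
    9200: "Elasticsearch HTTP API",
    9300: "Elasticsearch transport",
    22: "SSH",
    3389: "RDP",
}
# Source prefixes that match traffic from anywhere on the Internet
# (simplification: a rule scoped to one public CIDR is not treated as public).
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}


def _port_ranges(props: dict) -> List[Tuple[int, int]]:
    """Expand destinationPortRange(s) into inclusive (low, high) tuples."""
    raw = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ranges = []
    for item in raw:
        item = str(item)
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _matches_internet_tcp(props: dict, port: int) -> bool:
    """True if the rule applies to TCP traffic from the Internet to `port`."""
    if props.get("direction") != "Inbound":
        return False
    if props.get("protocol", "*") not in ("*", "Tcp"):
        return False
    sources = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]
    if not any(str(s).lower() in PUBLIC_SOURCES for s in sources):
        return False
    return any(low <= port <= high for low, high in _port_ranges(props))


def exposed_ports(rules: List[dict]) -> List[int]:
    """Return the sensitive ports reachable from the Internet under `rules`.

    Azure evaluates NSG rules in ascending priority and the first match wins;
    if no custom rule matches, the built-in DenyAllInBound default applies.
    """
    ordered = sorted(rules, key=lambda r: r["properties"]["priority"])
    exposed = []
    for port in sorted(SENSITIVE_PORTS):
        for rule in ordered:
            props = rule["properties"]
            if _matches_internet_tcp(props, port):
                if props.get("access") == "Allow":
                    exposed.append(port)
                break  # first matching rule decides
    return exposed


def _rule(name, priority, access, source, ports, direction="Inbound", protocol="Tcp"):
    """Build one rule in the assumed schema."""
    return {"name": name, "properties": {
        "priority": priority, "direction": direction, "access": access,
        "protocol": protocol, "sourceAddressPrefix": source,
        "destinationAddressPrefix": "*", "destinationPortRange": ports}}


# Constructed sample: an allow-from-anywhere rule on the Elasticsearch HTTP port.
MISCONFIGURED = [
    _rule("allow-es-http", 100, "Allow", "*", "9200"),
    _rule("allow-es-transport", 110, "Allow", "VirtualNetwork", "9300"),
]

# Corrected: same ports, reachable only from the virtual network, plus an
# explicit catch-all deny so a later low-priority rule cannot widen exposure.
CORRECTED = [
    _rule("allow-es-http", 100, "Allow", "VirtualNetwork", "9200"),
    _rule("allow-es-transport", 110, "Allow", "VirtualNetwork", "9300"),
    _rule("deny-all-inbound", 4096, "Deny", "*", "*", protocol="*"),
]


def alert_lines(rules: List[dict]) -> List[str]:
    """Format findings the way a service team's alert channel might show them."""
    return [f"EXPOSED tcp/{p} ({SENSITIVE_PORTS[p]}) reachable from Internet"
            for p in exposed_ports(rules)]


if __name__ == "__main__":
    for label, ruleset in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, alert_lines(ruleset) or ["no exposure"])
```

The first-match-wins loop matters: a catch-all Deny at priority 100 silences an Allow at priority 200, while the same Allow placed above the Deny exposes the port. Real NSG evaluation also involves the default rules and, where present, application security groups, which this example leaves out.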
Google

Apple's Privacy Software Allowed Users To Be Tracked, Says Google (ft.com) 15

Google researchers have exposed details of multiple security flaws in its rival Apple's Safari web browser that allowed users' browsing behavior to be tracked [Editor's note: the link may be paywalled; alternative source], despite the fact that the affected tool was specifically designed to protect their privacy. From a report: The flaws, which were ironically found in an anti-tracking feature known as Intelligent Tracking Prevention, were first disclosed by Google to Apple in August last year. In a soon-to-be published paper seen by the Financial Times, researchers in Google's cloud team have since identified five different types of potential attack that could have resulted from the vulnerabilities, allowing third parties to obtain "sensitive private information about the user's browsing habits." "You would not expect privacy-enhancing technologies to introduce privacy risks," said Lukasz Olejnik, an independent security researcher who has seen the paper. "If exploited or used, [these vulnerabilities] would allow unsanctioned and uncontrollable user tracking." Apple rolled out Intelligent Tracking Prevention in 2017, with the specific aim of protecting Safari browser users from being tracked around the web by advertisers' and other third-parties' cookies.
Privacy

US Cops Have Wide Access To Phone Cracking Software, New Documents Reveal (medium.com) 40

Many police departments across the United States already have the ability to crack mobile devices, including the iPhone. From a report: Over the past three months, OneZero sent Freedom of Information Act (FOIA) requests to over 50 major police departments, sheriffs, and prosecutors around the country asking for information about their use of phone-cracking technology. Hundreds of documents from these agencies reveal that law enforcement in at least 11 states spent over $4 million in the last decade on devices and software designed to get around passwords and access information stored on phones. OneZero obtained documents from law enforcement agencies in New York, California, Florida, Texas, Washington, Colorado, Illinois, Ohio, Michigan, New Mexico, and Massachusetts.

These agencies included district attorneys' offices, local police departments, and county sheriffs' offices. The number of offices with access to phone-cracking tools across the country is likely far greater than what OneZero uncovered. Not all agencies responded to OneZero's request for documents. Some departments and offices claimed the records were exempt from public release. Others told OneZero they would need several months and thousands of dollars to provide the information.

Privacy

India Likely To Force Facebook, WhatsApp To Comply With 'Traceability' Demand (techcrunch.com) 19

New Delhi is inching closer to recommending regulations that would require social media companies and instant messaging app providers to help law enforcement agencies identify users who have posted content -- or sent messages -- it deems questionable, TechCrunch reported Wednesday, citing people familiar with the matter. From the report: India will submit the suggested change to the local intermediary liability rules to the nation's apex court later this month. The suggested change, the conditions of which may be altered before it is finalized, currently says that law enforcement agencies will have to produce a court order before exercising such requests, sources who have been briefed on the matter said. But regardless, asking companies to comply with such a requirement would be "devastating" for international social media companies, a New Delhi-based policy advocate told TechCrunch on the condition of anonymity. WhatsApp executives have insisted in the past that they would have to compromise end-to-end encryption of every user to meet such a demand -- a move they are willing to fight over.
Nintendo

Court Overturns Patent Ruling That Would've Cost Nintendo $10 Million (engadget.com) 28

After almost seven years, Nintendo has won a patent case that involved the original Wii. On Tuesday, the company announced that a federal court in Dallas ruled in its favor against iLife Technologies, overturning an earlier 2017 decision that would have forced Nintendo to pay out $10.1 million in damages. Engadget reports: The original suit, which was brought against Nintendo of America in 2013, alleged that the company used iLife's technology to create the Wii's motion-sensing controller. The patent that was at the center of the case described a technology designed to detect when a person falls and monitor babies for symptoms of sudden infant death syndrome. iLife had initially sought $144 million in total damages and an injunction against Nintendo. In this latest ruling, however, the court decided that iLife's claim wasn't specific enough.
Crime

Amazon To Ramp Up Counterfeit Reporting To Law Enforcement (reuters.com) 73

Amazon is planning to give more data on counterfeit goods to law enforcement in a further crackdown on fakes listed on its e-commerce sites. Reuters reports: In the past, the world's largest online retailer has informed authorities of counterfeit peddlers when it thought it had enough information for police to pursue a culprit. Now, the company plans to disclose merchant information to European and U.S. federal authorities every time it confirms a counterfeit was sold to customers, increasing the frequency and volume of reporting to law enforcement, according to the person, who spoke on condition of anonymity.

Why the new program was happening now was not immediately clear. In recent weeks, Amazon has held meetings with government authorities and related organizations to discuss its new counterfeit reporting strategy and how the company can further their enforcement efforts, the person said. The hope has been that Amazon's coveted data will help law enforcement make connections about criminals. According to the source, Amazon will report a merchant's name, company name, product and contact information to authorities, after it confirms a business was selling fakes, closes the seller's account, and the account holder does not make a successful appeal via Amazon's typical processes.

Privacy

Amazon Boss Jeff Bezos' Phone 'Hacked By Saudi Crown Prince' (theguardian.com) 73

According to the Guardian, Amazon CEO Jeff Bezos had his phone "hacked" in 2018 after receiving a WhatsApp message from the personal account of the crown prince of Saudi Arabia. From the report: The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world's richest man, according to the results of a digital forensic analysis. This analysis found it "highly probable" that the intrusion into the phone was triggered by an infected video file sent from the account of the Saudi heir to Bezos, the owner of the Washington Post.

The two men had been having a seemingly friendly WhatsApp exchange when, on May 1 of that year, the unsolicited file was sent, according to sources who spoke to the Guardian on the condition of anonymity. Large amounts of data were exfiltrated from Bezos's phone within hours, according to a person familiar with the matter. The Guardian has no knowledge of what was taken from the phone or how it was used. [...] The disclosure is likely to raise difficult questions for the kingdom about the circumstances around how U.S. tabloid the National Enquirer came to publish intimate details about Bezos's private life -- including text messages -- nine months later. It may also lead to renewed scrutiny about what the crown prince and his inner circle were doing in the months prior to the murder of Jamal Khashoggi, the Washington Post journalist who was killed in October 2018 -- five months after the alleged "hack" of the newspaper's owner.

Security

Notorious Crime Gang Targets Internet Routers Using Tomato Firmware (arstechnica.com) 51

An anonymous reader quotes a report from Ars Technica: Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday. The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including WebDAV, WebLogic, Webuzo, and WordPress.

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality of service control make Tomato popular with end users and in some cases router sellers. The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of "admin:admin" or "root:admin" for remote administration. The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable.
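The check Muhstik runs against remote administration (try "admin:admin" and "root:admin" against the web UI) is the same check a defender should run against their own router before the botnet does. The following is an added example, not code from Ars Technica, Palo Alto Networks or the Tomato project: a Python default-credential audit against an HTTP Basic-auth admin page. Tomato's web UI uses HTTP Basic authentication, so a login attempt is one request with an `Authorization` header. Because a real router is not available offline, the block also starts a constructed in-process mock of such an admin page; the credential list is the two pairs named in the report plus two constructed extras.

```python
"""Added example: audit a router's HTTP admin interface for default credentials.

The mock router is a constructed stand-in for a Tomato-style web UI so the
audit runs offline; point `find_default_credentials` at a real base URL to use it.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# The pairs the report says Muhstik tries, followed by constructed extras.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("root", "admin"),
    ("admin", "password"),
    ("root", "root"),
]


def try_login(base_url: str, username: str, password: str, timeout: float = 3.0) -> bool:
    """Return True if the admin page accepts the given HTTP Basic credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(base_url, headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # anything else (500, redirect loop) is a different problem


def find_default_credentials(base_url: str) -> Optional[Tuple[str, str]]:
    """Return the first default pair the router accepts, or None if all are rejected."""
    for username, password in DEFAULT_CREDENTIALS:
        if try_login(base_url, username, password):
            return username, password
    return None


class MockRouterHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a Tomato admin page: Basic auth with one valid pair."""
    valid_pair: Tuple[str, str] = ("admin", "admin")  # overridden per mock instance

    def do_GET(self):
        expected = base64.b64encode(":".join(self.valid_pair).encode()).decode()
        if self.headers.get("Authorization", "") == f"Basic {expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Tomato admin</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_router(valid_pair: Tuple[str, str]) -> Tuple[HTTPServer, str]:
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    handler = type("Handler", (MockRouterHandler,), {"valid_pair": valid_pair})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


def audit(valid_pair: Tuple[str, str]) -> Optional[Tuple[str, str]]:
    """Run the default-credential audit against a mock router that accepts `valid_pair`."""
    server, url = start_mock_router(valid_pair)
    try:
        return find_default_credentials(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("factory-default router:", audit(("root", "admin")))
    print("locked-down router:   ", audit(("admin", "Tz9!vq#Lm2rW")))
```

A router that returns `None` here has at least cleared the bar Muhstik is reported to test; it says nothing about whether remote administration should be reachable from the WAN at all, which is the setting to turn off first.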

Android

14% of Android App Privacy Policies Contain Contradictions About Data Collection (zdnet.com) 30

A large number of Android mobile apps listed on the official Google Play Store contain self-contradictory language in their privacy policies in regards to data collection practices. From a report: In an academic study published last year, researchers created a tool named PolicyLint that analyzed the language used in the privacy policies of 11,430 Play Store apps. They found that 14.2% (1,618 apps) contained a privacy policy with logically contradictory statements about data collection. Examples include privacy policies that stated in one section that they do not collect personal data, only to contradict themselves in subsequent sections, where they state they collect emails or customer names -- which are clearly personally identifiable information. While the research team could not determine the app maker's intent in using contradicting statements in their privacy policy, researchers feel the primary purpose was to mislead users if they ever took the time to read the policies.
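The contradiction in the example above ("we do not collect personal data" in one section, "we collect emails or customer names" in another) is detectable mechanically once data types are arranged in a hierarchy. The following is an added illustration in Python, not the PolicyLint tool itself: it extracts collect / do-not-collect statements with regular expressions, then flags a negative statement about a broad category that a positive statement about one of its subtypes contradicts. The data-type ontology, the synonym table and the sample policy sentences are all constructed for the example.

```python
"""Added example: flag PolicyLint-style contradictions in privacy-policy text.

A small rule-based illustration of the idea, not the PolicyLint tool: extract
"collect / do not collect <data type>" statements, then report a negative
statement about a broad category that is contradicted by a positive statement
about one of its subtypes. Ontology, synonyms and sample text are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Subtype -> parent category (constructed, deliberately tiny).
ONTOLOGY: Dict[str, str] = {
    "email address": "personal information",
    "name": "personal information",
    "phone number": "personal information",
    "ip address": "personal information",
    "personal information": "information",
    "device identifier": "information",
}
# Surface phrases folded onto canonical type names.
SYNONYMS: Dict[str, str] = {
    "personal data": "personal information",
    "personally identifiable information": "personal information",
    "email addresses": "email address",
    "emails": "email address",
    "customer names": "name",
    "names": "name",
    "phone numbers": "phone number",
    "ip addresses": "ip address",
}
_PHRASES = set(SYNONYMS) | set(ONTOLOGY) | set(ONTOLOGY.values())
# Longest phrase first, so "personal information" wins over "information".
_TYPE = re.compile(
    r"\b(" + "|".join(sorted(map(re.escape, _PHRASES), key=len, reverse=True)) + r")\b",
    re.IGNORECASE)
# A collection verb, optionally preceded by a negation.
_VERB = re.compile(
    r"\b(?P<neg>(?:do(?:es)?|will|shall)\s+not|don't|doesn't|won't|never)?"
    r"\s*(?:collect|gather|store|obtain)s?\b",
    re.IGNORECASE)

Statement = Tuple[bool, str, str]          # (collects?, canonical type, source clause)
Contradiction = Tuple[str, str, str, str]  # (broad type, specific type, negative clause, positive clause)


def canonical(phrase: str) -> str:
    phrase = phrase.lower()
    return SYNONYMS.get(phrase, phrase)


def ancestors(data_type: str) -> Set[str]:
    """All categories above `data_type` in the ontology."""
    found: Set[str] = set()
    while data_type in ONTOLOGY:
        data_type = ONTOLOGY[data_type]
        found.add(data_type)
    return found


def extract_statements(policy_text: str) -> List[Statement]:
    """One statement per data type mentioned after a (negated) collection verb."""
    statements: List[Statement] = []
    for clause in re.split(r"[.;]", policy_text):
        clause = clause.strip()
        verb = _VERB.search(clause)
        if not verb:
            continue
        collects = verb.group("neg") is None
        for phrase in _TYPE.findall(clause[verb.end():]):
            statements.append((collects, canonical(phrase), clause))
    return statements


def find_contradictions(policy_text: str) -> List[Contradiction]:
    """Positive statements whose type, or an ancestor of it, is denied elsewhere."""
    statements = extract_statements(policy_text)
    denied = {dtype: clause for collects, dtype, clause in statements if not collects}
    results: List[Contradiction] = []
    for collects, dtype, clause in statements:
        if not collects:
            continue
        for broad in [dtype] + sorted(ancestors(dtype)):
            if broad in denied:
                results.append((broad, dtype, denied[broad], clause))
    return results


# Constructed sample policy modelled on the pattern the study describes.
SAMPLE_POLICY = (
    "1. Information We Collect. We do not collect personal data from users of the app. "
    "We may use anonymous, aggregated statistics to improve the service. "
    "2. Account Registration. When you register we collect your email addresses and "
    "customer names so that we can contact you."
)
CONSISTENT_POLICY = (
    "We collect your email address to create your account. "
    "We do not collect your phone number or IP address."
)

if __name__ == "__main__":
    for broad, specific, neg, pos in find_contradictions(SAMPLE_POLICY):
        print(f"'{specific}' is '{broad}': \"{neg}\" vs \"{pos}\"")
```

The ontology is what turns two individually reasonable sentences into a finding: without knowing that an email address is personal information, the two clauses never collide. PolicyLint does this with a data ontology learned from the policies themselves and with real sentence parsing; the regular expressions here are only enough for the sample text.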
Encryption

Apple Dropped Plan for Encrypting Backups After FBI Complained (reuters.com) 134

Apple dropped plans to let iPhone users fully encrypt backups of their devices in the company's iCloud service after the FBI complained that the move would harm investigations, Reuters reported on Tuesday, citing six sources familiar with the matter. From the report: The tech giant's reversal, about two years ago, has not previously been reported. It shows how much Apple has been willing to help U.S. law enforcement and intelligence agencies, despite taking a harder line in high-profile legal disputes with the government and casting itself as a defender of its customers' information. The long-running tug of war between investigators' concerns about security and tech companies' desire for user privacy moved back into the public spotlight last week, as U.S. Attorney General William Barr took the rare step of publicly calling on Apple to unlock two iPhones used by a Saudi Air Force officer who shot dead three Americans at a Pensacola, Florida naval base last month.

U.S. President Donald Trump piled on, accusing Apple on Twitter of refusing to unlock phones used by "killers, drug dealers and other violent criminal elements." Republican and Democratic senators sounded a similar theme in a December hearing, threatening legislation against end-to-end encryption, citing unrecoverable evidence of crimes against children. Apple did in fact turn over the shooter's iCloud backups in the Pensacola case, and said it rejected the characterization that it "has not provided substantive assistance." Behind the scenes, Apple has provided the U.S. Federal Bureau of Investigation with more sweeping help, not related to any specific probe.

Privacy

LastPass Is In the Midst of a Major Outage (zdnet.com) 73

LastPass has been suffering from a major outage as users are reporting being unable to log into their accounts and autofill passwords. What's odd is the company insists that everything is working properly, even though there's an unusually high number of users reporting issues. ZDNet reports: User reports about login issues have been flooding Twitter, but also the company's forum, Reddit, and DownDetector. Users are reporting receiving the following error when trying to log in: "An error has occurred while contacting the LastPass server. Please try again later." Both home and enterprise users are impacted. According to reports, LastPass' support staff has been either non-responsive, or denying reports of any technical issue happening at all. Despite issues being reported as far back as three days ago, the company has not updated its status page to reflect the incident, nor has it provided any type of explanation or useful help to its userbase.

According to multiple users on Twitter, the problems appear to impact only users with LastPass accounts dating to 2014, or prior. On DownDetector, a company spokesperson said the company was still investigating the incident, stating that there are no glaring issues with its servers -- which suggests the roots of this outage might be in a software component. "We are aware of and actively investigating reports from some LastPass customers who are experiencing issues and receiving errors when attempting to log in. At this time no service issues have been identified." Contacted by ZDNet, the company described the outage as "an isolated issue with limited impact" and said that "engineers are working to resolve the issue."

The Internet

Feds Seize WeLeakInfo.com For Selling Access To Stolen Data (pcmag.com) 13

JustAnotherOldGuy shares a report from PC Magazine: The FBI has shut down a website that offered hackers easy access to 12 billion records stolen in thousands of data breaches. On Thursday, the Justice Department announced it had seized the internet domain to WeLeakInfo.com, a site that was cataloging data taken from more than 10,300 data breaches at various companies and websites over the years. Customers could pay as little as $2 to gain access to the massive trove of data, which was carefully indexed and searchable. In return, subscribers could look up a person's email address to find out what previously leaked passwords, names, phone numbers, and IP addresses had been associated with it. It isn't entirely clear how WeLeakInfo.com was obtaining the data breach records. But hackers routinely sell, trade, and collect such information on dark web marketplaces and forums.
