Cellphones

Ask Slashdot: Are My Drone Apps Phoning Home?

Slashdot reader bitwraith noticed something suspicious after flying "a few cheap, ready-to-fly quadcopters" with their smartphone apps, including drones from Odyssey and Eachine. I often turn off my phone's Wi-Fi support before plugging it in to charge at night, only to discover it has mysteriously turned on in the morning. After checking the Wi-Fi Control History on my S7, it appears as though the various cookie-cutter apps for these drones wake up to phone home in the night after they are opened, while the phone is charging. I tried contacting the publisher of the Odyssey VR app, with no reply.

I would uninstall the app, but then how would I fly my drone? Why did Google grant permission to control Wi-Fi state implicitly to all apps, including these abusers? Are the apps phoning home to report my flight history?

The original submission asks about similar experiences from other drone-owning Slashdot users -- so leave your best answers in the comments. What's making this phone wake up in the night?

Are the drone apps phoning home?
United States

Net Neutrality Rollback Faces New Criticism From US Congress -- And 16 Million Comments (techcrunch.com)

An anonymous reader quotes TechCrunch's newest update on the FCC's attempt to gut net neutrality protections: 10 Representatives who helped craft the law governing the FCC itself have submitted an official comment on the proposal ruthlessly dismantling it... The FCC is well within its rights to interpret the law, and it doesn't have to listen to contrary comments from the likes of you and me. It does, however, have to listen to Congress -- "congressional intent" is a huge factor in determining whether an interpretation of the law is reasonable. And in the comment they've just filed, Representatives Pallone, Doyle et al. make it very clear that their intent was and remains very different from how the FCC has chosen to represent it.

"The law directs the FCC to look at ISP services as distinct from those services that ride over the networks. The FCC's proposal contravenes our intent... While some may argue that this distinction should be abandoned because of changes in today's market, that choice is not the FCC's to make. The decision remains squarely with those of us in Congress -- and we have repeatedly chosen to leave the law as it is."

In another letter Thursday, 15 Congressmen asked FCC Chairman Ajit Pai to extend the time period for comments. They note the proposed changes have received more than 16 million comments, more than four times the number of comments on any previous FCC item. The Hill reports that the previous record was 4 million comments -- during the FCC's last net neutrality proceeding in 2014 -- and "the lawmakers also noted that the comment period for approving net neutrality in 2014 was 60 days. Pai has only allowed a 30-day comment period for his plan to roll back the rules."
The Military

A US Spy Plane Has Been Flying Circles Over Seattle For Days (thedrive.com)

turkeydance shares Thursday's report from The Drive: A very unique U.S. Air Force surveillance aircraft has been flying highly defined circles over Seattle and its various suburbs for nine days now... The aircraft, which goes by the callsign "SPUD21" and wears a nondescript flat gray paint job with the only visible markings being a U.S. Air Force serial on its tail, is a CASA CN-235-300 transport aircraft that has been extensively modified... It is covered in a dizzying array of blisters, protrusions, humps and bumps. These include missile approach warning detectors and large fairings on its empennage for buckets of forward-firing decoy flares, as well as both microwave -- the dome antenna behind the wing and flat antenna modification in front of the wing -- and ultra high-frequency satellite communications -- the platter-like antenna behind the dome antenna. A communications intelligence suite also appears to be installed on the aircraft, with the antenna farm on the bottom of its fuselage being a clear indication of such a capability. But what's most interesting is the aircraft's apparent visual intelligence gathering installation...

This particular CN-235, with the serial 96-6042, is one of six that researchers commonly associated with the Air Force's top secret 427th Special Operations Squadron... The 427th occupies the same space with a host of other "black" U.S. military aviation elements, most of which are affiliated to some degree with Joint Special Operations Command and the Intelligence Community... [I]f the military placed the aircraft under civilian control to some degree and with an appropriate legal justification, the U.S. military could possibly fly it in support of a domestic operation or one focused on a foreign suspect or organization operating within the United States... It's also entirely possible, if not probable, that the aircraft could be involved in a realistic training exercise rather than an actual operation... The area could have simply provided a suitable urban area to test existing or new surveillance technologies, too, though this could spark serious privacy concerns if true.

Friday an Air Force Special Operations Command public affairs officer confirmed that the plane was one of theirs, describing its activity as "just a training mission," according to Russia Today.
Government

'Elon Musk's Hyperloop Is Doomed For the Worst Reason' (bloomberg.com)

schwit1 quotes a Bloomberg column by Virginia Postrel: What makes Musk's Hyperloop plan seem like fantasy isn't the high-tech part. Shooting passengers along at more than 700 miles per hour seems simple -- engineers pushed 200 miles-per-hour in a test this week -- compared to building a tunnel from New York to Washington. And even digging that enormously long tunnel -- twice as long as the longest currently in existence -- seems straightforward compared to navigating the necessary regulatory approvals... The eye-rolling comes less from the technical challenges than from the bureaucratic ones.

With his premature declaration, Musk is doing public debate a favor. He's reminding us of what the barriers to ambitious projects really are: not technology, not even money, but getting permission to try. "Permits harder than technology," Musk tweeted after talking with Los Angeles mayor Eric Garcetti about building a tunnel network. That's true for the public sector as well as the private... SpaceX and its commercial-spaceflight competitors can experiment because Congress and President Barack Obama agreed to protect them from Federal Aviation Administration standards. Musk is betting that his salesmanship will have a similar effect on the ground. He's trying to get the public so excited that the political pressures to allow the Hyperloop to go forward become irresistible. He seems to believe that he can will the permission into being. If he succeeds, he'll upend not merely intercity transit but the bureaucratic process by which things get built. That would be a true science-fiction scenario.

The Courts

Who's Profiting From The WannaCry Ransoms? (cnn.com)

CNN reports: For months, the ransom money from the massive WannaCry cyberattack sat untouched in online accounts. Now, someone has moved it. More than $140,000 worth of digital currency bitcoin has been drained from three accounts linked to the ransomware virus that hit hundreds of thousands of computers around the world in May.
Meanwhile, a Ukrainian law firm wants NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software, said to be the point of origin of the NotPetya ransomware outbreak. An anonymous reader quotes BleepingComputer: The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police. A subsequent investigation revealed that Intellect-Service had grossly mismanaged the hacked servers, which were left without updates since 2013 and were backdoored on three different occasions... The Juscutum Attorneys Association says that on Tuesday, Ukrainian Cyber Police confirmed in an official document that M.E.Doc servers were backdoored on three different occasions. The company is now using this document as the primary driving force behind its legal action.
The law firm says victims must pay all of the court fees -- and give them 30% of any awarded damages.
Censorship

Syrian Open Source Developer Bassel Khartabil Believed Executed (www.cbc.ca)

TheSync writes: The Syrian open source developer, blogger, entrepreneur, hackerspace founder, and free culture advocate Bassel Khartabil was swept up in a wave of military arrests in March 2012. A CBC report states that his wife wrote on Facebook late Tuesday that she has received confirmation that security services executed Khartabil in October 2015 after torturing him in prison. Before his arrest, his most recent work included a 3D virtual reconstruction of the ancient city of Palmyra in Syria.
At the time of his arrest, Khartabil was 30 years old -- after which he started a blog called "MeInSyrianJail" and a Twitter account called "Live from my cell." Though he spent the last three and a half years of his life in prison, he once tweeted that "Jail is not walls, not the executioner and guards. It is the hidden fear in our hearts that makes us prisoners." The latest tweet on his feed says "Rest in power our friend."

Thursday the Creative Commons nonprofit described the developer as "our friend and colleague," and announced the Bassel Khartabil Memorial Fund, "which will support projects in the spirit of Bassel's work."
Chrome

Browser Extensions Are Undermining Privacy (vortex.com)

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."
Bug

The NSA Intercepted Microsoft's Windows Bug Reports (schneier.com)

Bruce Schneier writes on his security blog: Back in 2013, Der Spiegel reported that the NSA intercepts and collects Windows bug reports... "When Tailored Access Operations selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft... this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer..."

The article talks about the (limited) value of this information with regard to specific target computers, but I have another question: how valuable would this database be for finding new zero-day Windows vulnerabilities to exploit?

The Courts

Volkswagen Executive Faces Jail Time After Guilty Plea (arstechnica.com)

An anonymous reader quotes Ars Technica: A former Volkswagen executive has pleaded guilty to two charges related to the company's diesel emissions scandal. He is the second VW Group employee to do so, following retired engineer James Liang pleading guilty last summer. The VW Group executive, Oliver Schmidt, was based outside of Detroit and was in charge of emissions compliance for Volkswagen in the years before the company was caught using illegal software to cheat on federal emissions tests.

Schmidt, a German citizen who was 48 when he was arrested in Miami in January on vacation, was originally charged with 11 felony counts. In accepting a plea deal from US federal officials, Schmidt will only plead guilty to two charges: conspiracy to defraud the US government and violate the Clean Air Act, and making a false statement under the Clean Air Act. Schmidt will be sentenced in December. He could face up to seven years in prison, as well as fines from $40,000 to $400,000, according to the plea agreement. After that, Schmidt could also be required to serve four years of supervised release.

Businesses

Wells Fargo Sued Again For Misbilling Car Owners And Veterans (reuters.com)

UnknowingFool writes: A new class action lawsuit from a former Wells Fargo customer claimed the bank charged loan customers for auto insurance they did not need. With auto loans, the bank often requires that full coverage auto insurance be bought when the loan is made. However, lead plaintiff Paul Hancock says that Wells Fargo charged him for auto insurance even though he informed them he already had an insurance policy with another company. Wells Fargo also charged him a late fee when he disputed the charge. Wells Fargo does not dispute that it did this to customers and has offered to refund $80 million to 570,000 customers who were charged for insurance. The lawsuit however is to recoup late fees, delinquency charges, and other fees that the refund would not cover.
NPR describes Wells Fargo actually repossessing the car of a man who was "marked as delinquent for not paying this insurance -- which he didn't want or need or even know about." Friday the bank also revealed the number of "potentially unauthorized accounts" from its earlier fake accounts scandal could be much higher than previous estimates -- and that they're now expecting their legal costs to exceed the $3.3 billion they'd already set aside.

And Reuters reports that the bank will also be paying $108 million "to settle a whistleblower lawsuit claiming it charged military veterans hidden fees to refinance their mortgages, and concealed the fees when applying for federal loan guarantees."
Communications

Is Microsoft Hustling Us With 'White Spaces'? (wired.com)

rgh02 writes: Microsoft recently announced their plan to deploy unused television airwaves to solve the digital divide in America. And while the media painted this effort as a noble one, at Backchannel, Susan Crawford reveals the truth: "Microsoft's plans aren't really about consumer internet access, don't actually focus on rural areas, and aren't targeted at the US -- except for political purposes." So what is Microsoft really up to?
The article's author believes Microsoft's real game is "to be the soup-to-nuts provider of Internet of Things devices, software, and consulting services to zillions of local and national governments around the world. Need to use energy more efficiently, manage your traffic lights, target preventative maintenance, and optimize your public transport -- but you're a local government with limited resources and competence? Call Microsoft."

The article argues Microsoft wants to bypass mobile data carriers who "will want a pound of flesh -- a percentage -- in exchange for shipping data generated by Microsoft devices from Point A to Point B... [I]n many places, they are the only ones allowed to use airwave frequencies -- spectrum -- under licenses from local governments for which they have paid hundreds of millions of dollars."
Social Networks

FBI Tracked 'Fake News' Believed To Be From Russia On Election Day (cnn.com)

An anonymous reader quotes a report from CNN: The FBI monitored social media on Election Day last year in an effort to track a suspected Russian disinformation campaign utilizing "fake news," CNN has learned. In the months leading up to Election Day, Twitter and Facebook were the feeding grounds for viral "news" stories floating conspiracies and hoaxes, many aimed at spreading negative false claims about Hillary Clinton. On Election Day, dozens of agents and analysts huddled at a command center arrayed with large monitoring screens at the FBI headquarters in Washington watching for security threats, according to multiple sources. That included analysts monitoring cyber threats, after months of mounting Russian intrusions targeting every part of the US political system, from political parties to policy think-tanks to state election systems. On this day, there was also a group of FBI cyber and counterintelligence analysts and investigators watching social media. FBI analysts had identified social media user accounts behind stories, some based overseas, and the suspicion was that at least some were part of a Russian disinformation campaign, according to two sources familiar with the investigation.
Open Source

Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens (theregister.co.uk)

An anonymous reader shares a report from The Register: In late June, noted open-source programmer Bruce Perens [a longtime Slashdot reader] warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog. The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference. Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Grsecurity used to allow others to redistribute its patches, but the biz ended that practice for stable releases two years ago and for test patches in April this year. It offers its GPLv2 licensed software through a subscription agreement. The agreement says that customers who redistribute the code -- a right under the GPLv2 license -- will no longer be customers and will lose the right to distribute subsequent versions of the software. According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition." A legal complaint (PDF) filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed. Perens isn't arguing that the GPLv2 applies to unreleased software. Rather, he asserts the GPLv2, under section 6, specifically forbids the addition of contractual terms.

Android

BLU Claims Innocence, Gets Phones Reinstated On Amazon (slashgear.com)

Earlier this week, Amazon suspended budget phone maker BLU from selling its phones on the site, citing a "potential security issue." A few days have passed and BLU has made its defense. SlashGear reports: AdUps, the Chinese company that provides affordable firmware update software to countless budget Android phones, is not spyware and not even Kryptowire, the security firm that broke the news last year, called it that, insists BLU. To be fair, Kryptowire really didn't. In its 2016 report, it simply described AdUps' OTA software as "FIRMWARE THAT TRANSMITTED PERSONALLY IDENTIFIABLE INFORMATION (PII) WITHOUT USER CONSENT OR DISCLOSURE." Curiously, that is more or less how the FTC defines spyware (PDF). In its 2017 follow-up, it did drop the second part of that phrase and simply reported on "mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties." While BLU, and a few other OEMs, was caught unaware by the first report, it's insisting on its innocence in this second instance. Its defense stems from the argument that it is doing nothing that violates its Privacy Policy and, therefore, doesn't constitute any wrongdoing. Yes, that privacy policy that barely anyone reads, which can't legally be blamed on manufacturers anyway.

In other words, when you agreed to use BLU's devices, you basically agreed that such PII could possibly be transmitted to a third party outside the US. In this particular case, that does apply to the situation with AdUps. Interestingly, the policy's copyright dates back to 2016, when the AdUps issue first came up. The Internet Archive doesn't seem to have any version of that page before April this year. And so we come to BLU's second argument: everybody's doing it. The data that AdUps collects is the same as, or even just a fraction of, what other OEMs are collecting. Google is hardly the bastion of privacy, and other OEMs are also collecting such data and sending it to servers in China, as is the case with Huawei and ZTE. Finally, BLU says that Kryptowire's new report really only identifies the Cubot X16S, from a Chinese OEM, as the only smartphone really spying on its users.
UPDATE: BLU has confirmed that its devices "are now back up for sale on Amazon."
The Internet

Supreme Court Moves Toward Digital With Online Court Filings (thehill.com)

An anonymous reader quotes a report from The Hill: Supreme Court case documents will soon be made available for the first time online. The court announced Thursday that it will launch an electronic filing system on Nov. 13 that will make "virtually all new filings" accessible to the public via the court's website for free. Court documents for the lower courts are typically available online through the Public Access to Court Electronics Records, which charges a fee per page. The court's announcement comes just days after the high court unveiled a newly designed website. Court watchers say it's a surprising, but welcome, jump into the 21st century for a court that's been reluctant over the years to advance its technologies.
Government

Apple Owns $52.6 Billion In US Treasury Securities, More Than Mexico, Turkey or Norway (cnbc.com)

randomErr shares a report from CNBC: If Apple were a foreign country, CEO Tim Cook might have considerable political clout in the United States. That's because the tech giant owns $52.6 billion in U.S. Treasury securities, which would rank it among the top 25 major foreign holders, according to estimates from the Treasury Department and Apple's SEC filings released Wednesday. Apple's stake in U.S. government securities as of June, up from $41.7 billion as of last September, puts it ahead of Israel, Mexico and the Netherlands, according to Treasury data released last month, which tracks up to May of this year. With $20.1 billion in short-term Treasury securities and $31.35 billion in long-term marketable Treasury securities, Apple still falls far below countries like China and Japan, which hold over a trillion dollars in U.S. government debt each -- which has caused considerable hand-wringing in Washington. Still, Apple is way above other big companies like Amazon, which owns less than $5 billion in U.S. government or agency securities combined, according to regulatory filings.
The Military

US Army Calls Halt On Use of Chinese-Made Drones By DJI (theverge.com)

Due to "an increased awareness of cyber vulnerabilities with DJI products," the U.S. Army is asking all units to discontinue the use of DJI drones. The news comes from an internal memo obtained by the editor of SUAS News. It notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017. The Verge reports: SUAS News published a piece back in May of this year that made a number of serious accusations about data gathered by DJI drones. Author Kevin Pomaski starts out writing, "Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent." However, he never follows up with evidence to demonstrate how this data becomes public or can be found through a Google search. Pomaski also points out, correctly, that when DJI users elect to upload data to their SkyPixel accounts through the DJI app, this data can be stored on servers in the U.S., Hong Kong, and China. This data can include videos, photos, and audio recorded by your phone's microphone, and telemetry data detailing the height, distance, and position of your recent flights. DJI provided the following statement to The Verge: "People, businesses and governments around the world rely on DJI's products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have 'issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.' We are surprised and disappointed to read reports of the U.S. Army's unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."
Republicans

Silicon Valley Says Trump Plan To Reduce Immigration Will Hurt Economy (cbslocal.com)

An anonymous reader quotes a report from CBS Local: President Donald Trump's push to cut legal immigration to the United States in half is being met by opposition from Silicon Valley leaders, economists, and even some Republican senators, who all say legal immigration is key to economic prosperity. The Trump administration Wednesday endorsed the Reforming American Immigration for a Strong Economy Act or RAISE Act, a Senate bill introduced by two Republican senators earlier this year, that aims to cut all U.S. immigration in half. Business leaders, especially those in California's tech industry, say the bill will stymie their ability to fill jobs and grow the U.S. economy. California's economy is the sixth largest in the world and many attribute that success, in part, to immigration. The Information Technology Industry Council, which represents companies including Amazon, Apple, Adobe, Dell, Facebook, Hewlett-Packard, Google, Visa, Nokia, and Microsoft, railed against the bill.

Dean Garfield, President and CEO of the council said, "This is not the right proposal to fix our immigration system because it does not address the challenges tech companies face, injects more bureaucratic dysfunction, and removes employers as the best judge of the employee merits they need to succeed and grow the U.S. economy." Garfield argues that the tech industry cannot find enough STEM-skilled Americans to fill open positions and that U.S. immigration policy "stops us from keeping the best and brightest innovators here in the U.S. and instead we lose out to our overseas competitors."

Security

ESET Spreading FUD About Torrent Files, Clients (welivesecurity.com)

An anonymous reader writes: ESET has taken fear mongering, something that some security firms continue to do, to a new level by issuing a blanket warning to users to view torrent files and clients as a threat. The warning came from the company's so-called security evangelist Ondrej Kubovic, who used extremely patchy data to try and scare the bejesus out of computer users (Google cache). Like all such attempts at FUD, his treatise ended with a claim that ESET was the one true source whereby users could obtain "knowledge" to protect themselves. "If you want to stay informed and protect yourself by building up your knowledge, read the latest pieces by ESET researchers on WeLiveSecurity," he wrote. Kubovic used the case of Transmission -- a BitTorrent client that was breached in March and August 2016 with malware implanted and aimed at macOS users -- to push his barrow. But to use this one instance to dissuade people from downloading BitTorrent clients en masse is nothing short of scaremongering. There are dozens, if not more, BitTorrent clients which enjoy much wider usage, with uTorrent being one good example. Kubovic then used the old furphy which is resorted to by those who lobby on behalf of the copyright industry -- torrents are mostly illegal files and downloading them is Not The Right Thing To Do. But then he failed to mention that hundreds of thousands of perfectly legitimate files are also offered as torrents -- for instance, this writer regularly downloads images of various GNU/Linux distributions using a BitTorrent client because it is the more community-friendly thing to do, rather than using a direct HTTP link and hogging all the bandwidth available.
The Courts

'Pharma Bro' Martin Shkreli Found Guilty of 3 of 8 Charges, Including Securities Fraud (cnbc.com)

Former pharmaceutical chief executive Martin Shkreli has been found guilty of securities fraud. A New York City jury returned the verdict after five days of deliberations. From a report: Shkreli, 34, was convicted of some of the eight criminal counts that he had faced, which had included securities fraud and conspiracy to commit both securities fraud and wire fraud, after a more-than-month-long trial in Brooklyn, New York, federal court. Of the eight counts, Shkreli was found guilty of three. Those included conspiracy to commit securities fraud, and two counts of securities fraud. He was found not guilty of five counts, including those related to wire fraud. He faces up to 20 years in prison when he is sentenced.
Security

The Kronos Indictment: Is it a Crime To Create and Sell Malware? (washingtonpost.com)

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggests that the government will face significant legal challenges. Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes: The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.
AI

Chinese Chatbots Apparently Re-educated After Political Faux Pas (reuters.com) 80

A pair of 'chatbots' in China have been taken offline after appearing to stray off-script. In response to users' questions, one said its dream was to travel to the United States, while the other said it wasn't a huge fan of the Chinese Communist Party. From a report: The two chatbots, BabyQ and XiaoBing, are designed to use machine learning artificial intelligence (AI) to carry out conversations with humans online. Both had been installed onto Tencent Holdings Ltd's popular messaging service QQ. The indiscretions are similar to ones suffered by Facebook and Twitter, where chatbots used expletives and even created their own language. But they also highlight the pitfalls for nascent AI in China, where censors control online content seen as politically incorrect or harmful. Tencent confirmed it had taken the two robots offline from its QQ messaging service, but declined to elaborate on reasons.
Communications

The FCC Is Full Again, With Three Republicans and Two Democrats (arstechnica.com) 81

An anonymous reader quotes a report from Ars Technica: The U.S. Senate today confirmed the nominations of Republican Brendan Carr and Democrat Jessica Rosenworcel to fill the two empty seats on the Federal Communications Commission. FCC Chairman Ajit Pai congratulated the commissioners in a statement. "As I know from working with each of them for years, they have distinguished records of public service and will be valuable assets to the FCC in the years to come," Pai said. "Their experience at the FCC makes them particularly well-suited to hit the ground running. I'm pleased that the FCC will once again be at full strength and look forward to collaborating to close the digital divide, promote innovation, protect consumers, and improve the agency's operations."

Carr served as Pai's Wireless, Public Safety and International Legal Advisor for three years. After President Trump elevated Pai to the chairmanship in January, Pai appointed Carr to become the FCC's general counsel. Rosenworcel had to leave the commission at the end of last year when the Republican-led US Senate refused to re-confirm her for a second five-year term. But Democrats pushed Trump to re-nominate Rosenworcel to fill the empty Democratic spot and he obliged. FCC commissioners are nominated by the president and confirmed by the Senate. Besides Pai, Carr, and Rosenworcel, the five-member commission includes Republican Michael O'Rielly and Democrat Mignon Clyburn.

The Courts

NotPetya Ransomware Victims Preparing Lawsuit Against Ukrainian Software Firm (bleepingcomputer.com) 25

An anonymous reader writes from a report via Bleeping Computer: The Juscutum Attorneys Association, a Ukrainian law firm, is rallying NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software -- the point of origin of the NotPetya ransomware outbreak. The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police. A subsequent investigation revealed that Intellect-Service had grossly mismanaged the hacked update servers, which had been left without updates since 2013 and were backdoored on three different occasions. On Tuesday, Ukrainian Cyber Police confirmed in an official document that M.E.Doc servers were backdoored on three different occasions. The law firm is now using this document as the primary driving force behind its legal action. Juscutum says that victims must pay all court fees, must provide evidence or help with the collection of evidence, and must agree to a 30% cut in the case of any awarded damages. The lawsuit is in its incipient stages. Juscutum representatives are currently spreading their message and encouraging victims to join the lawsuit via social media posts and articles in the local Ukrainian press.
Security

WikiLeaks Reveals CIA Tool For Hacking Webcams, Microphones (thestack.com) 107

An anonymous reader quotes a report from The Stack: WikiLeaks has released a new set of documents in the CIA Vault 7 leak, outlining the "Dumbo" hacking tool which allows control of webcams and microphones. The release explains that the tool is capable of completely suspending processes on webcams and corrupting video recordings. Dumbo is tasked specifically with gaining and exploiting physical access to target computers used in CIA field operations, the release notes. According to WikiLeaks, the tool allows for the identification, control and manipulation of monitoring and detection systems, such as webcams and microphones, running the Microsoft Windows operating system. The tool first identifies all installed devices, whether they are connected locally, wirelessly, or across wired networks. Once Dumbo has detected all of these devices, it identifies all the related processes, which may include recording, monitoring or detection of video, audio and network streams. These processes can then be suspended by the operator. "By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation," the release added. Dumbo does require direct access to the target computer and is run from a USB stick. The release states that it supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. However, 64-bit Windows XP and Windows versions prior to XP are not supported.
China

China Is Perfecting a New Method For Suppressing Dissent On the Internet (vox.com) 151

An anonymous reader quotes a report from Vox: The art of suppressing dissent has been perfected over the years by authoritarian governments. For most of human history, the solution was simple: force. Punish people severely enough when they step out of line and you deter potential protesters. But in the age of the internet and "fake news," there are easier ways to tame dissent. A new study by Gary King of Harvard University, Jennifer Pan of Stanford University, and Margaret Roberts of the University of California San Diego suggests that China is the leading innovator on this front. Their paper, titled "How the Chinese Government Fabricates Social Media Posts for Strategic Distraction, Not Engaged Argument," shows how Beijing, with the help of a massive army of government-backed internet commentators, floods the web in China with pro-regime propaganda. What's different about China's approach is the content of the propaganda. The government doesn't refute critics or defend policies; instead, it overwhelms the population with positive news (what the researchers call "cheerleading" content) in order to eclipse bad news and divert attention away from actual problems. This has allowed the Chinese government to manipulate citizens without appearing to do so. It permits just enough criticism to maintain the illusion of dissent and only acts overtly when fears of mass protest or collective action arise.
Crime

Man Used DDoS Attacks On Media To Extort Them To Remove Stories (itwire.com) 34

New submitter troublemaker_23 shares a report from iTWire: A 32-year-old man from Seattle who was arrested for mounting a series of distributed denial of service attacks on businesses in Australia, the U.S. and Canada, wanted articles about himself removed from various news sites, including Fairfax Media. According to an FBI chargesheet filed in the U.S. District Court for the Northern District of Texas (Dallas Division), Kamyar Jahanrakhshan tried to get articles removed from the Sydney Morning Herald, a site for legal articles known as Leagle.com, Metronews.ca, a Canadian news website, CBC in Canada and Canada.ca. The chargesheet, filed by FBI special agent Matthew Dosher, said Jahanrakhshan migrated to the U.S. in 1991 and took U.S. citizenship; he then moved to Canada about four years later and became a permanent resident there. He had a conviction for second degree theft in Washington state in 2005 and this was vacated in August 2011; he also had a 2011 conviction for fraud and obstruction in Canada. In each case, Jahanrakhshan, who was deported back to the U.S. as a result of the Canada crime, launched DDoS attacks on the news websites and then contacted them. Further reading: Ars Technica
Software

Cable Giants Step Up Piracy Battle By Interrogating Montreal Software Developer (www.cbc.ca) 185

New submitter wierzpio writes: In more news about TVAddons, Canadian cable companies used a civil search warrant to visit the owner and developer of TVAddons, a library of hundreds of apps known as add-ons that allow people easy access to pirated movies, TV shows, and live TV. According to Adam Lackman, founder of TVAddons and defendant in the copyright lawsuit launched by the television giants, "The whole experience was horrifying. It felt like the kind of thing you would have expected to have happened in the Soviet Union." During the 16-hour-long visit, he was interrogated, denied the right not to answer the questions, and denied the right to consult his lawyer, who was present, about his answers. His personal possessions were seized. Adam is fighting back (link to Indiegogo fundraising page) and already the judge has declared the search warrant "null and void." "I am of the view that its true purpose was to destroy the livelihood of the defendant, deny him the financial resources to finance a defense to the claim made against him," the judge wrote. "The defendant has demonstrated that he has an arguable case that he is not violating the [Copyright] Act," the judge continued, adding that by the plaintiffs' own estimate, only about one per cent of Lackman's add-ons were allegedly used to pirate content. Lackman's belongings still haven't been returned, and he can't access the TVAddons website or its social media accounts, which were also seized. "Bell, Rogers and Videotron have appealed the court decision and a Federal Court of Appeal judge has ruled that until the appeal can be heard, Lackman will get nothing back," reports cbc.ca.
Businesses

Font Maker Sues Universal Music Over 'Pirated' The Vamps Logo (torrentfreak.com) 142

An anonymous reader writes: Universal Music Group is being sued by HypeForType, which accuses the record label of using "pirated" copies of its fonts for the logo of The Vamps. The font is widely used for artwork, promotion material and merchandising of the popular British band, and the font creator is looking for a minimum of $1.25 million in damages. The font maker has filed a lawsuit accusing the major label of using its "Nanami Rounded" and "Ebisu Bold" fonts without permission. According to a complaint, filed in a New York federal court, Universal failed to obtain a proper license for its use, so they are essentially using pirated fonts.
Censorship

Joining Apple, Amazon's China Cloud Service Bows To Censors (nytimes.com) 51

Days after Apple yanked anti-censorship tools off its app store in China, another major American technology company is moving to implement the country's tough restrictions on online content. From a report: A Chinese company that operates Amazon's cloud-computing and online services business there said on Tuesday that it told local customers to cease using any software that would allow Chinese users to circumvent the country's extensive system of internet blocks (Editor's note: the link could be paywalled; alternative source). The company, called Beijing Sinnet Technology and operator of the American company's Amazon Web Services operations in China, sent one round of emails to customers on Friday and another on Monday. "If users don't comply with the guidance, the offered services and their websites can be shut down," said a woman surnamed Wang who answered a Sinnet service hotline. "We the operators also check routinely if any of our users use this software or store illegal content." Ms. Wang said the letter was sent according to recent guidance from China's Ministry of Public Security and the country's telecom regulator. Amazon did not respond to emails and phone calls requesting comment. The emails are the latest sign of a widening push by China's government to block access to software that gets over the Great Firewall -- the nickname for the sophisticated internet filters that China uses to stop its people from gaining access to Facebook, Google and Twitter, as well as foreign news media outlets.
Businesses

New Data On H-1B Visas Prove That IT Outsourcers Hire a Lot But Pay Very Little (qz.com) 233

New submitter FerociousFerret shares a report from Quartz: Hard numbers have been released by the U.S. government agency that screens visas for high-skilled foreign workers, and they are not pretty. Data made available by the U.S. Citizenship and Immigration Services (USCIS) for the first time show that the widely made complaint about the visa program is true: a small number of IT outsourcing companies get a disproportionately high number of H-1B visas and pay below-average wages to their workers. The new data also gives a more accurate picture of salaries of H-1B workers by employer. The top IT outsourcing companies on average paid much lower salaries to their workers. The wage divide is largely a result of the different education requirements of H-1B positions. H-1B visas are issued for positions requiring specialized skills, which generally means a bachelor's degree or higher. More than 98% of approved H-1B visa positions were awarded to workers with either a bachelor's or a master's degree in fiscal year 2016. A closer look at the education held by H-1B workers at companies like Google, Amazon and Intel -- places with in-house tech staffs -- shows that more than 60% had master's degrees. For most IT outsourcing companies, the majority of H-1B visa holders had only a bachelor's.
Privacy

NSA Unlawfully Surveilled Kim Dotcom In New Zealand, Says Report (thehill.com) 133

According to new documents from New Zealand's Government Communications Security Bureau (GCSB), the NSA illegally used technology to spy on Megaupload founder Kim Dotcom. "The New Zealand Herald first reported that the GCSB told the nation's high court that it ceased all surveillance of Dotcom in early 2012, but that 'limited' amounts of communications from Dotcom were later intercepted by its technology without the bureau's knowledge," reports The Hill. From the report: Dotcom was surveilled by the NSA and the GCSB in a joint intelligence operation named Operation Debut. According to the Herald, that surveillance was scheduled to end in January 2012, but the United States continued to use New Zealand's technology. According to court documents obtained by the Herald, "Limited interception of some communications continued beyond the detasking date without the knowledge of GCSB staff." The court papers don't explain how the NSA was able to use the GCSB's spying technology without the bureau's knowledge. According to the Herald, "The GCSB documents do contain an admission of NSA involvement, although it was not made outright." Dotcom is facing charges of copyright infringement and money laundering related to Megaupload, a file-sharing website shut down in 2012. He is currently fighting U.S. attempts to extradite him from New Zealand.
Government

Senators Propose Bill Targeting Websites That Facilitate Sex Trafficking (usatoday.com) 187

An anonymous reader quotes a report from USA Today: A bipartisan group of lawmakers introduced legislation Tuesday that aims to make it easier to sue and criminally prosecute operators of online classified sites like Backpage.com that have been used to advertise sex workers. The proposed bill would amend the Communications Decency Act to eliminate a provision that shields operators of websites from being liable for content posted by third-party users. In addition to removing liability protections for websites that facilitate "unlawful sex acts with sex trafficking victims," lawmakers are seeking to amend the CDA to allow state prosecutors -- not just federal law enforcement -- to take action against individuals and businesses that use websites to violate federal sex trafficking laws. "For too long, courts around the country have ruled that Backpage can continue to facilitate illegal sex trafficking online with no repercussions," said Sen. Rob Portman, R-Ohio. "The Communications Decency Act is a well-intentioned law, but it was never intended to help protect sex traffickers who prey on the most innocent and vulnerable among us. This bipartisan, narrowly crafted bill will help protect vulnerable women and young girls from these horrific crimes."
Government

US Senators To Introduce Bill To Secure 'Internet of Things' (reuters.com) 138

Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.
Government

White House Officials Tricked By Email Prankster (cnn.com) 131

Jake Tapper, reporting for CNN: A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited. "Tom, we are arranging a bit of a soiree towards the end of August," the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. "It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening." Bossert wrote back: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted). Bossert did not respond to CNN's request for comment; the email prankster said he was surprised Bossert responded given his expertise. The emails were shared with CNN by the email prankster. White House officials acknowledged the incidents and said they were taking the matter seriously. "We take all cyber related issues very seriously and are looking into these incidents further," White House press secretary Sarah Huckabee Sanders told CNN.
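The incident above is the textbook "display-name impersonation": a free webmail account whose From display name reads like a colleague, sent to an official who replies without looking past the name. As an added example (not part of the CNN report), the check below flags the three header mismatches a mail gateway or mailbox rule should catch before a reply goes out: a protected person's display name paired with an external address, a Reply-To that diverts answers elsewhere, and a From address claiming the internal domain while the Return-Path is external. The domain `example.gov`, the protected-name list and the sample messages are all constructed placeholders, not the real addresses or e-mails.

```python
"""Flag e-mail whose From header impersonates an internal official.

Added example, not code from the CNN report or the White House. The
organisation's domain, the protected names and the sample messages below are
constructed placeholders.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions: the organisation's own mail domain(s) and the names an
# impersonator is most likely to borrow. A real deployment pulls both from
# the directory rather than hard-coding them.
INTERNAL_DOMAINS = {"example.gov"}
PROTECTED_NAMES = {"jared kushner", "tom bossert"}


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jared  Kushner' still matches."""
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. A protected person's display name on an address outside our domains.
    if _norm(from_name) in PROTECTED_NAMES and from_domain not in INTERNAL_DOMAINS:
        findings.append(
            f"display name '{from_name}' used with external address {from_addr}"
        )

    # 2. Reply-To differs from From: replies (and anything personal in them,
    #    such as a private e-mail address) go somewhere other than the sender.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and reply_addr.lower() != from_addr.lower():
            findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. From claims our domain but the envelope sender (Return-Path, stamped
    #    by the receiving MTA) is external: the From header was forged.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if (from_domain in INTERNAL_DOMAINS and return_path
            and _domain(return_path) not in INTERNAL_DOMAINS):
        findings.append(f"From claims {from_domain} but Return-Path is {return_path}")
    return findings


# Constructed sample messages (not the real prank e-mails).
PRANK = """\
From: Jared Kushner <jared.kushner.official@outlook.com>
To: Tom Bossert <tom.bossert@example.gov>
Subject: Soiree

Tom, we are arranging a bit of a soiree towards the end of August.
"""

SPOOFED = """\
From: Jared Kushner <jared.kushner@example.gov>
Return-Path: <bounce@mailer.example.net>
Reply-To: <jk.private@outlook.com>
To: Tom Bossert <tom.bossert@example.gov>
Subject: Soiree

Same lure, forged From header.
"""

LEGIT = """\
From: Jared Kushner <jared.kushner@example.gov>
Return-Path: <jared.kushner@example.gov>
To: Tom Bossert <tom.bossert@example.gov>
Subject: Schedule

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("prank", PRANK), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_findings(raw) or "no findings")
```

Check 1 is the one that would have caught the prank as described: the name matched a colleague, the address did not. Checks 2 and 3 need no protected-name list at all and are worth running on every inbound message; SPF/DKIM/DMARC results, where the gateway records them, are the stronger version of check 3.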
Android

Amazon Suspends Sales of Blu Android Phones Due To Privacy Concerns (cnet.com) 66

CNET reports: Amazon just put budget phone maker Blu in the penalty box. The online retailing giant told CNET that it was suspending sales of phones from Blu, known for making ultra-cheap Android handsets, due to a "potential security issue." The move comes after security firm Kryptowire demonstrated last week how software in Blu's phones collected data and sent it to servers in China without alerting people. Blu defended the software, created by a Chinese company called Shanghai Adups Technology, and denied any wrongdoing. A company spokeswoman said at the time it "has several policies in place which take customer privacy and security seriously." She added there had been no breaches. Blu said it was in a process of review to reinstate the phones at Amazon.
Google

Privacy Watchdog Asks FTC To Look Into Google's Offline Shopping Tracker (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: A privacy advocacy group has filed a formal legal complaint with the Federal Trade Commission, asking the agency to begin an investigation "into Google's in-store tracking algorithm to determine whether it adequately protects the privacy of millions of American consumers." In the Monday filing, the Electronic Privacy Information Center (EPIC) said it is concerned with Google's new Store Sales Management program, which debuted in May. The system allows the company to extend its online tracking capabilities into the physical world. The idea is to combine credit card and other financial data acquired from data brokers to create a singular profile as a way to illustrate to companies what goods and services are being searched for online, which result in actual in-person sales. Because the algorithm that Google uses is secret, EPIC says, there is no way to determine how well Google's claimed anonymization feature -- to mask names, credit card numbers, location, and other potentially private data -- actually works. While Google has been cagey about exactly how it does this, the company has previously revealed that the technique is based on CryptDB.
Electronic Frontier Foundation

HP Patents 'Reminder Messages' (eff.org) 68

Daniel Nazer reports via the Electronic Frontier Foundation: On July 25, 2017, the Patent Office issued a patent to HP on reminder messages. Someone needs to remind the Patent Office to look at the real world before issuing patents. United States Patent No. 9,715,680 (the '680 patent) is titled "Reminder messages." While the patent application does suggest some minor tweaks to standard automated reminders, none of these supposed additions deserve patent protection. Although the patent's claim language is somewhat obscure (terms like "non-transitory computer-readable storage medium" and "article data"), it describes a quite mundane process. The "article data" is simply additional information associated with an event. For example, "buy a cake" might be included with a birthday reminder. The patent also requires that this extra information be input via a "scanning operation" (e.g. scanning a QR code). The '680 patent comes from an application filed in July 2012. It is supposed to represent a non-obvious advance on technology that existed before that date. Of course, reminder messages were standard many years before the application was filed. And just a few minutes of research reveals that QR codes were already used to encode information for reminder messages. The Patent Office reviewed HP's application for years without ever considering any real-world products. Indeed, the examiner considered only patents and patent applications.
Social Networks

Iranians Use 'Cute Photographer' Profile To Hack Targets In Middle East (securityledger.com) 39

chicksdaddy shares a report from The Security Ledger: Hackers working on behalf of the government of Iran are using alluring social media profiles featuring a young, English photographer to entice and then compromise the systems of high-value targets in the oil and gas industry, according to a report by Dell Secureworks. In a report released on Thursday, Secureworks' Counter Threat Unit (CTU) said that it observed an extensive phishing campaign beginning in January and February 2017 that used a polished social media profile of a young, English woman using the name "Mia Ash" to conduct highly targeted spear-phishing and social engineering attacks against employees of Middle Eastern and North African firms in industries like telecommunications, government, defense, oil and financial services. The attacks are the work of an advanced persistent threat group dubbed COBALT GYPSY or "Oil Rig" that has been linked to other sophisticated attacks. The attacks, which spread across platforms including LinkedIn and Facebook, as well as email, were highly successful. In some cases, the attacks lasted months -- and long after the compromise of the employee -- with the targets engaged in a flirtation with a woman they believed was a young, attractive female photographer. The Mia Ash persona is a fake identity based loosely on a real person -- a Romanian photographer and student who has posted her work prolifically online. According to a report by Security Ledger, the persona was created specifically with the goal of performing reconnaissance on and establishing relationships with employees of targeted organizations. Victims were targeted with the PupyRAT Trojan, an open source, cross-platform remote access trojan (RAT) used to take control of a victim's system and harvest credentials like logins and passwords from victims, and lured with malware-laden documents such as "photography surveys" (really?). One target was even instructed to make sure to open the document from work because it will "work better," Secureworks said.
Government

FCC Says Its Specific Plan To Stop DDoS Attacks Must Remain Secret (arstechnica.com) 88

An anonymous reader quotes a report from Ars Technica: FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter last month that it was researching "additional solutions" to protect the comment system. Democratic Leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return.

"Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC's IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs." The CIO's answers to lawmakers' questions were sent along with a letter from Pai to Reps. Frank Pallone, Jr. (D-N.J.), Elijah Cummings (D-Md.), Mike Doyle (D-Penn.), DeGette (D-Colo.), Robin Kelly (D-Ill.), and Gerald Connolly (D-Va.). The letter is dated July 21, and it was posted to the FCC's website on July 28.

Businesses

LinkedIn Says It's Illegal To Scrape Its Website Without Permission (arstechnica.com) 167

A small company called hiQ is locked in a high-stakes battle over web scraping with LinkedIn. It's a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the web. From a report: HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA. James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company. "Lots of businesses are built on connecting data from a lot of sources," Grimmelmann said. He argued that scraping is a key way that companies bootstrap themselves into "having the scale to do something interesting with that data." [...] But the law may be on the side of LinkedIn -- especially in Northern California, where the case is being heard. In a 2016 ruling, the 9th Circuit Court of Appeals, which has jurisdiction over California, found that a startup called Power Ventures had violated the CFAA when it continued accessing Facebook's servers despite a cease-and-desist letter from Facebook.
Privacy

Hackers Break Into HBO's Networks, May Have Leaked 'Game of Thrones' Script (variety.com) 82

An anonymous reader shares a report: Hackers have broken into the networks of HBO and reportedly leaked unreleased episodes of a number of shows, as well as the script for next week's "Game of Thrones" episode. Altogether, they have reportedly obtained a total of 1.5 terabytes of data. HBO confirmed the intrusion in a statement sent to Variety: "HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information. We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold."
The Internet

It Is Easy To Expose Users' Secret Web Habits, Say Researchers (bbc.com) 95

An anonymous reader shares a BBC report: Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician. The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather "clickstreams." These are detailed records of everywhere that people go online. The researchers argue such data -- which some firms scoop up and use to target ads -- should be protected. The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals. People's browsing history is often used to tailor marketing campaigns. The results of the research by Svea Eckert and Andreas Dewes were revealed at the Def Con hacking conference in Las Vegas this weekend. The pair found that 95% of the data they obtained came from 10 popular browser extensions. "What these companies are doing is illegal in Europe but they do not care," said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.
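The report says the clickstream data "is supposed to be anonymised" but "could easily be tied to individuals" without saying how. As an added example (not the researchers' code, and the linking signals are this page's assumptions about how such data leaks identity, not a description of their method), the block below re-identifies pseudonymous visitor IDs in a constructed clickstream in two ways: URLs that only the account owner can reach and that embed the account name (a profile-analytics or settings page), and visits to a site's "compose" page that line up with that account's publicly timestamped posts. Hosts such as `social.example` and all rows and post times are constructed placeholders.

```python
"""Re-identifying "anonymised" clickstream records.

Added example, not code from Eckert and Dewes. Rows are
(pseudonymous visitor id, unix timestamp, URL), the shape a clickstream
vendor might sell. Hosts, paths, visitors and post times are constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# (host, path regex whose one capture group is the account name). Assumption:
# these pages are only ever loaded by the account's owner. Placeholder hosts.
SELF_IDENTIFYING = [
    ("social.example", re.compile(r"^/analytics/([A-Za-z0-9_]+)/?$")),
    ("social.example", re.compile(r"^/settings/([A-Za-z0-9_]+)/privacy$")),
    ("files.example", re.compile(r"^/home/([A-Za-z0-9_.-]+)/?$")),
]


def identities_from_url(url: str) -> set[tuple[str, str]]:
    """Return {(host, account)} for URLs that betray the visitor's own account."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    found = set()
    for pattern_host, pattern in SELF_IDENTIFYING:
        if host == pattern_host:
            match = pattern.match(parsed.path)
            if match:
                found.add((host, match.group(1)))
    return found


def link_by_url(rows) -> dict:
    """Map each pseudonym to the (host, account) pairs its own URLs revealed."""
    linked = defaultdict(set)
    for visitor, _ts, url in rows:
        linked[visitor] |= identities_from_url(url)
    return dict(linked)


def link_by_timing(rows, public_posts, compose_url, window=120, min_hits=2) -> dict:
    """Link pseudonyms to accounts whose public posts follow compose-page visits.

    public_posts: list of (account, unix timestamp) scraped from public pages.
    A pseudonym is linked to an account once at least `min_hits` posts appear
    within `window` seconds after that pseudonym loaded the compose page.
    """
    compose_times = defaultdict(list)
    for visitor, ts, url in rows:
        if url == compose_url:
            compose_times[visitor].append(ts)
    hits = Counter()
    for visitor, times in compose_times.items():
        for account, post_ts in public_posts:
            if any(0 <= post_ts - t <= window for t in times):
                hits[(visitor, account)] += 1
    return {visitor: account for (visitor, account), n in hits.items() if n >= min_hits}


# Constructed clickstream: three pseudonymous visitors (v1..v3).
SAMPLE_ROWS = [
    ("v1", 1000, "https://social.example/analytics/judge_j"),
    ("v1", 1010, "https://news.example/court-ruling"),
    ("v2", 2000, "https://social.example/compose"),
    ("v2", 2300, "https://social.example/compose"),
    ("v2", 2400, "https://files.example/home/m.politician"),
    ("v3", 3000, "https://news.example/sports"),
    ("v3", 3005, "https://social.example/compose"),
]
# Constructed public post timestamps for two accounts.
SAMPLE_POSTS = [("m_politician", 2060), ("m_politician", 2350), ("someone_else", 3500)]

if __name__ == "__main__":
    print("by URL:   ", link_by_url(SAMPLE_ROWS))
    print("by timing:", link_by_timing(SAMPLE_ROWS, SAMPLE_POSTS,
                                        "https://social.example/compose"))
```

Once one row names the person, every other row under the same pseudonym (the news sites, the health queries, the porn) is theirs too, which is why stripping names and e-mail addresses from a clickstream does not make it anonymous. The `min_hits` threshold in the timing link matters: a single coincidence within the window links nobody, and the right threshold depends on how often the site's users post.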
Privacy

Russia Bans VPNs To Stop Users From Looking at Censored Sites (cnn.com) 119

Russia is cracking down on software that allows users to view internet sites banned by the government. From a report: President Vladimir Putin has signed a bill that prohibits services, including virtual private networks (VPNs), that enable users to skirt government censorship efforts. The law will take effect on November 1. Russian internet regulator Roskomnadzor maintains a blacklist of thousands of websites. Leonid Levin, chairman of a parliamentary committee on information policy and communications, said the law signed by Putin does not "introduce any new restrictions and especially no censorship." "My colleagues only included the restriction of access to information that is already forbidden by law or a court decision," he told state news agency RIA Novosti earlier this month.
Facebook

Facebook Funds 'Defending Digital Democracy' Initiative At Harvard (diginomica.com) 90

An anonymous reader quotes Diginomica: A fresh initiative aimed at information sharing about election threats and dubbed Defending Digital Democracy has the financial support of Facebook and the academic muscle of Harvard behind it. Will the project succeed where similar initiatives have failed...? On 19 July and backed by a $500,000 initial grant from Facebook, the Belfer Center for Science and International Affairs at Harvard Kennedy School launched a new, bipartisan initiative called the Defending Digital Democracy Project. The project will be co-led by Robby Mook, Democrat Hillary Clinton's 2016 presidential campaign manager, and Matt Rhoades, Republican Mitt Romney's 2012 campaign manager. The hope is that creating a unique and bipartisan team comprised of top-notch political operatives and leaders in the cyber and national security world, the project will be able to to identify and recommend strategies, tools, and technology to protect democratic processes and systems from cyber and information attacks.
The group will also assess new technologies (including blockchain) to secure elections, and wants to create an information sharing infrastructure modeled "on similar efforts within the tech industry to share tech intelligence." The article says Facebook's chief security officer "hopes that election officials who are wary of cooperating with the federal government will be more receptive to working with an independent group tied to Harvard and the tech industry," and the group also includes Google's director for Information Security and Privacy.

"Facebook plans to host state and local election officials at its D.C. office later this year to discuss the information sharing organization, and launch the organization in early 2018."
The Internet

O'Reilly Media Asks: Is It Time To Build A New Internet? (oreilly.com) 305

An anonymous reader shares an article from O'Reilly Media's VP of content strategy: It's high time to build the internet that we wanted all along: a network designed to respect privacy, a network designed to be secure, and a network designed to impose reasonable controls on behavior. And a network with few barriers to entry -- in particular, the certainty of ISP extortion as new services pay to get into the "fast lane." Is it time to start over from scratch, with new protocols that were designed with security, privacy, and maybe even accountability in mind? Is it time to pull the plug on the abusive old internet, with its entrenched monopolistic carriers, its pervasive advertising, and its spam? Could we start over again?

That would be painful, but not impossible... In his deliciously weird novel Someone Comes To Town, Someone Leaves Town, Cory Doctorow writes about an alternative network built from open WiFi access points. It sounds similar to Google's Project Fi, but built and maintained by a hacker underground. Could Doctorow's vision be our future backboneless backbone? A network of completely distributed municipal networks, with long haul segments over some public network, but with low-level protocols designed for security? We'd have to invent some new technology to build that new network, but that's already started.

The article cites the increasing popularity of peer-to-peer functionality everywhere from Bitcoin and Blockchain to the Beaker browser, the Federated Wiki, and even proposals for new file-sharing protocols like IPFS and Upspin. "Can we build a network that can't be monopolized by monopolists? Yes, we can..."

"It's time to build the network we want, and not just curse the network we have."
Stats

Should The Government Fix Slow Internet Access? (fivethirtyeight.com) 315

An anonymous reader quotes a story from Nate Silver's FiveThirtyEight site about "the worst internet in America": FiveThirtyEight analyzed every county's broadband usage using data from researchers at the University of Iowa and Arizona State University and found that Saguache, Colorado was at the bottom. Only 5.6 percent of adults were estimated to have broadband... It has some of the worst internet in the country. That's in part because of the mountains and the isolation they bring... Its population of 6,300 is spread across 3,169 square miles 7,800 feet above sea level, but on land that is mostly flat, so you can almost see the full scope of two mountain ranges as you drive the county's highway...

But Saguache isn't alone in lacking broadband. According to the Federal Communications Commission, 39 percent of rural Americans -- 23 million people -- don't have access. In Pew surveys, those who live in rural areas were about twice as likely not to use the internet as urban or suburban Americans.

In Saguache County download speeds of 12 Mbps (with an upload speed of 2 Mbps) cost $90 a month, and the article points out that when it comes to providing broadband, "small companies and cooperatives are going it more or less alone, without much help yet from the federal government." But that raises an inevitable question. Should the federal government be subsidizing rural internet access?
Cellphones

Honolulu Targets 'Smartphone Zombies' With Crosswalk Ban (reuters.com) 170

Templer421 shares news from Reuters: A ban on pedestrians looking at mobile phones or texting while crossing the street will take effect in Hawaii's largest city in late October, as Honolulu becomes the first major U.S. city to pass legislation aimed at reducing injuries and deaths from "distracted walking." The ban comes as cities around the world grapple with how to protect phone-obsessed "smartphone zombies" from injuring themselves by stepping into traffic or running into stationary objects. Starting Oct. 25, Honolulu pedestrians can be fined between $15 and $99, depending on the number of times police catch them looking at a phone or tablet device as they cross the street, Mayor Kirk Caldwell told reporters gathered near one of the city's busiest downtown intersections on Thursday... People making calls for emergency services are exempt from the ban... Opponents of the Honolulu law argued it infringes on personal freedom and amounts to government overreach.
Meanwhile, the city of London has tried putting pads on their lamp posts "to soften the blow for distracted walkers."
Google

Will 'Smart Cities' Violate Our Privacy? (computerworld.com) 108

An anonymous reader quotes Computerworld's article on the implications of New York City's plan to blanket the city with "smart" kiosks offering ultrafast Wi-Fi. The existence of smart-city implementations like Intersection's LinkNYC means that New Yorkers won't actually need mobile contracts anymore. Most who would otherwise pay for them will no doubt continue to do so for the convenience. But those who could not afford a phone contract in the past will have ubiquitous fast connectivity in the future. This strongly erodes the digital divide within smart cities. A 2015 study conducted by New York City found that more than a quarter of city households had no internet connectivity at home, and more than half a million people didn't own their own computer...

Over the next 15 years, the city will go through the other two phases, where sensor data will be processed by artificial intelligence to gain unprecedented insights about traffic, environment and human behavior and eventually use it to intelligently re-direct traffic and shape other city functions... And as autonomous cars gradually roll out, New York will be well positioned to be one of the first cities to legalize them, because they'll be safer thanks to 5G, sensors and data from all those kiosks.

Intersection, a Google-backed startup, has already installed 1,000 of the kiosks in New York, and is planning to install 7,000 more. The sides of the kiosk have screens which show alerts and other public information -- as well as advertisements, which cover all the costs of the installations and even bring extra money into the city coffers.

New York's move "puts pressure on other U.S. cities to follow suit," the article also points out, adding that privacy policies "are negotiated agreements between the company and the city. So if a city wants to use those cameras and sensors for surveillance, it can."
Security

US Voting Machines Cracked In 90 Minutes At DEFCON (thehill.com) 171

An anonymous reader quotes The Hill: Hackers at a competition in Las Vegas were able to successfully breach the software of U.S. voting machines in just 90 minutes on Friday, illuminating glaring security deficiencies in America's election infrastructure. Tech minds at the annual "DEF CON" in Las Vegas were given physical voting machines and remote access, with the instructions of gaining access to the software. According to a Register report, within minutes, hackers exposed glaring physical and software vulnerabilities across multiple U.S. voting machine companies' products. Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP.
Though some of the machines were out of date, they were all from "major U.S. voting machine companies" like Diebold Nixdorf, Sequoia Voting Systems, and WinVote -- and were purchased on eBay or at government auctions. One of the machines apparently still had voter registration data stored in plain text in an SQLite database from a 2008 election, according to the event's official Twitter feed.

By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."