Government

Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE's National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation's critical energy infrastructure, including the electric grid and oil and natural gas infrastructure. The electricity system must continue to evolve to address a variety of challenges and opportunities such as severe weather and the cyber threat, a changing mix of types of electric generation, the ability for consumers to participate in electricity markets, the growth of the Internet of Things, and the aging of the electricity infrastructure. The seven Resilient Distribution Systems projects awarded through DOE's Grid Modernization Laboratory Consortium (GMLC) will develop and validate innovative approaches to enhance the resilience of distribution systems -- including microgrids -- with high penetration of clean distributed energy resources (DER) and emerging grid technologies at regional scale. The project results are expected to deliver credible information on technical and economic viability of the solutions. The projects will also demonstrate viability to key stakeholders who are ultimately responsible for approving and investing in grid modernization activities. In addition, the Department of Energy "is also announcing 20 cybersecurity projects that will enhance the reliability and resilience of the Nation's electric grid and oil and natural gas infrastructure through innovative, scalable, and cost-effective research and development of cybersecurity solutions."
Microsoft

Researchers Catch Microsoft Zero-Day Used To Install Government Spyware (vice.com)

An anonymous reader quotes a report from Motherboard: Government hackers were using a previously-unknown vulnerability in Microsoft's .NET Framework, a development platform for building apps, to hack targets and infect them with spyware, according to security firm FireEye. The firm revealed the espionage campaign on Tuesday, on the same day Microsoft patched the vulnerability. According to FireEye, the bug, which until today was a zero-day, was being used by a customer of FinFisher, a company that sells surveillance and hacking technologies to governments around the world. The hackers sent a malicious Word RTF document to a "Russian speaker," according to Ben Read, FireEye's manager of cyber espionage research. The document was programmed to take advantage of the recently-patched vulnerability to install FinSpy, spyware designed by FinFisher. The spyware masqueraded as an image file called "left.jpg," according to FireEye.
Communications

The Only Safe Email is Text-Only Email (theconversation.com)

Sergey Bratus, Research Associate Professor of Computer Science, Dartmouth College, and Anna Shubina, Post-doctoral Associate in Computer Science, Dartmouth College write: The real issue is that today's web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It's not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way. Simply put, safe email is plain-text email -- showing only the plain words of the message exactly as they arrived, without embedded links or images. Webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), but carries with it unnecessary -- and serious -- danger, because a webpage (or an email) can easily show one thing but do another. Returning email to its origins in plain text may seem radical, but it provides radically better security. Even the federal government's top cybersecurity experts have come to the startling, but important, conclusion that any person, organization or government serious about web security should return to plain-text email (PDF).
The Almighty Buck

Chatbot Lets You Sue Equifax For Up To $25,000 Without a Lawyer (theverge.com)

Shannon Liao reports via The Verge: If you're one of the millions affected by the Equifax breach, a chatbot can now help you sue Equifax in small claims court, potentially letting you avoid hiring a lawyer for advice. Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range from $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee. The bot, which launched in all 50 states in July, is mainly known for helping with parking tickets. But with this new update, its creator, Joshua Browder, who was one of the 143 million affected by the breach, is tackling a much bigger target, with larger aspirations to match. He says, "I hope that my product will replace lawyers, and, with enough success, bankrupt Equifax."

Not that the bot helps you do anything you can't already do yourself, which is filling out a bunch of forms -- you still have to serve them yourself. Unfortunately, the chatbot can't show up in court a few weeks later to argue your case for you either. To add to the headache, small claims court rules differ from state to state. For instance, in California, a person needs to demand payment from Equifax or explain why they haven't demanded payment before filing the form.

Encryption

Virginia Scraps Electronic Voting Machines Hackers Destroyed At DefCon (theregister.co.uk)

Following the DefCon demonstration in July that showed how quickly Direct Recording Electronic voting equipment could be hacked, Virginia's State Board of Elections has decided it wants to replace their electronic voting machines in time for the gubernatorial election due on November 7th, 2017. According to The Register, "The decision was announced in the minutes of the Board's September 8th meeting: 'The Department of Elections officially recommends that the State Board of Elections decertify all Direct Recording Electronic (DRE or touchscreen) voting equipment.'" From the report: With the DefCon bods showing some machines shared a single hard-coded password, Virginia directed the Virginia Information Technology Agency (VITA) to audit the machines in use in the state (the Accuvote TSX, the Patriot, and the AVC Advantage). None passed the test. VITA told the board "each device analyzed exhibited material risks to the integrity or availability of the election process," and the lack of a paper audit trail posed a significant risk of lost votes. Local outlet The News Leader notes that many precincts had either replaced their machines already, or are in the process of doing so. The election board's decision will force a change-over on the 140 precincts that haven't replaced their machines, covering 190,000 of Virginia's ~8.4m population.
Chrome

Google Details Plan To Distrust Symantec Certificates (tomshardware.com)

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.
Government

ShadowBrokers Releases NSA UNITEDRAKE Manual That Targets Windows Machines (schneier.com)

AmiMoJo shares a report from Schneier on Security: The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines: "Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information. UNITEDRAKE, described as a 'fully extensible remote collection system designed for Windows targets,' also gives operators the opportunity to take complete control of a device. The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, the impersonation of users, stealing diagnostics information and self-destructing once tasks are completed."
Google

Google Accused of Trying To Patent Public Domain Technology (bleepingcomputer.com)

An anonymous reader shares a report: A Polish academic is accusing Google of trying to patent technology he invented and that he purposely released into the public domain so companies like Google couldn't trap it inside restrictive licenses. The technology's name is Asymmetric Numeral Systems (ANS), a family of entropy coding methods that Polish assistant professor Jarosław (Jarek) Duda developed in the early 2000s, and which is now hot tech at companies like Apple, Google, and Facebook, mostly because it can improve data compression from 3 to 30 times. Duda says that Google is now trying to register a patent that includes most of the ANS basic principles. Ironically, Duda said he had explained most of the technology described in the patent to Google engineers in a Google Groups discussion in 2014. The researcher already filed a complaint, to which WIPO ISA responded by calling out Google for not coming up with "an inventive contribution over the prior art, because it is no more than a straightforward application of known coding algorithms." A Google spokesperson refused to comment, and the mystery remains surrounding Google's decision to patent something that has been in the public domain since 2014.
Government

Government Officials Begin Investigating Equifax Breach (thehill.com)

An anonymous reader quotes the Hill: The massive breach of credit rating firm Equifax is attracting scrutiny from government officials across the country. Lawmakers from both parties have expressed concern over the hack, which could have left the sensitive personal information of as many as 143 million people vulnerable. The New York, Pennsylvania and Illinois attorneys general have announced formal investigations into the hack...

The Senate Commerce Committee announced on Thursday that it sent a letter to Equifax seeking answers about the extent of the breach and what Equifax is doing to mitigate its impact. In the House, Financial Services Committee Chairman Jeb Hensarling (R-Texas) said that his committee would hold a hearing on the hacks at a to-be-determined date. Hensarling noted in a statement that such breaches are becoming "too common" and that consumers "deserve answers." House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) said that his committee would hold a separate hearing on the matter as well.

Security

Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com)

Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
AI

America's Data-Swamped Spy Agencies Pin Their Hopes On AI (phys.org)

An anonymous reader quotes Phys.org: Swamped by too much raw intel data to sift through, US spy agencies are pinning their hopes on artificial intelligence to crunch billions of digital bits and understand events around the world. Dawn Meyerriecks, the Central Intelligence Agency's deputy director for technology development, said this week the CIA currently has 137 different AI projects, many of them with developers in Silicon Valley. These range from trying to predict significant future events, by finding correlations in data shifts and other evidence, to having computers tag objects or individuals in video that can draw the attention of intelligence analysts. Officials of other key spy agencies at the Intelligence and National Security Summit in Washington this week, including military intelligence, also said they were seeking AI-based solutions for turning terabytes of digital data coming in daily into trustworthy intelligence that can be used for policy and battlefield action.
EU

Four EU Countries Seek Higher Taxes On Google and Amazon (reuters.com)

An anonymous reader quotes Reuters: France, Germany, Italy and Spain want digital multinationals like Amazon and Google to be taxed in Europe based on their revenues, rather than only profits as now, their finance ministers said in a joint letter. France is leading a push to clamp down on the taxation of such companies, but has found support from other countries also frustrated at the low tax they receive under current international rules. Currently such companies are often taxed on profits booked by subsidiaries in low-tax countries like Ireland even though the revenue originated from other EU countries. "We should no longer accept that these companies do business in Europe while paying minimal amounts of tax to our treasuries," the four ministers wrote in a letter seen by Reuters.
The Courts

Should British Hacker Lauri Love Be Tried In America? (theguardian.com)

A 31-year-old autistic man in the U.K. is suspected of hacking U.S. government computer systems in 2013 -- and he has one final chance to appeal his extradition. An anonymous reader quotes the Guardian: Even if Love is guilty, however, there are important legal and moral questions about whether he should be extradited to the US -- a nation that has prosecuted hackers with unrivalled severity, and one where Love could be sentenced to spend the rest of his life in prison... His remaining hope for mercy is a final appeal against extradition in the high court in November. Love's hope is for a full and fair trial in Britain.

Even if he is found guilty in a British court of the most serious crimes in the US government's indictment, his legal team estimate that he faces just a few months in prison. Failure means Love will be flown to a holding facility in New York, placed on suicide watch and probably forced to take antidepressants, prior to a trial. If he refuses to accept a plea deal and is convicted, he will face $9m (£6.8m) in fines and, experts estimate, a prison term of up to 99 years, a punishment illustrative of the US's aggressive sentencing against hackers under the controversial Computer Fraud and Abuse Act.

Naomi Colvin, from the human rights group the Courage Foundation, tells the Guardian that "Lauri's case is critically important in determining the reach of America's unusually harsh punitive sanctions for computer crimes."
Privacy

TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results (techcrunch.com)

An anonymous reader quotes security researcher Brian Krebs: The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach -- equifaxsecurity2017.com -- is completely broken at best, and little more than a stalling tactic or sham at worst. In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."
The Courts

The Teen Malware Career Of Marcus Hutchins (itwire.com)

Slashdot reader troublemaker_23 writes, "A number of security researchers have dismissed an article by reporter Brian Krebs about Marcus Hutchins, the Briton who is awaiting trial in the US on charges of writing and distributing the Kronos banking malware, by pointing out that it has nothing to do with the case." An anonymous reader writes: Krebs investigated dozens of hacker forum pseudonyms, concluding "The clues suggest that Hutchins began developing and selling malware in his mid-teens -- only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror." Krebs believes 15-year-old Hutchins registered a domain he'd later advertise as "mainly for blackhats wanting to phish," and in 2010 may have filmed YouTube videos about password-stealing malware. Krebs says the early activities are "fairly small-time -- and hardly rise to the level of coding from scratch a complex banking trojan and selling it to cybercriminals," though he believes Hutchins moved on to advertising exploit kits, password-stealers, and bot rentals.

Krebs also talked to 27-year-old Brendan Johnston, a friend of Hutchins who did time in prison in 2014 for selling Trojans, who "said his old friend sincerely tried to turn things around in late 2012... 'I feel like I know Marcus better than most people do online, and when I heard about the accusations I was completely shocked. He tried for such a long time to steer me down a straight and narrow path that seeing this tied to him didn't make sense to me at all.'" Krebs stresses that Hutchins didn't try to hide the fact that he'd written malware, "which in the United States at least is a form of protected speech." And his essay concludes, "Let me be clear: I have no information to support the claim that Hutchins authored or sold the Kronos banking trojan."

Symantec's former cybersecurity czar Tarah Wheeler has now set up a new legal fund after it was discovered that most of the online donations to Hutchins' previous defense fund came from stolen or fake credit card numbers. Hutchins returns to court in October, and the new fund has already received more than $16,000 in donations from more than 200 contributors.
Canada

Kodi Is Fighting Trademark Trolls (betanews.com)

On Friday the makers of the open source media player Kodi called out trademark trolls who they say have "attempted to register the Kodi name in various countries outside the United States with the goal of earning money off the Kodi name without doing any work beyond sending threatening letters." BrianFagioli shares an article in which BetaNews quotes Kodi community and project manager Nathan Betzen: "At least one trademark troll has so far not agreed to voluntarily release their grasp on their registration of our trademark and is actively blackmailing hardware vendors in an entire country, trying to become as rich as possible off of our backs and the backs of Kodi volunteers everywhere. His name is Geoff Gavora. He had written several letters to the Foundation over the years, expressing how important XBMC and Kodi were to him and his sales. And then, one day, for whatever reason, he decided to register the Kodi trademark in his home country of Canada. We had hoped, given the positive nature of his past emails, that perhaps he was doing this for the benefit of the Foundation. We learned, unfortunately, that this was not the case," says Nathan Betzen, Kodi Project Manager.

"Instead, companies like Mygica and our sponsor Minix have been delisted by Gavora on Amazon, so that only Gavora's hardware can be sold, unless those companies pay him a fee to stay on the store. Now, if you do a search for Kodi on Amazon.ca, there's a very real chance that every box you see is giving Gavora money to advertise that they can run what should be the entirely free and open Kodi. Gavora and his company are behaving in true trademark troll fashion."

Government

Should Congress Force Social Media To Investigate Foreign Propaganda Trolls? (politico.com)

"I fought foreign propaganda for the FBI," writes a former special agent from its Counterintelligence Division. Now an associate dean at Yale Law School, he's warning that "the tools we had won't work anymore." An anonymous reader quotes Politico: The bureau is now faced with huge private companies, like Facebook and Twitter, which are ostensibly neutral and have no professional or ethical obligation to vet the material they distribute. Further, foreign intelligence service propaganda agents are no longer human operatives on American soil -- they are invisible "trolls," often operating from a foreign country and behind social media accounts that make them impossible for the FBI to approach directly. Or, in the case of so-called bots -- software programs designed to simulate humans -- they might not even be people at all... [S]ocial media platforms can reach an almost limitless audience, often within days or hours, more or less for free: Russia's Facebook ads alone reached between 23 million and 70 million viewers.

Without any direct way to investigate and identify the source of the private accounts that generate this "fake news," there's literally nothing the FBI can do to stop a propaganda operation that can occur on such a massive scale... But Congress could pass legislation that requires social media companies to cooperate with counterintelligence in the same ways they do with law enforcement. For example, the Communications Assistance for Law Enforcement Act requires telecommunications companies to design their digital networks in such a way that would permit wiretaps for criminal cases. Similarly, requiring social media platforms to develop ways to vet and authenticate foreign users and proactively report potential bots to the FBI would enable the FBI to identify perception management operations as they are occurring. In addition to monitoring these specific FIS-based accounts, the FBI could publicly expose the source of particular accounts, ads or news...

"At this point, we have no choice: It's clear that our current counterintelligence strategy hasn't caught up to the age of asymmetrical information warfare," the former counterintelligence agent concludes. "Until it does, we'll be silently allowing our freedoms to be manipulated...."
Government

FDA Slams EpiPen Maker For Doing Nothing While Hundreds Failed, People Died (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The manufacturer of EpiPen devices failed to address known malfunctions in its epinephrine auto-injectors even as hundreds of customer complaints rolled in and failures were linked to deaths, according to the Food and Drug Administration. The damning allegations came to light today when the FDA posted a warning letter it sent September 5 to the manufacturer, Meridian Medical Technologies, Inc. The company (which is owned by Pfizer) produces EpiPens for Mylan, which owns the devices and is notorious for dramatically raising prices by more than 400 percent in recent years. The auto-injectors are designed to be used during life-threatening allergic reactions to provide a quick shot of epinephrine. If they fail to fire, people experiencing a reaction can die or suffer serious illnesses. According to the FDA, that's exactly what happened for hundreds of customers. In the letter, the agency wrote: "In fact, your own data show that you received hundreds of complaints that your EpiPen products failed to operate during life-threatening emergencies, including some situations in which patients subsequently died."

The agency goes on to lambast Meridian Medical for failing to investigate problems with the devices, recall bad batches, and follow up on problems found. For instance, a customer made a complaint in April 2016 that an EpiPen failed. When Meridian disassembled the device, it found a deformed component that led to the problem -- the exact same defect it had found in February when another unit failed.

Privacy

Ask Slashdot: What's a Practical Response To the Equifax Breach?

In response to the massive Equifax cybersecurity incident impacting approximately 143 million U.S. consumers -- making it possibly the worst leak of personal info ever -- Slashdot reader AdamStarks asks: What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
Software

Uber Faces FBI Probe Over Program Targeting Rival Lyft (wsj.com)

cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), Uber is under investigation by federal law-enforcement authorities for using a program called "Hell" to illegally interfere with the competition by creating fake Lyft accounts, initiating phony ride requests for Lyft drivers, and offering cash bonuses for drivers who drive for both services to leave Lyft. This is creating a new headache for incoming CEO Dara Khosrowshahi to deal with. From the report: "Federal law-enforcement authorities in New York are investigating whether Uber Technologies Inc. used software to interfere illegally with its competitors, according to people familiar with the investigation, adding to legal pressures facing the embattled ride-hailing company and its new chief executive. The investigation, led by the Federal Bureau of Investigation's New York office and the Manhattan U.S. attorney's office, is focused on a defunct Uber program, known internally as 'Hell,' that could track drivers working for rival service Lyft Inc., the people said. 'We are cooperating with the SDNY investigation,' said an Uber spokesman, referring to New York's Southern District. He declined to offer additional details. Uber has never publicly discussed the details of the program. But people familiar with the matter said 'Hell' worked like this: Uber created fake Lyft customer accounts, tricking Lyft's system into believing prospective customers were seeking rides in various locations around a city. That allowed Uber to see which Lyft drivers were nearby and what prices they were offering for various routes, similar to how such information appears when an authentic Lyft app is opened on a user's smartphone, these people said. The program was also used to glean data on drivers who worked for both companies, and whom Uber could target with cash incentives to get them to leave Lyft, said these people, who added that the program was discontinued last year."
Earth

UN Aviation Agency To Call For Global Drone Registry (reuters.com)

An anonymous reader quotes a report from Reuters: The United Nations' aviation agency is backing the creation of a single global drone registry, as part of broader efforts to come up with common rules for flying and tracking unmanned aircraft. While the International Civil Aviation Organization cannot impose regulations on countries, ICAO has proposed formation of the registry during a Montreal symposium this month to make data accessible in real time, said Stephen Creamer, director of ICAO's air navigation bureau. The single registry would eschew multiple databases in favor of a one-stop-shop that would allow law enforcement to remotely identify and track unmanned aircraft, along with their operator and owner. It's not yet clear who would operate such a database, although ICAO could possibly fill that role. The proposal, however, could face push back from users, after hobbyists successfully challenged the creation of a U.S. drone registry by the Federal Aviation Administration in court earlier this year.
Security

Mexican Tax Refund Site Left 400GB of Sensitive Customer Info Wide Open (theregister.co.uk)

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database. From a report: A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of sensitive information could be either downloaded or viewed because of a lack of access controls before the system was recently secured.
Government

Seoul Is Reinventing Itself As a Techno-Utopia (wired.com)

mirandakatz writes: Seoul is struggling: Its birth rate is at an all-time low, college graduates are having enormous trouble finding jobs, and trust in government is not high. But South Korea is also, in many ways, cutting edge -- and it wants to use that future-thinking power to build its capital into a techno-utopia. As Susan Crawford details at Backchannel, that begins with a powerful data analysis tool known as "The Digital Civic Mayor's Office." Crawford writes that "this dashboard seemed like a potential green shoot of democracy -- a city doing what it can to show citizens why government should be trusted and that their quality of life, including the quality of the air they breathe, the prices of the apples they eat, and the traffic jams they face daily, is important."
Privacy

Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com) 401

The breach Equifax reported Thursday is very possibly the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.
Bug

Bug In Windows Kernel Could Prevent Security Software From Identifying Malware (bleepingcomputer.com) 75

An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Bug technical details are available here.
Businesses

VR Company Upload Settles Sexual Harassment Lawsuit (techcrunch.com) 83

An anonymous reader quotes a report from TechCrunch: Upload, formerly UploadVR, the virtual reality startup at the center of a sexual harassment and wrongful termination lawsuit filed earlier this year, has settled the case with its former employee and is aiming to put the ensuing damage behind it. The lawsuit, filed against the startup and its co-founders by former director of digital and social media Elizabeth Scott, alleged that the company had sought to create a "boy's club" environment and described "rampant" sexual behavior in the office, allegations that co-founders Will Mason and Taylor Freeman denied as "entirely without merit." The lawsuit is now over, according to people familiar with the matter, and though the terms of the agreement were undisclosed, some in the virtual reality community feel that the company has dodged a bullet in reaching some conclusion over the litigation.

"The matter has been concluded," was Upload's official statement. Neither Scott, nor her legal counsel, responded to a request for comment for this story. Upload has also released the following statement around the conclusion of the legal case. "Our primary focus at Upload is education, which we believe is the key to growing the mixed reality ecosystem. We are deeply committed to creating an inclusive community to empower the pioneers building the future."

Security

Credit Reporting Firm Equifax Announces 'Cybersecurity Incident Impacting Approximately 143 Million US Consumers' (cnbc.com) 299

Equifax, which supplies credit information and other information services, said Thursday that a cybersecurity incident discovered on July 29 could have potentially affected 143 million consumers in the U.S. "The leaked data includes names, birth dates, social security numbers, addresses and potentially drivers licenses," reports CNBC. "209,000 U.S. credit card numbers were also obtained, in addition to 'certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.'"

Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident." Equifax is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities.

UPDATE (9/7/17): According to Bloomberg, "three Equifax senior executives sold shares worth almost $1.8 million" in the days after the company discovered the security breach. Regulatory filings show that three days after the breach was discovered on July 29th, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Meanwhile, "Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2."
The Courts

Judge Dismisses 'Inventor of Email' Lawsuit Against Techdirt (arstechnica.com) 127

A federal judge in Massachusetts has dismissed a libel lawsuit filed earlier this year against tech news website Techdirt. From a report: The claim was brought by Shiva Ayyadurai, who has controversially claimed that he invented e-mail in the late 1970s. Techdirt (and its founder and CEO, Mike Masnick) has been a longtime critic of Ayyadurai and institutions that have bought into his claims. "How The Guy Who Didn't Invent Email Got Memorialized In The Press & The Smithsonian As The Inventor Of Email," reads one Techdirt headline from 2012. One of Techdirt's commenters dubbed Ayyadurai a "liar" and a "charlatan," which partially fueled Ayyadurai's January 2017 libel lawsuit. In the Wednesday ruling, US District Judge F. Dennis Saylor found that because it is impossible to define precisely and specifically what e-mail is, Ayyadurai's "claim is incapable of being proved true or false."
EU

Intel's $1.3 Billion Fine In Europe Requires Review, Court Says (nytimes.com) 72

cdreimer writes: According to a report in The New York Times (Warning: source may be paywalled; alternative source), the Court of Justice in the European Union has ordered the lower courts to revisit the $1.3 billion anti-trust fine levied against Intel in 2009, giving hope to Google and other American technology firms to avoid being fined for being dominant in the EU markets. From the report: "The highest court in the European Union ordered on Wednesday that a $1.3 billion antitrust fine doled out against Intel nearly a decade ago be revisited, a ruling that could give hope to Google and other American technology giants facing challenges to their dominance in the region. The decision to send the case back to a lower court for re-examination is a blow to regional competition regulators, whose oversight of digital services has been among the world's most aggressive. It could also embolden American technology companies, which have long complained that antitrust officials in Europe target them unfairly, to challenge rulings and investigations against them. The move by the Court of Justice of the European Union raises the prospect that the 1.06 billion euro fine on Intel in 2009, equivalent to $1.26 billion at current exchange rates, could be reduced or scrapped entirely. The penalty -- at the time the largest of its kind -- was upheld by European courts in 2014 and will most likely be the subject of legal battles for years to come. That record fine was overtaken by a 2.4 billion euro penalty against Google in June. The Silicon Valley giant was accused of using its dominant position in online search to give preferential treatment to its internet shopping service over those of its rivals."
AI

Hackers Can Take Control of Siri and Alexa By Whispering To Them in Frequencies Humans Can't Hear (fastcodesign.com) 116

Chinese researchers have discovered a vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon's Alexa assistant. From a report: Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear. The researchers didn't just activate basic commands like "Hey Siri" or "Okay Google," though. They could also tell an iPhone to "call 1234567890" or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to "open the backdoor." Even an Audi Q3 could have its navigation system redirected to a new location. "Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user," the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.
United States

House Passes Bill To Speed Deployment of Self-driving Cars (go.com) 176

The House voted Wednesday to speed the introduction of self-driving cars by giving the federal government authority to exempt automakers from safety standards not applicable to the technology, and to permit deployment of up to 100,000 of the vehicles annually over the next several years. From a report: The bill was passed by a voice vote. State and local officials have said it usurps their authority by giving to the federal government sole authority to regulate the vehicles' design and performance. States would still decide whether to permit self-driving cars on their roads. Automakers have complained that a patchwork of laws states have passed in recent years would hamper deployment of the vehicles, which they see as the future of the industry. Self-driving cars are forecast to dramatically lower traffic fatalities once they are on roads in significant numbers, among other benefits. Early estimates indicate there were more than 40,000 traffic fatalities last year. The National Highway Traffic Safety Administration says 94 percent of crashes involve human error.
EU

EU Presidency Calls For Massive Internet Filtering, Leaked Document Shows (edri.org) 236

An anonymous reader shares a report: A Council of the European Union document leaked by Statewatch on 30 August reveals that during the summer months, Estonia (current EU Presidency) has been pushing the other Member States to strengthen indiscriminate internet surveillance, and to follow in the footsteps of China regarding online censorship. Standing firmly behind its belief that filtering the uploads is the way to go, the Presidency has worked hard in order to make the proposal for the new copyright Directive even more harmful than the Commission's original proposal, and pushing it further into the realms of illegality. According to the leaked document, the text suggests two options for each of the two most controversial proposals: the so-called "link tax" or ancillary copyright and the upload filter.
Piracy

Sci-Hub Faces $4.8 Million Piracy Damages and ISP Blocking (torrentfreak.com) 142

The American Chemical Society (ACS), a leading source of academic publications in the field of chemistry, accused Sci-Hub of mass copyright infringement and is demanding $4.8 million in piracy damages. "Sci-Hub was made aware of the legal proceedings but did not appear in court," reports Torrent Freak. "As a result, a default was entered against the site, and a few days ago ACS specified its demands, which include $4.8 million in piracy damages." The complaint comes soon after the pirate site was ordered to pay $15 million in piracy damages to academic publisher Elsevier. From the report: "Here, ACS seeks a judgment against Sci-Hub in the amount of $4,800,000 -- which is based on infringement of a representative sample of publications containing the ACS Copyrighted Works multiplied by the maximum statutory damages of $150,000 for each publication," they write. "Sci-Hub's unabashed flouting of U.S. Copyright laws merits a strong deterrent. This Court has awarded a copyright holder maximum statutory damages where the defendant's actions were 'clearly willful' and maximum damages were necessary to 'deter similar actors in the future.'" The publisher notes that the maximum statutory damages are only requested for 32 of its 9,000 registered works. This still adds up to a significant sum of money, of course, but that is needed as a deterrent, ACS claims.

Although the deterrent effect may sound plausible in most cases, another $4.8 million in debt is unlikely to worry Sci-Hub's owner, as she can't pay it off anyway. However, there's also a broad injunction on the table that may be more of a concern. The requested injunction prohibits Sci-Hub's owner from continuing her work on the site. In addition, it also bars a wide range of other service providers from assisting others to access it. Specifically, it restrains "any Internet search engines, web hosting and Internet service providers, domain name registrars, and domain name registries, to cease facilitating access to any or all domain names and websites through which Defendant Sci-Hub engages in unlawful access to [ACS's works]."

Bug

A Critical Apache Struts Security Flaw Makes It 'Easy' To Hack Fortune 100 Firms (zdnet.com) 42

An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems.
Privacy

Two-Thirds of Tech Workers Now Use a VPN, Survey Finds (9to5mac.com) 87

An anonymous reader shares a report: According to a survey, 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both. While much of that usage will be because it's installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes. The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices.
Businesses

Lenovo Won't Pay a Fine For Preinstalling Superfish Adware (theverge.com) 86

An anonymous reader shares a report: In 2014, Lenovo began bundling a third-party adware program called "Superfish" into its consumer PCs. Now, nearly three years later, the company is facing the consequences. Today, Lenovo settled a lawsuit by the Federal Trade Commission over the Superfish adware, agreeing to get affirmative consent for any future adware programs, as well as audited security checks of their software for the next 20 years. Installed on Lenovo laptops between September 2014 and January 2015, Superfish was granted root certificate access, allowing it to insert ads into even HTTPS-protected webpages. According to the FTC's indictment, breaking HTTPS presented a clear risk to consumers -- but Lenovo isn't going to have to pay for putting customers at risk. Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.
China

Chinese Man Jailed For Helping Net Users Evade State Blocks (bbc.com) 47

An anonymous reader shares a report: A Chinese man has been given a nine-month jail sentence for helping people evade government controls on where they can go online. Deng Jiewei, from Guangdong, was charged with illegally selling programs known as virtual private networks (VPNs), according to court papers. VPNs are illegal in China because they let people avoid government monitoring of what they are doing. The sentence is part of a larger crackdown on the use of VPNs in China. Deng started selling VPNs in late 2015 and was arrested in August 2016 for selling software which lets users "visit foreign websites that could not be accessed by a mainland IP address," reported the South China Morning Post. The Chinese government operates a massive monitoring system, known as the "great firewall," that watches what people do and say online. It also blocks access to sites, such as Facebook and YouTube, that are popular outside the country.
Communications

European Court Rules Companies Must Tell Employees of Email Checks (reuters.com) 103

Companies must tell employees in advance if their work email accounts are being monitored and such checks must not unduly infringe workers' privacy, the European Court of Human Rights ruled on Tuesday. From a report: In a judgment in the case of a man fired 10 years ago for using a work messaging account to communicate with his family, the judges found that Romanian courts failed to protect Bogdan Barbulescu's private correspondence because his employer had not given him prior notice it was monitoring his communications. Email privacy has become a hotly contested issue as more people use work addresses for personal correspondence even as employers demand the right to monitor email and computer usage to ensure staff use work email appropriately. Courts in general have sided with employers on this issue.
Verizon

Verizon Up Offers Rewards in Exchange For Customers' Personal Information (wsj.com) 74

An anonymous reader shares a report: A new Verizon rewards program, Verizon Up, provides credits that wireless subscribers can use for concert tickets, movie premieres and phone upgrades. But it comes with a catch: Customers must give the carrier access to their web-browsing history, app usage and location data, which Verizon says it uses to personalize the rewards and deliver targeted advertising as its customers browse the web. The trade-off is part of Verizon's effort to build a digital advertising business to compete with web giants Facebook and Google, which often already possess much of the same customer information. Even though Congress earlier this year dismantled tough privacy regulations on telecommunications providers, Verizon still wants customers to opt-in to its most comprehensive advertising program, called Verizon Selects. Data collected under the program is shared with Oath, the digital-media unit Verizon created when it bought AOL and Yahoo. Since access to data from customers could make it easier to tailor ads to their liking, Verizon hopes the information will help it gain advertising revenue to offset sluggish growth in its cellular business. See a current list of Verizon plans here.
Android

Vulnerabilities Discovered In Mobile Bootloaders of Major Vendors (bleepingcomputer.com) 76

An anonymous reader writes: Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the Android OS boot-up sequence, opening devices to attacks. The vulnerabilities were discovered with a new tool called BootStomp, developed by nine computer scientists from the University of California, Santa Barbara. Researchers analyzed five bootloaders from four vendors (NVIDIA, Qualcomm, MediaTek, and Huawei/HiSilicon). Using BootStomp, researchers identified seven security flaws, six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged five and are working on a fix. "Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the research team said (PDF). "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT."
Businesses

80% of UK Government IT Projects Suffer Delays Due To Tax Clampdown (theregister.co.uk) 88

An anonymous reader shares a report: The vast majority of UK government IT projects are suffering delays due to freelancers quitting over the IR35 tax clampdown, according to a survey of contractors. Of 405 IT freelancers surveyed by Contractor Calculator, 79 per cent said the projects they have been working on were delayed as a result of contractors leaving. In April, the government shifted responsibility for compliance with the IR35 legislation from the individual contractor to the public body or recruitment agency. The Treasury says it hopes to raise $240m for 2017/18 by bringing public sector contractors within the scope of the legislation. However, the overall number of freelancers leaving as a result of the changes is lower than previously thought, with 48 per cent jumping ship. In previous surveys more than 80 per cent had threatened to walk once the changes came into force. Half of the contractors who decided to stay managed to find a way of working outside the IR35 changes, with a further 13 per cent working within the scope of IR35 but negotiating a rate increase. The rest seemingly took the changes on the chin.
Piracy

Amid Crackdown On Torrent Websites, Some Users Move To Google Drive To Distribute Movies and Shows (ndtv.com) 84

An anonymous reader shares a report: As the crackdown on torrent sites continues around the world, people who are pirating TV shows and movies are having to get a little more creative. Cloud storage services such as Google Drive, Dropbox, and Kim Dotcom's Mega are some of the popular ones that are being used to distribute copyrighted content, according to DMCA takedown requests reviewed by Gadgets 360. Google Drive seems most popular among such users, with nearly five thousand DMCA takedown requests filed by Hollywood studios and other copyright holders just last month. Each DMCA request listed a few hundred Google Drive links that the content owners wanted pulled. What's interesting though is that while at times pirates upload full movies to Google Drive or other cloud services, in other cases, these Google Drive links are empty and just have a YouTube video embedded.
AI

AI Could Lead To Third World War, Elon Musk Says (theguardian.com) 244

An anonymous reader shares a report: Elon Musk has said again that artificial intelligence could be humanity's greatest existential threat, this time by starting a third world war. The prospect clearly weighs heavily on Musk's mind, since the SpaceX, Tesla and Boring Company chief tweeted at 2.33am Los Angeles time about how AI could lead to the end of the world -- without the need for the singularity. His fears were prompted by a statement from Vladimir Putin that "artificial intelligence is the future, not only for Russia, but for all humankind ... It comes with colossal opportunities, but also threats that are difficult to predict. Whoever becomes the leader in this sphere will become the ruler of the world." Hashing out his thoughts in public, Musk clarified that he was not just concerned about the prospect of a world leader starting the war, but also of an overcautious AI deciding "that a [pre-emptive] strike is [the] most probable path to victory." Musk added, "Competition for AI superiority at national level most likely cause of WW3 in my opinion. [...] Govts don't need to follow normal laws. They will obtain AI developed by companies at gunpoint, if necessary."
Wii

Jury Finds Nintendo Wii Infringes Dallas Inventor's Patent, Awards $10 Million (arstechnica.com) 113

A jury has ruled that Nintendo must pay $10.1 million because its Wii and Wii U systems infringe a patent belonging to a Dallas medical motion-detection company. Ars Technica reports: iLife sued Nintendo (PDF) in 2013 after filing lawsuits against four other companies in 2012. The case went to a jury trial in Dallas, and yesterday the jury returned its verdict (PDF). They found that Nintendo infringed U.S. Patent No. 6,864,796, first filed in 1999, which describes "systems and methods for evaluating movement of a body relative to an environment." The patent drawings show a body-mounted motion detector that could detect falls in the elderly, which is the market that iLife was targeting, according to its now defunct website. The $10.1 million was less than 10 percent of what iLife's attorneys had been asking for. When the trial began in Dallas on August 21, Law360 reported that iLife lawyers asked the jury for a $144 million payout. That damage demand was based on a royalty of $4 per Wii unit, multiplied by 36 million systems sold in the six years before the lawsuit was filed.
Government

Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com) 115

According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."

Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveals extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.

China

'Pay With Your Face' Technology Tested in a KFC Store In China (qz.com) 59

An anonymous reader quotes Quartz: Ant Financial, the financial services spinoff of e-commerce giant Alibaba, announced Friday it has rolled out a service with a KFC branch in Hangzhou, in eastern China, that lets customers pay for orders with their faces. It works just as one might expect -- diners approach a virtual menu, select the item they want to purchase, and then choose "facial scan" as a payment option. Users must input their phone numbers as an extra layer of verification, but the technology still works even if one's phone is turned off, an Ant Financial spokesperson tells Quartz.

A promotional video shows a young female customer scanning her face while donning a wig and appearing with friends, to tout that the technology can recognize an individual even if they are disguised or in a group... [T]he KFC partnership marks the first time it has been rolled out for commerce. An Ant Financial spokesperson tells Quartz that it intends to roll out the scanning at more locations later.

There are rumors of a similar service coming from Jd.com, according to the article, which also provides several examples of facial recognition technology being used by the Chinese government. "The Communist Party, facing no political opposition or democratic checks, can implement controversial technology with little pushback. This all means that facial recognition in China looks set to steadily move beyond a few novelty cases toward near ubiquity."
The Media

Police Allegedly Arrest UK News Photographer For Standing In A Field (wordpress.com) 216

Long-time Slashdot reader Andy Smith, a Scotland-based news photographer, writes: I'm a press photographer. Slashdot has previously covered how the police used underhanded tactics to seize some of my work photos. But that was far from the end of the story. Several months of harassment culminated in me being arrested for standing in a field, something protected by law here in Scotland. I was given a police caution, which is a formal alternative to prosecution, but the police then cancelled the caution and prosecuted me anyway. Ironically, I was meant to be joining the police this month as a volunteer, but that has now been delayed by at least six months.
Earlier Andy had filmed the same police sergeant warning him not to photograph a minor traffic accident -- which had "seemed to anger him."
Privacy

US Cops Can't Keep License Plate Data Scans Secret Without Reason, Court Rules (theregister.co.uk) 60

An anonymous reader quotes a report from The Register: Police departments cannot categorically deny access to data collected through automated license plate readers, California's Supreme Court said on Thursday -- a ruling that may help privacy advocates monitor government data practices. The ACLU Foundation of Southern California and the Electronic Frontier Foundation sought to obtain some of this data in 2012 from the Los Angeles Police Department and Sheriff's Department, but the agencies refused, on the basis that investigatory data is exempt from disclosure laws. So the following year, the two advocacy groups sued, hoping to understand more about how this data hoard is handled. The LAPD, according to court documents, collects data from 1.2 million vehicles per week and retains that data for five years. The LASD captures data from 1.7 to 1.8 million vehicles per week, which it retains for two years. The ACLU contends [PDF] that indiscriminate license plate data harvesting presents a risk to civil liberties and privacy. It argues that constant monitoring has the potential to chill rights of free speech and association and that databases of license plate numbers invite institutional abuse, not to mention security risks.
Bitcoin

Nearly 3,000 Bitcoin Miners Exposed Online Via Telnet Ports, Without Passwords (bleepingcomputer.com) 43

An anonymous reader quotes a report from Bleeping Computer: Dutch security researcher Victor Gevers has discovered 2,893 Bitcoin miners left exposed on the internet with no passwords on their Telnet port. Gevers told Bleeping Computer in a private conversation that all miners process Bitcoin transactions in the same mining pool and appear to belong to the same organization. "The owner of these devices is most likely a state sponsored/controlled organization part of the Chinese government," Gevers says, basing his claims on information found on the exposed miners and IP addresses assigned to each device. "At the speed they were taken offline, it means there must be serious money involved," Gevers added. "A few miners is not a big deal, but 2,893 [miners] working in a pool can generate a pretty sum." According to a Twitter user, the entire network of 2,893 miners Gevers discovered could generate an income of just over $1 million per day, if mining Litecoin.
Network

Comcast Sues Vermont To Avoid Building 550 Miles of New Cable Lines (arstechnica.com) 201

An anonymous reader quotes a report from Ars Technica: Comcast has sued the state of Vermont to try to avoid a requirement to build 550 miles of new cable lines. Comcast's lawsuit against the Vermont Public Utility Commission (VPUC) was filed Monday in U.S. District Court in Vermont and challenges several provisions in the cable company's new 11-year permit to offer services in the state. One of the conditions in the permit says that "Comcast shall construct no less than 550 miles of line extensions into un-cabled areas during the [11-year] term." Comcast would rather not do that. The company's court complaint says that Vermont is exceeding its authority under the federal Cable Act while also violating state law and Comcast's constitutional rights: "The VPUC claimed that it could impose the blanket 550-mile line extension mandate on Comcast because it is the 'largest' cable operator in Vermont and can afford it. These discriminatory conditions contravene federal and state law, amount to undue speaker-based burdens on Comcast's protected speech under the First Amendment of the United States Constitution... and deprive Comcast and its subscribers of the benefits of Vermont law enjoyed by other cable operators and their subscribers without a just and rational basis, in violation of the Common Benefits Clause of the Vermont Constitution."