Businesses

Wisconsin State Legislature Signs Off On $3 Billion Foxconn Incentive Package (venturebeat.com) 158

On Thursday, legislators in the state of Wisconsin approved a nearly $3 billion incentive package for the Taiwanese electronics manufacturer, Foxconn, in exchange for it investing approximately $10 billion in the state and building a factory that could employ up to 13,000 workers. The legislation is now headed to Republican Governor Scott Walker's desk, where he is expected to give it his seal of approval. VentureBeat reports: The bill passed the Wisconsin State Assembly on a 64-31 vote, after previously passing the state senate on a 20-13 vote. The move signals the start of what will likely be an important experiment in just how much generous incentive packages can do to help create new tech hubs. Governor Walker has said that the Foxconn factory -- the company's first in the United States -- will help transform Wisconsin into "Wisconn Valley." While on a trade mission this week to Japan and South Korea, Governor Walker told reporters that many of the companies he met with on the trip were already "very interested in how they could come to Wisconsin and partner for that new ecosystem." However, there are still a few details that need to be finalized before Foxconn can start breaking ground -- most notably, where the company will build the factory. The factory was set to be built in either Kenosha or Racine County, Wisconsin, before Kenosha dropped out of the running earlier this week.

Facebook

Spain Fines Facebook Over Tracking Users Without Consent (tomshardware.com) 41

Spain's Data Protection Authority has issued a 1.2 million euro fine against Facebook after it found three instances in which the company collected data without informing users, as required by European Union privacy laws. Tom's Hardware reports: The AEPD found multiple issues with how Facebook gathered data on Spanish users. One of the issues was that Facebook collects data on ideology, sex, and religious beliefs, as well as personal tastes and web surfing habits, without informing the users about how that data will be used. A second issue was that Facebook wasn't obtaining specific and informed consent from the users because the information it was offering them about the collection was not sufficiently clear. The company has been tracking both users and non-users of the service through the Like button across the web without informing them about this sort of tracking, nor about what it plans to do with the data. The company has previously said that the collection is done for advertising purposes, but some purposes remain secret, according to the Spanish Data Protection Authority. The AEPD said this sort of collection doesn't comply with the EU's data protection regulations.

Finally, the AEPD also noticed that Facebook has not been completely purging the data of users who had already deleted their accounts, and that Facebook was making use of data from accounts that had been deleted for more than 17 months. Considering that the retained data is no longer useful for the purpose for which it was collected, the agency considered this another serious infringement of EU privacy laws.

Security

ISPs Claim a Privacy Law Would Weaken Online Security, Increase Pop-Ups (arstechnica.com) 86

An anonymous reader quotes a report from Ars Technica: The country's biggest Internet service providers and advertising industry lobby groups are fighting to stop a proposed California law that would protect the privacy of broadband customers. AT&T, Comcast, Charter, Frontier, Sprint, Verizon, and some broadband lobby groups urged California state senators to vote against the proposed law in a letter Tuesday. The bill would require Internet service providers to obtain customers' permission before they use, share, or sell the customers' Web browsing and application usage histories. California lawmakers could vote on the bill Friday of this week, essentially replicating federal rules that were blocked by the Republican-controlled Congress and President Trump before they could be implemented. The text and status of the California bill, AB 375, are available here.

The letter claims that the bill would "lead to recurring pop-ups to consumers that would be desensitizing and give opportunities to hackers" and "prevent Internet providers from using information they have long relied upon to prevent cybersecurity attacks and improve their service." The Electronic Frontier Foundation picked apart these claims in a post yesterday. The proposed law won't prevent ISPs from taking security measures because the bill "explicitly says that Internet providers can use customer's personal information (including things like IP addresses and traffic records) 'to protect the rights or property of the BIAS [Broadband Internet Access Service] provider, or to protect users of the BIAS and other BIAS providers from fraudulent, abusive, or unlawful use of the service,'" EFF Senior Staff Technologist Jeremy Gillula wrote.

Google

Google Hit With Gender Pay Discrimination Lawsuit (axios.com) 244

An anonymous reader shares a report: Three female former Google employees have filed a lawsuit against the search giant alleging gender-based pay discrimination, as the Associated Press reported. The former employees, Kelly Ellis, Holly Pease and Kelli Wisuri, all left the company after being put on career paths within the company that they say would pay them less than their male counterparts.

Government

In a Highly Unusual Move, FTC Confirms It Is Investigating Equifax (reuters.com) 117

The Federal Trade Commission (FTC) on Thursday confirmed it is investigating Equifax's handling of a data breach affecting 143m Americans. "The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach," said Peter Kaplan, the commission's acting director of public affairs. A Washington Post reporter tweeted: "To put a finer point on it, this is really, really unusual -- the FTC hardly ever says anything about ongoing probes."

Businesses

Silicon Valley Bosses Are Globalists, Not Libertarians (economist.com) 308

From a report via The Economist: In a recently published survey of 600 entrepreneurs and executives in Silicon Valley, conducted by David Broockman and Neil Malhotra of Stanford University and Gregory Ferenstein, a journalist, three-quarters of respondents said they supported Hillary Clinton during the 2016 presidential election. But although technology-firm leaders hold views that in general hew much closer to Democratic positions than Republican ones, they are far from reliable partisan ideologues. As you might expect from captains of industry, Silicon Valley executives are much more likely to support free trade and to oppose government regulation of businesses than your average Democrat is. For example, just 30% of tech bosses believe that ride-hailing companies need to be regulated like the taxi industry, compared with 60% of Democrats.

Given their combination of socially liberal attitudes and a preference for free markets, you might call Silicon Valley executives libertarians. However, libertarians generally advocate shrinking the state as a share of the economy, which technology bosses resolutely do not. When asked if they "would like to live in a society where government does nothing except provide national defense and police protection, so that people could be left alone to earn whatever they could," just 24% agreed. In contrast, 68% of Republican donors concurred with that statement. Moreover, Silicon Valley entrepreneurs are just as likely to favor redistributive economic policies, such as universal health care and higher taxes on the rich, as an average Democrat is. The outlook of our new robot-building overlords is far more communitarian than, say, the doctrines of Ayn Rand.

Security

Backdoor Found In WordPress Plugin With More Than 200,000 Installations (bleepingcomputer.com) 84

According to Bleeping Computer, a WordPress plugin that goes by the name Display Widgets has been used to install a backdoor on WordPress sites across the internet for the past two and a half months. While the WordPress.org team removed the plugin from the official WordPress Plugins repository, the plugin was installed on more than 200,000 sites at the time of its removal. The good news is that the backdoor code was only found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2), so it's unlikely everyone who installed the plugin is affected. WordPress.org staff members reportedly removed the plugin three times before for similar violations. Bleeping Computer has compiled a history of events in its report, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence. The report adds: The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites. Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase. A month after buying the plugin in May, its new owner released a first new version -- v2.6.0 -- on June 21.

Music

Apple's 'Shoddy' Beats Headphones Get Slammed In Lawsuit (theregister.co.uk) 190

A lawsuit (PDF) filed Tuesday in U.S. District Court in Oakland, California, recounts the frustrations of five plaintiffs who found that Apple's Powerbeats 2 and Powerbeats 3 headphones did not perform as advertised. They are also claiming the company is refusing to honor warranty commitments to repair or replace the failed units. The Register reports: The complaint seeks $5,000,000 in damages and class action certification, in order to represent thousands of similarly afflicted Beats customers who are alleged to exist. "In widespread advertising and marketing campaigns, Apple touts that its costly Powerbeats (which retail for $199.95) are 'BUILT TO ENDURE' and are the 'BEST HEADPHONES FOR WORKING OUT,'" the complaint says. "But these costly headphones are neither 'built to endure' nor 'sweat & water resistant,' and certainly do not have a battery that lasts for six or twelve hours. Instead, these shoddy headphones contain a design defect that causes the battery life to diminish and eventually stop retaining a charge."

The complaint attributes the shoddiness of Apple's Powerbeats headphones to cheap components. Citing an estimate in a recent Motley Fool article, the complaint contends that Apple's Beats Solo headphones cost $16.89 to make and retail for $199.95: a markup of more than 1,000 per cent. That figure actually comes from a Medium post by Avery Louie, from hardware prototyping biz Bolt.

EU

EU Set To Demand Internet Firms Act Faster To Remove Illegal Content (reuters.com) 60

Companies including Google, Facebook and Twitter could face European Union laws forcing them to be more proactive in removing illegal content if they do not do more to police what is available on the Internet. From a report: The European Union executive outlines in draft guidelines reviewed by Reuters how Internet firms should step up efforts with measures such as establishing trusted flaggers and taking voluntary measures to detect and remove illegal content. Proliferating illegal content, whether because it infringes copyright or incites terrorism, has sparked heated debate in Europe between those who want online platforms to do more to tackle it and those who fear it could impinge on free speech. The companies have significantly stepped up efforts to tackle the problem of late, agreeing to an EU code of conduct to remove hate speech within 24 hours and forming a global working group to combine their efforts to remove terrorist content from their platforms.

Government

Kaspersky Software Banned From US Government Systems Over Concerns About Russia (betanews.com) 91

Mark Wilson writes: The Department of Homeland Security has told US government agencies to remove Kaspersky software from their systems. The directive was issued because of concerns about influence exerted over the company by the Russian government. Government agencies have been given three months to identify and start to remove Kaspersky's security products. Kaspersky has constantly denied connections to the Russian government, but the US is simply not willing to take the risk.

Microsoft

Windows 10 Will Soon Give Users More Control Over App Permissions (engadget.com) 76

An anonymous reader shares a report: The software giant has revealed that you'll get much more control over what apps are allowed to do with your device. Where you previously only had control over location sharing, the Fall Creators Update will ask you to grant permission before accessing all kinds of potentially sensitive hardware and software features. It'll ask to use your camera and microphone if you have a video recording app, for instance, or check before offering access to your calendar and contacts. You'll only get these prompts for apps installed after you move to the Fall Creators Update; you'll have to dive into your privacy settings to review permissions for apps you already have. Even so, it's an important boost to Windows' privacy security levels. Much as on phones, where fine-grained permissions are already fairly commonplace, you might not have to worry as much about malicious apps spamming your contacts or hijacking the camera.

Privacy

Trump Administration Sued Over Phone Searches at US Borders (reuters.com) 138

The Trump administration has engaged in an unconstitutional practice of searching without a warrant the phones and laptops of Americans who are stopped at the border, a lawsuit filed on Wednesday alleged. From a report: Ten U.S. citizens and one lawful permanent resident sued the Department of Homeland Security in federal court, saying the searches and prolonged confiscation of their electronic devices violate privacy and free speech protections of the U.S. Constitution. DHS could not be immediately reached for comment. The lawsuit comes as the number of searches of electronic devices has surged in recent years, alarming civil rights advocates.

Botnet

At Least 1.65 Million Computers Are Mining Cryptocurrency For Hackers So Far This Year (vice.com) 37

According to new statistics released on Tuesday by Kaspersky Lab, a prominent Russian information security firm, 2017 is on track to beat 2016 -- and every year since 2011 -- in terms of the sheer number of computers infected with malware that installs mining software. From a report: So far in 2017, the company says it has detected 1.65 million infected machines. The total amount of infected computers for all of the previous year was roughly 1.8 million. The infected machines are not just home computers, the firm stated in a blog post, but company servers as well. "The main effect for a home computer or organization infrastructure is reduced system performance," Anton Ivanov, a security researcher for Kaspersky, wrote me in an email. "Also some miners could download modules from a threat actor's infrastructure, and these modules could contain other malware such as Trojans [malware that disguises itself as legitimate software]." Ivanov said that the firm doesn't know how much money has been made overall with this scheme, but a digital wallet for one mining botnet that the company identified currently contains over $200,000 USD.

Government

Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security (helpnetsecurity.com) 51

Orome1 shares a report from Help Net Security: Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE's National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation's critical energy infrastructure, including the electric grid and oil and natural gas infrastructure. The electricity system must continue to evolve to address a variety of challenges and opportunities such as severe weather and the cyber threat, a changing mix of types of electric generation, the ability for consumers to participate in electricity markets, the growth of the Internet of Things, and the aging of the electricity infrastructure. The seven Resilient Distribution Systems projects awarded through DOE's Grid Modernization Laboratory Consortium (GMLC) will develop and validate innovative approaches to enhance the resilience of distribution systems -- including microgrids -- with high penetration of clean distributed energy resources (DER) and emerging grid technologies at regional scale. The project results are expected to deliver credible information on technical and economic viability of the solutions. The projects will also demonstrate viability to key stakeholders who are ultimately responsible for approving and investing in grid modernization activities. In addition, the Department of Energy "is also announcing 20 cybersecurity projects that will enhance the reliability and resilience of the Nation's electric grid and oil and natural gas infrastructure through innovative, scalable, and cost-effective research and development of cybersecurity solutions."

Microsoft

Researchers Catch Microsoft Zero-Day Used To Install Government Spyware (vice.com) 83

An anonymous reader quotes a report from Motherboard: Government hackers were using a previously-unknown vulnerability in Microsoft's .NET Framework, a development platform for building apps, to hack targets and infect them with spyware, according to security firm FireEye. The firm revealed the espionage campaign on Tuesday, on the same day Microsoft patched the vulnerability. According to FireEye, the bug, which until today was a zero-day, was being used by a customer of FinFisher, a company that sells surveillance and hacking technologies to governments around the world. The hackers sent a malicious Word RTF document to a "Russian speaker," according to Ben Read, FireEye's manager of cyber espionage research. The document was programmed to take advantage of the recently-patched vulnerability to install FinSpy, spyware designed by FinFisher. The spyware masqueraded as an image file called "left.jpg," according to FireEye.

Communications

The Only Safe Email is Text-Only Email (theconversation.com) 174

Sergey Bratus, Research Associate Professor of Computer Science, Dartmouth College, and Anna Shubina, Post-doctoral Associate in Computer Science, Dartmouth College write: The real issue is that today's web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It's not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way. Simply put, safe email is plain-text email -- showing only the plain words of the message exactly as they arrived, without embedded links or images. Webmail is convenient for advertisers (and lets you write good-looking emails with images and nice fonts), but carries with it unnecessary -- and serious -- danger, because a webpage (or an email) can easily show one thing but do another. Returning email to its origins in plain text may seem radical, but it provides radically better security. Even the federal government's top cybersecurity experts have come to the startling, but important, conclusion that any person, organization or government serious about web security should return to plain-text email (PDF).
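
The authors' point that an e-mail "can easily show one thing but do another" is something a mail gateway can check for. The following added example (not from the article or its authors) parses a constructed multipart message, keeps only the text/plain part the authors recommend displaying, and audits the HTML part for anchors whose visible text is a URL on a different host than the actual href, plus any remote images that would phone home when rendered. The message, hostnames, and function names are all assumptions for illustration.

```python
"""Audit an HTML e-mail for deceptive links and remote content; keep the plain-text part."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture): the HTML part displays the
# bank's URL as link text but sends the click to a look-alike host, and it
# embeds a 1x1 remote image that acts as a tracking pixel.
RAW_MESSAGE = """\
From: billing@example-bank.test
To: user@example.test
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Visit https://www.example-bank.test/statements

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready.
<a href="http://login.example-bank.test.evil.test/x">https://www.example-bank.test/statements</a></p>
<img src="http://tracker.evil.test/pixel.gif?id=42" width="1" height="1">
</body></html>
--b1--
"""


class LinkAuditor(HTMLParser):
    """Collect (href, visible text) for every anchor and the src of every image."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of (href, visible text)
        self.images = []      # list of img src values
        self._href = None     # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href", "") or ""
            self._text = []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def deceptive_links(links):
    """Anchors whose visible text looks like a URL but whose href goes to another host."""
    bad = []
    for href, text in links:
        if "://" in text and hostname(text) != hostname(href):
            bad.append((text, href))
    return bad


def audit_message(raw):
    """Return the plain-text body plus the HTML part's deceptive links and remote images."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    result = {
        "plain_text": plain.get_content().strip() if plain else None,
        "deceptive_links": [],
        "remote_images": [],
    }
    if html_part:
        auditor = LinkAuditor()
        auditor.feed(html_part.get_content())
        result["deceptive_links"] = deceptive_links(auditor.links)
        result["remote_images"] = [
            src for src in auditor.images if src.lower().startswith(("http://", "https://"))
        ]
    return result


if __name__ == "__main__":
    report = audit_message(RAW_MESSAGE)
    print("Safe to display:", report["plain_text"])
    for shown, actual in report["deceptive_links"]:
        print(f"Deceptive link: shows {shown} but goes to {actual}")
    for src in report["remote_images"]:
        print("Remote image (would beacon on render):", src)
```

A gateway that displays only `plain_text` and quarantines messages with non-empty `deceptive_links` implements the authors' recommendation without depending on the user noticing the mismatch.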

The Almighty Buck

Chatbot Lets You Sue Equifax For Up To $25,000 Without a Lawyer (theverge.com) 111

Shannon Liao reports via The Verge: If you're one of the millions affected by the Equifax breach, a chatbot can now help you sue Equifax in small claims court, potentially letting you avoid hiring a lawyer for advice. Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee. The bot, which launched in all 50 states in July, is mainly known for helping with parking tickets. But with this new update, its creator, Joshua Browder, who was one of the 143 million affected by the breach, is tackling a much bigger target, with larger aspirations to match. He says, "I hope that my product will replace lawyers, and, with enough success, bankrupt Equifax."

Not that the bot helps you do anything you can't already do yourself, which is filling out a bunch of forms -- you still have to serve them yourself. Unfortunately, the chatbot can't show up in court a few weeks later to argue your case for you either. To add to the headache, small claims court rules differ from state to state. For instance, in California, a person needs to demand payment from Equifax or explain why they haven't demanded payment before filing the form.

Encryption

Virginia Scraps Electronic Voting Machines Hackers Destroyed At DefCon (theregister.co.uk) 194

Following the DefCon demonstration in July that showed how quickly Direct Recording Electronic voting equipment could be hacked, Virginia's State Board of Elections has decided it wants to replace the state's electronic voting machines in time for the gubernatorial election due on November 7th, 2017. According to The Register, "The decision was announced in the minutes of the Board's September 8th meeting: 'The Department of Elections officially recommends that the State Board of Elections decertify all Direct Recording Electronic (DRE or touchscreen) voting equipment.'" From the report: With the DefCon bods showing some machines shared a single hard-coded password, Virginia directed the Virginia Information Technology Agency (VITA) to audit the machines in use in the state (the Accuvote TSX, the Patriot, and the AVC Advantage). None passed the test. VITA told the board "each device analyzed exhibited material risks to the integrity or availability of the election process," and the lack of a paper audit trail posed a significant risk of lost votes. Local outlet The News Leader notes that many precincts had either replaced their machines already, or are in the process of doing so. The election board's decision will force a change-over on the 140 precincts that haven't replaced their machines, covering 190,000 of Virginia's ~8.4m population.

Chrome

Google Details Plan To Distrust Symantec Certificates (tomshardware.com) 140

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.

Government

ShadowBrokers Releases NSA UNITEDRAKE Manual That Targets Windows Machines (schneier.com) 99

AmiMoJo shares a report from Schneier on Security: The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines: "Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information. UNITEDRAKE, described as a 'fully extensible remote collection system designed for Windows targets,' also gives operators the opportunity to take complete control of a device. The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, impersonating users, stealing diagnostics information and self-destructing once tasks are completed."

Google

Google Accused of Trying To Patent Public Domain Technology (bleepingcomputer.com) 101

An anonymous reader shares a report: A Polish academic is accusing Google of trying to patent technology he invented and that he purposely released into the public domain so companies like Google couldn't trap it inside restrictive licenses. The technology's name is Asymmetric Numeral Systems (ANS), a family of entropy coding methods that Polish assistant professor Jarosław (Jarek) Duda developed in the early 2000s, and which is now hot tech at companies like Apple, Google, and Facebook, mostly because it can improve data compression from 3 to 30 times. Duda says that Google is now trying to register a patent that includes most of the ANS basic principles. Ironically, Duda says he explained most of the technology described in the patent to Google engineers in a Google Groups discussion in 2014. The researcher already filed a complaint, to which WIPO ISA responded by calling out Google for not coming up with "an inventive contribution over the prior art, because it is no more than a straightforward application of known coding algorithms." A Google spokesperson refused to comment, and the mystery remains surrounding Google's decision to patent something that has been in the public domain since 2014.

Government

Government Officials Begin Investigating Equifax Breach (thehill.com) 142

An anonymous reader quotes the Hill: The massive breach of credit rating firm Equifax is attracting scrutiny from government officials across the country. Lawmakers from both parties have expressed concern over the hack, which could have exposed the sensitive personal information of as many as 143 million people. The New York, Pennsylvania and Illinois attorneys general have announced formal investigations into the hack...

The Senate Commerce Committee announced on Thursday that it sent a letter to Equifax seeking answers about the extent of the breach and what Equifax is doing to mitigate its impact. In the House, Financial Services Committee Chairman Jeb Hensarling (R-Texas) said that his committee would hold a hearing on the hacks at a to-be-determined date. Hensarling noted in a statement that such breaches are becoming "too common" and that consumers "deserve answers." House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) said that his committee would hold a separate hearing on the matter as well.

Security

Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com) 193

Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.

Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."

Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

AI

America's Data-Swamped Spy Agencies Pin Their Hopes On AI (phys.org) 62

An anonymous reader quotes Phys.org: Swamped by too much raw intel data to sift through, US spy agencies are pinning their hopes on artificial intelligence to crunch billions of digital bits and understand events around the world. Dawn Meyerriecks, the Central Intelligence Agency's deputy director for technology development, said this week the CIA currently has 137 different AI projects, many of them with developers in Silicon Valley. These range from trying to predict significant future events, by finding correlations in data shifts and other evidence, to having computers tag objects or individuals in video that can draw the attention of intelligence analysts. Officials of other key spy agencies at the Intelligence and National Security Summit in Washington this week, including military intelligence, also said they were seeking AI-based solutions for turning terabytes of digital data coming in daily into trustworthy intelligence that can be used for policy and battlefield action.

EU

Four EU Countries Seek Higher Taxes On Google and Amazon (reuters.com) 205

An anonymous reader quotes Reuters: France, Germany, Italy and Spain want digital multinationals like Amazon and Google to be taxed in Europe based on their revenues, rather than only profits as now, their finance ministers said in a joint letter. France is leading a push to clamp down on the taxation of such companies, but has found support from other countries also frustrated at the low tax they receive under current international rules. Currently such companies are often taxed on profits booked by subsidiaries in low-tax countries like Ireland even though the revenue originated from other EU countries. "We should no longer accept that these companies do business in Europe while paying minimal amounts of tax to our treasuries," the four ministers wrote in a letter seen by Reuters.

The Courts

Should British Hacker Lauri Love Be Tried In America? (theguardian.com) 254

A 31-year-old autistic man in the U.K. is suspected of hacking U.S. government computer systems in 2013 -- and he has one final chance to appeal his extradition. An anonymous reader quotes the Guardian: Even if Love is guilty, however, there are important legal and moral questions about whether he should be extradited to the US -- a nation that has prosecuted hackers with unrivalled severity, and one where Love could be sentenced to spend the rest of his life in prison... His remaining hope for mercy is a final appeal against extradition in the high court in November. Love's hope is for a full and fair trial in Britain.

Even if he is found guilty in a British court of the most serious crimes in the US government's indictment, his legal team estimate that he faces just a few months in prison. Failure means Love will be flown to a holding facility in New York, placed on suicide watch and probably forced to take antidepressants, prior to a trial. If he refuses to accept a plea deal and is convicted, he will face $9m (£6.8m) in fines and, experts estimate, a prison term of up to 99 years, a punishment illustrative of the US's aggressive sentencing against hackers under the controversial Computer Fraud and Abuse Act.

Naomi Colvin, from the human rights group the Courage Foundation, tells the Guardian that "Lauri's case is critically important in determining the reach of America's unusually harsh punitive sanctions for computer crimes."
Privacy

TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results (techcrunch.com) 176

An anonymous reader quotes security researcher Brian Krebs: The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach -- equifaxsecurity2017.com -- is completely broken at best, and little more than a stalling tactic or sham at worst. In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."
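Why a timestamp-derived PIN is a weak secret, as an added example that is not from the original page, from Equifax, or from the engineer quoted above. The block assumes the PIN is simply the freeze time written as month, day, two-digit year, hour, minute (an assumed layout, used here only for illustration) and measures how small the resulting search space is next to the 10^10 possibilities a genuinely random ten-digit PIN would have; the `recover_pin` walk against an oracle shows why that matters.

```python
from datetime import datetime, timedelta
import math
import secrets

# Assumed layout of a timestamp-derived PIN: month, day, two-digit year, hour, minute.
PIN_FORMAT = "%m%d%y%H%M"


def parse_when(s: str) -> datetime:
    """Helper for the examples: 'YYYY-MM-DD HH:MM' -> datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _as_dt(t):
    return t if isinstance(t, datetime) else parse_when(t)


def pin_from_time(t) -> str:
    """What a generator that just formats the freeze time would hand out."""
    return _as_dt(t).strftime(PIN_FORMAT)


def time_from_pin(pin: str) -> datetime:
    """The derivation is invertible: the PIN itself reveals when the freeze was placed."""
    return datetime.strptime(pin, PIN_FORMAT)


def candidate_pins(start, end):
    """Every PIN the generator could have produced for a freeze placed in [start, end)."""
    t = _as_dt(start).replace(second=0, microsecond=0)
    end = _as_dt(end)
    while t < end:
        yield pin_from_time(t)
        t += timedelta(minutes=1)


def search_space(start, end) -> int:
    """Number of PINs an attacker has to try for freezes placed in the window."""
    return sum(1 for _ in candidate_pins(start, end))


def recover_pin(oracle, start, end):
    """Walk the timestamp space against an oracle that says whether a PIN is accepted.

    Returns (pin, attempts) on success or (None, attempts) if the window was wrong.
    """
    attempts = 0
    for pin in candidate_pins(start, end):
        attempts += 1
        if oracle(pin):
            return pin, attempts
    return None, attempts


def random_pin() -> str:
    """What a ten-digit PIN should look like: drawn from a CSPRNG over all 10^10 values."""
    return f"{secrets.randbelow(10**10):010d}"


def compare_strength(start, end) -> dict:
    """Bits of guessing work for a timestamp PIN in the window versus a random one."""
    n = search_space(start, end)
    return {
        "timestamp_pins": n,
        "timestamp_bits": round(math.log2(n), 1),
        "random_bits": round(math.log2(10**10), 1),
        "work_reduction": 10**10 // n,
    }
```

For a freeze known to have been placed in a given week the attacker tries at most 10,080 values (about 13 bits) instead of 10^10 (about 33 bits), and the PIN leaks the freeze time to anyone who sees it; a PIN from `random_pin` has neither property.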
The Courts

The Teen Malware Career Of Marcus Hutchins (itwire.com) 48

Slashdot reader troublemaker_23 writes, "A number of security researchers have dismissed an article by reporter Brian Krebs about Marcus Hutchins, the Briton who is awaiting trial in the US on charges of writing and distributing the Kronos banking malware, by pointing out that it has nothing to do with the case." An anonymous reader writes: Krebs investigated dozens of hacker forum pseudonyms, concluding "The clues suggest that Hutchins began developing and selling malware in his mid-teens -- only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror." Krebs believes 15-year-old Hutchins registered a domain he'd later advertise as "mainly for blackhats wanting to phish," and in 2010 may have filmed YouTube videos about password-stealing malware. Krebs says the early activities are "fairly small-time -- and hardly rise to the level of coding from scratch a complex banking trojan and selling it to cybercriminals," though he believes Hutchins moved on to advertising exploit kits, password-stealers, and bot rentals.

Krebs also talked to 27-year-old Brendan Johnston, a friend of Hutchins who did time in prison in 2014 for selling Trojans, who "said his old friend sincerely tried to turn things around in late 2012... 'I feel like I know Marcus better than most people do online, and when I heard about the accusations I was completely shocked. He tried for such a long time to steer me down a straight and narrow path that seeing this tied to him didn't make sense to me at all.'" Krebs stresses that Hutchins didn't try to hide the fact that he'd written malware, "which in the United States at least is a form of protected speech." And his essay concludes, "Let me be clear: I have no information to support the claim that Hutchins authored or sold the Kronos banking trojan."

Symantec's former cybersecurity czar Tarah Wheeler has now set up a new legal fund after it was discovered that most of the online donations to Hutchins' previous defense fund came from stolen or fake credit card numbers. Hutchins returns to court in October, and the new fund has already received more than $16,000 in donations from more than 200 contributors.
Canada

Kodi Is Fighting Trademark Trolls (betanews.com) 92

On Friday the makers of the open source media player Kodi called out trademark trolls who they say have "attempted to register the Kodi name in various countries outside the United States with the goal of earning money off the Kodi name without doing any work beyond sending threatening letters." BrianFagioli shares an article in which BetaNews quotes Kodi community and project manager Nathan Betzen: "At least one trademark troll has so far not agreed to voluntarily release their grasp on their registration of our trademark and is actively blackmailing hardware vendors in an entire country, trying to become as rich as possible off of our backs and the backs of Kodi volunteers everywhere. His name is Geoff Gavora. He had written several letters to the Foundation over the years, expressing how important XBMC and Kodi were to him and his sales. And then, one day, for whatever reason, he decided to register the Kodi trademark in his home country of Canada. We had hoped, given the positive nature of his past emails, that perhaps he was doing this for the benefit of the Foundation. We learned, unfortunately, that this was not the case."

"Instead, companies like Mygica and our sponsor Minix have been delisted by Gavora on Amazon, so that only Gavora's hardware can be sold, unless those companies pay him a fee to stay on the store. Now, if you do a search for Kodi on Amazon.ca, there's a very real chance that every box you see is giving Gavora money to advertise that they can run what should be the entirely free and open Kodi. Gavora and his company are behaving in true trademark troll fashion."

Government

Should Congress Force Social Media To Investigate Foreign Propaganda Trolls? (politico.com) 266

"I fought foreign propaganda for the FBI," writes a former special agent from its Counterintelligence Division. Now an associate dean at Yale Law School, he's warning that "the tools we had won't work anymore." An anonymous reader quotes Politico: The bureau is now faced with huge private companies, like Facebook and Twitter, which are ostensibly neutral and have no professional or ethical obligation to vet the material they distribute. Further, foreign intelligence service propaganda agents are no longer human operatives on American soil -- they are invisible "trolls," often operating from a foreign country and behind social media accounts that make them impossible for the FBI to approach directly. Or, in the case of so-called bots -- software programs designed to simulate humans -- they might not even be people at all... [S]ocial media platforms can reach an almost limitless audience, often within days or hours, more or less for free: Russia's Facebook ads alone reached between 23 million and 70 million viewers.

Without any direct way to investigate and identify the source of the private accounts that generate this "fake news," there's literally nothing the FBI can do to stop a propaganda operation that can occur on such a massive scale... But Congress could pass legislation that requires social media companies to cooperate with counterintelligence in the same ways they do with law enforcement. For example, the Communications Assistance for Law Enforcement Act requires telecommunications companies to design their digital networks in such a way that would permit wiretaps for criminal cases. Similarly, requiring social media platforms to develop ways to vet and authenticate foreign users and proactively report potential bots to the FBI would enable the FBI to identify perception management operations as they are occurring. In addition to monitoring these specific FIS-based accounts, the FBI could publicly expose the source of particular accounts, ads or news...

"At this point, we have no choice: It's clear that our current counterintelligence strategy hasn't caught up to the age of asymmetrical information warfare," the former counterintelligence agent concludes. "Until it does, we'll be silently allowing our freedoms to be manipulated...."
Government

FDA Slams EpiPen Maker For Doing Nothing While Hundreds Failed, People Died (arstechnica.com) 80

An anonymous reader quotes a report from Ars Technica: The manufacturer of EpiPen devices failed to address known malfunctions in its epinephrine auto-injectors even as hundreds of customer complaints rolled in and failures were linked to deaths, according to the Food and Drug Administration. The damning allegations came to light today when the FDA posted a warning letter it sent September 5 to the manufacturer, Meridian Medical Technologies, Inc. The company (which is owned by Pfizer) produces EpiPens for Mylan, which owns the devices and is notorious for dramatically raising prices by more than 400 percent in recent years. The auto-injectors are designed to be used during life-threatening allergic reactions to provide a quick shot of epinephrine. If they fail to fire, people experiencing a reaction can die or suffer serious illnesses. According to the FDA, that's exactly what happened for hundreds of customers. In the letter, the agency wrote: "In fact, your own data show that you received hundreds of complaints that your EpiPen products failed to operate during life-threatening emergencies, including some situations in which patients subsequently died."

The agency goes on to lambast Meridian Medical for failing to investigate problems with the devices, recall bad batches, and follow up on problems found. For instance, a customer made a complaint in April 2016 that an EpiPen failed. When Meridian disassembled the device, it found a deformed component that led to the problem -- the exact same defect it had found in February when another unit failed.

Privacy

Ask Slashdot: What's a Practical Response To the Equifax Breach? 217

In response to the massive Equifax cybersecurity incident impacting approximately 143 million U.S. consumers -- making it possibly the worst leak of personal info ever -- Slashdot reader AdamStarks asks: What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
Software

Uber Faces FBI Probe Over Program Targeting Rival Lyft (wsj.com) 13

cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), Uber is under investigation by federal law-enforcement authorities for using a program called "Hell" to illegally interfere with the competition by creating fake Lyft accounts, initiating phony ride requests for Lyft drivers, and offering cash bonuses for drivers who drive for both services to leave Lyft. This is creating a new headache for incoming CEO Dara Khosrowshahi to deal with. From the report: "Federal law-enforcement authorities in New York are investigating whether Uber Technologies Inc. used software to interfere illegally with its competitors, according to people familiar with the investigation, adding to legal pressures facing the embattled ride-hailing company and its new chief executive. The investigation, led by the Federal Bureau of Investigation's New York office and the Manhattan U.S. attorney's office, is focused on a defunct Uber program, known internally as 'Hell,' that could track drivers working for rival service Lyft Inc., the people said. 'We are cooperating with the SDNY investigation,' said an Uber spokesman, referring to New York's Southern District. He declined to offer additional details. Uber has never publicly discussed the details of the program. But people familiar with the matter said 'Hell' worked like this: Uber created fake Lyft customer accounts, tricking Lyft's system into believing prospective customers were seeking rides in various locations around a city. That allowed Uber to see which Lyft drivers were nearby and what prices they were offering for various routes, similar to how such information appears when an authentic Lyft app is opened on a user's smartphone, these people said. 
The program was also used to glean data on drivers who worked for both companies, and whom Uber could target with cash incentives to get them to leave Lyft, said these people, who added that the program was discontinued last year."
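The abuse pattern the report describes, fake customer accounts opening the app at many spoofed locations to enumerate nearby drivers and prices without ever taking a ride, is something the targeted platform can look for in its own telemetry. The block below is an added example, not Lyft's or Uber's code: it runs two simple heuristics over constructed session events (a handful of price lookups for two made-up accounts on 2017-09-07), flagging accounts that issue many lookups with no completed rides and accounts whose consecutive lookups imply impossible travel speeds. The event schema, thresholds and coordinates are all assumptions for the demonstration.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def ev(account, kind, hh_mm_ss, lat, lon):
    """Build one constructed telemetry event (assumed schema) for 2017-09-07."""
    h, m, s = (int(x) for x in hh_mm_ss.split(":"))
    return {"account": account, "type": kind, "ts": datetime(2017, 9, 7, h, m, s),
            "lat": lat, "lon": lon}


# Constructed sample: one account sweeping the Bay Area in under three minutes, one ordinary rider.
SAMPLE_EVENTS = [
    ev("acct-7f3a", "price_lookup", "08:00:00", 37.7749, -122.4194),   # San Francisco
    ev("acct-7f3a", "price_lookup", "08:00:30", 37.8044, -122.2712),   # Oakland
    ev("acct-7f3a", "price_lookup", "08:01:00", 37.8716, -122.2727),   # Berkeley
    ev("acct-7f3a", "price_lookup", "08:01:30", 37.5630, -122.3255),   # San Mateo
    ev("acct-7f3a", "price_lookup", "08:02:00", 37.4419, -122.1430),   # Palo Alto
    ev("acct-7f3a", "price_lookup", "08:02:30", 37.3382, -121.8863),   # San Jose
    ev("acct-c210", "price_lookup", "08:05:00", 37.7849, -122.4094),
    ev("acct-c210", "ride_completed", "08:26:00", 37.7949, -122.3994),
    ev("acct-c210", "price_lookup", "17:40:00", 37.7890, -122.4010),
]


def profile(events):
    """Per-account summary: lookup count, ride count and the fastest implied travel between lookups."""
    lookups = sorted((e for e in events if e["type"] == "price_lookup"), key=lambda e: e["ts"])
    rides = sum(1 for e in events if e["type"] == "ride_completed")
    max_kmh = 0.0
    for a, b in zip(lookups, lookups[1:]):
        hours = (b["ts"] - a["ts"]).total_seconds() / 3600.0
        if hours > 0:
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            max_kmh = max(max_kmh, km / hours)
    return {"lookups": len(lookups), "rides": rides, "max_kmh": max_kmh}


def flag_scrapers(events, min_lookups=5, max_plausible_kmh=300.0):
    """Return {account: [reasons]} for accounts whose behaviour looks like driver enumeration."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        p = profile(evs)
        reasons = []
        if p["lookups"] >= min_lookups and p["rides"] == 0:
            reasons.append(f"{p['lookups']} price lookups, no completed rides")
        if p["max_kmh"] > max_plausible_kmh:
            reasons.append(f"implied travel of {p['max_kmh']:.0f} km/h between lookups")
        if reasons:
            flagged[account] = reasons
    return flagged
```

Both signals are cheap to compute from data the platform already has; in practice they would feed account-level rate limits or a review queue rather than an automatic ban, since a legitimate user comparing fares from a few places in a day trips neither threshold.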
Earth

UN Aviation Agency To Call For Global Drone Registry (reuters.com) 47

An anonymous reader quotes a report from Reuters: The United Nations' aviation agency is backing the creation of a single global drone registry, as part of broader efforts to come up with common rules for flying and tracking unmanned aircraft. While the International Civil Aviation Organization cannot impose regulations on countries, ICAO has proposed formation of the registry during a Montreal symposium this month to make data accessible in real time, said Stephen Creamer, director of ICAO's air navigation bureau. The single registry would eschew multiple databases in favor of a one-stop-shop that would allow law enforcement to remotely identify and track unmanned aircraft, along with their operator and owner. It's not yet clear who would operate such a database, although ICAO could possibly fill that role. The proposal, however, could face push back from users, after hobbyists successfully challenged the creation of a U.S. drone registry by the Federal Aviation Administration in court earlier this year.
Security

Mexican Tax Refund Site Left 400GB of Sensitive Customer Info Wide Open (theregister.co.uk) 18

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database. From a report: A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of sensitive information could be either downloaded or viewed because of a lack of access controls before the system was recently secured.
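What "a lack of access controls" on a CouchDB instance looks like, and how to confirm it from both sides, as an added example that is not Kromtech's or MoneyBack's code. An unauthenticated CouchDB node with no server admin configured runs in what the project calls admin party mode: an anonymous `GET /_session` reports the `_admin` role and `GET /_all_dbs` lists every database. The block interprets constructed copies of those two replies and checks the `local.ini` settings that close the hole (a configured `[admins]` entry, `require_valid_user = true`, and a loopback `bind_address`); the sample JSON and both INI fragments are constructed for the demonstration, and the hashed admin value is a placeholder.

```python
import configparser
import json


def assess_anonymous_session(status: int, body: str) -> list:
    """Interpret the reply to an unauthenticated GET /_session."""
    if status == 401:
        return []  # anonymous access rejected: what a hardened node should do
    ctx = json.loads(body).get("userCtx", {})
    if ctx.get("name") is None and "_admin" in ctx.get("roles", []):
        return ["admin party: no server admin is configured, every anonymous client holds the _admin role"]
    if ctx.get("name") is None:
        return ["anonymous sessions are accepted; only per-database _security objects stand in the way"]
    return []


def assess_all_dbs(status: int, body: str) -> list:
    """Interpret the reply to an unauthenticated GET /_all_dbs."""
    if status != 200:
        return []
    return [f"database list readable without credentials: {json.loads(body)}"]


def assess_local_ini(ini_text: str) -> list:
    """Check the local.ini settings that decide whether anonymous clients get in at all."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    if not (cp.has_section("admins") and cp.items("admins")):
        findings.append("[admins] is empty: the node runs in admin party mode")
    # CouchDB 2.x reads [chttpd], 1.x reads [httpd]; both default to loopback.
    bind = cp.get("chttpd", "bind_address",
                  fallback=cp.get("httpd", "bind_address", fallback="127.0.0.1"))
    if bind in ("0.0.0.0", "::"):
        findings.append(f"bind_address = {bind}: the HTTP API listens on every interface")
    rvu = cp.get("chttpd", "require_valid_user",
                 fallback=cp.get("couch_httpd_auth", "require_valid_user", fallback="false"))
    if rvu.strip().lower() != "true":
        findings.append("require_valid_user is not true: unauthenticated requests reach the API")
    return findings


# Constructed replies an exposed node would give to an anonymous client.
ADMIN_PARTY_SESSION = json.dumps({"ok": True, "userCtx": {"name": None, "roles": ["_admin"]}})
EXPOSED_ALL_DBS = json.dumps(["_users", "customers", "refunds"])

# Constructed local.ini fragments: the weak configuration and the corrected one.
EXPOSED_INI = """
[chttpd]
port = 5984
bind_address = 0.0.0.0
"""

HARDENED_INI = """
[chttpd]
port = 5984
bind_address = 127.0.0.1
require_valid_user = true

[admins]
; CouchDB rewrites a plaintext value here into a -pbkdf2- hash on restart (placeholder hash below)
admin = -pbkdf2-0000000000000000000000000000000000000000,00000000000000000000000000000000,10
"""
```

Binding to loopback and putting the node behind an authenticating reverse proxy or a firewall rule is the part that stops the data from being indexed by internet-wide scanners; the `[admins]` entry and `require_valid_user` stop anyone who still reaches the port.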
Government

Seoul Is Reinventing Itself As a Techno-Utopia (wired.com) 68

mirandakatz writes: Seoul is struggling: Its birth rate is at an all-time low, college graduates are having enormous trouble finding jobs, and trust in government is not high. But South Korea is also, in many ways, cutting edge -- and it wants to use that future-thinking power to build its capital into a techno-utopia. As Susan Crawford details at Backchannel, that begins with a powerful data analysis tool known as the "Digital Civic Mayor's Office." Crawford writes that "this dashboard seemed like a potential green shoot of democracy -- a city doing what it can to show citizens why government should be trusted and that their quality of life, including the quality of the air they breathe, the prices of the apples they eat, and the traffic jams they face daily, is important."
Privacy

Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com) 401

The breach Equifax reported Thursday is very possibly the most severe of all for a simple reason: the breathtaking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely. Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.

UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.
Bug

Bug In Windows Kernel Could Prevent Security Software From Identifying Malware (bleepingcomputer.com) 75

An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Technical details of the bug are available here.
Businesses

VR Company Upload Settles Sexual Harassment Lawsuit (techcrunch.com) 83

An anonymous reader quotes a report from TechCrunch: Upload, formerly UploadVR, the virtual reality startup at the center of a sexual harassment and wrongful termination lawsuit filed earlier this year, has settled the case with its former employee and is aiming to put the ensuing damage behind it. The lawsuit, filed against the startup and its co-founders by former director of digital and social media Elizabeth Scott, alleged that the company had sought to create a "boy's club" environment and described "rampant" sexual behavior in the office, allegations that co-founders Will Mason and Taylor Freeman denied as "entirely without merit." The lawsuit is now over, according to people familiar with the matter, and though the terms of the agreement were undisclosed, some in the virtual reality community feel that the company has dodged a bullet in reaching some conclusion over the litigation.

"The matter has been concluded," was Upload's official statement. Neither Scott, nor her legal counsel, responded to a request for comment for this story. Upload has also released the following statement around the conclusion of the legal case. "Our primary focus at Upload is education, which we believe is the key to growing the mixed reality ecosystem. We are deeply committed to creating an inclusive community to empower the pioneers building the future."

Security

Credit Reporting Firm Equifax Announces 'Cybersecurity Incident Impacting Approximately 143 Million US Consumers' (cnbc.com) 299

Equifax, which supplies credit information and other information services, said Thursday that a cybersecurity incident discovered on July 29 could have potentially affected 143 million consumers in the U.S. "The leaked data includes names, birth dates, social security numbers, addresses and potentially drivers licenses," reports CNBC. "209,000 U.S. credit card numbers were also obtained, in addition to 'certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.'"

Chairman and Chief Executive Officer, Richard F. Smith said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident." Equifax is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities.

UPDATE (9/7/17): According to Bloomberg, "three Equifax senior executives sold shares worth almost $1.8 million" in the days after the company discovered the security breach. Regulatory filings show that "three days after the breach was discovered on July 29th, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099." Meanwhile, "Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2."
The Courts

Judge Dismisses 'Inventor of Email' Lawsuit Against Techdirt (arstechnica.com) 127

A federal judge in Massachusetts has dismissed a libel lawsuit filed earlier this year against tech news website Techdirt. From a report: The claim was brought by Shiva Ayyadurai, who has controversially claimed that he invented e-mail in the late 1970s. Techdirt (and its founder and CEO, Mike Masnick) has been a longtime critic of Ayyadurai and institutions that have bought into his claims. "How The Guy Who Didn't Invent Email Got Memorialized In The Press & The Smithsonian As The Inventor Of Email," reads one Techdirt headline from 2012. One of Techdirt's commenters dubbed Ayyadurai a "liar" and a "charlatan," which partially fueled Ayyadurai's January 2017 libel lawsuit. In the Wednesday ruling, US District Judge F. Dennis Saylor found that because it is impossible to define precisely and specifically what e-mail is, Ayyadurai's "claim is incapable of being proved true or false."
EU

Intel's $1.3 Billion Fine In Europe Requires Review, Court Says (nytimes.com) 72

cdreimer writes: According to a report in The New York Times (Warning: source may be paywalled; alternative source), the Court of Justice in the European Union has ordered the lower courts to revisit the $1.3 billion anti-trust fine levied against Intel in 2009, giving hope to Google and other American technology firms to avoid being fined for being dominant in the EU markets. From the report: "The highest court in the European Union ordered on Wednesday that a $1.3 billion antitrust fine doled out against Intel nearly a decade ago be revisited, a ruling that could give hope to Google and other American technology giants facing challenges to their dominance in the region. The decision to send the case back to a lower court for re-examination is a blow to regional competition regulators, whose oversight of digital services has been among the world's most aggressive. It could also embolden American technology companies, which have long complained that antitrust officials in Europe target them unfairly, to challenge rulings and investigations against them. The move by the Court of Justice of the European Union raises the prospect that the 1.06 billion euro fine on Intel in 2009, equivalent to $1.26 billion at current exchange rates, could be reduced or scrapped entirely. The penalty -- at the time the largest of its kind -- was upheld by European courts in 2014 and will most likely be the subject of legal battles for years to come. That record fine was overtaken by a 2.4 billion euro penalty against Google in June. The Silicon Valley giant was accused of using its dominant position in online search to give preferential treatment to its internet shopping service over those of its rivals."
AI

Hackers Can Take Control of Siri and Alexa By Whispering To Them in Frequencies Humans Can't Hear (fastcodesign.com) 116

Chinese researchers have discovered a vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon's Alexa assistant. From a report: Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear. The researchers didn't just activate basic commands like "Hey Siri" or "Okay Google," though. They could also tell an iPhone to "call 1234567890" or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to "open the backdoor." Even an Audi Q3 could have its navigation system redirected to a new location. "Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user," the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.
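How an inaudible command becomes an audible one inside the device, as an added example that is neither the research team's code nor anything from the original page. The published DolphinAttack work amplitude-modulates the spoken command onto an ultrasonic carrier; the non-linearity of the microphone and amplifier front end then produces sum and difference frequencies, one of which is the original baseband command, which the low-pass stage before the speech recogniser keeps. The block models that chain with a single 1 kHz tone standing in for the voice command, a 25 kHz carrier, a quadratic term for the front-end non-linearity and a windowed-sinc low-pass filter; the sample rate, carrier frequency, non-linearity coefficient and filter cutoff are all assumptions chosen for the simulation, not values taken from the paper. It runs in plain Python with no numpy.

```python
import math

FS = 192_000          # simulation sample rate (assumed; comfortably above the carrier)
CARRIER_HZ = 25_000   # ultrasonic carrier (assumed; above the ~20 kHz limit of human hearing)


def tone(freq_hz, seconds, fs=FS):
    """Sine tone standing in for the voice command (constructed test signal)."""
    n = round(seconds * fs)
    return [math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n)]


def am_modulate(baseband, carrier_hz=CARRIER_HZ, fs=FS, depth=1.0):
    """(1 + depth*m[n]) * cos(2*pi*fc*n/fs): all energy sits at fc +/- the baseband frequencies."""
    return [(1.0 + depth * m) * math.cos(2 * math.pi * carrier_hz * i / fs)
            for i, m in enumerate(baseband)]


def mic_nonlinearity(x, a2=0.5):
    """Quadratic model of the microphone/amplifier: the x^2 term mixes fc+/-fm back down to fm."""
    return [v + a2 * v * v for v in x]


def lowpass_fir(x, cutoff_hz, fs=FS, taps=255):
    """Hamming-windowed sinc low-pass, zero-phase aligned, unity DC gain."""
    fc = cutoff_hz / fs
    m = taps - 1
    h = []
    for n in range(taps):
        k = n - m / 2
        ideal = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * n / m)))
    gain = sum(h)
    h = [v / gain for v in h]
    half = m // 2
    out = []
    for i in range(len(x)):
        acc = 0.0
        for j, hv in enumerate(h):
            k = i + half - j
            if 0 <= k < len(x):
                acc += hv * x[k]
        out.append(acc)
    return out


def tone_magnitude(x, freq_hz, fs=FS):
    """Normalised DFT magnitude at one frequency (direct evaluation)."""
    re = im = 0.0
    for n, v in enumerate(x):
        ang = 2 * math.pi * freq_hz * n / fs
        re += v * math.cos(ang)
        im -= v * math.sin(ang)
    return math.hypot(re, im) / len(x)


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb)


def simulate(command_hz=1000, seconds=0.04, cutoff_hz=5000):
    """Transmit an AM-ultrasonic command, pass it through the non-linear front end, recover it."""
    command = tone(command_hz, seconds)
    in_air = am_modulate(command)                 # what a bystander's ear receives: nothing below 24 kHz
    after_mic = mic_nonlinearity(in_air)          # what the device's front end produces
    recovered = lowpass_fir(after_mic, cutoff_hz)  # what reaches the speech recogniser
    guard = 255                                   # drop filter edge effects before comparing
    return {
        "command_level_in_air": tone_magnitude(in_air, command_hz),
        "command_level_after_mic": tone_magnitude(after_mic, command_hz),
        "correlation_with_command": pearson(command[guard:-guard], recovered[guard:-guard]),
    }
```

The level of the 1 kHz component in the air is numerically zero, so nothing at the command frequency is present for a person to hear, yet after the quadratic term it reappears at a quarter of the carrier amplitude and the filtered output tracks the original command with a correlation above 0.9. The defence the paper's quoted sentence points at follows directly: the device, not an alert user, has to reject input whose energy arrives only above the voice band, or whose spectrum shows the demodulation products the model predicts.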
United States

House Passes Bill To Speed Deployment of Self-driving Cars (go.com) 176

The House voted Wednesday to speed the introduction of self-driving cars by giving the federal government authority to exempt automakers from safety standards not applicable to the technology, and to permit deployment of up to 100,000 of the vehicles annually over the next several years. From a report: The bill was passed by a voice vote. State and local officials have said it usurps their authority by giving to the federal government sole authority to regulate the vehicles' design and performance. States would still decide whether to permit self-driving cars on their roads. Automakers have complained that a patchwork of laws states have passed in recent years would hamper deployment of the vehicles, which they see as the future of the industry. Self-driving cars are forecast to dramatically lower traffic fatalities once they are on roads in significant numbers, among other benefits. Early estimates indicate there were more than 40,000 traffic fatalities last year. The National Highway Traffic Safety Administration says 94 percent of crashes involve human error.
EU

EU Presidency Calls For Massive Internet Filtering, Leaked Document Shows (edri.org) 236

An anonymous reader shares a report: A Council of the European Union document leaked by Statewatch on 30 August reveals that during the summer months Estonia (current EU Presidency) has been pushing the other Member States to strengthen indiscriminate internet surveillance, and to follow in the footsteps of China regarding online censorship. Standing firmly behind its belief that filtering the uploads is the way to go, the Presidency has worked hard in order to make the proposal for the new copyright Directive even more harmful than the Commission's original proposal, and pushing it further into the realms of illegality. According to the leaked document, the text suggests two options for each of the two most controversial proposals: the so-called "link tax" or ancillary copyright and the upload filter.
Piracy

Sci-Hub Faces $4.8 Million Piracy Damages and ISP Blocking (torrentfreak.com) 142

The American Chemical Society (ACS), a leading source of academic publications in the field of chemistry, accused Sci-Hub of mass copyright infringement and is demanding $4.8 million in piracy damages. "Sci-Hub was made aware of the legal proceedings but did not appear in court," reports Torrent Freak. "As a result, a default was entered against the site, and a few days ago ACS specified its demands, which include $4.8 million in piracy damages." The complaint comes soon after the pirate site was ordered to pay $15 million in piracy damages to academic publisher Elsevier. From the report: "Here, ACS seeks a judgment against Sci-Hub in the amount of $4,800,000 -- which is based on infringement of a representative sample of publications containing the ACS Copyrighted Works multiplied by the maximum statutory damages of $150,000 for each publication," they write. "Sci-Hub's unabashed flouting of U.S. Copyright laws merits a strong deterrent. This Court has awarded a copyright holder maximum statutory damages where the defendant's actions were 'clearly willful' and maximum damages were necessary to 'deter similar actors in the future.'" The publisher notes that the maximum statutory damages are only requested for 32 of its 9,000 registered works. This still adds up to a significant sum of money, of course, but that is needed as a deterrent, ACS claims.

Although the deterrent effect may sound plausible in most cases, another $4.8 million in debt is unlikely to worry Sci-Hub's owner, as she can't pay it off anyway. However, there's also a broad injunction on the table that may be more of a concern. The requested injunction prohibits Sci-Hub's owner from continuing her work on the site. In addition, it also bars a wide range of other service providers from assisting others to access it. Specifically, it restrains "any Internet search engines, web hosting and Internet service providers, domain name registrars, and domain name registries, to cease facilitating access to any or all domain names and websites through which Defendant Sci-Hub engages in unlawful access to [ACS's works]."

Bug

A Critical Apache Struts Security Flaw Makes It 'Easy' To Hack Fortune 100 Firms (zdnet.com) 42

An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems.
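The first thing a practitioner wants after reading this is a way to find out whether their own builds ship the affected REST plugin at a pre-fix version. The block below is an added example, not code from Apache, LGTM or Semmle: it reads a Maven `pom.xml`, resolves versions declared through `<properties>` (as most real builds do), and reports whether `struts2-rest-plugin` is present and older than the first fixed release on its branch. The fixed-version table holds the releases Apache published for this flaw in its S2-052 advisory (2.3.34 and 2.5.13); the sample `pom.xml` generator and its coordinates are constructed for the demonstration. A jar copied into `WEB-INF/lib` by hand would not appear in the POM, so a scan of deployed archives is still needed alongside this.

```python
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
STRUTS_GROUP = "org.apache.struts"
REST_PLUGIN = "struts2-rest-plugin"
# First release on each maintained branch that carries the fix, per Apache's S2-052 advisory.
FIXED_BY_BRANCH = {"2.3": (2, 3, 34), "2.5": (2, 5, 13)}


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric qualifiers are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def struts_dependencies(pom_text: str) -> dict:
    """Return {artifactId: resolved version} for every org.apache.struts dependency in the POM."""
    root = ET.fromstring(pom_text)
    props = {p.tag[len(NS):]: (p.text or "").strip() for p in root.findall(f"{NS}properties/*")}
    found = {}
    for dep in root.iter(f"{NS}dependency"):
        if dep.findtext(f"{NS}groupId", "").strip() != STRUTS_GROUP:
            continue
        artifact = dep.findtext(f"{NS}artifactId", "").strip()
        version = (dep.findtext(f"{NS}version", "") or "").strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)   # resolve ${struts.version}
        found[artifact] = version
    return found


def rest_plugin_status(pom_text: str) -> dict:
    """Decide whether the build is exposed to the REST plugin flaw and say why."""
    deps = struts_dependencies(pom_text)
    if REST_PLUGIN not in deps:
        return {"vulnerable": False,
                "reason": f"{REST_PLUGIN} not declared; also check WEB-INF/lib for a copy added by hand"}
    version = deps[REST_PLUGIN]
    pv = parse_version(version)
    fixed_25, fixed_23 = FIXED_BY_BRANCH["2.5"], FIXED_BY_BRANCH["2.3"]
    if pv >= fixed_25 or (pv[:2] == (2, 3) and pv >= fixed_23):
        return {"vulnerable": False, "reason": f"{REST_PLUGIN} {version} carries the fix"}
    return {"vulnerable": True,
            "reason": f"{REST_PLUGIN} {version} predates the fix; upgrade to 2.3.34 or 2.5.13 (or later)"}


def sample_pom(struts_version: str, with_rest_plugin: bool = True) -> str:
    """Constructed pom.xml for the demonstration; versions flow through a property."""
    rest = f"""
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${{struts.version}}</version>
    </dependency>""" if with_rest_plugin else ""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>booking</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>{struts_version}</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${{struts.version}}</version>
    </dependency>{rest}
  </dependencies>
</project>
"""
```

Run `rest_plugin_status(open("pom.xml").read())` against each service's build file; a `vulnerable: True` result on anything internet-facing should be treated as an emergency patch, since the report above stresses that exploitation needs nothing more than a browser.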
Privacy

Two-Thirds of Tech Workers Now Use a VPN, Survey Finds (9to5mac.com) 87

An anonymous reader shares a report: According to a survey, 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both. While much of that usage will be because it's installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes. The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices.

Businesses

Lenovo Won't Pay a Fine For Preinstalling Superfish Adware (theverge.com) 86

An anonymous reader shares a report: In 2014, Lenovo began bundling a third-party adware program called "Superfish" into its consumer PCs. Now, nearly three years later, the company is facing the consequences. Today, Lenovo settled a lawsuit by the Federal Trade Commission over the Superfish adware, agreeing to get affirmative consent for any future adware programs, as well as audited security checks of their software for the next 20 years. Installed on Lenovo laptops between September 2014 and January 2015, Superfish was granted root certificate access, allowing it to insert ads into even HTTPS-protected webpages. According to the FTC's indictment, breaking HTTPS presented a clear risk to consumers -- but Lenovo isn't going to have to pay for putting customers at risk. Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.

China

Chinese Man Jailed For Helping Net Users Evade State Blocks (bbc.com) 47

An anonymous reader shares a report: A Chinese man has been given a nine-month jail sentence for helping people evade government controls on where they can go online. Deng Jiewei, from Guangdong, was charged with illegally selling programs known as virtual private networks (VPNs), according to court papers. VPNs are illegal in China because they let people avoid government monitoring of what they are doing. The sentence is part of a larger crackdown on the use of VPNs in China. Deng started selling VPNs in late 2015 and was arrested in August 2016 for selling software which lets users "visit foreign websites that could not be accessed by a mainland IP address," reported the South China Morning Post. The Chinese government operates a massive monitoring system, known as the "great firewall," that watches what people do and say online. It also blocks access to sites, such as Facebook and YouTube, that are popular outside the country.