Wireless Networking

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com) 140

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Security

Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) 421

snydeq writes: "The rise of shadow IT, shortcomings in the cloud, security breaches -- IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks," writes Dan Tynan in an article on six hard truths IT must learn to accept. "It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything." What are some hard truths your organization has been dealing with? Tynan writes about how the idea of engineering teams sticking a server in a closet and using it to run their own skunkworks has become more open; how an organization can't do everything in the cloud, contrasting the 40 percent of CIOs surveyed by Gartner six years ago who believed they'd be running most of their IT operations in the cloud by now; and how your organization should assume from the get-go that your environment has already been compromised and design a security plan around that. Can you think of any other hard truths IT must learn to accept?
Patents

Apple To Appeal Five-Year-Long Patent Battle After $439.7 Million Loss (theverge.com) 69

Appel has been ordered to pay $439.7 million to the patent-holding firm VirnetX for infringing on four patented technologies that were apparently used in FaceTime and other iOS apps. According to The Verge, Apple plans to appeal the ruling -- continuing this long-running patent battle, which began back in 2012. From the report: VirnetX first filed suit against Apple in 2010, winning $368 million just two years later. It then sued again in 2012, which is the suit that's being ruled on today. Apple initially lost the suit, then filed for a mistrial. It won a new trial, lost that trial, was ordered to pay around $300 million, then lost some more and is now having that amount upped even further. That's because a judge found Apple guilty of willful infringement, bumping its payment amount from $1.20 per infringing Apple device to $1.80 per device. Those include certain iPhones, iPads, and Macs. VirnetX says the ruling is "very reasonable." Apple didn't issue a statement other than to say that it plans to appeal. While $440 million isn't a lot of money for Apple, there's principle at stake here: VirnetX is a patent troll that makes its money from licensing patents and suing other parties. The company's SEC filing states, "Our portfolio of intellectual property is the foundation of our business model."
Google

Google Chrome for Windows Gets Basic Antivirus Features (betanews.com) 55

Google is rolling out a trio of important changes to Chrome for Windows users. From a report: At the heart of these changes is Chrome Cleanup. This feature detects unwanted software that might be bundled with downloads, and provides help with removing it. Google's Philippe Rivard explains that Chrome now has built-in hijack detection which should be able to detect when user settings are changes without consent. This is a setting that has already rolled out to users, and Google says that millions of users have already been protected against unwanted setting changes such as having their search engine altered. But it's the Chrome Cleanup tool that Google is particularly keen to highlight. A redesigned interface makes it easier to use and to see what unwanted software has been detected and singled out for removal.
Security

Millions of High-Security Crypto Keys Crippled by Newly Discovered Flaw (arstechnica.com) 55

Slovak and Czech researchers have found a vulnerability that leaves government and corporate encryption cards vulnerable to hackers to impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, reports ArsTechnica. From the report: The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. On Monday, officials posted this update. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.
Microsoft

US Supreme Court To Decide Microsoft Email Privacy Dispute (reuters.com) 70

The U.S. Supreme Court on Monday agreed to resolve a major privacy dispute between the Justice Department and Microsoft Corp over whether prosecutors should get access to emails stored on company servers overseas. From a report: The justices will hear the Trump administration's appeal of a lower court's ruling last year preventing federal prosecutors from obtaining emails stored in Microsoft computer servers in Dublin, Ireland in a drug trafficking investigation. That decision by the New York-based 2nd U.S. Court of Appeals marked a victory for privacy advocates and technology companies that increasingly offer cloud computing services in which data is stored remotely. Microsoft, which has 100 data centers in 40 countries, was the first U.S. company to challenge a domestic search warrant seeking data held outside the country. There have been several similar challenges, most brought by Google.
Government

Ask Slashdot: Should Users Uninstall Kaspersky's Antivirus Software? (slashdot.org) 313

First, here's the opinion of two former NSA cybersecurity analysts (via Consumer Reports): "It's a big deal," says Blake Darche, a former NSA cybersecurity analyst and the founder of the cybersecurity firm Area 1. "For any consumers or small businesses that are concerned about privacy or have sensitive information, I wouldn't recommend running Kaspersky." By its very nature antivirus software is an appealing tool for hackers who want to access remote computers, security experts say. Such software is designed to scan a computer comprehensively as it searches for malware, then send regular reports back to a company server. "One of the things people don't realize, by installing that tool you give [the software manufacturer] the right to pull any information that might be interesting," says Chris O'Rourke, another former NSA cybersecurity expert who is the CEO of cybersecurity firm Soteria.
But for that reason, Bloomberg View columnist Leonid Bershidsky suggests any anti-virus software will be targetted by nation-state actors, and argues that for most users, "non-state criminal threats are worse. That's why Interpol this week signed a new information-sharing agreement with Kaspersky despite all the revelations in the U.S. media: The international police cooperation organization deals mainly with non-state actors, including profit-seeking hackers, rather than with the warring intelligence services."

And long-time Slashdot reader freddieb is a loyal Kaspersky user who is wondering what to do, calling the software "very effective and non-intrusive." And in addition, "Numerous recent hacks have gotten my data (Equifax, and others) so I expect I have nothing else to fear except ransomware."

Share your own informed opinions in the comments. Should users uninstall Kaspersky's antivirus software?
Windows

Munich Plans New Vote on Dumping Linux For Windows 10 (techrepublic.com) 412

An anonymous reader quotes TechRepublic: The city of Munich has suggested it will cost too much to carry on using Linux alongside Windows, despite having spent millions of euros switching PCs to open-source software... "Today, with a Linux client-centric environment, we are often confronted with major difficulties and additional costs when it comes to acquiring and operating professional application software," the city council told the German Federation of Taxpayers. Running Linux will ultimately prove unsustainable, suggests the council, due to the need to also keep a minority of Windows machines to run line-of-business software incompatible with Linux. "In the long term, this situation means that the operation of the non-uniform client landscape can no longer be made cost-efficient"... Since completing the multi-year move to LiMux, a custom-version of the Linux-based OS Ubuntu, the city always kept a smaller number of Windows machines to run incompatible software. As of last year it had about 4,163 Windows-based PCs, compared to about 20,000 Linux-based PCs.

The assessment is at odds with a wide-ranging review of the city's IT systems by Accenture last year, which found that most of the problems stem not from the use of open-source software, but from inefficiencies in how Munich co-ordinates the efforts of IT teams scattered throughout different departments. Dr. Florian Roth, leader of the Green Party at Munich City Council, said the review had also not recommended a wholesale shift to Windows. "The Accenture report suggested to run both systems because the complete 'rollback' to Windows and MS Office would mean a waste of experience, technology, work and money," he said... The city's administration is investigating how long it would take and how much it would cost to build a Windows 10 client for use by the city's employees. Once this work is complete, the council will vote again in November on whether this Windows client should replace LiMux across the authority from 2021.

A taxpayer's federation post urged "Penguin, adieu!" -- while also admitting that returning to Windows "will devour further tax money in the millions," according to TechRepublic.

"The federation's post also makes no mention of the licensing and other savings achieved by switching to LiMux, estimated to stand at about €10m."
Bitcoin

Julian Assage Taunts US Government For Forcing Wikileaks To Invest In Bitcoin (facebook.com) 195

Saturday's tweet from Julian Assange says it all: "My deepest thanks to the US government, Senator McCain and Senator Lieberman for pushing Visa, MasterCard, PayPal, AmEx, Moneybookers, et al, into erecting an illegal banking blockade against @WikiLeaks starting in 2010. It caused us to invest in Bitcoin -- with > 50000% return."
Assange's tweet was accompanied by a graph showing the massive spike in the price of bitcoin -- though most of that growth occurred in the last year.
The Military

Pentagon Turns To High-Speed Traders To Fortify Markets Against Cyberattack (wsj.com) 78

Slashdot reader Templer421 quotes the Wall Street Journal's report [non-paywalled version here] on DARPA's "Financial Markets Vulnerabilities Project": Dozens of high-speed traders and others from Wall Street are helping the Pentagon study how hackers could unleash chaos in the U.S. financial system. The Department of Defense's research arm over the past year and a half has consulted executives at high-frequency trading firms and quantitative hedge funds, and people from exchanges and other financial companies, participants in the discussions said. Officials described the effort as an early-stage pilot project aimed at identifying market vulnerabilities... Participants described meetings as informal sessions in which attendees brainstorm about how hackers might try to bring down U.S. markets, then rank the ideas by feasibility.

Among the potential scenarios: Hackers could cripple a widely used payroll system; they could inject false information into stock-data feeds, sending trading algorithms out of whack; or they could flood the stock market with fake sell orders and trigger a market crash... "We started thinking a couple years ago what it would be like if a malicious actor wanted to cause havoc on our financial markets," said Wade Shen, who researched artificial intelligence at the Massachusetts Institute of Technology before joining Darpa as a program manager in 2014.

Crime

Pizza Hut Leaks Credit Card Info On 60,000 Customers (kentucky.com) 76

An anonymous reader quotes McClatchy: Pizza Hut told customers by email on Saturday that some of their personal information may have been compromised. Some of those customers are angry that it took almost two weeks for the fast food chain to notify them. According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed. The "temporary security intrusion" lasted for about 28 hours, the notice said, and it's believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information -- meaning account number, expiration date and CVV number -- were compromised... A call center operator told McClatchy that about 60,000 people across the U.S. were affected.
"[W]e estimate that less than one percent of the visits to our website over the course of the relevant week were affected," read a customer notice sent only to those affected, offering them a free year of credit monitoring. But that hasn't stopped sarcastic tweets like this from the breach's angry victims.

"Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it."
The Almighty Buck

In a Cashless World, You'd Better Pray the Power Never Goes Out (mises.org) 453

schwit1 quotes the Mises Institue: When Hurricane Maria knocked out power in Puerto Rico, residents there realized they were going to need physical cash — and a lot of it. Bloomberg reported that the Fed was forced to fly a planeload of cash to the Island to help avert disaster. "William Dudley, the New York Fed president, put the word out within minutes, and ultimately a jet loaded with an undisclosed amount of cash landed on the stricken island. [Business executives in Puerto Rico] described corporate clients' urgent requests for hundreds of thousands in cash to meet payrolls, and the challenge of finding enough armored cars to satisfy endless demand at ATMs... As early as the day after the storm, the Fed began working to get money onto the island."

For a time, unless one had a hoard of cash stored up in ones home, it was impossible to get cash at all. 85 percent of Puerto Rico is still without power... Bloomberg continues: "When some generator-powered ATMs finally opened, lines stretched hours long, with people camping out in beach chairs and holding umbrellas against the sun." In an earlier article from September 25, Bloomberg noted how, without cash, necessities were simply unavailable:

"Cash only," said Abraham Lebron, the store manager standing guard at Supermax, a supermarket in San Juan's Plaza de las Armas. He was in a well-policed area, but admitted feeling like a sitting duck with so many bills on hand. "The system is down, so we can't process the cards. It's tough, but one finds a way to make it work."


Bitcoin

Ransomware Sales On the Dark Web Spike 2,502% In 2017 (carbonblack.com) 23

Slashdot reader rmurph04 writes: Ransomware is a $6.2 million industry, based on sales generated from a network of more than 6,300 Dark Web marketplaces that sell over 45,000 products, according to a report released Wednesday by cybersecurity firm Carbon Black.
While the authors of the software are earning six-figure incomes, ransom payments totalled $1 billion in 2016, according to FBI estimates -- up from just $24 million in 2015. Carbon Black, which was founded by former U.S. government "offensive security hackers," argues that ransomware's growth has been aided by "the emergence of Bitcoin for ransom payment, and the anonymity network, Tor, to mask illicit activities.. Bitcoin allows money to be transferred in a way that makes it nearly impossible for law enforcement to 'follow the money.'"
Open Source

How Open Source Software Helps The Federal Reserve Bank of New York (hpe.com) 24

Long-time Slashdot reader Esther Schindler quotes Hewlett Packard Enterprise: When you handle trillions of dollars a year in transactions and manage the largest known vault of gold in the world, security and efficiency are top priorities. Open source reusable software components are key to the New York Fed's successful operation, explains Colin Wynd, vice president and head of the bank's Common Service Organization... The nearly 2,000 developers across the Federal Reserve System used to have a disparate set of developer tools. Now, they benefit from a standard toolset and architecture, which also places limits on which applications the bank will consider using. "We don't want a third-party application that isn't compatible with our common architecture," said Wynd.

One less obvious advantage to open source adoption is in career satisfaction and advancement. It gives developers opportunities to work on more interesting applications, said Wynd. Developers can now take on projects or switch jobs more easily across Federal Reserve banks because the New York Fed uses a lot of common open source components and a standard tool set, meaning retraining is minimal if needed at all."

Providing training in-house also creates a more consistent use of best practices. "Our biggest headache is to prove to groups that an application is secure, because we have to defend against nation state attacks."
Crime

Dutch Police Build a Pokemon Go-Style App For Hunting Wanted Criminals (csoonline.com) 62

"How can the police induce citizens to help investigate crime? By trying to make it 'cool' and turning it into a game that awards points for hits," reports CSO. mrwireless writes: Through their 'police of the future' innovation initiative, and inspired by Pokemon Go, the Dutch police are building an app where you can score points by photographing the license plates of stolen cars. When a car is reported stolen the app will notify people in the neighbourhood, and then the game is on! Privacy activists are worried this creates a whole new relationship with the police, as a deputization of citizens blurs boundaries, and institutionalizes 'coveillance' -- citizens spying on citizens. It could be a slippery slope to situations that more resemble the Stasi regime's, which famously used this form of neighborly surveillance as its preferred method of control.
CSO cites Spiegel Online's description of the unofficial 189,000 Stasi informants as "totally normal citizens of East Germany who betrayed others: neighbors reporting on neighbors, schoolchildren informing on classmates, university students passing along information on other students, managers spying on employees and Communist bosses denouncing party members."

The Dutch police are also building another app that allows citizens to search for missing persons.
Government

IRS Suspends $7 Million Contract With Equifax After Malware Discovered (cbsnews.com) 50

After malware was discovered on Equifax's website again, the IRS decided late Thursday that it would temporarily suspend the agency's $7.1 million data security contract with the company. CBS News reports: In September, Equifax revealed that it had exposed 143 million consumer files -- containing names, addresses, Social Security numbers and even bank account information -- to hackers in an unprecedented security lapse. The number of consumer potentially affect by the data breach was later raised to 145.5 million. The company's former CEO blamed a single careless employee for the entire snafu. But even as he was getting grilled in Congress earlier this month, the IRS was awarding the company with a no-bid contract to provide "fraud prevention and taxpayer identification services." "Following new information available today, the IRS temporarily suspended its short-term contract with Equifax for identity proofing services," the agency said in a statement. "During this suspension, the IRS will continue its review of Equifax systems and security." The agency does not believe that any data the IRS has shared with Equifax to date has been compromised, but the suspension was taken as "a precautionary step."
Privacy

Dutch Privacy Regulator Says Windows 10 Breaks the Law (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law. To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn't always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection -- though this language still wasn't explicit about what was collected and why -- and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen. In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10's "Basic" telemetry setting. However, the company has not done so for the "Full" option, and the Full option remains the default. The DPA's complaint doesn't call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to "end all violations," but if the software company fails to do so, it faces sanctions.
Businesses

Qualcomm Seeks China iPhone Ban, Escalating Apple Legal Fight (bloomberg.com) 36

Qualcomm filed lawsuits in China seeking to ban the sale and manufacture of iPhones in the country, the chipmaker's biggest shot at Apple so far in a sprawling and bitter legal fight. From a report: The San Diego-based company aims to inflict pain on Apple in the world's largest market for smartphones and cut off production in a country where most iPhones are made. The product provides almost two-thirds of Apple's revenue. Qualcomm filed the suits in a Beijing intellectual property court claiming patent infringement and seeking injunctive relief, according to Christine Trimble, a company spokeswoman. "Apple employs technologies invented by Qualcomm without paying for them," Trimble said. An Apple spokesman didn't immediately respond to a request for comment on Friday. Qualcomm's suits are based on three non-standard essential patents, it said. They cover power management and a touch-screen technology called Force Touch that Apple uses in current iPhones, Qualcomm said. The inventions "are a few examples of the many Qualcomm technologies that Apple uses to improve its devices and increase its profits," Trimble said. The company made the filings at the Beijing court on Sept. 29. The court has not yet made them public.
Communications

Recordings of the Sounds Heard In the Cuban US Embassy Attacks Released (apnews.com) 300

New submitter chrissfoot shares a report from The Associated Press: The Associated Press has obtained a recording of what some U.S. Embassy workers heard in Havana in a series of unnerving incidents later deemed to be deliberate attacks. The recording, released Thursday by the AP, is the first disseminated publicly of the many taken in Cuba of mysterious sounds that led investigators initially to suspect a sonic weapon. The recordings themselves are not believed to be dangerous to those who listen. Sound experts and physicians say they know of no sound that can cause physical damage when played for short durations at normal levels through standard equipment like a cellphone or computer. What device produced the original sound remains unknown. Americans affected in Havana reported the sounds hit them at extreme volumes. You can listen to the "Dangerous Sound" here via YouTube.
Data Storage

Researcher Turns HDD Into Rudimentary Microphone (bleepingcomputer.com) 65

An anonymous reader writes from Bleeping Computer: Speaking at a security conference, researcher Alfredo Ortega has revealed that you can use your hard disk drive (HDD) as a rudimentary microphone to pick up nearby sounds. This is possible because of how hard drives are designed to work. Sounds or nearby vibrations are nothing more than mechanical waves that cause HDD platters to vibrate. By design, a hard drive cannot read or write information to an HDD platter that moves under vibrations, so the hard drive must wait for the oscillation to stop before carrying out any actions. Because modern operating systems come with utilities that measure HDD operations up to nanosecond accuracy, Ortega realized that he could use these tools to measure delays in HDD operations. The longer the delay, the louder the sound or the intense the vibration that causes it. These read-write delays allowed the researcher to reconstruct sound or vibration waves picked up by the HDD platters. A video demo is here.

"It's not accurate yet to pick up conversations," Ortega told Bleeping Computer in a private conversation. "However, there is research that can recover voice data from very low-quality signals using pattern recognition. I didn't have time to replicate the pattern-recognition portion of that research into mine. However, it's certainly applicable." Furthermore, the researcher also used sound to attack hard drives. Ortega played a 130Hz tone to make an HDD stop responding to commands. "The Linux kernel disconnected it entirely after 120 seconds," he said. There's a video of this demo on YouTube.

Government

FDA Advisers Endorse Gene Therapy To Treat Form of Blindness (cbsnews.com) 15

An anonymous reader quotes a report from CBS News: A panel of U.S. health advisers has endorsed an experimental approach to treating inherited blindness, setting the stage for the likely approval of an innovative new genetic medicine. A panel of experts to the Food and Drug Administration voted unanimously in favor of Spark Therapeutics' injectable therapy, which aims to improve vision in patients with a rare mutation that gradually destroys normal vision. The vote amounts to a recommendation to approve the therapy. According to Spark Therapeutics' website, inherited retinal diseases are a group of rare blinding conditions caused by one of more than 220 genes. Some living with these diseases experience a gradual loss of vision, while others may be born without the ability to see or lose their vision in infancy or early childhood. Genetic testing is the only way to verify the exact gene mutation that is the underlying cause of the disease.
Google

Alphabet's Waymo Demanded $1 Billion In Settlement Talks With Uber (reuters.com) 11

An anonymous reader quotes a report from Reuters: Alphabet's Waymo sought at least $1 billion in damages and a public apology from Uber as conditions for settling its high-profile trade secret lawsuit against the ride-services company, sources familiar with the proposal told Reuters. The Waymo self-driving car unit also asked that an independent monitor be appointed to ensure Uber does not use Waymo technology in the future, the sources said. Uber rejected those terms as non-starters, said the sources, who were not authorized to publicly discuss settlement talks. The precise dollar amount requested by Waymo and the exact time the offer was made could not be learned.

Waymo's tough negotiating stance, which has not been previously reported, reflects the company's confidence in its legal position after months of pretrial victories in a case which may help to determine who emerges in the forefront of the fast-growing field of self-driving cars. The aggressive settlement demands also suggest that Waymo is not in a hurry to resolve the lawsuit, in part because of its value as a distraction for Uber leadership, said Elizabeth Rowe, a trade secret expert at the University of Florida Levin College of Law.

Google

Google Permanently Disables Touch Function On All Home Minis Due To Privacy Concerns (bbc.co.uk) 48

Big Hairy Ian shares a report from BBC: Google has stopped its Home Mini speakers responding when users touch them. It permanently turned off the touch activation feature after it found that sensors primed to spot a finger tap were too sensitive. Early users found that the touch sensors were registering "phantom" touches that turned them on. This meant the speakers were recording everything around them thousands of times a day. Google said it disabled the feature to give users "peace of mind." Google's Home Mini gadgets were unveiled on October 4th as part of a revamp of its line of smart speakers. The intelligent assistant feature on it could be activated two ways -- by either saying "OK, Google" or by tapping the surface. About 4,000 Google Home Mini units were distributed to early reviewers and those who attended Google's most recent launch event. Artem Russakovskii from Android Police first discovered the issue with his unit, ultimately causing Google to "permanently [nerf] all Home Minis" because his spied on everything he said 24/7.
Privacy

DJI Unveils Technology To Identify and Track Airborne Drones (suasnews.com) 61

garymortimer shares a report from sUAS News: DJI, the world's leader in civilian drones and aerial imaging technology, has unveiled AeroScope, its new solution to identify and monitor airborne drones with existing technology that can address safety, security and privacy concerns. AeroScope uses the existing communications link between a drone and its remote controller to broadcast identification information such as a registration or serial number, as well as basic telemetry, including location, altitude, speed and direction. Police, security agencies, aviation authorities and other authorized parties can use an AeroScope receiver to monitor, analyze and act on that information. AeroScope has been installed at two international airports since April, and is continuing to test and evaluate its performance in other operational environments. AeroScope works with all current models of DJI drones, which analysts estimate comprise over two-thirds of the global civilian drone market. Since AeroScope transmits on a DJI drone's existing communications link, it does not require new on-board equipment or modifications, or require extra steps or costs to be incurred by drone operators. Other drone manufacturers can easily configure their existing and future drones to transmit identification information in the same way.
Businesses

Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries (krebsonsecurity.com) 20

Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities," the company said in a statement. "Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates." The hotel chain said the incident affected payment card information -- cardholder name, card number, expiration date and internal verification code -- from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.
Security

US Weapons Data Stolen During Raid of Australian Defense Contractor's Computers (wsj.com) 78

phalse phace writes: Another day, another report of a major breach of sensitive U.S. military and intelligence data. According to a report by The Wall Street Journal (Warning: source may be paywalled; alternative source), "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. The identity and affiliation of the hackers in the Australian attack weren't disclosed, but officials with knowledge of the intrusion said the attack was thought to have originated in China."

The article goes on to state that "Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach." The stolen data also included details of the C-130 Hercules transport aircraft and guided bombs used by the U.S. and Australian militaries as well as design information "down to the captain's chair" on new warships for Australia's navy.

Android

Down the Rabbit Hole With a BLU Phone Infection (threatpost.com) 43

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.
Social Networks

How Facebook Outs Sex Workers (gizmodo.com) 635

An anonymous reader shares a Gizmodo report: Leila has two identities, but Facebook is only supposed to know about one of them. Leila is a sex worker. She goes to great lengths to keep separate identities for ordinary life and for sex work, to avoid stigma, arrest, professional blowback, or clients who might be stalkers (or worse). Her "real identity" -- the public one, who lives in California, uses an academic email address, and posts about politics -- joined Facebook in 2011. Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook's "People You May Know" recommendations, Leila (a name I'm using in place of either of the names she uses) was shocked to see some of her regular sex-work clients. Despite the fact that she'd only given Facebook information from her vanilla identity, the company had somehow discerned her real-world connection to these people -- and, even more horrifyingly, her account was potentially being presented to them as a friend suggestion too, outing her regular identity to them. Because Facebook insists on concealing the methods and data it uses to link one user to another, Leila is not able to find out how the network exposed her or take steps to prevent it from happening again. "We're living in an age where you can weaponize personal information against people"Kashmir Hill, the reporter who wrote the above story, a few weeks ago shared another similar incident.
Privacy

US Government Has 'No Right To Rummage' Through Anti-Trump Protest Website Logs, Says Judge (theregister.co.uk) 277

A Washington D.C. judge has told the U.S. Department of Justice it "does not have the right to rummage" through the files of an anti-Trump protest website -- and has ordered the dot-org site's hosting company to protect the identities of its users. The Register reports: Chief Judge Robert E. Morin issued the revised order [PDF] Tuesday following a high-profile back and forth between the site's hosting biz DreamHost and prosecutors over what details Uncle Sam was entitled to with respect to the disruptj20.org website. "As previously observed, courts around the country have acknowledged that, in searches for electronically stored information, evidence of criminal activity will likely be intermingled with communications and other records not within the scope of the search warrant," he noted in his ruling. "Because of the potential breadth of the government's review in this case, the warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities." The order then lists a series of protocols designed to protect netizens "to comply with First Amendment and Fourth Amendment considerations, and to prevent the government from obtaining any identifying information of innocent persons."
Security

Equifax Breach Included 10 Million US Driving Licenses (engadget.com) 66

An anonymous reader quotes a report from Engadget: 10.9 million U.S. driver's licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers' records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver's licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency's system.
Businesses

FCC's Claim That One ISP Counts As 'Competition' Faces Scrutiny In Court (arstechnica.com) 200

Jon Brodkin reports via Ars Technica: A Federal Communications Commission decision to eliminate price caps imposed on some business broadband providers should be struck down, advocacy groups told federal judges last week. The FCC failed to justify its claim that a market can be competitive even when there is only one Internet provider, the groups said. Led by Chairman Ajit Pai, the FCC's Republican majority voted in April of this year to eliminate price caps in a county if 50 percent of potential customers "are within a half mile of a location served by a competitive provider." That means business customers with just one choice are often considered to be located in a competitive market and thus no longer benefit from price controls. The decision affects Business Data Services (BDS), a dedicated, point-to-point broadband link that is delivered over copper-based TDM networks by incumbent phone companies like AT&T, Verizon, and CenturyLink.

But the FCC's claim that "potential competition" can rein in prices even in the absence of competition doesn't stand up to legal scrutiny, critics of the order say. "In 2016, after more than 10 years of examining the highly concentrated Business Data Services market, the FCC was poised to rein in anti-competitive pricing in the BDS market to provide enterprise customers, government agencies, schools, libraries, and hospitals with much-needed relief from monopoly rates," Phillip Berenbroick, senior policy counsel at consumer advocacy group Public Knowledge said. But after Republicans gained the FCC majority in 2017, "the commission illegally reversed course without proper notice and further deregulated the BDS market, leaving consumers at risk of paying up to $20 billion a year in excess charges from monopolistic pricing," Berenbroick said.

Piracy

Pirate Bay is Mining Cryptocurrency Again, No Opt Out (torrentfreak.com) 184

The Pirate Bay is mining cryptocurrency again, causing a spike in CPU usage among many visitors. From a report: For now, the notorious torrent site provides no option to disable it. The new mining expedition is not without risk. CDN provider Cloudflare previously suspended the account of a site that used a similar miner, which means that The Pirate Bay could be next. Last month The Pirate Bay caused some uproar by adding a Javascript-based cryptocurrency miner to its website. The miner utilizes CPU power from visitors to generate Monero coins for the site, providing an extra source of revenue. [...] The Pirate Bay currently has no opt-out option, nor has it informed users about the latest mining efforts. This could lead to another problem since Coinhive said it would crack down on customers who failed to keep users in the loop.
Government

Moscow Has Turned Kaspersky Antivirus Software Into a Global Spy Tool, Using It To Scan Computers For Secret US Data (wsj.com) 267

WSJ has a major scoop today. From a report: The Russian government used a popular antivirus software to secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool (could be paywalled), according to current and former U.S. officials with knowledge of the matter. The software, made by the Moscow-based company Kaspersky Lab, routinely scans files of computers on which it is installed looking for viruses and other malicious software. But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as "top secret," which may be written on classified government documents, as well as the classified code names of U.S. government programs, these people said. The Wall Street Journal reported last week that Russian hackers used Kaspersky's software in 2015 to target a contractor working for the National Security Agency, who had removed classified materials from his workplace and put them on his home computer, which was running the program. The hackers stole highly classified information on how the NSA conducts espionage and protects against incursions by other countries, said people familiar with the matter. But the use of the Kaspersky program to spy on the U.S. is broader and more pervasive than the operation against that one individual, whose name hasn't been publicly released, current and former officials said. This link should get you around WSJ's paywall. Also read: Israeli Spies 'Watched Russian Agents Breach Kaspersky Software'
Australia

Unsent Text On Mobile Counts As a Will, Australian Court Finds (abc.net.au) 144

A court in Australia has accepted an unsent, draft text message on a dead man's mobile phone as an official will. The 55-year-old man had composed a text message addressed to his brother, in which he gave "all that I have" to his brother and nephew. From a report: The Supreme Court in Brisbane heard the 55-year-old took his own life in October 2016, after composing a text addressed to his brother, which indicated his brother and nephew should "keep all that I have," because he was unhappy with this wife. A friend found the text message in the drafts folder of the man's mobile phone, which was found near his body. The unsent message detailed how to access the man's bank account details and where he wanted his ashes to be buried.
Businesses

Israeli Spies 'Watched Russian Agents Breach Kaspersky Software' (bbc.com) 194

Israeli spies looked on as Russian hackers breached Kaspersky cyber-security software two years ago, according to reports. From a report: The Russians were allegedly attempting to gather data on US intelligence programs, according to the New York Times and Washington Post. Israeli agents made the discovery after breaching the software themselves. Kaspersky has said it was neither involved in nor aware of the situation and denies collusion with authorities. Last month, the US government decided to stop using the Russian firm's software on its computers. The Israelis are said to have notified the US, which led to the ban on Kaspersky programs. The New York Times said that the situation had been described by "multiple people who have been briefed on the matter."
Encryption

Justice Department To Be More Aggressive In Seeking Encrypted Data From Tech Companies (wsj.com) 206

An anonymous reader quotes a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): The Justice Department signaled Tuesday it intends to take a more aggressive posture in seeking access to encrypted information from technology companies, setting the stage for another round of clashes in the tug of war between privacy and public safety. Deputy Attorney General Rod Rosenstein issued the warning in a speech in Annapolis, Md., saying that negotiating with technology companies hasn't worked. "Warrant-proof encryption is not just a law enforcement problem," Mr. Rosenstein said at a conference at the U.S. Naval Academy. "The public bears the cost. When our investigations of violent criminal organizations come to a halt because we cannot access a phone, even with a court order, lives may be lost." Mr. Rosenstein didn't say what precise steps the Justice Department or Trump administration would take. Measures could include seeking court orders to compel companies to cooperate or a push for legislation. A Justice Department official said no specific plans were in the works and Mr. Rosenstein's speech was intended to spur public awareness and discussion of the issue because companies "have no incentive to address this on their own."
Operating Systems

OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com) 164

An anonymous reader quotes a report from Bleeping Computer: OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer. A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day. The data collection issue was brought up to everyone's attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.

Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.

Software

Symantec CEO: Source Code Reviews Pose Unacceptable Risk (reuters.com) 172

In an exclusive report from Reuters, Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products. From the report: Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia. Symantec's decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington's adversaries, including Russia and China, according to security experts. While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.
Security

Equifax Increases Number of Britons Affected By Data Breach To 700,000 (telegraph.co.uk) 58

phalse phace writes: You know those 400,000 Britons that were exposed in Equifax's data breach? Well, it turns out the number is actually closer to 700,000. The Telegraph reports: "Equifax has just admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. The company originally estimated that the number of people affected in the UK was 'fewer than 400,000.' But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers."
Cellphones

Security, Privacy Focused Librem 5 Linux Smartphone Successfully Crowdfunded (softpedia.com) 82

prisoninmate shares a report from Softpedia: Believe it or not, Purism's Librem 5 security and privacy-focused smartphone has been successfully crowdfunded a few hours ago when it reached and even passed its goal of $1.5 million, with 13 days left. Librem 5 wants to be an open source and truly free mobile phone designed with security and privacy in mind, powered by a GNU/Linux operating system based on Debian GNU/Linux and running only Open Source software apps on top of a popular desktop environment like KDE Plasma Mobile or GNOME Shell. Featuring a 5-inch screen, Librem 5 is compatible with 2G, 3G, 4G, GSM, UMTS, and LTE mobile networks. Under the hood, it uses an i.MX 6 or i.MX 8 processor with separate baseband modem to offer you the protection you need in today's communication challenges, where you're being monitored by lots of government agencies.
Transportation

Dutch Government Confirms Plan To Ban New Petrol, Diesel Cars By 2030 (electrek.co) 349

An anonymous reader quotes a report from Electrek: Today, the new Dutch government presented its detailed plan for the coming years and it includes making all new cars emission-free by 2030 -- virtually banning petrol- and diesel-powered cars in favor of battery-powered vehicles. The four coalition parties have been negotiating their plans since the election in March and now after over 200 days, they have finally released the plan they agreed upon. NL Times posted all the main points of the plan and in "transportation," it includes: By 2030 all cars in the Netherlands must be emission free. While some local publications are reporting "all cars," we are told that it would be for "all new cars" as it is the case for the countries with similar bans under consideration. The potential for the ban has been under consideration in the country since last year. The year 2025, like in Norway, has been mentioned, but they apparently decided for the less ambitious goal of 2030.
Privacy

Amazon Is Reportedly Building a Doorbell That Lets Drivers Into Your House (cnbc.com) 203

According to CNBC, Amazon is working with Phrame, a maker of smart license plates that allow items to be delivered to a car's trunk, to build a smart doorbell that would give delivery drivers one-time access to a person's home to drop off items. From the report: Phrame's product fits around a license plate and contains a secure box that holds the keys to the car. Users unlock the box with their smartphone, and can grant access to others -- such as delivery drivers -- remotely. The new initiatives are part of Amazon's effort to go beyond convenience and fix problems associated with unattended delivery. As more consumers shop online and have their packages shipped to their homes, valuable items are often left unattended for hours. Web retailers are dealing with products getting damaged by bad weather as well as the rise of so-called porch pirates, who steal items from doorsteps. Amazon also has an incentive to reduce the number of lost packages, as they can be costly.
Government

North Korean Hackers Stole U.S.-South Korean Military Plans, Lawmaker Says (nytimes.com) 110

North Korean hackers stole a vast cache of data, including classified wartime contingency plans jointly drawn by the United States and South Korea, when they breached the computer network of the South Korean military last year, a South Korean lawmaker said Tuesday (alternative source). From a report: One of the plans included the South Korean military's plan to remove the North Korean leader, Kim Jong-un, referred to as a "decapitation" plan, should war break out on the Korean Peninsula, the lawmaker, Rhee Cheol-hee, told reporters. Mr. Rhee, a member of the governing Democratic Party who serves on the defense committee of the National Assembly, said he only recently learned of the scale of the North Korean hacking attack, which was first discovered in September last year. It was not known whether any of the military's top secrets were leaked, although Mr. Rhee said that nearly 300 lower-classification confidential documents were stolen. The military has not yet identified nearly 80 percent of the 235 gigabytes of leaked data, he said.
Movies

It's Illegal to Pirate Films in Iran, Unless You're the Government (vice.com) 35

An anonymous reader shares a report: While legal "pirating" exists in Iran, six administrators of the Iranian pirate movie site TinyMoviez have been arrested by Iranian authorities. This was a website the Iranian national broadcaster had used to download and nationally air movies in the past. The exact date of the arrests are unknown, but Tehran's Prosecutor General announced the arrests on September 26, 2017. The website is still online, but users haven't been able to download content from it since September 19, 2017. Now TinyMoviez administrators are finding themselves on the wrong side of Iran's odd and often pirating friendly copyright laws. Iran's copyright law is a quagmire when it comes to understanding what rights exists for creators of an original piece of work, and what rights exist for those wanting to re-distribute original works, such as movies. Meanwhile, Article 8 gives the government broad powers to reproduce work that is not its own. This means that the government is exempt from Article 23, which criminalizes the theft of another's work.
Microsoft

PSA: Microsoft Is Using Cortana To Read Your Private Skype Conversations (betanews.com) 180

BrianFagioli shares a report from BetaNews: With Cortana's in-context assistance, it's easier to keep your conversations going by having Cortana suggest useful information based on your chat, like restaurant options or movie reviews. And if you're in a time crunch? Cortana also suggests smart replies, allowing you to respond to any message quickly and easily -- without typing a thing," says The Skype Team. The team further says, "Cortana can also help you organize your day -- no need to leave your conversations. Cortana can detect when you're talking about scheduling events or things you have to do and will recommend setting up a reminder, which you will receive on all your devices that have Cortana enabled. So, whether you're talking about weekend plans or an important work appointment, nothing will slip through the cracks."

So, here's the deal, folks. In order for this magical "in-context" technology to work, Cortana is constantly reading your private conversations. If you use Skype on mobile to discuss private matters with your friends or family, Cortana is constantly analyzing what you type. Talking about secret business plans with a colleague? Yup, Microsoft's assistant is reading those too. Don't misunderstand -- I am not saying Microsoft has malicious intent by adding Cortana to Skype; the company could have good intentions. With that said, there is the potential for abuse. Microsoft could use Cortana's analysis to spy on you for things like advertising or worse, and that stinks. Is it really worth the risk to have smart replies and suggested calendar entries? I don't know about you, but I'd rather not have my Skype conversations read by Microsoft.

Privacy

Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB (krebsonsecurity.com) 169

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

Iphone

Face ID Is Coming To the iPad Pro Next Year, Says Report (macrumors.com) 73

According to MacRumors, KGI Securities analyst Ming-Chi Kuo said iPad Pro models set to be released in 2018 will come equipped with a TrueDepth Camera and will support Face ID. Apple is believed to be adding TrueDepth cameras to the iPad Pro to introduce a user experience that's consistent with the iPhone X and boost competitiveness. From the report: According to Kuo, TrueDepth Cameras will be limited to the iPad Pro, which is Apple's main flagship tablet device. Kuo also predicts 2018 iPhone models will adopt the new camera technology coming in the iPhone X, as he has mentioned in a previous note: "We predict iOS devices to be equipped with TrueDepth Camera in 2018F will include iPhone X and 2018 new iPhone and iPad models. Because of this, we believe more developers will pay attention to TrueDepth Camera/ facial recognition related applications. We expect Apple's (U.S.) major promotion of facial recognition related applications will encourage the Android camp to also dedicate more resources to developing hardware and facial recognition applications."
Mars

SpaceX's Mars Vision Puts Pressure on NASA's Manned Exploration Programs (marketwatch.com) 142

An anonymous reader shares a report: Entrepreneur Elon Musk's announcement late last month accelerating plans for manned flights to Mars ratchets up political and public relations pressure on NASA's efforts to reach the same goal. With Musk publicly laying out a much faster schedule than NASA -- while contending his vision is less expensive and could be financed primarily with private funds -- a debate unlike any before is shaping up over the direction of U.S. space policy. Industry officials and space experts consider the proposal by Musk's Space Exploration to land people on the red planet around the middle of the next decade extremely optimistic. Some supporters concede the deadline appears ambitious even for reaching the moon, while Musk himself acknowledged some of his projected dates are merely "aspirational." But the National Aeronautics and Space Administration doesn't envision getting astronauts to Mars until at least a decade later, a timeline NASA is finding increasingly hard to defend in the face of criticism that it is too slow.
Advertising

Ask Slashdot: Is Deliberately Misleading People On the Internet Free Speech? 503

Slashdot reader dryriver writes: Before anyone cries "free speech must always be free," let me qualify the question. Under a myriad of different internet sites and blogs are these click-through adverts that promise quick "miracle cures" for everything from toenail fungus to hair loss to tinnitus to age-related skin wrinkles to cancer. A lot of the ads begin with copy that reads "This one weird trick cures....." Most of the "cures" on offer are complete and utter crap designed to lift a few dollars from the credit cards of hundreds of thousands of gullible internet users. The IQ boosting pills that supposedly give you "amazing mental focus after just 2 weeks" don't work at all. Neither do any of the anti-ageing or anti-wrinkle creams, regardless of which "miracle berry" extract they put in them this year. And if you try to cure your cancer with an Internet remedy rather than seeing a doctor, you may actually wind up dead.

So the question -- is peddling this stuff online really "free speech"? You are promising something grandiose in exchange for hard cash that you know doesn't deliver any benefits at all.

Long-time Slashdot reader apraetor counters, "But how do you determine what is 'true'?" And Slashdot reader ToTheStars argues "It's already established that making claims about medicine is subject to scrutiny by the FDA (or the relevant authority in your jurisdiction)." But are other things the equivalent of yelling "fire" in a crowded movie theatre? Leave your best thoughts in the comments. Is deliberately misleading people on the internet free speech?
Businesses

The Case Against Biometric IDs (nakedcapitalism.com) 146

"The White House and Equifax Agree: Social Security Numbers Should Go," reads a headline at Bloomberg. Securities lawyer Jerri-Lynn Scofield tears down one proposed alternative: a universal biometric identity system (possibly using fingerprints and an iris scan) with further numeric verification. Presto Vivace shared the article: Using a biometric system when the basic problem of securing and safeguarding data have yet to be solved will only worsen, not address, the hacking problem. What we're being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out...?

[M]aybe we should rethink the whole impulse to centralize such data collection, for starters. And, after such a thought experiment, then further focus on obvious measures to safeguard such information -- such as installing regular software patches that could have prevented the Equifax hack -- should be the priority. And, how about bringing back a concept in rather short supply in C-suites -- that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry... The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy to drop by and replace the existing Social Security number is not the solution.

The article calls biometric identification systems "another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft." It suggests currently biometric ids are a distraction from the push to change the credit bureau business model -- for example, requiring consumers to opt-in to the collection of their personal data.

Slashdot Top Deals