Google

Why Google Should Be Afraid of a Missouri Republican's Google Probe (arstechnica.com) 231

An anonymous reader quotes a report from Ars Technica: The Republican attorney general of Missouri has launched an investigation into Google's business practices. Josh Hawley wants to know how Google handles user data. And he plans to look into whether Google is using its dominance in the search business to harm companies in other markets where Google competes. It's another sign of growing pressure Google is facing from the political right. Grassroots conservatives increasingly see Google as falling on the wrong side of the culture wars. So far that hasn't had a big impact in Washington policymaking. But with Hawley planning to run for the U.S. Senate next year, we could see more Republican hostility toward Google -- and perhaps other big technology companies -- in the coming years. The Hawley investigation will dig into whether Google violated Missouri's consumer-protection and antitrust laws. Specifically, Hawley will investigate: "Google's collection, use, and disclosure of information about Google users and their online activities," "Google's alleged misappropriation of online content from the websites of its competitors," and "Google's alleged manipulation of search results to preference websites owned by Google and to demote websites that compete with Google." States like Missouri have their own antitrust laws and the power to investigate company business conduct independently of the feds. So Hawley seems to be taking yet another look at those same issues to see if Google's conduct runs afoul of Missouri law.

We don't know if Hawley will get the Republican nomination or win his challenge to Sen. Claire McCaskill (D-Mo.) next year, but people like him will surely be elected to the Senate in the coming decade. Hawley's decision to go after Google suggests that he sees some upside in being seen as an antagonist to a company that conservatives increasingly view with suspicion. More than that, it suggests that Hawley believes it's worth the risk of alienating the GOP's pro-business wing, which takes a dim view of strict antitrust enforcement even if it targets a company with close ties to Democrats.

Privacy

Yelp Ordered To Identify User Accused of Defaming a Tax Preparer (bloomberg.com) 142

mi writes: California State Appeals Court ruled this week that Yelp can't shield the identity of an anonymous reviewer who posted allegedly defamatory statements about a tax preparer. "The three-judge appeals panel in Santa Ana agreed with Yelp that it could protect the First Amendment rights of its anonymous reviewer but it still had to turn over the information," reports Bloomberg. "The panel reasoned that the accountant had made a showing that the review was defamatory in that it went beyond expressing an opinion and allegedly included false statements."
Medicine

FDA Approves Digital Pill That Tracks If Patients Have Ingested Their Medication (nytimes.com) 72

An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): For the first time, the Food and Drug Administration has approved a digital pill -- a medication embedded with a sensor that can tell doctors whether, and when, patients take their medicine. The approval, announced late on Monday, marks a significant advance in the growing field of digital devices designed to monitor medicine-taking and to address the expensive, longstanding problem that millions of patients do not take drugs as prescribed. Experts estimate that so-called nonadherence or noncompliance to medication costs about $100 billion a year, much of it because patients get sicker and need additional treatment or hospitalization. Patients who agree to take the digital medication, a version of the antipsychotic Abilify, can sign consent forms allowing their doctors and up to four other people, including family members, to receive electronic data showing the date and time pills are ingested. A smartphone app will let them block recipients anytime they change their mind. Although voluntary, the technology is still likely to prompt questions about privacy and whether patients might feel pressure to take medication in a form their doctors can monitor.
Government

Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com) 99

"Open-source software" is computer software whose source code is made available under a license in which the copyright holder grants the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself of open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
The Courts

Tesla Is a 'Hotbed For Racist Behavior,' Worker Claims In Lawsuit (bloomberg.com) 300

An African-American employee has filed a lawsuit against Tesla, claiming their production floor is a "hotbed for racist behavior" and that black workers at the electric carmaker suffer severe and pervasive harassment. "The employee says he's one of more than 100 African-American Tesla workers affected and is seeking permission from a judge to sue on behalf of the group," reports Bloomberg. "He's seeking unspecified general and punitive monetary damages as well as an order for Tesla to implement policies to prevent and correct harassment." From the report: "Although Tesla stands out as a groundbreaking company at the forefront of the electric car revolution, its standard operating procedure at the Tesla factory is pre-Civil Rights era race discrimination," the employee said in the complaint, filed Monday in California's Alameda County Superior Court. The lawsuit was filed on behalf of Marcus Vaughn, who worked in the Fremont factory from April 23 to Oct. 31. Vaughn alleged that employees and supervisors regularly used the "N word" around him and other black colleagues. Vaughn said he complained in writing to human resources and Musk and was terminated in late October for "not having a positive attitude."
Communications

Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com) 32

An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.
Android

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (bleepingcomputer.com) 73

Catalin Cimpanu, writing for BleepingComputer: Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers. The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson -- the name of the main character in the Mr. Robot TV series. Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.
The Almighty Buck

Study Finds SpaceX Investment Saved NASA Hundreds of Millions (popularmechanics.com) 156

schwit1 shares a report from Popular Mechanics: When a SpaceX Dragon spacecraft connected with the International Space Station on May 25, 2012, it made history as the first privately-built spacecraft to reach the ISS. The Dragon was the result of a decision 6 years prior -- in 2006, NASA made an "unprecedented" investment in SpaceX technology. A new financial analysis shows that the investment has paid off, and the government found one of the true bargains of the 21st century when it invested in SpaceX. A new research paper by Edgar Zapata, who works at Kennedy Space Center, looks closely at the finances of SpaceX and NASA. "There were indications that commercial space transportation would be a viable option from as far back as the 1980s," Zapata writes. "When the first components of the ISS were sent into orbit in 1998, NASA was focused on "ambitious, large single stage-to-orbit launchers with large price tags to match." For future commercial crew missions sending astronauts into space, Zapata estimates that it will cost $405 million for a SpaceX Dragon crew deployment of 4 and $654 million for a Boeing Starliner, which is scheduled for its first flight in 2019. That sounds like a lot, and it is, but Zapata estimates that it's only 37 to 39 percent of what it would have cost the government.
Google

Google Subpoenaed Over Data Privacy, Antitrust in Missouri (cnbc.com) 18

Google is facing a new front in its regulatory battles after Missouri's attorney general on Monday launched a broad investigation into whether the company's business practices violate the state's consumer-protection and antitrust laws. From a report: Attorney General Josh Hawley's office said on Monday that it issued a subpoena to investigate if Google's use of information that it collects about consumers is appropriate and if the company stifles competing websites in search results. Google has largely steered clear of antitrust problems in the U.S. That's not the case in Europe, where the company faces a fine of about $2.7 billion over the display of its shopping ads.
Security

Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files (bbc.com) 36

Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey. "Huddles contain some very sensitive information."
The Military

North Korean Hackers Are Targeting US Defense Contractors (wpengine.com) 146

chicksdaddy quotes Security Ledger: North Korean hackers have stepped up their attacks on U.S. defense contractors in an apparent effort to gain intelligence on weapon systems and other assets that might be used against the country in an armed conflict with the United States and its allies, The Security Ledger is reporting. Security experts and defense industry personnel interviewed by The Security Ledger say that probes and attacks by hacking groups known to be associated with the government of the Democratic People's Republic of Korea (DPRK) have increased markedly as hostilities between that country and the United States have ratcheted up in the last year. The hacking attempts seem to be aimed at gaining access to intellectual property belonging to the companies, including weapons systems deployed on the Korean peninsula.

"As the situation between the DPRK and the US has become more tense, we've definitely seen an increase in number of probe attempts from cyber actors coming out of the DPRK," an official at an aerospace and defense firm told Security Ledger. The so-called "probes" were targeting the company's administrative network and included spear phishing attacks via email and other channels. The goal was to compromise computers on the corporate network... So far, the attacks have targeted "weakest links" within the firms, such as Human Resources personnel and general inquiry mailboxes, rather than targeting technical staff directly. However, experts who follow the DPRK's fast evolving cyber capabilities say that the country may have more up its sleeve.

CNBC also reports that America's congressional defense committees have authorized a last-minute request for $4 billion in extra spending for "urgent missile defeat and defense enhancements to counter the threat of North Korea."

Other countries newly interested in purchasing missile defense systems include Japan, Sweden, Poland, and Saudi Arabia.
Transportation

US Airports Still Fail New Security Tests (go.com) 182

schwit1 quotes ABC News: In recent undercover tests of multiple airport security checkpoints by the Department of Homeland Security, inspectors said screeners, their equipment or their procedures failed more than half the time, according to a source familiar with the classified report. When ABC News asked the source if the failure rate was 80 percent, the response was, "You are in the ballpark." In a public hearing after a private classified briefing to the House Committee on Homeland Security, members of Congress called the failures by the Transportation Security Administration disturbing. Rep. Mike Rogers went as far as to tell TSA Administrator David Pekoske, "This agency that you run is broken badly, and it needs your attention."
Businesses

Equifax Tells Investors They Could Be Breached Again - And That They're Still Profitable (nypost.com) 90

"Equifax executives will forgo their 2017 bonuses," reports CNBC. But according to the New York Post, the company "hasn't lost any significant business customers... Equifax largely does business with banks and other financial institutions -- not with the people they collect information on."

Even though it's facing more than 240 class-action lawsuits, Equifax's revenue actually increased 3.8% from July to September, to a whopping $834.8 million, while their net income for that period was $96.3 million -- which is still more than the $87.5 million that the breach cost them, according to a new article shared by chicksdaddy: The disclosure, made as part of the company's quarterly filing with the US Securities and Exchange Commission, is the first public disclosure of the direct costs of the incident, which saw the company's stock price plunge by more than 30% and wiped out billions of dollars in value to shareholders. Around $55.5m of the $87.5m in breach-related costs stems from product costs -- mostly credit monitoring services that it is offering to affected individuals. Professional fees added up to another $17.1m for Equifax and consumer support costs totaled $14.9m, the company said. Equifax also said it has spent $27.3 million of pretax expenses stemming from the cost of investigating and remediating the hack to Equifax's internal network as well as legal and other professional expenses.

But the costs are likely to continue. Equifax is estimating costs of $56 million to $110 million in "contingent liability" in the form of free credit monitoring and identity theft protection to all U.S. consumers as a good will gesture. The costs provided by Equifax are an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. So far, however, the company has only incurred $4.7 million through the end of September. So, while the upper bound of those contingent liability costs is high, there's good reason to believe that they will never be reached.

The Post reports that some business customers "have delayed new contracts until Equifax proves that they've done enough to shore up their cybersecurity."

But in their regulatory filing Thursday, Equifax admitted that "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again."
Encryption

iPhone Encryption Hampers Investigation of Texas Shooter, Says FBI (chron.com) 240

"FBI officials said Tuesday they have been stymied in their efforts to unlock the cellphone of the man who shot and killed at least 26 people at a church here on Sunday," reports the Houston Chronicle. Slashdot reader Anon E. Muss writes: The police obtained a search warrant for the phone, but so far they've been unable to unlock it. The phone has been sent to the FBI, in the hope that they can break in... If it is secure, and the FBI can't open it, expect all hell to break loose. The usual idiots (e.g. politicians) will soon be ranting hysterically about the evil tech industry, and how they're refusing to help law enforcement.
FBI special agent Christopher Combs complained to the Chronicle that "law enforcement increasingly cannot get in to these phones."

A law professor at the Georgia Institute of Technology argues that there are other sources of information besides a phone, and that police officers might recognize this with better training. As just one example, Apple says the FBI could simply have used the dead shooter's fingerprint to open his iPhone. But after 48 hours, the iPhone's fingerprint ID stops working.
United States

H1-B Administrators Are Challenging An Unusually Large Number of Applications (bloomberg.com) 304

Long-time Slashdot reader decaffeinated quotes Bloomberg: Starting this summer, employers began noticing that U.S. Citizenship and Immigration Services was challenging an unusually large number of H-1B applications. Cases that would have sailed through the approval process in earlier years ground to a halt under requests for new paperwork. The number of challenges -- officially known as "requests for evidence" or RFEs -- are up 44 percent compared to last year, according to statistics from USCIS...

"We're entering a new era," said Emily Neumann, an immigration lawyer in Houston who has been practicing for 12 years. "There's a lot more questioning, it's very burdensome." She said that in years past she's counted on 90 percent of her petitions being approved by Oct. 1. This year, only 20 percent of the applications have been processed. Neumann predicts she'll still have many unresolved cases by the time next year's lottery happens in April 2018.

Security

The Computer Scientist Who Prefers Voting With Paper (theatlantic.com) 219

Geoffrey.landis writes: The Atlantic profiles a computer scientist: Barbara Simons, who has been at the forefront of the pushback against electronic voting as a technology susceptible to fraud and hacking. When she first started writing articles about the dangers of electronic voting with no paper trail, the idea that software could be manipulated to rig elections was considered a fringe preoccupation; but Russia's efforts to influence the 2016 presidential election have reversed Simons's fortunes. According to the Department of Homeland Security, those efforts included attempts to meddle with the electoral process in 21 states; while a series of highly publicized hacks -- at Sony, Equifax, the U.S. Office of Personnel Management -- has driven home the reality that very few computerized systems are truly secure. Simons is a former President of the Association for Computing Machinery (ACM); and the group she helps run, Verified Voting, has been active in educating the public about the dangers of unverified voting since 2003.
Bug

Sex Toy Company Admits To Recording Users' Remote Sex Sessions, Calls It a 'Minor Bug' (theverge.com) 81

According to Reddit user jolioshmolio, Hong Kong-based sex toy company Lovense's remote control vibrator app (Lovense Remote) recorded a use session without their knowledge. "An audio file lasting six minutes was stored in the app's local folder," reports The Verge. "The user says he or she gave the app access to the mic and camera but only to use with the in-app chat function and to send voice clips on command -- not constant recording when in use." The app's behavior appears to be widespread as several others confirmed it too. From the report: A user claiming to represent Lovense responded and called this recording a "minor bug" that only affects Android users. Lovense also says no information or data was sent to the company's servers, and that this audio file exists only temporarily. An update issued today should fix the bug. This isn't Lovense's first security flub. Earlier this year, a butt plug made by the company -- the Hush -- was also found to be hackable. In the butt plug's case, the vulnerability had to do with Bluetooth, as opposed to the company spying on users.
Facebook

This Time, Facebook Is Sharing Its Employees' Data (fastcompany.com) 45

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

Encryption

Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com) 104

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

Encryption

DOJ: Strong Encryption That We Don't Have Access To Is 'Unreasonable' (arstechnica.com) 510

An anonymous reader quotes a report from Ars Technica: Just two days after the FBI said it could not get into the Sutherland Springs shooter's seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the "government's unexpected encryption warrior." According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying. "We have an ongoing dialogue with a lot of tech companies in a variety of different areas," he told Politico Pro. "There's some areas where they are cooperative with us. But on this particular issue of encryption, the tech companies are moving in the opposite direction. They're moving in favor of more and more warrant-proof encryption." "I want our prosecutors to know that, if there's a case where they believe they have an appropriate need for information and there is a legal avenue to get it, they should not be reluctant to pursue it," Rosenstein said. "I wouldn't say we're searching for a case. I'd say we're receptive, if a case arises, that we would litigate."

In the interview, Rosenstein also said he "favors strong encryption." "I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud," he explained. "And I'm in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I'm in favor of strong encryption." "This is, obviously, a related issue, but it's distinct, which is, what about cases where people are using electronic media to commit crimes? Having access to those devices is going to be critical to have evidence that we can present in court to prove the crime. I understand why some people merge the issues. I understand that they're related. But I think logically, we have to look at these differently. People want to secure their houses, but they still need to get in and out. Same issue here." He later added that the "absolutist position" that strong encryption should be, by definition, unbreakable is "unreasonable." "And I think it's necessary to weigh law enforcement equities in appropriate cases against the interest in security," he said.

Businesses

Monopoly Critics Decry 'Amazon Amendment' (thehill.com) 52

schwit1 shares a report from The Hill: The amendment, Section 801 of the National Defense Authorization Act (NDAA), would help Amazon establish a tight grip on the lucrative, $53 billion government acquisitions market, experts say. The provision, dubbed the "Amazon amendment" by experts, according to an article in The Intercept, would allow for the creation of an online portal that government employees could use to purchase everyday items such as office supplies or furniture. This government-only version of Amazon, which could potentially include a few other websites, would give participating companies direct access to the $53 billion market for government acquisitions of commercial products. "It hands an enormous amount of power over to Amazon," said Stacy Mitchell of the Institute for Local Self-Reliance, a research group that advocates for local businesses. Mitchell said that the provision could allow Amazon to gain a monopoly or duopoly on the profitable world of commercial government purchases, leaving smaller businesses behind and further consolidating the behemoth tech firm's power.

schwit1 adds: "Well, this is a two-edged sword, isn't it? Government spends too much and takes too long to buy its simple office needs, but streamlining that process and cutting costs puts more money in the pocket of Jeff Bezos."

Security

WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools (vice.com) 102

An anonymous reader quotes a report from Motherboard: WikiLeaks published new alleged material from the CIA on Thursday, releasing source code from a tool called Hive, which allows its operators to control malware it installed on different devices. WikiLeaks previously released documentation pertaining to the tool, but this is the first time WikiLeaks has released extensive source code for any CIA spying tool. This release is the first in what WikiLeaks founder Julian Assange says is a new series, Vault 8, that will release the code from the CIA hacking tools revealed as part of Vault 7. "This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components," WikiLeaks said in its press release for Vault 8. "Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention." In its release, WikiLeaks said that materials published as part of Vault 8 will "not contain zero-days or similar security vulnerabilities which could be repurposed by others."
Crime

Federal Prosecutors Charge Man With Hiring Hackers To Sabotage Former Employer (apnews.com) 18

According to the Associated Press, federal prosecutors have charged a man with paying computer hackers to sabotage websites affiliated with his former employer. From the report: The FBI says the case represents a growing form of cybercrime in which professional hackers are paid to inflict damage on individuals, businesses and others who rely on digital devices connected to the web. Prosecutors say 46-year-old John Kelsey Gammell hired hackers to bring down Washburn Computer Group in Monticello, but also made monthly payments between July 2015 and September 2016 to damage web networks connected to the Minnesota Judicial Branch, Hennepin County and several banks. The Star Tribune reports Gammell's attorney, Rachel Paulose, has argued her client didn't personally attack Washburn. Paulose has asked a federal magistrate to throw out evidence the FBI obtained from an unnamed researcher because that data could have been obtained by hacking.
Bitcoin

Nearly a Third of Millennials Say They'd Rather Own Bitcoin Than Stocks (bloomberg.com) 312

An anonymous reader quotes a report from Bloomberg: A survey by venture capital firm Blockchain Capital found that about 30 percent of those in the 18-to-34 age range would rather own $1,000 worth of Bitcoin than $1,000 of government bonds or stocks. The study of more than 2,000 people found that 42 percent of millennials are at least somewhat familiar with bitcoin, compared with 15 percent among those ages 65 and up. Bitcoin rose more than 6 percent Wednesday to as much as $7,545, helping to push the value of the total cryptocurrency market above $200 billion for the first time, according to CoinMarketcap. The digital asset has soared more than 600 percent this year, compared with gains of 15 percent for the S&P 500 Index -- which might explain millennials' attraction.
The Internet

Nearly Half of Colorado Counties Have Rejected a Comcast-Backed Law Restricting City-Run Internet (vice.com) 128

bumblebaetuna shares a report from Motherboard: In Tuesday's Coordinated Election, two Colorado counties voted on ballot measures to exempt themselves from a state law prohibiting city-run internet services. Both Eagle County and Boulder County voters approved the measures, bringing the total number of Colorado counties that have rejected the state law to 31 -- nearly half of the state's 64 counties. Senate Bill 152 -- which was lobbied for by Big Telecom -- became law in Colorado in 2005, and prohibits municipalities in the state from providing city-run broadband services.

Some cities prefer to build their own broadband network, which delivers internet like a utility to residents, and is maintained through subscription costs. But ever since SB 152 was enacted, Colorado communities have to first bring forward a ballot measure asking voters to exempt the area from the state law before they can even consider starting a municipal broadband service. So that's what many of them have done. In addition to the 31 counties that have voted to overrule the state restrictions, dozens of municipalities in the state have also passed similar ballot measures. Including cities, towns, and counties, more than 100 communities in Colorado have pushed back against the 12-year-old prohibition, according to the Institute for Local Self Reliance.

AT&T

Justice Department Tells Time Warner It Must Sell CNN Or DirecTV To Approve Its AT&T Merger (nytimes.com) 118

An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): The Justice Department has called on AT&T and Time Warner to sell Turner Broadcasting, the group of cable channels that includes CNN, as a potential requirement for approving the companies' pending $85.4 billion deal, people briefed on the matter said on Wednesday. The other potential way the merger could win approval would be for AT&T to sell its DirecTV division, two of these people added. As originally envisioned, combining AT&T and Time Warner would yield a giant company offering wireless and broadband internet service, DirecTV, the Warner Brothers movie studio and cable channels like HBO and CNN. If the Justice Department formally makes either demand a requisite for approval, AT&T and Time Warner would almost certainly take the matter to court to challenge the government's legal basis for blocking their deal.
Encryption

Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed (arstechnica.com) 76

An anonymous reader quotes a report from Ars Technica: A crippling flaw affecting millions -- and possibly hundreds of millions -- of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents. The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key. Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness.

On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they had developed an attack that was 25 percent more efficient than the one created by the original ROCA researchers. Bernstein and Lange built the new attack solely from the public disclosure information of October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.
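The report says a vulnerable key can be recognised from its public half alone; that is also how defenders find affected keys in their own inventories. The check below is an added example (not code from Ars Technica or the ROCA researchers): the affected generator builds primes of the form p = k*M + (65537^a mod M) with M a primorial, so for every small prime r dividing M the modulus N = p*q has N mod r inside the subgroup generated by 65537 mod r. The sample moduli are constructed here purely to exercise the check and are not real affected keys.

```python
"""ROCA-style fingerprint check for RSA public moduli (added example)."""
import random

# First 39 primes (2..167), the primorial the affected library used for
# 512-bit primes and the residues the published fingerprint tests.
ROCA_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
               61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
               131, 137, 139, 149, 151, 157, 163, 167]


def subgroup_of_65537(r):
    """Residues 65537^k mod r: the only values N mod r can take when both
    RSA primes come from the affected generator."""
    g = 65537 % r
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return seen


def is_roca_fingerprint(n, primes=ROCA_PRIMES):
    """True when N mod r lies in <65537> for every small prime r.
    A modulus from an unaffected generator fails at least one r with
    overwhelming probability (the subgroups cover ~2^-154 of residue
    combinations over all 39 primes)."""
    return all(n % r in subgroup_of_65537(r) for r in primes)


def is_probable_prime(n, rng, rounds=24):
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in ROCA_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_roca_like_prime(bits, rng, primes=ROCA_PRIMES):
    """Constructed sample prime with the affected structure
    p = k*M + 65537^a mod M (M = primorial), roughly `bits` bits long."""
    M = 1
    for r in primes:
        M *= r
    while True:
        a = rng.randrange(M)                      # any exponent works
        k = rng.randrange(1, 1 << (bits - M.bit_length()))
        p = k * M + pow(65537, a, M)
        if is_probable_prime(p, rng):
            return p


def make_random_prime(bits, rng):
    """Ordinary random prime, for an unaffected comparison modulus."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def build_sample_moduli(seed=2017):
    """Return (roca_shaped_N, generic_N), both ~512 bits, from a fixed seed."""
    rng = random.Random(seed)
    roca_n = make_roca_like_prime(256, rng) * make_roca_like_prime(256, rng)
    generic_n = make_random_prime(256, rng) * make_random_prime(256, rng)
    return roca_n, generic_n


if __name__ == "__main__":
    roca_n, generic_n = build_sample_moduli()
    print("constructed ROCA-shaped modulus flagged:", is_roca_fingerprint(roca_n))
    print("generic random modulus flagged:", is_roca_fingerprint(generic_n))
    print("textbook 61*53 flagged:", is_roca_fingerprint(3233))
```

Run against the modulus of a real certificate or SSH key (after parsing it), a True result means the key should be treated as compromised and replaced, exactly as Estonia did with its ID cards.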

iPhone

Israeli Company Sues Apple Over Dual-Lens Cameras In iPhone 7 Plus, iPhone 8 Plus (macrumors.com) 56

Corephotonics, an Israeli maker of dual-lens camera technologies for smartphones, has filed a lawsuit against Apple this week alleging that the iPhone 7 Plus and iPhone 8 Plus infringe upon four of its patents. Mac Rumors reports: The patents, filed with the U.S. Patent and Trademark Office between November 2013 and June 2016, relate to dual-lens camera technologies appropriate for smartphones, including optical zoom and a mini telephoto lens assembly: U.S. Patent No. 9,402,032; U.S. Patent No. 9,568,712; U.S. Patent No. 9,185,291; U.S. Patent No. 9,538,152. Corephotonics alleges that the two iPhone models copy its patented telephoto lens design, optical zoom method, and a method for intelligently fusing images from the wide-angle and telephoto lenses to improve image quality. iPhone X isn't listed as an infringing product, despite having a dual-lens camera, perhaps because the device launched just four days ago.
Earth

The US Is Now the Only Country In the World To Reject the Paris Climate Deal 719

An anonymous reader quotes a report from The Verge: Today, Syria announced that it would sign the Paris climate agreement -- a landmark deal that commits almost 200 countries to reducing greenhouse gas emissions to fight global warming. With Nicaragua also joining the deal last month, the United States is now the only country in the world that opposes it. In June, President Donald Trump announced that the U.S. will withdraw from the Paris climate accord, unless it is renegotiated to be "fair" to the United States. But other countries in the deal, such as France, Germany, and Italy, said that's not possible. The Trump administration is also taking steps to roll back regulations passed under former President Barack Obama to achieve the emissions reduction goals set under the Paris deal. The U.S. is the second largest emitter of heat-trapping greenhouse gases in the world after China. "With Syria's decision, the relentless commitment of the global community to deliver on Paris is more evident than ever," Paula Caballero, director of the climate change program at the World Resources Institute, told the Times. "The U.S.'s stark isolation should give Trump reason to reconsider his ill-advised announcement and join the rest of the world in tackling climate change."
Encryption

How Cloudflare Uses Lava Lamps To Encrypt the Internet (zdnet.com) 110

YouTuber Tom Scott was invited to visit Cloudflare's San Francisco headquarters to check out the company's wall of lava lamps. These decorative novelty items -- while neat to look at -- serve a special purpose for the internet security company. Cloudflare takes pictures and video of the lava lamps to turn them into "a stream of random, unpredictable bytes," which is used to help create the keys that encrypt the traffic that flows through Cloudflare's network. ZDNet reports: Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services. Cloudflare is known for providing good standards of encryption, but it seems the secret is out -- this reputation is built in part on lava lamps. Roughly 10 percent of the Internet's traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required. According to Nick Sullivan, Cloudflare's head of cryptography, this is where the lava lamps shine. Instead of relying on code alone to generate these numbers for cryptographic purposes, the lava lamps, with their random lights, swirling blobs and movements, are photographed and recorded. The information is then fed into a data center and Linux kernels, which then seed the random number generators used to create keys to encrypt traffic. "Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data." Cloudflare also reportedly uses a "chaotic pendulum" in its London office to generate randomness, and in Singapore, they use a radioactive source.
Facebook

How Facebook Figures Out Everyone You've Ever Met (gizmodo.com) 219

"I deleted Facebook after it recommended as People You May Know a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email," an attorney told Gizmodo. Kashmir Hill, a reporter at the news outlet, who recently documented how Facebook figured out a connection between her and a family member she did not know existed, shares several more instances others have reported and explains how Facebook gathers information. She reports: Behind the Facebook profile you've built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you've never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections. Because shadow-profile connections happen inside Facebook's algorithmic black box, people can't see how deep the data-mining of their lives truly is, until an uncanny recommendation pops up. Facebook isn't scanning the work email of the attorney above. But it likely has her work email address on file, even if she never gave it to Facebook herself. If anyone who has the lawyer's address in their contacts has chosen to share it with Facebook, the company can link her to anyone else who has it, such as the defense counsel in one of her cases. Facebook will not confirm how it makes specific People You May Know connections, and a Facebook spokesperson suggested that there could be other plausible explanations for most of those examples -- "mutual friendships," or people being "in the same city/network." The spokesperson did say that of the stories on the list, the lawyer was the likeliest case for a shadow-profile connection. Handing over address books is one of the first steps Facebook asks people to take when they initially sign up, so that they can "Find Friends." 
The problem with all this, Hill writes, is that Facebook doesn't explicitly say the scale at which it would be using the contact information it gleans from a user's address book. Furthermore, most people are not aware that Facebook is using contact information taken from their phones for these purposes.
Businesses

Many Employers Are Using Tools To Monitor Their Staff's Web-browsing Patterns, Keystrokes, Social Media Posts (theguardian.com) 187

Olivia Solon, reporting for The Guardian: How can an employer make sure its remote workers aren't slacking off? In the case of talent management company Crossover, the answer is to take photos of them every 10 minutes through their webcam. The pictures are taken by Crossover's productivity tool, WorkSmart, and combine with screenshots of their workstations along with other data -- including app use and keystrokes -- to come up with a "focus score" and an "intensity score" that can be used to assess the value of freelancers. Today's workplace surveillance software is a digital panopticon that began with email and phone monitoring but now includes keeping track of web-browsing patterns, text messages, screenshots, keystrokes, social media posts, private messaging apps like WhatsApp and even face-to-face interactions with co-workers. Crossover's Sanjeev Patni insists that workers get over the initial self-consciousness after a few days and accept the need for such monitoring as they do CCTV in shopping malls.
Microsoft

Microsoft Releases Standards For Highly Secure Windows 10 Devices (bleepingcomputer.com) 173

An anonymous reader writes from a report via BleepingComputer: Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included with Windows 10 systems and the minimum firmware features. The hardware standards are broken up into 6 categories, which are minimum specs for processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM. Similarly, firmware features should support at least UEFI 2.4 or later, Secure Boot, Secure MOR 2 or later, and support the Windows UEFI Firmware Capsule Update specification.
Piracy

US Court Grants ISPs and Search Engine Blockade of Sci-Hub (torrentfreak.com) 165

Sci-Hub, a scientific research piracy site home to thousands of research papers, has suffered another blow in a U.S. federal court. According to TorrentFreak, "The American Chemical Society has won a default judgment of $4.8 million for alleged copyright infringement against the site. In addition, the publisher was granted an unprecedented injunction which requires search engines and ISPs to block the platform." This comes after a $15 million fine was imposed on Sci-Hub by a New York federal judge earlier this year. From the report: Just before the weekend, U.S. District Judge Leonie Brinkema issued a final decision which is a clear win for ACS. The publisher was awarded the maximum statutory damages of $4.8 million for 32 infringing works, as well as a permanent injunction. The injunction is not limited to domain name registrars and hosting companies, but expands to search engines, ISPs and hosting companies too, who can be ordered to stop linking to or offering services to Sci-Hub. The injunction means that Internet providers, such as Comcast, can be requested to block users from accessing Sci-Hub. That's a big deal since pirate site blockades are not common in the United States. The same is true for search engine blocking of copyright-infringing sites.

"Ordered that any person or entity in active concert or participation with Defendant Sci-Hub and with notice of the injunction, including any Internet search engines, web hosting and Internet service providers, domain name registrars, and domain name registries, cease facilitating access to any or all domain names and websites through which Sci-Hub engages in unlawful access to, use, reproduction, and distribution of ACS's trademarks or copyrighted works," the injunction reads.

Security

Should Private Companies Be Allowed To Hit Back At Hackers? (vice.com) 141

An anonymous reader quotes a report from Motherboard: Keith Alexander, the former director of the NSA and the U.S. military's cybersecurity branch, doesn't believe private companies should be allowed to hit back at hackers. "If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday. During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own.

Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Alexander argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, he said.

Patents

Apple Wins $120 Million From Samsung In Slide-To-Unlock Patent Battle (theverge.com) 72

Apple has finally claimed victory over Samsung to the count of $120 million. "The Supreme Court said today that it wouldn't hear an appeal of the patent infringement case, first decided in 2014, which has been bouncing through appeals courts in the years since," reports The Verge. From the report: The case revolved around Apple's famous slide-to-unlock patent and, among others, its less-famous quick links patent, which covered software that automatically turned information like a phone number into a tappable link. Samsung was found to have infringed both patents. The ruling was overturned almost two years later, and then reinstated once again less than a year after that. From there, Samsung appealed to the Supreme Court, which is where the case met its end today. Naturally, Samsung isn't pleased with the outcome. "Our argument was supported by many who believed that the Court should hear the case to reinstate fair standards that promote innovation and prevent abuse of the patent system," a Samsung representative said in a statement. The company also said the ruling would let Apple "unjustly profit" from an invalid patent.
Privacy

One in Four UK Workers Maliciously Leaks Business Data Via Email, Study Says (betanews.com) 30

From a report: New research into insider threats reveals that 24 percent of UK employees have deliberately shared confidential business information outside their company. The study from privacy and risk management specialist Egress Software Technologies also shows that almost half (46 percent) of respondents say they have received a panicked email recall request, which is not surprising given more than a third (37 percent) say they don't always check emails before sending them. The survey of 2,000 UK workers who regularly use email as part of their jobs shows the biggest human factor in sending emails in error is listed as 'rushing' (68 percent). However, alcohol also plays a part in eight percent of all wrongly sent emails -- where are these people working!? Autofill technology, meanwhile, caused almost half (42 percent) to select the wrong recipient in the list.
Censorship

Afghanistan Clarifies It Will Not Block WhatsApp, Telegram (reuters.com) 18

The Afghan government will not block the instant messaging services WhatsApp and Telegram, a spokesman told news agency Reuters on Monday, following days of controversy after reports the services would be suspended. From a report: "Government of Afghanistan isn't going to ban any social media platforms. WhatsApp and Telegram to continue operating in Afghanistan," Javid Faisal, deputy spokesman to government Chief Executive Abdullah Abdullah wrote on Twitter. The row over instant messaging services began after a letter from Afghanistan's telecoms regulator to Internet service providers telling them to block the services "without delay" was circulated on social media platforms last week.
Government

'Panama Papers' Group Strikes Again with 'Paradise Papers' (theguardian.com) 402

Long-time Slashdot reader Freshly Exhumed tipped us off to a new document leak that's just revealed massive tax havens used by the world's most wealthy and powerful people. An anonymous reader quotes the Guardian: The material, which has come from two offshore service providers and the company registries of 19 tax havens, was obtained by the German newspaper Süddeutsche Zeitung and shared by the International Consortium of Investigative Journalists with partners including the Guardian, the BBC and the New York Times. The project has been called the Paradise Papers.
It's the same group responsible for the Panama Papers, and the Guardian reports that in these 13.4 million new files, journalists have discovered:
  • "Aggressive tax avoidance by multinational corporations, including Nike and Apple."

"The publication of this investigation, for which more than 380 journalists have spent a year combing through data that stretches back 70 years, comes at a time of growing global income inequality," reports the Guardian. "Meanwhile, multinational companies are shifting a growing share of profits offshore -- €600 billion in the last year alone -- the leading economist Gabriel Zucman will reveal in a study to be published later this week. 'Tax havens are one of the key engines of the rise in global inequality,' he said."

Software

Fake WhatsApp App Downloaded 1 Million Times (fortune.com) 51

An anonymous reader quotes Fortune: Reddit users yesterday spotted an extremely convincing spoofed copy of the popular WhatsApp messenger on Google Play. The fake was downloaded by more than 1 million users, who instead of a messaging tool wound up with a bundle of ads... The fake WhatsApp was nearly indistinguishable from the real thing thanks to an invisible space placed at the end of the developer's name.

One of the security hounds discussing the case on Reddit pointed out that this was not an isolated incident, even for WhatsApp. A search for "WhatsApp" on Google Play currently shows no fewer than seven spoof apps using slight variations on the developer name "WhatsApp Inc.", including versions with extra spaces, asterisks, or commas. All of them have four-star review averages, presumably thanks to industrial-scale subversion of Play's review system.
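The spoof worked because a trailing invisible character, or an extra space, asterisk or comma, leaves a developer name that looks identical to the real one. A store reviewer or an enterprise app-vetting pipeline can catch that class of trick by comparing names after stripping invisible characters, whitespace and punctuation. The code below is an added example (not code from Fortune, the Reddit thread, or Google Play); the listing names are constructed samples modelled on the variants the report describes.

```python
"""Flag developer names that only match a trusted publisher once invisible
or filler characters are removed (added example)."""
import unicodedata

# Unicode categories that render as nothing or carry no identity: spaces and
# separators (Zs/Zl/Zp), format characters such as ZERO WIDTH SPACE (Cf),
# controls (Cc) and combining marks (Mn).
_DROP_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc", "Mn"}


def canonical_name(name):
    """Reduce a developer name to what a user actually perceives:
    compatibility-decompose, drop invisibles, whitespace, punctuation and
    symbols, then casefold, so 'WhatsApp Inc.\u200b' equals 'whatsapp inc'."""
    kept = []
    for ch in unicodedata.normalize("NFKD", name):
        cat = unicodedata.category(ch)
        if cat in _DROP_CATEGORIES or cat[0] in ("P", "S"):
            continue
        kept.append(ch)
    return "".join(kept).casefold()


def invisible_chars(name):
    """Return (index, Unicode name) for every character that renders as
    nothing: format/control characters and any space other than U+0020."""
    found = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc", "Zl", "Zp") or (cat == "Zs" and ch != " "):
            found.append((i, unicodedata.name(ch, "U+%04X" % ord(ch))))
    return found


def classify_listing(developer, known_publishers):
    """'genuine' on an exact match with a trusted publisher name, 'spoof'
    when the name matches only after canonicalisation (invisible or filler
    characters were added), 'unknown' otherwise."""
    if developer in known_publishers:
        return "genuine"
    canon = canonical_name(developer)
    if any(canon == canonical_name(k) for k in known_publishers):
        return "spoof"
    return "unknown"


def audit_listings(listings, known_publishers):
    """Classify each (app title, developer) pair; returns a list of
    (title, verdict, invisible characters found)."""
    return [(title, classify_listing(dev, known_publishers), invisible_chars(dev))
            for title, dev in listings]


if __name__ == "__main__":
    # Constructed sample listings, modelled on the variants in the report.
    trusted = {"WhatsApp Inc."}
    sample = [
        ("WhatsApp Messenger", "WhatsApp Inc."),
        ("WhatsApp Messenger", "WhatsApp Inc.\u200b"),   # zero-width space
        ("WhatsApp Messenger", "WhatsApp Inc. "),        # trailing space
        ("WhatsApp Messenger", "WhatsApp Inc.*"),
        ("WhatsApp Messenger", "WhatsApp, Inc."),
        ("Update for WhatsApp", "Whatsapp lnc."),        # lowercase L, not I
    ]
    for title, verdict, invisibles in audit_listings(sample, trusted):
        print(f"{title!r}: {verdict} {invisibles}")
```

Homoglyph substitutions such as a lowercase L for a capital I are a separate problem that needs a confusable-character table; this check only covers characters that add nothing visible.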

The Courts

Advice To Twitter Worker Who Deactivated Trump's Account: 'Get A Lawyer' (thehill.com) 271

An anonymous reader quotes The Hill: A prominent attorney for cybersecurity issues has this advice to the unnamed Twitter worker said to have pulled the plug on President Trump's Twitter account: "Don't say anything and get a lawyer." Tor Ekeland told The Hill that while the facts of the case are still unclear and the primary law used to prosecute hackers is murky and unevenly applied, there is a reasonable chance the Twitter worker violated the Computer Fraud and Abuse Act...widely considered to be, as Ekeland explained it, "a mess." Various courts around the country have come up with seemingly contradictory rulings on what unauthorized access actually means. Ekeland said the Ninth Circuit, covering the state of California, has itself issued rulings at odds with itself that would have an impact on the Trump Twitter account fiasco as a potential case. The Ninth Circuit ruled that employees do not violate the law if they exceed their workplace computer policies. It has also ruled that employees who have been told they do not have permission to access a system cannot legally access it. Depending on which ruling a court leans on the hardest, a current Twitter employee without permission to shutter accounts may have violated the law by nixing Trump's account.
Ekeland points out that just $5,000 worth of damage could carry a 10-year prison sentence.

Friday the New York Times also reported that the worker responsible wasn't even a Twitter employee, but a hired contractor, adding that "nearly every" major tech company uses contractors for non-technical positions, including Google, Apple, and Facebook.
The Courts

Appeals Court Rules: SCO v. IBM Case Can Continue (arstechnica.com) 131

Long-time Slashdot reader Freshly Exhumed quotes Ars Technica: A federal appeals court has now partially ruled in favor of the SCO Group, breathing new life into a lawsuit and a company (now bankrupt and nearly dead) that has been suing IBM for nearly 15 years.

Last year, U.S. District Judge David Nuffer had ruled against SCO (whose original name was Santa Cruz Operation) in two summary judgment orders, and the court refused to allow SCO to amend its initial complaint against IBM. SCO soon appealed. On Monday, the 10th US Circuit Court of Appeals found that SCO's claims of misappropriation could go forward while also upholding Judge Nuffer's other two orders.

Here's Slashdot's first story about the trial more than 14 years ago, and a nice timeline from 2012 of the next nine years of legal drama.
Cloud

Are You OK With Google Reading Your Data? (infoworld.com) 154

Remember when Google randomly flagged files in Google Docs for violating its terms of service? An anonymous reader quotes InfoWorld: Many people worried that Google was scanning users' documents in real time to determine if they're being mean or somehow bad. You actually agree to such oversight in Google G Suite's terms of service. Those terms include personal conduct stipulations and copyright protection, as well as adhering to "program policies"... Even though this is spelled out in the terms of service, it's uncomfortably Big Brother-ish, and raises anew questions about how confidential and secure corporate information really is in the cloud.

So, do SaaS, IaaS, and PaaS providers make it their business to go through your data? If you read their privacy policies (as I have), the good news is that most don't seem to. But have you actually read through them to know who, like Google, does have the right to scan and act on your data? Most enterprises do a good legal review for enterprise-level agreements, but much of the use of cloud services is by individuals or departments who don't get such IT or legal review. Enterprises need to be proactive about reading the terms of service for cloud services used in their company, including those set up directly by individuals and departments. It's still your data, after all, and you should know how it is being used and could be used...

The article argues that "Chances are you or your employees have signed similar terms in the many agreements that people accept without reading."
Firefox

Firefox Borrows From Tor Browser Again, Blocks Canvas Fingerprinting (bleepingcomputer.com) 92

An anonymous reader writes: Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element. The technique is widely used in the advertising industry to track users across sites. Firefox 58 is scheduled for release on January 16, 2018.

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused features from the Tor Browser into Firefox.

Open Source

Software Freedom Law Center Launches Trademark War Against Software Freedom Conservancy (sfconservancy.org) 113

Long-time Slashdot reader Bruce Perens writes: The Software Freedom Law Center, a Linux-Foundation supported organization, has asked USPTO to cancel the trademark of the name of the Software Freedom Conservancy, an organization that assists and represents Free Software / Open Source developers.

What makes this bizarre is that SFLC started SFC, SFLC was SFC's law firm and filed for the very same trademark on their behalf, and both organizations were funded by Linux Foundation at the start.

There are a few other wild things that have happened related to this. Eben Moglen, president of SFLC and for decades the General Counsel of the Free Software Foundation, is no longer associated with FSF. Linux Foundation has on its executive board a company that is being sued in Germany for violating the GPL, with the case presently under appeal, and the lawsuit is funded by SFC. And remember when Linux Foundation removed the community representative from its executive board, when Karen Sandler, executive director of SFC, said she'd run?

If you need a clue, the SFC are the good guys in this. There's a lot to look into.

Security

Experts Propose Standard For IoT Firmware Updates (bleepingcomputer.com) 61

An anonymous reader quotes a report from Bleeping Computer: Security experts have filed a proposal with the Internet Engineering Task Force (IETF) that defines a secure framework for delivering firmware updates to Internet of Things (IoT) devices. Filed on Monday by three ARM employees, their submission has entered the first phase of a three-stage process for becoming an official Internet standard. Titled "IoT Firmware Update Architecture," their proposal -- if approved -- puts forward a series of ground rules that device makers could implement when designing the firmware update mechanism for their future devices. The proposed rules are nothing out of the ordinary, and security experts have recommended and advocated for most of these measures for years. Some hardware vendors are most likely already compliant with the requirements included in this IETF draft. Nonetheless, the role of this proposal is to have the IETF put forward an official document that companies could use as a baseline when designing the architecture of future products. This document could also serve as a general guideline for lawmakers who could draft regulations forcing manufacturers to adhere to this baseline. Some of the main requirements put forward by the three ARM engineers in their IETF draft include: The update mechanism must work the same even if the firmware binary is delivered via Bluetooth, WiFi, UART, USB, or other mediums; The update mechanism must work in a broadcast type of delivery, allowing updates to reach multiple users at once; End-to-end security (public key cryptography) must be used to verify and validate firmware images.

Security

Equifax Investigation Clears Execs Who Dumped Stock Before Hack Announcement (gizmodo.com) 155

An anonymous reader quotes a report from Gizmodo: Equifax discovered on July 29th that it had been hacked, losing the Social Security numbers and other personal information of 143 million Americans -- and then just a few days later, several of its executives sold stock worth a total of nearly $1.8 million. When the hack was publicly announced in September, Equifax's stock promptly tanked, which made the trades look very, very sketchy. At the time, Equifax claimed that its executives had no idea about the massive data breach when they sold their stock. Today, the credit reporting company released further details about its internal investigation that cleared all four executives of any wrongdoing.

The report, prepared by a board-appointed special committee, concludes that "none of the four executives had knowledge of the incident when their trades were made, that preclearance for the four trades was appropriately obtained, that each of the four trades at issue comported with Company policy, and that none of the four executives engaged in insider trading." The committee says it reviewed 55,000 documents to reach its conclusions, including emails and text messages, and conducted 62 in-person interviews. "The review was designed to pinpoint the date on which each of the four senior officers first learned of the security investigation that uncovered the breach and to determine whether any of those officers was informed of or otherwise learned of the security investigation before his trades were executed," the report states.

Communications

Chelsea Manning Archivist Excludes Hacktivist Jailed By Carmen Ortiz From Aaron Swartz Day (huffingtonpost.com) 124

New submitter Danngggg writes: As you may recall from Slashdot last year, alleged Anonymous hacktivist Martin Gottesfeld has been imprisoned without bail since federal agents arrested him on board a Disney Cruise ship in February of 2016 to face hacking charges brought by controversial former U.S. attorney Carmen Ortiz. Though he's the only activist after Aaron Swartz to face a felony CFAA indictment from Ortiz, apparently Aaron Swartz Day organizer and Chelsea Manning archivist Lisa Rein doesn't want to include Gottesfeld in the festivities this year. So, he has taken to Huffington Post to argue that his story should be told this November 4th and, perhaps with a sense of irony, to publish some potentially scandalous Signal messages allegedly sent by Rein to his wife revealing what seems to be disdain for hacking in general and Anonymous in particular. Indeed, Rein seems to borrow from the movie Mean Girls in her contemptuous rejection of Mrs. Gottesfeld's appeals on behalf of her embattled husband. What does the Slashdot crowd have to say about whether Gottesfeld's story belongs at Aaron Swartz Day as well as Rein's alleged attitude towards his significant other?

"One might think that my voice would be welcomed at Aaron Swartz Day given all that the late internet/freedom of information activist and I share in common," writes Gottesfeld. "For starters, we were both indicted under the same controversial federal law, the CFAA, by the same Boston U.S. Attorney's Office and indeed under the tenure of the same notorious U.S. Attorney, Carmen Ortiz. Both of us have been persecuted for doing the moral thing; Aaron for trying to make taxpayer-funded research available to the general public and me for stopping the torture of an innocent child."

Security

TorMoil Vulnerability Leaks Real IP Address From Tor Browser Users; Security Update Released (bleepingcomputer.com) 21

Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue -- which he codenamed TorMoil -- to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.

The Courts

Alphabet Loses Another Trade Secret Claim In Its Lawsuit Against Uber (recode.net) 10

In a new order dated Nov. 2, Judge William Alsup said that Alphabet's self-driving arm Waymo cannot pursue one of the nine trade secrets it had accused Uber of misappropriating. The company had already been ordered to narrow its more than 120 trade secrets down to nine. Recode reports: The judge said, among other things, that the expert opinion that Alphabet used to assert this claim was unreliable. While the other eight trade secrets remain intact, it's worth mentioning this was the same expert that Waymo relied on to substantiate those claims. "Waymo's case continues to shrink," an Uber spokesperson said. "After dropping their patent claims, this week Waymo lost one of the trade secrets they claimed was most important, had their damages expert excluded, and saw an entire defendant removed from the case -- and all this before the trial has even started." An Alphabet spokesperson said the document did provide additional evidence to bolster its remaining claims. Additionally, Alphabet's case for the monetary damages it wanted -- more than $1 billion for a single trade secret -- will rest squarely on its own arguments. In a yet-unsealed document, the judge said that Alphabet could not call on its damages expert during the trial.
