Education

The House's Tax Bill Levies a Tax On Graduate Student Tuition Waivers (nytimes.com) 578

Camel Pilot writes: The new GOP tax plan -- which just passed the House -- will tax tuition waivers as income. Graduate students working as research assistants on meager stipends would have to declare tuition waivers as income on the order of $80,000 income. This will force many graduate students of modest means to quit their career paths and walk away from their research. These are the next generation of scientists, engineers, inventors, educators, medical miracle workers and market makers. As Prof Claus Wilke points out: "This would be a disaster for U.S. STEM Ph.D. education." Slashdot reader Camel Pilot references a report via The New York Times, where Erin Rousseau explains how the House of Representatives' recently passed tax bill affects graduate research in the United States. Rousseau is a graduate student at M.I.T. who studies the neurological basis of mental health disorders. "My peers and I work between 40 and 80 hours a week as classroom teachers and laboratory researchers, and in return, our universities provide us with a tuition waiver for school. For M.I.T. students, this waiver keeps us from having to pay a tuition bill of about $50,000 every year -- a staggering amount, but one that is similar to the fees at many other colleges and universities," he writes. "No money from the tuition waivers actually ends up in our pockets, so under Section 117(d)(5), it isn't counted as taxable income." Rousseau continues by saying his tuition waivers will be taxed under the House's tax bill. "This means that M.I.T. graduate students would be responsible for paying taxes on an $80,000 annual salary, when we actually earn $33,000 a year. That's an increase of our tax burden by at least $10,000 annually."
The Military

Massive US Military Social Media Spying Archive Left Wide Open In AWS S3 Buckets (theregister.co.uk) 85

An anonymous reader quotes a report from The Register: Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages -- all scraped from around the world by the U.S. military to identify and profile persons of interest. The archives were found by veteran security breach hunter UpGuard's Chris Vickery during a routine scan of open Amazon-hosted data silos, and these ones weren't exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive. CENTCOM is the common abbreviation for the U.S. Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for U.S. Pacific Command, covering the rest of southern Asia, China and Australasia.

"For the research I downloaded 400GB of samples but there were many terabytes of data up there," he said. "It's mainly compressed text files that can expand out by a factor of ten so there's dozens and dozens of terabytes out there and that's a conservative estimate." Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens. The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the U.S. government's Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Television

FCC Approves Next-Gen ATSC 3.0 TV Standard (reuters.com) 158

New submitter mikeebbbd writes: "U.S. regulators on Thursday approved the use of new technology that will improve picture quality on mobile phones, tablets and television, but also raises significant privacy concerns by giving advertisers dramatically more data about viewing habits," reports Reuters. ATSC3.0 will apparently make personal data collection and targeted ads possible. New TVs will be necessary, and broadcasters will need to transmit both ATSC 2.0 (the current standard) for 3 to 5 years before turning off the older system. For now, the conversion is voluntary. There appears to be no requirement (as there was when ATSC 2.0 came out) for low-cost adapter boxes to make older TVs work; once a channel goes ATSC 3.0-only, your old TV will not display it any more.
Privacy

Germany Bans Children's Smartwatches (bbc.com) 44

A German regulator has banned the sale of smartwatches aimed at children, describing them as spying devices. From a report: It had previously banned an internet-connected doll called, My Friend Cayla, for similar reasons. Telecoms regulator the Federal Network Agency urged parents who had such watches to destroy them. One expert said the decision could be a "game-changer" for internet-connected devices. "Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids' GPS tracking watches - the very watches that are supposed to help keep them safe," said Ken Munro, a security expert at Pen Test Partners.
Privacy

Why is this Company Tracking Where You Are on Thanksgiving? (theoutline.com) 98

Earlier this week, several publications published a holiday-themed data study about how families that voted for opposite parties spent less time together on Thanksgiving, especially in areas that saw heavy political advertising. The data came from a company called SafeGraph that supplied publications with 17 trillion location markets for 10 million smartphones. A report looks at the bigger picture: The data wasn't just staggering in sheer quantity. It also appears to be extremely granular. Researchers "used this data to identify individuals' home locations, which they defined as the places people were most often located between the hours of 1 and 4 a.m.," wrote The Washington Post. The researchers also looked at where people were between 1 p.m. and 5 p.m. on Thanksgiving Day in order to see if they spent that time at home or traveled, presumably to be with friends or family. "Even better, the cellphone data shows you exactly when those travelers arrived at a Thanksgiving location and when they left," the Post story says. To be clear: This means SafeGraph is looking at an individual device and tracking where its owner is going throughout their day. A common defense from companies that creepily collect massive amounts of data is that the data is only analyzed in aggregate; for example, Google's database BigQuery, which allows organizations to upload big data sets and then query them quickly, promises that all its public data sets are "fully anonymized" and "contain no personally-identifying information." In multiple press releases from SafeGraph's partners, the company's location data is referred to as "anonymized," but in this case they seem to be interpreting the concept of anonymity quite liberally given the specificity of the data.
Social Networks

Report Claims That 18 Nation's Elections Were Impacted By Social Engineering Last Year (bbc.com) 235

sqorbit writes: Independent watchdog group Freedom House released a report that claims that 18 nation's elections were "hacked." Of the 65 countries that Freedom House monitors, 30 appear to be using social media in order to affect elections by attempting to control online discussions. The report covers fake news posts, paid online opinion writers and trolling tactics. Other items in the report speak to online censorship and VPN blocking that blocks information within countries to interfere with elections. The report says net freedom could be aided by: large-scale programs that showed people how to spot fake news; putting tight controls on political adverts; and making social media giants do more to remove bots and tune algorithms to be more objective.
Security

Bluetooth Hack Affects 20 Million Amazon Echo, Google Home Devices (thehackernews.com) 40

In September, security researchers discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. We have now learned that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. The Hacker News reports: Amazon Echo is affected by the following two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251); and an information disclosure flaw in the SDP server (CVE-2017-1000250). Since different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. Whereas, Google Home devices are affected by one vulnerability: information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. The security firm [Armis, who disclosed the issue] notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks.
Businesses

FCC Repeals Decades-Old Rules Blocking Broadcast Media Mergers (variety.com) 146

An anonymous reader quotes a report from The Washington Post (Warning: source may be paywalled; alternative source): Federal regulators rolled back decades-old rules on Thursday, making it far easier for media outlets to be bought and sold -- potentially leading to more newspapers, radio stations and television broadcasters being owned by a handful of companies. The regulations, eliminated in a 3-to-2 vote by the Federal Communications Commission, were first put in place in the 1970s to ensure that a diversity of voices and opinions could be heard on the air or in print. But now those rules represent a threat to small outlets that are struggling to survive in a vastly different media world, according to FCC Chairman Ajit Pai. One long-standing rule repealed Thursday prevented one company in a given media market from owning both a daily newspaper and a TV station. Another rule blocked TV stations in the same market from merging with each other if the combination would leave fewer than eight independently owned stations. The agency also took aim at rules restricting the number of TV and radio stations that any media company could simultaneously own in a single market. A major beneficiary of the deregulatory moves, analysts say, is Sinclair, a conservative broadcasting company that is seeking to buy up Tribune Media for $3.9 billion.
Twitter

Jack Dorsey Responds To Serial Killer Who Found His Victims Through Suicidal Twitter Posts (nhk.or.jp) 73

AmiMoJo shares a report from NHK WORLD: Twitter's CEO is reacting to a grisly case in Japan where a suspected serial killer allegedly found his victims through their suicidal posts on the social media platform. In an interview with NHK, Jack Dorsey said it is unrealistic and impossible to remove suicidal tweets. But he said he hoped Twitter could become a tool for prevention. Last month, the dismembered bodies of 9 people were found in 27-year-old Takahiro Shiraishi's apartment near Tokyo. Police say he admitted to the killings. They believe he preyed on people who posted about wanting to kill themselves on Twitter. Recently, Twitter updated its rules regarding posts about self-harm: "You may not promote or encourage suicide or self-harm. When we receive reports that a person is threatening suicide or self-harm, we may take a number of steps to assist them, such as reaching out to that person and providing resources such as contact information for our mental health partners."
EU

New EU Consumer Protection Law Contains a Vague Website Blocking Clause (bleepingcomputer.com) 45

An anonymous reader quotes a report from Bleeping Computer: The European Union (EU) has voted on Tuesday, November 14, to pass the new Consumer Protection Cooperation regulation, a new EU-wide applicable law that gives extra power to national consumer protection agencies, but which also contains a vaguely worded clause that also grants them the power to block and take down websites without judicial oversight. The new law "establishes overreaching Internet blocking measures that are neither proportionate nor suitable for the goal of protecting consumers and come without mandatory judicial oversight," Member of the European Parliament Julia Reda said in a speech in the European Parliament Plenary during a last ditch effort to amend the law. "According to the new rules, national consumer protection authorities can order any unspecified third party to block access to websites without requiring judicial authorization," Reda added later in the day on her blog. This new law is an EU regulation and not a directive, meaning its obligatory for all EU states, which do not have to individually adopt it.
Privacy

Federal Extreme Vetting Plan Castigated By Tech Experts (apnews.com) 160

An anonymous reader shares an Associated Press report: Leading researchers castigated a federal plan that would use artificial intelligence methods to scrutinize immigrants and visa applicants, saying it is unworkable as written and likely to be "inaccurate and biased" if deployed. The experts, a group of more than 50 computer and data scientists, mathematicians and other specialists in automated decision-making, urged the Department of Homeland Security to abandon the project, dubbed the "Extreme Vetting Initiative." That plan has its roots in President Donald Trump's repeated pledge during the 2016 campaign to subject immigrants seeking admission to the United States to more intense ideological scrutiny -- or, as he put it, "extreme vetting." Over the summer, DHS published a "statement of objectives" for a system that would use computer algorithms to scan social media and other material in order to automatically flag undesirable entrants -- and to continuously scan the activities of those allowed into the U.S.
Firefox

Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature (bleepingcomputer.com) 70

Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.
Piracy

Hollywood Strikes Back Against Illegal Streaming Kodi Add-ons (engadget.com) 77

An anonymous reader shares a report: An anti-piracy alliance supported by many major US and UK movie studios, broadcasters and content providers has dealt a blow to the third-party Kodi add-on scene after it successfully forced a number of popular piracy-linked streaming tools offline. In what appears to be a coordinated crackdown, developers including jsergio123 and The_Alpha, who are responsible for the development and hosting of add-ons like urlresolver, metahandler, Bennu, DeathStreams and Sportie, confirmed that they will no longer maintain their Kodi creations and have immediately shut them down.
Security

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com) 106

Security researchers claim to have discovered a flaw in Amazon's Key Service, which if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.
The Internet

China Cyber Watchdog Rejects Censorship Critics, Says Internet Must Be 'Orderly' (reuters.com) 78

China's top cyber authority on Thursday rejected a recent report ranking it last out of 65 countries for press freedom, saying the internet must be "orderly" and the international community should join it in addressing fake news and other cyber issues. From a report: Ren Xianliang, vice minister of the Cyberspace Administration of China (CAC), said the rapid development of the country's internet over two decades is proof of its success and that it advocates for the free flow of information. "We should not just make the internet fully free, it also needs to be orderly... The United States and Europe also need to deal with these fake news and rumors," Ren told journalists without elaborating.
Businesses

The Brutal Fight To Mine Your Data and Sell It To Your Boss (bloomberg.com) 75

An anonymous reader shares a report from Bloomberg, explaining how Silicon Valley makes billions of dollars peddling personal information, supported by an ecosystem of bit players. Editor Drake Bennett highlights the battle between an upstart called HiQ and LinkedIn, who are fighting for your lucrative professional identity. Here's an excerpt from the report: A small number of the world's most valuable companies collect, control, parse, and sell billions of dollars' worth of personal information voluntarily surrendered by their users. Google, Facebook, Amazon, and Microsoft -- which bought LinkedIn for $26.2 billion in 2016 -- have in turn spawned dependent economies consisting of advertising and marketing companies, designers, consultants, and app developers. Some operate on the tech giants' platforms; some customize special digital tools; some help people attract more friends and likes and followers. Some, including HiQ, feed off the torrents of information that social networks produce, using software bots to scrape data from profiles. The services of the smaller companies can augment the offerings of the bigger ones, but the power dynamic is deeply asymmetrical, reminiscent of pilot fish picking food from between the teeth of sharks. The terms of that relationship are set by technology, economics, and the vagaries of consumer choice, but also by the law. LinkedIn's May 23 letter to HiQ wasn't the first time the company had taken legal action to prevent the perceived hijacking of its data, and Facebook and Craigslist, among others, have brought similar actions. But even more than its predecessors, this case, because of who's involved and how it's unfolded, has spoken to the thorniest issues surrounding speech and competition on the internet.
Privacy

Consumers Are Holding Off On Buying Smart-Home Gadgets Due To Security, Privacy Fears (businessinsider.com) 143

According to a new survey from consulting firm Deloitte, consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes. The firm found that consumer interest in connected home technology lags behind their interest in other types of IoT devices. Business Insider reports: "Consumers are more open to, and interested in, the connected world," the firm said in its report. Noting the concerns about smart home devices, it added: "But not all IoT is created equal." Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives. Meanwhile, the vast majority of consumers think gadget makers weren't doing a good job of telling them about security risks. Fewer than 20% of survey respondents said they were very well informed about such risks and almost 40% said they weren't informed at all.
The Internet

FCC Plans December Vote To Kill Net Neutrality Rules (bloomberg.com) 116

An anonymous reader quotes a report from Bloomberg: The U.S. Federal Communications Commission under its Republican chairman plans to vote in December to kill the net neutrality rules passed during the Obama era, said two people briefed on the plans. Chairman Ajit Pai in April proposed gutting the rules that he blamed for depressing investment in broadband, and said he intended to "finish the job" this year. The chairman has decided to put his proposal to a vote at the FCC next month, said the people. The agency's monthly meeting is to be held Dec. 14. The people asked not to be identified because the plan hasn't been made public. It's not clear what language Pai will offer to replace the rules that passed with only Democratic votes at the FCC in 2015. He has proposed that the FCC end the designation of broadband companies such as AT&T Inc. and Comcast Corp. as common carriers. That would remove the legal authority that underpins the net neutrality rules. One of the people said Pai may call for vacating the rules except for portions that mandate internet service providers inform customers about their practices. The current regulations forbid broadband providers from blocking or slowing web traffic, or from charging higher fees in return for quicker passage over their networks.
Transportation

Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com) 140

schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.
Google

Why Google Should Be Afraid of a Missouri Republican's Google Probe (arstechnica.com) 231

An anonymous reader quotes a report from Ars Technica: The Republican attorney general of Missouri has launched an investigation into Google's business practices. Josh Hawley wants to know how Google handles user data. And he plans to look into whether Google is using its dominance in the search business to harm companies in other markets where Google competes. It's another sign of growing pressure Google is facing from the political right. Grassroots conservatives increasingly see Google as falling on the wrong side of the culture wars. So far that hasn't had a big impact in Washington policymaking. But with Hawley planning to run for the U.S. Senate next year, we could see more Republican hostility toward Google -- and perhaps other big technology companies -- in the coming years. The Hawley investigation will dig into whether Google violated Missouri's consumer-protection and antitrust laws. Specifically, Hawley will investigate: "Google's collection, use, and disclosure of information about Google users and their online activities," "Google's alleged misappropriation of online content from the websites of its competitors," and "Google's alleged manipulation of search results to preference websites owned by Google and to demote websites that compete with Google." States like Missouri have their own antitrust laws and the power to investigate company business conduct independently of the feds. So Hawley seems to be taking yet another look at those same issues to see if Google's conduct runs afoul of Missouri law.

We don't know if Hawley will get the Republican nomination or win his challenge to Sen. Claire McCaskill (D-Mo.) next year, but people like him will surely be elected to the Senate in the coming decade. Hawley's decision to go after Google suggests that he sees some upside in being seen as an antagonist to a company that conservatives increasingly view with suspicion. More than that, it suggests that Hawley believes it's worth the risk of alienating the GOP's pro-business wing, which takes a dim view of strict antitrust enforcement even if it targets a company with close ties to Democrats.

Privacy

Yelp Ordered To Identify User Accused of Defaming a Tax Preparer (bloomberg.com) 142

mi writes: California State Appeals Court ruled this week that Yelp can't shield the identify of an anonymous reviewer who posted allegedly defamatory statements about a tax preparer. "The three-judge appeals panel in Santa Ana agreed with Yelp that it could protect the First Amendment rights of its anonymous reviewer but it still had to turn over the information," reports Bloomberg. "The panel reasoned that the accountant had made a showing that the review was defamatory in that it went beyond expressing an opinion and allegedly included false statements."
Medicine

FDA Approves Digital Pill That Tracks If Patients Have Ingested Their Medication (nytimes.com) 72

An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): For the first time, the Food and Drug Administration has approved a digital pill -- a medication embedded with a sensor that can tell doctors whether, and when, patients take their medicine. The approval, announced late on Monday, marks a significant advance in the growing field of digital devices designed to monitor medicine-taking and to address the expensive, longstanding problem that millions of patients do not take drugs as prescribed. Experts estimate that so-called nonadherence or noncompliance to medication costs about $100 billion a year, much of it because patients get sicker and need additional treatment or hospitalization. Patients who agree to take the digital medication, a version of the antipsychotic Abilify, can sign consent forms allowing their doctors and up to four other people, including family members, to receive electronic data showing the date and time pills are ingested. A smartphone app will let them block recipients anytime they change their mind. Although voluntary, the technology is still likely to prompt questions about privacy and whether patients might feel pressure to take medication in a form their doctors can monitor.
Government

Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com) 99

"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
The Courts

Tesla Is a 'Hotbed For Racist Behavior,' Worker Claims In Lawsuit (bloomberg.com) 300

An African-American employee has filed a lawsuit against Tesla, claiming their production floor is a "hotbed for racist behavior" and that black workers at the electric carmaker suffer severe and pervasive harassment. "The employee says he's one of more than 100 African-American Tesla workers affected and is seeking permission from a judge to sue on behalf of the group," reports Bloomberg. "He's seeking unspecified general and punitive monetary damages as well as an order for Tesla to implement policies to prevent and correct harassment." From the report: "Although Tesla stands out as a groundbreaking company at the forefront of the electric car revolution, its standard operating procedure at the Tesla factory is pre-Civil Rights era race discrimination," the employee said in the complaint, filed Monday in California's Alameda County Superior Court. The lawsuit was filed on behalf of Marcus Vaughn, who worked in the Fremont factory from April 23 to Oct. 31. Vaughn alleged that employees and supervisors regularly used the "N word" around him and other black colleagues. Vaughn said he complained in writing to human resources and Musk and was terminated in late October for "not having a positive attitude."
Communications

Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com) 32

An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.
Android

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (bleepingcomputer.com) 73

Catalin Cimpanu, writing for BleepingComputer: Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers. The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson -- the name of the main character in the Mr. Robot TV series. Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.
The Almighty Buck

Study Finds SpaceX Investment Saved NASA Hundreds of Millions (popularmechanics.com) 156

schwit1 shares a report from Popular Mechanics: When a SpaceX Dragon spacecraft connected with the International Space Station on May 25, 2012, it made history as the first privately-built spacecraft to reach the ISS. The Dragon was the result of a decision 6 years prior -- in 2006, NASA made an "unprecedented" investment in SpaceX technology. A new financial analysis shows that the investment has paid off, and the government found one of the true bargains of the 21st century when it invested in SpaceX. A new research paper by Edgar Zapata, who works at Kennedy Space Center, looks closely at the finances of SpaceX and NASA. "There were indications that commercial space transportation would be a viable option from as far back as the 1980s," Zapata writes. "When the first components of the ISS were sent into orbit 1998, NASA was focused on "ambitious, large single stage-to-orbit launchers with large price tags to match." For future commercial crew missions sending astronauts into space, Zapata estimates that it will cost $405 million for a SpaceX Dragon crew deployment of 4 and $654 million for a Boeing Starliner, which is scheduled for its first flight in 2019. That sounds like a lot, and it is, but Zapata estimates that its only 37 to 39 percent of what it would have cost the government.
Google

Google Subpoenaed Over Data Privacy, Antitrust in Missouri (cnbc.com) 18

Google is facing a new front in its regulatory battles after Missouri's attorney general on Monday launched a broad investigation into whether the company's business practices violate the state's consumer-protection and antitrust laws. From a report: Attorney General Josh Hawley's office said on Monday that it issued a subpoena to investigate if Google's use of information that it collects about consumers is appropriate and if the company stifles competing websites in search results. Google has largely steered clear of antitrust problems in the U.S. That's not the case in Europe, where the company faces a fine of about $2.7 billion over the display of its shopping ads.
Security

Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files (bbc.com) 36

Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey. "Huddles contain some very sensitive information."
The Military

North Korean Hackers Are Targeting US Defense Contractors (wpengine.com) 146

chicksdaddy quotes Security Ledger: North Korean hackers have stepped up their attacks on U.S. defense contractors in an apparent effort to gain intelligence on weapon systems and other assets that might be used against the country in an armed conflict with the United States and its allies, The Security Ledger is reporting. Security experts and defense industry personnel interviewed by The Security Ledger say that probes and attacks by hacking groups known to be associated with the government of the Democratic People's Republic of Korea (DPRK) have increased markedly as hostilities between that country and the United States have ratcheted up in the last year. The hacking attempts seem to be aimed at gaining access to intellectual property belonging to the companies, including weapons systems deployed on the Korean peninsula.

"As the situation between the DPRK and the US has become more tense, we've definitely seen an increase in number of probe attempts from cyber actors coming out of the DPRK," an official at an aerospace and defense firm told Security Ledger. The so-called "probes" were targeting the company's administrative network and included spear phishing attacks via email and other channels. The goal was to compromise computers on the corporate network... So far, the attacks have targeted "weakest links" within the firms, such as Human Resources personnel and general inquiry mailboxes, rather than targeting technical staff directly. However, experts who follow the DPRK's fast evolving cyber capabilities say that the country may have more up their sleeve.

CNBC also reports that America's congressional defense committees have authorized a last-minute request for $4 billion in extra spending for "urgent missile defeat and defense enhancements to counter the threat of North Korea."

Other countries newly interested in purchasing missile defense systems include Japan, Sweden, Poland, and Saudi Arabia.
Transportation

US Airports Still Fail New Security Tests (go.com) 182

schwit1 quotes ABC News: In recent undercover tests of multiple airport security checkpoints by the Department of Homeland Security, inspectors said screeners, their equipment or their procedures failed more than half the time, according to a source familiar with the classified report. When ABC News asked the source if the failure rate was 80 percent, the response was, "You are in the ballpark." In a public hearing after a private classified briefing to the House Committee on Homeland Security, members of Congress called the failures by the Transportation Security Administration disturbing. Rep. Mike Rogers went as far as to tell TSA Administrator David Pekoske, "This agency that you run is broken badly, and it needs your attention."
Businesses

Equifax Tells Investors They Could Be Breached Again - And That They're Still Profitable (nypost.com) 90

"Equifax executives will forgo their 2017 bonuses," reports CNBC. But according to the New York Post, the company "hasn't lost any significant business customers... Equifax largely does business with banks and other financial institutions -- not with the people they collect information on."

Even though it's facing more than 240 class-action lawsuits, Equifax's revenue actually increased 3.8% from July to September, to a whopping $834.8 million, while their net income for that period was $96.3 million -- which is still more than the $87.5 million that the breach cost them, according to a new article shared by chicksdaddy: The disclosure, made as part of the company's quarterly filing with the US Securities and Exchange Commission, is the first public disclosure of the direct costs of the incident, which saw the company's stock price plunge by more than 30% and wiped out billions of dollars in value to shareholders. Around $55.5m of the $87.5m in breach-related costs stems from product costs â" mostly credit monitoring services that it is offering to affected individuals. Professional fees added up to another $17.1m for Equifax and consumer support costs totaled $14.9m, the company said. Equifax also said it has spent $27.3 million of pretax expenses stemming from the cost of investigating and remediating the hack to Equifax's internal network as well as legal and other professional expenses.

But the costs are likely to continue. Equifax is estimating costs of $56 million to $110 million in "contingent liability" in the form of free credit monitoring and identity theft protection to all U.S. consumers as a good will gesture. The costs provided by Equifax are an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. So far, however, the company has only incurred $4.7 million through the end of September. So, while the upper bound of those contingent liability costs is high, there's good reason to believe that they will never be reached.

The Post reports that some business customers "have delayed new contracts until Equifax proves that they've done enough to shore up their cybersecurity."

But in their regulatory filing Thursday, Equifax admitted that "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again."
Encryption

iPhone Encryption Hampers Investigation of Texas Shooter, Says FBI (chron.com) 240

"FBI officials said Tuesday they have been stymied in their efforts to unlock the cellphone of the man who shot and killed at least 26 people at a church here on Sunday," reports the Houston Chronicle. Slashdot reader Anon E. Muss writes: The police obtained a search warrant for the phone, but so far they've been unable to unlock it. The phone has been sent to the FBI, in the hope that they can break in... If it is secure, and the FBI can't open it, expect all hell to break loose. The usual idiots (e.g. politicians) will soon be ranting hysterically about the evil tech industry, and how they're refusing to help law enforcement.
FBI special agent Christopher Combs complained to the Chronicle that "law enforcement increasingly cannot get in to these phones."

A law professor at the Georgia Institute of Technology argues there's other sources of information besides a phone, and police officers might recognize this with better training. As just one example, Apple says the FBI could've simply just used the dead shooter's fingerprint to open his iPhone. But after 48 hours, the iPhone's fingerprint ID stops working.
United States

H1-B Administrators Are Challenging An Unusually Large Number of Applications (bloomberg.com) 304

Long-time Slashdot reader decaffeinated quotes Bloomberg: Starting this summer, employers began noticing that U.S. Citizenship and Immigration Services was challenging an unusually large number of H-1B applications. Cases that would have sailed through the approval process in earlier years ground to a halt under requests for new paperwork. The number of challenges -- officially known as "requests for evidence" or RFEs -- are up 44 percent compared to last year, according to statistics from USCIS...

"We're entering a new era," said Emily Neumann, an immigration lawyer in Houston who has been practicing for 12 years. "There's a lot more questioning, it's very burdensome." She said in past years she's counted on 90 percent of her petitions being approved by Oct. 1 in years past. This year, only 20 percent of the applications have been processed. Neumann predicts she'll still have many unresolved cases by the time next year's lottery happens in April 2018.

Security

The Computer Scientist Who Prefers Voting With Paper (theatlantic.com) 219

Geoffrey.landis writes: The Atlantic profiles a computer scientist: Barbara Simons, who has been on the forefront of the pushback against electronic voting as a technology susceptible to fraud and hacking. When she first started writing articles about the dangers of electronic voting with no paper trail, the idea that software could be manipulated to rig elections was considered a fringe preoccupation; but Russia's efforts to influence the 2016 presidential election have reversed Simons's fortunes. According to the Department of Homeland Security, those efforts included attempts to meddle with the electoral process in 21 states; while a series of highly publicized hacks -- at Sony, Equifax, the U.S. Office of Personnel Management -- has driven home the reality that very few computerized systems are truly secure. Simons is a former President of the Association for Computing Machinery (ACM); and the group she helps run, Verified Voting, has been active in educating the public about the dangers of unverified voting since 2003.
Bug

Sex Toy Company Admits To Recording Users' Remote Sex Sessions, Calls It a 'Minor Bug' (theverge.com) 81

According to Reddit user jolioshmolio, Hong Kong-based sex toy company Lovense's remote control vibrator app (Lovense Remote) recorded a use session without their knowledge. "An audio file lasting six minutes was stored in the app's local folder," reports The Verge. "The user says he or she gave the app access to the mic and camera but only to use with the in-app chat function and to send voice clips on command -- not constant recording when in use." The app's behavior appears to be widespread as several others confirmed it too. From the report: A user claiming to represent Lovense responded and called this recording a "minor bug" that only affects Android users. Lovense also says no information or data was sent to the company's servers, and that this audio file exists only temporarily. An update issued today should fix the bug. This isn't Lovense's first security flub. Earlier this year, a butt plug made by the company -- the Hush -- was also found to be hackable. In the butt plug's case, the vulnerability had to do with Bluetooth, as opposed to the company spying on users.
Facebook

This Time, Facebook Is Sharing Its Employees' Data (fastcompany.com) 45

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

Encryption

Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com) 104

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

Encryption

DOJ: Strong Encryption That We Don't Have Access To Is 'Unreasonable' (arstechnica.com) 510

An anonymous reader quotes a report from Ars Technica: Just two days after the FBI said it could not get into the Sutherland Springs shooter's seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the "government's unexpected encryption warrior." According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying. "We have an ongoing dialogue with a lot of tech companies in a variety of different areas," he told Politico Pro. "There's some areas where they are cooperative with us. But on this particular issue of encryption, the tech companies are moving in the opposite direction. They're moving in favor of more and more warrant-proof encryption." "I want our prosecutors to know that, if there's a case where they believe they have an appropriate need for information and there is a legal avenue to get it, they should not be reluctant to pursue it," Rosenstein said. "I wouldn't say we're searching for a case. I''d say we're receptive, if a case arises, that we would litigate."

In the interview, Rosenstein also said he "favors strong encryption." "I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud," he explained. "And I'm in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I'm in favor of strong encryption." "This is, obviously, a related issue, but it's distinct, which is, what about cases where people are using electronic media to commit crimes? Having access to those devices is going to be critical to have evidence that we can present in court to prove the crime. I understand why some people merge the issues. I understand that they're related. But I think logically, we have to look at these differently. People want to secure their houses, but they still need to get in and out. Same issue here." He later added that the claim that the "absolutist position" that strong encryption should be by definition, unbreakable, is "unreasonable." "And I think it's necessary to weigh law enforcement equities in appropriate cases against the interest in security," he said.

Businesses

Monopoly Critics Decry 'Amazon Amendment' (thehill.com) 52

schwit1 shares a report from The Hill: The amendment, Section 801 of the National Defense Authorization Act (NDAA), would help Amazon establish a tight grip on the lucrative, $53 billion government acquisitions market, experts say. The provision, dubbed the "Amazon amendment" by experts, according to an article in The Intercept, would allow for the creation of an online portal that government employees could use to purchase everyday items such as office supplies or furniture. This government-only version of Amazon, which could potentially include a few other websites, would give participating companies direct access to the $53 billion market for government acquisitions of commercial products. "It hands an enormous amount of power over to Amazon," said Stacy Mitchell of the Institute for Local Self-Reliance, a research group that advocates for local businesses. Mitchell said that the provision could allow Amazon to gain a monopoly or duopoly on the profitable world of commercial government purchases, leaving smaller businesses behind and further consolidating the behemoth tech firm's power.

schwit1 adds: "Well, this is a two-edged sword, isn't it? Government spends too much and takes too long to buy its simple office needs, but streamlining that process and cutting costs puts more money in the pocket of Jeff Bezos."

Security

WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools (vice.com) 102

An anonymous reader quotes a report from Motherboard: WikiLeaks published new alleged material from the CIA on Thursday, releasing source code from a tool called Hive, which allows its operators to control malware it installed on different devices. WikiLeaks previously released documentation pertaining to the tool, but this is the first time WikiLeaks has released extensive source code for any CIA spying tool. This release is the first in what WikiLeaks founder Julian Assange says is a new series, Vault 8, that will release the code from the CIA hacking tools revealed as part of Vault 7. "This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components," WikiLeaks said in its press release for Vault 8. "Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention." In its release, WikiLeaks said that materials published as part of Vault 8 will "not contain zero-days or similar security vulnerabilities which could be repurposed by others."
Crime

Federal Prosecutors Charge Man With Hiring Hackers To Sabotage Former Employer (apnews.com) 18

According to the Associated Press, federal prosecutors have charged a man with paying computer hackers to sabotage websites affiliated with his former employer. From the report: The FBI says the case represents a growing form of cybercrime in which professional hackers are paid to inflict damage on individuals, businesses and others who rely on digital devices connected to the web. Prosecutors say 46-year-old John Kelsey Gammell hired hackers to bring down Washburn Computer Group in Monticello, but also made monthly payments between July 2015 and September 2016 to damage web networks connected to the Minnesota Judicial Branch, Hennepin County and several banks. The Star Tribune reports Gammell's attorney, Rachel Paulose, has argued her client didn't personally attack Washburn. Paulose has asked a federal magistrate to throw out evidence the FBI obtained from an unnamed researcher because that data could have been obtained by hacking.
Bitcoin

Nearly a Third of Millennials Say They'd Rather Own Bitcoin Than Stocks (bloomberg.com) 312

An anonymous reader quotes a report from Bloomberg: A survey by venture capital firm Blockchain Capital found that about 30 percent of those in the 18-to-34 age range would rather own $1,000 worth of Bitcoin than $1,000 of government bonds or stocks. The study of more than 2,000 people found that 42 percent of millennials are at least somewhat familiar with bitcoin, compared with 15 percent among those ages 65 and up. Bitcoin rose more than 6 percent Wednesday to as much as $7,545, helping to push the value of the total cryptocurrency market above $200 billion for the first time, according to CoinMarketcap. The digital asset has soared more than 600 percent this year, compared with gains of 15 percent for the S&P 500 Index -- which might explain millennials' attraction.
The Internet

Nearly Half of Colorado Counties Have Rejected a Comcast-Backed Law Restricting City-Run Internet (vice.com) 128

bumblebaetuna shares a report from Motherboard: In Tuesday's Coordinated Election, two Colorado counties voted on ballot measures to exempt themselves from a state law prohibiting city-run internet services. Both Eagle County and Boulder County voters approved the measures, bringing the total number of Colorado counties that have rejected the state law to 31 -- nearly half of the state's 64 counties. Senate Bill 152 -- which was lobbied for by Big Telecom -- became law in Colorado in 2005, and prohibits municipalities in the state from providing city-run broadband services.

Some cities prefer to build their own broadband network, which delivers internet like a utility to residents, and is maintained through subscription costs. But ever since SB 152 was enacted, Colorado communities have to first bring forward a ballot measure asking voters to exempt the area from the state law before they can even consider starting a municipal broadband service. So that's what many of them have done. In addition to the 31 counties that have voted to overrule the state restrictions, dozens of municipalities in the state have also passed similar ballot measures. Including cities, towns, and counties, more than 100 communities in Colorado have pushed back against the 12-year-old prohibition, according to the Institute for Local Self Reliance.

AT&T

Justice Department Tells Time Warner It Must Sell CNN Or DirecTV To Approve Its AT&T Merger (nytimes.com) 118

An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): The Justice Department has called on AT&T and Time Warner to sell Turner Broadcasting, the group of cable channels that includes CNN, as a potential requirement for approving the companies' pending $85.4 billion deal, people briefed on the matter said on Wednesday. The other potential way the merger could win approval would be for AT&T to sell its DirecTV division, two of these people added. As originally envisioned, combining AT&T and Time Warner would yield a giant company offering wireless and broadband internet service, DirecTV, the Warner Brothers movie studio and cable channels like HBO and CNN. If the Justice Department formally makes either demand a requisite for approval, AT&T and Time Warner would almost certainly take the matter to court to challenge the government's legal basis for blocking their deal.
Encryption

Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed (arstechnica.com) 76

An anonymous reader quotes a report from Ars Technica: A crippling flaw affecting millions -- and possibly hundreds of millions -- of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents. The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key. Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness.

On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they developed an attack that was 25 percent more efficient than the one created by original ROCA researchers. The new attack was solely the result of Bernstein and Lange based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.

Iphone

Israeli Company Sues Apple Over Dual-Lens Cameras In iPhone 7 Plus, iPhone 8 Plus (macrumors.com) 56

Corephotonics, an Israeli maker of dual-lens camera technologies for smartphones, has filed a lawsuit against Apple this week alleging that the iPhone 7 Plus and iPhone 8 Plus infringe upon four of its patents. Mac Rumors reports: The patents, filed with the U.S. Patent and Trademark Office between November 2013 and June 2016, relate to dual-lens camera technologies appropriate for smartphones, including optical zoom and a mini telephoto lens assembly: U.S. Patent No. 9,402,032; U.S. Patent No. 9,568,712; U.S. Patent No. 9,185,291; U.S. Patent No. 9,538,152. Corephotonics alleges that the two iPhone models copy its patented telephoto lens design, optical zoom method, and a method for intelligently fusing images from the wide-angle and telephoto lenses to improve image quality. iPhone X isn't listed as an infringing product, despite having a dual-lens camera, perhaps because the device launched just four days ago.
Earth

The US Is Now the Only Country In the World To Reject the Paris Climate Deal 719

An anonymous reader quotes a report from The Verge: Today, Syria announced that it would sign the Paris climate agreement -- a landmark deal that commits almost 200 countries to reducing greenhouse gas emissions to fight global warming. With Nicaragua also joining the deal last month, the United States is now the only country in the world that opposes it. In June, President Donald Trump announced that the U.S. will withdraw from the Paris climate accord, unless it is renegotiated to be "fair" to the United States. But other countries in the deal, such as France, Germany, and Italy, said that's not possible. The Trump administration is also taking steps to roll back regulations passed under former President Barack Obama to achieve the emissions reduction goals set under the Paris deal. The U.S. is the second largest emitter of heat-trapping greenhouse gases in the world after China. "With Syria's decision, the relentless commitment of the global community to deliver on Paris is more evident than ever," Paula Caballero, director of the climate change program at the World Resources Institute, told the Times. "The U.S.'s stark isolation should give Trump reason to reconsider his ill-advised announcement and join the rest of the world in tackling climate change."
Encryption

How Cloudflare Uses Lava Lamps To Encrypt the Internet (zdnet.com) 110

YouTuber Tom Scott was invited to visit Cloudflare's San Francisco headquarters to check out the company's wall of lava lamps. These decorative novelty items -- while neat to look at -- serve a special purpose for the internet security company. Cloudflare takes pictures and video of the lava lamps to turn them into "a stream of random, unpredictable bytes," which is used to help create the keys that encrypt the traffic that flow through Cloudflare's network. ZDNet reports: Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services. Cloudflare is known for providing good standards of encryption, but it seems the secret is out -- this reputation is built in part on lava lamps. Roughly 10 percent of the Internet's traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required. According to Nick Sullivan, Cloudfare's head of cryptography, this is where the lava lamps shine. Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken. The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic. "Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data." Cloudflare also reportedly uses a "chaotic pendulum" in its London office to generate randomness, and in Singapore, they use a radioactive source.
Facebook

How Facebook Figures Out Everyone You've Ever Met (gizmodo.com) 219

"I deleted Facebook after it recommended as People You May Know a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email," an attorney told Gizmodo. Kashmir Hill, a reporter at the news outlet, who recently documented how Facebook figured out a connection between her and a family member she did not know existed, shares several more instances others have reported and explains how Facebook gathers information. She reports: Behind the Facebook profile you've built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you've never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections. Because shadow-profile connections happen inside Facebook's algorithmic black box, people can't see how deep the data-mining of their lives truly is, until an uncanny recommendation pops up. Facebook isn't scanning the work email of the attorney above. But it likely has her work email address on file, even if she never gave it to Facebook herself. If anyone who has the lawyer's address in their contacts has chosen to share it with Facebook, the company can link her to anyone else who has it, such as the defense counsel in one of her cases. Facebook will not confirm how it makes specific People You May Know connections, and a Facebook spokesperson suggested that there could be other plausible explanations for most of those examples -- "mutual friendships," or people being "in the same city/network." The spokesperson did say that of the stories on the list, the lawyer was the likeliest case for a shadow-profile connection. Handing over address books is one of the first steps Facebook asks people to take when they initially sign up, so that they can "Find Friends." The problem with all this, Hill writes, is that Facebook doesn't explicitly say the scale at which it would be using the contact information it gleans from a user's address book. Furthermore, most people are not aware that Facebook is using contact information taken from their phones for these purposes.

Slashdot Top Deals