Encryption

US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com) 249

schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
Bitcoin

Feds Shut Down Allegedly Fraudulent Cryptocurrency Offering (arstechnica.com) 47

An anonymous reader quotes a report from Ars Technica: The Securities and Exchange Commission on Monday announced that it was taking action against an initial coin offering (ICO) that the SEC alleges is fraudulent. The announcement represents the first enforcement action by the SEC's recently created cyber fraud unit. In July, the agency fired a warning shot. It announced that a 2016 fundraising campaign had run afoul of securities law, but that the SEC would decline to prosecute those responsible. The hope was to get the cryptocurrency world to take securities laws more seriously without doing anything drastic. Now the SEC is taking the next step by prosecuting what it considers to be one of the most egregious scams in the ICO world. The SEC's complaint, filed in federal court in New York, is against Dominic Lacroix, whom the SEC describes as a "recidivist securities law violator." The SEC considers Lacroix's cryptocurrency project, PlexCoin, to be a "fast-moving Initial Coin Offering (ICO) fraud that raised up to $15 million from thousands of investors since August by falsely promising a 13-fold profit in less than a month." The PlexCoin website has a hilariously vague description of this supposedly revolutionary cryptocurrency. "The PlexCoin's new revolutionary operating structure is safer and much easier to use than any other current cryptocurrency," the site proclaims. "One of the many features of PlexBank will be to secure your cryptocurrency from market variation, which is highly volatile, and invest your money in a place where you can get interesting guaranteed returns." According to Ars, "The SEC isn't impressed and is arguing that PlexCoin has 'all of the characteristics of a full-fledged cyber scam.' The agency is seeking to freeze the assets of the PlexCoin project in hopes of getting investors' funds back to them."
Canada

ISPs and Movie Industry Prepare Canadian Pirate Site Blocking Deal (torrentfreak.com) 86

An anonymous reader quotes a report from TorrentFreak: A coalition of movie industry companies and ISPs, including Bell, Rogers, and Cineplex are discussing a proposal to implement a plan to allow for website blockades without judicial oversight. The Canadian blocklist would be maintained by a new non-profit organization called "Internet Piracy Review Agency" (IPRA) and enforced through the CRTC, Canadaland reports. The plan doesn't come as a total surprise as Bell alluded to a nationwide blocking mechanism during a recent Government hearing. What becomes clear from the new plans, however, is that the telco is not alone. The new proposal is being discussed by various stakeholders including ISPs and local movie companies. As in other countries, major American movie companies are also in the loop, but they will not be listed as official applicants when the plan is submitted to the CRTC. Canadian law professor Michael Geist is very critical of the plans. Although the proposal would only cover sites that "blatantly, overwhelmingly or structurally" engage in or facilitate copyright infringement, this can be a blurry line.

"Recent history suggests that the list will quickly grow to cover tougher judgment calls. For example, Bell has targeted TVAddons, a site that contains considerable non-infringing content," Geist notes. "It can be expected that many other sites disliked by rights holders or broadcasters would find their way onto the block list," he adds. While the full list of applicants is not ready yet, it is expected that the coalition will file its proposal to the CRTC before the end of the month.

Privacy

Germany Preparing Law for Backdoors in Any Type of Modern Device (bleepingcomputer.com) 251

Catalin Cimpanu, writing for BleepingComputer: German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more. Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND). The man supporting this proposal is Thomas de Maiziere, Germany's Interior Minister, who cites the difficulty law enforcement agents have had in past months investigating the recent surge of terrorist attacks and other crimes.
Privacy

Trump Is Looking at Plans For a Global Network of Private Spies (vice.com) 481

David Gilbert, writing for Vice: The White House is reportedly looking at a proposal to create a ghost network of private spies in hostile countries -- a way of bypassing the intelligence community's "deep state," which Donald Trump believes is a threat to his administration. The network would report directly to the president and CIA Director Mike Pompeo, and would be developed by Blackwater founder Erik Prince, according to multiple current and former officials speaking to The Intercept. "Pompeo can't trust the CIA bureaucracy, so we need to create this thing that reports just directly to him," a former senior U.S. intelligence official with firsthand knowledge of the proposals told the website. Described as "totally off the books," the network would be run by intelligence contractor Amyntor Group and would not share any data with the traditional intelligence community.
Security

A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com) 65

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.
Businesses

Gizmodo: Don't Buy Anyone an Amazon Echo Speaker (gizmodo.com) 257

Adam Clark Estes, writing for Gizmodo: Three years ago, we said the Echo was "the most innovative device Amazon's made in years." That's still true. But you shouldn't buy one. You shouldn't buy one for your family. [...] Your family members do not need an Amazon Echo or a Google Home or an Apple HomePod or whatever that one smart speaker that uses Cortana is called. And you don't either. You only want one because every single gadget-slinger on the planet is marketing them to you as an all-new, life-changing device that could turn your kitchen into a futuristic voice-controlled paradise. You probably think that having an always-on microphone in your home is fine, and furthermore, tech companies only record and store snippets of your most intimate conversations. No big deal, you tell yourself. Actually, it is a big deal. The newfound privacy conundrum presented by installing a device that can literally listen to everything you're saying represents a chilling new development in the age of internet-connected things. By buying a smart speaker, you're effectively paying money to let a huge tech company surveil you. And I don't mean to sound overly cynical about this, either. Amazon, Google, Apple, and others say that their devices aren't spying on unsuspecting families. The only problem is that these gadgets are both hackable and prone to bugs.
The Courts

State Board Concedes It Violated Free Speech Rights of Oregon Man Fined For Writing 'I Am An Engineer' (oregonlive.com) 178

According to Oregon Live, "A state panel violated a Beaverton man's free speech rights by claiming he had unlawfully used the title 'engineer' and by fining him when he repeatedly challenged Oregon's traffic-signal timing before local media and policymakers, Oregon's attorney general has ruled." From the report: Oregon's Board of Examiners for Engineering and Land Surveying unconstitutionally applied state law governing engineering practice to Mats Jarlstrom when he exercised his free speech about traffic lights and described himself as an engineer since he was doing so "in a noncommercial" setting and not soliciting professional business, the state Department of Justice has conceded. "We have admitted to violating Mr. Jarlstrom's rights," said Christina L. Beatty-Walters, senior assistant attorney general, in federal court Monday. The state's regulation of Jarlstrom under engineering practice law "was not narrowly tailored to any compelling state interests," she wrote in court papers. The state has pledged the board will not pursue the Beaverton man any further when he's not acting in a commercial or professional manner, and on Monday urged a federal judge to dismiss the case. The state also sent a $500 check to Jarlstrom in August, reimbursing him for the state fine.

Jarlstrom and his lawyers argued that's not good enough. They contend Jarlstrom isn't alone in getting snared by the state board's aggressive and "overbroad" interpretation of state law. They contend others have been investigated improperly and want the court to look broader at the state law and its administrative rules and declare them unconstitutional. In the alternative, the state law should be restricted to only regulating engineering communications that are made as part of paid employment or a contractual agreement.

Censorship

Cloudflare's CEO Has a Plan To Never Censor Hate Speech Again (arstechnica.com) 394

"Cloudflare CEO Matthew Prince hated cutting off service to the infamous neo-Nazi site the Daily Stormer in August," reports Ars Technica. "And he's determined not to do it again. 'I'm almost a free-speech absolutist.' Prince said at an event at the New America Foundation last Wednesday. But in a subsequent interview with Ars, Prince argued that in the case of the Daily Stormer, the company didn't have much choice." From the report: Prince's response was to cut Daily Stormer off while laying the groundwork to make sure he'd never have to make a decision like that again. In a remarkable company-wide email sent shortly after the decision, Prince described his own actions as "arbitrary" and "dangerous." "I woke up this morning in a bad mood and decided to kick them off the Internet," Prince wrote in August. "It was a decision I could make because I'm the CEO of a major Internet infrastructure company." He argued that "it's important that what we did today not set a precedent." Prior to August, Cloudflare had consistently refused to police content published by its customers. Last week, Prince made a swing through DC to help ensure that the Daily Stormer decision does not, in fact, set a precedent. He met with officials from the Federal Communications Commission and with researchers at the libertarian Cato Institute and the left-of-center New America Foundation -- all in an effort to ensure that he'd have the political cover he needed to say no next time he came under pressure to take down controversial content.

The law is strongly on Cloudflare's side here. Internet infrastructure providers like Cloudflare have broad legal immunity for content created by their customers. But legal rights may not matter if Cloudflare comes under pressure from customers to take down content. And that's why Prince is working to cultivate a social consensus that infrastructure providers like Cloudflare should not be in the censorship business -- no matter how offensive its customers' content might be.

Piracy

Gamer Streams Pay-Per-View UFC Fight By Pretending To Play It (theverge.com) 75

WheezyJoe writes: A pay-per-view UFC Match was streamed in its entirety on Twitch and other platforms by a gamer pretending he was "playing" the fight as a game. The gamer, AJ Lester, appearing in the corner of the image holding his game controller, made off like he was controlling the action of the "game" when in fact he was re-broadcasting the fight for free. A tweet showing Lester's antics went viral with over 63,000 retweets and 140,000 likes at the time of publication. Another clip shows him reacting wildly yelling "oooooooooooooooh!!!" and "damnnnnnn!" in response to the match.
Piracy

Not Even Free TV Can Get People To Stop Pirating Movies and TV Shows (qz.com) 221

An anonymous reader quotes a report from Quartz: Since the internet made it easier to illegally download and stream movies and TV shows, Hollywood struggled with people pirating its works online. About $5.5 billion in revenue was lost to piracy globally last year, Digital TV Research found (pdf), and it's expected to approach $10 billion by 2022. Streaming-video services like Netflix and Hulu have made it more affordable to access a wide range of titles from different TV networks and movie studios. But the availability of cheap content online has done little to curb piracy, according to research published in Management Science (paywall) last month. Customers who were offered free subscriptions to a video-on-demand package (SVOD) were just as likely to turn to piracy to find programming as those without the offering, researchers at Catolica Lisbon School of Business & Economics and Carnegie Mellon University found.

The researchers partnered with an unnamed internet-service provider -- in a region they chose not to disclose -- to offer customers who were already prone to piracy an on-demand package for free for 45 days. About 10,000 households participated in the study, and about half were given the free service. The on-demand service was packaged like Netflix or Hulu in layout, appearance, and scope of programming, but was delivered through a TV set-top box. It had a personalized recommendation engine that surfaced popular programming based on what those customers were already watching illegally through BitTorrent logs, which were obtained from a third-party firm. The study found that while the participants watched 4.6% more TV overall when they had the free on-demand service, they did not stop using BitTorrent to pirate movies and TV shows that were not included in the offering.

Security

PayPal Says 1.6 Million Customer Details Stolen In Breach At Canadian Subsidiary (bleepingcomputer.com) 24

New submitter Kargan shares a report from BleepingComputer: PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers. The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bills payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash. PayPal reportedly suspended the operations of TIO's network on November 10th. "PayPal says the intruder(s) got access to the personal information of both TIO customers and customers of TIO billers," reports BleepingComputer. "The company did not reveal what type of information the attacker accessed, but since this is a payment system, attackers most likely obtained both personally-identifiable information (PII) and financial details." The company has started notifying customers and is offering free credit monitoring memberships.
The Internet

FCC Won't Delay Vote, Says Net Neutrality Supporters Are 'Desperate' (arstechnica.com) 347

An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission will move ahead with its vote to kill net neutrality rules next week despite an unresolved court case that could strip away even more consumer protections. FCC Chairman Ajit Pai says that net neutrality rules aren't needed because the Federal Trade Commission can protect consumers from broadband providers. But a pending court case involving AT&T could strip the FTC of its regulatory authority over AT&T and similar ISPs. A few dozen consumer advocacy groups and the City of New York urged Pai to delay the net neutrality-killing vote in a letter today. If the FCC eliminates its rules and the court case goes AT&T's way, there would be a "'regulatory gap' that would leave consumers utterly unprotected," the letter said. When contacted by Ars, Pai's office issued this statement in response to the letter: "This is just evidence that supporters of heavy-handed Internet regulations are becoming more desperate by the day as their effort to defeat Chairman Pai's plan to restore Internet freedom has stalled. The vote will proceed as scheduled on December 14."
Censorship

Apple, Google CEOs Bring Star Power as China Promotes Censorship (bloomberg.com) 38

An anonymous reader shares a Bloomberg report: Apple's Tim Cook and Google's Sundar Pichai made their first appearances at China's World Internet Conference, bringing star power to a gathering the Chinese government uses to promote its strategy of tight controls online. Apple's chief executive officer gave a surprise keynote at the opening ceremony on Sunday, calling for future internet and AI technologies to be infused with privacy, security and humanity. The same day, one of China's most-senior officials called for more aggressive government involvement online to combat terrorism and criminals. Wang Huning, one of seven men on China's top decision-making body, even called for a global response team to go well beyond its borders. It was Cook's second appearance in China in two months, following a meeting with President Xi Jinping in October. The iPhone maker has most of its products manufactured in the country and is trying to regain market share in smartphones against local competitors such as Huawei. "The theme of this conference -- developing a digital economy for openness and shared benefits -- is a vision we at Apple share," Cook said. "We are proud to have worked alongside many of our partners in China to help build a community that will join a common future in cyberspace."
Iphone

Should Apple Share iPhone X Face Data With App Developers? (washingtonpost.com) 66

The Washington Post ran a technology column asking what happens "when the face-mapping tech that powers the iPhone X's cutesy 'Animoji' starts being used for creepier purposes." It's not just that the iPhone X scans 30,000 points on your face to make a 3D model. Though Apple stores that data securely on the phone, instead of sending it to its servers over the Internet, "Apple just started sharing your face with lots of apps." Although their columnist praises Apple's own commitment to privacy, "I also think Apple rushed into sharing face maps with app makers that may not share its commitment, and it isn't being paranoid enough about the minefield it just entered." "I think we should be quite worried," said Jay Stanley, a senior policy analyst at the American Civil Liberties Union. "The chances we are going to see mischief around facial data is pretty high -- if not today, then soon -- if not on Apple then on Android." Apple's face tech sets some good precedents -- and some bad ones... Less noticed was how the iPhone lets other apps now tap into two eerie views from the so-called TrueDepth camera. There's a wireframe representation of your face and a live read-out of 52 unique micro-movements in your eyelids, mouth and other features. Apps can store that data on their own computers.

To see for yourself, use an iPhone X to download an app called MeasureKit. It exposes the face data Apple makes available. The app's maker, Rinat Khanov, tells me he's already planning to add a feature that lets you export a model of your face so you can 3D print a mini-me. "Holy cow, why is this data available to any developer that just agrees to a bunch of contracts?" said Fatemeh Khatibloo, an analyst at Forrester Research.

"From years of covering tech, I've learned this much," the article concludes. "Given the opportunity to be creepy, someone will take it."
Botnet

How 'Grinch Bots' Are Ruining Online Christmas Shopping (nypost.com) 283

Yes, U.S. Senator Chuck Schumer actually called them "Grinch bots." From the New York Post: The senator said as soon as a retailer puts a hard-to-get toy -- like Barbie's Dreamhouse or Nintendo game systems -- for sale on a website, a bot can snatch it up even before a kid's parents finish entering their credit card information... "Bots come in and buy up all the toys and then charge ludicrous prices amidst the holiday shopping bustle," the New York Democrat said on Sunday... For example, Schumer said, the popular Fingerlings -- a set of interactive baby monkey figurines that usually sell for around $15 -- are being snagged by the scalping software and resold on secondary websites for as much as $1,000 a pop...

In December 2016, Congress passed the Better Online Ticket Sales (BOTS) Act, which Schumer sponsored, to crack down on their use to buy concert tickets, but the measure doesn't apply to other consumer products. He wants that law expanded but knows that won't happen in time for this holiday season. In the meantime, Schumer wants the National Retail Federation and the Retail Industry Leaders Association to block the bots and lead the effort to stop them from buying toys at fair retail prices and then reselling them at outrageous markups.

Intel

Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com) 140

An anonymous reader quotes Liliputing.com: Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.

The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).

Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
Education

Massive Financial Aid Data Breach Proves Stanford Lied For Years To MBAs (poetsandquants.com) 116

14 terabytes of "highly confidential" data about 5,120 financial aid applications over seven years were exposed in a breach at Stanford's Graduate School of Business -- proving that the school "misled thousands of applicants and donors about the way it distributes fellowship aid and financial assistance to its MBA students," reports Poets&Quants. The information was unearthed by a current MBA student, Adam Allcock, in February of this year from a shared network directory accessible to any student, faculty member or staffer of the business school. In the same month, on Feb. 23, the student reported the breach to Jack Edwards, director of financial aid, and the records were removed within an hour of his meeting with Edwards. Allcock, however, says he spent 1,500 hours analyzing the data and compiling an 88-page report on it...

Allcock's discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any MBA program in the world. That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds.

Half the school's students are awarded financial aid, and though Stanford always insisted it was awarded based only on need, the report concluded the school had been "lying to their faces" for more than a decade, also identifying evidence of "systemic biases against international students."

Besides the embarrassing exposure of their financial aid policies, there's another obvious lesson, writes Slashdot reader twentysixV. "It's actually way too easy for users to improperly secure their files in a shared file system, especially if the users aren't particularly familiar with security settings." Especially since Friday the university also reported another university-wide file-sharing platform had exposed "a variety of information from several campus offices, including Clery Act reports of sexual violence and some confidential student disciplinary information from six to 10 years ago."
Businesses

Shouting 'Pay Your Taxes', Activists Occupy Apple Stores in France (marketwatch.com) 233

An anonymous reader quotes MarketWatch: A group of global activists stormed and occupied several Apple Stores in France on Saturday in a move aimed at pressuring the company to pay up on a €13 billion ($15.5 billion) tax bill to the European Union. In a press release, the France unit of the Association for the Taxation of Financial Transactions and Citizen's Action organization (Attac), said 100 of its members occupied the Opera Apple Store in Paris, demanding the company pay its taxes... Attac said dozens of protests were organized at other Apple store locations throughout France on Saturday. In the Paris store, activists were seen via videos circulating on Twitter, pushing past security and hanging a banner that said "We will stop when Apple pays." Security in Paris reportedly evacuated Apple workers from the building as those protests began.
After three hours they left the store -- leaving behind protest messages on the iPads on display. The group claims that Apple has stashed $230 billion in tax havens around the world, but also hopes to raise awareness about other issues.

"Attac said the action was part of the #PhoneRevolt movement aimed at highlighting unfair practices by Apple, that are not just about taxes, but also pollution via extraction of metals for its phones, worker exploitation and driving a global consumption binge."
The Courts

Free Game Company Sues 14-Year-Old Over 'Cheats' Video -- Claiming DMCA Violation (bbc.co.uk) 237

Bizzeh shared this report from the BBC: A mother has written a letter in defense of her 14-year-old son who is facing a lawsuit over video game cheats in the US. Caleb Rogers is one of two people facing legal action from gaming studio Epic Games for using cheat software to play the free game Fortnite. The studio says it has taken the step because the boy declined to remove a YouTube video he published which promoted how to use the software... "This company is in the process of attempting to sue a 14-year-old child," she wrote in the letter which has been shared online by the news site Torrentfreak.

Ms. Rogers added that she had not given her son parental consent to play the game as stated in its terms and conditions, and that as the game was free to play the studio could not claim loss of profit as a result of the cheats... In a statement given to the website Kotaku, Epic Games said the lawsuit was a result of Mr. Rogers "filing a DMCA counterclaim to a takedown notice on a YouTube video that exposed and promoted Fortnite Battle Royale cheats and exploits... Epic is not OK with ongoing cheating or copyright infringement from anyone at any age," it said.

Cory Doctorow counters that the 14-year-old "correctly asserted that there was no copyright infringement here. Videos that capture small snippets of a videogame do not violate that game creator's copyrights, because they are fair use..."
Transportation

Drone Pilot Arrested After Flying Over Two Stadiums, Dropping Leaflets (cbslocal.com) 108

"A man with an anti-media agenda was arrested in Oakland after he flew a drone over two different stadiums to drop leaflets" last Sunday, writes Slashdot reader execthis. A local CBS station reports: According to investigators, [55-year-old Tracy] Mapes piloted his drone over Levi's Stadium during the second quarter of the 49ers-Seattle game and released a load of pamphlets. He then quickly landed the drone, loaded it up and drove over to Oakland. He flew a similar mission over the Raiders-Broncos game. Santa Clara Police Lt. Dan Moreno said after Mapes was apprehended he defended the illegal action as a form of free speech.
USA Today reports there's now also an ongoing federal investigation "because the Federal Aviation Administration prohibits the flying of drones within five miles of an airport. Both Levi's Stadium and Oakland Coliseum are within that range."

"The San Francisco Chronicle added that the drone was a relatively ineffective messenger because 'most of the drone-dropped leaflets were carried away by the wind.'"
Communications

Volunteers Around the World Build Surveillance-Free Cellular Network Called 'Sopranica' (vice.com) 77

dmoberhaus writes: Motherboard's Daniel Oberhaus spoke to Denver Gingerich, the programmer behind Sopranica, a DIY, community-oriented cell phone network. "Sopranica is a project intended to replace all aspects of the existing cell phone network with their freedom-respecting equivalents," says Gingerich. "Taking out all the basement firmware on the cellphone, the towers that track your location, the payment methods that track who you are and who owns the number, and replacing it so we can have the same functionality without having to give up all the privacy that we have to give up right now. At a high level, it's about running community networks instead of having companies control the cell towers that we connect to." Motherboard interviews Gingerich and shows you how to use the network to avoid cell surveillance. According to Motherboard, all you need to do to join Sopranica is "create a free and anonymous Jabber ID, which is like an email address." Jabber is slang for a secure instant messaging protocol called XMPP that lets you communicate over voice and text from an anonymous phone number. "Next, you need to install a Jabber app on your phone," reports Motherboard. "You'll also need to install a Session Initiation Protocol (SIP) app, which allows your phone to make calls and send texts over the internet instead of the regular cellular network." Lastly, you need to get your phone number, which you can do by navigating to Sopranica's JMP website. (JMP is the code, which was published by Gingerich in January, and "first part of Sopranica.") "These phone numbers are generated by Sopranica's Voice Over IP (VOIP) provider which provides talk and text services over the internet. Click whichever number you want to be your new number on the Sopranica network and enter your Jabber ID. A confirmation code should be sent to your phone and will appear in your Jabber app."
As for how JMP protects against surveillance, Gingerich says, "If you're communicating with someone using your JMP number, your cell carrier doesn't actually know what your JMP number is because that's going over data and it's encrypted. So they don't know that that communication is happening."
Government

Tesla Proves To Be Too Pricey For Germany, Loses Tax Subsidies (reuters.com) 121

Tesla has been removed from Germany's list of electric cars eligible for subsidies because its Model S sedan is too expensive for the scheme. Tesla customers cannot order the Model S base version without extra features that pushed the car above the 60,000 euro ($71,500) price limit, a spokesman for the German Federal Office for Economic Affairs and Export Controls (BAFA) said on Friday. From the report: Germany last year launched the incentive scheme worth about 1 billion euros, partly financed by the German car industry, to boost electric car usage. A price cap was included to exempt premium models. "This is a completely false accusation. Anyone in Germany can order a Tesla Model S base version without the comfort package, and we have delivered such cars to customers," Tesla said in a statement. The carmaker said the upper price limit was initially set by the German government to exclude Tesla, but later a compromise was reached "that allows Tesla to sell a low option vehicle that qualifies for the incentive and customers can subsequently upgrade if they wish." It said, however, it would investigate whether any car buyers were denied the no-frills version. Under the subsidy scheme, buyers get 4,000 euros off their all-electric vehicle purchase and 3,000 euros off plug-in hybrids.
Bitcoin

Blockchains Are Poised To End the Password Era (technologyreview.com) 129

schwit1 shares a report from MIT Technology Review: Blockchain technology can eliminate the need for companies and other organizations to maintain centralized repositories of identifying information, and users can gain permanent control over who can access their data (hence "self-sovereign"), says Drummond Reed, chief trust officer at Evernym, a startup that's developing a blockchain network specifically for managing digital identities. Self-sovereign identity systems rely on public-key cryptography, the same kind that blockchain networks use to validate transactions. Although it's been around for decades, the technology has thus far proved difficult to implement for consumer applications. But the popularity of cryptocurrencies has inspired fresh commercial interest in making it more user-friendly.

Public-key cryptography relies on pairs of keys, one public and one private, which are used to authenticate users and verify their encrypted transactions. Bitcoin users are represented on the blockchain by strings of characters called addresses, which are derived from their public keys. The "wallet" applications they use to hold and exchange digital coins are essentially management systems for their private keys. Just like a real wallet, they can also hold credentials that serve as proof of identification, says Reed. Using a smartphone or some other device, a person could use a wallet-like application to manage access to these credentials. But will regular consumers buy in? Technologists will need to create a form factor and user experience compelling enough to convince them to abandon their familiar usernames and passwords, says Meltem Demirors, development director at Digital Currency Group, an investment firm that funds blockchain companies. The task calls for reinforcements, she says: "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."

Businesses

Homeland Security Claims DJI Drones Are Spying For China (engadget.com) 82

A memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) says that the officials assess "with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government." It also says that the information is based on "open source reporting and a reliable source within the unmanned aerial systems industry with first and secondhand access." Engadget reports: Part of the memo focuses on targets that the LA ICE office believes to be of interest to DJI. "DJI's criteria for selecting accounts to target appears to focus on the account holder's ability to disrupt critical infrastructure," it said. The memo goes on to say that DJI is particularly interested in infrastructure like railroads and utilities, companies that provide drinking water as well as weapon storage facilities. The LA ICE office concludes that it, "assesses with high confidence the critical infrastructure and law enforcement entities using DJI systems are collecting sensitive intelligence that the Chinese government could use to conduct physical or cyber attacks against the United States and its population." The accusation that DJI is using its drones to spy on the US and scope out particular facilities for the Chinese government seems pretty wacky and the company itself told the New York Times that the memo was "based on clearly false and misleading claims."
The Internet

Was Your Name Stolen To Support Killing Net Neutrality? (dslreports.com) 128

An anonymous reader quotes a report from DSLReports: New York Attorney General Eric Schneiderman has launched a new tool for users interested in knowing whether their identity was stolen and used to fraudulently support the FCC's attack on popular net neutrality rules. The NY AG's office announced earlier this month that it was investigating identity theft and comment fraud during the FCC's public comment period. Researchers have noted repeatedly how "someone" used a bot to fill the comment proceeding with bogus support for the FCC plan, with many of the names being those of folks who'd never heard of net neutrality -- or were even dead. The new AG tool streamlines the act of searching the FCC proceeding for comments filed falsely in your name, and lets you contribute your findings to the AG's ongoing investigation into identity theft.

"Such conduct likely violates state law -- yet the FCC has refused multiple requests for crucial evidence in its sole possession that is vital to permit that law enforcement investigation to proceed," noted Schneiderman. "We reached out for assistance to multiple top FCC officials, including you, three successive acting FCC General Counsels, and the FCC's Inspector General. We offered to keep the requested records confidential, as we had done when my office and the FCC shared information and documents as part of past investigative work." "Yet we have received no substantive response to our investigative requests," stated the AG. "None." As such, the AG is taking its fight to the public itself.

Piracy

Netflix Is Not Going to Kill Piracy, Research Suggests (torrentfreak.com) 158

Even as more people than ever are tuning in to Netflix, Hulu, Amazon Prime and other streaming services, piracy too continues to thrive, research suggests. An anonymous reader shares a report: Intrigued by this interplay of legal and unauthorized viewing, researchers from Carnegie Mellon University and Universidade Catolica Portuguesa carried out an extensive study. They partnered with a major telco, which is not named, to analyze if BitTorrent downloading habits can be changed by offering legal alternatives. The researchers used a piracy-tracking firm to get a sample of thousands of BitTorrent pirates at the associated ISP. Half of them were offered a free 45-day subscription to a premium TV and movies package, allowing them to watch popular content on demand. To measure the effects of video-on-demand access on piracy, the researchers then monitored the legal viewing activity and BitTorrent transfers of the people who received the free offer, comparing it to a control group. The results show that piracy is harder to beat than some would expect. Subscribers who received the free subscription watched more TV, but overall their torrenting habits didn't change significantly. "We find that, on average, households that received the gift increased overall TV consumption by 4.6% and reduced Internet downloads and uploads by 4.2% and 4.5%, respectively. However, and also on average, treated households did not change their likelihood of using BitTorrent during the experiment," the researchers write.
United States

House Panel Advances Bill on Key Surveillance Measure (axios.com) 70

The House Intelligence Committee approved a bill Friday along party lines that would reauthorize a central surveillance law, the Washington Post reports. From a report: It does change the law -- known as Section 702 -- but doesn't satisfy surveillance reform advocates, including in the tech industry. The law is used to authorize the surveillance of electronic communications by foreign nationals abroad, but advocates worry about the programs picking up communications involving Americans as well.
Businesses

Disney Sues Redbox, Hoping To Block Digital Movie Sales (marketwatch.com) 285

phalse phace writes: About 1 month ago, Redbox started selling through their kiosks slips of paper with codes on them that let the buyer download a digital copy of a Disney movie. But Disney says that's a no-no and this week it sued Redbox in an attempt to stop the code sales. According to Marketwatch: "Walt Disney sued Redbox on Thursday in an attempt to stop the DVD rental company from selling digital copies of its movies. Privately held Redbox last month began offering consumers codes they can use to download a digital copy of a Disney movie. Redbox charges between $7.99 and $14.99 for slips of paper with the codes to download Disney films such as "Cars 3" and "Star Wars: The Force Awakens." That is less than those movies cost to buy and download from Apple's iTunes Store. Redbox is only offering digital copies of Disney movies because it doesn't have a distribution arrangement with the studio and buys retail copies of its discs to rent to customers. Those retail DVDs come with digital download codes."
Government

Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com) 162

New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

Intel

System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com) 148

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
Communications

Australian Man Uses Snack Bags As Faraday Cage To Block Tracking By Employer (arstechnica.com) 193

An anonymous reader quotes a report from Ars Technica: A 60-year-old electrician in Perth, Western Australia had his termination upheld by a labor grievance commission when it was determined he had been abusing his position and technical knowledge to squeeze in some recreation during working hours. Tom Colella used mylar snack bags to block GPS tracking via his employer-assigned personal digital assistant to go out to play a round of golf -- more than 140 times -- while he reported he was offsite performing repairs.

In his finding against Colella, Australia Fair Work Commissioner Bernie Riordan wrote: "I have taken into account that Mr Colella openly stored his PDA device in an empty foil 'Twisties' bag. As an experienced electrician, Mr Colella knew that this bag would work as a faraday cage, thereby preventing the PDA from working properly -- especially the provision of regular GPS co-ordinate updates Mr. Colella went out of his way to hide his whereabouts. He was concerned about Aroona tracking him when the Company introduced the PDA into the workplace. He protested about Aroona having this information at that time. Mr Colella then went out of his way to inhibit the functionality of the PDA by placing it in a foil bag to create a faraday cage."

Facebook

Facebook Judge Frowns on Bid To Toss Biometric Face Print Suit (bloomberg.com) 39

Facebook faced a skeptical judge over its second request to get out of a lawsuit alleging its photo scanning technology flouts users' privacy rights. From a report: "The right to say no is a valuable commodity," U.S. District Judge James Donato said Thursday during a hearing in San Francisco. The case concerns the "most personal aspects of your life: your face, your fingers, who you are to the world." The owner of the world's largest social network faces claims that it violated the privacy of millions of users by gathering and storing biometric data without their consent. Alphabet's Google is fighting similar claims in federal court in Chicago.
Medicine

An Unconscious Patient With a 'DO NOT RESUSCITATE' Tattoo (nejm.org) 454

A real-life case study, published in the New England Journal of Medicine, documents the ethical dilemma that a Florida hospital faced after a 70-year-old unresponsive patient arrived at the hospital. The medical staff, the journal notes, was taken aback when it discovered the words "DO NOT RESUSCITATE" tattooed onto the man's chest. Furthermore, the word "NOT" was underlined with his signature beneath it. The patient had a history of chronic obstructive pulmonary disease, diabetes mellitus, and atrial fibrillation. Confused and alarmed, the medical staff chose to ignore the apparent DNR request -- but not without alerting the hospital's ethics team, which had a different take on the matter. From the report: We initially decided not to honor the tattoo, invoking the principle of not choosing an irreversible path when faced with uncertainty. This decision left us conflicted owing to the patient's extraordinary effort to make his presumed advance directive known; therefore, an ethics consultation was requested. He was placed on empirical antibiotics, received intravenous fluid resuscitation and vasopressors, and was treated with bilevel positive airway pressure. After reviewing the patient's case, the ethics consultants advised us to honor the patient's do not resuscitate (DNR) tattoo. They suggested that it was most reasonable to infer that the tattoo expressed an authentic preference, that what might be seen as caution could also be seen as standing on ceremony, and that the law is sometimes not nimble enough to support patient-centered care and respect for patients' best interests. A DNR order was written. Subsequently, the social work department obtained a copy of his Florida Department of Health "out-of-hospital" DNR order, which was consistent with the tattoo. The patient's clinical status deteriorated throughout the night, and he died without undergoing cardiopulmonary respiration or advanced airway management.
Google

Google Faces Lawsuit For Gathering Personal Data From Millions of iPhone Users (betanews.com) 35

Mark Wilson writes: A group going by the name Google You Owe Us is taking Google to court in the UK, complaining that the company harvested personal data from 5.4 million iPhone users. The group is led by Richard Lloyd, director of consumer group Which?, and it alleges that Google bypassed privacy settings on iPhones between June 2011 and February 2012. The lawsuit seeks compensation for those affected by what is described as a "violation of trust." Google is accused of breaching UK data protection laws, and Lloyd says that this is "one of the biggest fights of my life." Even if the case is successful, the people represented by Google You Owe Us are not expected to receive more than a few hundred pounds each, and this is not an amount that would make much of an impact on Google's coffers.
Bitcoin

Coinbase Ordered To Report 14,355 Users To the IRS (theverge.com) 141

Nearly a year after the case was initially filed, Coinbase has been ordered to turn over identifying records for all users who have bought, sold, sent, or received more than $20,000 through their accounts in a single year. The digital asset broker estimates that 14,355 users meet the government's requirements. The Verge reports: For each account, the company has been asked to provide the IRS with the user's name, birth date, address, and taxpayer ID, along with records of all account activity and any associated account statements. The result is both a definitive link to the user's identity and a comprehensive record of everything they've done with their Coinbase account, including other accounts to which they've sent money. The order is significantly narrower than the IRS's initial request, which asked for records on every single Coinbase user over the same period. That request would also have required all communications between Coinbase and the user, a measure the judge ultimately found unnecessarily comprehensive. The government made no claim of suspicion against individual users, but instead argued that the order was justified based on the discrepancy between Coinbase users and U.S. citizens reporting Bitcoin gains to the IRS.
Power

EPA Confirms Tesla's Model 3 Has a Range of 310 Miles (theverge.com) 282

Tesla's Model 3 has a confirmed range of 310 miles, according to the Environmental Protection Agency. "That figure applies to the long-range version of the Model 3, and echoes the vehicle specs released by Tesla back in July," reports The Verge. "It also makes the Model 3 one of the most efficient passenger electric vehicles on the market." From the report: The EPA's range is used as the advertised figure for electric vehicles that are sold in the US. The 310-mile range is an estimate of the number of miles the vehicle should be able to travel in combined city and highway driving from a full charge. That's 131 miles per gallon gasoline equivalent (MPGe) for city driving, 120 MPGe on the highway, and 126 MPGe combined. You'll have to pay more to get that extended range, though. Tesla said it would be selling a standard version of the Model 3, with just 220 miles of range, for $35,000. The long-range version will start at $44,000, the automaker says. Production on the standard version isn't expected to begin until 2018.
Facebook

Facebook's New Captcha Test: 'Upload A Clear Photo of Your Face' (wired.com) 302

An anonymous reader shares a report: Facebook may soon ask you to "upload a photo of yourself that clearly shows your face," to prove you're not a bot. The company is using a new kind of captcha to verify whether a user is a real person. According to a screenshot of the identity test shared on Twitter on Tuesday and verified by Facebook, the prompt says: "Please upload a photo of yourself that clearly shows your face. We'll check it and then permanently delete it from our servers." The process is automated, including identifying suspicious activity and checking the photo. To determine if the account is authentic, Facebook looks at whether the photo is unique.
Communications

FCC Chairman Keeps Up Assault on Social Media (axios.com) 193

Republican FCC Chairman Ajit Pai is doubling down on his critique of tech companies, asking whether social media is "a net benefit to American society" in remarks at the Media Institute on Wednesday. "Now, I will tell you upfront that I don't have an answer." From a report: What he said: Pai made the case that social media has been key to the politicization of many aspects of American life. "Everything nowadays is political. Everything. ... This view that politics-is-all is often made worse by social media," he said, per his prepared remarks.
Privacy

Sensitive Personal Information of 246,000 DHS Employees Found on Home Computer (usatoday.com) 59

The sensitive personal information of 246,000 Department of Homeland Security employees was found on the home computer server of a DHS employee in May, according to documents obtained by USA TODAY. From the report: Also discovered on the server was a copy of 159,000 case files from the inspector general's investigative case management system, which suspects in an ongoing criminal investigation intended to market and sell, according to a report sent by DHS Inspector General John Roth on Nov. 24 to key members of Congress. The information included names, Social Security numbers and dates of birth, the report said. The inspector general's acting chief information security officer reported the breach to DHS officials on May 11, while IG agents reviewed the details. Acting DHS Secretary Elaine Duke decided on Aug. 21 to notify affected employees who were employed at the department through the end of 2014 about the breach.
Privacy

This Impenetrable Program Is Transforming How Courts Treat DNA Evidence (wired.com) 186

mirandakatz writes: Probabilistic genotyping is a type of DNA testing that's becoming increasingly popular in courtrooms: It uses complex mathematical formulas to examine the statistical likelihood that a certain genotype comes from one individual over another, and it can work with the subtlest traces of DNA. At Backchannel, Jessica Pishko looks at one company that's caught criminal justice advocates' attention: Cybergenetics, which sells a probabilistic genotyping program called TrueAllele -- and that refuses to reveal its source code. As Pishko notes, some legal experts are arguing that TrueAllele revealing its source code 'is necessary in order to properly evaluate the technology. In fact, they say, justice from an unknown algorithm is no justice at all.'
Businesses

Apple Accuses Qualcomm of Patent Infringement in Countersuit (reuters.com) 34

From a report: Apple on Wednesday filed a countersuit against Qualcomm, alleging that Qualcomm's Snapdragon mobile phone chips that power a wide variety of Android-based devices infringe on Apple's patents, the latest development in a long-running dispute. Qualcomm in July accused Apple of infringing several patents related to helping mobile phones get better battery life. Apple has denied the claims that it violated Qualcomm's battery life patents and alleged that Qualcomm's patents were invalid, a common move in such cases. But on Wednesday, in a filing in U.S. District Court in San Diego, Apple revised its answer to Qualcomm's complaint with accusations of its own. Apple alleges it owns at least eight battery life patents that Qualcomm has violated.
Software

Three Quarters of Android Apps Track Users With Third Party Tools, Says Study (theguardian.com) 46

A study by French research organization Exodus Privacy and Yale University's Privacy Lab analyzed mobile apps for the signatures of 25 known trackers and found that more than three in four Android apps contain at least one third-party "tracker." The Guardian reports: Among the apps found to be using some sort of tracking plugin were some of the most popular apps on the Google Play Store, including Tinder, Spotify, Uber and OKCupid. All four apps use a service owned by Google, called Crashlytics, that primarily tracks app crash reports, but can also provide the ability to "get insight into your users, what they're doing, and inject live social content to delight them." Other less widely-used trackers can go much further. One cited by Yale is FidZup, a French tracking provider with technology that can "detect the presence of mobile phones and therefore their owners" using ultrasonic tones. FidZup says it no longer uses that technology, however, since tracking users through simple wifi networks works just as well.
Privacy

A Supreme Court Case This Week Could Change US Digital Privacy Standards 74

On November 29th, the U.S. Supreme Court will hear oral arguments in Carpenter v. US, a case essentially asking whether or not authorities need a warrant based on probable cause and signed by a judge to see your cellphone location data. For now, they do not. Given the fact that about 95% of Americans have cellphones, this case has major implications. Quartz reports: Mobile-service providers collect "cell site location information" (CSLI) for all phones, ostensibly to use for things like improving their networks. The U.S. government considers these data "routinely collected business records" rather than private information. That means it can demand the records without proving probable cause. That's what happened in the criminal case of Timothy Carpenter, accused of a series of Detroit, Michigan robberies. At Carpenter's trial, prosecutors presented evidence collected by private companies, obtained by the law without probable cause. They used 127 days' worth of cellphone-location data, amounting to almost 13,000 data points, to tell a circumstantial story of Carpenter's comings and goings.

In its brief to the high court, filed in September, the justice department argued that when Carpenter signed onto his cell-phone provider's service, he agreed that his call records weren't private information belonging to him, but rather business records belonging to the company. Therefore, he should have "no reasonable expectation of privacy" when it comes to these records, government attorneys wrote. Carpenter argues that the location evidence was obtained illegally. The Sixth Circuit Court of Appeals denied that claim last year, basing their decision on Supreme Court cases from the 1970s: Smith v. Maryland and US v. Miller. The appeals court concluded that, under what's called the "third-party doctrine," Americans don't have a reasonable expectation of privacy in things like check deposit slips, similar banking records, and dialed telephone numbers.
Bug

MacOS High Sierra Bug Allows Login As Root With No Password (theregister.co.uk) 237

An anonymous reader quotes a report from The Register: A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug is triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings. If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen. The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world -- it's certainly far from a remote hole or a disk decryption technique -- it's just really, really sad to see megabucks Apple drop the ball like this. Developer Lemi Orhan Ergan was the first to alert the world to the flaw. The Register notes: "If you have a root account enabled and a password for it set, the blank password trick will not work. So, keep the account enabled and set a root password right now..."
Businesses

Uber Trained Employees on How To 'Impede, Obstruct or Influence' Ongoing Legal Investigations, Ex-employee Says (cnbc.com) 62

From a report on CNBC: Uber faced fresh allegations on Tuesday that it deliberately took steps to keep "unlawful schemes from seeing the light of day." Hours of testimony on Tuesday centered around a letter from a former Uber security analyst's attorney to an Uber lawyer. The former analyst, Richard Jacobs, said in the letter there was a directive for Uber employees to use disappearing chat apps like Wickr, and that Uber sent employees to Pittsburgh (where it's developing its autonomous vehicles) to "educate" them on how to prevent "Uber's unlawful schemes from seeing the light of day." He reportedly made other bombshell allegations in the letter, including that employees at Uber were trained to "impede" ongoing investigations, multiple media outlets reported.
Security

New NSA Leak Exposes Red Disk, the Army's Failed Intelligence System (zdnet.com) 67

Zack Whittaker, reporting for ZDNet: The contents of a highly sensitive hard drive belonging to a division of the National Security Agency have been left online. The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." The disk image belongs to the US Army's Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA. The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, and Viacom, and several government departments, were all dinged by unsecured data.
HP

HP Quietly Installs System-Slowing Spyware On Its PCs, Users Say (computerworld.com) 127

It hasn't been long since Lenovo settled a massive $3.5 million fine for preinstalling adware on laptops without users' consent, and it appears HP is on the same route already. According to numerous reports gathered by news outlet Computerworld, the brand is deploying a telemetry client on customer computers without asking permission. The software, called "HP Touchpoint Analytics Service", appears to replace the self-managed HP Touchpoint Manager solution. To make matters worse, the suite seems to be slowing down PCs, users say. From the report: Dubbed "HP Touchpoint Analytics Service," HP says it "harvests telemetry information that is used by HP Touchpoint's analytical services." Apparently, it's HP Touchpoint Analytics Client version 4.0.2.1435. There are dozens of reports of this new, ahem, service scattered all over the internet. According to Gunter Born, reports of the infection go all the way back to Nov. 15, when poster MML on BleepingComputer said: "After the latest batch of Windows updates, about a half hour after installing the last, I noticed that this had been installed on my computer because it showed up in the notes of my Kaspersky, and that it opened the Windows Dump File verifier and ran a disk check and battery test." According to Gartner, HP was the largest PC vendor in the quarter that ended in September this year.
Privacy

Researchers Identify 44 Trackers in More Than 300 Android Apps (bleepingcomputer.com) 87

Catalin Cimpanu, reporting for BleepingComputer: A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android apps and record user activity, sometimes without user consent. The results of this study come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what's happening on most of today's popular websites. The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps -- such as Uber, Twitter, Tinder, Soundcloud, or Spotify. The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.
Cellphones

White House Weighs Personal Mobile Phone Ban For Staff (bloomberg.com) 113

The White House is considering banning its employees from using personal mobile phones while at work. While President Trump has been vocal about press leaks since taking office, one official said the potential change is driven by cybersecurity concerns. Bloomberg reports: One official said that there are too many devices connected to the campus wireless network and that personal phones aren't as secure as those issued by the federal government. White House Chief of Staff John Kelly -- whose personal phone was found to be compromised by hackers earlier this year -- is leading the push for a ban, another official said. The White House already takes precautions with personal wireless devices, including by requiring officials to leave phones in cubbies outside of meeting rooms where sensitive or classified information is discussed. Top officials haven't yet decided whether or when to impose the ban, and if it would apply to all staff in the executive office of the president. While some lower-level officials support a ban, others worry it could result in a series of disruptive unintended consequences.
