Data Storage

Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com) 160

BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issue makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.

The Internet

Senate Will Force Vote On Overturning Net Neutrality Repeal (theverge.com) 143

An anonymous reader quotes a report from The Verge: Senator Ed Markey (D-MA) has mustered the 30 votes necessary to force a vote on the FCC's decision to repeal net neutrality. Senator Claire McCaskill (D-MO) announced that she's signed onto Markey's request to overturn the new rules, under the Congressional Review Act -- which lets Congress nullify recently passed regulations with a simple majority. Markey announced his intention to file a resolution of disapproval in December, just after the FCC voted on new rules that killed net neutrality protections from 2015. These new rules were officially published last week, and with 30 sponsors, Markey can make the Senate vote on whether to consider overturning them. If this happens, it would lead to a debate and final vote. That's not remotely the end of the process: if it's approved, the resolution will go to the House, and if it passes there, the desk of Donald Trump, who seems unlikely to approve it.
Businesses

After Iceland and Germany, Now France Declares War on the Gender Wage Gap (fastcompany.com) 293

France says it wants to make good on at least one-third of its motto of "liberte, egalite, and fraternite," by ensuring pay equality. From a report: The French government announced it is devising a "tough, concrete" plan to make the gender pay gap as much a thing of the past as Madame DeFarge's knitting habit. Per the Associated Press, France's plan for pay equity is still a work in progress. However, legislators may require companies to release the average salaries of their male and female employees and analyze them for disparities.
Google

James Damore Sues Google For Allegedly Discriminating Against Conservative White Men (theverge.com) 1175

An anonymous reader shares a report: The author of the controversial memo that upended Google in August is suing the company, alleging that white, male conservatives are systematically discriminated against by Google. James Damore was fired as an engineer after a manifesto questioning the benefits of diversity programs was widely passed around the company. In a new lawsuit, he and another fired engineer claim that "employees who expressed views deviating from the majority view at Google on political subjects raised in the workplace and relevant to Google's employment policies and its business, such as 'diversity' hiring policies, 'bias sensitivity,' or 'social justice,' were/are singled out, mistreated, and systematically punished and terminated from Google, in violation of their legal rights."
Businesses

SpaceX Completes First Launch of 2018: Secretive 'Zuma' Spacecraft (cnn.com) 103

SpaceX's first launch of 2018 was "a secretive spacecraft commissioned by the U.S. government for an undisclosed mission," reports TechCrunch. An anonymous reader quotes CNN: After more than a month of delays, a SpaceX Falcon 9 rocket vaulted toward the skies at 8 p.m. ET Sunday with the secretive payload. It launched from Cape Canaveral Air Force Station in Florida... The company [then] executed its signature move: guiding the first-stage rocket booster back to Earth for a safe landing. Just over two minutes after liftoff Sunday, the first-stage booster separated from the second stage and fired up its engines. The blaze allowed the rocket to safely cut back through the Earth's atmosphere and land on a pad at the Cape Canaveral Air Force Station... The company completed a record-setting 18 launches last year, and SpaceX plans to do even more this year, according to spokesman James Gleeson.
Crime

Kansas 'Swat' Perpetrator Had Already Been To Prison For Fake Bomb Threats (go.com) 315

More details are emerging about an online gamer whose fake call to Kansas police led to a fatal shooting:
  • "After phoning in a false bomb threat to a Glendale, California TV station in 2015, Tyler Barriss threatened to kill his grandmother if she reported him, according to local reports and court documents." -- The Wichita Eagle
  • "The Glendale Police Department confirmed to ABC News that Tyler Barriss made about 20 calls to universities and media outlets throughout the country around the time he was arrested for a bomb threat to Los Angeles ABC station KABC in 2015... He was sentenced to two years and eight months in jail, court records show." -- ABC News
  • "Within months of his release in August, he had already become the target of a Los Angeles Police Department investigation into similar hoax calls... LAPD detectives were planning to meet with federal prosecutors to discuss their investigation..." -- The Los Angeles Times
  • The Wichita Eagle reports that even after the police had fatally shot the person SWauTistic was pretending to be, he continued his phone call with the 911 operator for another 16 minutes -- on a call which lasted over half an hour.
  • Brian Krebs reports that police may have been aided in their investigation by another reformed SWAT perpetrator -- adding that SWauTistic privately claimed to have already called in fake emergencies at approximately 100 schools and 10 homes.

Just last month SWauTistic's Twitter account showed him bragging about a bomb threat which caused the evacuation of a Dallas convention center, according to the Daily Beast -- after which SWauTistic encouraged his Twitter followers to also follow him on a second account, "just in case twitter suspends me for being a god." Later the 25-year-old tweeted that "if you can't pull off a swat without getting busted you're not a leet hacking God its that simple."

Barriss remains in jail in Los Angeles with no bond, though within three weeks he's expected to be extradited to Kansas for his next trial.


Intel

Intel Hit With Three Class-Action Lawsuits Over Meltdown and Spectre Bugs (theguardian.com) 220

An anonymous reader quotes a report from The Guardian: Intel has been hit with at least three class-action lawsuits over the major processor vulnerabilities revealed this week. Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel's delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it "can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment." The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns, which Intel disputes is a major factor. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel said in an earlier statement.
Twitter

Why Twitter Hasn't Banned President Trump (theverge.com) 449

An anonymous reader quotes a report from The Verge: Amid vocal calls for the company to act, Twitter today offered its first explanation for why it hasn't banned President Donald Trump -- without ever saying the man's name. "Elected world leaders play a critical role in that conversation because of their outsized impact on our society," the company said in a blog post. "Blocking a world leader from Twitter or removing their controversial Tweets, would hide important information people should be able to see and debate. It would also not silence that leader, but it would certainly hamper necessary discussion around their words and actions." In its blog post, Twitter reiterated its previous statement that all accounts still must follow the company's rules. The statement seemed to leave open the possibility that it might one day take action against Trump's account, or the accounts of other world leaders who might use the platform to incite violence or otherwise break its rules. "We review Tweets by leaders within the political context that defines them, and enforce our rules accordingly," it said. In response to the claims that Twitter doesn't ban President Trump because he draws attention -- and ad revenue -- to the company, Twitter said: "No one person's account drives Twitter's growth, or influences these decisions. We work hard to remain unbiased with the public interest in mind."
Piracy

Don't Pirate Or We'll Mess With Your Connected Thermostats, Warns East Coast ISP (engadget.com) 252

Internet service provider Armstrong Zoom has roughly a million subscribers in the Northeastern part of the U.S. and is keen to punish those it believes are using file-sharing services. According to Engadget, "the ISP's response to allegedly naughty customers is bandwidth throttling, which is when an ISP intentionally slows down your internet service based on what you're doing online. Armstrong Zoom's warning letter openly threatens its suspected file-sharing customers about its ability to use or control their webcams and connected thermostats." From the report: The East Coast company stated: "Please be advised that this may affect other services which you may have connected to your internet service, such as the ability to control your thermostat remotely or video monitoring services." All U.S. states served by Armstrong Zoom will be experiencing temperatures around or under freezing over the weekend and into the near future. Bandwidth throttling for customers in those areas who have connected thermostats could mean the difference between sickness and health, or even life and death. Seems like an extreme punishment for any allegedly downloaded Game of Thrones cam rips.
Cloud

New US Customs Guidelines Limit Copying Files and Searching Cloud Data (theverge.com) 71

The U.S. Customs and Border Protection Agency has updated its guidelines for electronic border searches, adding new detail to border search rules that were last officially updated in 2009. The Verge reports: Officers can still request that people unlock electronic devices for inspection when they're entering the U.S., and they can still look through any files or apps on those devices. But consistent with a statement from acting commissioner Kevin McAleenan last summer, they're explicitly banned from accessing cloud data -- per these guidelines, that means anything that can't be accessed while the phone's data connection is disabled. The guidelines also draw a distinction between "basic" and "advanced" searches. If officers connect to the phone (through a wired or wireless connection) and copy or analyze anything on it using external devices, that's an advanced search, and it can only be carried out with reasonable suspicion of illegal activity or a national security concern. A supervisor can approve the search, and "many factors" might create reasonable suspicion, including a terrorist watchlist flag or "other articulable factors."
Operating Systems

Eben Upton Explains Why Raspberry Pi Isn't Vulnerable To Spectre Or Meltdown (raspberrypi.org) 116

Raspberry Pi founder and CEO Eben Upton says the Raspberry Pi isn't susceptible to the "Spectre" or "Meltdown" vulnerabilities because of the particular ARM cores they use. "Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel's address space (which should normally be inaccessible to user programs)," Upton writes. He goes on to provide a "primer on some concepts in modern processor design" and "illustrate these concepts using simple programs in Python syntax..."

In conclusion: "Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve," writes Upton. "Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality. The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi renders us immune to attacks of the sort."

AI

Ex-NSA Hacker Is Building an AI To Find Hate and Far-Right Symbols on Twitter and Facebook (vice.com) 509

Motherboard reporter Lorenzo Franceschi-Bicchierai has interviewed Emily Crose, a former NSA hacker, who has built NEMESIS, an AI-powered program that can help spot symbols that have been co-opted by hate groups to signal to each other in plain sight. Crose, who has also moderated Reddit in the past, thought of building NEMESIS after the Charlottesville, Virginia incident last year. From the report: Crose's motivation is to expose white nationalists who use more or less obscure, mundane, or abstract symbols -- or so-called dog whistles -- in their posts, such as the Black Sun and certain Pepe the frog memes. Crose's goal is not only to expose people who use these symbols online but hopefully also push the social media companies to clamp down on hateful rhetoric online. "The real goal is to educate people," Crose told me in a phone call. "And a secondary goal: I'd really like to get the social media platforms to start thinking how they can enforce some decency on their own platforms, a certain level of decorum." [...]

At a glance, the way NEMESIS works is relatively simple. There's an "inference graph," which is a mathematical representation of trained images, classified as Nazi or white supremacist symbols. This inference graph trains the system with machine learning to identify the symbols in the wild, whether they are in pictures or videos. In a way, NEMESIS is dumb, according to Crose, because there are still humans involved, at least at the beginning. NEMESIS needs a human to curate the pictures of the symbols in the inference graph and make sure they are being used in a white supremacist context. For Crose, that's the key to the whole project -- she absolutely does not want NEMESIS to flag users who post Hindu swastikas, for example -- so NEMESIS needs to understand the context. "It takes thousands and thousands of images to get it to work just right," she said.

Businesses

Leading Lobbying Group for Amazon, Facebook, Google and Other Tech Giants is Joining the Legal Battle To Restore Net Neutrality (recode.net) 77

A leading lobbying group for Amazon, Facebook, Google, Netflix, Twitter and other tech giants said Friday that it would be joining the coming legal crusade to restore the U.S. government's net neutrality rules. From a report: The Washington, D.C.-based Internet Association specifically plans to join a lawsuit as an intervening party, aiding the challenge to FCC Chairman Ajit Pai's vote in December to repeal regulations that required internet providers like AT&T and Comcast to treat all web traffic equally, its leader confirmed to Recode. Technically, the Internet Association isn't filing its own lawsuit. That task will fall to companies like Etsy, public advocates like Free Press and state attorneys general, all of which plan to contend they are most directly harmed by Pai's decision, as Recode first reported this week. As an intervener, though, the Internet Association still will play a crucial role, filing legal arguments in the coming case. And in formally participating, tech giants will have the right to appeal a judge's decision later if Silicon Valley comes out on the losing end. "The final version of Chairman Pai's rule, as expected, dismantles popular net neutrality protections for consumers," said the group's chief, Michael Beckerman, in a statement. "This rule defies the will of a bipartisan majority of Americans and fails to preserve a free and open internet."
Businesses

What Happens When States Have Their Own Net Neutrality Rules? (bloomberg.com) 179

Last month FCC Chairman Ajit Pai dismantled Obama-era rules on net neutrality. A handful of lawmakers in liberal-leaning U.S. states plan to spend this year building them back up. The FCC anticipated the move -- the commission's rules include language forbidding states from doing this, warning against an unwieldy patchwork of regulations. But lawmakers in New York and California aren't aiming to be exceptions to the national rules; they're looking to, in effect, create their own. From a report: In New York, Assemblywoman Patricia Fahy introduced a bill that would make it a requirement for internet providers to adhere to the principles of net neutrality as a requirement for landing state contracts. This would mean they couldn't block or slow down certain web traffic, and couldn't offer faster speeds to companies who pay them directly. Fahy said the restrictions on contractors would apply even if the behaviors in question took place outside New York. She acknowledged that the approach could run afoul of limits on states attempting to regulate interstate commerce, but thought the bill could "thread the needle." Even supporters of state legislation on net neutrality think this may go too far. California State Senator Scott Wiener introduced a bill this week that would only apply to behavior within the state, saying any other approach would be too vulnerable to legal challenge.

But this wouldn't be the first time a large state threw around its weight in ways that reverberate beyond its borders. The textbook industry, for instance, has long accommodated the standards of California and Texas. [...] The internet doesn't lend itself cleanly to state lines. It could be difficult for Comcast or Verizon to accept money from services seeking preferential treatment in one state, then make sure that its network didn't reflect those relationships in places where state lawmakers forbade them, said Geoffrey Manne, executive director of the International Center for Law & Economics, a research group.

AI

Amazon Alexa is Coming To Headphones, Smart Watches, Bathrooms and More (cnbc.com) 89

An anonymous reader shares a CNBC report: Amazon announced new tools on Friday that will allow gadget-makers to include the smart voice assistant in a whole array of new products. Alexa is Amazon's smart voice assistant and it has slowly made its way from the Amazon Echo into third-party speakers, refrigerators and, soon, even microwaves. Now, with Amazon's Alexa Mobile Accessory Kit, device makers will be able to build Alexa into headphones, smart watches, fitness trackers and more. That means you may soon be able to look down at your wrist and ask Alexa the weather, or to remind you to pick up eggs at the grocery store. CNET reports Kohler, a company that makes plumbing products, wants to bring Alexa to your bathroom as well.
Government

The FCC Is Preparing To Weaken the Definition of Broadband (dslreports.com) 217

An anonymous reader quotes a report from DSLReports: Under Section 706 of the Telecommunications Act, the FCC is required to consistently measure whether broadband is being deployed to all Americans uniformly and "in a reasonable and timely fashion." If the FCC finds that broadband isn't being deployed quickly enough to the public, the agency is required by law to "take immediate action to accelerate deployment of such capability by removing barriers to infrastructure investment and by promoting competition in the telecommunications market." Unfortunately, whenever the FCC is stocked by revolving-door regulators all too focused on pleasing the likes of AT&T, Verizon and Comcast, this dedication to expanding coverage and competition often tends to waver.

What's more, regulators beholden to regional duopolies often take things one step further -- by trying to manipulate data to suggest that broadband is faster, cheaper, and more evenly deployed than it actually is. We saw this under former FCC boss Michael Powell (now the top lobbyist for the cable industry), and more recently when the industry cried incessantly when the base definition of broadband was bumped to 25 Mbps downstream, 4 Mbps upstream. We're about to see this effort take shape once again as the FCC prepares to vote in February for a new proposal that would dramatically weaken the definition of broadband. How? Under this new proposal, any area able to obtain wireless speeds of at least 10 Mbps down, 1 Mbps up would be deemed good enough for American consumers, pre-empting any need to prod industry to speed up or expand broadband coverage.

Censorship

France's President Macron Wants To Block Websites During Elections To Fight 'Fake News' (gizmodo.com) 299

French President Emmanuel Macron has a rather extreme approach to combat fake news: ban entire websites. In a speech to journalists on Wednesday, Macron said he planned to introduce new legislation to strictly regulate fake news during online political campaigns. Gizmodo reports: His proposal included a number of measures, most drastically "an emergency legal action" that could enable the government to either scrap "fake news" from a website or even block a website altogether. "If we want to protect liberal democracies, we must be strong and have clear rules," Macron said. "When fake news are spread, it will be possible to go to a judge... and if appropriate have content taken down, user accounts deleted and ultimately websites blocked."

Macron, himself a target of election interference, also outlined some less extreme measures in his speech yesterday. He proposed more rigid requirements around transparency, specifically in relation to online ads during elections. According to the Guardian, Macron said the legislation would force platforms to publicly identify who their advertisers are, as well as limit how much they can spend on ads over the course of an election campaign.

Cellphones

White House Bans Use of Personal Devices From West Wing (cbsnews.com) 205

In the wake of damaging reports of a chaotic Trump administration detailed in a new book from Michael Wolff, the White House is instituting new policies on the use of personal cellphones in the West Wing. CBS News reports: White House Press Secretary Sarah Huckabee Sanders released the following statement on the policy change: "The security and integrity of the technology systems at the White House is a top priority for the Trump administration and therefore starting next week the use of all personal devices for both guests and staff will no longer be allowed in the West Wing. Staff will be able to conduct business on their government-issued devices and continue working hard on behalf of the American people."

Wolff reportedly gained access to the White House, where he conducted numerous interviews with staffers on the inner workings of the Trump campaign and West Wing operations. Sanders told reporters Wednesday that there were about "a dozen" interactions between Wolff and White House officials, which she said took place at Bannon's request. The White House swiftly slammed the book and those who cooperated with Wolff.

Intel

How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com) 138

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.

Google

Google Blocks Pirate Search Results Prophylactically (torrentfreak.com) 38

Google is accepting "prophylactic" takedown requests to keep pirated content out of its search results, an anonymous reader writes, citing a TorrentFreak report. From the article: Over the past year, we've noticed on a few occasions that Google is processing takedown notices for non-indexed links. While we assumed that this was an 'error' on the sender's part, it appears to be a new policy. "Google has critically expanded notice and takedown in another important way: We accept notices for URLs that are not even in our index in the first place. That way, we can collect information even about pages and domains we have not yet crawled," Caleb Donaldson, copyright counsel at Google writes. In other words, Google blocks URLs before they appear in the search results, as some sort of piracy vaccine. "We process these URLs as we do the others. Once one of these not-in-index URLs is approved for takedown, we prophylactically block it from appearing in our Search results, and we take all the additional deterrent measures listed above." Some submitters are heavily relying on the new feature, Google found. In some cases, the majority of the submitted URLs in a notice are not indexed yet.
Security

Personal Data of a Billion Indians Sold Online For $8, Report Claims (theguardian.com) 74

Michael Safi, reporting for The Guardian: The personal information of more than a billion Indians stored in the world's largest biometric database can be bought online for less than $8, according to an investigation by an Indian newspaper. The reported breach is the latest in a series of alleged leaks from the Aadhaar database, which has been collecting the photographs, thumbprints, retina scans and other identifying details of every Indian citizen. The report in the Chandigarh-based Tribune newspaper claimed that software is also being sold online that can generate fake Aadhaar cards, an identity document that is required to access a growing number of government services including free meals and subsidised grain. The Unique Identification Authority of India (UIDAI), which administers the Aadhaar system, said it appeared the newspaper had accessed only limited details through a search facility that had been made available to government officials.
The Internet

Ajit Pai Backs Out of Planned CES 2018 Appearance (techcrunch.com) 277

New submitter sdinfoserv writes: Ajit Pai, the most hated person in tech since Darl McBride, backed out of a speaking engagement at CES 2018. Apparently he lacks the spine to justify himself before the group of individuals his decisions affect most. Consumer Technology Association head Gary Shapiro announced: "Unfortunately, Federal Communications Commission Chairman Ajit Pai is unable to attend CES 2018. We look forward to our next opportunity to host a technology policy discussion with him before a public audience."
The Internet

After Beating Cable Lobby, Colorado City Moves Ahead With Muni Broadband (arstechnica.com) 198

Last night, the city council in Fort Collins, Colorado, voted to move ahead with a municipal fiber broadband network providing gigabit speeds, two months after the cable industry failed to stop the project. Ars Technica reports: Last night's city council vote came after residents of Fort Collins approved a ballot question that authorized the city to build a broadband network. The ballot question, passed in November, didn't guarantee that the network would be built because city council approval was still required, but that hurdle is now cleared. Residents approved the ballot question despite an anti-municipal broadband lobbying campaign backed by groups funded by Comcast and CenturyLink. The Fort Collins City Council voted 7-0 to approve the broadband-related measures, a city government spokesperson confirmed to Ars today.

While the Federal Communications Commission has voted to eliminate the nation's net neutrality rules, the municipal broadband network will be neutral and without data caps. "The network will deliver a 'net-neutral' competitive unfettered data offering that does not impose caps or usage limits on one use of data over another (i.e., does not limit streaming or charge rates based on type of use)," a new planning document says. "All application providers (data, voice, video, cloud services) are equally able to provide their services, and consumers' access to advanced data opens up the marketplace." The city will also be developing policies to protect consumers' privacy. The city intends to provide gigabit service for $70 a month or less and a cheaper Internet tier.

Privacy

2 Years Later, Security Holes Linger In GPS Services Used By Millions of Devices (securityledger.com) 12

chicksdaddy quotes a report from The Security Ledger: Security researchers say that serious security vulnerabilities linger in GPS software by the China-based firm ThinkRace more than two years after the hole was discovered and reported to the firm, The Security Ledger reports. Data including a GPS-enabled device's location, serial number, assigned phone number and model and type of device can be accessed by any user with access to the GPS service. In some cases, other information is available, including the device's location history going back one week. In some cases, malicious actors could also send commands to the device via SMS, including those used to activate or deactivate geofencing alarm features, such as those used on child-tracking devices.

The vulnerabilities affect hundreds of thousands of connected devices that use the GPS services, from smart watches, to vehicle GPS trackers, fitness trackers, pet trackers and more. At issue are security holes in back-end GPS tracking services that go by names like amber360.com, kiddo-track.com, carzongps.com and tourrun.net, according to Michael Gruhn, an independent security researcher who noted the insecure behavior in a location tracker he acquired and has helped raise awareness of the widespread flaws. Working with researcher Vangelis Stykas, Gruhn discovered scores of seemingly identical GPS services, many of which have little security, allowing low-skill hackers to directly access data on GPS tracking devices.

Alas, news about the security holes is not new. In fact, the security holes in ThinkRace's GPS services are identical to those discovered by New Zealand researcher Lachlan Temple in 2015 and publicly disclosed at the time. Temple's research focused on one type of device: a portable GPS tracker that plugged into a vehicle's On Board Diagnostic (or OBD) port. However, Stykas and Gruhn say that they have discovered the same holes spread across a much wider range of APIs (application program interfaces) and services linked to ThinkRace.

Intel

Intel Responds To Alleged Chip Flaw, Claims Effects Won't Significantly Impact Average Users (hothardware.com) 375

An anonymous reader quotes a report from Hot Hardware: The tech blogosphere lit up yesterday afternoon after reports that a critical bug in modern Intel processors has the potential to seriously impact systems running Windows, Linux and macOS. The alleged bug is so severe that it cannot be corrected with a microcode update, and instead, OS manufacturers are being forced to address the issue with software updates, which in some instances requires a redesign of the kernel software. Some early performance benchmarks have even suggested that patches to fix the bug could result in a performance hit of as much as 30 percent. Since reports on the issue have exploded over the past 24 hours, Intel is looking to cut through the noise and tell its side of the story. The details of the exploit and software/firmware updates to address the matter at hand were scheduled to go live next week. However, Intel says that it is speaking out early to combat "inaccurate media reports."

Intel acknowledges that the exploit has "the potential to improperly gather sensitive data from computing devices that are operating as designed." The company further goes on to state that "these exploits do not have the potential to corrupt, modify or delete data." The company goes on to state that the "average computer user" will be negligibly affected by any software fixes, and that any negative performance outcomes "will be mitigated over time." In a classic case of trying to point fingers at everyone else, Intel says that "many different vendors' processors" are vulnerable to these exploits.
You can read the full statement here.
Firefox

Mozilla Will Delete Firefox Crash Reports Collected by Accident (bleepingcomputer.com) 38

Catalin Cimpanu, writing for BleepingComputer: Mozilla said last week it would delete all telemetry data collected because of a bug in the Firefox crash reporter. According to Mozilla engineers, Firefox has been collecting information on crashed background tabs from users' browsers since Firefox 52, released in March 2017. Firefox versions released in that time span did not respect user-set privacy settings and automatically submitted crash reports to Mozilla servers. The browser maker fixed the issue with the release of Firefox 57.0.3. Crash reports are not fully anonymized.
The Internet

The FCC Is Still Tweaking Its Net Neutrality Repeal (techcrunch.com) 68

An anonymous reader quotes a report from TechCrunch: You may think, from the pomp accompanying the FCC's vote in December to repeal the 2015 net neutrality rules, that the deed was accomplished. Not so -- in fact, the order hasn't even reached its final form: the Commission is still working on it. But while it may be frustrating, this is business as usual for regulations like this, and concerned advocates should conserve their outrage for when it's really needed. The "Restoring Internet Freedom" rule voted on last month was based on a final draft circulated several weeks before the meeting at which it would be adopted. But as reports at the time noted, significant edits (i.e. not fixing typos) were still going into the draft the day before the FCC voted. Additional citations, changes in wording and more serious adjustments may be underway. It may sound like some serious shenanigans are being pulled, but this is how the sausage was always made, and it's actually one of Chairman Ajit Pai's handful of commendable efforts that the process is, in some ways at least, more open to the public. The question of exactly what is being changed, however, we will have ample time to investigate: The rules will soon be entered into the federal register, at which point they both come into effect and come under intense scrutiny and legal opposition.
The Courts

Spotify Hit With $1.6 Billion Copyright Lawsuit (spin.com) 132

The Wixen Music Publishing company, which administers song compositions by Tom Petty, Dan Auerbach, Rivers Cuomo, Stevie Nicks, Neil Young, and others, has hit Spotify with a copyright lawsuit seeking $1.6 billion in damages. The publishing company filed the lawsuit on December 29, alleging the streaming giant is using Petty's "Free Fallin" and tens of thousands of other songs without license or compensation. SPIN reports: Back in September, Wixen objected to a $43 million settlement Spotify had arranged over another class action lawsuit brought by David Lowery (of Cracker and Camper van Beethoven) and Melissa Ferrick, stating it was "procedurally and substantively unfair to Settlement Class Members because it prevents meaningful participation by rights holders and offers them an unfair dollar amount in light of Spotify's ongoing, willful copyright infringement of their works." A judge has yet to rule on that settlement, and in the meantime, Wixen has moved to file its own lawsuit, which purports "as much as 21 percent of the 30 million songs on Spotify are unlicensed," according to The Hollywood Reporter.

"Spotify brazenly disregards United States Copyright law and has committed willful, ongoing copyright infringement," the complaint reads. "Wixen notified Spotify that it had neither obtained a direct or compulsory mechanical license for the use of the Works. For these reasons and the foregoing, Wixen is entitled to the maximum statutory relief."

Censorship

US Calls On Iran To Unblock Social Media Sites Amid Protests (go.com) 135

The Trump administration is calling on the government of Iran to stop blocking Instagram and other social media sites while encouraging Iranians to use special software to circumvent controls. "The great Iranian people have been repressed for many years," President Trump tweeted yesterday. "They are hungry for food & for freedom. Along with human rights, the wealth of Iran is being looted. Time for change!" ABC News reports: Undersecretary of State Steve Goldstein, in charge of public diplomacy, said the U.S. wants Iran's government to "open these sites" including the photo-sharing platform Instagram and the messaging app Telegram. "They are legitimate avenues for communication," Goldstein said. "People in Iran should be able to access those sites." Iranians seeking to evade the blocks can use virtual private networks, Goldstein said. Known as VPNs, the services create encrypted data "tunnels" between computers and are used in many countries to access overseas websites blocked by the local government. Despite the blocks, the United States is working to maintain communication with Iranians in the Farsi language, including through official accounts on Facebook, Twitter and other platforms. The State Department also was to distribute videos of top U.S. officials encouraging the protesters through those and other sites.
Democrats

New Bill Could Finally Get Rid of Paperless Voting Machines (arstechnica.com) 391

An anonymous reader quotes a report from Ars Technica: A bipartisan group of six senators has introduced legislation that would take a huge step toward securing elections in the United States. Called the Secure Elections Act, the bill aims to eliminate insecure paperless voting machines from American elections while promoting routine audits that would dramatically reduce the danger of interference from foreign governments. "With the 2018 elections just around the corner, Russia will be back to interfere again," said co-sponsor Sen. Kamala Harris (D-Calif.). So a group of senators led by James Lankford (R-Okla.) wants to shore up the security of American voting systems ahead of the 2018 and 2020 elections. And the senators have focused on two major changes that have broad support from voting security experts.

The first objective is to get rid of paperless electronic voting machines. Computer scientists have been warning for more than a decade that these machines are vulnerable to hacking and can't be meaningfully audited. States have begun moving away from paperless systems, but budget constraints have forced some to continue relying on insecure paperless equipment. The Secure Elections Act would give states grants specifically earmarked for replacing these systems with more secure systems that use voter-verified paper ballots. The legislation's second big idea is to encourage states to perform routine post-election audits based on modern statistical techniques. Many states today only conduct recounts in the event of very close election outcomes. And these recounts involve counting a fixed percentage of ballots. That often leads to either counting way too many ballots (wasting taxpayer money) or too few (failing to fully verify the election outcome). The Lankford bill would encourage states to adopt more statistically sophisticated procedures to count as many ballots as needed to verify an election result was correct -- and no more.
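The audit idea in the last paragraph, as an added example that is not from the Ars Technica report or the bill: a ballot-polling risk-limiting audit in Python. The bill text quoted here names no specific method, so the BRAVO sequential test (Lindeman, Stark and Yates, 2012) is assumed as the "statistically sophisticated procedure", and every vote count and ballot sequence below is constructed.

```python
"""Ballot-polling risk-limiting audit for a two-candidate contest.

Added example; BRAVO is assumed as the audit method, the page names none.
Ballots are drawn at random, a likelihood ratio is updated after each one,
and the audit stops as soon as the reported outcome is confirmed at the
chosen risk limit. If the sample runs out first, the contest escalates to
a full hand count, so the number of ballots examined adapts to the margin
instead of being a fixed percentage."""
import math
import random


def bravo_audit(reported_winner_share, drawn_ballots, risk_limit=0.05):
    """Run the BRAVO sequential test over ballots in the order drawn.

    reported_winner_share: winner's share according to the reported tally.
    drawn_ballots: iterable of 'W' (reported winner) or 'L' (loser); in a
      real audit these come from randomly selected paper ballots.
    Returns (decision, ballots_examined) with decision 'confirmed' or
    'full hand count'."""
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1)")
    # Log space avoids overflow on long samples. Each W multiplies the test
    # statistic by 2*s_w (> 1), each L by 2*(1-s_w) (< 1); confirm once the
    # statistic reaches 1/risk_limit.
    log_w = math.log(2.0 * reported_winner_share)
    log_l = math.log(2.0 * (1.0 - reported_winner_share))
    threshold = math.log(1.0 / risk_limit)
    log_t = 0.0
    examined = 0
    for ballot in drawn_ballots:
        examined += 1
        if ballot == "W":
            log_t += log_w
        elif ballot == "L":
            log_t += log_l
        else:
            raise ValueError(f"unexpected ballot mark {ballot!r}")
        if log_t >= threshold:
            return "confirmed", examined
    return "full hand count", examined


def min_ballots_to_confirm(reported_winner_share, risk_limit=0.05):
    """Fewest ballots that can confirm: every drawn ballot is for the winner."""
    return math.ceil(math.log(1.0 / risk_limit)
                     / math.log(2.0 * reported_winner_share))


def simulate_audit(true_winner_votes, true_loser_votes, reported_winner_share,
                   risk_limit=0.05, seed=0):
    """Draw ballots with replacement from a constructed population whose real
    split is true_winner_votes:true_loser_votes and audit the reported share.
    Draws are capped at the population size; hitting the cap means the
    sample never confirmed the outcome, so a full hand count follows."""
    rng = random.Random(seed)
    total = true_winner_votes + true_loser_votes
    p_winner = true_winner_votes / total

    def draws():
        for _ in range(total):
            yield "W" if rng.random() < p_winner else "L"

    return bravo_audit(reported_winner_share, draws(), risk_limit)


if __name__ == "__main__":
    # Constructed contest: 1,000,000 ballots, winner reported at 60%.
    share = 0.6
    print("fewest ballots that can confirm at 5% risk:",
          min_ballots_to_confirm(share))
    print("fixed 1% recount examines 10000 ballots whatever the margin")
    print("BRAVO, honest 60/40 result:",
          simulate_audit(600_000, 400_000, share, seed=1))
    # When the reported outcome is wrong, BRAVO wrongly confirms it with
    # probability at most the risk limit; otherwise it escalates.
    print("BRAVO, reported 60% but really 45/55:",
          simulate_audit(450_000, 550_000, share, seed=1))
```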

China

Toutiao, One of China's Most Popular News Apps, is Discovering the Risks Involved in Giving People Exactly What They Want Online (nytimes.com) 29

The New York Times reports: One of the world's most valuable start-ups got that way by using artificial intelligence to satisfy Chinese internet users' voracious appetite for news and entertainment. Every day, its smartphone app feeds 120 million people personalized streams of buzzy news stories, videos of dogs frolicking in snow, GIFs of traffic mishaps and listicles such as "The World's Ugliest Celebrities." Now the company is discovering the risks involved, under China's censorship regime, in giving the people exactly what they want. The makers of the popular news app Jinri Toutiao unveiled moves this week to allay rising concerns from the authorities (Editor's note: the link may be paywalled; alternative source).

Last week, the Beijing bureau of China's top internet regulator accused Toutiao of "spreading pornographic and vulgar information" and "causing a negative impact on public opinion online," and ordered that updates to several popular sections of the app be halted for 24 hours. In response, the app's parent company, Beijing Bytedance Technology, took down or temporarily suspended the accounts of more than 1,100 bloggers that it said had been publishing "low-quality content" on the app. It also replaced Toutiao's "Society" section with a new section called "New Era," which is heavy on state media coverage of government decisions.

Microsoft

Big Tech and Democracy Need To Work Together, Microsoft Executives Say (axios.com) 89

From a report: It's not often that Big Tech calls for more government action. But two top Microsoft executives -- Brad Smith, president and chief legal officer, and Carol Ann Browne, director of executive communications -- write in a tech trends forecast out today. "2018 will be a year when democratic governments can either work together to safeguard electoral processes or face a future where democracy is more fragile. [T]his needs to include work to protect campaigns from hacking, address social media issues, ensure the integrity of voting results, and protect vital census processes," they wrote.
China

China's WeChat Denies Storing User Chats (reuters.com) 49

WeChat, China's most popular messenger app, on Tuesday denied storing users' chat histories, after a top businessman was quoted in media reports as saying he believed Tencent was monitoring everyone's account. From a report: "WeChat does not store any users' chat history. That is only stored in users' mobiles, computers and other terminals," WeChat said in a post on the social media platform. "WeChat will not use any content from user chats for big data analysis. Because of WeChat's technical model that does not store or analyse user chats, the rumour that 'we are watching your WeChat everyday' is pure misunderstanding." More than 900 million people use WeChat.
Businesses

People Are Using PornHub To Stream 'Hamilton' and 'Zootopia' (qz.com) 92

An anonymous reader shares a report: There's more on PornHub than pornography. People are using the streaming-video site -- a sort of YouTube for pornography where users can upload and watch adult videos -- to stream pirated copies of high-profile titles like the Broadway musical Hamilton and Disney's animated movie Zootopia. Where YouTube has been fighting for years to keep pornography off its site, PornHub now finds itself in the position of having to purge its platform of videos that are decidedly safe for work. The full, 75-minute first act of the historical, Tony Award-winning play, Hamilton -- with its original cast, including creator and star Lin-Manuel Miranda -- is on PornHub, one Twitter user discovered. As the most sought-after ticket in town, the play just set a new high-water mark (paywall) for Broadway after taking in $3.8 million at the box office for the week ending Dec. 24.
Censorship

Germany Starts Enforcing Hate Speech Law (bbc.com) 545

Germany is set to start enforcing a law that demands social media sites move quickly to remove hate speech, fake news and illegal material. From a report: Sites that do not remove "obviously illegal" posts could face fines of up to 50m euro ($60m). The law gives the networks 24 hours to act after they have been told about law-breaking material. Social networks and media sites with more than two million members will fall under the law's provisions. Facebook, Twitter and YouTube will be the law's main focus but it is also likely to be applied to Reddit, Tumblr and Russian social network VK. Other sites such as Vimeo and Flickr could also be caught up in its provisions.
Government

Congo Shuts Down Internet Services 'Indefinitely' (nytimes.com) 88

On Saturday Engadget wrote: Authoritarian leaders are fond of severing communications in a bid to hold on to power, and that tradition sadly isn't going away. The Democratic Republic of Congo's government has ordered telecoms to cut internet and SMS access ahead of planned mass protests against President Joseph Kabila, whose administration has continuously delayed elections to replace him. Telecom minister Emery Okundji told Reuters that it was a response to "violence that is being prepared," but people aren't buying that argument. Officials had already banned demonstrations, and the country has a history of cutting communications and blocking social network access in a bid to quash dissent.
And today in the wake of deadly protests, Congo announced that the internet shutdown will continue "indefinitely." The New York Times reports: At least eight people were killed and a dozen altar boys arrested in the Democratic Republic of Congo on Sunday after security forces cracked down on planned church protests against President Joseph Kabila's refusal to leave office before coming elections... Congolese security forces set up checkpoints across Kinshasa, and the government issued an order to shut down text messaging and internet services indefinitely across the country for what it called "reasons of state security."
Electronic Frontier Foundation

EFF Applauds 'Massive Change' to HTTPS (eff.org) 214

"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.
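The HSTS mechanism named above, as an added example that is not from the EFF post: a client-side policy cache in Python that parses the Strict-Transport-Security header, honours max-age and includeSubDomains, ignores the header when it arrives over plain HTTP (as RFC 6797 requires), and rewrites http:// requests to https:// for hosts it knows. All hostnames and header values are constructed.

```python
"""Client-side HSTS handling (RFC 6797): parse Strict-Transport-Security,
remember the policy per host, and upgrade plain-HTTP URLs for known hosts.
Added example with constructed hosts; not code from the EFF or a browser."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time in seconds when the policy lapses
    include_subdomains: bool


def parse_sts_header(value, now):
    """Turn a header value such as 'max-age=31536000; includeSubDomains'
    into an HstsPolicy. A header without a valid max-age is malformed and
    yields None, which callers treat as 'no policy'."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. preload) do not change the client's policy
    if max_age is None:
        return None
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_sub)


class HstsCache:
    """Known-HSTS-host store, keyed by lower-case hostname."""

    def __init__(self):
        self._known = {}

    def learn(self, url, headers, now):
        """Record the policy carried by a response; True if the store changed.
        Responses fetched over plain HTTP are ignored, because anyone on the
        path could inject or clear a policy there."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        policy = parse_sts_header(value, now)
        if policy is None:
            return False
        host = parts.hostname
        if policy.expires_at <= now:           # max-age=0: forget the host
            self._known.pop(host, None)
        else:
            self._known[host] = policy
        return True

    def policy_for(self, host, now):
        """Most specific unexpired policy covering host, walking up to parent
        domains that set includeSubDomains; expired entries are dropped."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._known.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._known[candidate]
                continue
            if i == 0 or policy.include_subdomains:
                return policy
        return None

    def rewrite(self, url, now):
        """Return the https:// form of url if its host is known, else url."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if self.policy_for(parts.hostname, now) is None:
            return url
        netloc = parts.netloc
        if parts.port == 80:                   # explicit :80 becomes the default 443
            netloc = netloc.rsplit(":", 1)[0]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```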

Crime

Kansas Swatting Perpetrator 'SWauTistic' Interviewed on Twitter (krebsonsecurity.com) 434

"That kids house that I swatted is on the news," tweeted "SWauTistic" -- before he realized he'd gotten somebody killed. Security researcher Brian Krebs reveals what happened next. When it became apparent that a man had been killed as a result of the swatting, Swautistic tweeted that he didn't get anyone killed because he didn't pull the trigger. Swautistic soon changed his Twitter handle to @GoredTutor36, but KrebsOnSecurity managed to obtain several weeks' worth of tweets from Swautistic before his account was renamed. Those tweets indicate that Swautistic is a serial swatter -- meaning he has claimed responsibility for a number of other recent false reports to the police. The recent hoaxes he's taken credit for include a false report of a bomb threat at the U.S. Federal Communications Commission (FCC) that disrupted a high-profile public meeting on the net neutrality debate. Swautistic also has claimed responsibility for a hoax bomb threat that forced the evacuation of the Dallas Convention Center, and another bomb threat at a high school in Panama City, Fla., among others.

After tweeting about the incident extensively Friday afternoon, KrebsOnSecurity was contacted by someone in control of the @GoredTutor36 Twitter account. GoredTutor36 said he's been the victim of swatting attempts himself, and that this was the reason he decided to start swatting others. He said the thrill of it "comes from having to hide from police via net connections." Asked about the FCC incident, @GoredTutor36 acknowledged it was his bomb threat. "Yep. Raped em," he wrote. "Bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that," he wrote. "But I began making $ doing some swat requests."

Krebs' article also links to a police briefing with playback from the 911 call. "There is no question that police officers and first responders across the country need a great deal more training to bring the number of police shootings way down..." Krebs argues. "Also, all police officers and dispatchers need to be trained on what swatting is, how to spot the signs of a hoax, and how to minimize the risk of anyone getting harmed when responding to reports about hostage situations or bomb threats."

But he also argues that filing a false police report should be reclassified as a felony in all states.
Crime

Tech Bros Bought Sex Trafficking Victims Using Amazon and Microsoft Work Emails (newsweek.com) 321

An anonymous reader writes: Newsweek's National Politics Correspondent reports on "a horny nest of prostitution 'hobbyists' at tech giants Microsoft, Amazon and other firms in Seattle," citing "hundreds" of emails "fired off by employees at major tech companies hoping to hook up with trafficked Asian women" between 2014 and 2016, "67 sent from Microsoft, 63 sent from Amazon email accounts and dozens more sent from some of Seattle's premier tech companies and others based elsewhere but with offices in Seattle, including T-Mobile and Oracle, as well as many local, smaller tech firms." Many of the emails came from a sting operation against online prostitution review boards, and were obtained through a public records request to the King County Prosecutor's Office.

"They were on their work accounts because Seattle pimps routinely asked first-time sex-buyers to prove they were not cops by sending an employee email or badge," reports Newsweek, criticizing "the widespread and often nonchalant attitude toward buying sex from trafficked women, a process made shockingly more efficient by internet technology... A study commissioned by the Department of Justice found that Seattle has the fastest-growing sex industry in the United States, more than doubling in size between 2005 and 2012. That boom correlates neatly with the boom of the tech sector there... Some of these men spent $30,000 to $50,000 a year, according to authorities." A lawyer for some of the men argues that Seattle's tech giants aren't conducting any training to increase employees' compassion for trafficked women in brothels. The director of research for a national anti-trafficking group cites the time Uber analyzed ride-sharing data and reported a correlation between high-crime neighborhoods and frequent Uber trips -- including people paying for prostitutes. "They made a map using their ride-share data, like it was a funny thing they could do with their data. It was done so flippantly."

Censorship

Iran Cuts Internet Access and Threatens Telegram Following Mass Protests (bbc.com) 156

Long-time Slashdot reader cold fjord writes: As seething discontent has boiled over in Iran leading to mass protests, protesters have taken to the streets and social media to register their discontent... The government has been closing schools and shutting down transportation.

Now, as mass protests in Iran go into their third day there are reports that internet access is being cut in cities with protests occurring. Social media has been a tool for documenting the protests and brutal crackdowns against them. Iran previously cut off internet access during the Green Movement protests following the 2009 elections. At the same time the Iranian government is cutting internet access they have called on Telegram, reportedly used by more than 40 million Iranians, to close the channels used by protesters. Telegram is now closing channels used by the protesters while Telegram itself may be shut down in Iran.

Crime

Louisiana Police Bust an Infamous Nigerian Email Spam Scammer (hothardware.com) 66

MojoKid writes: You have probably at some point been contacted via email spam by someone claiming you are the beneficiary in a will of a Nigerian prince. As the scam goes, all you have to do is submit your personal information and Western Union some funds to process the necessary paperwork, and in return you will receive millions of dollars. One of the people behind the popular scam, Michael Neu, has been arrested by police in Slidell, Louisiana.

This may come as a shocker, but Neu is not a prince, nor is he Nigerian. He is a 67-year-old male possibly of German descent (based on his last name) who is facing 269 counts of wire fraud and money laundering for his alleged role as a middleman in the scheme. According to Slidell police, some of the money obtained by Neu was wired to co-conspirators who do actually live in Nigeria.

Crime

Call of Duty Gaming Community Points To 'Swatting' In Wichita Police Shooting (dailydot.com) 681

schwit1 shares a report from The Daily Dot: A man was killed by police Thursday night in Wichita, Kansas, when officers responded to a false report of a hostage situation. The online gaming community is saying the dead man was the victim of a swatting prank, where trolls call in a fake emergency and force SWAT teams to descend on a target's house. If that's true, this would be the first reported swatting-related death. Wichita deputy police chief Troy Livingston told the Wichita Eagle that police were responding to a report that a man fighting with his parents had accidentally shot his dad in the head and was holding his mom, brother and sister hostage. When police arrived, "A male came to the front door," Livingston told the Eagle. "As he came to the front door, one of our officers discharged his weapon." The man at the door was identified by the Eagle as 28-year-old Andrew Finch. Finch's mother told reporters "he was not a gamer," but the online Call of Duty community claims his death was the result of a gamer feud which Finch may not have even been a part of.
UPDATE: The New York Daily News reports police in Los Angeles have now arrested 25-year-old gamer Tyler Barriss, who the paper describes as "an alleged serial 'prankster'..."

"Barriss gave cops Finch's address, mistakenly believing it belonged to a person he had feuded with over a $1 or $2 Call of Duty wager."
Media

Kodi Media Player Arrives On the Xbox One (theverge.com) 57

The Kodi media player is now available to download on your Xbox One, making it one of the best Xbox One exclusives of the year. The Verge reports: Kodi is a very capable player that's highly expandable thanks to third-party add-ons like live TV and DVR services -- something Microsoft isn't going to provide. But Kodi is perhaps best known as the go-to app for piracy due to a wide variety of plugins that let you illegally stream television shows, professional sports, and films from the comfort of your living room. This has led to a cottage industry of so-called "Kodi boxes," often built around cheap HDMI dongles like Amazon's Fire TV sticks. While the XBMC Foundation has attempted to distance itself from the illegal third-party plugins, it's also benefited from the exposure. In a blog post, Kodi warns that the Xbox One download isn't finished and may contain missing features and bugs. Fun fact: Kodi began life fifteen years ago as the XBMP (Xbox Media Player). The only way to get the open-source player running on an original Xbox was to hack the console. XBMP eventually evolved into XBMC (Xbox Media Center), which then became Kodi.
Facebook

Facebook's Uneven Enforcement of Hate Speech Rules Allows Vile Posts To Stay Up (propublica.org) 171

ProPublica has found inconsistent rulings on hate speech after analyzing more than 900 Facebook posts submitted to them as part of a crowd-sourced investigation into how the world's largest social network implements its hate-speech rules. "Based on this small fraction of Facebook posts, its content reviewers often make different calls on items with similar content, and don't always abide by the company's complex guidelines," reports ProPublica. "Even when they do follow the rules, racist or sexist language may survive scrutiny because it is not sufficiently derogatory or violent to meet Facebook's definition of hate speech." From the report: We asked Facebook to explain its decisions on a sample of 49 items, sent in by people who maintained that content reviewers had erred, mostly by leaving hate speech up, or in a few instances by deleting legitimate expression. In 22 cases, Facebook said its reviewers had made a mistake. In 19, it defended the rulings. In six cases, Facebook said the content did violate its rules but its reviewers had not actually judged it one way or the other because users had not flagged it correctly, or the author had deleted it. In the other two cases, it said it didn't have enough information to respond.

"We're sorry for the mistakes we have made -- they do not reflect the community we want to help build," Facebook Vice President Justin Osofsky said in a statement. "We must do better." He said Facebook will double the size of its safety and security team, which includes content reviewers and other employees, to 20,000 people in 2018, in an effort to enforce its rules better. He added that Facebook deletes about 66,000 posts reported as hate speech each week, but that not everything offensive qualifies as hate speech. "Our policies allow content that may be controversial and at times even distasteful, but it does not cross the line into hate speech," he said. "This may include criticism of public figures, religions, professions, and political ideologies."

Security

300,000 Users Exposed In Ancestry.com Data Leak (threatpost.com) 43

Dangerous_Minds shares a report from ThreatPost: Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet. In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com Tony Blackham said a file containing the user data was publicly exposed on a RootsWeb server. On Wednesday, Ancestry.com told Threatpost it believed the data was exposed in November 2015. The data resided on RootsWeb's infrastructure, and is not linked to Ancestry.com's site and services. Ancestry.com said RootsWeb has "millions" of members who use the site to share family trees, post user-contributed databases and host thousands of messaging boards. The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers. It added that there are no indications data exposed to the public internet has been accessed by a malicious third party. The company declined to specify how and why the data was stored insecurely on the server. "Approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers," Blackham wrote.
Privacy

That Game on Your Phone May Be Tracking What You're Watching on TV (nytimes.com) 98

Rick Zeman writes: The New York Times (may be paywalled) has an article describing how some apps track TV and movie viewing even when the loaded app isn't currently active. These seemingly innocuous games, geared towards both adults and children, work by "using a smartphone's microphone. For instance, Alphonso's software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more precisely...." While these apps, mostly available on Google Play, with some available on the Apple Store, do offer an opt-out, it's not clear when consumers see "permission for microphone access for ads," it may not be clear to a user that, "Oh, this means it's going to be listening to what I do all the time to see if I'm watching 'Monday Night Football.'"
One advertising executive summarizes thusly: "It's not what's legal. It is what's not creepy."

Crime

Two Romanians Charged With Hacking Washington DC Police Surveillance Cameras Days Before Trump's Inauguration (bbc.com) 47

US prosecutors have charged two Romanians with hacking Washington DC police computers linked to surveillance cameras just days before President Donald Trump's inauguration. From a report on BBC: The pair are being held in Romania, having been arrested at Bucharest Otopeni airport on 15 December. Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, allegedly accessed 123 outdoor surveillance cameras as part of a suspected ransomware scheme. Mr Trump was sworn in on 20 January. The US Department of Justice said the case was "of the highest priority" because of the security surrounding the presidential inauguration. The perpetrators intended to use the camera computers to send ransomware to more than 179,600 email addresses and extort money from victims, the justice department said in a statement.

Chrome

Chrome Extension with 100,000 Users Caught Pushing Cryptocurrency Miner (bleepingcomputer.com) 47

Catalin Cimpanu, reporting for BleepingComputer: A Chrome extension with over 105,000 users has been deploying an in-browser cryptocurrency miner to unsuspecting users for the past few weeks. The extension does not ask for user permission before hijacking their CPUs to mine Monero all the time the Chrome browser is open. Named "Archive Poster," the extension is advertised as a mod for Tumblr that allows users an easier way to "reblog, queue, draft, and like posts right from another blog's archive." According to user reviews, around the start of December the extension incorporated the infamous Coinhive in-browser miner in its source code.

Bitcoin

A Manager of the Exmo Bitcoin Exchange Has Been Kidnapped In Ukraine (bbc.com) 82

CaptainDork shares a report from BBC: A manager of the Exmo Bitcoin exchange has been kidnapped in Ukraine. According to Russian and Ukrainian media reports, Pavel Lerner, 40, was kidnapped while leaving his office in Kiev's Obolon district on December 26th. The reports said he was dragged into a black Mercedes-Benz by men wearing balaclavas. Police in Kiev confirmed to the BBC that a man had been kidnapped on the day in question, but would not confirm his identity. A spokeswoman said that the matter was currently under investigation, and that more information would be made public later on. Mr Lerner is a prominent Russian blockchain expert and the news of his kidnapping has stunned many in the international cryptocurrency community.

Windows

Windows 10 Visits To US Government Sites Surpass Windows 7 For the First Time (onmsft.com) 111

In what may be a signal of changing attitudes for Windows 10, visits to U.S. government sites via Windows 10 have surpassed Windows 7 for the first time. On MSFT reports: This United States government website reports that of the 2.54 billion visits to U.S. Government websites over the past 90 days, 20.9% came from Windows 10, and 20.7% from Windows 7. Interestingly, Windows 8.1 came in at 2.7%, Windows 8 .05%, and other OS 0.8%. The numbers are a bit niche and could be just from a holiday bump based on the site's 90-day average, but they still do give a solid number comparison for the state of various OS and browser stats. When it comes to browser share, Edge was not popularly used to visit U.S. Government websites. Chrome was on top with 44.4%, followed by Safari with 27.6%, Internet Explorer at 12.3%, and then Firefox at 5.9% and Edge at 3.9%. Though all these government percentages may be bleak for Microsoft, the latest AdDuplex December report also shows strong adoption for Windows 10 Fall Creators Update, so things can only go up for Microsoft from here on out.