Security

Huawei Executive Arrest Inspires Advance Fee Scams (sans.edu) 105

UnderAttack writes: Scammers are attempting to trick Chinese victims into sending thousands of dollars in order to secure the release of Chinese Huawei executive Meng who was arrested in Canada last week. The messages claim to originate from Ms. Meng and suggest that she found a corrupt guard who will let her go for a few thousand dollars. Of course, there will be riches for anybody who is willing to help (and more). The scam is reportedly targeting people via WeChat, which may have a higher success rate than more widely distributed scams.

One of the messages reads (translated): "Hello, I am MENG Wanzou. Currently, I have been detained by Canadian customs. I have limited use of my phone. Right now CIA is trying to get me into the hands of the US government. I bribed the guard of my room, and urgently need US$2000 to get out of here. Once I am out, I will reward you 200,000 shares of Huawei. I will be good on my word. If you are single, we can also discuss the important thing in life. The guard's name is David, the account number is 52836153836252, swift 55789034. I will be good on my word."

Communications

At Least One Major Carrier Lied About Its 4G Coverage, FCC Review Finds (arstechnica.com) 46

An anonymous reader quotes a report from Ars Technica: Four months after receiving a complaint claiming that Verizon "grossly overstated" its 4G LTE coverage in government filings, the Federal Communications Commission says that at least one carrier is apparently guilty of significant rules violations. The FCC did not name any specific carrier in its announcement and did not respond to our question about whether Verizon is among the carriers being investigated. But the investigation was apparently triggered by a complaint about Verizon filed in August by the Rural Wireless Association (RWA).

The RWA, which represents rural carriers, made its case to the FCC by submitting speed test data. The speed tests showed the Verizon network wasn't providing 4G LTE service in areas that Verizon claimed to cover, according to the RWA. Inaccurate coverage maps could make it difficult for rural carriers to get money from the Mobility Fund, a government fund intended for unserved areas. "A preliminary review of speed test data submitted through the challenge process suggested significant violations of the Commission's rules," FCC Chairman Ajit Pai said Friday in his announcement of the FCC investigation. The FCC said its investigation focuses on "whether one or more major carriers violated the Mobility Fund Phase II (MF-II) reverse auction's mapping rules and submitted incorrect coverage maps."

Privacy

House Panel Issues Scathing Report On 'Entirely Preventable' Equifax Data Breach (thehill.com) 75

An anonymous reader quotes a report from The Hill: The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation. The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. "In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers. "A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company's failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data." The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach. The report said the company could have detected the activity but did not have "file integrity monitoring enabled" on this system, known as ACIS, at the time of the attack.
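
The report singles out the absence of file integrity monitoring on the ACIS system. The following is an added example, not Equifax's tooling or any particular FIM product, of the core of such a monitor: a baseline of SHA-256 digests and permission bits for a directory tree, and a diff of a later scan against it. The web-application directory layout and the simulated intruder changes in demo() are constructed for illustration.

```python
"""Minimal file-integrity monitor: baseline a directory tree as SHA-256
digests plus permission bits, then diff a later scan against that baseline.
Added example; the directory layout and changes in demo() are constructed."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest
    and permission bits. Symlinks are skipped so an intruder cannot point a
    link at a pristine file to mask a change."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": _sha256(p), "mode": p.stat().st_mode & 0o777}
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots. Any non-empty list is an
    alert candidate. In production the baseline lives off-host (or is signed),
    so an intruder with write access cannot simply re-baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small web-application directory, then
    simulate an intruder dropping a new server-side script, tampering with an
    existing page and deleting a config file, and report what FIM would flag."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "WEB-INF").mkdir()
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>\n")
        (root / "index.jsp").write_text("<html>ok</html>\n")
        baseline = snapshot(root)

        # Simulated post-compromise changes (placeholders, not real payloads).
        (root / "cmd.jsp").write_text("<%-- constructed stand-in for a dropped script --%>\n")
        (root / "index.jsp").write_text("<html>tampered</html>\n")
        (root / "WEB-INF" / "web.xml").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A real deployment runs snapshot() on a schedule or from inotify events, compares against a baseline stored where the monitored host cannot rewrite it, and routes every non-empty result to the SOC; a new executable under a web root is the kind of change that should page someone within minutes, not 145 days.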

Firefox

Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com) 91

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This would not normally be news, since the web is full of such sites, but these sites are not using some new, never-before-seen trick: they are abusing a Firefox bug that Mozilla engineers appear to have left unfixed in the 11 years since it was first reported, in April 2007. The bug boils down to a malicious website embedding an iframe in its source code; the iframe loads a resource on another domain that demands HTTP authentication.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users onto sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop.
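
To make the mechanism concrete, here is an added model (not Firefox code) of the decision a browser makes when a subresource such as an iframe answers with a 401 and a WWW-Authenticate header. It compares two policies: prompt on every challenge, which is the behaviour the report describes being abused, and a stricter policy that only raises the dialog when the challenging origin matches the top-level page. The stricter policy is this example's own mitigation, not a description of what Mozilla shipped, and the scam and auth-trap hostnames are constructed.

```python
"""Model of a browser deciding whether to raise a modal HTTP-auth dialog for a
subresource. Added example, not Firefox code; hostnames are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in, so
    https://a.example and https://a.example:443 compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def parse_challenge(headers: dict):
    """Return (auth_scheme, realm) from a WWW-Authenticate header, or None."""
    value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if not value:
        return None
    scheme, _, params = value.strip().partition(" ")
    realm = ""
    for part in params.split(","):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "realm":
            realm = val.strip().strip('"')
    return scheme.lower(), realm


def should_prompt(policy: str, top_url: str, frame_url: str,
                  status: int, headers: dict) -> bool:
    """policy is 'any' (prompt for every challenge, the abused behaviour) or
    'same-origin' (only when the challenge comes from the page's own origin)."""
    if status != 401 or parse_challenge(headers) is None:
        return False
    if policy == "any":
        return True
    if policy == "same-origin":
        return origin(frame_url) == origin(top_url)
    raise ValueError(f"unknown policy {policy!r}")


def simulate_trap(policy: str, reloads: int) -> int:
    """Constructed scenario: a page on one origin embeds an iframe pointing at a
    second origin that answers every request with a Basic challenge and reloads
    the frame each time the dialog is dismissed. Returns how many modal dialogs
    the user sees across `reloads` attempts to leave."""
    top = "https://scam.example/"
    frame = "http://auth-trap.example:8080/login"
    status, headers = 401, {"WWW-Authenticate": 'Basic realm="Please sign in"'}
    return sum(should_prompt(policy, top, frame, status, headers) for _ in range(reloads))


if __name__ == "__main__":
    print("prompt-on-any-401:", simulate_trap("any", 5), "dialogs")
    print("same-origin-only: ", simulate_trap("same-origin", 5), "dialogs")
```

The origin comparison has to normalise default ports and case, otherwise a trap on `https://victim.example:443/` would wrongly count as cross-origin to `https://victim.example/`; the same normalisation is what a web-proxy or content-filtering rule would apply when flagging pages whose cross-origin frames return Basic challenges.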

Google

Google Will Shut Down Google+ Four Months Early After Second Data Leak (theverge.com) 53

Google+ has suffered another data leak, and Google has decided to shut down the consumer version of the social network four months earlier than it originally planned. From a report: Google+ will now close to consumers in April, rather than August. Additionally, API access to the network will shut down within the next 90 days. According to Google, the new vulnerability impacted 52.5 million users, who could have had profile information like their name, email address, occupation, and age exposed to developers, even if their account was set to private. Apps could also access profile data that had been shared with a specific user, but was not shared publicly.
Privacy

Your Apps Know Where You Were Last Night, and They're Not Keeping It Secret (nytimes.com) 98

Dozens of companies use smartphone locations to help advertisers and even hedge funds. They say it's anonymous, but the data shows how personal it is. From a report: The millions of dots on the map trace highways, side streets and bike trails -- each one following the path of an anonymous cellphone user. One path tracks someone from a home outside Newark to a nearby Planned Parenthood, remaining there for more than an hour. Another represents a person who travels with the mayor of New York during the day and returns to Long Island at night. [...] An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times.

At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States -- about half those in use last year. The database reviewed by The Times -- a sample of information gathered in 2017 and held by one company -- reveals people's travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.
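
Why a device pseudonym does not make such a trace anonymous can be shown with a few lines of analysis. The following is an added example, not code from the Times or any of the companies it describes: given only timestamped coordinates for one pseudonymous device, it picks the most frequent night-time cell as home, the most frequent weekday-daytime cell as work, and lists every stop longer than an hour. The trace it analyses is constructed, and the coordinates do not correspond to real addresses.

```python
"""Constructed demonstration that pseudonymous location traces re-identify
their owner. Added example; the trace is made up, not data from the Times'
database, and the coordinates are not real addresses."""
from collections import Counter
from datetime import datetime


def cell(lat: float, lon: float, decimals: int = 3) -> tuple:
    """Snap a fix to a grid of roughly 100 m so repeated visits coincide."""
    return (round(lat, decimals), round(lon, decimals))


def infer_anchors(points) -> dict:
    """points: iterable of (ISO timestamp, lat, lon) for ONE pseudonymous device.
    Home = most frequent cell between 22:00 and 06:00; work = most frequent
    cell on weekdays between 09:00 and 17:00."""
    night, workday = Counter(), Counter()
    for ts, lat, lon in points:
        t = datetime.fromisoformat(ts)
        c = cell(lat, lon)
        if t.hour >= 22 or t.hour < 6:
            night[c] += 1
        elif t.weekday() < 5 and 9 <= t.hour < 17:
            workday[c] += 1
    return {"home": night.most_common(1)[0][0] if night else None,
            "work": workday.most_common(1)[0][0] if workday else None}


def dwells(points, min_minutes: int = 60) -> list:
    """Runs of consecutive fixes in the same cell lasting at least min_minutes,
    as (cell, minutes). A 75-minute stop at a clinic is exactly the kind of
    sensitive visit the article describes."""
    ordered = sorted((datetime.fromisoformat(ts), cell(lat, lon)) for ts, lat, lon in points)
    out = []
    run_cell = run_start = run_last = None

    def flush():
        if run_cell is not None:
            minutes = int((run_last - run_start).total_seconds() // 60)
            if minutes >= min_minutes:
                out.append((run_cell, minutes))

    for t, c in ordered:
        if c != run_cell:
            flush()
            run_cell, run_start = c, t
        run_last = t
    flush()
    return out


def build_sample_trace() -> list:
    """Three constructed weekdays (Mon 6 to Wed 8 March 2017) for one device:
    nights at 'home', office hours at 'work', one evening stop at a 'clinic'."""
    home, work, clinic = (40.7000, -74.2000), (40.7600, -73.9800), (40.7400, -74.1700)
    trace = []
    for day in ("2017-03-06", "2017-03-07", "2017-03-08"):
        trace += [(f"{day}T02:00:00", *home), (f"{day}T10:00:00", *work),
                  (f"{day}T14:00:00", *work), (f"{day}T23:30:00", *home)]
    trace += [("2017-03-06T18:30:00", *clinic), ("2017-03-06T19:45:00", *clinic)]
    return trace


if __name__ == "__main__":
    trace = build_sample_trace()
    print(infer_anchors(trace))
    print(dwells(trace))
```

Once home and work cells are known, joining them against any public address or employer record names the person; that join, not the device identifier, is what makes "anonymous" location data personal.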

Electronic Frontier Foundation

Can Democrats In Congress Restore America's Net Neutrality Rules? (nbcnews.com) 256

"Democrats are expected to use their upcoming control of the House to push for strong net neutrality rules," reports NBC News: "The FCC's repeal sparked an unprecedented political backlash, and we've channeled that internet outrage into real political power," said Evan Greer, deputy director of Fight for the Future, a digital rights-focused non-profit organization. "As we head into 2019, net neutrality supporters in the House of Representatives will be in a much stronger position to engage in FCC oversight...." Gigi Sohn, a former lawyer at the FCC who is now a fellow at the Georgetown Law Institute for Technology, Law and Policy, said she expects Democrats to use their new power to push for the restoration of strong net neutrality rules -- and for the topic to be on the lips of presidential hopefuls. "I have no doubt that bills to restore the 2015 rules will be introduced in both the Senate and the House relatively early on," Sohn said....

Jessica Rosenworcel, an FCC commissioner who has been a vocal supporter of net neutrality, noted that it has become a national issue -- and one that has broad approval from Americans. She pointed to a University of Maryland study that found 83 percent of people surveyed were against the FCC's move to undo the rules around net neutrality... Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation...said he is "extraordinarily confident" that proponents of net neutrality will win. "It really just boils down to how one side of the polling is in this space," Falcon said.

Google

US Senator Attacks Failure To Crack Down On Google's Ad Fraud Problems (zdnet.com) 72

Democrat Senator Mark Warner "says Google is profiting off advertising fraud and has no interest in addressing it," reports ZDNet -- and he's laying part of the blame on America's trade commissioners. Warner is just as mad about the FTC as he is about Google, claiming the FTC has failed to take action against the Mountain View-based company for more than two years since he and New York Democrat Senator Chuck Schumer first wrote the agency about Google's ad fraud problem. "The FTC's failure to act has had the effect of allowing Google to structure its own market," said Sen. Warner in a letter sent to the FTC... "While the company controls each link in the supply chain and therefore maintains the power to monitor activity in the digital advertising market from start to finish, it has continued to be caught flat-footed in identifying and addressing digital ad fraud."

Sen. Warner also called out Google for proving unwilling to address misuse of its advertising platform for the "rampant proliferation of online disinformation" -- referring to how various foreign entities have used Google ads to push political agendas, both in the US and other countries of the world. "As long as Google stands to profit from the sale of additional advertisements, the financial incentive for it to voluntarily root out and address fraud remains minimal," Sen. Warner added.

Businesses

12,000 Uber Drivers Claim Uber Is Now Failing To Pay Arbitration Fees (reuters.com) 83

Uber's terms of service prohibit its drivers from joining class action lawsuits, Gizmodo writes, adding that over 12,000 drivers have now "found a way to weaponize the ridesharing platform's restrictive contract in what's possibly the funniest labor strategy of the year."

An anonymous reader summarizes their report: Uber's contract requires that all driver lawsuits be arbitrated (instead of argued in open court), but "While arbitrating parties are responsible for paying for their own attorneys, the terms state that 'in all cases where required by law, [Uber] will pay the Arbitrator's and arbitration fees'... A group of 12,501 drivers opted to take Uber at its word, individually bringing their cases up for arbitration, overwhelming the infrastructure...." (Gizmodo says Uber's arbitration policy is "coming back to bite it in the ass.") A petition in California's Northern District Court points out that Uber now is apparently overwhelmed. "Of those 12,501 demands, in only 296 has Uber paid the initiating filing fees necessary for an arbitration to commence [...] only 47 have appointed arbitrators, and [...] in only six instances has Uber paid the retainer fee of the arbitrator to allow the arbitration to move forward."

The drivers' lawyers are now complaining that Uber's delinquencies "make clear it does not actually support arbitration; rather, it supports avoiding any method of dispute resolution, no matter the venue... At this point, it is fair to ask whether Uber's previous statements to the 9th Circuit about its desire to facilitate arbitration with its drivers were nothing more than empty promises to avoid litigating a class action."

United States

Huawei's CFO Is Being Accused of Fraud, and Her Main Defense Is a PowerPoint (theverge.com) 121

"Today, a bail hearing was held for Huawei's chief financial officer, who was arrested in Canada on Saturday at the request of U.S. law enforcement," reports The Verge. "The CFO, Meng Wanzhou, is facing extradition to the U.S. for conspiring to defraud banking institutions, according to the Star Vancouver." The Verge reports that her main defense is "a PowerPoint presentation that Meng had once given to explain to a bank in Hong Kong that Huawei had not violated any U.S. sanctions." From the report: Many lined up to see Meng's bail hearing today, after the extremely high-profile arrest that signified the first major break in a U.S. probe that has mostly been kept from the public. The U.S. has an arrest warrant out for Meng that was issued by a New York court on August 22nd. It has 60 days from the time of Meng's arrest on Saturday to provide Canadian courts with evidence and intent.

Meng served on the board of a Hong Kong-based company called Skycom, which allegedly did business with Iran between 2009 and 2014. U.S. banks worked with Huawei at the time, so, the U.S. alleges, Iran sanctions were violated indirectly and Meng thereby committed fraud against those banks. Skycom reportedly had connections to Huawei, and at the bail hearing today Crown counsel John Gibb-Carsley argued that Skycom was an unofficial subsidiary of Huawei's, using the same company logo. "Huawei is SkyCom," he said. "This is the crux, I say, of the alleged fraud."

The hearing also examined whether Meng would be a flight risk if she were granted the $1 million bail, an argument Gibb-Carsley was pushing. "Defense lawyer Martin responded by explaining the Chinese emphasis on saving face, and how Meng wouldn't want her father and Huawei to look bad. Even more than that, 'she would not embarrass China itself,' Martin said."

Government

California Gives Final OK To Require Solar Panels On New Houses (npr.org) 563

Solar panels will be a required feature on new houses in California, after the state's Building Standards Commission gave final approval to a housing rule that's the first of its kind in the United States. From a report: Set to take effect in 2020, the new standard includes an exemption for houses that are often shaded from the sun. It also includes incentives for people to add a high-capacity battery to their home's electrical system, to store the sun's energy. "These provisions really are historic and will be a beacon of light for the rest of the country," said commissioner Kent Sasaki, according to The Mercury News. "[It's] the beginning of substantial improvement in how we produce energy and reduce the consumption of fossil fuels."

The rule marks a new phase in California's environmental policies, which have often set trends and established standards nationwide. The state has set the goal of drawing 100 percent of its electricity from renewable energy sources and sharply reducing greenhouse gas emissions. The solar panels rule was initially endorsed as part of the state's Green Building Standards Code by the California Energy Commission back in May.

China

Chinese Mobile App Companies Are a National Security Risk, Says a Top Democrat (cnet.com) 76

Chinese mobile app companies pose the same national security risk to the US as telecom giants like Huawei and ZTE, Sen. Mark Warner said in an interview. From a report: Recent US legislation largely banned Huawei and ZTE from use by the government and its contractors, due to concerns about surveillance and other national security risks. Now Warner, the top Democrat on the Senate Intelligence Committee, is signaling that Chinese app developers may face similar scrutiny from lawmakers, corporate America, and the intelligence community.

Warner's comments follow a recent BuzzFeed News report that popular apps from China's Cheetah Mobile and Kika Tech were exploiting user permissions to engage in a form of ad fraud. Eight Android apps with more than 2 billion total downloads were said to be engaging in a form of app-install ad fraud. Google subsequently removed two of the apps from the Play store and said it continues to investigate. Cheetah and Kika deny engaging in app-install fraud. "Under Chinese law, all Chinese companies are ultimately beholden to the Communist Party, not their board or shareholders, so any Chinese technology company -- whether in telecom or mobile apps -- should be seen as extensions of the state and a national security risk," Warner said in an interview this week with BuzzFeed News.
Further reading: Sen. Warner calls for US cyber doctrine, new standards for security.
EU

EU Governments Agree To Tougher Stance On E-evidence (reuters.com) 19

EU governments agreed on Friday to toughen up draft rules allowing law enforcement authorities to obtain electronic evidence that is stored in the cloud in another European country directly from tech companies such as Facebook and Google. From a report: The move underlines the growing trend in Europe to rein in tech giants, whether on the regulatory front or the antitrust front. The e-evidence proposal also came in the wake of recent deadly terrorist attacks in Europe, pressure on tech companies to do more to cooperate with police investigations and people's growing tendency to store and share information on WhatsApp, Facebook, Viber, Skype, Instagram and Telegram.

The European Commission, the EU executive, came up with the draft legislation in April, which includes a 10-day deadline for companies to respond to police requests, or 6 hours in emergency cases, and fines of up to 2 percent of a company's global turnover for not complying with such orders. The proposal covers telecoms service providers, online marketplaces and internet infrastructure service providers, and applies to subscriber data, access data, transactional data and content data.

Transportation

Luxembourg To Become First Country To Make All Public Transport Free (theguardian.com) 215

An anonymous reader quotes a report from The Guardian: Luxembourg is set to become the first country in the world to make all its public transport free. Fares on trains, trams and buses will be lifted next summer under the plans of the re-elected coalition government led by Xavier Bettel, who was sworn in for a second term as prime minister on Wednesday. Luxembourg City, the capital of the small Grand Duchy, suffers from some of the worst traffic congestion in the world. It is home to about 110,000 people, but a further 400,000 commute into the city to work. A study suggested that drivers in the capital spent an average of 33 hours in traffic jams in 2016. While the country as a whole has 600,000 inhabitants, nearly 200,000 people living in France, Belgium and Germany cross the border every day to work in Luxembourg.

Luxembourg has increasingly shown a progressive attitude to transport. This summer, the government brought in free transport for every child and young person under the age of 20. Secondary school students can use free shuttles between their institution and their home. Commuters need only pay about $2.27 for up to two hours of travel, which in a country of just 999 sq miles (2,590 sq km) covers almost all journeys. Now, from the start of 2020 all tickets will be abolished, saving on the collection of fares and the policing of ticket purchases. The policy is yet to be fully thought through, however. A decision has yet to be taken on what to do about first- and second-class compartments on trains.

Privacy

Facial Recognition Has To Be Regulated To Protect the Public, Says AI Report (technologyreview.com) 55

A new report (PDF) from the AINow Institute calls for the U.S. government to take general steps to improve the regulation of facial recognition technology amid much debate over the privacy implications. "The implementation of AI systems is expanding rapidly, without adequate governance, oversight, or accountability regimes," it says. The report suggests, for instance, extending the power of existing government bodies in order to regulate AI issues, including use of facial recognition: "Domains like health, education, criminal justice, and welfare all have their own histories, regulatory frameworks, and hazards." MIT Technology Review reports: It also calls for stronger consumer protections against misleading claims regarding AI; urges companies to waive trade-secret claims when the accountability of AI systems is at stake (when algorithms are being used to make critical decisions, for example); and asks that they govern themselves more responsibly when it comes to the use of AI. And the document suggests that the public should be warned when facial-recognition systems are being used to track them, and that they should have the right to reject the use of such technology.

The report also warns about the use of emotion tracking in face-scanning and voice detection systems. Tracking emotion this way is relatively unproven, yet it is being used in potentially discriminatory ways -- for example, to track the attention of students. "It's time to regulate facial recognition and affect recognition," says Kate Crawford, cofounder of AINow and one of the lead authors of the report. "Claiming to 'see' into people's interior states is neither scientific nor ethical."

China

China Calls For Release of Arrested Huawei CFO Detained In Canada (nbcnews.com) 200

China is demanding the release of a senior executive at Huawei after she was detained in Canada pending extradition to the U.S. Wanzhou Meng, who is also the deputy chair of Huawei's board and the daughter of company founder Ren Zhengfei, is suspected of violating U.S. trade sanctions against Iran. NBC News reports: The arrest of Meng Wanzhou, chief financial officer and daughter of the company's founder Ren Zhengfei, spooked investors, with U.S. stocks tumbling on fears of a flare-up in Chinese-U.S. tensions. She was arrested in Vancouver, British Columbia, on Dec. 1. China's Ministry of Foreign Affairs said officials have been contacted both in the U.S. and Canada to demand Meng's release. Geng Shuang, a spokesman for the ministry, said her detention needed to be explained, and both countries had to "effectively protect the legitimate rights and interests of the person concerned." A spokesperson for Huawei said in a statement that it "complies with all applicable laws and regulations where it operates, including applicable export control and sanction laws and regulations."

Encryption

Australia Passes Anti-Encryption Laws [Update] (zdnet.com) 289

Earlier today, Australia's House of Representatives passed the Assistance and Access Bill. The bill, known as the Anti-Encryption Bill, would allow the nation's police and anti-corruption agencies to ask, and then compel, internet companies, telcos, messaging providers, or anyone else deemed necessary, to give them access to whatever content they want. "While the Bill can still be blocked by the Senate -- Australian Twitter has been quite vocal over today's proceedings, especially in regards to the [Australian Labor Party's] involvement," reports Gizmodo. ZDNet highlights the key findings from a report from the Parliamentary Joint Committee on Intelligence and Security (PJCIS): The threshold for industry assistance is recommended to be lifted to offenses with maximum penalties in excess of three years; Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) will be subject to statutory time limits, as will any extension, renewal, or variation of the notices; the systemic weakness clause will apply to all listed acts and things; and a double-lock mechanism requiring approval from both the Attorney-General and the Minister for Communications will be needed, with the report saying the Communications Minister will provide "a direct avenue for the concerns of the relevant industry to be considered as part of the approval process."

The report's recommendations also call for a review after 18 months of the Bill coming into effect by the Independent National Security Legislation Monitor; TANs issued by state and territory police forces to be approved by the Australian Federal Police commissioner; companies issued with notices are able to appeal to the Attorney-General to disclose publicly the fact they are issued a TCN; and the committee will review the passed legislation in the new year and report by April 3, 2019, right around when the next election is expected to be called.
In short: "Testimony from experts has been ignored; actual scrutiny of the Bill is kicked down the road for the next Parliament; Labor has made sure it is not skewered by the Coalition and seen to be voting against national security legislation on the floor of Parliament; and any technical expert must have security clearance equal to Australia's spies, i.e. someone who has been in the spy sector." Further reading: Australia Set To Spy on WhatsApp Messages With Encryption Law.

UPDATE: The encryption bill has passed the Senate with a final vote of 44-12, with Labor and the Coalition voting for it. "Australia's security and intelligence agencies now have legal authority to force encryption services to break the encryptions," reports The Guardian. The story is developing...

The Internet

FCC Chairman Admits Russia Meddled In Net Neutrality Debate (engadget.com) 171

FCC Chairman Ajit Pai has admitted that around 500,000 comments submitted during the net neutrality public comment period were linked to Russian email addresses. "Pai noted in a court filing that most of the comments were in favor of net neutrality, which the FCC repealed last December," reports Engadget. From the report: The New York Times and BuzzFeed News have filed freedom of information requests in the hopes of uncovering the extent of fraudulent comments and Russian influence in the net neutrality process. Pai's filing was part of an FCC memorandum that addressed the requests, and the agency has argued that releasing the data could expose the U.S. to cyberattacks.

Pai's concession underscores how Russia's influence on U.S. democracy extends beyond headline-grabbing election interference and fake news peddling, and it also reflects the litany of issues the FCC faced during the net neutrality comment period. Over half of the almost 22 million comments came from phony, temporary or duplicate email addresses, according to a study, and reportedly only 17.4 percent of the comments were unique.

Canada

Canada Arrests Top Huawei Executive For Allegedly Violating Iran Sanctions (theglobeandmail.com) 163

Canada has arrested Huawei's chief financial officer on suspicion of violating U.S. trade sanctions against Iran. "Wanzhou Meng, who is also the deputy chair of Huawei's board and the daughter of company founder Ren Zhengfei, was arrested in Vancouver at the request of U.S. authorities," reports The Globe and Mail. From the report: "Wanzhou Meng was arrested in Vancouver on December 1. She is sought for extradition by the United States, and a bail hearing has been set for Friday," Justice department spokesperson Ian McLeod said in a statement to The Globe and Mail. "As there is a publication ban in effect, we cannot provide any further detail at this time. The ban was sought by Ms. Meng."

A Canadian source with knowledge of the arrest said U.S. law enforcement authorities are alleging that Ms. Meng tried to evade the U.S. trade embargo against Iran but provided no further details. Since at least 2016, U.S. authorities have been reviewing Huawei's alleged shipping of U.S.-origin products to Iran and other countries in violation of U.S. export and sanctions laws.

Transportation

Thieves Are Boosting the Signal From Key Fobs Inside Homes To Steal Vehicles (www.cbc.ca) 269

An anonymous reader quotes a report from CBC.ca: According to Markham automotive security specialist Jeff Bates, owner of Lockdown Security, wireless key fobs have a role to play in many recent car thefts, with thieves intercepting and rerouting their signals -- even from inside homes -- to open and steal cars. According to Bates, many of these thieves are using a method called "relay theft." Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start. The thief will bring a device close to the home's door, close to where most keys are sitting, to boost the fob's signal. They leave another device near the vehicle, which receives the signal and opens the car. Many people don't realize it, Bates said, but the thieves don't need the fob in the car to drive it away. Bates says, if you have a key fob that can wirelessly unlock/start your car, you should not keep it by the front door.

"If you do live in a house, try to leave your keys either upstairs or ... as far away from the vehicle as possible," he said. "The other thing that you can do is there are products out there that you can put your key fob into," such as a faraday cage -- a box used to block radio signals -- a key pouch, which works similarly, or even a steel box.
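
The relay described above works because the thieves' two devices forward the radio exchange unchanged: the car sees a perfectly genuine fob answer and has no way to know it came through the front door. The following is an added model of that attack, not code from the CBC report or any vehicle maker. The challenge-response exchange, the shared key and every timing figure are constructed assumptions of the model; so is the round-trip-time bound used as the vehicle-side defence, which is the distance-bounding idea rather than anything the article attributes to a manufacturer.

```python
"""Model of a passive-entry handshake and the relay attack on it. Added
example; the HMAC challenge-response, shared key and all timings are
constructed assumptions, not details from the CBC report or any vehicle."""
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-key-shared-by-car-and-fob"

# Constructed timing model, in microseconds.
FOB_PROCESSING_US = 50    # fob computes and transmits its answer
RELAY_HOP_US = 300        # each thief device adds decode/re-transmit delay


class Fob:
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        """Answer the car's random challenge with an HMAC under the shared key."""
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def direct_channel(fob: Fob):
    """Fob genuinely next to the car: reply arrives after its own processing."""
    def send(challenge: bytes):
        return fob.respond(challenge), FOB_PROCESSING_US
    return send


def relay_channel(fob: Fob):
    """Two thief devices: one at the house door captures the car's challenge
    and forwards it to the fob inside; the other, by the car, replays the
    fob's reply. The bytes are untouched; only latency is added."""
    def send(challenge: bytes):
        forwarded = bytes(challenge)          # door device -> fob
        reply = fob.respond(forwarded)
        replayed = bytes(reply)               # car-side device -> car
        return replayed, FOB_PROCESSING_US + 2 * RELAY_HOP_US
    return send


class Car:
    def __init__(self, key: bytes, max_rtt_us=None):
        self._key = key
        self._max_rtt_us = max_rtt_us   # None: no timing check, as in the thefts described

    def try_unlock(self, channel) -> dict:
        challenge = os.urandom(16)
        reply, rtt_us = channel(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        crypto_ok = hmac.compare_digest(reply, expected)
        timing_ok = self._max_rtt_us is None or rtt_us <= self._max_rtt_us
        return {"crypto_ok": crypto_ok, "timing_ok": timing_ok,
                "unlocked": crypto_ok and timing_ok, "rtt_us": rtt_us}


def scenarios() -> dict:
    """Same fob and key in all four cases; only the channel and the car's
    timing policy differ."""
    fob = Fob(SHARED_KEY)
    naive = Car(SHARED_KEY)                       # trusts any valid reply
    bounded = Car(SHARED_KEY, max_rtt_us=150)     # rejects replies that took too long
    return {
        "naive_direct": naive.try_unlock(direct_channel(fob))["unlocked"],
        "naive_relay": naive.try_unlock(relay_channel(fob))["unlocked"],
        "bounded_direct": bounded.try_unlock(direct_channel(fob))["unlocked"],
        "bounded_relay": bounded.try_unlock(relay_channel(fob))["unlocked"],
    }


if __name__ == "__main__":
    for name, unlocked in scenarios().items():
        print(f"{name:15s} unlocked={unlocked}")
```

The naive car unlocks through the relay because the cryptography is sound and irrelevant: nothing in the reply says how far it travelled. The faraday pouch the article recommends breaks the first hop by keeping the door device from ever reaching the fob; a round-trip bound is the corresponding check a vehicle can apply on its own side.
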
Facebook

Facebook Used Its VPN App To Track Competitors, Documents Reveal (mashable.com) 48

Newly public documents reveal just how paranoid Facebook was of its potential competitors and shine new light on some of the company's most important acquisitions. From a report: The internal documents, made public as part of a cache of documents released by UK lawmakers, show just how close an eye the social network was keeping on competitors like WhatsApp and Snapchat, both of which became acquisition targets. The documents, which are labeled "highly confidential," show slides from an internal presentation in 2013 that compares Facebook's reach to competing apps, including WhatsApp and Snapchat. While Facebook and Instagram lead in market share, it's clear why Facebook may have viewed Snapchat and WhatsApp as potential threats. [...] Facebook's presentation relied on data from Onavo, the virtual private network (VPN) service which Facebook also acquired several months later. Facebook's use of Onavo, which has been likened to "corporate spyware," has itself been controversial.

Facebook

Internal Emails Show Facebook Weighing the Privacy Risks of Quietly Collecting Call and Text Records From Its Android Users -- Then Going Ahead Anyway (theverge.com) 117

Earlier this year, many Android users were shocked to discover that Facebook had been collecting a record of their call and SMS history, as revealed by the company's data download tool. Now, internal emails released by the UK Parliament show how the decision was made internally. From a report: According to the emails, developers knew the data was sensitive, but they still pushed to collect it as a way of expanding Facebook's reach. The emails show Facebook's growth team looking to call log data as a way to improve Facebook's algorithms as well as to locate new contacts through the "People You May Know" feature. Notably, the project manager recognized it as "a pretty high-risk thing to do from a PR perspective," but that risk seems to have been overwhelmed by the potential user growth.

Initially, the feature was intended to require users to opt in, typically through an in-app pop-up dialog box. But as developers looked for ways to get users signed up, it became clear that Android's data permissions could be manipulated to automatically enroll users if the new feature was deployed in a certain way.

Portables (Apple)

Apple Hit With Class Action Suit Over Lack of Dust Filters In Macbook, iMac (9to5mac.com) 208

AmiMoJo shares a report from 9to5Mac: Apple is facing a new class action lawsuit claiming that it sells select iMac and MacBook models without needed dust filters. In turn, this causes issues such as display imperfections, slowing performance, and more, the lawsuit alleges. The iMac and MacBook lawsuit is being brought forward by law firm Hagens Berman Sobol Shapiro, which is a class action litigation firm that has gone after Apple before. Most notably, the firm won the infamous $450 million ebooks pricing case against Apple. Since then, Hagens Berman has filed other suits against Apple, including one regarding the performance throttling of iPhones. Hagens Berman's latest lawsuit reads in part: "iMac and MacBook owners have reported dark smudges and spots on the interior of the screens of their desktop computers as well as excessive slowness and breakdowns of their computers related to the lack of filter on Apple computers. The computer intakes air to cool its components, but with no filter, dust gets trapped inside. This affects the screen and logic board of the computer, leading to dust stuck behind the screen and gummed up motherboards, causing the computer to run slow and/or overheat."

Hagens Berman says "Apple refuses to remedy the defect," instead forcing affected customers to pay "more than $500 to fix this screen defect, and even more if they wish to replace parts integral to the computer's speed and performance." "We believe Apple owes it to the purchasers of these premium, high-end computers to pay for the widespread defect, and we seek to represent iMac owners to recover their losses in costs to repair this defect, or for their loss of use of their computer."
Privacy

The Secret Service Wants To Test Facial Recognition Around the White House (theverge.com) 55

The Secret Service is planning to test facial recognition surveillance around the White House, "with the goal of identifying 'subjects of interest' who might pose a threat to the president," reports The Verge. The document with the plans was published by the American Civil Liberties Union, describing "a test that would compare closed circuit video footage of public White House spaces against a database of images -- in this case, featuring employees who volunteered to be tracked." From the report: The test was scheduled to begin on November 19th and to end on August 30th, 2019. While it's running, film footage with a facial match will be saved, then confirmed by human evaluators and eventually deleted. The document acknowledges that running facial recognition technology on unaware visitors could be invasive, but it notes that the White House complex is already a "highly monitored area" and people can choose to avoid visiting. We don't know whether the test is actually in operation, however. "For operational security purposes we do not comment on the means and methods of how we conduct our protective operations," a spokesperson told The Verge.

The ACLU says that the current test seems appropriately narrow, but that it "crosses an important line by opening the door to the mass, suspicionless scrutiny of Americans on public sidewalks" -- like the road outside the White House. (The program's technology is supposed to analyze faces up to 20 yards from the camera.) "Face recognition is one of the most dangerous biometrics from a privacy standpoint because it can so easily be expanded and abused -- including by being deployed on a mass scale without people's knowledge or permission."

China

China Announces Punishments For Intellectual-Property Theft (bloomberg.com) 67

China has announced an array of punishments that could restrict companies' access to borrowing and state-funding support over intellectual-property theft. The news comes after the G20 Summit in Argentina, where the Trump Administration agreed to hold off on tariff action for at least 90 days as they negotiate to resolve specific U.S. complaints. Bloomberg reports: China set out a total of 38 different punishments to be applied to IP violations, starting this month. The document, dated Nov. 21, was released Tuesday by the National Development and Reform Commission and signed by various government bodies, including the central bank and supreme court. China says violators would be banned from issuing bonds or other financing tools, and participating in government procurement. They would also be restricted from accessing government financial support, foreign trade, registering companies, auctioning land or trading properties. In addition, violators will be recorded on a list, and financial institutions will refer to that when lending or granting access to foreign exchange. Names will be posted on a government website. "This is an unprecedented regulation on IP violation in terms of the scope of the ministries and severity of the punishment," said Xu Xinming, a researcher at the Center for Intellectual Property Studies at China University of Political Science and Law. The newly announced punishments are "a security net of IP protection" targeting repeat offenders and other individuals who aren't in compliance with the law, he said.
Security

Quora Data Breach Exposes 100 Million Users' Personal Info (cbsnews.com) 40

schwit1 shares a report from CBS News: Information-sharing website Quora has announced a data breach which has exposed "approximately 100 million users'" personal data. The company said in a statement released Monday that it discovered the "unauthorized access to one of our systems by a malicious third party" on Friday. Chief Executive Adam D'Angelo wrote in the blog post that Quora had alerted law enforcement authorities and was "working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future." D'Angelo said Quora was working to alert the affected users of the site, whose names, email addresses and encrypted passwords, and public content such as their questions, answers and comments, were exposed through the breach. Those users would be required to reset their passwords, D'Angelo said.
Privacy

Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps (techcrunch.com) 78

An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.

Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year, when Marriott used it to ask its users to update their passwords. Others have also resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.
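Two checks a defender can run against a breach-notification sender domain, as an added example (not code from TechCrunch, Marriott, Troy Hunt or FireEye): a DMARC posture summary, which is what "easily spoofable" comes down to in practice (no DMARC record, or a policy of p=none, means receivers will not reject forged mail from the domain), and a lookalike finder that flags candidate domains sitting within a small edit distance of the legitimate one, the way "email-mariott.com" sits one deletion away from "email-marriott.com". The DMARC and SPF record strings in the block are constructed for the example and are not the real records of any Marriott domain; for a live check you would pass in the TXT records fetched from `_dmarc.<domain>`.

```python
"""Sender-domain checks for a breach notification (added example; constructed data)."""
from typing import Dict, List, Tuple

# Digraphs and characters attackers use to imitate letters. Both sides of a
# comparison are normalised with the same table, so "ernail" scores close to "email".
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(domain: str) -> str:
    d = domain.lower().strip(".")
    for bad, good in _HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domains(legit: str, candidates: List[str], max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (candidate, distance) pairs that imitate `legit`, closest first."""
    base = normalise(legit)
    hits = []
    for cand in candidates:
        if cand.lower() == legit.lower():
            continue  # the genuine domain itself is not a lookalike
        d = edit_distance(base, normalise(cand))
        if d <= max_distance:
            hits.append((cand, d))
    return sorted(hits, key=lambda h: h[1])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_assessment(txt_records: List[str]) -> Dict[str, object]:
    """Summarise DMARC posture from the TXT records found at _dmarc.<domain>.

    'enforcing' is True only when the policy is quarantine or reject and applies
    to 100% of mail; p=none merely reports and stops nothing.
    """
    for rec in txt_records:
        tags = parse_dmarc(rec)
        if tags.get("v", "").upper() == "DMARC1":
            policy = tags.get("p", "none").lower()
            pct = int(tags.get("pct", "100"))
            enforcing = policy in ("quarantine", "reject") and pct == 100
            return {"has_dmarc": True, "policy": policy, "pct": pct, "enforcing": enforcing}
    return {"has_dmarc": False, "policy": None, "pct": 0, "enforcing": False}


if __name__ == "__main__":
    # Constructed inputs: a sender domain and some candidate registrations to screen.
    sender = "email-marriott.com"
    seen = ["email-mariott.com", "ernail-marriott.com", "marriott.com", "example.org"]
    print("lookalikes:", lookalike_domains(sender, seen))
    # Constructed TXT records; a real check fetches them from _dmarc.<sender>.
    print("weak:", dmarc_assessment(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
    print("strong:", dmarc_assessment(["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]))
```

The lookalike check only works against a list you already hold (newly registered domains from a zone feed, certificate-transparency log entries, your mail gateway's sender log); it is a screen, not a substitute for telling customers which domain is genuine, which is the point the TechCrunch piece makes about the buried note on Marriott's site.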

Piracy

Sci-Hub 'Pirate Bay of Science' Blocked In Russia Over Medical Studies 65

UK academic publisher Springer Nature has filed a complaint against Sci-Hub, a site that provides open access to scientific research papers. "The Moscow City Court was told that Sci-Hub is infringing the company's copyrights and should, therefore, be subjected to blocking," reports TorrentFreak. "Listing 'bulletproof' hosting company Quasi Networks and U.S.-based CloudFlare as facilitating access to the site, Springer Nature complained that three specific works were being made available illegally by Sci-Hub." From the report: As the above table obtained from the Court shows, the research papers cover topics of interest to the medical community in the spheres of heart and brain health -- Effect of glucose-lowering therapies on heart failure, Nitric oxide signaling in cardiovascular health and disease, and Lactate in the brain: from metabolic end-product to signaling molecule. These would ordinarily sit behind paywalls but thanks to Sci-Hub, their contents are available for everyone to absorb for free. It's a situation that's unacceptable to Springer Nature and the Moscow City Court was sympathetic to the company's complaints. As a result, several Sci-Hub and Library Genesis domains (gen.lib.rus.ec, www.libgen.io, scihub.unblocked.gdn, lgmag.org, libgen.unblocked.gdn, sci-hub.tw and libgen.io) are now being rendered inaccessible by Russian Internet Service Providers.
Power

Trump Administration Wants To End Subsidies For Electric Cars, Renewables (reuters.com) 481

White House economic adviser Larry Kudlow said on Monday that the United States wants to end subsidies for electric cars and other items including renewable energy sources. "Asked about actions planned after General Motors announced U.S. plant closings and layoffs last week, Kudlow said he expected subsidies for buying electric cars will end in 2020 or 2021," reports Reuters. "Kudlow said the Trump administration will end other subsidies, including on 'renewables.'"
Piracy

Search Engine DuckDuckGo Removes 'Pirate' Site Bangs To Avoid Liability (torrentfreak.com) 56

DuckDuckGo, a privacy-focused search engine, offers a variety of useful features such as instant answers and bangs. The latter are particularly useful for people who want to use DuckDuckGo to search directly on other sites. Typing '!yt keyword', for instance, will do a direct search on YouTube, while '!w keyword' goes to Wikipedia. This library of bangs has been around for a long time and has grown to more than 10,000 over the years.

From a report: However, a few days ago, roughly 2,000 of these were removed. Interestingly, this included many bangs that link to torrent sites, such as The Pirate Bay, 1337x and RARBG. Similarly, bangs for OpenSubtitles, Sci-Hub and LibGen are gone too. Initially, it was unclear what had happened, but after people started asking questions on Reddit, DuckDuckGo staff explained that this was part of a larger cleanup operation. DuckDuckGo went through its bangs library and removed all non-working versions, as well as verbose ones that were not actively used. In addition, many pirate site bangs were deleted as these are no longer "permitted."

"Bangs had been neglected for some time, and there were tons of broken ones. As part of the bang clean-up, we also removed some that were pointing to primarily illegal content," DuckDuckGo staffer Tagawa explains. The search engine still indexes the sites in question but it feels that offering curated search shortcuts for these sites in their service might cause problems. "It may not seem like so at first blush, but it is very different legally if it is a bang vs. in the search results because the bangs are added to the product by us explicitly, and can be interpreted legally as an editorial decision that is actively facilitating that site and its content," the staff wrote.

Censorship

Tumblr Will Ban All Adult Content On December 17th (theverge.com) 317

Tumblr, the underground social media site known for its pornographic content and tight-knit community, will be instituting a major change to its guidelines in a couple of weeks. The company said in a blog post today that it will permanently ban adult content from its platform on December 17th. The company flatly stated that "adult content will no longer be allowed here." The Verge reports: Banned content includes photos, videos, and GIFs of human genitalia, female-presenting nipples, and any media involving sex acts, including illustrations. The exceptions include nude classical statues and political protests that feature nudity. The new guidelines exclude text, so erotica remains permitted. Illustrations and art that feature nudity are still okay -- so long as sex acts aren't depicted -- and so are breastfeeding and after-birth photos.

After December 17th, any explicit posts will be flagged and deleted by algorithms. For now, Tumblr is emailing users who have posted adult content flagged by algorithms and notifying them that their content will soon be hidden from view. Posts with porn content will be set to private, which will prevent them from being reblogged or shared elsewhere in the Tumblr community.
"Blogs that have been either self-flagged or flagged by us as 'explicit' per our old policy and before December 17, 2018 will still be overlaid with a content filter when viewing these blogs directly," the blog post reads. "While some of the content on these blogs may now be in violation of our policies and will be actioned accordingly, the blog owners may choose to post content that is within our policies in the future, so we'd like to provide that option..."
Security

Prison Inmates Catfished $560,000 Out of Military Service Members in Sextortion Scam, NCIS Says (gizmodo.com) 165

Hundreds of military service members reportedly got caught up in a sextortion scam run by prison inmates using cellphones, according to a release issued by the Naval Criminal Investigative Service (NCIS). From a report: Military agents from multiple criminal investigation groups have served summons and issued warrants for arrests related to the scheme. According to the NCIS, South Carolina and North Carolina prison inmates, assisted by outside accomplices, sought out service members through dating sites and social media, then took on false identities, feigned romantic interest, and exchanged photos.

Once the inmates had successfully catfished their targets, they would then pose as the father of the fake persona, insisting their child was underage and that the target had therefore committed a crime by exchanging photos. In some situations, the "father" claimed he wouldn't press charges if the target gave him money. Sometimes the catfisher would pose as law enforcement requesting money for the family.

Privacy

SKY Brasil Exposes 32 Million Customer Records 19

Independent security researcher Fabio Castro found data belonging to 32 million customers of SKY Brasil exposed online. "Using the advanced features of the Shodan search engine, he was able to discover multiple servers in Brazil running Elasticsearch that made information available without authentication," reports BleepingComputer. "A cluster of servers called 'digital-logs-prd' attracted the researcher's attention and with a simple command, he listed the indices available, one of them 429.1GB in size." From the report: The file included personally identifiable information of SKY Brasil customers, which featured full name, email address, service login password, client IP address, payment methods, phone number, and street address. SKY Brasil is a telecommunications company that also offers television services, being the second-largest provider of pay-TV services in the country, according to statistics from March. In a conversation with BleepingComputer, Castro said that he reported his findings to the company, which fixed the problem by restricting access with a password, an operation that takes just a few minutes. Because the server had been exposed for a long time, the protective measure may have come too late. Castro told us that it is very possible that criminals have already grabbed the data.
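The failure mode above is a cluster bound to a public interface with no authentication in front of the REST API. As an added example (not code from BleepingComputer, Fabio Castro or SKY Brasil), the block below does two offline things: it reads the flat `key: value` settings of an `elasticsearch.yml` and reports the weak combination next to a hardened one, and it parses the output of the "simple command" an unauthenticated visitor can run, `GET /_cat/indices?v`, ranking indices by store size so a 429.1 GB index stands out. The configuration texts, the index UUIDs and the `_cat/indices` rows are constructed for the example. The hardened config assumes the X-Pack security settings are available on the version in use; where they are not, the equivalent fix is binding `network.host` to loopback or a private interface and putting an authenticating reverse proxy in front, and the same check flags the exposed state either way.

```python
"""Elasticsearch exposure checks (added example; constructed configs and output)."""
import re
from typing import Dict, List, Tuple

_SIZE_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}
_LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}  # _local_ is the Elasticsearch default

# Constructed: the exposed shape, public bind address and no security settings at all.
WEAK_CONFIG = """\
cluster.name: digital-logs-prd
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed: private bind address, authentication and TLS on the HTTP listener.
HARDENED_CONFIG = """\
cluster.name: digital-logs-prd
network.host: 10.20.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Constructed _cat/indices?v output; UUIDs and counts are invented.
SAMPLE_CAT_INDICES = """\
health status index            uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   digital-logs-prd Qa1b2c3d4e5f6g7h8i9j0k   5   1   28123456            0    429.1gb        214.5gb
yellow open   kibana-samples   Zz9y8x7w6v5u4t3s2r1q0p   1   1        120            0      2.3mb          2.3mb
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read the flat dotted-key settings elasticsearch.yml normally uses (comments stripped)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _truthy(value: str) -> bool:
    return value.lower() in ("true", "yes", "1")


def assess_elasticsearch_config(text: str) -> List[str]:
    """Return findings for the bind-address/authentication/TLS combination."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")
    # Conservative: any non-loopback value (0.0.0.0, _site_, a LAN address) is treated
    # as reachable from beyond the host; a firewall may still narrow that in practice.
    reachable = host not in _LOOPBACK
    auth = _truthy(s.get("xpack.security.enabled", "false"))
    tls = _truthy(s.get("xpack.security.http.ssl.enabled", "false"))
    findings = []
    if reachable and not auth:
        findings.append(f"network.host={host} with no authentication: REST API open to anyone who can reach port {s.get('http.port', '9200')}")
    if reachable and not tls:
        findings.append("HTTP listener without TLS: documents and any credentials cross the network in clear text")
    return findings


def _size_to_bytes(token: str) -> int:
    m = re.fullmatch(r"([0-9.]+)([a-z]+)", token.lower())
    if not m or m.group(2) not in _SIZE_UNITS:
        raise ValueError(f"unrecognised size {token!r}")
    return int(float(m.group(1)) * _SIZE_UNITS[m.group(2)])


def parse_cat_indices(text: str) -> List[Tuple[str, int]]:
    """Parse `_cat/indices?v` output into (index, store bytes), largest first."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    idx_col, size_col = header.index("index"), header.index("store.size")
    rows = []
    for line in lines[1:]:
        cols = line.split()
        rows.append((cols[idx_col], _size_to_bytes(cols[size_col])))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess_elasticsearch_config(cfg) or ["no findings"])
    for index, size in parse_cat_indices(SAMPLE_CAT_INDICES):
        print(f"{index:20s} {size / 1024 ** 3:8.1f} GB")
```

Restricting access "with a password" closes the hole going forward only; the index parser is also useful after the fact, because the sizes and document counts tell you how much was reachable and for how long the cluster had been accumulating it.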
Intel

Intel Sues Ex-Engineer For Trying To Steal 3D XPoint Technology On His Way To Micron (theregister.co.uk) 33

Intel filed a lawsuit last week against one of its former hardware engineers, alleging he tried to steal confidential chip blueprints to potentially pass on to Micron. "The lawsuit [...] is the latest twist in the tale of Intel and Micron's difficult partnership over 3D XPoint memory," reports The Register. From the report: The legal complaint, aimed at former employee Doyle Rivers, alleges that having "secretly" accepted a position at Chipzilla's former bedfellow, Micron, Rivers had a go at taking confidential trade and personnel data with him as he left. Intel alleged that a few days before leaving, "Rivers tried to access and copy a 'top secret' designated Intel file that Intel's electronic security system blocked from being copied."

Chipzilla said the document was related to what it was at pains to say is its "independent" work to productize the 3D XPoint tech into its Optane product line. In other words, blueprints secret to Intel. No one outside Intel, "including Micron" had been privy to such data, the complaint alleged. Intel's security system stopped the file from escaping, but according to the complaint, that did not stop Rivers from allegedly hoovering up a selection of personnel files into a USB device plugged into his computer. The chipmaker also claimed that Rivers "aggressively" recruited his former colleagues to join him on his grand adventure to pastures new.
Intel demanded that Rivers return the USB drive, but he apparently "never responded" to them. Instead, "he handed the USB device over to his new employer." It was later discovered by a forensic investigator that it had been wiped. Intel is now demanding "a neutral forensic investigator" be allowed to take a look at Rivers' PC to see what was on there, and when exactly the USB stick was erased. There's a deadline of November 16 for Rivers to agree to this probing.
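The two signals in the complaint, a blocked copy of a "top secret" file and a bulk transfer of files to a USB device in the days before departure, are exactly what an insider-threat detection should join against a list of employees who have given notice. As an added example (not Intel's security system and not drawn from the complaint), the block below runs such a rule over constructed endpoint-DLP log lines. The log format, user names, labels, byte counts and the departure watchlist are all invented for the example.

```python
"""Departure-window exfiltration rule over constructed DLP logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) label=(?P<label>\S+) "
    r"dest=(?P<dest>\S+) bytes=(?P<bytes>\d+) result=(?P<result>\S+)$"
)
RESTRICTED_LABELS = {"top_secret", "confidential"}

# Constructed sample: alice is not leaving; bob has given notice and, in one
# evening, is blocked copying a top_secret file and then moves ~1.1 GB of
# confidential files to removable media; carol's copy goes to a network share.
SAMPLE_LOG = """\
2018-10-08T09:12:04Z user=alice action=copy label=internal dest=removable bytes=2048 result=allowed
2018-10-10T17:41:30Z user=bob action=copy label=top_secret dest=removable bytes=0 result=blocked
2018-10-10T17:43:02Z user=bob action=copy label=confidential dest=removable bytes=734003200 result=allowed
2018-10-10T17:50:11Z user=bob action=copy label=confidential dest=removable bytes=419430400 result=allowed
2018-10-11T08:05:00Z user=carol action=copy label=internal dest=network_share bytes=10485760 result=allowed
"""

# Constructed watchlist: user -> last working day, as HR would supply it.
WATCHLIST = {"bob": "2018-10-19", "carol": "2018-10-31"}


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def detect_departure_exfil(events: List[dict], watchlist: Dict[str, str],
                           window_days: int = 14,
                           bulk_threshold: int = 500 * 1024 * 1024) -> List[dict]:
    """Alert on departing users who trip a restricted-file block or move bulk data to removable media.

    Only events inside [last_day - window_days, last_day + 1 day] are considered, so a
    departing user's ordinary history from months earlier does not inflate the totals.
    """
    alerts: List[dict] = []
    removable_bytes: Dict[str, int] = defaultdict(int)
    for e in events:
        last_day = watchlist.get(e["user"])
        if last_day is None:
            continue
        last_dt = datetime.strptime(last_day, "%Y-%m-%d")
        if not (last_dt - timedelta(days=window_days) <= e["ts"] <= last_dt + timedelta(days=1)):
            continue
        if e["result"] == "blocked" and e["label"] in RESTRICTED_LABELS:
            alerts.append({"user": e["user"], "rule": "blocked_restricted_copy", "evidence": e})
        if e["dest"] == "removable" and e["result"] == "allowed":
            removable_bytes[e["user"]] += e["bytes"]
    for user, total in removable_bytes.items():
        if total >= bulk_threshold:
            alerts.append({"user": user, "rule": "bulk_removable_write", "evidence": {"bytes": total}})
    return alerts


if __name__ == "__main__":
    for alert in detect_departure_exfil(parse_log(SAMPLE_LOG), WATCHLIST):
        print(alert["user"], alert["rule"], alert["evidence"])
```

The block that stops the "top secret" file is only half the story; a single blocked attempt followed by allowed copies of lower-classified files from the same user is the pattern worth paging on, which is why the rule keeps both signals rather than the block alone.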
Crime

Jailed 'Iceman' Hacker Now Charged With Drone-Smuggling Scheme Orchestrated From Prison (washingtontimes.com) 39

In 2010, Max Ray Butler received a 13-year prison sentence for "hacking" -- at the time, the longest one ever -- after stealing nearly 2 million credit cards and running up fraudulent charges over $86 million.

But eight years into his sentence, he's now being charged with committing five more counts of wire fraud while still in prison, as well as possessing stolen credit card numbers and contraband in prison, plus two more related counts of conspiracy.

An anonymous reader quotes the Washington Times: Previously known as Max Ray Butler and by his hacker alias, "Iceman," Max Ray Vision has been charged in a nine-count indictment filed by federal prosecutors that places him at the center of a scheme that allegedly involved using a smuggled cellphone, stolen banking data and a consumer-grade drone to make an airdrop into prison, The Daily Beast first reported Friday.... Prosecutors alleged in the indictment that Vision used a smuggled T-Mobile "My-Touch" cellphone while incarcerated at the Federal Correctional Center in Oakdale, Louisiana, to access the internet and obtain stolen debit card numbers.

"Using MoneyGram and Western Union websites, and their respective mobile applications," a grand jury charged in the indictment, "Butler wired funds from the bank accounts associated with the stolen debit card numbers to other inmates at Oakdale FCC," including five co-defendants also charged in the indictment. He later instructed his fellow inmates to transfer the funds obtained from the stolen debit cards to a former cellmate who had been released in May 2015, according to the indictment... Vision's former cellmate allegedly used the stolen funds to purchase an unmanned aerial vehicle, or drone, that was then used in April 2016 to attempt to smuggle another cellphone and other unspecified contraband into prison, according to the indictment...

He allegedly began using the smuggled Android phone in Oct. 2014, according to the indictment, roughly 18 months before the airdrop.

"The potential for greater crimes [sic] opportunities are obvious," complained the Bureau of Prisons concluded in a report cited by The Daily Beast, "i.e. escape, introduction of firearms, etc.

"Although [Vision] was only equipped with a smartphone, he proved that he is more than capable to disrupt and circumvent the security of the institution and present a clear danger to the community in general."


Advertising

Lenovo Finally Pays $7.3 M Fine Over Invasive 2014 'Superfish' Adware Pre-Installations (softpedia.com) 79

Lenovo will add $7.3 million into a $1M fund settling a class action lawsuit over its undisclosed pre-installation of Superfish's targeting adware on 28 different laptop models in 2014.

Within one year the U.S. Department of Homeland Security had warned that the adware made laptops vulnerable to SSL spoofing, allowing the reading of encrypted web traffic and the redirecting of traffic from official websites to spoofs, while according to Bloomberg the original software itself also "could access customer Social Security numbers, financial data, and sensitive health information, the court said."

An anonymous reader quotes Softpedia: According to a "SuperFish Vulnerability" advisory published by Lenovo on their support website following the discovery of the pre-installed software by consumers, the VisualDiscovery comparison search engine software was designed to work in the background, intercepting HTTP(S) traffic with the help of a self-signed root certificate that allowed it to decrypt and monitor all traffic, encrypted or not.... "VisualDiscovery was installed on nearly 800,000 Lenovo laptops sold in the United States between September 1, 2014 and February 28, 2015," also states the settlement agreement. "On January 18, 2015, in response to mounting complaints about the effects of VisualDiscovery, Lenovo instructed Superfish to turn it off at the server level...."

Out of the 800,000 who bought the laptops that came with VisualDiscovery pre-installed, the 500,000 who registered their devices with Lenovo or bought them from retailers such as Best Buy and Amazon will be contacted directly by the Chinese company and informed about the settlement agreement. The rest of the customers, who cannot be reached straightaway, will be targeted by Lenovo using multiple online advertising platforms, from Google to Twitter and Facebook.

A separate settlement with the FTC in 2017 was criticized for its failure to fine Lenovo -- though it did require the company to get affirmative consent for any future adware programs, plus regular third-party audits of its bundled software for the next 20 years.
United States

George H.W. Bush, 41st President of the United States, Dies At 94 (washingtonpost.com) 408

George H.W. Bush, the 41st president of the United States, has passed away tonight at the age of 94. As The Washington Post reports, he was "the last veteran of World War II to serve as president, he was a consummate public servant and a statesman who helped guide the nation and the world out of a four-decade Cold War that had carried the threat of nuclear annihilation." From the report: Although Mr. Bush served as president three decades ago, his values and ethic seem centuries removed from today's acrid political culture. His currency of personal connection was the handwritten letter -- not the social media blast. He had a competitive nature and considerable ambition that were not easy to discern under the sheen of his New England politesse and his earnest generosity. He was capable of running hard-edge political campaigns, and took the nation to war. But his principal achievements were produced at negotiating tables.

Despite his grace, Mr. Bush was an easy subject for caricature. He was an honors graduate of Yale University who was often at a loss for words in public, especially when it came to talking about himself. Though he was tested in combat when he was barely out of adolescence, he was branded "a wimp" by those who doubted whether he had essential convictions. This paradox in the public image of Mr. Bush dogged him, as did domestic events. His lack of sure-footedness in the face of a faltering economy produced a nosedive in the soaring popularity he enjoyed after the triumph of the Persian Gulf War. In 1992, he lost his bid for a second term as president.
Bush's spokesman Jim McGrath announced his death on Twitter, but didn't provide the cause of death. In 2012, he announced that he had vascular Parkinsonism, a condition that limited his mobility.

UPDATE: George W. Bush, the 43rd President of the United States, has issued a statement on the passing of his father: "Jeb, Neil, Marvin, Doro, and I are saddened to announce that after 94 remarkable years, our dear Dad has died. George H. W. Bush was a man of the highest character and the best dad a son or daughter could ask for. The entire Bush family is deeply grateful for 41's life and love, for the compassion of those who have cared and prayed for Dad, and for the condolences of our friends and fellow citizens."
China

Automakers Give the Chinese Government Access To Location Data of Electric Cars (theverge.com) 32

According to a new report from The Associated Press, a number of China's government officials and entities have had access to the location data of "new energy vehicles" from many different manufacturers. "More than 200 manufacturers (both national and foreign) transmit the data to 'government-backed monitoring centers,' according to the report, including one called 'The Shanghai Electric Vehicle Public Data Collecting, Monitoring and Research Center' and another known as the 'National Big Data Alliance of New Energy Vehicles,'" reports The Verge. From the report: Chinese officials told the AP that this data -- which includes the real-time location of cars, plus "dozens of other data points" -- is collected to "improve public safety" and "facilitate industrial development and infrastructure planning." The officials say the data is also used to "prevent fraud" in the government's subsidy program for new energy vehicles, which offers steep discounts on clean cars. The monitoring systems have been in place since the beginning of 2017, according to a report by the International Council on Clean Transportation from last year. Staffers at the data monitoring centers are able to look at a map, click on a car, and see things like make and model, mileage, and battery charge, according to the AP report.
Cellphones

Samsung's Foldable Screen Tech Has Been Stolen, Sold To China (cnn.com) 75

Prosecutors in South Korea say that Samsung's latest bendable screen technology has been stolen and sold to two Chinese companies. "The prosecutors allege that a Samsung supplier leaked blueprints of Samsung's 'flexible OLED edge panel 3D lamination' to a company that it had set up," reports CNN. "That company then sold the tech secrets to the Chinese firms for nearly $14 million, according to the prosecutors." CNN reports: The Suwon District Prosecutor's Office charged 11 people on Thursday with stealing tech secrets from Samsung, the office said in a statement. They did not name the people or companies involved in the theft. Samsung Display, a subsidiary of the South Korean conglomerate, said in a statement Friday that it was "surprised and appalled at the results of the investigation by prosecutors."

Prosecutors said Samsung invested six years and some 150 billion won ($130 million) to develop the bendable screen. Investigators have not been able to track down and question two Chinese individuals believed to be involved in the case, and have asked Interpol to help find and detain them. Of the 11 people indicted, three have been detained.

Facebook

Facebook Discussed Using People's Data As a Bargaining Chip, Emails and Court Filings Suggest (washingtonpost.com) 30

An anonymous reader quotes a report from The Washington Post: Facebook executives in recent years appeared to discuss giving access to their valuable user data to some companies that bought advertising when it was struggling to launch its mobile-ad business, according to internal emails quoted in newly unredacted court filings. In an ongoing federal court case against Facebook, the plaintiffs claim that the social media giant doled out people's data secretly and selectively in exchange for advertising purchases or other concessions, even as others were cut off, ruining their businesses. The case was brought by one such company, Six4Three, which claims its business was destroyed in 2015 by Facebook's actions.

In one of the exchanges from the filings, Facebook employees discussed shutting down access "in one-go to all apps that don't spend at least $250k a year to maintain access to the data," according to the trove. The documents reference email exchanges regarding Facebook's relations with several large commercial partners, including Lyft, Tinder, Amazon.com, Airbnb and the Royal Bank of Canada. Facebook denies that it exchanged access to people's data for commercial benefit. Thousands of pages of court filings, which Facebook is fighting to keep sealed -- including in an emergency hearing scheduled for Friday afternoon -- illustrate the shrewd strategies the social network employed as it built its advertising empire. The disclosure sheds light on allegations of anti-competitive behavior that could play into efforts by U.S. and European lawmakers to curb the power of technology giants.
"The documents Six4Three gathered for this baseless case are only part of the story and are presented in a way that is very misleading without additional context," Konstantinos Papamiltiadis, Facebook's director of developer platforms and programs, said in a statement. "We stand by the platform changes we made in 2015 to stop a person from sharing their friends' data with developers. Any short-term extensions granted during this platform transition were to prevent the changes from breaking user experience."
Privacy

Companies 'Can Sack Workers For Refusing To Use Fingerprint Scanners' (theguardian.com) 145

Businesses using fingerprint scanners to monitor their workforce can legally sack employees who refuse to hand over biometric information on privacy grounds, the Fair Work Commission has ruled. From a report: The ruling, which will be appealed, was made in the case of Jeremy Lee, a Queensland sawmill worker who refused to comply with a new fingerprint scanning policy introduced at his work in Imbil, north of the Sunshine Coast, late last year. Fingerprint scanning was used to monitor the clock-on and clock-off times of about 150 sawmill workers at two sites and was preferred to swipe cards because it prevented workers from fraudulently signing in on behalf of their colleagues to mask absences.

The company, Superior Woods, had no privacy policy covering workers and failed to comply with a requirement to properly notify individuals about how and why their data was being collected and used. The biometric data was stored on servers located off-site, in space leased from a third party. Lee argued the business had never sought its workers' consent to use fingerprint scanning, and feared his biometric data would be accessed by unknown groups and individuals.

Privacy

Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach (techcrunch.com) 71

An anonymous reader writes: Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach. The hotel and resorts giant said in a statement filed with U.S. regulators that the "unauthorized access" to its guest database was detected on or before September 10 -- but may have dated back as far as 2014. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014," said the statement. "Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it."

Specific details of the breach remain unknown. We've contacted Starwood for more and will update when we hear back. The company said that it obtained and decrypted the database on November 19 and "determined that the contents were from the Starwood guest reservation database." Some 327 million records contained a guest's name, postal address, phone number, date of birth, gender, email address, passport number, Starwood's rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.

China

In China, Your Car Could Be Talking To the Government (apnews.com) 73

schwit1 shares a report: More than 200 manufacturers, including Tesla, Volkswagen, BMW, Daimler, Ford, General Motors, Nissan, Mitsubishi and U.S.-listed electric vehicle start-up NIO, transmit position information and dozens of other data points to government-backed monitoring centers, The Associated Press has found. Generally, it happens without car owners' knowledge. The automakers say they are merely complying with local laws, which apply only to alternative energy vehicles. Chinese officials say the data is used for analytics to improve public safety, facilitate industrial development and infrastructure planning, and to prevent fraud in subsidy programs.

But other countries that are major markets for electronic vehicles -- the United States, Japan, across Europe -- do not collect this kind of real-time data. And critics say the information collected in China is beyond what is needed to meet the country's stated goals. It could be used not only to undermine foreign carmakers' competitive position, but also for surveillance -- particularly in China, where there are few protections on personal privacy. Under the leadership of Xi Jinping, China has unleashed a war on dissent, marshalling big data and artificial intelligence to create a more perfect kind of policing, capable of predicting and eliminating perceived threats to the stability of the ruling Communist Party.

Microsoft

After Microsoft Complaints, Indian Police Arrest Tech Support Scammers At 26 Call Centers (zdnet.com) 77

An anonymous reader quotes a report from ZDNet: New Delhi police have arrested 63 suspects in the last two months working and operating 26 call centers that were engaging in tech support scams, posing as tech support staff at Microsoft, Google, Apple, and other major tech companies. The raids on Delhi-based call centers have taken place over the last two months, Microsoft said. Police first raided 10 call centers and arrested 24 people in October, and then raided 16 other call centers and made 39 more arrests this week.

Microsoft said its staff received over 7,000 victim reports associated with the 16 call centers raided this week, from over 15 countries. Users reported paying between $100 and $500 for unnecessary tech support services and products. The raids resulted in the seizure of substantial evidence including call scripts, live chats, voice call recordings and customer records from tech support fraud operations, Microsoft said. The Delhi police's crackdown on tech support call centers came after Microsoft filed legal complaints earlier this year. Microsoft has been collecting customer complaints about tech support scams since 2014, via its "Report a technical support scam" portal.

NASA

NASA Is Outsourcing Its Next Moon Lander To a Private Company (pressherald.com) 83

NASA Administrator Jim Bridenstine announced Thursday that nine U.S. companies will compete to deliver experiments to the lunar surface. The space agency will buy the service and let private industry work out the details on getting there, he said. The Press Herald reports: The goal is to get small science and technology experiments to the surface of the moon as soon as possible. The first flight could be next year; 2019 marks the 50th anniversary of the first manned moon landing. "We're going at high speed," said Thomas Zurbuchen, head of NASA's science mission directorate, which will lead the effort. NASA officials said the research will help get astronauts back to the moon more quickly and keep them safer once they're there. The initial deliveries likely will include radiation monitors, as well as laser reflectors for gravity and other types of measurements, Zurbuchen said. Bridenstine said it will be up to the companies to arrange their own rocket rides. NASA will be one of multiple customers using these lunar services.

Google

Google Shut Out Privacy, Security Teams From Secret China Project (theintercept.com) 138

An anonymous reader quotes a report from The Intercept about Google's secretive plans to build a censored version of its search engine for China: The objective, code-named Dragonfly, was to build a search engine for China that would censor broad categories of information about human rights, democracy, and peaceful protest. Yonatan Zunger, then a 14-year veteran of Google and one of the leading engineers at the company, was among a small group who had been asked to work on Dragonfly. He was present at some of the early meetings and said he pointed out to executives managing the project that Chinese people could be at risk of interrogation or detention if they were found to have used Google to seek out information banned by the government.

Scott Beaumont, Google's head of operations in China and one of the key architects of Dragonfly, did not view Zunger's concerns as significant enough to merit a change of course, according to four people who worked on the project. Beaumont and other executives then shut out members of the company's security and privacy team from key meetings about the search engine, the four people said, and tried to sideline a privacy review of the plan that sought to address potential human rights abuses. Google's leadership considered Dragonfly so sensitive that they would often communicate only verbally about it and would not take written notes during high-level meetings to reduce the paper trail, two sources said. Only a few hundred of Google's 88,000 workforce were briefed about the censorship plan. Some engineers and other staff who were informed about the project were told that they risked losing their jobs if they dared to discuss it with colleagues who were themselves not working on Dragonfly.

Democrats

Democrats Demand Info On Law Enforcement's Use of Amazon Facial Recognition Tool (thehill.com) 54

An anonymous reader quotes a report from The Hill: A group of Democratic lawmakers sent a letter to Amazon CEO Jeff Bezos on Thursday saying that the company's previous explanations to Congress about its Rekognition software were inadequate. Democratic lawmakers expressed concern about the potential threat the technology poses to civil liberties in the hands of police. "Facial recognition technology may one day serve as a useful tool for law enforcement officials working to protect the American public and keep us safe," the letter reads. "However, at this time, we have serious concerns that this type of product has significant accuracy issues, places disproportionate burdens on communities of color, and could stifle Americans' willingness to exercise their First Amendment rights in public." In the letter on Thursday, the Democratic members requested that Amazon provide them with results from accuracy tests of the Rekognition software. They also asked again for information on their government clients and if they audited law enforcement's use of facial recognition to ensure that it's not being employed in violation of civil rights law. "Customer trust, privacy, and security are our top priorities at AWS," Michael Punke, Amazon's vice president for global public policy, wrote in response. "We have long been committed to working with federal and state legislatures to modernize outdated laws to enhance the privacy and security of our customers by preventing law enforcement from accessing data without a warrant."

Wireless Networking

Starbucks Says It Will Start Blocking Porn On Its Stores' Wi-Fi In 2019 (nbcnews.com) 218

Starbucks announced that it will start blocking pornography viewing on its stores' Wi-Fi starting in 2019. "A Starbucks representative told NBC News that the viewing of 'egregious content' over its stores' Wi-Fi has always violated its policy, but the company now has a way to stop it," reports NBC News. From the report: "We have identified a solution to prevent this content from being viewed within our stores and we will begin introducing it to our U.S. locations in 2019," the company representative said. The announcement was first reported by Business Insider and comes after a petition from internet-safety advocacy group Enough is Enough garnered more than 26,000 signatures. The nonprofit launched a porn-free campaign aimed at McDonald's and Starbucks in 2014, and it says that while McDonald's "responded rapidly and positively," Starbucks did not.

In a letter that [Enough is Enough CEO Donna Rice Hughes] said she received from Starbucks over the summer, the company vowed to address the issue "once we determine that our customers can access our free Wi-Fi in a way that also doesn't involuntarily block unintended content." Starbucks has not released details about how it plans to restrict the viewing of pornographic sites or illegal content over its Wi-Fi.

In response, the vice president of YouPorn sent a memo to staff banning Starbucks products from company offices starting Jan. 1, 2019.

The Courts

DOJ Made Secret Arguments To Break Crypto, Now ACLU Wants To Make Them Public (arstechnica.com) 105

An anonymous reader quotes a report from Ars Technica: Earlier this year, a federal judge in Fresno, California, denied prosecutors' efforts to compel Facebook to help it wiretap Messenger voice calls. But the precise legal arguments that the government made, and that the judge ultimately rejected, are still sealed. On Wednesday, the American Civil Liberties Union formally asked the judge to unseal court dockets and related rulings associated with this ongoing case involving alleged MS-13 gang members. ACLU lawyers argue that such a little-charted area of the law must be made public so that tech companies and the public can fully know what's going on.

In their new filing, ACLU lawyers pointed out that "neither the government's legal arguments nor the judge's legal basis for rejecting the government motion has ever been made public." The attorneys continued, citing a "strong public interest in knowing which law has been interpreted" and referencing an op-ed published on Ars on October 2 as an example. The ACLU argued that the case is reminiscent of the so-called "FBI v. Apple" legal showdown -- whose docket and related filings were public -- where the government made novel arguments in an attempt to crack the encryption on a seized iPhone. Those legal questions were never resolved, as the government said the day before a scheduled hearing that it had found a company to assist in its efforts.

"Moreover, the sealing of the docket sheet in this case impermissibly prevents the public from knowing anything about the actions of both the judiciary and the executive in navigating a novel legal issue, which has the potential to reoccur in the future," the ACLU's attorneys continued.

"The case involves the executive branch's attempt to force a private corporation to break the encryption and other security mechanisms on a product relied upon by the public to have private conversations. The government is not just seeking information held by a third party; rather, it appears to be attempting to get this Court to force a communications platform to redesign its product to thwart efforts to secure communications between users."

The Courts

Justice Department Indicts Two Iranians Over SamSam Ransomware Attacks (techcrunch.com) 47

Two Iranian officials have been indicted by U.S. federal prosecutors for creating and deploying the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. TechCrunch reports: Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, were indicted by a federal grand jury in New Jersey on Monday on several counts of computer hacking and fraud charges. The case was unsealed Wednesday, shortly before a press conference announcing the charges by U.S. deputy attorney general Rod Rosenstein. In total, SamSam has generated some $6 million in proceeds to date -- or 1,430 bitcoin at today's value. In a separate announcement, the Treasury said it had imposed sanctions against two bitcoin addresses associated with the ransomware. The department said the two addresses processed more than 7,000 transactions used to collect ransom demands from victims. "The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims," said Rosenstein. "According to the indictment, the hackers infiltrated computer systems in ten states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims."

One of the victims was the City of Atlanta, which was knocked offline earlier this year and spent a projected $2.6 million in recovery. "It was later discovered that the city's computers had long been vulnerable to leaked exploits developed by the National Security Agency -- later stolen and leaked online for anyone to use," reports TechCrunch.
