Inside the Booming Black Market For Spotify Playlists

The black market for Spotify playlists is booming. It's cheaper than you might expect to hack the system -- and if it's done right, it more than pays for itself, the Daily Dot reports. From the article: It's impossible to overstate the value of Spotify playlists. The company dominates the streaming music market, with 159 million active users and 71 million paid subscribers -- nearly double Apple Music's subscription base, according to a recent report in the Wall Street Journal. More importantly, Spotify has made playlists its defining feature. [...] The rising value of Spotify playlists has spurred a new form of payola -- the decades-old illegal practice of paying for a song to be broadcast on the radio -- with massive amounts of money changing hands behind the scenes. An August 2015 expose by Billboard quoted an unnamed major-label executive who claimed playlist adds were being sold for "$2,000 for a playlist with tens of thousands of fans to $10,000 for the more well-followed playlists." Spotify responded by updating its terms of service to explicitly prohibit "selling a user account or playlist, or otherwise accepting any compensation, financial or otherwise, to influence the name of an account or playlist or the content included on an account or playlist." But the practice of paying for placement, as with other forms of payola before it, hasn't died out. It's just been remixed.

In a matter of minutes and for a mere $2, you can pay to have your song considered by one of the 1,500 curators working on SpotLister, one of several new services that sells access to prominent Spotify users. The site was founded by two 21-year-old college students -- Danny Garcia, a guitar player at New York University, and a close friend who requested anonymity due to unrelated privacy concerns. They started a "private-for-hire" PR company in 2016 that offered "pitching services" to generate buzz on SoundCloud and, later, Spotify. The two would take on anywhere from 15 to 20 clients a month, each paying anywhere from $1,000-$5,000 to secure prominent placement on playlists.


MoviePass Wants To Gather a Whole Lot of Data About Its Users

An anonymous reader writes: MoviePass CEO Mitch Lowe thinks his service's rapid growth will continue, projecting earlier this month that MoviePass will have 5 million subscribers by the end of 2018, and account for around 20% of all movie ticket purchases. But some of those future subscribers might be concerned about his company's tactics, which Lowe recently said includes tracking users' location before and after a trip to the movies. Lowe's comments, originally reported by Media Play News, were made at the Entertainment Finance Forum on March 2 in Hollywood. They came during a panel titled "Data is the New Oil: How Will MoviePass Monetize It?" Lowe's answer to that question, in part, was that "our bigger vision is to build a night at the movies," including by guiding users to a meal before or after seeing a film.

Lowe said that was possible because "we get an enormous amount of information. Since we mail you the card, we know your home address . . . we know the makeup of that household, the kids, the age groups, the income. It's all based on where you live. It's not that we ask that. You can extrapolate that. "Then," Lowe continued, "Because you are being tracked in your GPS by the phone . . . we watch how you drive from home to the movies. We watch where you go afterwards, and so we know the movies you watch. We know all about you. We don't sell that data. What we do is we use that data to market film."


Chinese Police Begin Tracking Citizens With Face-Recognizing Smart Glasses

An anonymous reader quotes Reuters: At a highway check point on the outskirts of Beijing, local police are this week testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects. The AI-powered glasses, made by LLVision, scan the faces of vehicle occupants and the plates, flagging with a red box and warning sign to the wearer when any match up with a centralized "blacklist".

The test -- which coincides with the annual meeting of China's parliament in central Beijing -- underscores a major push by China's leaders to leverage technology to boost security in the country... Wu Fei, chief executive of LLVision, said people should not be worried about privacy concerns because China's authorities were using the equipment for "noble causes", catching suspects and fugitives from the law. "We trust the government," he told Reuters at the company's headquarters in Beijing.

This weekend, while China's President Xi Jinping is expected to push through a reform allowing him to stay in power indefinitely, Reuters reports that the Chinese government is pushing the use of cutting-edge technology "to track and control behavior that goes against the interests of the ruling Communist Party online and in the wider world... A key concern is that blacklists could include a wide range of people stretching from lawyers and artists to political dissidents, charity workers, journalists and rights activists...

"The new technologies range from police robots for crowd control, to drones to monitor border areas, and artificially intelligent systems to track and censor behavior online," Reuters reports, citing one Hong Kong researcher who argues that China now sees internet and communication technologies "as absolutely indispensable tools of social and political control."

Documents Prove Local Cops Have Bought Cheap iPhone Cracking Tech

GrayShift is a new company that promises to unlock even iPhones running the latest version of iOS for a relatively cheap price. From a report: In a sign of how hacking technology often trickles down from more well-funded federal agencies to local bodies, at least one regional police department has already signed up for GrayShift's services, according to documents and emails obtained by Motherboard. As Forbes reported on Monday, GrayShift is an American company which appears to be run by an ex-Apple security engineer and others who have long held contracts with intelligence agencies. In its marketing materials, GrayShift offers a tool called GrayKey, an offline version of which costs $30,000 and comes with an unlimited number of uses. For $15,000, customers can instead buy the online version, which grants 300 iPhone unlocks.

This is what the Indiana State Police bought, judging by a purchase order obtained by Motherboard. The document, dated February 21, is for one GrayKey unit costing $500, and a "GrayKey annual license -- online -- 300 uses," for $14,500. The order, and an accompanying request for quotation, indicate the unlocking service was intended for Indiana State Police's cybercrime department. A quotation document emblazoned with GrayShift's logo shows the company gave Indiana State Police a $500 discount for their first year of the service. Importantly, according to the marketing material cited by Forbes, GrayKey can unlock iPhones running modern versions of Apple's mobile operating system, such as iOS 10 and 11, as well as the most up to date Apple hardware, like the iPhone 8 and X.


Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen Lab

Matthew Braga, reporting for CBC: Since last fall, Turkish internet users attempting to download one of a handful of popular apps may have been the unwitting targets of a wide-reaching computer surveillance campaign. And in Egypt, users across the country have, seemingly at random, had their browsing activity mysteriously redirected to online money-making schemes. Internet filtering equipment sold by technology company Sandvine -- founded in Waterloo, Ont. -- is believed to have played a significant part in both.

That's according to new research from the University of Toronto's Citizen Lab, which has examined misuse of similar equipment from other companies in the past. The researchers say it's likely that Sandvine devices are not only being used to block the websites of news, political and human rights organizations, but are also surreptitiously redirecting users toward spyware and unwanted ads. Using network-filtering devices to sneak spyware onto targets' computers "has long been the stuff of legends" according to the report -- a practice previously documented in leaked NSA documents and spyware company brochures, the researchers say, but never before publicly observed.
Citizen Lab notes that targeted users in Turkey and Syria who attempted to download Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects. It adds: This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default. Additionally, targeted users in Turkey and Syria who downloaded a wide range of applications from CBS Interactive's (a platform featured by CNET to download software) were instead redirected to versions containing spyware. does not appear to support HTTPS despite purporting to offer "secure download" links.
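The weakness the report describes has two halves: vendor pages that hand users an http:// installer link even when the page itself is HTTPS, and on-path equipment that answers such a plaintext request with a redirect to a different host. The following is an added example, not code from the Citizen Lab report, the CBC article or any vendor: one function that finds plaintext installer links on a page, and one that explains why a redirect answering a download request deserves a second look. The page HTML, hostnames and HTTP responses are constructed for the demonstration; the 307 status in the sample is my choice.

```python
# Added example (not from the Citizen Lab report, the CBC article or any
# vendor's code). The page HTML, URLs and HTTP responses are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Installer-like file types worth flagging when offered over plain HTTP.
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".7z")


class _LinkCollector(HTMLParser):
    """Collect every <a href=...> value on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def plaintext_download_links(page_url: str, html: str) -> list:
    """Return absolute installer URLs on the page that are served over plain HTTP.

    A page can itself be HTTPS and still hand the user an http:// installer
    link; that request is what an on-path box can answer in place of the vendor.
    """
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parts = urlsplit(absolute)
        if parts.scheme == "http" and parts.path.lower().endswith(DOWNLOAD_EXTENSIONS):
            flagged.append(absolute)
    return flagged


def parse_response_head(raw: bytes) -> tuple:
    """Parse the status code and headers from a raw HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def suspicious_redirect(request_url: str, raw_response: bytes) -> list:
    """List the reasons a redirect answering a download request deserves a look.

    Empty for a direct 200. A redirect that changes host or downgrades HTTPS to
    HTTP is reported, and if the request itself went over plain HTTP the answer
    could have come from any device on the path. A legitimate CDN hand-off also
    changes host, so a hit is a lead to verify (compare the file against the
    vendor's HTTPS copy), not a verdict.
    """
    status, headers = parse_response_head(raw_response)
    if not 300 <= status < 400 or "location" not in headers:
        return []
    requested = urlsplit(request_url)
    target = urlsplit(urljoin(request_url, headers["location"]))
    reasons = []
    if target.hostname != requested.hostname:
        reasons.append(f"redirect leaves {requested.hostname} for {target.hostname}")
    if requested.scheme == "https" and target.scheme == "http":
        reasons.append("redirect downgrades HTTPS to HTTP")
    if reasons and requested.scheme == "http":
        reasons.append("request went over plain HTTP, so any on-path device could have injected this response")
    return reasons


# Constructed sample: an HTTPS product page whose download button is an http:// link.
SAMPLE_PAGE_URL = "https://vendor.example/product"
SAMPLE_HTML = """
<html><body>
  <a href="/features">Features</a>
  <a href="http://dl.vendor.example/setup.exe">Download for Windows</a>
  <a href="https://vendor.example/changelog.html">Changelog</a>
</body></html>
"""

# Constructed samples: the honest answer to that installer request, and the kind
# of injected redirect an on-path box could send instead.
SAMPLE_REQUEST_URL = "http://dl.vendor.example/setup.exe"
HONEST_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 1234\r\n\r\n"
)
INJECTED_RESPONSE = (
    b"HTTP/1.1 307 Temporary Redirect\r\n"
    b"Location: http://mirror-cdn.example/setup.exe\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for url in plaintext_download_links(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("plaintext installer link:", url)
    for reason in suspicious_redirect(SAMPLE_REQUEST_URL, INJECTED_RESPONSE):
        print("suspicious:", reason)
```

Run against a real vendor page, the first function tells you whether the site has the default-to-HTTP problem the report calls out; the second is meant to be fed the raw response captured on the wire (for example from a packet capture taken on a network you suspect), since a browser will have followed the redirect silently.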

Half of Ransomware Victims Didn't Recover Their Data After Paying the Ransom

An anonymous reader shares a report: A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that only half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand. The survey, carried out by research and marketing firm CyberEdge Group, reveals that paying the ransom demand, even if for desperate reasons, does not guarantee that victims will regain access to their files. Timely backups are still the most efficient defense against possible ransomware infections, since they allow easy recovery. The survey reveals that 55% of all respondents suffered a ransomware infection in 2017, compared to the previous year's study, when 61% experienced similar incidents. Of all the victims who suffered ransomware infections, CyberEdge discovered that 61.3% opted not to pay the ransom at all. Some lost files for good (8%), while the rest (53.3%) managed to recover files, either from backups or by using ransomware decrypter applications. Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors.

McAfee Acquires VPN Provider TunnelBear

McAfee announced that it has acquired Canada-based virtual private network (VPN) company TunnelBear. From a report: Founded in 2011, Toronto-based TunnelBear has gained a solid reputation for its fun, cross-platform VPN app that uses quirky bear-burrowing animations to bring online privacy to the masses. The company claims around 20 million people have used its service across mobile and desktop, while a few months back it branched out into password management with the launch of the standalone RememBear app. [...] That TunnelBear has sold to a major brand such as McAfee won't be greeted warmly by many of the product's existing users. However, with significantly more resources now at its disposal, TunnelBear should be in a good position to absorb any losses that result from the transfer of ownership.

Facebook's VPN Service Onavo Protect Collects Personal Data -- Even When It's Switched Off

Security researcher Will Strafach took a look at Onavo Protect, a newly released VPN service from Facebook: I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook as the user goes about their day:
When user's mobile device screen is turned on and turned off.
Total daily Wi-Fi data usage in bytes (Even when VPN is turned off).
Total daily cellular data usage in bytes (Even when VPN is turned off).
Periodic beacon containing an "uptime" to indicate how long the VPN has been connected.


FBI Paid Geek Squad Repair Staff As Informants

According to newly released documents by the Electronic Frontier Foundation, federal agents would pay Geek Squad employees to flag illegal materials on devices sent in by customers for repairs. "The relationship goes back at least ten years, according to documents released as a result of the lawsuit [filed last year]," reports ZDNet. "The agency's Louisville division aim was to maintain a 'close liaison' with Geek Squad management to 'glean case initiations and to support the division's Computer Intrusion and Cyber Crime programs.'" From the report: According to the EFF's analysis of the documents, FBI agents would "show up, review the images or video and determine whether they believe they are illegal content" and seize the device so an additional analysis could be carried out at a local FBI field office. That's when, in some cases, agents would try to obtain a search warrant to justify the access. The EFF's lawsuit was filed in response to a report that a Geek Squad employee was used as an informant by the FBI in the prosecution of a child pornography case. The documents show that the FBI would regularly use Geek Squad employees as confidential human sources -- the agency's term for informants -- by taking calls from employees when they found something suspect.

'Repeatable Sanitization' is a Feature of PCs Now

HP has announced a trio of slightly-odd products intended for use in hospitals. From a report: The new HP EliteOne 800 G4 23.8 Healthcare Edition All-in-One PC and HP EliteBook 840 G5 Healthcare Edition Notebook are computers intended for use in the healthcare industry. The EliteBook will ship with software called "Easy Clean" that disables the keyboard, touchscreen and keypad "to facilitate cleaning with germicidal wipes while the device is still on." HP said it's scoured the market and thinks it is the only vendor on the planet with a laptop capable of handling "up to 10,000 wipes with germicidal towelettes over a 3-year period." The All-in-One boasts no antibacterial features, but does have both RFID and biometric authentication, handy features in an environment where PCs can't be left unlocked to preserve privacy. That requirement means PCs are logged on to many more times a day than the average machine, making the presence of Windows Hello facial recognition more than a gimmick. Oddly, both come with the disclaimer that they're "not intended for use in diagnosis, cure, treatment or prevention of disease or other medical conditions."

Google Is Helping the Pentagon Build AI for Drones

Google has partnered with the United States Department of Defense to help the agency develop artificial intelligence for analyzing drone footage, a move that set off a firestorm among employees of the technology giant when they learned of Google's involvement, Gizmodo reported on Tuesday. From the report: Google's pilot project with the Defense Department's Project Maven, an effort to identify objects in drone footage, has not been previously reported, but it was discussed widely within the company last week when information about the project was shared on an internal mailing list, according to sources who asked not to be named because they were not authorized to speak publicly about the project. Some Google employees were outraged that the company would offer resources to the military for surveillance technology involved in drone operations, sources said, while others argued that the project raised important ethical questions about the development and use of machine learning.

The Slow Death of the Internet Cookie

Sara Fischer, writing for Axios: Over 60% of marketers believe they will no longer need to rely on tracking cookies, a 20-year-old desktop-based technology, for the majority of their digital marketing within the next two years, according to data from Viant Technology, an advertising cloud. Why it matters: Advertising and web-based services that were cookie-dependent are slowly being phased out of our mobile-first world, where more personalized data targeting is done without using cookies. Marketers are moving away from using cookies to track user data on the web to target ads now that people are moving away from desktop. 90% of marketers say they see improved performance from people-based marketing, compared with cookie-based campaigns.

MoviePass CEO Proudly Says App Tracks Your Location Before, After Movies

MoviePass CEO Mitch Lowe told an audience at a Hollywood event last Friday that the app tracks moviegoers' locations before and after each show they watch. "We get an enormous amount of information," Lowe said. "We watch how you drive from home to the movies. We watch where you go afterwards." His talk at the Entertainment Finance Forum was entitled "Data is the New Oil: How will MoviePass Monetize It?" TechCrunch reports: It's no secret that MoviePass is planning on making hay out of the data collected through its service. But what I imagined, and what I think most people imagined, was that it would be interesting next-generation data about ticket sales, movie browsing, A/B testing on promotions in the app and so on. I didn't imagine that the app would be tracking your location before you even left your home, and then follow you while you drive back or head out for a drink afterwards. Did you? It sure isn't in the company's privacy policy, which in relation to location tracking discloses only a "single request" when selecting a theater, which will "only be used as a means to develop, improve, and personalize the service." Which part of development requires them to track you before and after you see the movie? A MoviePass representative said in a statement to TechCrunch: "We are exploring utilizing location-based marketing as a way to help enhance the overall experience by creating more opportunities for our subscribers to enjoy all the various elements of a good movie night. We will not be selling the data that we gather. Rather, we will use it to better inform how to market potential customer benefits including discounts on transportation, coupons for nearby restaurants, and other similar opportunities."

Microsoft To Offer Governments Local Version of Azure Cloud Service

Microsoft on Monday said it will soon make it possible for government clients to run its cloud technology on their own servers as part of a concerted effort to make Azure more appealing to local and federal agencies. From a report: The pairing of Azure Stack, Microsoft's localized cloud product, and Azure Government, the government-tailored version of Microsoft's cloud, comes as competition against Inc for major clients in the public sector ramps up. The new offering, which will be made available in mid-2018, is designed to appeal to governments and agencies with needs for on-premise servers, such as in a military operation or in an embassy abroad, said Tom Keane, Microsoft Azure's head of global infrastructure.

New LTE Attacks Can Snoop On Messages, Track Locations, and Spoof Emergency Alerts

An anonymous reader quotes a report from ZDNet: A slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts. Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages. Those flaws enable authentication relay attacks, in which an adversary connects to a 4G LTE network by impersonating an existing user -- such as a phone number. Although authentication relay attacks aren't new, this latest research shows that they can be used to intercept messages, track a user's location, and stop a phone from connecting to the network. By using common software-defined radio devices and open source 4G LTE protocol software, anyone can build the tool to carry out attacks for as little as $1,300 to $3,900, making the cost low enough for most adversaries. The researchers aren't releasing the proof-of-concept code until the flaws are fixed, however.
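What an authentication relay buys an attacker who holds no key is easy to lose in the summary above, so here is a toy challenge-response model of it. This is an added example, not the researchers' code and not the real LTE attach or AKA procedure: the key-derivation labels, the 8-byte response, the cell names and the subscriber identifier are assumptions of this model. The relay is a rogue base station facing the victim and a rogue handset facing the network; it forwards the challenge one way and the answer the other. The network then records the subscriber as served by the relay's cell, which is the impersonation the summary refers to, while the session key derived from the subscriber's secret stays out of the relay's hands, so what it gains is the network's belief about the subscriber's presence and the ability to drop or observe what passes through it, not the key.

```python
# Added example, not the researchers' code and not the real LTE attach/AKA
# procedure: a toy challenge-response model of an authentication relay.
# Derivation labels, the 8-byte response, cell names and the subscriber
# identifier are assumptions of this model.
import hashlib
import hmac
import os


def derive_res(k: bytes, rand: bytes) -> bytes:
    """Subscriber's answer to a challenge (stand-in for the AKA RES)."""
    return hmac.new(k, b"res" + rand, hashlib.sha256).digest()[:8]


def derive_session_key(k: bytes, rand: bytes) -> bytes:
    """Key both honest ends derive from K and the challenge; never sent over the air."""
    return hmac.new(k, b"ks" + rand, hashlib.sha256).digest()


class CoreNetwork:
    """Holds subscriber keys and remembers where each authenticated subscriber is."""

    def __init__(self, subscriber_keys: dict):
        self.keys = dict(subscriber_keys)
        self.pending = {}   # identity -> outstanding challenge
        self.attached = {}  # identity -> {"cell": ..., "ks": ...}

    def challenge(self, identity: str) -> bytes:
        rand = os.urandom(16)
        self.pending[identity] = rand
        return rand

    def verify(self, identity: str, res: bytes, cell: str) -> bool:
        rand = self.pending.pop(identity, None)
        if rand is None:
            return False
        expected = derive_res(self.keys[identity], rand)
        if not hmac.compare_digest(expected, res):
            return False
        # The network now believes this subscriber is served by `cell`.
        self.attached[identity] = {"cell": cell, "ks": derive_session_key(self.keys[identity], rand)}
        return True


class Subscriber:
    """Honest handset holding the shared secret K."""

    def __init__(self, identity: str, k: bytes):
        self.identity, self.k, self.ks = identity, k, None

    def answer(self, rand: bytes) -> bytes:
        self.ks = derive_session_key(self.k, rand)
        return derive_res(self.k, rand)


class Relay:
    """Rogue base station toward the victim plus rogue handset toward the network.

    It holds no key; it only moves the challenge one way and the answer the other.
    """

    def __init__(self, victim: Subscriber, cell: str):
        self.victim, self.cell, self.ks = victim, cell, None

    def attach_as_victim(self, core: CoreNetwork) -> bool:
        rand = core.challenge(self.victim.identity)  # network side: claims the victim's identity
        res = self.victim.answer(rand)               # victim side: victim is camped on the rogue cell
        return core.verify(self.victim.identity, res, self.cell)

    def attach_without_victim(self, core: CoreNetwork) -> bool:
        """Without the victim in range the relay can only guess the response."""
        core.challenge(self.victim.identity)
        return core.verify(self.victim.identity, os.urandom(8), self.cell)


def run_relay_demo() -> dict:
    """Run the relay once and report what it did and did not obtain."""
    k = os.urandom(32)
    core = CoreNetwork({"subscriber-A": k})
    victim = Subscriber("subscriber-A", k)
    relay = Relay(victim, cell="cell-near-attacker")
    accepted = relay.attach_as_victim(core)
    record = core.attached.get(victim.identity)
    return {
        "accepted": accepted,
        "network_thinks_victim_is_at": record["cell"] if record else None,
        "relay_knows_session_key": relay.ks is not None,
        "victim_and_network_share_key": bool(record) and victim.ks == record["ks"],
        "guessing_res_works": relay.attach_without_victim(core),
    }


if __name__ == "__main__":
    for key, value in run_relay_demo().items():
        print(f"{key}: {value}")
```

The model deliberately binds nothing about the radio link into the challenge: the network learns only that someone who can reach the key holder answered, not which cell the key holder is really in, which is why the recorded location is the relay's cell. Which specific LTE messages lack that binding, and how the ten attacks use it, is in the paper itself, not in this sketch.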

Ask Slashdot: Best To-Do/Task List Software?

Albanach writes: Despite searching, I have not identified a good solution for managing to-do lists, a problem that can't be unique or unusual. For a variety of reasons, I need something I host myself, which allows me to organize tasks, give them due dates and/or priorities and to easily reorganize. I'd prefer a web interface so that I can access my list from home/work/mobile. My searches generally turned up hosted solutions that don't work for privacy reasons, or very old software that has shown no sign of updates in years. What are other Slashdotters using to manage their real-world task list?

Equifax Identifies Additional 2.4 Million Customers Hit By Data Breach

Credit score giant Equifax said on Thursday it had identified another 2.4 million U.S. consumers whose names and driver's license information were stolen in a data breach last year that affected half the U.S. population. From a report: The company said it was able to confirm the identities of U.S. consumers whose driver's license information was taken by referencing other information in proprietary company records that the attackers did not steal. "Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them," the company said.

Germany Says Government Network Was Breached

An anonymous reader shares a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): German authorities said on Wednesday they were investigating a security breach of the government's highly protected computer network. The country's intelligence agencies were examining attacks on more than one government ministry, the interior ministry said, adding that the affected departments had been informed and that the attack had been isolated and brought under control. Earlier on Wednesday, the German news agency DPA reported that German security services had discovered a breach of the government's IT network in December and traced it back to state-sponsored Russian hackers. German companies have been the target of sustained attacks by state-sponsored hackers, mainly believed to be Chinese. In 2015, the Bundestag, parliament's lower house, suffered an extensive breach, leading to the theft of several gigabytes of data by what German security officials believe were Russian cyberthieves. Germany's domestic intelligence agency said in 2016 that hackers believed to be part of the Russia-linked APT28 group had sought to infiltrate the computer systems of several German political parties that year.

Facebook Silently Enables Facial Recognition Abilities For Users Outside EU, Canada

Facebook is now informing users around the world that it's rolling out facial recognition features. Users in the European Union and Canada will not be notified because laws restrict this type of activity in those areas. Neowin reports: With the new tools, you'll be able to find photos that you're in but haven't been tagged in; they'll help you protect yourself against strangers using your photo; and Facebook will be able to tell people with visual impairments who's in their photos and videos. Facebook warns that the feature is enabled by default but can be switched off at any time; additionally, the firm says it may add new capabilities at any time. In its initial statement, Facebook said the following about the impersonation protections it was introducing: "We want people to feel confident when they post pictures of themselves on Facebook so we'll soon begin using face recognition technology to let people know when someone else uploads a photo of them as their profile picture. We're doing this to prevent people from impersonating others on Facebook."
