Security

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com) 106

Security researchers claim to have discovered a flaw in Amazon's Key Service, which if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.
The Internet

China Cyber Watchdog Rejects Censorship Critics, Says Internet Must Be 'Orderly' (reuters.com) 78

China's top cyber authority on Thursday rejected a recent report ranking it last out of 65 countries for press freedom, saying the internet must be "orderly" and the international community should join it in addressing fake news and other cyber issues. From a report: Ren Xianliang, vice minister of the Cyberspace Administration of China (CAC), said the rapid development of the country's internet over two decades is proof of its success and that it advocates for the free flow of information. "We should not just make the internet fully free, it also needs to be orderly... The United States and Europe also need to deal with these fake news and rumors," Ren told journalists without elaborating.
Businesses

The Brutal Fight To Mine Your Data and Sell It To Your Boss (bloomberg.com) 75

An anonymous reader shares a report from Bloomberg, explaining how Silicon Valley makes billions of dollars peddling personal information, supported by an ecosystem of bit players. Editor Drake Bennett highlights the battle between an upstart called HiQ and LinkedIn, who are fighting for your lucrative professional identity. Here's an excerpt from the report: A small number of the world's most valuable companies collect, control, parse, and sell billions of dollars' worth of personal information voluntarily surrendered by their users. Google, Facebook, Amazon, and Microsoft -- which bought LinkedIn for $26.2 billion in 2016 -- have in turn spawned dependent economies consisting of advertising and marketing companies, designers, consultants, and app developers. Some operate on the tech giants' platforms; some customize special digital tools; some help people attract more friends and likes and followers. Some, including HiQ, feed off the torrents of information that social networks produce, using software bots to scrape data from profiles. The services of the smaller companies can augment the offerings of the bigger ones, but the power dynamic is deeply asymmetrical, reminiscent of pilot fish picking food from between the teeth of sharks. The terms of that relationship are set by technology, economics, and the vagaries of consumer choice, but also by the law. LinkedIn's May 23 letter to HiQ wasn't the first time the company had taken legal action to prevent the perceived hijacking of its data, and Facebook and Craigslist, among others, have brought similar actions. But even more than its predecessors, this case, because of who's involved and how it's unfolded, has spoken to the thorniest issues surrounding speech and competition on the internet.
Privacy

Consumers Are Holding Off On Buying Smart-Home Gadgets Due To Security, Privacy Fears (businessinsider.com) 143

According to a new survey from consulting firm Deloitte, consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes. The firm found that consumer interest in connected home technology lags behind their interest in other types of IoT devices. Business Insider reports: "Consumers are more open to, and interested in, the connected world," the firm said in its report. Noting the concerns about smart home devices, it added: "But not all IoT is created equal." Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives. Meanwhile, the vast majority of consumers think gadget makers weren't doing a good job of telling them about security risks. Fewer than 20% of survey respondents said they were very well informed about such risks and almost 40% said they weren't informed at all.
The Internet

FCC Plans December Vote To Kill Net Neutrality Rules (bloomberg.com) 115

An anonymous reader quotes a report from Bloomberg: The U.S. Federal Communications Commission under its Republican chairman plans to vote in December to kill the net neutrality rules passed during the Obama era, said two people briefed on the plans. Chairman Ajit Pai in April proposed gutting the rules that he blamed for depressing investment in broadband, and said he intended to "finish the job" this year. The chairman has decided to put his proposal to a vote at the FCC next month, said the people. The agency's monthly meeting is to be held Dec. 14. The people asked not to be identified because the plan hasn't been made public. It's not clear what language Pai will offer to replace the rules that passed with only Democratic votes at the FCC in 2015. He has proposed that the FCC end the designation of broadband companies such as AT&T Inc. and Comcast Corp. as common carriers. That would remove the legal authority that underpins the net neutrality rules. One of the people said Pai may call for vacating the rules except for portions that mandate internet service providers inform customers about their practices. The current regulations forbid broadband providers from blocking or slowing web traffic, or from charging higher fees in return for quicker passage over their networks.
Transportation

Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com) 140

schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.
Google

Why Google Should Be Afraid of a Missouri Republican's Google Probe (arstechnica.com) 231

An anonymous reader quotes a report from Ars Technica: The Republican attorney general of Missouri has launched an investigation into Google's business practices. Josh Hawley wants to know how Google handles user data. And he plans to look into whether Google is using its dominance in the search business to harm companies in other markets where Google competes. It's another sign of growing pressure Google is facing from the political right. Grassroots conservatives increasingly see Google as falling on the wrong side of the culture wars. So far that hasn't had a big impact in Washington policymaking. But with Hawley planning to run for the U.S. Senate next year, we could see more Republican hostility toward Google -- and perhaps other big technology companies -- in the coming years. The Hawley investigation will dig into whether Google violated Missouri's consumer-protection and antitrust laws. Specifically, Hawley will investigate: "Google's collection, use, and disclosure of information about Google users and their online activities," "Google's alleged misappropriation of online content from the websites of its competitors," and "Google's alleged manipulation of search results to preference websites owned by Google and to demote websites that compete with Google." States like Missouri have their own antitrust laws and the power to investigate company business conduct independently of the feds. So Hawley seems to be taking yet another look at those same issues to see if Google's conduct runs afoul of Missouri law.

We don't know if Hawley will get the Republican nomination or win his challenge to Sen. Claire McCaskill (D-Mo.) next year, but people like him will surely be elected to the Senate in the coming decade. Hawley's decision to go after Google suggests that he sees some upside in being seen as an antagonist to a company that conservatives increasingly view with suspicion. More than that, it suggests that Hawley believes it's worth the risk of alienating the GOP's pro-business wing, which takes a dim view of strict antitrust enforcement even if it targets a company with close ties to Democrats.

Privacy

Yelp Ordered To Identify User Accused of Defaming a Tax Preparer (bloomberg.com) 142

mi writes: California State Appeals Court ruled this week that Yelp can't shield the identify of an anonymous reviewer who posted allegedly defamatory statements about a tax preparer. "The three-judge appeals panel in Santa Ana agreed with Yelp that it could protect the First Amendment rights of its anonymous reviewer but it still had to turn over the information," reports Bloomberg. "The panel reasoned that the accountant had made a showing that the review was defamatory in that it went beyond expressing an opinion and allegedly included false statements."
Medicine

FDA Approves Digital Pill That Tracks If Patients Have Ingested Their Medication (nytimes.com) 72

An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): For the first time, the Food and Drug Administration has approved a digital pill -- a medication embedded with a sensor that can tell doctors whether, and when, patients take their medicine. The approval, announced late on Monday, marks a significant advance in the growing field of digital devices designed to monitor medicine-taking and to address the expensive, longstanding problem that millions of patients do not take drugs as prescribed. Experts estimate that so-called nonadherence or noncompliance to medication costs about $100 billion a year, much of it because patients get sicker and need additional treatment or hospitalization. Patients who agree to take the digital medication, a version of the antipsychotic Abilify, can sign consent forms allowing their doctors and up to four other people, including family members, to receive electronic data showing the date and time pills are ingested. A smartphone app will let them block recipients anytime they change their mind. Although voluntary, the technology is still likely to prompt questions about privacy and whether patients might feel pressure to take medication in a form their doctors can monitor.
Government

Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com) 98

"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
The Courts

Tesla Is a 'Hotbed For Racist Behavior,' Worker Claims In Lawsuit (bloomberg.com) 300

An African-American employee has filed a lawsuit against Tesla, claiming their production floor is a "hotbed for racist behavior" and that black workers at the electric carmaker suffer severe and pervasive harassment. "The employee says he's one of more than 100 African-American Tesla workers affected and is seeking permission from a judge to sue on behalf of the group," reports Bloomberg. "He's seeking unspecified general and punitive monetary damages as well as an order for Tesla to implement policies to prevent and correct harassment." From the report: "Although Tesla stands out as a groundbreaking company at the forefront of the electric car revolution, its standard operating procedure at the Tesla factory is pre-Civil Rights era race discrimination," the employee said in the complaint, filed Monday in California's Alameda County Superior Court. The lawsuit was filed on behalf of Marcus Vaughn, who worked in the Fremont factory from April 23 to Oct. 31. Vaughn alleged that employees and supervisors regularly used the "N word" around him and other black colleagues. Vaughn said he complained in writing to human resources and Musk and was terminated in late October for "not having a positive attitude."
Communications

Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com) 32

An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.
Android

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (bleepingcomputer.com) 73

Catalin Cimpanu, writing for BleepingComputer: Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers. The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson -- the name of the main character in the Mr. Robot TV series. Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.
The Almighty Buck

Study Finds SpaceX Investment Saved NASA Hundreds of Millions (popularmechanics.com) 156

schwit1 shares a report from Popular Mechanics: When a SpaceX Dragon spacecraft connected with the International Space Station on May 25, 2012, it made history as the first privately-built spacecraft to reach the ISS. The Dragon was the result of a decision 6 years prior -- in 2006, NASA made an "unprecedented" investment in SpaceX technology. A new financial analysis shows that the investment has paid off, and the government found one of the true bargains of the 21st century when it invested in SpaceX. A new research paper by Edgar Zapata, who works at Kennedy Space Center, looks closely at the finances of SpaceX and NASA. "There were indications that commercial space transportation would be a viable option from as far back as the 1980s," Zapata writes. "When the first components of the ISS were sent into orbit 1998, NASA was focused on "ambitious, large single stage-to-orbit launchers with large price tags to match." For future commercial crew missions sending astronauts into space, Zapata estimates that it will cost $405 million for a SpaceX Dragon crew deployment of 4 and $654 million for a Boeing Starliner, which is scheduled for its first flight in 2019. That sounds like a lot, and it is, but Zapata estimates that its only 37 to 39 percent of what it would have cost the government.
Google

Google Subpoenaed Over Data Privacy, Antitrust in Missouri (cnbc.com) 18

Google is facing a new front in its regulatory battles after Missouri's attorney general on Monday launched a broad investigation into whether the company's business practices violate the state's consumer-protection and antitrust laws. From a report: Attorney General Josh Hawley's office said on Monday that it issued a subpoena to investigate if Google's use of information that it collects about consumers is appropriate and if the company stifles competing websites in search results. Google has largely steered clear of antitrust problems in the U.S. That's not the case in Europe, where the company faces a fine of about $2.7 billion over the display of its shopping ads.

Slashdot Top Deals