Security

Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing (bleepingcomputer.com) 59

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.
Facebook

Facebook 'Likes' Are a Powerful Tool For Authoritarian Rulers, Court Petition Says (qz.com) 59

A Cambodian opposition leader has filed a petition in a California court against Facebook, demanding the company disclose its transactions with his country's authoritarian prime minister, whom he accuses of falsely inflating his popularity through purchased "likes" and spreading fake news. From a report: The petition, filed Feb. 8, brings the ongoing debate over Facebook's power to undermine democracies into a legal setting. The petitioner, Sam Rainsy, says that Hun Sen, the prime minister, "has used the network to threaten violence against political opponents and dissidents, disseminate false information, and manipulate his (and the regime's) supposed popularity, thus seeking to foster an illusion of popular legitimacy." Rainsy alleges that Hun had used "click farms" to artificially boost his popularity, effectively buying "likes." The petition says that Hun had achieved astonishing Facebook fame in a very short time, raising questions about whether this popularity was legitimate.
It's funny. Laugh.

There Are Ajit Pai 'Verizon Puppet' Jokes That the FCC Doesn't Want You To Read (arstechnica.com) 97

An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission is refusing to release the draft versions of jokes told by Chairman Ajit Pai at a recent dinner, claiming that releasing the drafts would "impede the candid exchange of ideas" within the commission. In December, Pai gave a speech at the annual FCC Chairman's Dinner and played a video that attempts to lampoon critics who accuse Pai of doing the bidding of Verizon, his former employer. The video was shown less than a week before the FCC voted to repeal net neutrality rules, a favorable move for the broadband industry requested by Verizon and other ISPs. The satirical skit shows Pai planning his future ascension to the FCC chairmanship with Verizon executive Kathleen Grillo in 2003, the last year Pai worked as a Verizon lawyer. The video shows Pai and the Verizon executive plotting to install a "Verizon puppet" as FCC chair. In response, Gizmodo filed a Freedom of Information Act (FOIA) request for "any communications records from within the chairman's office referencing the event or the Verizon executive," the news site wrote yesterday. "Nearly a dozen pages worth of emails were located, including draft versions of the video's script and various edits," Gizmodo wrote. "The agency is refusing to release them, however; it is 'reasonably foreseeable,' it said, that doing so would injure the 'quality of agency decisions.'" The FCC searched for the records in response to Gizmodo's request and "returned no communications whatsoever with Kathy Grillo," the article said.
Transportation

US Transportation Department Calls For 'Summit' On Autonomous Cars (reuters.com) 38

Auto manufacturers, technology companies, road safety advocates and policy makers will attend a March 1 conference over potential government actions that could speed the rollout of autonomous cars, the U.S. Transportation Department said on Friday. Reuters reports: Next month's "summit" is to help "identify priority federal and non-federal activities that can accelerate the safe rollout" of autonomous vehicles, the department said. It will also be open to the public. The U.S. National Highway Traffic Safety Administration (NHTSA) wants comments on what research to conduct before deciding whether to eliminate or rewrite regulations. It could take the agency years to finalize rule changes, and advocates are pushing Congress to act. The March 1 meeting at the department's headquarters in Washington will include "several stakeholder breakout sessions on various topics related to automation," NHTSA said.
Government

Budget Deal Has Tax Credit Extensions For Nuclear, Fuel Cells, Carbon Capture (arstechnica.com) 104

An anonymous reader quotes a report from Ars Technica: A two-year budget deal was approved by the House and the Senate this morning and signed by President Trump a few hours later. The budget (PDF) included a slew of tax credit extensions that will affect how the energy industry plans its next two years. Most notably, the deal extended a $0.018 per-kWh credit for nuclear power plants over 6,000MW -- a tax credit that is primarily going to benefit one project in the US. That project is the construction of two new reactors at the Georgia Vogtle nuclear power plant.

Interestingly, a bipartisan effort to increase and extend tax credits for carbon sequestration passed through this budget. The bill was pushed through by Senators Heidi Heitkamp (D-N.D.), Shelley Moore Capito (R-W.V.), Sheldon Whitehouse (D-R.I.), and John Barrasso (R-Wyo.). The bill would offer a tax credit per ton of carbon dioxide that is captured and either sequestered, used for another end product, or used for enhanced oil recovery. The credit applies to any facility that started carbon capture construction within the past seven years, and the credit extends for 12 years.

While the budget deal leaves the federal tax credit scheme for electric vehicles unchanged (automakers can still entice buyers with a $7,500 credit for the first 200,000 electric vehicles that roll off that automaker's line), the budget did include and extend some interesting tax credits for other kinds of non-traditional energy. Fuel cell vehicles saw an extension of tax credits that will allow purchasers of new cars a tax credit of between $4,000 and $40,000, depending on the weight of the vehicle (this is probably good news for potential customers of Nikola's in-development fuel-cell semis). Non-hydrogen alternative fuel infrastructure also scored, as the new budget lets installers of infrastructure for alternative fuels like biodiesel and natural gas deduct 30 percent of the cost of installing the new pumps. Two-wheeled electric vehicle buyers will also see a 10-percent credit extended (though that credit has a $2,500 cap). Per-gallon biodiesel and renewable diesel credits that expired at the end of 2017 will continue.

The Courts

Maine Dairy Company Settles Lawsuit Over Oxford Comma (bostonmagazine.com) 164

Daniel Victor reports via The New York Times: Ending a case that electrified punctuation pedants, grammar goons and comma connoisseurs, Oakhurst Dairy settled an overtime dispute with its drivers that hinged entirely on the lack of an Oxford comma in state law. The dairy company in Portland, Me., agreed to pay $5 million to the drivers (Warning: source may be paywalled; alternative source), according to court documents filed on Thursday. The relatively small-scale dispute gained international notoriety last year when the United States Court of Appeals for the First Circuit ruled that the missing comma created enough uncertainty to side with the drivers, granting those who love the Oxford comma a chance to run a victory lap across the internet. But the resolution means there will be no ruling from the land's highest courts on whether the Oxford comma -- the often-skipped second comma in a series like "A, B, and C" -- is an unnecessary nuisance or a sacred defender of clarity, as its fans and detractors endlessly debate.

The case began in 2014, when three truck drivers sued the dairy for what they said was four years' worth of overtime pay they had been denied. Maine law requires time-and-a-half pay for each hour worked after 40 hours, but it carved out exemptions for: The canning, processing, preserving, freezing, drying, marketing, storing, packing for shipment or distribution of: agricultural produce; meat and fish products; and perishable foods. What followed the last comma in the first sentence was the crux of the matter: "packing for shipment or distribution of." The court ruled that it was not clear whether the law exempted the distribution of the three categories that followed, or if it exempted packing for the shipment or distribution of them. Had there been a comma after "shipment," the meaning would have been clear.

Programming

Should GitHub Allow Username Reuse? (donatstudios.com) 84

Jesse Donat argues via Donat Studios that GitHub should never allow a username to become valid again once it has been deleted. He gives the example of a user who deleted his GitHub account and personal domain, taking with them a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.
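The trust problem Donat describes is that a name (owner/repo@tag) is mutable while the code it once pointed at is not. The following is an added example, not code from Donat's post or from Go's tooling: an in-memory stand-in for a code host with invented owner, repo and source contents, showing that tag-only resolution silently accepts whatever the current holder of the name publishes, while a lockfile-style content-hash pin (the idea behind go.sum) rejects it.

```python
import hashlib
from typing import Dict

# Constructed stand-in for a code host: "owner/repo" -> tag -> source bytes.
# Owner, repo and contents are invented sample values, not any real project.
REPO, TAG = "alice/embedtool", "v1.2.0"
ORIGINAL_SOURCE = b"package embedtool\n// embeds data files into a Go binary\n"
REGISTRY: Dict[str, Dict[str, bytes]] = {}


def reset_registry() -> None:
    """Put the original owner's code back under the original name and tag."""
    REGISTRY.clear()
    REGISTRY[REPO] = {TAG: ORIGINAL_SOURCE}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_by_tag(repo: str, tag: str) -> bytes:
    """Tag-only resolution, as a naive package manager does it: whatever the
    current holder of the name has published under that tag is what you get."""
    return REGISTRY[repo][tag]


def make_lock_entry(repo: str, tag: str) -> dict:
    """Lockfile-style pin: record the hash of the content that was actually
    reviewed, not just the reusable owner/repo@tag name."""
    return {"repo": repo, "tag": tag, "sha256": sha256_hex(REGISTRY[repo][tag])}


def fetch_pinned(lock: dict) -> bytes:
    """Resolve by name, then refuse anything whose content hash differs from the pin."""
    data = REGISTRY[lock["repo"]][lock["tag"]]
    actual = sha256_hex(data)
    if actual != lock["sha256"]:
        raise ValueError(
            f"{lock['repo']}@{lock['tag']}: content changed under the same tag "
            f"(expected {lock['sha256'][:12]}..., got {actual[:12]}...)"
        )
    return data


def reuse_username(repo: str, tag: str, new_source: bytes) -> None:
    """Simulate the article's scenario: the original account is deleted, someone
    else registers the same username, recreates the repo and pushes the same tag
    name, now pointing at different content."""
    REGISTRY[repo] = {tag: new_source}


def simulate() -> dict:
    reset_registry()
    lock = make_lock_entry(REPO, TAG)      # taken while the original owner held the name
    original = fetch_pinned(lock)          # passes: nothing has changed yet

    # Constructed replacement content from the new holder of the name.
    reuse_username(REPO, TAG, b"package embedtool\n// same tag, different author, different code\n")

    tag_only = fetch_by_tag(REPO, TAG)     # silently returns the new content
    try:
        fetch_pinned(lock)
        pinned_rejected = False
    except ValueError:
        pinned_rejected = True

    return {
        "original_sha256": lock["sha256"],
        "tag_only_changed": tag_only != original,
        "pinned_rejected": pinned_rejected,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The pin only protects what was hashed at the time it was taken: if the lock entry is first created after the name has already changed hands, the new content is what gets pinned, so the hash has to come from a fetch that was actually reviewed (or from a checksum database the project trusts).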

Security

Hackers In Equifax Breach Accessed More Personal Information Than Previously Disclosed (cnn.com) 58

An anonymous reader quotes a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): Equifax said, in a document submitted to the Senate Banking Committee and reviewed by The Wall Street Journal, that cyberthieves accessed records across numerous tables in its systems that included such data as tax identification numbers, email addresses and drivers' license information beyond the license numbers it originally disclosed. The revelations come some five months after Equifax announced it had been breached and personal information belonging to 145.5 million consumers had been compromised, including names, Social Security numbers, dates of birth and addresses. It's unclear how many of the 145.5 million people are affected by the additional data including tax ID numbers, which are often assigned to people who don't have Social Security numbers. Hackers also accessed email addresses for some consumers, according to the document and an Equifax spokeswoman, who said "an insignificant number" of email addresses were affected. She added that email addresses aren't considered sensitive personal information because they are commonly searchable in public domains.

As for tax ID numbers, the Equifax spokeswoman said they "were generally housed in the same field" as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack. Equifax also said, in response to questions from The Wall Street Journal, that some additional drivers' license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that drivers' license numbers were accessed; the document submitted to the banking committee also includes drivers' license issue dates and states.

The Internet

Major Websites Are Planning a 'Day of Action' To Block Repeal of Net Neutrality (medium.com) 87

An anonymous reader writes: Fight for the Future, a nonprofit advocacy group concerned with digital rights, has posted to Medium today, revealing that many major websites, online communities, and internet users are planning a "day of action" focused on finding the final vote needed to pass the Congressional Review Act (CRA). "50 Senators have already come out in support of the CRA, which would completely overturn the FCC's December 14 decision and restore net neutrality protections," the post reads. "Several Senators have indicated that they are considering becoming the 51st vote we need to win, but they're under huge pressure from telecom lobbyists. Only a massive burst of energy from the internet will get them to move."

The day of action is scheduled for February 27, and participants include Tumblr, Etsy, Vimeo, Medium, Namecheap, Imgur, Sonos, and DuckDuckGo. "Internet users will be encouraged to sound the alarm on social media and sign up to receive alerts with their lawmaker's position on net neutrality and prompts to take action on the big day, while websites, subreddits, and online communities will display prominent alerts driving phone calls, emails, and tweets to Senators and Representatives calling on them to pass the CRA." The post notes that we're faced with an uphill battle as the fight will elevate to the House of Representatives if the CRA can pass the Senate. From there it will go to the President's desk.

Piracy

Man Handed Conditional Prison Sentence for Spreading Information About Popcorn Time Service (torrentfreak.com) 120

A man from Denmark has been handed a six-month conditional prison sentence for spreading information about Popcorn Time, an unauthorized on-demand movie and TV show streaming service, news outlet TorrentFreak reports. From the report: In what is being described as a first for Europe, the man was convicted after telling people how to download, install and use the movie streaming service. He was also ordered to forfeit $83,300 in ad revenue and complete 120 hours of community service.
Media

Twitch To Ban Users For 'Hate' on Other Platforms (bbc.com) 155

Twitch has updated its guidelines so that abuse taking place on other platforms can contribute to a suspension on the streaming site. From a report: Directing "hate or harassment" towards someone on Twitch using other services will be considered a policy violation. Conduct Twitch deems "hateful" on any platform will result in an "immediate indefinite suspension." Sexual conduct rules have also been changed to consider the "context" of a stream. Moderators will pay attention to clothing, the title of a stream, camera angles and chat moderation when deciding whether something is sexually inappropriate.
Bitcoin

Russian Nuclear Scientists Arrested For 'Bitcoin Mining Plot' (bbc.com) 84

Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies, BBC reported Friday, citing local media. From the report: The suspects had tried to use one of Russia's most powerful supercomputers to mine Bitcoins, media reports say. The Federal Nuclear Centre in Sarov, western Russia, is a restricted area. The centre's press service said: "There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining." The supercomputer was not supposed to be connected to the internet -- to prevent intrusion -- and once the scientists attempted to do so, the nuclear centre's security department was alerted. They were handed over to the Federal Security Service (FSB), the Russian news service Mash says. "As far as we are aware, a criminal case has been launched against them," the press service told Interfax news agency.
Businesses

Uber Settles Dispute With Alphabet's Self-driving Car Unit (cnbc.com) 39

In a shocking development, Uber said on Friday it has settled the high-stakes trade-secret theft lawsuit brought by Alphabet's Waymo, resolving a conflict that already cost the ride-hailing giant its top driverless car engineer and threatened to further embarrass the company. From a report: Uber will pay Waymo a 0.34 percent equity stake amounting to about $245 million at Uber's recent $72 billion valuation, the companies said on Friday, after days of courtroom theatrics. Uber has also agreed not to incorporate Waymo's confidential information into its hardware and software, though Uber CEO Dara Khosrowshahi writes that he doesn't believe his company used any of Waymo's trade secrets in the first place. Khosrowshahi says that he feels "regret" over the dispute and wished his predecessors had handled it differently.
Communications

Turkey Rolls Out Domestic Rival To WhatsApp, Raising Surveillance Concerns (reuters.com) 36

Turkey has launched a domestic messaging app to rival Facebook's popular WhatsApp Messenger service, raising concerns among government critics that Ankara (capital of Turkey) could use the new platform to tighten surveillance and bolster an 18-month-old crackdown. From a report: The app, called PttMessenger after Turkey's Post and Telegraph General Directorate (PTT), was introduced in a limited roll-out to state institutions and some private companies this week. It is expected to be publicly available in six months. PttMessenger will provide a "system safer than WhatsApp," government spokesman Bekir Bozdag told a news conference. "Since no data is stored with the host, it will be impossible to access these data. A system safer than WhatsApp has been developed." Critics cast doubt on the suggestion PttMessenger data could not be retrieved, fearing it will give authorities greater ability to monitor dissent, pointing to the widespread crackdown that was launched after a failed military coup in July 2016.
Bitcoin

Arizona Introduces Bill That Would Allow Residents To Pay Taxes In Bitcoin (investopedia.com) 109

In a bid to attract businesses involved in blockchain and cryptocurrencies, Arizona lawmakers have proposed a bill that would allow the state's citizens to pay their taxes in bitcoin. "Arizona State Rep. Jeff Weninger, who introduced the bill, said it was a signal to everyone in the United States, and possibly throughout the world, that Arizona was going to be the place to be for blockchain and digital currency technology in the future," reports Investopedia. From the report: Weninger, a Republican, also cited the ease of making online payments through the cryptocurrency "while you're watching television," as another reason. But he did not divulge much detail about the implementation of such a system. That might be the reason why Weninger faces an uphill battle in getting the bill approved by the state legislature. Bitcoin's price volatility is already being cited as a possible roadblock to implementing such a measure by state legislators. Arizona state senator Steve Farley, a Democrat who's running for governor, said the bill puts the "volatility burden" of bitcoin's price on taxpayers who make payments in U.S. dollars. "It would mean that the money goes to the state and then the state has to take responsibility of how to exchange it," Farley said.
Democrats

32 Senators Want To Know If US Regulators Halted Equifax Probe (engadget.com) 93

An anonymous reader quotes a report from Engadget: Earlier this week, a Reuters report suggested that the Consumer Financial Protection Bureau (CFPB) had halted its investigation into last year's massive Equifax data breach. Reuters sources said that even basic steps expected in such a probe hadn't been taken and efforts had stalled since Mick Mulvaney took over as head of the CFPB late last year. Now, 31 Democratic senators and one Independent have written a letter to Mulvaney asking if that is indeed the case and if so, why.

In their letter, the senators expressed their concern over these reports and reiterated the duty the CFPB has to not only investigate the breach but to bring action against Equifax if deemed necessary. "Consumer reporting agencies and the data they collect play a central role in consumers' access to credit and the fair and competitive pricing of that credit," they wrote. "Therefore, the CFPB has a duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers and bring enforcement actions as necessary."

Businesses

Detroit Quietly Bans Airbnb (curbed.com) 197

A new zoning ordinance that quietly went into effect this week has residents trying to figure out what comes next for Airbnb's presence in Detroit. Many hosts have received notices that the city has outlawed Airbnb for R1 and R2 zoning. Curbed Detroit reports: The new zoning ordinance apparently went through the Planning Commission and City Council in 2017, and went into effect this week. The text added to the amendment states: "Use of a dwelling to accommodate paid overnight guests is prohibited as a home occupation; notwithstanding this regulation, public accommodations, including bed and breakfast inns outside the R1 and R2 Districts, are permitted as provided in Sec. 61-12-46 of this Code." The vast majority of Airbnb units in Detroit are in R1 and R2 districts. These do not include places like lofts, apartments, or larger developments. Airbnb has issued a statement saying: "We're very disappointed by this turn of events. Airbnb has served as an economic engine for middle class Detroiters, many of whom rely on the supplemental income to stay in their homes. We hope that the city listens to our host community and permits home sharing in these residential zones."
Google

Google Chrome Pushes For User Protection With 'Not secure' Label (axios.com) 85

In an effort to force websites to better protect their users, the Chrome web browser will label all sites that do not encrypt traffic as "Not secure" in the web address bar, Google announced Thursday. From a report: Encrypted traffic allows users to access data on a website without allowing potential eavesdroppers to see anything the users visit. HTTPS also prevents meddlers from changing information in transit. During normal web browsing, Google currently displays a "Not secure" warning next to a site's URL if it forgoes HTTPS encryption and a user enters data. Now the browser will label all sites without HTTPS encryption this way.
iOS

Apple Says the Leaked iPhone Source Code is Outdated (cnet.com) 80

Apple has responded to security concerns surrounding leaked iPhone source code, pointing out that any potential vulnerabilities would be outdated. From a report: "Old source code from three years ago appears to have been leaked," Apple said in a statement, "but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections." The iBoot source code for iOS 9, a core part of what keeps your iPhones and iPads secure when they turn on, was leaked on GitHub, Motherboard first reported. The source code leak was considered a major security issue for Apple, as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the GitHub page hosting the leaked code taken down, but multiple copies of the code have already spread online.
Google

Original Pixel Phone Users Are Suing Google Over Microphone Defects (fastcompany.com) 62

Google is facing a lawsuit over the original Pixel. From a report: In a class action complaint filed this week, plaintiffs allege that the microphones in their Pixel and Pixel XL phones were defective from the start, and that Google knowingly sold defective phones amid widespread complaints immediately after launch. The lawsuit also claims that some warranty replacement phones continued to have problems, though neither of the named plaintiffs in the lawsuit had their phones repaired within Google's standard warranty period. Google acknowledged the Pixel phones' microphone issues in March 2017. An employee on Google's support forums attributed the problems to "a hairline crack in the solder connection on the audio codec," and said the problem can come and go depending on the temperature of the phone or the way it's being held.