Security

Royal Jordanian Airlines Bans Use of Electronics After US Voices Security 'Concerns' (theverge.com) 109

An anonymous reader quotes a report from The Verge: Royal Jordanian airlines banned the use of electronics on flights servicing the U.S. after government officials here expressed concerns. Details are scant, but CNN is reporting that other carriers based in the Middle East and Africa may be affected as well. The news broke when Royal Jordanian, a state-owned airline that operates around 500 flights a week, posted this cryptic notice on its Twitter feed. The ban, which includes laptops, tablets, and video games, but does not include smartphones or medical devices, is effective for Royal Jordanian flights servicing New York, Chicago, Detroit, and Montreal. A spokesperson for Royal Jordanian was not immediately available for clarification. Meanwhile, CNN is reporting that Royal Jordanian may not be the only carrier affected by these new security provisions. Jon Ostrower, the network's aviation editor, just tweeted that as many as 12 airlines based in the Middle East and Africa could be impacted. A Saudi executive also tweeted that "directives by U.S. authorities" could affect passengers traveling from 13 countries, with the new measure set to go into effect over the next 96 hours.
Communications

Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files (zdnet.com) 76

Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products is vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are "no workarounds" to address the vulnerability, but it said that disabling Telnet would "eliminate" some risks.
Government

FBI Director Comey Confirms Investigation Into Trump Campaign (reuters.com) 532

FBI Director James Comey confirmed during testimony before Congress Monday that the FBI is investigating whether the Trump campaign colluded with a covert Russian campaign to interfere with the election. From a report on Reuters: Comey told a congressional hearing on Russian activities that the probe "includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia's efforts. Because it is an open, ongoing investigation and is classified, I cannot say more about what we are doing and whose conduct we are examining," Comey said. Earlier, the chairman of the U.S. House of Representatives Intelligence Committee, Republican Representative Devin Nunes, told the same hearing that the panel had seen no evidence of collusion between Russia and Trump's 2016 campaign. Nunes also denied an unsubstantiated claim from Trump that there had been a wiretap on his Trump Tower in New York but said it was possible other surveillance was used against the Republican.
Businesses

Indiana Considers Prohibiting Cities From Banning Airbnb (usnews.com) 164

"Indiana's cities and towns wouldn't be allowed to put their own restrictions on companies such as Airbnb under a proposal state lawmakers are considering," reports the Associated Press. Slashdot reader El Cubano writes: The proposed legislation would prohibit local government in the state from banning Airbnb rentals by their residents. There are exceptions for home owner associations (which will still be allowed to ban rentals in their communities) and 180-day per year cap.

It is interesting to see something like this being considered at the state level. Supporters say that they are trying to prevent knee-jerk regulations and to protect an innovative emerging market. At the same time, local authorities are upset that they will no longer have the option to make the determination for themselves.

The bill has already been approved by the Indiana House, as well as a key committee in the Indiana Senate.
Businesses

Two More Executives Are Leaving Uber, Drivers May Unionize (nytimes.com) 200

First the resignations. "The beliefs and approach to leadership that have guided my career are inconsistent with what I saw and experienced at Uber," the company's former president told Recode on Sunday, announcing his resignation. "The departures add to the executive exodus from Uber this year," writes The New York Times. An anonymous reader quotes their report. Brian McClendon, vice president of maps and business platform at Uber, also plans to leave at the end of the month... Raffi Krikorian, a well-regarded director in Uber's self-driving division, left the company last week, while Gary Marcus, who joined Uber in December after Uber acquired his company, left this month. Uber also asked for the resignation of Amit Singhal, a top engineer who failed to disclose a sexual harassment claim against him at his previous employer, Google, before joining Uber. And Ed Baker, another senior executive, left this month as well.
Jones left Uber after less than six months, though McClendon's departure is said to be more amicable. "Mr. McClendon, in a statement, said he was returning to his hometown, Lawrence, Kansas, after 30 years away. 'This fall's election and the current fiscal crisis in Kansas is driving me to more fully participate in our democracy -- and I want to do that in the place I call home."

In other news, the Teamsters labor union plans to start organizing Uber's drivers into a union, after a Washington judge rejected Uber's attempt to overturn a right-to-unionize ordinance passed by the city of Seattle.
Government

Apple Paid $0 In Taxes To New Zealand, Despite Sales of $4.2 Billion (nzherald.co.nz) 448

Apple paid no income tax to New Zealand's Inland Revenue Department for the last 10 years, according to an article shared by sit1963nz, prompting calls for the company to "do the right thing" even from some American-based Apple users. From the New Zealand Herald: Bryan Chaffin of The Mac Observer, an Apple community blog site founded in 1998...wrote that Apple was the largest taxpayer in the United States, but 'pays next to nothing in most parts of the world... [L]ocal taxes matter. Roads matter. Schools matter. Housing authorities matter. Health care matters. Regulation enforcement matters. All of the things that support civil society matter. Apple's profits are made possible by that civil society, and the company should contribute its fair share.'
Apple's accounts "show apparent income tax payments of $37 million," according to an earlier article, "but a close reading shows this sum was actually sent abroad to the Australian Tax Office, an arrangement that has been in place since at least 2007. Had Apple reported the same healthy profit margin in New Zealand as it did for its operations globally it would have paid $356 million in taxes over the period."

"It is absolutely extraordinary that they are able to get away with paying zero tax in this country," said Green Party co-leader James Shaw. "I really like Apple products -- they're incredibly innovative -- but it looks like their tax department is even more innovative than their product designers."
Patents

Maryland Legislator Wants To Keep State University Patents Away From Trolls (eff.org) 52

The EFF's "Reclaim Invention" campaign provided the template for a patent troll-fighting bill recently introduced in the Maryland legislature to guide public universities. An anonymous reader writes: The bill would "void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll)," according to the EFF, requiring universities to manage their patent portfolios in the public interest. James Love, the director of the nonprofit Knowledge Ecology International, argues this would prevent assigning patents to "organizations who are just suing people for infringement," which is especially important for publicly-funded colleges. "You don't want public sector patents to be used in a way that's a weapon against the public." Yarden Katz, a fellow at Harvard's Berkman Klein Center for Internet and Society, says the Maryland legislation would "set an example for other states by adopting a framework for academic research that puts public interests front and center."
The EFF has created a web page where you can encourage your own legislators to pass similar bills, and to urge universities to pledge "not to knowingly license or sell the rights of inventions, research, or innovation...to patent assertion entities, or patent trolls."
Microsoft

WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com) 227

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves."
Government

NY Bill Would Require Removal of Inaccurate, Irrelevant Or Excessive Statements (washingtonpost.com) 155

schwit1 writes: In a bill aimed at securing a "right to be forgotten," introduced by Assemblyman David I. Weprin (and as Senate Bill 4561 by state Sen. Tony Avella), New York politicians would require people to remove "inaccurate," "irrelevant," "inadequate" or "excessive" statements about others... Failure to comply would make the search engines or speakers liable for, at least, statutory damages of $250/day plus attorney fees.
The Washington Post reports the bill's provisions would be as follows: Within 30 days of a "request from an individual, all search engines [and online speakers] shall remove...content about such individual, and links or indexes to any of the same, that is 'inaccurate', 'irrelevant', 'inadequate' or 'excessive,' and without replacing such removed...content with any disclaimer [or] takedown notice.... [I]naccurate', 'irrelevant', 'inadequate', or 'excessive' shall mean content, which after a significant lapse in time from its first publication, is no longer material to current public debate or discourse, especially when considered in light of the financial, reputational and/or demonstrable other harm that the information...is causing to the requester's professional, financial, reputational or other interest, with the exception of content related to convicted felonies, legal matters relating to violence, or a matter that is of significant current public interest, and as to which the requester's role with regard to the matter is central and substantial."
Crime

Your Hotel Room Photos Could Help Catch Sex Traffickers (cnn.com) 151

100,000 people have already downloaded an app that helps fight human trafficking. dryriver summarizes a report from CNN: Police find an ad for paid sex online. It's an illegally trafficked underage girl posing provocatively in a hotel room. But police don't know where this hotel room is -- what city, what neighborhood, what hotel or hotel room. This is where the TraffickCam phone app comes in. When you're staying at a hotel, you take pictures of your room... The app logs the GPS data (location of the hotel) and also analyzes what's in the picture -- the furniture, bed sheets, carpet and other visual features. This makes the hotel room identifiable. Now when police come across a sex trafficking picture online, there is a database of images that may reveal which hotel room the picture was taken in.
"Technology drives everything we do nowadays, and this is just one more tool that law enforcement can use to make our job a little safer and a little bit easier," says Sergeant Adam Kavanaugh, supervisor of the St. Louis County Multi-Jurisdictional Human Trafficking Task Force. "Right now we're just beta testing the St. Louis area, and we're getting positive hits," he says (meaning ads that match hotel-room photos in the database). But the app's creators hope to make it available to all U.S. law enforcement within the next few months, and eventually globally, so their app is already collecting photographs from hotel rooms around the world to be stored for future use.
Crime

Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times (bleepingcomputer.com) 63

An anonymous reader writes: "An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer," reports BleepingComputer. Court papers reveal the IT admin left to be the CTO at one of the sportswear company's IT suppliers after working for 14 years at his previous employer. For more than two years, he's [allegedly] been using an account he created before he left to access his former colleagues' emails and gather information about the IT services they might need in the future. The IT admin was fired from his CTO job after his new employer found out what he was doing.
One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanming" account for a non-existent employee named Jeff Manning...
The Military

The US Army Finally Gets The World's Largest Laser Weapon System (bizjournals.com) 130

It's been successfully tested on trucks, as well as UAVs and small rockets, according to a video from Lockheed Martin, which is now shipping the first 60kW-class "beam combined" fiber laser for use by the U.S. Army. An anonymous reader quotes the Puget Sound Business Journal: Lockheed successfully developed and tested the 58 kW laser beam earlier this year, setting a world record for this type of laser. The company is now preparing to ship the laser system to the U.S. Army Space and Missile Defense Command/Army Forces Strategic Command in Huntsville, Alabama [according to Robert Afzal, senior fellow for Lockheed's Laser and Sensor Systems in Bothell]. "We have shown that a powerful directed energy laser is now sufficiently light-weight, low volume and reliable enough to be deployed on tactical vehicles for defensive applications on land, at sea and in the air..." Laser weapons, which complement traditional kinetic weapons in the battlefield, will one day protect against threats such as "swarms of drones" or a flurry of rockets and mortars, Lockheed said.
Encryption

Ask Slashdot: How Would You Implement Site-Wide File Encryption? 151

Recently-leaked CIA documents prove that encryption works, according to the Associated Press. But how should sys-admins implement site-wide file encryption? Very-long-time Slashdot reader Pig Hogger writes: If you decide to implement server-level encryption across all your servers, how do you manage the necessary keys/passwords/passphrases to ensure that you have both maximum uptime (you can access your data if you need to reboot your servers), yet that the keys cannot be compromised... What are established practices to address this issue?
Keep in mind that you can't change your password once the server's been seized, bringing up the issue of how many people know that password. Or is there a better solution? Share your suggestions and experiences in the comments. How would you implement site-wide file encryption?
Government

CBS Reports 'Suspicious' Cell Phone Tower Activity In Washington DC (cbsnews.com) 187

"An unusually high amount of suspicious cell phone activity in the nation's capital has caught the attention of the Department of Homeland Security, raising concerns that U.S. officials are being monitored by a foreign entity," reports CBS News: The issue was first reported in the Washington Free Beacon, but a source at telecom security firm ESD America confirmed the spike in suspicious activity to CBS News. ESD America, hired preemptively for a DHS pilot program this January called ESD Overwatch, first noticed suspicious activity around cell phone towers in certain parts of the capital, including near the White House. This kind of activity can indicate that someone is monitoring specific individuals or their devices... According to the ESD America source, the first such spike of activity was in D.C. but there have been others in other parts of the country. Based on the type of technology used, the source continued, it is likely that the suspicious activity was being conducted by a foreign nation.
The news coincides with a letter sent to the DHS by two congressmen "deeply concerned" about vulnerabilities in the SS7 protocol underlying U.S. cellular networks, according to an article shared by Slashdot reader Trailrunner7. Senator Ron Wyden and Representative Ted Lieu are asking if the agency has enough resources to address the threat. "Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones."
China

China's Police Will Shoot Illegal Drones With Radio-Jamming Rifles (mashable.com) 62

"Police in China are being equipped with new high-tech weaponry to help them fight back against illegal drone use," writes new submitter drunkdrone. Mashable reports: A Chinese city's police department is arming itself with more than 20 drone-jamming rifles...which work by emitting radio signals that force the drones to land, purportedly without damaging them. The drone-killing rifles will be used during the upcoming 2017 Wuhan Marathon, to raise security. Wuhan police demonstrated the drone-killing rifles last week, where they shot down six drones, according to the Chutian Metropolitan Daily.
Each rifle costs $36,265, and has a range of 0.6 miles.
Botnet

Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com) 84

"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com: You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said...

"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."

Communications

Could We Eliminate Spam With DMARC? (zdnet.com) 124

An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing."
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
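To make concrete what "using DMARC" means for a receiving mail server, here is an added example (not code from the article, ZDNet, or any DMARC implementation) that parses a domain's published DMARC record and applies it to a message's SPF and DKIM results. The record, domains and authentication results are constructed; two simplifications are assumptions of this example rather than DMARC behaviour: the organizational domain is approximated as the last two DNS labels (a real receiver uses the Public Suffix List), and the pct= sampling tag is ignored.

```python
"""Minimal DMARC record parsing and policy evaluation (illustrative, stdlib only)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.

    Defaults are filled in for adkim/aspf (relaxed) and sp (same as p), and the
    record is rejected if the version tag is not first or p= is missing/invalid.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC1 record (v=DMARC1 must come first)")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= tag missing or not one of none/quarantine/reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain = last two labels (no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    hf, ad = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


@dataclass
class AuthResult:
    """Constructed SPF/DKIM outcome for one message, as a receiver would have it."""
    spf_pass: bool
    spf_domain: Optional[str]   # MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= of the DKIM signature that verified


def evaluate(record: Dict[str, str], header_from: str, auth: AuthResult) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for a message.

    DMARC passes if SPF or DKIM both passed AND is aligned with the RFC5322.From
    domain. Otherwise the domain owner's policy applies: p= for the organizational
    domain itself, sp= for its subdomains (this assumes the record was published
    at the organizational domain).
    """
    spf_ok = auth.spf_pass and aligned(header_from, auth.spf_domain, record["aspf"])
    dkim_ok = auth.dkim_pass and aligned(header_from, auth.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    is_org = header_from.lower() == org_domain(header_from)
    return ("fail", record["p"] if is_org else record["sp"])


# Constructed record for a hypothetical example.com (not a real published policy).
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    rec = parse_dmarc_record(RECORD)
    cases = [
        # legitimate mail: SPF passed for a relaxed-aligned subdomain
        ("example.com", AuthResult(True, "mail.example.com", False, None)),
        # spoofed From: SPF and DKIM pass, but only for the sender's own domain
        ("example.com", AuthResult(True, "bulk-sender.example", True, "bulk-sender.example")),
        # subdomain From with a DKIM d= that fails strict alignment
        ("news.example.com", AuthResult(False, None, True, "example.com")),
    ]
    for hf, auth in cases:
        print(hf, "->", evaluate(rec, hf, auth))
```

The second case is the one DMARC exists for: a spammer can make SPF and DKIM pass for a domain they control, but neither identifier aligns with the forged From address, so the receiver applies the victim domain's p=reject. The third case shows why adkim=s is a deliberate choice: a signature from the parent domain no longer covers subdomain mail, and the sp= policy decides what happens to it.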
Government

US Lawmakers Propose Minimum Seat Sizes For Airlines (consumerist.com) 266

The size of each passenger's seat on an airplane -- as well as the distance between rows of seats -- should be standardized, according to legislation proposed by two American lawmakers. Slashdot reader AmiMoJo quotes Consumerist: The text of the bill does not specify any dimensions for seat widths or legroom. Rather, if the legislation is passed, the particulars would be left up to the FAA to sort out... Though seat size may vary from airline to airline, Cohen notes that the average distance between rows of seats has dropped from 35 inches before airline deregulation in the 1970s, to around 31 inches today. Your backside is getting the squeeze, as well, as the average width of an airline seat has also shrunk from 18 inches to about 16.5 inches.
Security

Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com) 58

An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't know where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility.
Crime

Judge Grants Search Warrant For Everyone Who Searched a Crime Victim's Name On Google (startribune.com) 101

Hennepin County District Judge Gary Larson has issued a search warrant to Edina, Minnesota police to collect information on people who searched for variations of a crime victim's name on Google from Dec. 1 through Jan. 7. Google would be required to provide Edina police with basic contact information for people targeted by the warrant, as well as Social Security numbers, account and payment information, and IP and MAC addresses. StarTribune reports: Information on the warrant first emerged through a blog post by public records researcher Tony Webster. Edina police declined to comment Thursday on the warrant, saying it is part of an ongoing investigation. Detective David Lindman outlined the case in his application for the search warrant: In early January, two account holders with SPIRE Credit Union reported to police that $28,500 had been stolen from a line of credit associated with one of their accounts, according to court documents. Edina investigators learned that the suspect or suspects provided the credit union with the account holder's name, date of birth and Social Security number. In addition, the suspect faxed a forged U.S. passport with a photo of someone who looked like the account holder but wasn't. Investigators ran an image search of the account holder's name on Google and found the photo used on the forged passport. Other search engines did not turn up the photo. According to the warrant application, Lindman said he had reason to believe the suspect used Google to find a picture of the person they believed to be the account holder. Larson signed off on the search warrant on Feb. 1. According to court documents, Lindman served it about 20 minutes later.
