Privacy

People Keep Finding Hidden Cameras in Their Airbnbs (buzzfeed.com) 167

"Airbnb has a scary problem on their hands: People keep finding hidden cameras in their rental homes," reports the New York Post. "Another host was busted last month trying to film guests without their knowledge -- marking the second time since October that the company has had to publicly deal with this sort of incident." BuzzFeed reports: In October, an Indiana couple visiting Florida discovered a hidden camera disguised as a smoke detector in their Airbnb's master bedroom. Earlier that same year Airbnb was forced to investigate and suspend a Montreal listing after one of the renters discovered a camera in the bedroom of the property... Hidden cameras aren't just an issue for Airbnb -- it's been a hot-button topic in hospitality for years. There are hundreds of stories about hotels using unlawful surveillance. [For example, this one.]

Airbnb recommends its customers read the reviews of the host of any rental property they might be interested in, and also offers an on-platform messaging tool that allows communication between host and guests... "Cameras are never allowed in bathrooms or bedrooms; any other cameras must be properly disclosed to guests ahead of time," Airbnb spokesperson Jeff Henry told BuzzFeed News.

This time the couple discovered hidden cameras that were disguised as a motion detectors. Airbnb says they've permanently banned the offending host -- and offered his guests a refund -- adding that this type of incident was "incredibly rare."
Bitcoin

People Who Can't Remember Their Bitcoin Passwords Are Really Freaking Out Now (slate.com) 202

An anonymous reader quotes a report from Slate: Bitcoin has had quite a week. On Thursday, the cryptocurrency surged past $19,000 a coin before dropping down to $15,600 by Friday midday. The price of a single Bitcoin was below $1,000 in January. Any investors who bought Bitcoins back in 2013, when the price was less than $100, probably feel pretty smart right now. But not all early cryptocurrency enthusiasts are counting their coins. Instead they might be racking their brains trying to remember their passwords, without which those few Bitcoins they bought as an experiment a few years ago could be locked away forever. That's because Bitcoin's decentralization relies on cryptography, where each transaction is signed with an identifier assigned to the person paying and the person receiving Bitcoin.

"I've tried to ignore the news about Bitcoin completely," joked Alexander Halavais, a professor of social technology at Arizona State University, who said he bought $70 of Bitcoin about seven years as a demonstration for a graduate class he was teaching at the time but has since forgotten his password. "I really don't want to know what it's worth now," he told me. "This is possibly $400K and I'm freaking the fuck out. I'm a college student so this would change my life lmao," wrote one Reddit user last week. The user claimed to have bought 40 bitcoins in 2013 but can't remember the password now. "A few years ago, I bought about 20 euros worth of bitcoin, while it was at around 300eur/btc.," lamented another Reddit user earlier this week. "Haven't looked at it since, and recently someone mentioned the price had hit 10.000usd. So, I decided to take a look at my wallet, but found that it wasn't my usual password. I have tried every combination of the password variations I usually use, but none of them worked."

Security

Zero-Day iOS HomeKit Vulnerability Allowed Remote Access To Smart Accessories Including Locks (9to5mac.com) 39

Apple has issued a fix to a vulnerability that allowed unauthorized control of accessories, including smart locks and garage door openers. "Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality," reports 9to5Mac. From the report: The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac. The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies. The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected.
Security

'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com) 126

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.
Chrome

Chrome 63 Offers Even More Protection From Malicious Sites, Using Even More Memory (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: To further increase its enterprise appeal, Chrome 63 -- which hit the browser's stable release channel yesterday -- includes a couple of new security enhancements aimed particularly at the corporate market. The first of these is site isolation, an even stricter version of the multiple process model that Chrome has used since its introduction. Chrome uses multiple processes for several security and stability reasons. On the stability front, the model means that even if a single tab crashes, other tabs (and the browser itself) are unaffected. On the security front, the use of multiple processes makes it much harder for malicious code from one site to steal secrets (such as passwords typed into forms) of another. [...]

Naturally, this greater use of multiple processes incurs a price; with this option enabled, Chrome's already high memory usage can go up by another 15 to 20 percent. As such, it's not enabled by default; instead, it's intended for use by enterprise users that are particularly concerned about organizational security. The other new capability is the ability for administrators to block extensions depending on the features those extensions need to use. For example, an admin can block any extension that tries to use file system access, that reads or writes the clipboard, or that accesses the webcam or microphone. Additionally, Google has started to deploy TLS 1.3, the latest version of Transport Layer Security, the protocol that enables secure communication between a browser and a Web server. In Chrome 63, this is only enabled between Chrome and Gmail; in 2018, it'll be turned on more widely.

Social Networks

Twitter Says It Accidentally Banned A Bunch Of Accounts (buzzfeed.com) 25

An anonymous reader shares a report: Over the past 24 hours, some Twitter users had their profiles replaced with a notice saying their accounts were now being "withheld in: Worldwide." The "country withheld" program run by Twitter typically prevents users based in a specific country from from seeing tweets sent by a withheld account. This was the first time people could recall the company withholding accounts globally, which was in effect a total ban for the user. At the time of writing, BuzzFeed News had identified 21 accounts that were being withheld worldwide, and users on Twitter were beginning to wonder if this was a new method being used by the company to suspend accounts. But a Twitter spokesperson tells BuzzFeed News that the worldwide withholdings were in fact the result of a bug. "We have identified a bug that incorrectly impacted certain accounts. We have identified a fix, are working to resolve the issue, and anticipate it will be fully resolved shortly," the spokesperson told BuzzFeed News.
Businesses

Bangladesh Bank, NY Fed Discuss Suing Manila Bank For Heist Damages (reuters.com) 29

An anonymous reader shares a report: Bangladesh's central bank has asked the Federal Reserve Bank of New York to join a lawsuit it plans to file against a Philippines bank for its role in one of the world's biggest cyber-heists, several sources said. The Fed is yet to respond formally, but there is no indication it would join the suit. Unidentified hackers stole $81 million from Bangladesh Bank's account at the New York Fed in February last year, using fraudulent orders on the SWIFT payments system. The money was sent to accounts at Manila-based Rizal Commercial Banking Corp and then disappeared into the casino industry in the Philippines.
Businesses

ISP Disclosures About Data Caps and Fees Eliminated By Net Neutrality Repeal (arstechnica.com) 281

In 2015, the Federal Communications Commission forced ISPs to be more transparent with customers about hidden fees and the consequences of exceeding data caps. Since the requirements were part of the net neutrality rules, they will be eliminated when the FCC votes to repeal the rules next week. Ars Technica reports: While FCC Chairman Ajit Pai is proposing to keep some of the commission's existing disclosure rules and to impose some new disclosure requirements, ISPs won't have to tell consumers exactly what everything will cost when they sign up for service. There have been two major versions of the FCC's transparency requirements: one created in 2010 with the first net neutrality rules, and an expanded version created in 2015. Both sets of transparency rules survived court challenges from the broadband industry. The 2010 requirement had ISPs disclose pricing, including "monthly prices, usage-based fees, and fees for early termination or additional network services." That somewhat vague requirement will survive Pai's net neutrality repeal. But Pai is proposing to eliminate the enhanced disclosure requirements that have been in place since 2015. Here are the disclosures that ISPs currently have to make -- but won't have to after the repeal:

-Price: the full monthly service charge. Any promotional rates should be clearly noted as such, specify the duration of the promotional period and the full monthly service charge the consumer will incur after the expiration of the promotional period.
-Other Fees: all additional one time and/or recurring fees and/or surcharges the consumer may incur either to initiate, maintain, or discontinue service, including the name, definition, and cost of each additional fee. These may include modem rental fees, installation fees, service charges, and early termination fees, among others.
-Data Caps and Allowances: any data caps or allowances that are a part of the plan the consumer is purchasing, as well as the consequences of exceeding the cap or allowance (e.g., additional charges, loss of service for the remainder of the billing cycle).

Pai's proposed net neutrality repeal says those requirements and others adopted in 2015 are too onerous for ISPs.

Bitcoin

Bank of America Wins Patent For Crypto Exchange System (coindesk.com) 52

New submitter psnyder shares a report from CoinDesk: [The patent] outlined a potential cryptocurrency exchange system that would convert one digital currency into another. Further, this system would be automated, establishing the exchange rate between the two currencies based on external data feeds. The patent describes a potential three-part system, where the first part would be a customer's account and the other two would be accounts owned by the business running the system. The user would store their chosen cryptocurrency through the customer account. The second account, referred to as a "float account," would act as a holding area for the cryptocurrency the customer is selling, while the third account, also a float account, would contain the equivalent amount of the cryptocurrency the customer is converting their funds to. That third account would then deposit the converted funds back into the original customer account for withdrawal. The proposed system would collect data from external information sources on cryptocurrency exchange rates, and use this data to establish its own optimal rate. The patent notes this service would be for enterprise-level customers, meaning that if the bank pursues this project, it would be offered to businesses.
Government

Volkswagen Executive Sentenced To Maximum Prison Term For His Role In Dieselgate (arstechnica.com) 101

An anonymous reader quotes a report from Ars Technica: On Wednesday, a U.S. District judge in Detroit sentenced Oliver Schmidt, a former Volkswagen executive, to seven years in prison for his role in the Volkswagen diesel emissions scandal of 2015. Schmidt was also ordered to pay a criminal penalty of $400,000, according to a U.S. Department of Justice (DOJ) press release. The prison term and the fine together represent the maximum sentence that Schmidt could have received under the plea deal he signed in August. Schmidt, a German citizen who lived in Detroit as an emissions compliance executive for VW, was arrested in Miami on vacation last January. In August, he pleaded guilty to conspiracy and to making a false statement under the Clean Air Act. Schmidt's plea deal stated that the former executive could face up to seven years in prison and between $40,000 and $400,000 in fines.

Last week, Schmidt's attorneys made a last-minute bid requesting a lighter sentence for Schmidt: 40 months of supervised release and a $100,000 fine. Schmidt also wrote a letter to the judge, which surfaced over the weekend, in which the executive said he felt "misused" by his own company and claimed that higher-ranked VW executives coached him on a script to help him lie to a California Air Resources Board (CARB) official. Instead, Schmidt was sentenced to the maximum penalties outlined in the plea deal. Only one other VW employee has been sentenced in connection with the emissions scandal: former engineer James Liang, who received 40 months in prison and two years of supervised release as the result of his plea deal. Although six other VW Group executives have been indicted, none is in U.S. custody.

Google

Inside Oracle's Cloak-and-dagger Political War With Google (recode.net) 86

schwit1 shares a Recode report: The story that appeared in Quartz this November seemed shocking enough on its own: Google had quietly tracked the location of its Android users, even those who had turned off such monitoring on their smartphones. But missing from the news site's report was another eyebrow-raising detail: Some of its evidence, while accurate, appears to have been furnished by one of Google's fiercest foes: Oracle. For the past year, the software and cloud computing giant has mounted a cloak-and-dagger, take-no-prisoners lobbying campaign against Google, perhaps hoping to cause the company intense political and financial pain at a time when the two tech giants are also warring in federal court over allegations of stolen computer code. Since 2010, Oracle has accused Google of copying Java and using key portions of it in the making of Android. Google, for its part, has fought those claims vigorously. More recently, though, their standoff has intensified. And as a sign of the worsening rift between them, this summer Oracle tried to sell reporters on a story about the privacy pitfalls of Android, two sources confirmed to Recode.
Privacy

Keylogger Found On Nearly 5,500 WordPress Sites (bleepingcomputer.com) 83

An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.
Medicine

Victims of Mystery Attacks In Cuba Left With Anomalies In Brain Tissue (arstechnica.com) 233

An anonymous reader quotes a report from Ars Technica: American victims of mysterious attacks in Cuba have abnormalities in their brains' white matter, according to new medical testing reported by the Associated Press. But, so far, it's unclear how or if the white-matter anomalies seen in the victims relate to their symptoms. White matter is made up of dense nerve fibers that connect neurons in different areas of the brain, forming networks. It gets its name from the light-colored electrical insulation, myelin, that coats the fibers. Overall, the tissue is essential for rapidly transmitting brain signals critical for learning and cognitive function.

In August, U.S. authorities first acknowledged that American diplomats and their spouses stationed in Havana, Cuba, had been the targets of puzzling attacks for months. The attacks were carried out by unknown agents and for unknown reasons, using a completely baffling weaponry. The attacks were sometimes marked by bizarrely targeted and piercing noises or vibrations, but other times they were completely imperceptible. Victims complained of a range of symptoms, including dizziness, nausea, headaches, balance problems, ringing in the ears (tinnitus), nosebleeds, difficulty concentrating and recalling words, permanent hearing loss, and speech and vision problems. Doctors have also identified mild brain injuries, including swelling and concussion. U.S. officials now report that 24 Americans were injured in the attacks but wouldn't comment on how many showed abnormalities in their white matter.

Businesses

Judge Dismisses Lawsuit That Claims Google Paid Female Employees Less Than Male Colleagues (cnn.com) 257

A California judge has rejected a class action claim against Google for alleged gender inequity. In September, three female Google employees filed a lawsuit against Google, claiming the search giant "engaged in systemic and pervasive pay and promotion discrimination." They sought class action status on behalf of women who have worked at Google in California for the past four years. CNN reports: This week, a judge rejected their request to make the suit a class action. A judge ruled that the class was "overbroad," stating that it "does not purport to distinguish between female employees who may have valid claims against Google based upon its alleged conduct from those who do not." Jim Finberg, the lawyer representing the plaintiffs, said his clients plan to file an amended complaint seeking class action certification. He said it will address the court's ruling and make "clear that Google violates the California Equal Pay Act throughout California and throughout the class period by paying women less than men for substantially equal work in nearly every job classification."
Government

Warrantless Surveillance Can Continue Even If Law Expires, Officials Say (theverge.com) 68

According to a New York Times report citing American officials, the Trump administration has decided that the National Security Agency and the FBI can lawfully keep operating their warrantless surveillance program even if Congress fails to extend the law authorizing it before an expiration date of New Year's Eve. The Verge reports: The White House believes the Patriot Act's surveillance provisions won't expire until four months into 2018. Lawyers point to a one-year certification that was granted on April 26th of last year. If that certification is taken as a legal authorization for the FISA court overall -- as White House lawyers suggest -- then Congress will have another four months to work out the details of reauthorization. There are already several proposals for Patriot Act reauthorization in the Senate, which focus the Section 702 provisions that authorize certain types of NSA surveillance. Some of the proposals would close the backdoor search loophole that allows for warrantless surveillance of U.S. citizens, although a recent House proposal would leave it in place. But with Congress largely focused on tax cuts and the looming debt ceiling fight, it's unlikely the differences could be reconciled before the end of the year.
Medicine

FCC Chair Ajit Pai Falsely Claims Killing Net Neutrality Will Help Sick and Disabled People (vice.com) 207

An anonymous reader quotes a report from Motherboard: One popular claim by the telecom sector is that net neutrality rules are somehow preventing people who are sick or disabled from gaining access to essential medical services they need to survive. Verizon, for example, has been trying to argue since at least 2014 that the FCC's net neutrality rules' ban on paid prioritization (which prevents ISPs from letting deep-pocketed content companies buy their way to a distinct network performance advantage over smaller competitors) harms the hearing impaired. That's much to the chagrin of groups that actually represent those constituents, who have consistently and repeatedly stated that this claim simply isn't true. Comcast lobbyists have also repeated this patently-false claim in their attempt to lift the FCC ban on unfair paid prioritization deals.

The claim that net neutrality rules hurt the sick also popped up in a recent facts-optional fact sheet the agency has been circulating to try and justify the agency's Orwellian-named "Restoring Internet Freedom" net neutrality repeal. In the FCC's current rules, the FCC was careful to distinguish between "Broadband Internet Access Services (BIAS)," which is general internet traffic like browsing, e-mail or app data and "Non-BIAS data services," which are often given prioritized, isolated capacity to ensure lower latency, better speed, and greater reliability. VoIP services, pacemakers, energy meters and all telemedicine applications fall under this category and are exempt from the rules. Despite the fact that the FCC's net neutrality rules clearly exempt medical services from the ban on uncompetitive paid prioritization, FCC boss Ajit Pai has consistently tried to claim otherwise. He did so again last week during a speech in which he attempted to defend his agency from the massive backlash to its assault on net neutrality.
"By ending the outright ban on paid prioritization, we hope to make it easier for consumers to benefit from services that need prioritization -- such as latency-sensitive telemedicine," Pai said. "By replacing an outright ban with a robust transparency requirement and FTC-led consumer protection, we will enable these services to come into being and help seniors."
The Almighty Buck

Ask Slashdot: How Do I Explain Copyright To My Kids? 327

orgelspieler writes: My son paid for a copy of a novel on his iPad. When his school made it against the rules to bring iPads, he wanted to get the same book on his Kindle. I tried to explain that the format of his eBook was not readily convertible to the Kindle. So he tried to go on his schools online library app. He checked it out just fine, but ironically, the offline reading function only works on the now-disallowed iPads. Rather than paying Amazon $7 for a book I already own, and he has already checked out from the library, I found a bootleg PDF online. I tried to explain that he could just read that, but he freaked out. "That's illegal, Dad!" I tried to explain format shifting, and the injustice of the current copyright framework in America. Even when he did his own research, stumbling across EFF's website on fair use, he still would not believe me.

Have any of you fellow Slashdotters figured out a good way to navigate the moral, legal, and technological issues of copyright law, as it relates to the next generation of nerds? Interestingly, my boy seems OK with playing old video games on the Wayback Machine, so I don't think it's a lost cause.
Security

NiceHash Hacked, $62 Million of Bitcoin May Be Stolen (reddit.com) 79

New submitter Chir breaks the news to us that the NiceHash crypto-mining marketplace has been hacked. The crypto mining pool broke the news on Reddit, where users suggest that as many as 4,736.42 BTC -- an amount worth more than $62 million at current prices -- has been stolen. The NiceHash team is urging users to change their online passwords as a result of the breach and theft.
Facebook

Facebook and YouTube Are Full of Pirated Video Streams of Live NFL Games (cnbc.com) 231

Pirated video streams of televised National Football League games are widespread on Facebook and on Google's YouTube service, CNBC has found. From a report: Using technology from these internet giants, thousands of football fans were able to watch long segments of many contests free of charge during the league's Week 13 schedule of games last Thursday and Sunday. Dozens of these video streams, pirated from CBS and NBC broadcasts, featured ads from well-known national brands interspersed with game action. This online activity comes as the league struggles with declining ratings that have been blamed variously on player protests during the national anthem and revelations about former players suffering from a brain disease caused by concussions. Yet this illegal distribution of NFL content may also be crimping the league's viewer numbers.
Firefox

Yahoo Sues Mozilla For Breach of Contract -- So Mozilla Counter Sues Yahoo (betanews.com) 112

Mark Wilson writes: Mozilla and Yahoo have started a legal spat about the deal that existed between the two companies regarding the use of the Yahoo search engine in the Firefox browser. On December 1, Yahoo fired the first shot filing a complaint that alleges Mozilla breached a contract that existed between the two companies by terminating the arrangement early. In a counter complaint, Mozilla says that it was not only justified in terminating the contract early, but that Yahoo Holdings and Oath still have a bill that needs to be settled.

Slashdot Top Deals