Microsoft

PSA: Microsoft Is Using Cortana To Read Your Private Skype Conversations (betanews.com) 180

BrianFagioli shares a report from BetaNews: "With Cortana's in-context assistance, it's easier to keep your conversations going by having Cortana suggest useful information based on your chat, like restaurant options or movie reviews. And if you're in a time crunch? Cortana also suggests smart replies, allowing you to respond to any message quickly and easily -- without typing a thing," says The Skype Team. The team further says, "Cortana can also help you organize your day -- no need to leave your conversations. Cortana can detect when you're talking about scheduling events or things you have to do and will recommend setting up a reminder, which you will receive on all your devices that have Cortana enabled. So, whether you're talking about weekend plans or an important work appointment, nothing will slip through the cracks."

So, here's the deal, folks. In order for this magical "in-context" technology to work, Cortana is constantly reading your private conversations. If you use Skype on mobile to discuss private matters with your friends or family, Cortana is constantly analyzing what you type. Talking about secret business plans with a colleague? Yup, Microsoft's assistant is reading those too. Don't misunderstand -- I am not saying Microsoft has malicious intent by adding Cortana to Skype; the company could have good intentions. With that said, there is the potential for abuse. Microsoft could use Cortana's analysis to spy on you for things like advertising or worse, and that stinks. Is it really worth the risk to have smart replies and suggested calendar entries? I don't know about you, but I'd rather not have my Skype conversations read by Microsoft.

Privacy

Equifax Made Salary, Work History Available To Anyone With Your SSN and DOB (krebsonsecurity.com) 169

An anonymous reader quotes a report from KrebsOnSecurity: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax. At issue is a service provided by Equifax's TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that "Your personal information is protected." "With your consent your personal data can be retrieved only by credentialed verifiers," Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits. Sadly, this isn't anywhere near true because most employers who contribute data to The Work Number -- including Fortune 100 firms, government agencies and universities -- rely on horribly weak authentication for access to the information.

iPhone

Face ID Is Coming To the iPad Pro Next Year, Says Report (macrumors.com) 73

According to MacRumors, KGI Securities analyst Ming-Chi Kuo said iPad Pro models set to be released in 2018 will come equipped with a TrueDepth Camera and will support Face ID. Apple is believed to be adding TrueDepth cameras to the iPad Pro to introduce a user experience that's consistent with the iPhone X and boost competitiveness. From the report: According to Kuo, TrueDepth Cameras will be limited to the iPad Pro, which is Apple's main flagship tablet device. Kuo also predicts 2018 iPhone models will adopt the new camera technology coming in the iPhone X, as he has mentioned in a previous note: "We predict iOS devices to be equipped with TrueDepth Camera in 2018F will include iPhone X and 2018 new iPhone and iPad models. Because of this, we believe more developers will pay attention to TrueDepth Camera/ facial recognition related applications. We expect Apple's (U.S.) major promotion of facial recognition related applications will encourage the Android camp to also dedicate more resources to developing hardware and facial recognition applications."

Mars

SpaceX's Mars Vision Puts Pressure on NASA's Manned Exploration Programs (marketwatch.com) 142

An anonymous reader shares a report: Entrepreneur Elon Musk's announcement late last month accelerating plans for manned flights to Mars ratchets up political and public relations pressure on NASA's efforts to reach the same goal. With Musk publicly laying out a much faster schedule than NASA -- while contending his vision is less expensive and could be financed primarily with private funds -- a debate unlike any before is shaping up over the direction of U.S. space policy. Industry officials and space experts consider the proposal by Musk's Space Exploration to land people on the red planet around the middle of the next decade extremely optimistic. Some supporters concede the deadline appears ambitious even for reaching the moon, while Musk himself acknowledged some of his projected dates are merely "aspirational." But the National Aeronautics and Space Administration doesn't envision getting astronauts to Mars until at least a decade later, a timeline NASA is finding increasingly hard to defend in the face of criticism that it is too slow.

Advertising

Ask Slashdot: Is Deliberately Misleading People On the Internet Free Speech? 503

Slashdot reader dryriver writes: Before anyone cries "free speech must always be free," let me qualify the question. Under a myriad of different internet sites and blogs are these click-through adverts that promise quick "miracle cures" for everything from toenail fungus to hair loss to tinnitus to age-related skin wrinkles to cancer. A lot of the ads begin with copy that reads "This one weird trick cures....." Most of the "cures" on offer are complete and utter crap designed to lift a few dollars from the credit cards of hundreds of thousands of gullible internet users. The IQ boosting pills that supposedly give you "amazing mental focus after just 2 weeks" don't work at all. Neither do any of the anti-ageing or anti-wrinkle creams, regardless of which "miracle berry" extract they put in them this year. And if you try to cure your cancer with an Internet remedy rather than seeing a doctor, you may actually wind up dead.

So the question -- is peddling this stuff online really "free speech"? You are promising something grandiose in exchange for hard cash that you know doesn't deliver any benefits at all.

Long-time Slashdot reader apraetor counters, "But how do you determine what is 'true'?" And Slashdot reader ToTheStars argues "It's already established that making claims about medicine is subject to scrutiny by the FDA (or the relevant authority in your jurisdiction)." But are other things the equivalent of yelling "fire" in a crowded movie theatre? Leave your best thoughts in the comments. Is deliberately misleading people on the internet free speech?

Businesses

The Case Against Biometric IDs (nakedcapitalism.com) 146

"The White House and Equifax Agree: Social Security Numbers Should Go," reads a headline at Bloomberg. Securities lawyer Jerri-Lynn Scofield tears down one proposed alternative: a universal biometric identity system (possibly using fingerprints and an iris scan) with further numeric verification. Presto Vivace shared the article: Using a biometric system when the basic problem of securing and safeguarding data has yet to be solved will only worsen, not address, the hacking problem. What we're being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out...?

[M]aybe we should rethink the whole impulse to centralize such data collection, for starters. And, after such a thought experiment, then further focus on obvious measures to safeguard such information -- such as installing regular software patches that could have prevented the Equifax hack -- should be the priority. And, how about bringing back a concept in rather short supply in C-suites -- that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry... The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy to drop by and replace the existing Social Security number is not the solution.

The article calls biometric identification systems "another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft." It suggests that biometric IDs are currently a distraction from the push to change the credit bureau business model -- for example, by requiring consumers to opt in to the collection of their personal data.

Crime

Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (bleepingcomputer.com) 212

An anonymous reader writes: "VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man who hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...

FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."

Google

Google Accused of Racketeering. Lawsuit Claims 'Pattern' Of Trade Secret Thefts (mercurynews.com) 153

schwit1 quotes the Mercury News: In an explosive new allegation, a renowned architect has accused Google of racketeering, saying in a lawsuit the company has a pattern of stealing trade secrets from people it first invites to collaborate. Architect Eli Attia spent 50 years developing what his lawsuit calls "game-changing new technology" for building construction. Google in 2010 struck a deal to work with him on commercializing it as software, and Attia moved with his family from New York to Palo Alto to focus on the initiative, code-named "Project Genie." The project was undertaken in Google's secretive "Google X" unit for experimental "moonshots."

But then Google and its co-founders Larry Page and Sergey Brin "plotted to squeeze Attia out of the project" and pretended to kill it but used Attia's technology to "surreptitiously" spin off Project Genie into a new company, according to the lawsuit... This week, a judge in Santa Clara County Superior Court approved the addition of racketeering claims to the lawsuit originally filed in 2014. Attia's legal team uncovered six other incidents in which Google had engaged in a "substantially similar fact pattern of misappropriation of trade secrets" from other people or companies, according to a July 25 legal filing from Attia.

Wired reported yesterday that Project Loon -- also a Google X project -- "is embroiled in a lawsuit with Space Data, a small company accusing Alphabet of patent infringement, misappropriation of trade secrets, and breach of contract following a failed acquisition bid."

The lawyer for the racketeering suit complains Google can deploy a "virtually unlimited budget to fight these things in court."

Security

HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) 121

"A Russian defense agency was allowed to review the cyberdefense software used by the Pentagon to protect its computer networks," writes new submitter quonset. "This according to Russian regulatory records and interviews with people with direct knowledge of the issue." Reuters reports: The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of Hewlett Packard Enterprise's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman. Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack. "It's a huge security vulnerability," said Greg Martin, a former security architect for ArcSight. "You are definitely giving inner access and potential exploits to an adversary."

It's another example of the problems security companies face when they try to do business internationally, according to Reuters. "One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software."

Long-time Slashdot reader bbsguru has his own worries. "So, opening your code for review because it is demanded by a potential customer? What could possibly go wrong? HPE may find out, and the U.S. Military is among the many clients depending on the answer."

Bitcoin

Bitcoin Transactions Lead To Arrest of Major Drug Dealer (techspot.com) 169

"Drug dealer caught because of BitCoin usage," writes Slashdot reader DogDude. TechSpot reports: 38-year-old French national Gal Vallerius stands accused of acting as an administrator, senior moderator, and vendor for dark web marketplace Dream Market, where visitors can purchase anything from heroin to stolen financial data. Upon arriving at Atlanta international airport on August 31, Vallerius was arrested and his laptop searched. U.S. Drug Enforcement Administration agents allegedly discovered $500,000 of Bitcoin and Bitcoin cash on the computer, as well as a Tor installation and a PGP encryption key for someone called OxyMonster...

In addition to his role with the site, agents had identified OxyMonster as a major seller of Oxycontin and crystal meth. "OxyMonster's vendor profile featured listings for Schedule II controlled substances Oxycontin and Ritalin," testified DEA agent Austin Love. "His profile listed 60 prior sales and five-star reviews from buyers. In addition, his profile stated that he ships from France to anywhere in Europe." Investigators discovered OxyMonster's real identity by tracing outgoing Bitcoin transactions from his tip jar to wallets registered to Vallerius. Agents then checked his Twitter and Instagram accounts, where they found many writing similarities, including regular use of quotation marks, double exclamation marks, and the word "cheers," as well as intermittent French posts. The evidence led to a warrant being issued for Vallerius' arrest.

U.S. investigators had been monitoring the site for nearly two years, but got their break when Vallerius flew to the U.S. for a beard-growing competition in Austin, Texas. He now faces a life sentence for conspiracy to distribute controlled substances.

Government

White House Chief of Staff's Phone Was Reportedly Hacked Months Ago (reuters.com) 138

93 Escort Wagon writes: The personal cellphone belonging to Trump's Chief of Staff, John Kelly, may have been compromised, Reuters reports in a story originating from Politico. This may have happened as early as last December. The issue was discovered when Kelly submitted the phone to the White House's tech support crew during the summer, complaining that the phone would not update correctly.

Security

Disqus Confirms Over 17.5 Million Email Addresses Were Stolen In 2012 Hack of Its Comments Tool (zdnet.com) 81

Disqus, a company that builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012. "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers," reports ZDNet. From the report: Some of the exposed user information dates back to 2007. Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google. The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach. The company said in a blog post, posted less than a day after Hunt's private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach. Users whose passwords were exposed will have their passwords force-reset. The company warned users who have used their Disqus password on other sites to change the password on those accounts.

AT&T

Sprint, T-Mobile Could Announce a Merger By Month's End (androidpolice.com) 47

Last month, it was reported that T-Mobile is close to agreeing tentative terms on a deal to merge with Sprint. Now, it appears that negotiations between the two companies are almost complete. Android Police reports: The report claims that Sprint and T-Mobile are putting the finishing touches on the merger, which will likely be announced at the quarterly earnings report at the end of this month. Some of the current discussion topics include Sprint's valuation (estimated to be around $29 billion), the location of the combined company's headquarters, and appointments to the executive management team. The merger is not expected to include a breakup/termination fee, meaning if one company backed out of the deal, there would be no financial penalty. This would align both companies to lobby government regulators for approval without any conflicts of interest. After AT&T called off its buyout of T-Mobile in 2011 due to government opposition, the company paid a $4 billion breakup fee to T-Mobile, which helped strengthen T-Mobile as a competitor. The report notes that while T-Mobile and Sprint's quarterly earnings reports have not been set, T-Mobile's was on October 24 last year, and Sprint's was the next day.

America Online

Regulate Facebook Like AIM (vice.com) 105

New submitter gooddogsgotoheaven shares a report from Motherboard arguing why the U.S. government should regulate Facebook like AIM: Sixteen years ago, the FCC approved a merger between America Online and Time Warner, but with several conditions. As part of the deal, AOL was required to make its web portal compatible with other chat apps. The government stopped AOL from building a closed system where everyone had to use AIM, meaning it had to adopt interoperability -- the ability to be compatible with other computer systems. The FCC required AOL to be compatible with at least one instant messaging rival immediately after the merger went through. Within six months, the FCC required AOL to make its portal compatible with at least two other rivals, or face penalties. The FCC's decision changed how we communicate with each other on the internet. By forcing AIM to make room for competition, a range of messaging apps and services, as well as social networks, emerged. Instead of being limited to AIM, people who used AOL's portal could choose other platforms.

If Facebook were forced to make room for other services on its platform in the same way AOL made room for other chat apps, new services could emerge. "Facebook has to allow people to access their relationships however they want through other businesses or tools that are not controlled by Facebook," Matt Stoller, a fellow at the Open Markets Institute, said. "Having them control and mediate the structure of those relationships -- that's not right." Of course, people can opt out of Facebook and choose to use other, smaller social networks. But those businesses are essentially unable to thrive because of the hold Facebook has on how we communicate online. All our friends and family are already on Facebook, and because the platform is not regulated to allow competition, it's incredibly difficult for other, newer ones to emerge.

United States

US Jobs Dropped By 33,000 In September, Likely Due To Storms (npr.org) 128

An anonymous reader shares an NPR report: The U.S. economy shed 33,000 jobs in September, according to the latest report from the Bureau of Labor Statistics, while unemployment fell to 4.2 percent. The September payrolls drop broke a nearly 7-year streak of continuous job gains. But economists caution that the drop likely represents the short-term consequences of bad weather, not a long-term shift in the job market. Before this report, the economy had added an average of about 175,000 jobs per month; the unemployment rate has been at 4.3 or 4.4 percent since April. Job growth in September was expected to be lower than usual because of the effects of several devastating hurricanes. Economists did not generally predict an actual decline, but a not-so-stellar report was widely anticipated.

Moon

Vice President Pence Vows US Astronauts Will Return To the Moon (engadget.com) 226

Before astronauts go to Mars, they will return to the Moon, Vice President Mike Pence said in a Wall Street Journal op-ed yesterday and in a speech at the National Air and Space Museum today. He touts "human exploration and discovery" as the new focus of America's space program. This "means establishing a renewed American presence on the moon, a vital strategic goal. And from the foundation of the moon, America will be the first nation to bring mankind to Mars." Engadget reports: There have been two prevailing (and opposing) views when it comes to U.S. endeavors in human spaceflight. One camp maintains that returning to the moon is a mistake. NASA has already been there; it should work hard and set our sights on Mars and beyond. The other feels that Mars is too much of a reach, and that the moon will be easier to achieve in a short time frame. Mars may be a medium-to-long-term goal, but NASA should use the moon as a jumping-off point. It's not surprising that the Trump administration is valuing short-term gains over a longer, more ambitious project. The U.S. will get to Mars eventually, according to Pence, but the moon is where the current focus lies.

Businesses

Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say (gizmodo.com) 91

To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."

AI

Toymaker Mattel Cancels AI Babysitter After Privacy Complaints (theverge.com) 45

An anonymous reader shares a report: Toymaker Mattel has shelved plans to build an "all-in-one voice-controlled smart baby monitor," after complaints about the device were raised by privacy advocates and child psychologists. According to a report from The Washington Post, the company said in a statement that the device, named Aristotle, did not "fully align with Mattel's new technology strategy" and would not be "[brought] to the marketplace." Aristotle was unveiled back in January this year by Mattel's Nabi brand. It combined the smart speaker and digital assistant functionality of Amazon's Echo with a connected camera that acted as a baby monitor. But the Aristotle was intended to be a much more active presence in children's lives than an Echo speaker, with Mattel claiming it would read them bedtime stories, soothe them if they cried in the night, and even teach them their ABCs. A petition asking Mattel not to release the Aristotle gained more than 15,000 signatories.

Government

Russian Hackers Exploited Kaspersky Antivirus To Steal NSA Data on US Cyber Defense: WSJ (wsj.com) 223

An NSA contractor brought home highly classified documents that detailed how the U.S. penetrates foreign computer networks and defends against cyberattacks. The contractor used Kaspersky antivirus on his home computer, which hackers working for the Russian government exploited to steal the documents, the WSJ reported on Thursday (the link could be paywalled; alternative source), citing multiple people with knowledge of the matter. From the report: The hackers appear to have targeted the contractor after identifying the files through the contractor's use of popular antivirus software made by Russia-based Kaspersky Lab, these people said. The theft, which hasn't been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S. The incident occurred in 2015 but wasn't discovered until spring of last year, said the people familiar with the matter. Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said. Ahead of the publication of the WSJ report, Kaspersky founder Eugene Kaspersky tweeted, "New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyberthreats."

AI

Mattel's New Baby Monitor Uses AI To Soothe Babies and Lawmakers Aren't Happy About It (washingtonpost.com) 131

Mattel has a new kid-focused smart hub called Aristotle, which can switch on a night light if it hears a baby crying to soothe the child (Warning: source may be paywalled; alternative source). The device is also designed to keep changing its activities, even to the point where it can help a preteen with homework, learning about the child along the way. Given the privacy concerns, lawmakers are worried that the always-on device could build an "in-depth profile of children and their family." Jezebel reports: The $299 Aristotle is similar in spirit to the Amazon Echo, only the scope of its features is much broader -- and scarier. Last week, Senator Ed Markey and Representative Joe Barton sent a letter to Mattel CEO Margaret Georgiadis about their issues with the tablet, which tracks things like kids' eating and sleeping habits when they're young, and adapts to answering their questions about long division and sex or whatever as they grow up. According to nabi, the Mattel brand that developed the device, the Aristotle is meant to "provide parents with a platform that simplifies parenting, while helping them nurture, teach, and protect their young ones." Not everyone is on board. But Markey and Barton aren't the only ones squicked by Aristotle's capabilities. Buzzfeed reports that privacy experts, parents and child psychologists are also concerned that the device "encourages babies to form bonds with inanimate objects and use information it collects for targeted advertising," so much so that a petition has been launched to prevent it from going to market.