iPhone

'Dear Apple, The iPhone X and Face ID Are Orwellian and Creepy' (hackernoon.com) 279

Trent Lapinski from Hacker Noon writes an informal letter to Apple, asking "who the hell actually asked for Face ID?" and calling the iPhone X and new face-scanning security measure "Orwellian" and "creepy": For the company that famously used 1984 in its advertising to usher in a new era of personal computing, it is pretty ironic that 30+ years later they would announce technology that has the potential to eliminate global privacy. I've been waiting 10 years since the first iPhone was announced for a full-screen device that is both smaller in my hand but has a larger display and higher capacity battery. However, I do not want these features at the cost of my privacy, and the privacy of those around me. While the ease of use and user experience of Face ID is apparent, and I am not questioning that, the privacy concerns are paramount in today's world of consistent security breaches. Given what we know from Wikileaks Vault7 and the CIA / NSA capabilities to hijack any iPhone, including any sensor on the phone, the very thought of handing any government a facial ID system for them to hack into is a gift the world may never be able to return. Face ID will have lasting privacy implications from 2017 moving forward, and I'm pretty sure I am not alone in not wanting to participate.

The fact of the matter is the iPhone X does not need Face ID, Apple could have easily put a Touch ID sensor on the back of the phone for authentication (who doesn't place their finger on the back of their phone?). I mean imagine how cool it would be to put your finger on the Apple logo on the back of your iPhone for Touch ID? It would have been a highly marketable product feature that is equally as effective as Face ID without the escalating Orwellian privacy implications. [...] For Face ID to work, the iPhone X actively has to scan faces looking for its owner when locked. This means anyone within a several foot range of an iPhone X will get their face scanned by other people's phones and that's just creepy.

Privacy

DC Court Rules Tracking Phones Without a Warrant Is Unconstitutional (cbsnews.com) 63

An anonymous reader writes: Law enforcement use of one tracking tool, the cell-site simulator, to track a suspect's phone without a warrant violates the Constitution, the D.C. Court of Appeals said Thursday in a landmark ruling for privacy and Fourth Amendment rights as they pertain to policing tactics. The ruling could have broad implications for law enforcement's use of cell-site simulators, which local police and federal agencies can use to mimic a cell phone tower so that the phone connects to the device instead of its regular network. In a decision that reversed the decision of the Superior Court of the District of Columbia and overturned the conviction of a robbery and sexual assault suspect, the D.C. Court of Appeals determined the use of the cell-site simulator "to locate a person through his or her cellphone invades the person's actual, legitimate and reasonable expectation of privacy in his or her location information and is a search."
EU

EU Paid For Report That Said Piracy Isn't Harmful -- And Tried To Hide Findings (thenextweb.com) 107

According to the blog of Julia Reda, the only Pirate in the EU Parliament, the European Commission in 2014 paid the Dutch consulting firm Ecorys 360,000 euros (about $428,000) to research the effect piracy had on sales of copyrighted content. The final report was finished in May 2015, but was never published because the report concluded that piracy isn't harmful. The Next Web reports: The 300-page report seems to suggest that there's no evidence that supports the idea that piracy has a negative effect on sales of copyrighted content (with some exceptions for recently released blockbusters). The report states: "In general, the results do not show robust statistical evidence of displacement of sales by online copyright infringements. That does not necessarily mean that piracy has no effect but only that the statistical analysis does not prove with sufficient reliability that there is an effect. An exception is the displacement of recent top films. The results show a displacement rate of 40 per cent which means that for every ten recent top films watched illegally, four fewer films are consumed legally."

On her blog, Julia Reda says that a report like this is fundamental to discussions about copyright policies -- where the general assumption is usually that piracy has a negative effect on rightsholders' revenues. She also criticizes the Commission's reluctance to publish the report and says it probably wouldn't have released it for several more years if it wasn't for the access to documents request she filed in July.
As for why the Commission hadn't published the report earlier, Reda says: "all available evidence suggests that the Commission actively chose to ignore the study except for the part that suited their agenda: In an academic article published in 2016, two European Commission officials reported a link between lost sales for blockbusters and illegal downloads of those films. They failed to disclose, however, that the study this was based on also looked at music, ebooks and games, where it found no such connection. On the contrary, in the case of video games, the study found the opposite link, indicating a positive influence of illegal game downloads on legal sales. That demonstrates that the study wasn't forgotten by the Commission altogether..."
Encryption

Distrustful US Allies Force Spy Agency To Back Down In Encryption Fight (reuters.com) 80

schwit1 shares a report from Reuters: An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques -- those least likely to be vulnerable to hacks -- to address the concerns.
Security

Security Researchers Warn that Third-Party GO Keyboard App is Spying on Millions of Android Users (betanews.com) 64

An anonymous reader shares a report: Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code." Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information. Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.
Social Networks

Facebook Will Share Copies of Political Ads Purchased by Russian Sources With the US Congress (recode.net) 182

An anonymous reader shares a report: Facebook will turn over copies of political ads purchased by Russian sources to congressional lawmakers, who are investigating the country's potential interference in the 2016 U.S. presidential election. Initially, Facebook had only released those ads -- 3,000 of them, valued at about $100,000 -- to Robert Mueller, the former FBI director who is spearheading the government's probe into Russia's actions. Facebook had withheld those details from House and Senate leaders, citing privacy concerns. But the move drew sharp rebukes from the likes of Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, who has charged in recent days that Facebook may not have done enough to scan its systems for potential Russian influence and to ensure that such foreign purchases -- otherwise illegal under U.S. law -- don't happen again. "After an extensive legal and policy review, today we are announcing that we will also share these ads with congressional investigators," wrote Colin Stretch, the company's general counsel. "We believe it is vitally important that government authorities have the information they need to deliver to the public a full assessment of what happened in the 2016 election."
Businesses

Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com) 94

Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California, charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, and a judge has dismissed the FTC's case, finding that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."
The Almighty Buck

Bitcoin Futures-Based ETF Likely To Be Approved in the US (thestreet.com) 55

The race is on: who will be the first to launch a Bitcoin exchange-traded fund in the United States? From a report, shared by a reader: In Europe, there is already a Bitcoin exchange traded note (ETN) available to investors. In the U.S., it is widely anticipated a Bitcoin ETF will be approved by the U.S. Securities and Exchange Commission (SEC) very soon. In Europe, ETNs are designed to track the movement of Bitcoin against the U.S. dollar. The ETNs are Bitcoin Tracker One, which is traded in Swedish krona, and Bitcoin Tracker EURO, which is traded in euro. Both ETNs are issued by XBT Provider AB and traded on Nasdaq OMX (Stockholm). Dave Nadig, CEO of ETF.com and previously the director of ETFs at FactSet Research Systems, believes we can expect to see a Bitcoin futures-based ETF launched in the U.S. by the end of this year. "Yes, you can already trade a derivative in Europe, an exchange traded note which tracks Bitcoin," Nadig adds. "Then the race in the U.S. is the race to see what gets approval first. Will it be a Bitcoin future or a straight up Bitcoin holding ETF? My bet is that we will see Bitcoin futures approved fairly quickly."
Security

Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com) 153

An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handling the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
Businesses

Waymo Wants Uber to Pay $2.6 Billion Over Alleged Trade Secret Theft (reuters.com) 25

Alphabet's Waymo unit is seeking about $2.6 billion from Uber for the alleged theft of one of several trade secrets in a lawsuit over self-driving cars, a lawyer for Uber said on Wednesday. From a report: Uber attorney Bill Carmody disclosed the figure in a hearing in federal court in San Francisco, where both companies are discussing whether a trial in the case will begin next month. Waymo has asserted claims that Uber stole several of its trade secrets. The total amount of Waymo's damages request was not publicly disclosed at the hearing on Wednesday. Waymo claimed in a lawsuit earlier this year that former engineer Anthony Levandowski downloaded more than 14,000 confidential files before leaving to set up a self-driving truck company, which Uber acquired soon after.
Privacy

Popular Steam Extension 'Inventory Helper' Spies On Users, Says Report (windowsreport.com) 66

SmartAboutThings shares a report from Windows Report: If you installed the "Steam Inventory Helper" on your computer, you may want to uninstall it as soon as possible. Recent reports suggest that this extension used to buy and sell digital goods on Steam is spying on its users. Redditor Wartab made a thorough analysis of the tool and reached the following conclusions: The spyware code tracks your every move starting from the moment you visit a website until you leave. It also tracks where you are coming from on the site; Steam Inventory Helper tracks your clicks, including when you are moving your mouse and when you are having focus in an input; When you click a link, it sends the link URL to a background script; Fortunately, the code does not monitor what you type. Apparently, the purpose of this spyware is to collect data about gamers for promotional purposes.
Twitter

Twitter Suspends 300,000 Accounts Tied To Terrorism In 2017 (bloomberg.com) 69

According to a new transparency report, Twitter said it suspended nearly 300,000 accounts globally linked to terrorism in the first half of the year. The company is improving automation tools used to help block accounts that promote terrorism and violence. Bloomberg reports: Of [the nearly 300,000 accounts that were suspended], roughly 95 percent were identified by the company's spam-fighting automation tools. Meanwhile, the social network said government data requests continued to increase, and that it provided authorities with data on roughly 3,900 accounts from January to June. Twitter said about 75 percent of the blocked accounts this year were spotted before a single tweet was sent, and that 935,897 accounts had been suspended since August 2015, with two-thirds of those coming in the past year. American authorities made 2,111 requests to Twitter from January to June, the most of the 83 countries tracked by the company. Twitter supplied information on users in 77 percent of the inquiries. Japan made 1,384 requests and the U.K. issued 606 requests. Turkish authorities continued a trend of aggressively policing Twitter, making 554 requests for account data and issuing court orders to remove 715 pieces of content. Other governments made only 38 total content-removal requests.
Data Storage

Google, Bing, Yahoo Data Retention Doesn't Improve Search Quality, Study Claims (theregister.co.uk) 38

A new paper released on Monday via the National Bureau of Economic Research claims that retaining search log data doesn't do much for search quality. "Data retention has implications in the debate over Europe's right to be forgotten, the authors suggest, because retained data undermines that right," reports The Register. "It's also relevant to U.S. policy discussions about privacy regulations." From the report: To determine whether retention policies affected the accuracy of search results, Chiou and Tucker used data from metrics biz Hitwise to assess web traffic being driven by search sites. They looked at Microsoft Bing and Yahoo! Search during a period when Bing changed its search data retention period from 18 months to 6 months and when Yahoo! changed its retention period from 13 months to 3 months, as well as when Yahoo! had second thoughts and shifted to an 18-month retention period. According to Chiou and Tucker, data retention periods didn't affect the flow of traffic from search engines to downstream websites. "Our findings suggest that long periods of data storage do not confer advantages in search quality, which is an often-cited benefit of data retention by companies," their paper states. Chiou and Tucker observe that the supposed cost of privacy laws to consumers and to companies may be lower than perceived. They also contend that their findings weaken the claim that data retention affects search market dominance, which could make data retention less relevant in antitrust discussions of Google.
The Courts

Pepe the Frog's Creator Is Sending Takedown Notices To Far-Right Sites (vice.com) 331

An anonymous reader quotes a report from Motherboard: Pepe the Frog creator Matt Furie has made good on his threat to "aggressively enforce his intellectual property." The artist's lawyers have taken legal action against the alt-right. They have served cease and desist orders to several alt-right personalities and websites including Richard Spencer, Mike Cernovich, and the r/the_Donald subreddit. In addition, they have issued Digital Millennium Copyright Act takedown requests to Reddit and Amazon, notifying them that use of Pepe by the alt-right on their platforms is copyright infringement. The message to the alt-right is clear -- stop using Pepe the Frog or prepare for legal consequences. Furie originally created Pepe as a non-political character for his Boy's Club comic, but Pepe later became an internet meme and during the 2016 U.S. presidential election the alt-right movement appropriated the frog in various grotesque and hateful memes.
Electronic Frontier Foundation

EFF Resigns From Web Consortium In Wake of EME DRM Standardization (eff.org) 220

New submitter Frobnicator writes: Four years ago, the W3C began standardizing Encrypted Media Extensions, or EME. Several organizations, including the EFF, have argued against DRM within web browsers. Earlier this year, after the W3C leadership officially recommended EME despite failing to reach consensus, the EFF filed the first-ever official appeal that the decision be formally polled for consensus. That appeal has been denied, and for the first time the W3C is endorsing a standard against the consensus of its members.

In response, the EFF published their resignation from the body: "The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew -- and the large corporate members continued to reject any meaningful compromise -- the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. [...] Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. Effective today, EFF is resigning from the W3C."
Jeff Jaffe, CEO of W3C, said: "I know from my conversations that many people are not satisfied with the result. EME proponents wanted a faster decision with less drama. EME critics want a protective covenant. And there is reason to respect those who want a better result. But my personal reflection is that we took the appropriate time to have a respectful debate about a complex set of issues and provide a result that will improve the web for its users. My main hope, though, is that whatever point-of-view people have on the EME covenant issue, that they recognize the value of the W3C community and process in arriving at a decision for an inherently contentious issue. We are in our best light when we are facilitating the debate on important issues that face the web."
Privacy

In a 'Plot Twist', Wikileaks Releases Documents It Claims Detail Russia Mass Surveillance Apparatus (techcrunch.com) 166

WikiLeaks, believed by many to be a Kremlin front, surprised some observers Tuesday morning (Snowden called it a "plot twist") when it released documents linking a Russian tech company with access to thousands of citizens' telephone and internet communications with Moscow. From a report: Writing a summary of the cache of mostly Russian-language documents, Wikileaks claims they show how a long-established Russian company which supplies software to telcos is also installing infrastructure, under state mandate, that enables Russian state agencies to tap into, search and spy on citizens' digital activity -- suggesting a similar state-funded mass surveillance program to the one utilized by the U.S.'s NSA or by GCHQ in the U.K. (both of which were detailed in the 2013 Snowden disclosures). The documents which Wikileaks has published (there are just 34 "base documents" in this leak) relate to a St. Petersburg-based company, called Peter-Service, which it claims is a contractor for Russian state surveillance. The company was set up in 1992 to provide billing solutions before going on to become a major supplier of software to the mobile telecoms industry.
AI

AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org) 134

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Google

Jeweler Forged Judge's Signature To Force Google To Kill Negative Reviews (thedailybeast.com) 52

A sapphire salesman is facing jail time for forging a judge's signature in a case involving Google. Kelly Weill from The Daily Beast reports: Michael Arnstein is the third-generation owner of the Natural Sapphire Company, a Manhattan-based jewelry business. After a falling-out with a former business partner, Arnstein's company amassed dozens of negative reviews, which featured prominently in the Natural Sapphire Company's Google search results. Arnstein sued the former business partner in 2011, accusing him of writing defamatory negative reviews, and a judge ordered the partner to delete 54 of the negative comments. But some negative reviews remained, even after the court order. So Arnstein copied the judge's signature and forged new court orders of his own, demanding that Google scrub negative reviews from his company's search results, Arnstein admitted in a guilty plea on Friday.
Crime

Equifax Stock Sales Are the Focus of US Criminal Probe (bloomberg.com) 48

An anonymous reader quotes a report from Bloomberg: The U.S. Justice Department has opened a criminal investigation into whether top officials at Equifax Inc. violated insider trading laws when they sold stock before the company disclosed that it had been hacked, according to people familiar with the investigation. U.S. prosecutors in Atlanta, who the people said are looking into the share sales, said in a statement they are examining the breach and theft of people's personal information in conjunction with the Federal Bureau of Investigation. The Securities and Exchange Commission is working with prosecutors on the investigation into stock sales, according to another person familiar with the matter. Investigators are looking at the stock sales by Equifax's chief financial officer, John Gamble; its president of U.S. information solutions, Joseph Loughran; and its president of workforce solutions, Rodolfo Ploder, said two of the people, who asked not to be named because the probe is confidential. Equifax disclosed earlier this month that it discovered a security breach on July 29. The three executives sold shares worth almost $1.8 million in early August. The company has said the managers didn't know of the breach at the time they sold the shares. Regulatory filings don't show that the transactions were part of pre-scheduled trading plans.
IOS

Apple Officially Bans Scammy Antivirus Apps From iOS App Store (theverge.com) 51

Fake "virus scanning" apps have plagued the iOS App Store for a while, and Apple seems to finally be banning them once and for all in updated developer guidelines it published last week. From a report: The updated developer guidelines, compiled by Paul Hudson over at Hacking With Swift, now include a ban on apps "including content or services that it does not actually offer" -- which covers any iOS virus scanning app, since it isn't possible to scan for viruses on iOS with third-party apps: iOS's sandboxing prevents applications from directly interacting with each other or with the core of the iOS operating system.