wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. "The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."
An anonymous reader writes There's an independent agency within the U.S. government called the Privacy and Civil Liberties Oversight Board. Their job is to weigh the benefits of government actions — like stopping terrorist threats — against violations of citizens' rights that may result from those actions. As you might expect, the NSA scandal landed squarely in their laps, and they've compiled a report evaluating the surveillance methods. As the cynical among you might also expect, the Oversight Board gave the NSA a pass, saying that while their methods were "close to the line of constitutional reasonableness," they were used for good reason. In the completely non-binding 191-page report (PDF), they said, "With regard to the NSA's acquisition of 'about' communications [metadata], the Board concludes that the practice is largely an inevitable byproduct of the government's efforts to comprehensively acquire communications that are sent to or from its targets. Because of the manner in which the NSA conducts upstream collection, and the limits of its current technology, the NSA cannot completely eliminate 'about' communications from its collection without also eliminating a significant portion of the 'to/from' communications that it seeks."
the simurgh writes: As many who follow the Kim Dotcom saga know, New Zealand police seized his encrypted computer drives in 2012, copies of which were illegally passed to the FBI. Fast-forward to 2014: Dotcom wants access to the seized but encrypted content. A New Zealand judge has now ruled that even if the Megaupload founder supplies the passwords, the encryption keys cannot be forwarded to the FBI.
vortex2.71 (802986) writes Amazon is suing a former employee of its cloud services division after he took a similar position at Google. The interesting aspect of the lawsuit is that Google is choosing to vigorously defend the lawsuit, so this is a case of Goliath vs. Goliath rather than David vs. Goliath. According to court documents, Zoltan Szabadi left a business-development position at Amazon Web Services for Google's Cloud Platform division. Szabadi's lawyer responded by contending that, while Szabadi did sign a non-compete agreement, he would only use his general knowledge and skills at Google and would not use any confidential information he had access to at Amazon. He also believes Amazon's confidentiality and non-compete agreements are an unlawful business practice.
mrspoonsi (2955715) writes with this excerpt from the BBC: ISPs from the U.S., UK, Netherlands, and South Korea have joined forces with campaigners Privacy International to take GCHQ to task over alleged attacks on network infrastructure. It is the first time that GCHQ has faced such action. The ISPs claim that alleged network attacks, outlined in a series of articles in Der Spiegel and the Intercept, were illegal and "undermine the goodwill the organizations rely on." The complaint (PDF).
MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products: As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (GnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.
jones_supa writes: Russia's legislature, often accused of metaphorically turning back the clock, has decided to do it literally – abandoning the policy of keeping the country on daylight-saving time all year. The 2011 move to impose permanent "summer time" was one of the most memorable and least popular initiatives of Dmitry Medvedev's presidency. It forced tens of millions to travel to their jobs in pitch darkness during the winter. In the depths of December, the sun doesn't clear the horizon in Moscow until 10am. The State Duma, the lower house of parliament, voted 442-1 on Tuesday to return to standard time this autumn and stay there all year. The article also discusses a ban on swearing in books, plays, and films that went into effect today in Russia.
An anonymous reader writes: If you're involved in the free and open-source software movement — especially in the United States — you may want to read through this, as long as it may seem. It appears that the United States' Internal Revenue Service has strongly shifted its views of free and open-source software, and to the detriment of the movement, in my opinion. From the article: "The IRS reasons that since Yorba’s open source software may be used for any purpose, Yorba is not a charity. Consider all the for-profit and non-charitable ways the Apache server is used; I’d still argue Apache is a charitable organization. (What else could it be?) There’s a charitable organization here in San Francisco that plants trees throughout the city for the benefit of all. If one of their tree’s shade falls on a cafe table and cools the cafe’s patrons as they enjoy their espressos, does that mean the tree-planting organization is no longer a charity?"
McGruber (1417641) writes "In June 2013, Atlanta police arrested costumed street performer "Baton Bob" during the middle of a street performance after Baton Bob was allegedly involved in a verbal altercation with mall security guards. Now, a year later, Baton Bob has filed a federal lawsuit accusing Atlanta police of violating his constitutional rights, assault, discrimination, privacy violations and identity theft. Atlanta Police allegedly forced Baton Bob to make a pro-police statement on his Facebook page before officers would allow Bob to be released on bond. According to the lawsuit: "At approximately 3:40 p.m., while Plaintiff sat handcuffed and without an attorney, he was told to dictate a public statement to Officer Davis, who then typed and posted the message to the Baton Bob Facebook account. The message read: 'First of all, the atl police officer that responded to the incident thru security has been very respectful and gracious to me even in handcuffs. So, the situation escalated from a complaint from a security officer in the area and for some reason she rolled up on me like she didn't know who I was and like I had not been there before. For them to call police to come to intervene was not necessary. So, out of it, because of my fury, the Atlanta police officer did not understand the elements of the situation, so he was trying to do his job, respectfully and arrested my ass!!!!!!!!! I'll be out tomorrow so look out for my show at 14th and Peachtree. So now I'm waiting to be transported so I can sign my own bond and get the hell out of here. I want to verify, that the Atlanta police was respectful to me considering the circumstances. See you when I see you!!!!!!!!!!!!!!' As promised, Plaintiff was then given a signature bond and released from jail."
An anonymous reader writes In a post published Monday, Symantec writes that western countries including the U.S., Spain, France, Italy, Germany, Turkey, and Poland are currently the victims of an ongoing cyberespionage campaign. The group behind the operation, called Dragonfly by Symantec, originally targeted aviation and defense companies as early as 2011, but in early 2013, they shifted their focus to energy firms. They use a variety of malware tools, including remote access trojans (RATs) and operate during Eastern European business hours. Symantec compares them to Stuxnet except that "Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."
mrspoonsi (2955715) writes A court permitted the NSA to collect information about governments in 193 countries and foreign institutions like the World Bank, according to a secret document the Washington Post published Monday. The certification issued by a Foreign Intelligence Surveillance Court in 2010 shows the NSA has the authority to "intercept through U.S. companies not just the communications of its overseas targets, but any communications about its targets as well," according to the Post's report. Only four countries in the world — Britain, Canada, Australia and New Zealand — were exempt from the agreement, due to existing no-spying agreements that the Post highlights in this document about the group of countries, known as "Five Eyes" with the U.S.
An anonymous reader writes For some reason that escapes me, a Judge has granted Microsoft permission to hijack NoIP's DNS. This is necessary according to Microsoft to thwart a "global cybercrime epidemic" being perpetrated by infected machines running Microsoft software. No-IP is a provider of dynamic DNS services (among other things). Many legitimate users were affected by the takedown: "This morning, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives. ... We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening."
An anonymous reader writes "The U.S. Supreme Court declined to throw out a class-action lawsuit against Google for sniffing Wi-Fi networks with its Street View cars. The justices left intact a federal appeals court ruling that the U.S. Wiretap Act protects the privacy of information on unencrypted in-home Wi-Fi networks. Several class-action lawsuits were filed against Google shortly after the company acknowledged that its Street View cars were accessing email, web history and other data on unencrypted Wi-Fi networks. A Google spokesman said the company was disappointed that the Supreme Court had declined to hear the case."
An anonymous reader writes The Obama Administration is set to appoint Phil Johnson, a pharmaceutical industry executive, as the next Director of the United States Patent and Trademark Office, according to sources. The move is likely to anger patent reform advocates given Johnson's past efforts to block legislation aimed at reining in patent trolls, and in light of his positions that appear to contradict the White House's professed goal of fixing the patent system. The top job at the Patent Office has been vacant for around 18-months since the departure of previous director David Kappos in early 2013. Currently, the office is being managed by former Googler Michelle Lee, who was appointed deputy director in December. Earlier this month, Republican Senators led by Orrin Hatch (R-UT) sent a letter to President Obama that praised Lee but that also described the current USPTO management structure as "unfair, untenable and unacceptable for our country's intellectual property agency."
McGruber writes Atlanta Mayor Kasim Reed and New Orleans Mayor Mitch Landrieu agree: there will be a 15-round fight between Uber and the taxicab industry that currently enjoys regulatory capture, but after a long fight, Uber will win. Landrieu says: "It actually is going to be a 15 round fight. And it's going to take time to work out, hopefully sooner rather than later. But that debate will be held... But it is a forceful fight, and our city council is full of people on Uber's side, people on the cabs' side, and it's a battle." Mayor Reed of Atlanta also expressed how politically powerful the taxi cartels can be: "I tell you, Uber's worth more than Sony, but cab drivers can take you out. So you've got to [weigh that]. Get in a cab and they say, 'Well that mayor, he is sorry.' You come to visit Atlanta, they say, 'Well that Mayor Reed is as sorry as the day is long. Let me tell you how sorry he is while I drive you to your hotel. And I want you to know that crime is up.' This guy might knock you out. I want you to know it can get really real. It's not as easy as it looks."
theodp (442580) writes "The Internet's Own Boy, the documentary about the life and death of Aaron Swartz, was appropriately released on the net as well as in theaters this weekend, and is getting good reviews from critics and audiences. Which is kind of remarkable, since the Achilles' heel of this documentary, as critic Matt Pais notes in his review, is that "everyone on the other side of this story, from the government officials who advocated for Swartz's prosecution to Swartz's former Reddit colleagues to folks at MIT, declined participation in the film." Still, writer/director Brian Knappenberger manages to deliver a compelling story, combining interesting footage with interviews from Swartz's parents, brothers, girlfriends, and others from his Internet projects/activism who go through the stages of joy, grief, anger, and hope that one sees from loved ones at a wake. "This remains an important David vs. Goliath story," concludes Pais, "of a remarkable brain years ahead of his age with the courage and will to fight Congress, and a system built to impede, rather than encourage, progress and common sense. The Internet's Own Boy will upset you. As it should." And Quinn Norton, who inadvertently gave the film its title ("He was the Internet's own boy," Quinn said after Swartz's death, "and the old world killed him."), offers some words of advice for documentary viewers: "Your ass will be in a seat watching a movie. When it is done, get up, and do something.""
Ars Technica has spent some time with pre-production (but very nearly final) samples of the Blackphone, from Geeksphone and Silent Circle. They give it generally high marks; the hardware is mostly solid but not cutting edge, but the software it comes with distinguishes it from run-of-the-mill Android phones. Though it's based on Android, the PrivOS system in these phones offers fine-grained permissions, and other software included with the phone makes it more secure both if someone has physical access to the phone (by encrypting files, among other things) and if communications between this phone and another are being eavesdropped on. A small taste: At first startup, Blackphone’s configuration wizard walks through getting the phone configured and secured. After picking a language and setting a password or PIN to unlock the phone itself, the wizard presents the option of encrypting the phone’s stored data with another password. If you decline to encrypt the phone’s mini-SD storage during setup, you’ll get the opportunity later (and in the release candidate version of the PrivOS we used, the phone continued to remind me about that opportunity each time I logged into it until I did). PrivOS’ main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app’s access to the camera hardware and turn off the Browser app’s access to networks.
jfruh (300774) writes "California governor Jerry Brown has signed a law repealing Section 107 of California's Corporations Code, which prohibited companies or individuals from issuing money other than U.S. dollars. Before the law was repealed, not only bitcoin but everything from Amazon Coin to Starbucks Stars were technically illegal; the law was generally not enforced."
VentureBeat reports that the unofficial Google ambassador to the world has made another significant visit to a place where Internet access is either forbidden or impractical for most of the citizenry; hopefully it heralds change on that front. Continuing his tour of countries with authoritarian governments and less-than-favorable Internet access, Google Chairman Eric Schmidt made a secret visit to Cuba yesterday. The U.S. government has forbidden its citizens from traveling to Cuba or spending any money within the country since cold war tensions in the 1960s. Even though the cold war is over, the ban remains in effect, which is why Schmidt’s visit is significant. Unofficially (meaning not on behalf of his company), the powerful Googler has also made controversial visits to North Korea and Myanmar to promote Internet freedom, and has previously spoken out against online censorship happening in both China and India. Schmidt, says the article, "was joined by a crew of former Google employees as well as author Jared Cohen."
An anonymous reader writes The U.S. National Archives has revealed to Wikipedia newspaper The Signpost that it will be uploading all of its holdings to the Wikimedia Commons. Dominic McDevitt-Parks told the Signpost that "The records we have uploaded so far contain some of the most high-value holdings ... However, we are not limiting ourselves ... Our approach has always been simply to upload as much as possible ... to make them as widely accessible to the public as possible."