Microsoft

Security Analyst Concludes Windows 10 Enterprise 'Tracks Too Much' (xato.net) 75

A viral Twitter rant about Windows 10 Enterprise supposedly ignoring users' privacy settings has since been clarified. "I made mistakes on my original testing and therefore saw more connections than I should have," writes IT security analyst Mark Burnett, "including some to Google ads." But his qualified results -- quoted below -- are still critical of Microsoft:
  • You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline but break many things.
  • Settings can be set wrong if you aren't paying attention. Also, settings are not consistent and can be confusing to beginners.
  • You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience... But you can't completely opt-out. Windows still tracks too much.
  • Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff... I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

The Courts

The Lawyer Who Founded Prenda Law Just Got Disbarred (engadget.com) 50

Long-time Slashdot reader lactose99 writes: One of the original copyright trolls finally got their comeuppance. From TFA: "John L. Steele, a Chicago lawyer who pled guilty to perjury, fraud and money laundering resulting from alleged 'honeypot' schemes, has just been disbarred by an Illinois court." John L. Steele, as you may know, is one of the principals of Prenda Law, a notorious copyright troll who has been featured on /. several times. The article goes on to describe how the Prenda lawyers used honeypot-like tactics to trick people into downloads and then subsequently scammed them for copyright violations.
Their operation brought in $6 million in settlement fees, reports Engadget, adding "While it is illegal to download copyrighted files from file-sharing sites, it is also against the law to extort downloaders."
Government

Investigation Demanded Over Fake FCC Comments Submitted By Dead People (bbc.com) 115

An anonymous reader writes: Fight for the Future has found another issue with the fake comments submitted to the FCC opposing net neutrality. "The campaign group says that some of the comments were posted using the names and details of dead people," according to the BBC. The exact same comment was also submitted more than 7,000 times using addresses in Colorado, where a reporter discovered that contacting the people at those addresses drew reactions which included "I have never seen this before in my life" and "No, I did not post this comment. In fact, I disagree with this comment." Fight for the Future also knocked on doors in Tampa, Florida, where the few people who answered "were shocked to hear that their name and address were publicly listed alongside a political message they did not necessarily understand or agree with." An alleged commenter in Montana told a reporter she didn't even know what net neutrality was.

14 people have already signed Fight for the Future's official complaint to the FCC, which calls for notification of all people affected, an investigation, and the immediate removal of all fake comments from the public docket. "Based on numerous media reports, nearly half a million Americans may have been impacted by whoever impersonated us," states the letter, "in a dishonest and deceitful campaign to manufacture false support for your plan to repeal net neutrality protections."

Fight for the Future says they've already verified "dozens" of instance of real people discovering a fake comment was submitted in their name -- and that in addition, more than 2,400 people have already used their site to contact their state Attorneys General demanding an investigation. They note the FCC has taken no steps to remove the fake comments from its docket, "risking the safety and privacy of potentially hundreds of thousands of people," while a campaign director at Fight for the Future added, "For the FCC's process to have any legitimacy, they simply cannot move forward until an investigation has been conducted."
Republicans

Hackers Have Targeted Both the Trump Organization And Democrat Election Data (arstechnica.com) 209

An anonymous reader writes: Two recent news stories give new prominence to politically-motivated data breaches. Friday the Wall Street Journal reported that last year Guccifer 2.0 sent 2.5 gigabytes of Democratic Congressional Campaign Committee election data to a Republican operative in Florida, including their critical voter turnout projections. At the same time ABC News is reporting that the FBI is investigating "an attempted overseas cyberattack against the Trump Organization," adding that such an attack would make his network a high priority for government monitoring.

"In the course of its investigation," they add, "the FBI could get access to the Trump Organization's computer network, meaning FBI agents could possibly find records connected to other investigations." A senior FBI official (now retired) concedes to ABC that "There could be stuff in there that they [the Trump organization] do not want to become part of a separate criminal investigation."

It seems like everyone's talking about the privacy of their communications. Tonight the Washington Post writes that Trump's son-in-law/senior advisor Jared Kushner "discussed the possibility of setting up a secret and secure communications channel between Trump's transition team and the Kremlin, using Russian diplomatic facilities in an apparent move to shield their pre-inauguration discussions from monitoring, according to U.S. officials briefed on intelligence reports." And Friday Hillary Clinton was even quoted as saying, "I would have won had I not been subjected to the unprecedented attacks by Comey and the Russians..."
Encryption

10 Years Later: FileZilla Adds Support For Master Password That Encrypts Your Logins (bleepingcomputer.com) 77

An anonymous reader writes: "Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format," reports BleepingComputer. "This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here." By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text. The move is extremely surprising, at least for the FileZilla user base. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse. In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.
Facebook

Facebook Bans Sale of Piracy-Enabling Set-Top Boxes 60

Lirodon quotes a report from Variety: Facebook has joined the fight against illegal video-streaming devices. The social behemoth recently added a new category to products it prohibits users to sell under its commerce policy: Products or items that "facilitate or encourage unauthorized access to digital media." The change in Facebook's policy, previously reported by The Drum, appears primarily aimed at blocking the sale of Kodi-based devices loaded with software that allows unauthorized, free access to piracy-streaming services. Kodi is free, open-source media player software. The app has grown popular among pirates, who modify the code with third-party add-ons for illegal streaming. Even with the ban officially in place, numerous "jail-broken" Kodi-enabled devices remain listed in Facebook's Marketplace section, indicating that the company has yet to fully enforce the new ban. A Facebook rep confirmed the policy went into effect earlier this month. In addition, the company updated its advertising policy to explicitly ban ads for illegal streaming services and devices.
Bug

Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices 48

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.
Security

Chipotle Says 'Most' of Its Restaurants Were Infected With Credit Card Stealing Malware (theverge.com) 112

Earlier this year, Chipotle announced that the their payment processing system was hacked. Today, the company has released more information about the hack, identifying the malware that was responsible and releasing a new tool to help customers check whether the restaurant they visited was involved. The company did not say how many restaurants were affected, but it did tell The Verge that "most" locations nationwide may have been involved. The Verge reports: "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in a statement. "There is no indication that other customer information was affected." We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) Chipotle noted that not all locations have been identified, but it's a starting guide to check whether your visit lines up with the breached period.
Businesses

Sean Parker Is Going To Great Lengths To Ensure 'Screening Room' Is Piracy Free, Patents Reveal (torrentfreak.com) 136

Napster co-founder Sean Parker has been working on his new service called Screening Room, which when becomes reality, could allow people to watch the latest Hollywood blockbusters in their living room as soon as they premiere at the box office. This week we get a glimpse at the kind of technologies Parker is using to ensure that the movies don't get distributed easily. From a report: Over the past several weeks, Screening Room Media, Inc. has submitted no less than eight patent applications related to its plans, all with some sort of anti-piracy angle. For example, a patent titled "Presenting Sonic Signals to Prevent Digital Content Misuse" describes a technology where acoustic signals are regularly sent to mobile devices, to confirm that the user is near the set-top box and is authorized to play the content. Similarly, the "Monitoring Nearby Mobile Computing Devices to Prevent Digital Content Misuse" patent, describes a system that detects the number of mobile devices near the client-side device, to make sure that too many people aren't tuning in. The general technology outlined in the patents also includes forensic watermarking and a "P2P polluter." The watermarking technology can be used to detect when pirated content spreads outside of the protected network onto the public Internet. "At this point, the member's movie accessing system will be shut off and quarantined. If the abuse or illicit activity is confirmed, the member and the household will be banned from the content distribution network," the patent reads. [...] Screening Room's system also comes with a wide range of other anti-piracy scans built in. Among other things, it regularly scans the Wi-Fi network to see which devices are connected, and Bluetooth is used to check what other devices are near.
Businesses

Disney Chief Bob Iger Doesn't Believe Movie Hack Threat Was Real (hollywoodreporter.com) 27

You may remember Disney's boss revealing that hackers had threatened to leak one of the studio's new films unless it paid a ransom. Bob Iger didn't name the film, but it was thought to be "Pirates of the Caribbean: Dead Men Tell No Tales." But now Iger says: "To our knowledge we were not hacked." From a report: Disney chairman-CEO Bob Iger confirmed Thursday that a hacker claiming to have stolen an upcoming Disney movie and demanding a ransom didn't appear to have the goods. "To our knowledge we were not hacked," Iger told Yahoo Finance. "We had a threat of a hack of a movie being stolen. We decided to take it seriously but not react in the manner in which the person who was threatening us had required." Iger continued, "We don't believe that it was real and nothing has happened." On May 15, as first reported by The Hollywood Reporter, Iger told ABC employees at a town hall meeting in New York that someone claiming to have stolen an upcoming movie would release the film on the internet unless the company paid a ransom. Iger told staff that the studio wouldn't meet any such demands.
Government

Major US Tech Firms Press Congress For Internet Surveillance Reforms (reuters.com) 37

Dustin Volz, reporting for Reuters: Facebook, Amazon and more than two dozen other U.S. technology companies pressed Congress on Friday to make changes to a broad internet surveillance law, saying they were necessary to improve privacy protections and increase government transparency. The request marks the first significant public effort by Silicon Valley to wade into what is expected to be a contentious debate later the year over the Foreign Intelligence Surveillance Act, parts of which will expire on Dec. 31 unless Congress reauthorizes them. Of particular concern to the technology industry and privacy advocates is Section 702, which allows U.S. intelligence agencies to vacuum up vast amounts of communications from foreigners but also incidentally collects some data belonging to Americans that can be searched by analysts without a warrant.
Government

Proposed Active-Defense Bill Would Allow Destruction of Data, Use of Beacon Tech (onthewire.io) 68

Trailrunner7 quotes a report from On the Wire: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker's machine. The Active Cyber Defense Certainty Act, drafted by Rep. Tom Graves (R-Ga.) in March, is designed to enable people who have been targets of cybercrime to employ certain specific techniques to trace the attack and identify the attacker. The bill defines active cyber defense as "any measure -- (I) undertaken by, or at the direction of, a victim"; and "(II) consisting of accessing without authorization the computer of the attacker to the victim" own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network." After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker. "The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion," the bill says.
Privacy

83 Percent Of Security Staff Waste Time Fixing Other IT Problems (betanews.com) 205

An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.
Censorship

Egypt Blocks 21 Websites For 'Terrorism' And 'Fake News' (reuters.com) 54

Ahmed Aboulenein, reporting for Reuters: Egypt has banned 21 websites, including the main website of Qatar-based Al Jazeera television and prominent local independent news site Mada Masr, accusing them of supporting terrorism and spreading false news. The blockade is notable in scope and for being the first publicly recognized by the government. It was heavily criticized by journalists and rights groups. The state news agency announced it late on Wednesday. Individual websites had been inaccessible in the past but there was never any official admission. Reuters found the websites named by local media and were inaccessible. The move follows similar actions taken on Wednesday by Egypt's Gulf allies Saudi Arabia and the United Arab Emirates, which blocked Al Jazeera and other websites after a dispute with Qatar. From a separate report: "This is not the typical Egyptian regime attitude," Lina Attalah, the editor-in-chief of Mada Masr told BuzzFeed News in an interview in Cairo. "We are used to facing troubles with the regime since we have always chosen to write the stories they don't like to hear. We are used to being arrested or have cases filed against us, but blocking us is a new thing." Mada Masr, since its founding in 2013, has regularly published critical stories of the regime in both English and Arabic.
Government

US Intelligence Community Has Lost Credibility Due To Leaks (bloomberg.com) 338

Two anonymous readers and Mi share an article: U.K. police investigating the Manchester terror attack say they have stopped sharing information with the U.S. after a series of leaks that have so angered the British government that Prime Minister Therese May wants to discuss them with President Donald Trump during a North Atlantic Treaty Organization meeting in Brussels. What can Trump tell her, though? The leaks drive him nuts, too. Since the beginning of this century, the U.S. intelligence services and their clients have acted as if they wanted the world to know they couldn't guarantee the confidentiality of any information that falls into their hands. At this point, the culture of leaks is not just a menace to intelligence-sharing allies. It's a threat to the intelligence community's credibility. [...] If this history has taught the U.S. intelligence community anything, it's that leaking classified information isn't particularly dangerous and those who do it largely enjoy impunity. Manning spent seven years in prison (though she'd been sentenced to 35), but Snowden, Assange, Petraeus, the unknown Chinese mole, the people who stole the hacking tools and the army of recent anonymous leakers, many of whom probably still work for U.S. intelligence agencies, have escaped any kind of meaningful punishment. President Donald Trump has just now announced that the administration would "get to the bottom" of leaks. In a statement, he said: "The alleged leaks coming out of government agencies are deeply troubling. These leaks have been going on for a long time and my Administration will get to the bottom of this. The leaks of sensitive information pose a grave threat to our national security. I am asking the Department of Justice and other relevant agencies to launch a complete review of this matter, and if appropriate, the culprit should be prosecuted to the fullest extent of the law. There is no relationship we cherish more than the Special Relationship between the United States and the United Kingdom.

Slashdot Top Deals