The Internet

House Panel Wants Google, Facebook, AT&T CEOs To Testify On Internet Rules (reuters.com) 8

The chairman of the U.S. House Energy and Commerce Committee on Tuesday asked the chief executives of Alphabet, Facebook, Amazon.com, AT&T, Verizon Communications and other companies to testify at a Sept. 7 hearing on the future of net neutrality rules. From a report: The U.S. Federal Communications Commission is considering tossing out 2015 Obama administration net neutrality rules that reclassified internet service like a public utility. The rules bar providers from blocking, slowing or offering paid prioritization of websites. Many internet providers want Congress to step in and write permanent rules. Other chief executives asked to testify include the heads of Comcast, Netflix and Charter. Some companies including Facebook said they were reviewing the letter but none immediately said if they will testify.
Social Networks

It Looks Like Facebook Is Also Building a Smart Speaker With Touch Screen (techcrunch.com) 30

From a report: Facebook may launch its own smart home gadget to get you messaging more friends and looking at more photos. DigiTimes reports from Taiwan that Facebook is building a 15-inch touch screen smart speaker. Citing sources from the "upstream supply chain", Chinese iPhone manufacturer Pegatron is building the device for a Q1 2018 launch, with a small pilot run having already been produced. It's said to have been designed by Facebook secretive new hardware lab Building 8, using an LG in-cell touch screen with magnesium-aluminum-alloy chassis. While no further details are known about the speaker's functionality, it could potentially extend Facebook's feed of photos and videos plus its dominant messaging platform into the bedroom, living room, or kitchen.
Medicine

Global Network of Labs Will Test Security of Medical Devices (securityledger.com) 46

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit network of labs specifically designed for the needs of medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER) which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year including in the U.S. in states like New York to Indiana, Tennessee and California and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base its work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups including the UL 2900 and AAMI 80001 standards.

Democrats

Democrats Propose New Competition Laws That Would 'Break Up Big Companies If They're Hurting Consumers' (arstechnica.com) 278

An anonymous reader quotes a report from Ars Technica: Senate and House Democratic leaders today proposed new antitrust laws that could prevent many of the biggest mergers and break up monopolies in broadband and other industries. "Right now our antitrust laws are designed to allow huge corporations to merge, padding the pockets of investors but sending costs skyrocketing for everything from cable bills and airline tickets to food and health care," US Senate Minority Leader Chuck Schumer (D-NY) wrote in a New York Times opinion piece. "We are going to fight to allow regulators to break up big companies if they're hurting consumers and to make it harder for companies to merge if it reduces competition." The "Better Deal" unveiled by Schumer and House Democratic Leader Nancy Pelosi (D-Calif.) was described in several documents that can be found in an Axios story. The plan for "cracking down on corporate monopolies" lists five industries that Democrats say are in particular need of change, specifically airlines, cable and telecom, the beer industry, food, and eyeglasses. The Democrats' plan for lowering the cost of prescription drugs is detailed in a separate document. The Democrats didn't single out any internet providers that they want broken up, but they did say they want to stop AT&T's proposed $85.4 billion purchase of Time Warner: "Consolidation in the telecommunications is not just between cable or phone providers; increasingly, large firms are trying to buy up content providers. Currently, AT&T is trying to buy Time Warner. If AT&T succeeds in this deal, it will have more power to restrict the content access of its 135 million wireless and 25.5 million pay-TV subscribers. This will only enable the resulting behemoths to promote their own programming, unfairly discriminate against other distributors and their ability to offer highly desired content, and further restrict small businesses from successfully competing in the market."
Biotech

Wisconsin Company Will Let Employees Use Microchip Implants To Buy Snacks, Open Doors (theverge.com) 107

A Wisconsin company called Three Square Market will soon offer employees implantable chips to open doors, buy snacks, log in to computers, and use office equipment like copy machines. The chips use near field communication (NFC) technology and will be implanted between the thumb and forefinger of participating employees. According to The Verge, around 50 people are supposedly getting the optional implants. From the report: NFC chips are already used in a couple of workplaces in Europe; The Los Angeles Times reported on startup workspace Epicenter's chip program earlier this year. In the US, installing them is also a form of simple biohacking. They're essentially an extension of the chips you'd find in contactless smart cards or microchipped pets: passive devices that store very small amounts of information. A Swedish rail company also lets people use implants as a substitute for fare cards. 32M CEO Todd Westby is clearly trying to head off misunderstandings and paranoia by saying that they contain "no GPS tracking at all" -- because again, it's comparable to an office keycard here.
Privacy

Sweden Accidentally Leaks Personal Details of Nearly All Citizens (thehackernews.com) 224

An anonymous reader quotes a report from The Hacker News: Swedish media is reporting of a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizen, including fighter pilots of Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.

In 2015, the Swedish Transport Agency hand over IBM an IT maintenance contract to manage its databases and networks. However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs. The transport agency then emailed the entire database in messages to marketers that subscribe to it. And what's terrible is that the messages were sent in clear text. When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.

Wireless Networking

Ask Slashdot: How Can You Avoid Routers With Locked Firmware? 310

thejynxed writes: Awhile ago the FCC in the USA implemented a rule that required manufacturers to restrict end-users from tampering with the radio outputs on wi-fi routers. It was predicted that manufacturers would take the lazy way out by locking down the firmware/bootloaders of the routers entirely instead of partitioning off access to the radio transmit power and channel ranges. This has apparently proven to be the case, as even now routers that were previously marketed as "Open Source Ready" or "DD-WRT Compatible" are coming with locked firmware.

In my case, having noticed this trend, I purchased three routers from Belkin, Buffalo, and Netgear in Canada, the UK, and Germany respectively, instead of the USA, and the results: All three routers had locked firmware/bootloaders, with no downgrade rights and no way to install Tomato, DD-WRT, OpenWRT, etc. It seems the FCC rule is an example of the wide-reaching effect of US law on the products sold in other nations, etc. So, does anyone know a good source of unlocked routers or other technical information on how to bypass this ridiculous outcome of FCC over-reach and manufacturer laziness?

The FCC later specified that they were not trying to block Open Source firmware modifications -- so leave your best suggestions in the comments. How can you avoid routers with locked firmware?
United States

US Agency Revokes All State Discounts For Kaspersky Products (thebaltimorepost.com) 92

The U.S. General Services Administration has removed Kapersky Lab from its list of approved vendors for federal systems, which also eliminates the discounts it previously offered to state governments. Long-time Slashdot reader Rick Zeman writes: "The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
"The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity," the Post reports, adding that "the GSA's move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost."

The Post also quotes a cybersecurity expert at a prominent think tank -- the Center for Strategic and International Studies -- who believes that "it's difficult, if not impossible" for a company like Kaspersky to be headquartered in Moscow "if you don't cooperate with the government and the intelligence services."
Iphone

Apple Sued By State Farm Over Alleged iPhone Fire (cnet.com) 160

An anonymous reader quotes CNET: Insurer State Farm and one of its customers, Wisconsin resident Xai Thao, allege that one of Apple's older iPhones had a defective battery that led to a fire last year. A lawsuit filed on Thursday by both State Farm and Thao claims that her iPhone 4S "failed" and "started a fire at Thao's home." The lawsuit further claims that "preliminary investigations show evidence of a significant and localized heating event in the battery area of the iPhone." It also declares that there were "remnants of internal shorting, indicating that an internal failure of the iPhone's battery caused the fire"... The State Farm lawsuit says that Thao's iPhone was "in a defective and unreasonably dangerous condition" when she bought it in 2014. The suit is claiming in excess of $75,000 in damages.
United Kingdom

UK To Require Drone Registration And Safety Exams (bloomberg.com) 94

An anonymous reader quotes Bloomberg: Drones will have to be registered and their users required to pass safety tests under new rules to be announced by the U.K.'s Department for Transport... Registration will be mandated for owners of drones 250 grams (8.8 ounces) or larger after research found that drones as small as 400 grams (14 ounces) could damage the windscreens of helicopters. Other security measures like "geo-fencing" -- GPS-based technology programmed into drones to prevent them from flying into sensitive areas such as prisons and airports -- are also under consideration, according to a statement from the department.
The BBC points out that "There is no time frame or firm plans as to how the new rules will be enforced and the Department of Transport admitted that 'the nuts and bolts still have to be ironed out.'"

"The UK government says 22 incidents involving commercial airliners and drones were investigated between January and April of this year," adds TechRadar, "with police unable to trace the owners of the drones -- one of the reasons for the new legislation."
Microsoft

Microsoft Launches A Counterattack Against Russia's 'Fancy Bear' Hackers (thedailybeast.com) 95

Kevin Poulsen writes on the Daily Beast: It turns out Microsoft has something even more formidable than Moscow's malware: Lawyers. Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft's trademarks... Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear... Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like "livemicrosoft[.]net" or "rsshotmail[.]com" that Fancy Bear registers under aliases for about $10 each. Once under Microsoft's control, the domains get redirected from Russia's servers to the company's, cutting off the hackers from their victims, and giving Microsoft a omniscient view of that servers' network of automated spies. "In other words," Microsoft outside counsel Sten Jenson explained in a court filing last year, "any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server."
Businesses

Are Nondisparagement Agreements Silencing Employee Complaints? (cnbc.com) 183

cdreimer writes, "According to a report in the New York Times, 'nondisparagement agreements are increasingly included in employment contracts and legal settlements' to hide abuses that would otherwise be made public." The Times reports: Employment lawyers say nondisparagement agreements have helped enable a culture of secrecy. In particular, the tech start-up world has been roiled by accounts of workplace sexual harassment, and nondisparagement clauses have played a significant role in keeping those accusations secret... Nondisparagement clauses are not limited to legal settlements. They are increasingly found in standard employment contracts in many industries, sometimes in a simple offer letter that helps to create a blanket of silence around a company. Their use has become particularly widespread in tech employment contracts, from venture investment firms and start-ups to the biggest companies in Silicon Valley, including Google... Employees increasingly "have to give up their constitutional right to speak freely about their experiences if they want to be part of the work force," said Nancy E. Smith, a partner at the law firm Smith Mullin.
Three different tech industry employees told the Times "they are not allowed to acknowledge that the agreements even exist." And Google "declined to comment" for the article.
Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com) 203

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."
Facebook

Facebook Petitioned To Change License For ReactJS (github.com) 43

mpol writes: The Apache Software Foundation issued a notice last weekend indicating that it has added Facebook's BSD+Patents [ROCKSDB] license to its Category X list of disallowed licenses for Apache Project Management Committee members. This is the license that Facebook uses for most of its open source projects. The RocksDB software project from Facebook already changed its license to a dual Apache 2 and GPL 2. Users are now petitioning on GitHub to have Facebook change the license of React.JS as well.

React.JS is a well-known and often used JavaScript Framework for frontend development. It is licensed as BSD + Patents. If you use React.JS and agreed to its license, and you decide to sue Facebook for patent issues, you are no longer allowed to use React.JS or any Facebook software released under this license.

Piracy

Kodi Magazine 'Directs Readers To Pirate Content' (bbc.com) 48

An anonymous reader writes: A British magazine is directing readers to copyright-infringing software, the Federation Against Copyright Theft (Fact) has said. Kodi is a free, legal media player for computers -- but software add-ons can make it possible to download pirated content. The Complete Guide to Kodi magazine instructs readers on how to download such add-ons. Dennis Publishing has not yet responded to a BBC request for comment. The magazine is available at a number of retailers including WH Smith, Waterstones and Amazon. It was spotted on sale by cyber-security researcher Kevin Beaumont. It repeatedly warns readers of the dangers of accessing pirated content online, but one article lists a series of software packages alongside screenshots promoting "free TV", "popular albums" and "world sport". "Check before you stream and use them at your own risk," the guide says, before adding that readers should stay "on the right side of the law."

Slashdot Top Deals