Privacy

Facebook Admits SMS Notifications Sent Using Two-Factor Number Was Caused by Bug (theverge.com) 27

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.
The Internet

FreeBSD's New Code of Conduct (freebsd.org) 591

FreeBSD has a new code of conduct, which is making several people angry. From the blog post: This code of conduct applies to all spaces used by the FreeBSD Project, including our mailing lists, IRC channels, and social media, both online and off. Anyone who is found to violate this code of conduct may be sanctioned or expelled from FreeBSD Project controlled spaces at the discretion of the FreeBSD Code of Conduct Committee. Participants are responsible for knowing and abiding by these rules. Harassment includes but is not limited to: Comments that reinforce systemic oppression related to gender, gender identity and expression, sexual orientation, disability, mental illness, neurodiversity, physical appearance, body size, age, race, or religion. Unwelcome comments regarding a person's lifestyle choices and practices, including those related to food, health, parenting, drugs, and employment. Deliberate misgendering. Deliberate use of "dead" or rejected names. Gratuitous or off-topic sexual images or behaviour in spaces where they're not appropriate.

Physical contact and simulated physical contact (e.g., textual descriptions like "hug" or "backrub") without consent or after a request to stop. Threats of violence. Incitement of violence towards any individual, including encouraging a person to commit suicide or to engage in self-harm. Deliberate intimidation. Stalking or following. Harassing photography or recording, including logging online activity for harassment purposes. Sustained disruption of discussion. Unwelcome sexual attention. Pattern of inappropriate social contact, such as requesting/assuming inappropriate levels of intimacy with others. Continued one-on-one communication after requests to cease. Deliberate "outing" of any private aspect of a person's identity without their consent except as necessary to protect vulnerable people from intentional abuse. Publication of non-harassing private communication without consent. Publication of non-harassing private communication with consent but in a way that intentionally misrepresents the communication (e.g., removes context that changes the meaning). Knowingly making harmful false claims about a person.

Security

Phishing Attack Scores Credentials For More Than 50,000 Snapchat Users (theverge.com) 11

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.
Businesses

Labor Board Says Google Could Fire James Damore For Anti-Diversity Memo (theverge.com) 562

According to a recently disclosed letter from the U.S. National Labor Relations Board, Google didn't violate labor laws by firing engineer James Damore for a memo criticizing the company's diversity program. "The lightly redacted statement is written by Jayme Sophir, associate general counsel of the NLRB's division of advice; it dates to January, but was released yesterday, according to Law.com," reports The Verge. "Sophir concludes that while some parts of Damore's memo were legally protected by workplace regulations, 'the statements regarding biological differences between the sexes were so harmful, discriminatory, and disruptive as to be unprotected.'" From the report: Damore filed an NLRB complaint in August of 2017, after being fired for internally circulating a memo opposing Google's diversity efforts. Sophir recommends dismissing the case; Bloomberg reports that Damore withdrew it in January, and that his lawyer says he's focusing on a separate lawsuit alleging discrimination against conservative white men at Google. NLRB records state that its case was closed on January 19th. In her analysis, Sophir writes that employers should be given "particular deference" in trying to enforce anti-discrimination and anti-harassment policies, since these are tied to legal requirements. And employers have "a strong interest in promoting diversity" and cooperation across different groups of people. Because of this, "employers must be permitted to 'nip in the bud' the kinds of employee conduct that could lead to a 'hostile workplace,'" she writes. "Where an employee's conduct significantly disrupts work processes, creates a hostile work environment, or constitutes racial or sexual discrimination or harassment, the Board has found it unprotected even if it involves concerted activities regarding working conditions."
The Courts

Judge Won't Let FCC's Net Neutrality Repeal Stop Lawsuit Alleging Charter Throttled Netflix (hollywoodreporter.com) 33

An anonymous reader quotes a report from The Hollywood Reporter: [I]n the first significant decision referring to the repeal [of net neutrality] since FCC chairman Ajit Pai got his way, a New York judge on Friday ruled that the rescinding of net neutrality rules wasn't relevant to an ongoing lawsuit against Charter Communications. New York Attorney General Eric Schneiderman filed the lawsuit almost exactly a year ago today. It's alleged that Charter's Spectrum-TWC service promised internet speeds it knew it couldn't deliver and that Spectrum-TWC also misled subscribers by promising reliable access to Netflix, online content and online games. According to the complaint, the ISP intentionally failed to deliver reliable service in a bid to extract fees from backbone and content providers. When Netflix wouldn't pay, this "resulted in subscribers getting poorer quality streams during the very hours when they were most likely to access Netflix," and after Netflix agreed to pay demands, service "improved dramatically." This arguably is the kind of thing that net neutrality was supposed to prevent. And Charter itself pointed to the net neutrality repeal in a bid to block Schneiderman's claims that Charter had engaged in false advertising and deceptive business practices. New York Supreme Court Justice O. Peter Sherwood isn't sold.

He writes in an opinion that the FCC's order "which promulgates a new deregulatory policy effectively undoing network neutrality, includes no language purporting to create, extend or modify the preemptive reach of the Transparency Rule," referring to how ISPs have to disclose "actual network performance." And although Charter attempted to argue that the FCC clarified its intent to stop state and local governments from imposing disclosure obligations on broadband providers that were inconsistent with FCC's rules, Sherwood notes other language from the "Restoring Internet Freedom Order" how states will "continue to play their vital role in protecting consumers from fraud, enforcing fair business practices... and generally responding to consumer inquiries and complaints."

Government

Facebook Must Stop Tracking Belgian Users, Court Rules (mercurynews.com) 83

Facebook must stop tracking Belgian users' surfing outside the social network and delete data it's already gathered, or it will face fines of 250,000 euros ($312,000) a day, a Belgian court ruled. From a report: Facebook "doesn't sufficiently inform" clients about the data it gathers on their broader web use, nor does it explain what it does with the information or say how long it stores it, the Brussels Court of First Instance said in a statement. The social network is coming under increasing fire in Europe, with a high-profile German antitrust probe examining whether it unfairly compels users to sign up to restrictive privacy terms. Belgium's data-protection regulators have targeted the company since at least 2015, when a court ordered it to stop storing non-users' personal data.
Intel

Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com) 94

Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
Encryption

Two Years After FBI vs Apple, Encryption Debate Remains (axios.com) 169

It's been two years since the FBI and Apple got into a giant fight over encryption following the San Bernardino shooting, when the government had the shooter's iPhone, but not the password needed to unlock it, so it asked Apple to create a way inside. What's most surprising is how little has changed since then. From a report: The encryption debate remains unsettled, with tech companies largely opposed and some law enforcement agencies still making the case to have a backdoor. The case for strong encryption: Those partial to the tech companies' arguments will note that cyberattacks and hacking incidents have become even more common, with encryption serving as a valuable way to protect individuals' personal information. The case for backdoors: Criminals are doing bad stuff and when devices are strongly encrypted they can do it in what amounts to the perfect dark alley, completely hidden from public view.
Twitter

Federal Judge Says Embedding a Tweet Can Be Copyright Infringement (eff.org) 144

An anonymous reader quotes a report from the Electronic Frontier Foundation: Rejecting years of settled precedent, a federal court in New York has ruled [PDF] that you could infringe copyright simply by embedding a tweet in a web page. Even worse, the logic of the ruling applies to all in-line linking, not just embedding tweets. If adopted by other courts, this legally and technically misguided decision would threaten millions of ordinary Internet users with infringement liability.

This case began when Justin Goldman accused online publications, including Breitbart, Time, Yahoo, Vox Media, and the Boston Globe, of copyright infringement for publishing articles that linked to a photo of NFL star Tom Brady. Goldman took the photo, someone else tweeted it, and the news organizations embedded a link to the tweet in their coverage (the photo was newsworthy because it showed Brady in the Hamptons while the Celtics were trying to recruit Kevin Durant). Goldman said those stories infringe his copyright.
"[W]hen defendants caused the embedded Tweets to appear on their websites, their actions violated plaintiff's exclusive display right; the fact that the image was hosted on a server owned and operated by an unrelated third party (Twitter) does not shield them from this result," Judge Katherine Forrest said.
Crime

Electronics-Recycling Innovator Faces Prison For Extending Computers' Lives 274

schwit1 shares a report from the Los Angeles Times: Prosecutors said 33-year-old [Eric Lundgren, an electronic-waste recycling innovator] ripped off Microsoft by manufacturing 28,000 counterfeit discs with the company's Windows operating system on them. He was convicted of conspiracy and copyright infringement, which brought a 15-month prison sentence and a $50,000 fine. In a rare move though, a federal appeals court has granted an emergency stay of the sentence, giving Lundgren another chance to make his argument that the whole thing was a misunderstanding. Lundgren does not deny that he made the discs or that he hoped to sell them. But he says this was no profit-making scheme. By his account, he just wanted to make it easier to extend the usefulness of secondhand computers -- keeping more of them out of the trash.

The case centers on "restore discs," which can be used only on computers that already have the licensed Windows software and can be downloaded free from the computer's manufacturer, in this case Dell. The discs are routinely provided to buyers of new computers to enable them to reinstall their operating systems if the computers' hardware fails or must be wiped clean. But they often are lost by the time used computers find their way to a refurbisher. Lundgren said he thought electronics companies wanted the reuse of computers to be difficult so that people would buy new ones. He thought that producing and selling restore discs to computer refurbishers -- saving them the hassle of downloading the software and burning new discs -- would encourage more secondhand sales. In his view, the new owners were entitled to the software, and this just made it easier. The government, and Microsoft, did not see it that way. Federal prosecutors in Florida obtained a 21-count indictment against Lundgren and his business partner, and Microsoft filed a letter seeking $420,000 in restitution for lost sales. Lundgren claims that the assistant U.S. attorney on the case told him, "Microsoft wants your head on a platter and I'm going to give it to them."
Media

FCC Chairman Ajit Pai Is Under Investigation Over $3.9 Billion Media Deal 140

According to a report in The New York Times (Warning: source may be paywalled), Ajit Pai and the FCC approved a set of rules in 2017 to allow television broadcasters to increase the number of stations they own. Weeks after the rules were approved, Sinclair Broadcasting announced a $3.9 billion deal to buy Tribune Media. PC Gamer reports: The deal was made possible by the new set of rules, which subsequently raised some eyebrows. Notably, the FCC's inspector general is reportedly investigating if Pai and his aides abused their position by pushing for the rule changes that would make the deal possible, and timing them to benefit Sinclair. The extent of the investigation is not clear, nor is how long it will take. However, it does bring up the question of whether Pai had coordinated with Sinclair, and it could force him to publicly address the topic, which he hasn't really done up to this point.

Legislators first pushed for an investigation into this matter last November. At the time, a spokesman for the FCC representing Pai called the allegations "baseless" and alluded to it being a partisan play by those who oppose the chairman. "For many years, Chairman Pai has called on the FCC to update its media ownership regulations," the FCC spokesman said. "The chairman is sticking to his long-held views, and given the strong case for modernizing these rules, it's not surprising that those who disagree with him would prefer to do whatever they can to distract from the merits of his proposals."
Communications

119,000 Passports, Photo IDs of FedEx Customers Found On Unsecured Amazon Server (gizmodo.com) 34

FedEx left scanned passports, driver's licenses, and other documentation belonging to thousands of its customers exposed in a publicly accessible Amazon S3 bucket, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversions, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, it's unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.
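The exposure above is the classic inherited-bucket problem: a store nobody remembers owning, reachable without credentials because its bucket policy or ACL grants read to everyone. The following is an added example, not code from Gizmodo, Kromtech or FedEx, that audits a bucket's policy document and ACL grant list offline for anonymous read access. The policy, the grants and the bucket name `example-scans` are constructed sample input in the shapes the S3 API returns; the function names are my own.

```python
import json
from typing import Iterable

# Constructed sample bucket policy (not any real configuration). The first
# statement hands s3:GetObject to any principal, which is what makes every
# object in the bucket readable without credentials.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-scans/*"},
        {"Sid": "OpsWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-scans/*"},
    ],
})

# Constructed policy with only the role-scoped statement, for comparison.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpsWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-scans/*"},
    ],
})

# Constructed ACL grants in the shape of the "Grants" list returned by
# get_bucket_acl(); the second grant makes the bucket listable by anyone.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Predefined groups that mean "anyone on the internet" (AllUsers) or
# "anyone with any AWS account at all" (AuthenticatedUsers).
ANON_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions (lower-cased) that allow reading object contents.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'*' and {'AWS': '*'} both mean any caller, unauthenticated included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that grant object read to everyone.

    Conditions (e.g. aws:SourceIp) are not evaluated: a public principal is
    reported as a finding for review even if a condition narrows it. Explicit
    Deny statements are likewise not folded in; this is a triage check, not a
    full IAM policy evaluator.
    """
    doc = json.loads(policy_json)
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(a in READ_ACTIONS for a in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(grants: Iterable[dict]) -> list:
    """Return the permissions granted to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in ANON_GROUPS]


def is_publicly_readable(policy_json: str, grants: Iterable[dict]) -> bool:
    """True if either the policy or the ACL exposes the bucket to anonymous reads."""
    if public_policy_statements(policy_json):
        return True
    return any(p in ("READ", "FULL_CONTROL") for p in public_acl_grants(grants))


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("anonymous ACL grants:", public_acl_grants(SAMPLE_GRANTS))
    print("publicly readable:", is_publicly_readable(SAMPLE_POLICY, SAMPLE_GRANTS))
```

In practice the two inputs come from `get_bucket_policy()` and `get_bucket_acl()` for every bucket in every account an acquisition brought in, and the fix for a finding is to remove the grant and turn on S3 Block Public Access at the account level so that no later policy edit can reopen it; the check above is only there to find the buckets that predate that control.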
Electronic Frontier Foundation

EFF Urges US Copyright Office To Reject Proactive 'Piracy' Filters (torrentfreak.com) 55

TorrentFreak: As entertainment companies and Internet services spar over the boundaries of copyright law, the EFF is urging the US Copyright Office to keep "copyright's safe harbors safe." In a petition just filed with the office, the EFF warns that innovation will be stymied if Congress goes ahead with a plan to introduce proactive 'piracy' filters at the expense of the DMCA's current safe harbor provisions. [...] "Major media and entertainment companies and their surrogates want Congress to replace today's DMCA with a new law that would require websites and Internet services to use automated filtering to enforce copyrights. "Systems like these, no matter how sophisticated, cannot accurately determine the copyright status of a work, nor whether a use is licensed, a fair use, or otherwise non-infringing. Simply put, automated filters censor lawful and important speech," the EFF warns.
United Kingdom

UK Blames Russia For Cyber Attack, Says Won't Tolerate Disruption (reuters.com) 142

Britain blamed Russia on Thursday for a cyber-attack last year, publicly pointing the finger at Moscow for spreading a virus which disrupted companies across Europe including UK-based Reckitt Benckiser. From a report: Russia denied the accusation, saying it was part of a "Russophobic" campaign it said was being waged by some Western countries. The so-called NotPetya attack in June started in Ukraine, where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices. Britain's foreign ministry said the attack originated from the Russian military. "The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," the ministry said in a statement. "The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt," it said.
Piracy

Tickbox Must Remove Pirate Streaming Add-ons From Sold Devices (torrentfreak.com) 70

TickBox TV, the company behind a Kodi-powered streaming device, must release a new software updater that will remove copyright-infringing addons from previously shipped devices. A California federal court issued an updated injunction in the lawsuit that was filed by several major Hollywood studios, Amazon, and Netflix, which will stay in place while both parties fight out their legal battle. TorrentFreak reports: Last year, the Alliance for Creativity and Entertainment (ACE), an anti-piracy partnership between Hollywood studios, Netflix, Amazon, and more than two dozen other companies, filed a lawsuit against the Georgia-based company Tickbox TV, which sells Kodi-powered set-top boxes that stream a variety of popular media. ACE sees these devices as nothing more than pirate tools, so the coalition asked the court for an injunction to prevent Tickbox from facilitating copyright infringement, demanding that it remove all pirate add-ons from previously sold devices. Last month, a California federal court issued an initial injunction, ordering Tickbox to keep pirate addons out of its box and halt all piracy-inducing advertisements going forward. In addition, the court directed both parties to come up with a proper solution for devices that were already sold.

The new injunction prevents Tickbox from linking to any "build," "theme," "app," or "addon" that can be indirectly used to transmit copyright-infringing material. Web browsers such as Internet Explorer, Google Chrome, Safari, and Firefox are specifically excluded. In addition, Tickbox must also release a new software updater that will remove any infringing software from previously sold devices. All tiles that link to copyright-infringing software from the box's home screen also have to be stripped. Going forward, only tiles to the Google Play Store or to Kodi within the Google Play Store are allowed. In addition, the agreement also allows ACE to report newly discovered infringing apps or addons to Tickbox, which the company will then have to remove within 24 hours, weekends excluded.