Microsoft

Windows 10 Bundled a Password Manager with a Security Flaw (bleepingcomputer.com)

An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to the same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.

Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.

The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.

The Military

The US Military Admits It Spent $22 Million Investigating UFOs (boston.com)

Long-time Slashdot reader Joosy writes, "Until 2012 the Pentagon had a program, the 'Advanced Aerospace Threat Identification Program', that tracked unidentified flying objects." An anonymous reader writes: The Pentagon finally acknowledged the existence of the $22 million program today to the New York Times, while also claiming that they closed the program five years ago. "But its backers say that, while the Pentagon ended funding for the effort at that time, the program remains in existence. For the past five years, they say, officials with the program have continued to investigate episodes brought to them by service members, while also carrying out their other Defense Department duties."

Over the years the program "produced documents that describe sightings of aircraft that seemed to move at very high velocities with no visible signs of propulsion, or that hovered with no apparent means of lift. Officials with the program have also studied videos of encounters between unknown objects and U.S. military aircraft." But ultimately, a Pentagon spokesman said, "It was determined that there were other, higher priority issues that merited funding, and it was in the best interest of the DoD to make a change."

China

Facial Recognition Algorithms -- Plus 1.8 Billion Photos -- Lead to 567 Arrests in China (scmp.com)

"Our machines can very easily recognise you among at least 2 billion people in a matter of seconds," says the chief executive and co-founder of Yitu. The South China Morning Post reports: Yitu's Dragonfly Eye generic portrait platform already has 1.8 billion photographs to work with: those logged in the national database and you, if you have visited China recently... 320 million of the photos have come from China's borders, including ports and airports, where pictures are taken of everyone who enters and leaves the country. According to Yitu, its platform is also in service with more than 20 provincial public security departments, and is used as part of more than 150 municipal public security systems across the country, and Dragonfly Eye has already proved its worth. On its very first day of operation on the Shanghai Metro, in January, the system identified a wanted man when he entered a station. After matching his face against the database, Dragonfly Eye sent his photo to a policeman, who made an arrest. In the following three months, 567 suspected lawbreakers were caught on the city's underground network. The system has also been hooked up to security cameras at various events; at the Qingdao International Beer Festival, for example, 22 wanted people were apprehended.

Whole cities in which the algorithms are working say they have seen a decrease in crime. According to Yitu, which says it gets its figures directly from the local authorities, since the system has been implemented, pickpocketing on Xiamen's city buses has fallen by 30 per cent; 500 criminal cases have been resolved by AI in Suzhou since June 2015; and police arrested nine suspects identified by algorithms during the 2016 G20 summit in Hangzhou. Dragonfly Eye has even identified the skull of a victim five years after his murder, in Zhejiang province.

The company's CEO says it's impossible for police to patrol large cities like Shanghai (population: 24,000,000) without using technology.

And one Chinese bank is already testing facial-recognition algorithms hoping to develop ATMs that let customers withdraw money just by showing their faces.

The Courts

Here's the Letter Alleging Uber Spied on Individuals For Competitive Intelligence (recode.net)

The judge in the $1.9 billion civil suit between Google-parent company Alphabet's self-driving car unit Waymo and Uber released the letter of a disgruntled former employee -- former Uber security officer Richard Jacobs -- on Friday, laying bare a number of explosive allegations against the ride-hailing company that include corporate espionage, unlawful surveillance, illegal wiretapping, bribery of foreign officials, and illicit hacking. From a report: The letter read: "This program, formerly known as the Strategic Services Group, under Nick Gicinto, collected intelligence and conducted unauthorized surveillance, including unauthorized recording of private conversations against executives from competitor firms, such as DiDi Chuxing and against its own employees and contractors at the Autonomous Technologies Group in Pittsburgh." Jacobs testified in court and walked back some of the allegations made in the letter, which was written by his attorney, Clayton Halunen. Days later, Uber's new chief legal officer Tony West issued a directive to employees to stop surveilling individuals, which Recode first reported. In a separate note to staff Khosrowshahi (current CEO of Uber) said the letter detailed enough to "merit serious concern." While Jacobs, Padilla (Uber's general counsel) and other employees addressed some of the claims made within the letter -- confirming the use of Wickr for business-related communications -- the letter itself had not been made public before Friday evening. The document prepared by Jacobs' attorney also claimed Uber was using some of these surveillance tactics on Alphabet's self-driving arm, Waymo. However, during his testimony, Jacobs walked that allegation back.

Bitcoin

An Anonymous Bitcoin Millionaire Is Donating Their Fortune To Charities (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: Tis the season for giving, and one Bitcoin investor claims to be giving away the majority of their cryptocurrency holdings after experiencing an incredible year. The unnamed donor has set up a fund to hand out $86 million worth of Bitcoin to various charities, and they've already started listing the donations and providing receipts. If this whole thing works out, you can just call this mystery person the Bitcoin Bill Gates. So far, The Pineapple Fund claims to have distributed just over $6.5 million in Bitcoin between eight charities. Its website provides links to the blockchain transactions under the name of each charity. These transactions are in a public ledger, but the sender and recipient are only identified by a long string of digits. We contacted the Electronic Freedom Foundation to ask if the two transactions that were purportedly sent to the activist group were indeed legitimate. A spokesperson confirmed via email that the EFF has "been in touch with the Pineapple Fund and are in the process of receiving the donation." The anonymous founder writes: "Sometime around the early days of bitcoin, I saw the promise of decentralized money and decided to mine/buy/trade some magical internet tokens. The expectation-shattering returns of bitcoin over many years have led to an amount far more than I can spend. What do you do when you have more money than you can ever possibly spend? Donating most of it to charity is what I'm doing. For reference, The Pineapple Fund is bigger than the entire market cap of bitcoin when I got in, and one of the richest 250 bitcoin addresses today."

Mozilla

Mozilla Slipped a 'Mr. Robot'-Promo Plugin Into Firefox and Users Are Pissed (gizmodo.com)

MarcAuslander shares a report from Gizmodo: Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox -- and managed to piss off a bunch of its privacy-conscious users in the process. The extension, called Looking Glass, is intended to promote an augmented reality game to "further your immersion into the Mr. Robot universe," according to Mozilla. It was automatically added to Firefox users' browsers this week with no explanation except the cryptic message, "MY REALITY IS JUST DIFFERENT THAN YOURS," prompting users to worry on Reddit that they'd been hit with spyware. Without an explanation included with the extension, users were left digging around in the code for Looking Glass to find answers. Looking Glass was updated for some users today with a description that explains the connection to Mr. Robot and lets users know that the extension won't activate without explicit opt-in.

Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. "The Mr. Robot series centers around the theme of online privacy and security," the company said in an explanation of the mysterious extension. "One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy."

AT&T

ISPs Won't Promise To Treat All Traffic Equally After Net Neutrality (theverge.com)

An anonymous reader writes: The FCC voted to put an end to net neutrality, giving internet providers free rein to deliver service at their own discretion. There's really only one condition here: internet providers will have to disclose their policies regarding "network management practices, performance, and commercial terms." So if ISPs want to block websites, throttle your connection, or charge certain websites more, they'll have to admit it. We're still too far out to know exactly what disclosures all the big ISPs are going to make -- the rules (or lack thereof) don't actually go into effect for another few months -- but many internet providers have been making statements throughout the year about their stance on net neutrality, which ought to give some idea of where they'll land. We reached out to 10 big or notable ISPs to see what their stances are on three core tenets of net neutrality: no blocking, no throttling, and no paid prioritization. Not all of them answered, and the answers we did get are complicated. [The Verge reached out to Comcast, AT&T, Verizon, T-Mobile, Sprint, Charter (Spectrum), Cox, Altice USA (Optimum and SuddenLink), and Google Fi and Google Fiber.]

Many ISPs say they support some or all of these core rules, but there's a big caveat there: for six of the past seven years, there have been net neutrality rules in place at the FCC. That means all of the companies we checked with have had to abide by the no blocking, no throttling, and no paid prioritization rules. It means that they can say, and be mostly correct in saying, that they've long followed those rules. But it is, on some level, because they've had to. What actually matters is which policies ISPs say they'll keep in the future, and few are making commitments about that. In fact, all of the companies we contacted (with the exception of Google) have supported the FCC's plan to remove the current net neutrality rules. None of the ISPs we contacted will make a commitment -- or even a comment -- on paid fast lanes and prioritization. And this is really where we expect to see problems: ISPs likely won't go out and block large swaths of the web, but they may start to give subtle advantages to their own content and the content of their partners, slowly shaping who wins and loses online.
Comcast: Comcast says it currently doesn't block, throttle content, or offer paid fast lanes, but hasn't committed to not doing so in the future.
AT&T: AT&T has committed to not blocking or throttling websites in the future. However, its stance around fast lanes is unclear.
Verizon: Verizon indicates that, at least in the immediate future, it will not block legal content. As for throttling and fast lanes, the company has no stance, and even seems to be excited to use the absence of rules to its advantage.
T-Mobile: T-Mobile makes no commitments to not throttle content or offer paid fast lanes and is unclear on its commitment to not blocking sites and services. It's already involved in programs that advantage some services over others.
Sprint: Sprint makes no commitments on net neutrality, but suggests it doesn't have plans to offer a service that would block sites.
Charter (Spectrum): Charter doesn't make any guarantees, but the company indicates that it's currently committed to not blocking or throttling customers.
Cox: Cox says it won't block or throttle content, even without net neutrality. It won't make commitments on zero-rating or paid fast lanes.
Altice USA (Optimum and SuddenLink): Altice doesn't currently block or throttle and suggests it will keep those policies, though without an explicit commitment. The company doesn't comment on prioritizing one service over another.
Google Fi and Google Fiber: Google doesn't make any promises regarding throttling and paid prioritization. However, it is the only company to state that it believes paid prioritization would be harmful.

Bitcoin

Feds Moving Quickly To Cash in on Seized Bitcoin, Now Worth $8.4 Million (arstechnica.com)

A federal judge in Utah has agreed to let the US government sell off a seized cache of over 513 bitcoins (BTC) and 512 Bitcoin Cash (BCH). At current prices, that would yield approximately $8.4 million for the bitcoins and nearly $1 million for the BCH. From a report: In a court filing, prosecutors noted that due to the volatility of the Bitcoin market, both coins risk losing value. Both the BTC and the BCH have already been transferred to government-controlled wallets. The new round of seized digital currency belonged to a Utah man named Aaron Shamo, whom prosecutors say led a multimillion-dollar ring of counterfeit pharmaceuticals, including oxycodone and alprazolam that were sold on Dark Web marketplaces. Shamo was arrested over a year ago -- his trial has not yet been scheduled. On Tuesday, US District Judge Dale Kimball allowed the sale to proceed. Once sold, the money would go to an account held at the Treasury Executive Office for Asset Forfeiture.

Businesses

One of Australia's Richest Men Lost $1 Million To Email Scam (bloomberg.com)

Kaye Wiggins, reporting for Bloomberg: The multi-millionaire founder of Twynam Agricultural Group lost $1 million in an email fraud, a London court heard Thursday. The British man who facilitated the theft says he's a victim too. John Kahlbetzer, who is on the Forbes list of the 50 richest Australians, lost the money when fraudsters tricked the administrator of his personal finances into transferring it to them, his court papers say. Fraudsters emailed Christine Campbell, pretending to be the 87-year-old and asking her to pay $1 million to an account held by a British man, David Aldridge, which she did. Kahlbetzer is suing Aldridge to recover the funds, but Aldridge says he was being "unwittingly used" and was himself the victim of a fraud involving a woman he met online and believed he was in a loving relationship with. Email frauds where companies' staff are tricked into transferring money are a growing problem. U.S. Federal Bureau of Investigation statistics show "business email compromise" cases, where criminals ask company officials to transfer funds, have cost more than $3 billion since 2015.

Government

CIA Captured Putin's 'Specific Instructions' To Hack the 2016 Election, Says Report (thedailybeast.com)

An anonymous reader quotes a report from The Daily Beast: When Director of National Intelligence James R. Clapper Jr., CIA Director John Brennan and FBI Director James B. Comey all went to see Donald Trump together during the presidential transition, they told him conclusively that they had "captured Putin's specific instructions on the operation" to hack the 2016 presidential election, according to a report in The Washington Post. The intel bosses were worried that he would explode but Trump remained calm during the carefully choreographed meeting. "He was affable, courteous, complimentary," Clapper told the Post. Comey stayed behind afterward to tell the president-elect about the controversial Steele dossier, however, and that private meeting may have been responsible for the animosity that would eventually lead to Trump firing the director of the FBI.

Bitcoin

A Cryptocurrency Without a Blockchain Has Been Built To Outperform Bitcoin (technologyreview.com)

An anonymous reader quotes a report from MIT Technology Review: Bitcoin isn't the only cryptocurrency on a hot streak -- plenty of alternative currencies have enjoyed rallies alongside the Epic Bitcoin Bull Run of 2017. One of the most intriguing examples is also among the most obscure in the cryptocurrency world. Called IOTA, it has jumped in total value from just over $4 billion to more than $10 billion in a little over two weeks. But that isn't what makes it interesting. What makes it interesting is that it isn't based on a blockchain at all; it's something else entirely. The rally began in late November, after the IOTA Foundation, the German nonprofit behind the novel cryptocurrency, announced that it was teaming up with several major technology firms to develop a "decentralized data marketplace."

Though IOTA tokens can be used like any other cryptocurrency, the protocol was designed specifically for use on connected devices, says cofounder David Sonstebo. Organizations collect huge amounts of data from these gadgets, from weather tracking systems to sensors that monitor the performance of industrial machinery (a.k.a. the Internet of things). But nearly all of that information is wasted, sitting in siloed databases and not making money for its owners, says Sonstebo. IOTA's system can address this in two ways, he says. First, it can assure the integrity of this data by securing it in a tamper-proof decentralized ledger. Second, it enables fee-less transactions between the owners of the data and anyone who wants to buy it -- and there are plenty of companies that want to get their hands on data.
The report goes on to note that instead of using a blockchain, "IOTA uses a 'tangle,' which is based on a mathematical concept called a directed acyclic graph." The team decided to research this new alternative after deciding that blockchains are too costly. "Part of Sonstebo's issue with Bitcoin and other blockchain systems is that they rely on a distributed network of 'miners' to verify transactions," reports MIT Technology Review. "When a user issues a transaction [with IOTA], that individual also validates two randomly selected previous transactions, each of which refers to two other previous transactions, and so on. As new transactions mount, a 'tangled web of confirmation' grows, says Sonstebo."

Crime

DOJ Confirms Uber Is Being Investigated For Criminal Behavior (arstechnica.com)

A newly released letter from the Department of Justice has formally acknowledged that federal prosecutors have an open criminal investigation into Uber. Ars Technica reports: Late last month, as part of the proceedings in the high-profile and ongoing Waymo v. Uber trade secrets lawsuit, U.S. District Judge William Alsup said that on November 22 he had received a letter from San Francisco-based federal prosecutors. It is very unusual for a judge in a civil case to be apprised of a pending criminal investigation involving one of the litigants. In a separate November 28 letter sent to Judge Alsup, Acting U.S. Attorney Alex Tse asked that the first letter not be made public. The judge unsealed both letters on Wednesday. The first letter was signed by two prosecutors, Matthew Parrella and Amie Rooney. Those attorneys are assigned to the Computer Hacking and Intellectual Property (CHIP) Unit at the United States Attorney's Office in San Jose. [T]he letter could mean Uber and/or its current or former employees may be under investigation for possible crimes under the Computer Fraud and Abuse Act, a longstanding anti-hacking law.

The Internet

Lawmakers Are Fighting For Net Neutrality (theverge.com)

An anonymous reader quotes a report from The Verge: Lawmakers and public officials are responding to the FCC's decision to gut net neutrality with promises of action. In the hours following the FCC hearing, officials from around the country announced lawsuits and bills intended to counter the FCC's decision. In New York, Attorney General Eric Schneiderman said that he's leading a multi-state lawsuit to challenge the FCC's vote, though he didn't give further details on the suit or who would be joining him. Calling today's decision an "illegal rollback," he described it as giving "Big Telecom an early Christmas present."

Washington state Attorney General Bob Ferguson also announced he would sue alongside Schneiderman and other attorneys general across the country, saying that he held "a strong legal argument" and that it was likely the government had failed to follow the law with this vote. Other officials from Santa Clara, California, including county supervisor Joe Simitian, are also suing the FCC to block the decision. "We believe the depth of your ideas should outweigh the depths of your pockets," Simitian said at a press conference.

State Sen. Scott Wiener (D-CA) announced plans to introduce a bill to adopt net neutrality as a requirement in his state. He wrote in a Medium post, "If the FCC won't stand up for a free and open internet, California will."

Rep. Mike Coffman (R-CO) tweeted that he will be submitting net neutrality legislation, saying that this was a decision better left to Congress. Coffman was the first Republican to ask the FCC to delay the vote, citing "unanticipated negative consequences" on Tuesday.
Furthermore, Sen. Bernie Sanders (D-VT) and Sen. Brian Schatz (D-HI) are supporting Sen. Ed Markey's (D-MA) plan to introduce a Congressional Review Act resolution to undo the FCC vote. Even Rep. Marsha Blackburn (R-TN), who had previously announced on Twitter her support for Ajit Pai and the FCC, tweeted a video, saying, "We will codify the need for no blocking, no throttling, and making certain that we preserve that free and open internet." We're likely to see many others express their disappointment with the FCC's decision over the next few hours and days.

Security

Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com)

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

Electronic Frontier Foundation

EFF: Accessing Publicly Available Information On the Internet Is Not a Crime (eff.org)

An anonymous reader quotes a report from EFF: EFF is fighting another attempt by a giant corporation to take advantage of our poorly drafted federal computer crime statute for commercial advantage -- without any regard for the impact on the rest of us. This time the culprit is LinkedIn. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony "hacking" under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.

EFF, together with our friends DuckDuckGo and the Internet Archive, have urged the Ninth Circuit Court of Appeals to reject LinkedIn's request to transform the CFAA from a law meant to target "hacking" into a tool for enforcing its computer use policies. Using automated scripts to access publicly available data is not "hacking," and neither is violating a website's terms of use. LinkedIn would have the court believe that all "bots" are bad, but they're actually a common and necessary part of the Internet. "Good bots" were responsible for 23 percent of Web traffic in 2016. Using them to access publicly available information on the open Internet should not be punishable by years in federal prison. LinkedIn's position would undermine open access to information online, a hallmark of today's Internet, and threaten socially valuable bots that journalists, researchers, and Internet users around the world rely on every day -- all in the name of preserving LinkedIn's advantage over a competing service. The Ninth Circuit should make sure that doesn't happen.