aggregator

Will Tesla Update Bring Remote Access To Car Cameras?

Slashdot - Your Rights Online - 47 min 33 sec ago
"Tesla's Sentry Mode is about to bring things to a whole new level by enabling Tesla owners to remotely see what their cars can see through Autopilot cameras," claims Electrek — citing a Twitter user named green "who has been revealing new Tesla features found in software updates." "It's not certain when the live camera update would arrive, provided it's not scrapped," writes Engadget, adding "Elon Musk has been teasing a 'hot' holiday software release, but 'green' warned that it might not make that release..." Some background from Electrek: For a while now, Tesla has been talking about better integrating its Tesla Sentry Mode feature into its mobile app. Sentry Mode is an integrated surveillance system inside Tesla's vehicles using the Autopilot cameras around the car and it has been changing the game when it comes to vandalizing parked cars. On several occasions, Sentry Mode videos went viral, and the vandals turned themselves in after online pressure. In other cases, video evidence helped police identify and find the vandals. The feature was built on top of "TeslaCam," a previously released integrated dashcam system with similar capability as Sentry mode, but used when someone is inside the car. TeslaCam helped several Tesla owners with insurance claims by proving that they weren't at fault in some accidents captured by the integrated dashcam system. In order to activate the TeslaCam and Sentry Mode features, owners have to plug a storage device, thumb drive, or SSD inside their Tesla and activate the features in the settings... Tesla owners can already have an extensive look at the status of their vehicles, including the doors open or close, same for windows, charge port, and more. Now they are going to be able to see around their vehicles even if no Sentry Mode event has been activated. That's only if the update is actually released. How do Slashdot's readers feel about the possibility of this feature? 
Does the world change when Tesla owners can remotely access their cars' cameras?

Read more of this story at Slashdot.

What Happened After Silicon Valley Tried to Make Telecommuting Permanent

Slashdot - Your Rights Online - 7 hours 47 min ago
California's state air quality mandates require each region to have a feasible plan for a 19% reduction in emissions by 2035. But "after a barrage of criticism from Silicon Valley businesses and Bay Area mayors, Metropolitan Transportation Commission planners have backed off a requirement to have employees from big companies work from home three days a week," reports the Bay Area News Group. Instead a compromise plan approved unanimously by commissioners last week "calls for big companies to have 60% of their employees take sustainable commutes — by transit, bike or carpooling — by 2035." Lawmakers, mayors and the business community railed against the remote work mandate, saying it would undercut the Bay Area's economy and encourage large companies to re-locate to cheaper regions. Transit supporters said work-from-home requirements would cut train and bus use without clear proof it would reduce the mileage of vehicle trips and emissions. The new proposal calls for no more than 40 percent of a company's workforce to commute by auto on an average workday by 2035. Farms and employers with fewer than 50 workers would be exempt. The plan encourages companies to subsidize transit passes, bikes, on-site employee housing, and commuter shuttles, as well as helping workers afford housing in walkable, transit-rich communities. Many large tech companies like Google and Facebook already provide shuttles and subsidize transit for their workers. It also suggests companies discourage workers from single-vehicle commutes by reducing parking spaces and raising parking fees, compressing work schedules and eliminating personal desks in favor of shared work spaces. The new proposal was designed with input from state lawmakers, the mayors of San Francisco and San Jose, county supervisors, and officials from the tech industry and transit groups, MTC commissioner Nick Josefowitz said. "This is a much more effective policy," said Josefowitz, chief of policy at the regional think tank SPUR. 
"This is figuring out how to do it better with everybody at the table." Gwen Litvak of the business coalition Bay Area Council said the work-from-home mandate would have hurt urban centers and businesses. "The compromise will help revitalize downtowns, and gives business critical flexibility to have workers carpool, use public transit, ride bikes or walk, or even work remotely, but by their own choice," she said. San Jose Mayor Sam Liccardo said the revisions better reflect how his city is evolving — from a suburban, car-centric culture to a city focused on developing a dense commercial and residential core supported by a robust transit network... Liccardo said part of Silicon Valley's success springs from having talented employees working side-by-side, exchanging ideas and innovations. Remote work reduces some creative energy. "We cannot impose mandates that contradict the laws of human nature and the laws of creative industry," he said.


America's Top Court Strikes Down Covid-19 Restriction On Religious Groups

Slashdot - Your Rights Online - Sat, 2020-11-28 17:34
DevNull127 writes: Earlier this year the governor's order had "restricted the size of religious gatherings in certain areas of New York where infection rates were climbing," reports the New York Times. But Wednesday night (in a close 5 to 4 decision) America's highest court ruled against the governor — and in favor of two religious organizations challenging him. "[T]hey tell us without contradiction that they have complied with all public health guidance, have implemented additional precautionary measures, and have operated at 25% or 33% capacity for months without a single outbreak," the ruling points out. CNN notes that the court's majority believed that the governor's enjoined regulations were "'far more restrictive than any Covid-related regulations that have previously come before the court, much tighter than those adopted by many other jurisdictions hard hit by the pandemic, and far more severe than has been shown to be required to prevent the spread of the virus' at the religious services in question." The Times concludes that "If unconstrained religious observance and public safety were sometimes at odds, as the governor and other public officials maintained, the court ruled that religious freedom should win out." Jeffrey D. Sachs, a professor and director of the Center for Sustainable Development at Columbia University, argues the court's ruling "proved the dangers of scientifically illiterate judges overturning government decisions that were based on scientific evidence."


Chinese Police Have Seized $4.2 Billion Cryptos from PlusToken Ponzi Crackdown

Slashdot - Your Rights Online - Sat, 2020-11-28 14:30
Crypto assets worth more than $4.2 billion have been seized by Chinese police during the massive PlusToken Ponzi scheme crackdown, according to a new court ruling. From a report: In a November 19 judgment made public on Thursday, the Jiangsu Yancheng Intermediate People's Court has detailed the breakdown for the first time of all the crypto assets seized by Chinese police related to the PlusToken case. A total of 194,775 BTC, 833,083 ETH, 1.4 million LTC, 27.6 million EOS, 74,167 DASH, 487 million XRP, 6 billion DOGE, 79,581 BCH, and 213,724 USDT have been seized by Chinese law enforcement from seven convicts during the crackdown. These assets, at today's prices, are worth over $4.2 billion in total. As part of the ruling, the court said "the seized digital currencies will be processed pursuant to laws and the proceeds and gains will be forfeited to the national treasury." However, the Yancheng Intermediate People's Court doesn't elaborate on how much of the seized crypto assets have been or will be "processed" or via what method exactly. The PlusToken criminal case was initially ruled on September 22 by a lower-level district court in the city of Yancheng in China's Jiangsu province.


A Hacker is Selling Access To the Email Accounts of Hundreds of C-Level Executives

Slashdot - Your Rights Online - Sat, 2020-11-28 12:00
A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world. From a report: The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week. The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as: CEO, COO, CFO, CMO, CTO, President, VP, Exec Assistant, Finance Manager, Accountant, and Director. Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user's role.


Microsoft Productivity Score Feature Criticised as Workplace Surveillance

Slashdot - Your Rights Online - Thu, 2020-11-26 20:18
Microsoft has been criticised for enabling "workplace surveillance" after privacy campaigners warned that the company's "productivity score" feature allows managers to use Microsoft 365 to track their employees' activity at an individual level. From a report: The tools, first released in 2019, are designed to "provide you visibility into how your organisation works," according to a Microsoft blogpost, and aggregate information about everything from email use to network connectivity into a headline percentage for office productivity. But by default, reports also let managers drill down into data on individual employees, to find those who participate less in group chat conversations, send fewer emails, or fail to collaborate in shared documents. "This is so problematic at many levels," tweeted the Austrian researcher Wolfie Christl, who raised alarm about the feature. "Employers are increasingly exploiting metadata logged by software and devices for performance analytics and algorithmic control," Christl added. "MS is providing the tools for it. Practices we know from software development (and factories and call centres) are expanded to all white-collar work."


Cambridge University Says Darwin's Iconic Notebooks Were Stolen

Slashdot - Your Rights Online - Thu, 2020-11-26 15:00
An anonymous reader quotes a report from NBC News: Two notebooks written by the famed British naturalist Charles Darwin in 1837 and missing for years may have been stolen from the Cambridge University Library, according to curators who launched a public appeal Tuesday for information. The notebooks, estimated to be worth millions of dollars, include Darwin's celebrated "Tree of Life" sketch that the 19th-century scientist used to illustrate early ideas about evolution. Officials at the Cambridge University Library say the two notebooks have been missing since 2001, and it's now thought that they were stolen. "I am heartbroken that the location of these Darwin notebooks, including Darwin's iconic 'Tree of Life' drawing, is currently unknown, but we're determined to do everything possible to discover what happened and will leave no stone unturned during this process," Jessica Gardner, the university librarian and director of library services, said in a statement. The lost manuscripts were initially thought to have been misplaced in the university's enormous archives, which house roughly 10 million books, maps and other objects. But an exhaustive search initiated at the start of 2020 -- the "largest search in the library's history," according to Gardner -- failed to turn up the notebooks and they are now being reported as stolen. Cambridge University officials said a police investigation is underway and the notebooks have been added to Interpol's database of stolen artworks.


hCaptcha Runs On 15% Of the Internet

Slashdot - Your Rights Online - Thu, 2020-11-26 12:00
In a blog post, hCaptcha announced that its bot detector is running on about 15% of the internet, adding that they "took most of this market share directly from Google reCAPTCHA." From the post: Competing with Google and other Big Tech companies seems like a tall order: their monopolistic market power, platform effects and army of highly paid developers are generally considered too powerful to tackle for anyone but other tech giants such as Facebook or Amazon. Our story shows that it doesn't have to be that way -- you can beat Big Tech by focussing on privacy. Consider Google reCAPTCHA, which consumes enormous amounts of behavioral data to determine whether web users are legitimate humans or bots. At hCaptcha, we have deliberately taken a very different approach, using privacy-preserving machine learning techniques to identify typical bot behaviors at high accuracy, all while consuming and storing as little data as possible. Google is an ad company, and their security products look very much like their ad products: they track user behavior on every page of a website and across the web. We designed hCaptcha to be as privacy-friendly as possible from day one. This led to a completely different approach to the problem. As it turns out, tracking users across the web and tying their web history to their identity is completely unnecessary for achieving good security. The many companies that have switched over to hCaptcha often report equal or better performance in bot detection and mitigation despite our privacy focus. A growing number of critics have pointed out that Google's disregard for user privacy should concern customers looking to protect their websites and apps. At the same time, stopping bots from accessing publisher sites can reveal ad fraud, pitting Google's reCAPTCHA product directly against their ad business, which produces over 80% of their revenue. Every bot Google detects should be earning zero ad dollars. 
Google's company incentives are thus poorly aligned with the users of their security services, and this may be one explanation for the poor performance of their reCAPTCHA security offering.


Struggling Electric Jet Startup Zunum Sues Boeing For Fraud and Misuse of Trade Secrets

Slashdot - Your Rights Online - Thu, 2020-11-26 03:40
Kirkland, Washington-based aviation startup Zunum Aero filed a lawsuit this week accusing Boeing of fraud, technology theft, breach of contract, and misappropriation of trade secrets. The company, which had received millions of dollars from the venture arms of Boeing and JetBlue, said it would be ready to fly its 12-seat hybrid electric jets by 2022. Instead, it ran out of cash in 2018, forcing it to lay off nearly all of its employees and vacate its headquarters. The Verge reports: Zunum said that Boeing "colluded with other key aerospace manufacturers and funders" to sabotage its efforts to raise additional cash and tried to poach Zunum's engineers during the process. The startup claims that Boeing saw its superior technology and potential to disrupt air travel as a threat to its own dominance in the aviation world and sought to undermine it. Using its due diligence as an investor as subtext, Zunum said Boeing gained access to its business plan and proprietary technology, and "exploited" Zunum for its own benefit. "Boeing saw an innovative venture, with a dramatically improved path to the future, and presented itself as interested in investing and partnering with Zunum," the company claims in court filings. "But instead, Boeing stole Zunum's technology and intentionally hobbled the upstart entrant in order to maintain its dominant position in commercial aviation by stifling competition." It's rare that a startup would sue one of its investors after failing to deliver on its promises. But Zunum said its setbacks weren't because of bad technology or a faulty business plan. Rather, the company claims it was sabotaged by Boeing, which misused its position as an investor to pillage its talent and patents before eventually scuttling the company's ability to continue to raise money. Zunum also names HorizonX, Boeing's venture capital arm, and French engine supplier Safran as co-defendants. The company is seeking compensatory and punitive damages. 
A spokesperson for Boeing said the lawsuit was without merit and that the company would "vigorously" contest it in court.


IRS Could Search Warrantless Location Database Over 10,000 Times

Slashdot - Your Rights Online - Thu, 2020-11-26 02:20
An anonymous reader quotes a report from Motherboard: The IRS was able to query a database of location data quietly harvested from ordinary smartphone apps over 10,000 times, according to a copy of the contract between IRS and the data provider obtained by Motherboard. The document provides more insight into what exactly the IRS wanted to do with a tool purchased from Venntel, a government contractor that sells clients access to a database of smartphone movements. The Inspector General is currently investigating the IRS for using the data without a warrant to try to track the location of Americans. "This contract makes clear that the IRS intended to use Venntel's spying tool to identify specific smartphone users using data collected by apps and sold onwards to shady data brokers. The IRS would have needed a warrant to obtain this kind of sensitive information from AT&T or Google," Senator Ron Wyden told Motherboard in a statement after reviewing the contract. [...] One of the new documents says Venntel sources the location information from its "advertising analytics network and other sources." Venntel is a subsidiary of advertising firm Gravy Analytics. The data is "global," according to a document obtained from CBP. Venntel then packages that data into a user interface and sells access to government agencies. A former Venntel worker previously told Motherboard that customers can use the product to search a specific area to see which devices were there, or follow a particular device across time. Venntel provides its own pseudonymous ID to each device, but the former worker said users could try to identify specific people. The new documents say that the IRS' purchase of an annual Venntel subscription granted the agency 12,000 queries of the dataset per year. 
"In support of Internal Revenue Service (IRS) Criminal Investigation's (CI) law enforcement investigative mission, the Cyber Crimes Unit (CCU) requires one (1) Venntel Mobile Intelligence web-based subscription," one of the documents reads. "This allows tracing and pattern-of-life analysis on locations of interesting criminal investigations, allowing investigators to trace locations of mobile devices even if a target is using anonymizing technologies like a proxy server, which is common in cyber investigations," it adds.


2FA Bypass Discovered In Web Hosting Software cPanel

Slashdot - Your Rights Online - Thu, 2020-11-26 00:28
An anonymous reader quotes a report from ZDNet: Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers. The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts. These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim's site. On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world. But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA -- if 2FA was enabled for an account. While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today. Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner. The good news is that Digital Defense has privately reported the bug, tracked as SEC-575, to the cPanel team, which has already released patches last week.


Nintendo Sues More Hack Sellers, 'a Worsening International Problem'

Slashdot - Your Rights Online - Wed, 2020-11-25 22:41
Nintendo of America has filed a lawsuit against an Amazon Nintendo Switch hack reseller -- the sort of litigation it's taken on in similar cases in the past. Nintendo's lawyers allege the Amazon seller, Le Hoang Minh, circumvents Nintendo's copyright measures in selling an RCM Loader, used to "jailbreak" the Nintendo Switch. From a report: The lawsuit was filed in a Seattle court last week, according to court documents obtained by Polygon. In the lawsuit, Nintendo outlines what it calls a "serious, worsening international problem" with video game software piracy. It details Nintendo's security systems, and how the RCM Loaders bypass those systems. The RCM Loader (which is essentially a USB device that plugs into the Nintendo Switch) allows the user to play so-called "pirated" or unauthorized games. According to the lawsuit, Nintendo sent a DMCA notice to the seller, to which a counterclaim was issued. Because of the counterclaim, Amazon was required to relist the RCM Loader, unless Nintendo filed an infringement lawsuit. And that's what it did. The company is looking for the courts to stop the seller, and award it $2,500 in damages for each infringement.


Google Ordered To Hand Over Emails in $600 Million Divorce Battle

Slashdot - Your Rights Online - Wed, 2020-11-25 22:00
A US court has ordered Google to hand over the personal emails of the son of a Russian oligarch as part of a bitter $601 million divorce case. From a report [Editor's note: the link may be paywalled; alternative source]: Judge Virginia DeMarchi in California told the US tech group to surrender Temur Akhmedov's emails for use as evidence in a lawsuit brought by his mother, Tatiana Akhmedova, the wife of an ally of President Vladimir Putin. Ms Akhmedova has gone to court in the US and the UK in an attempt to force her ex-husband, Farkhad Akhmedov, to pay the world's largest-ever divorce settlement. Google said the order was a breach of its customer's privacy. The divorce case, which is being funded by litigation financier Burford Capital, has led to a legal battle over assets including a helicopter, a private jet and a superyacht called the Luna that used to belong to Chelsea Football Club owner Roman Abramovich. Google sought to block the order to give up the emails this week on the basis that to do so would infringe Mr Akhmedov's right to privacy because he had not given consent to share them. Ms DeMarchi said Google's concern for the "privacy and security of its account holders' communications" was "commendable" but ruled the request did not breach the US Stored Communications Act, which governs voluntary and compelled disclosure of emails. The information from the emails will be used to learn whether Temur assisted his father in the fraudulent transfer of assets, and if so, to win a judgment against him, Tatiana Akhmedova said in a filing.


Three Members of TMT Cybercrime Group Arrested in Nigeria

Slashdot - Your Rights Online - Wed, 2020-11-25 20:45
Three Nigerians suspected of being part of a cybercrime group that targeted tens of thousands of victims around the world have been arrested today in Lagos, Nigeria's capital, Interpol reported. From a report: In a report disclosing its involvement in the investigation, security firm Group-IB said the three suspects are members of a cybercrime group they have been tracking since 2019 and which they have been tracking under the codename of TMT. Group-IB said the group primarily operated by sending out mass email spam campaigns containing files laced with malware. To send their email spam, the group used the Gammadyne Mailer and Turbo-Mailer email automation tools and then relied on MailChimp to track if a recipient victim opened their messages. The file attachments were laced with various strains of malware that granted hackers access to infected computers from where they focused on stealing credentials from browsers, email, and FTP clients.


Vestager Seeks Patents Overhaul Amid Court Fights Over Cars

Slashdot - Your Rights Online - Wed, 2020-11-25 20:05
The European Union will seek to overhaul the system for key patents such as those that have fueled legal battles between car makers and technology companies, the EU's technology chief said Wednesday. From a report: Margrethe Vestager promised that regulators will weigh reforms to improve the framework in place for so-called standard-essential patents and work on industry-led initiatives "to reduce frictions and litigation." The EU move could help avoid repeats of lengthy legal battles such as Nokia Oyj's effort to get Daimler AG to pay more for mobile technology used in cars. While Daimler wants the underlying patents be licensed to its various component suppliers, Nokia wants to charge per car at a much higher price. Companies often seek court help to determine whether certain technology patents are valid and how much should be paid for licensing technology seen as essential for an industry. The EU has frequently been asked to weigh in on how much is fair for key technology. "There's quite a lot of litigation back and forth and in the short-term we would want to push for industry to figure out how to set up foras to enable discussions and mediation so that maybe to a bigger degree it can be solved out of court," Vestager said. The current system to set up so-called standard essential patents deemed key to certain technology "is not very transparent," she said. "This is why we will consider a very close consultation with anyone involved whether we should set up a third-party essential 'reality check' so someone outside of your business" can rule on whether a patent is really important or not.


Amazon Partners With the US Government To Stop the Sale of Counterfeit Goods

Slashdot - Your Rights Online - Wed, 2020-11-25 12:00
Amazon announced a joint operation with the National Intellectual Property Rights Coordination Center (IPR Center) on Tuesday, focused on stopping counterfeit goods from entering the US. The Verge reports: The partnership will rely on intelligence gathered from Amazon's Counterfeit Crimes Unit, logistics company DHL, and US Customs and Border Patrol (CBP) to proactively stop the sale of counterfeit products. "Operation Fulfilled Action" relies on Amazon's dominant positioning as both a distributor and marketplace for products. Because of the amount sold on Amazon's various storefronts, IPR Center and Amazon have shared information previously, even collaborating on a crackdown on fraud related to COVID-19. This new operation marks a more long-term partnership, however. Prior to Amazon's involvement, IPR Center's focus on "securing the global supply-chain" might be unfamiliar to the average person, but you've actually seen a bit of the Center's work before -- the government warning that plays before every DVD and Blu-ray was created by the organization. As far as counterfeit products are concerned, Amazon says it already investigated and removed potentially fraudulent offenders. A partnership with these new agencies should allow the company to go further and "stop counterfeits at the border, regardless of where bad actors were intending to offer them" said Dharmesh Mehta, vice president of customer trust and partner support at Amazon.


Apple Security Chief Maintains Innocence After Bribery Charges

Slashdot - Your Rights Online - Wed, 2020-11-25 00:00
An anonymous reader quotes a report from Ars Technica: A grand jury in California's Santa Clara County has indicted Thomas Moyer, Apple's head of global security, for bribery. Moyer is accused of offering 200 iPads to the Santa County Sheriff's office in exchange for concealed carry permits for four Apple employees. Moyer's attorney says that he did nothing wrong, and notably Apple is standing behind its executive. "We expect all of our employees to conduct themselves with integrity," an Apple spokesperson said in a statement. "After learning of the allegations, we conducted a thorough internal investigation and found no wrongdoing." Also indicted were two officials in the office of Santa Clara County Sheriff Laurie Smith. These officials are accused of soliciting the alleged bribe. California law gives sheriffs broad discretion to decide who gets permits to carry concealed weapons in the state. Smith has previously faced accusations that her office deliberately withheld permits to carry concealed weapons until applicants did favors for Smith. A June investigation by NBC Bay Area found that donors to Smith's re-election campaign were 14 times more likely to get concealed carry permits than those who didn't donate. A press release from Smith's office described the indictments as "a difficult time for our organization." Jeff Rosen, the Santa Clara district attorney responsible for the indictments, said that the donation of 200 iPads was scuttled at the last minute after Rosen obtained a search warrant in the case. According to LinkedIn, Moyer is responsible for "strategic management of Apple's corporate and retail security, crisis management, executive protection, investigations and new product secrecy." While two individuals in Sheriff Smith's office were indicted, no charges have been filed against Smith herself. Rosen says the investigation is ongoing. 
A common prosecutorial strategy is to focus on lower-ranking employees first in order to pressure them to provide evidence against their boss.


India Bans Another 43 Chinese Apps Over Cybersecurity Concerns

Slashdot - Your Rights Online - Tue, 2020-11-24 18:05
India is not done banning Chinese apps. The world's second largest internet market, which has banned over 175 apps with links to the neighboring nation in recent months, said on Tuesday it was banning an additional 43 such apps. From a report: Like with the previous orders, India cited cybersecurity concerns to block these apps. "This action was taken based on the inputs regarding these apps for engaging in activities which are prejudicial to sovereignty and integrity of India, defence of India, security of state and public order," said India's IT Ministry in a statement. The ministry said it issued the order to block these apps "based on the comprehensive reports received from Indian Cyber Crime Coordination Center, Ministry of Home Affairs." The apps that have been banned include popular short video service Snack Video, which had surged to the top of the chart in recent months, as well as e-commerce app AliExpress, delivery app Lalamove, and shopping app Taobao Live. At this point, there doesn't appear to be any Chinese app left in the top 500 apps used in India.


Baidu's Android Apps Caught Collecting Sensitive User Details

Slashdot - Your Rights Online - Tue, 2020-11-24 16:47
Two Android applications belonging to Chinese tech giant Baidu were removed from the official Google Play Store at the end of October after they were caught collecting sensitive user details. From a report: The two apps -- Baidu Maps and Baidu Search Box -- were removed after Google received a report from US cyber-security firm Palo Alto Networks. Both apps had more than 6 million downloads combined before being removed. According to the US security firm, the two apps contained code that collected information about each user's phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number. The data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps. Palo Alto Networks security researchers Stefan Achleitner and Chengcheng Xu, who identified the data collection code, said that while some of the collected information is "rather harmless," some data like the IMSI code "can be used to uniquely identify and track a user, even if that user switches to a different phone." The research team said that while the collection of personal user details is not specifically forbidden by Google's policy for Android apps after they reported the issue to Google, the Play Store security team confirmed their findings and "identified [additional] unspecified violations" in the two Baidu apps, which eventually led to the two apps being removed from the official store on October 28.


'Smart' Doorbells For Sale On Amazon, eBay Came Stocked With Security Vulnerabilities

Slashdot - Your Rights Online - Tue, 2020-11-24 04:02
The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 "smart" doorbells sold on popular platforms like Amazon and eBay. CyberScoop reports: One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell's camera, on insecure servers. One device made by a company called Victure, for example, sent a user's wireless name and password, unencrypted, to servers in China, according to the researchers. In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect "unsafe or non-compliant products from being listed in our stores." eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. Victure did not immediately respond to a request for comment. The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.
