How Open Source Software Helps The Federal Reserve Bank of New York

Slashdot - Your Rights Online - Sat, 2017-10-14 21:34
Long-time Slashdot reader Esther Schindler quotes Hewlett Packard Enterprise: When you handle trillions of dollars a year in transactions and manage the largest known vault of gold in the world, security and efficiency are top priorities. Open source reusable software components are key to the New York Fed's successful operation, explains Colin Wynd, vice president and head of the bank's Common Service Organization... The nearly 2,000 developers across the Federal Reserve System used to have a disparate set of developer tools. Now, they benefit from a standard toolset and architecture, which also places limits on which applications the bank will consider using. "We don't want a third-party application that isn't compatible with our common architecture," said Wynd. One less obvious advantage to open source adoption is in career satisfaction and advancement. It gives developers opportunities to work on more interesting applications, said Wynd. Developers can now take on projects or switch jobs more easily across Federal Reserve banks because the New York Fed uses a lot of common open source components and a standard tool set, meaning retraining is minimal if needed at all. Providing training in-house also creates a more consistent use of best practices. "Our biggest headache is to prove to groups that an application is secure, because we have to defend against nation state attacks."

Read more of this story at Slashdot.

Dutch Police Build a Pokemon Go-Style App For Hunting Wanted Criminals

Slashdot - Your Rights Online - Sat, 2017-10-14 18:34
"How can the police induce citizens to help investigate crime? By trying to make it 'cool' and turning it into a game that awards points for hits," reports CSO. mrwireless writes: Through their 'police of the future' innovation initiative, and inspired by Pokemon Go, the Dutch police are building an app where you can score points by photographing the license plates of stolen cars. When a car is reported stolen the app will notify people in the neighbourhood, and then the game is on! Privacy activists are worried this creates a whole new relationship with the police, as a deputization of citizens blurs boundaries, and institutionalizes 'coveillance' -- citizens spying on citizens. It could be a slippery slope to situations that more resemble the Stasi regime's, which famously used this form of neighborly surveillance as its preferred method of control. CSO cites Spiegel Online's description of the unofficial 189,000 Stasi informants as "totally normal citizens of East Germany who betrayed others: neighbors reporting on neighbors, schoolchildren informing on classmates, university students passing along information on other students, managers spying on employees and Communist bosses denouncing party members." The Dutch police are also building another app that allows citizens to search for missing persons.

IRS Suspends $7 Million Contract With Equifax After Malware Discovered

Slashdot - Your Rights Online - Sat, 2017-10-14 01:20
After malware was discovered on Equifax's website again, the IRS decided late Thursday that it would temporarily suspend the agency's $7.1 million data security contract with the company. CBS News reports: In September, Equifax revealed that it had exposed 143 million consumer files -- containing names, addresses, Social Security numbers and even bank account information -- to hackers in an unprecedented security lapse. The number of consumers potentially affected by the data breach was later raised to 145.5 million. The company's former CEO blamed a single careless employee for the entire snafu. But even as he was getting grilled in Congress earlier this month, the IRS was awarding the company with a no-bid contract to provide "fraud prevention and taxpayer identification services." "Following new information available today, the IRS temporarily suspended its short-term contract with Equifax for identity proofing services," the agency said in a statement. "During this suspension, the IRS will continue its review of Equifax systems and security." The agency does not believe that any data the IRS has shared with Equifax to date has been compromised, but the suspension was taken as "a precautionary step."

Dutch Privacy Regulator Says Windows 10 Breaks the Law

Slashdot - Your Rights Online - Sat, 2017-10-14 00:40
An anonymous reader quotes a report from Ars Technica: The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law. To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn't always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection -- though this language still wasn't explicit about what was collected and why -- and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen. In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10's "Basic" telemetry setting. However, the company has not done so for the "Full" option, and the Full option remains the default. The DPA's complaint doesn't call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to "end all violations," but if the software company fails to do so, it faces sanctions.

Qualcomm Seeks China iPhone Ban, Escalating Apple Legal Fight

Slashdot - Your Rights Online - Fri, 2017-10-13 20:40
Qualcomm filed lawsuits in China seeking to ban the sale and manufacture of iPhones in the country, the chipmaker's biggest shot at Apple so far in a sprawling and bitter legal fight. From a report: The San Diego-based company aims to inflict pain on Apple in the world's largest market for smartphones and cut off production in a country where most iPhones are made. The product provides almost two-thirds of Apple's revenue. Qualcomm filed the suits in a Beijing intellectual property court claiming patent infringement and seeking injunctive relief, according to Christine Trimble, a company spokeswoman. "Apple employs technologies invented by Qualcomm without paying for them," Trimble said. An Apple spokesman didn't immediately respond to a request for comment on Friday. Qualcomm's suits are based on three non-standard essential patents, it said. They cover power management and a touch-screen technology called Force Touch that Apple uses in current iPhones, Qualcomm said. The inventions "are a few examples of the many Qualcomm technologies that Apple uses to improve its devices and increase its profits," Trimble said. The company made the filings at the Beijing court on Sept. 29. The court has not yet made them public.

Recordings of the Sounds Heard In the Cuban US Embassy Attacks Released

Slashdot - Your Rights Online - Fri, 2017-10-13 16:00
New submitter chrissfoot shares a report from The Associated Press: The Associated Press has obtained a recording of what some U.S. Embassy workers heard in Havana in a series of unnerving incidents later deemed to be deliberate attacks. The recording, released Thursday by the AP, is the first disseminated publicly of the many taken in Cuba of mysterious sounds that led investigators initially to suspect a sonic weapon. The recordings themselves are not believed to be dangerous to those who listen. Sound experts and physicians say they know of no sound that can cause physical damage when played for short durations at normal levels through standard equipment like a cellphone or computer. What device produced the original sound remains unknown. Americans affected in Havana reported the sounds hit them at extreme volumes. You can listen to the "Dangerous Sound" here via YouTube.

Researcher Turns HDD Into Rudimentary Microphone

Slashdot - Your Rights Online - Fri, 2017-10-13 15:00
An anonymous reader writes from Bleeping Computer: Speaking at a security conference, researcher Alfredo Ortega has revealed that you can use your hard disk drive (HDD) as a rudimentary microphone to pick up nearby sounds. This is possible because of how hard drives are designed to work. Sounds or nearby vibrations are nothing more than mechanical waves that cause HDD platters to vibrate. By design, a hard drive cannot read or write information to an HDD platter that moves under vibrations, so the hard drive must wait for the oscillation to stop before carrying out any actions. Because modern operating systems come with utilities that measure HDD operations up to nanosecond accuracy, Ortega realized that he could use these tools to measure delays in HDD operations. The longer the delay, the louder the sound or the more intense the vibration that causes it. These read-write delays allowed the researcher to reconstruct sound or vibration waves picked up by the HDD platters. A video demo is here. "It's not accurate yet to pick up conversations," Ortega told Bleeping Computer in a private conversation. "However, there is research that can recover voice data from very low-quality signals using pattern recognition. I didn't have time to replicate the pattern-recognition portion of that research into mine. However, it's certainly applicable." Furthermore, the researcher also used sound to attack hard drives. Ortega played a 130Hz tone to make an HDD stop responding to commands. "The Linux kernel disconnected it entirely after 120 seconds," he said. There's a video of this demo on YouTube.

FDA Advisers Endorse Gene Therapy To Treat Form of Blindness

Slashdot - Your Rights Online - Fri, 2017-10-13 05:30
An anonymous reader quotes a report from CBS News: A panel of U.S. health advisers has endorsed an experimental approach to treating inherited blindness, setting the stage for the likely approval of an innovative new genetic medicine. A panel of experts advising the Food and Drug Administration voted unanimously in favor of Spark Therapeutics' injectable therapy, which aims to improve vision in patients with a rare mutation that gradually destroys normal vision. The vote amounts to a recommendation to approve the therapy. According to Spark Therapeutics' website, inherited retinal diseases are a group of rare blinding conditions caused by one of more than 220 genes. Some living with these diseases experience a gradual loss of vision, while others may be born without the ability to see or lose their vision in infancy or early childhood. Genetic testing is the only way to verify the exact gene mutation that is the underlying cause of the disease.

Alphabet's Waymo Demanded $1 Billion In Settlement Talks With Uber

Slashdot - Your Rights Online - Fri, 2017-10-13 02:20
An anonymous reader quotes a report from Reuters: Alphabet's Waymo sought at least $1 billion in damages and a public apology from Uber as conditions for settling its high-profile trade secret lawsuit against the ride-services company, sources familiar with the proposal told Reuters. The Waymo self-driving car unit also asked that an independent monitor be appointed to ensure Uber does not use Waymo technology in the future, the sources said. Uber rejected those terms as non-starters, said the sources, who were not authorized to publicly discuss settlement talks. The precise dollar amount requested by Waymo and the exact time the offer was made could not be learned. Waymo's tough negotiating stance, which has not been previously reported, reflects the company's confidence in its legal position after months of pretrial victories in a case which may help to determine who emerges in the forefront of the fast-growing field of self-driving cars. The aggressive settlement demands also suggest that Waymo is not in a hurry to resolve the lawsuit, in part because of its value as a distraction for Uber leadership, said Elizabeth Rowe, a trade secret expert at the University of Florida Levin College of Law.

Google Permanently Disables Touch Function On All Home Minis Due To Privacy Concerns

Slashdot - Your Rights Online - Fri, 2017-10-13 01:40
Big Hairy Ian shares a report from BBC: Google has stopped its Home Mini speakers responding when users touch them. It permanently turned off the touch activation feature after it found that sensors primed to spot a finger tap were too sensitive. Early users found that the touch sensors were registering "phantom" touches that turned them on. This meant the speakers were recording everything around them thousands of times a day. Google said it disabled the feature to give users "peace of mind." Google's Home Mini gadgets were unveiled on October 4th as part of a revamp of its line of smart speakers. The intelligent assistant feature on it could be activated two ways -- by either saying "OK, Google" or by tapping the surface. About 4,000 Google Home Mini units were distributed to early reviewers and those who attended Google's most recent launch event. Artem Russakovskii from Android Police first discovered the issue with his unit, ultimately causing Google to "permanently [nerf] all Home Minis" because his spied on everything he said 24/7.

DJI Unveils Technology To Identify and Track Airborne Drones

Slashdot - Your Rights Online - Fri, 2017-10-13 01:00
garymortimer shares a report from sUAS News: DJI, the world's leader in civilian drones and aerial imaging technology, has unveiled AeroScope, its new solution to identify and monitor airborne drones with existing technology that can address safety, security and privacy concerns. AeroScope uses the existing communications link between a drone and its remote controller to broadcast identification information such as a registration or serial number, as well as basic telemetry, including location, altitude, speed and direction. Police, security agencies, aviation authorities and other authorized parties can use an AeroScope receiver to monitor, analyze and act on that information. DJI has had AeroScope installed at two international airports since April, and is continuing to test and evaluate its performance in other operational environments. AeroScope works with all current models of DJI drones, which analysts estimate comprise over two-thirds of the global civilian drone market. Since AeroScope transmits on a DJI drone's existing communications link, it does not require new on-board equipment or modifications, or require extra steps or costs to be incurred by drone operators. Other drone manufacturers can easily configure their existing and future drones to transmit identification information in the same way.

Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries

Slashdot - Your Rights Online - Fri, 2017-10-13 00:20
Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities," the company said in a statement. "Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates." The hotel chain said the incident affected payment card information -- cardholder name, card number, expiration date and internal verification code -- from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.

US Weapons Data Stolen During Raid of Australian Defense Contractor's Computers

Slashdot - Your Rights Online - Thu, 2017-10-12 23:40
phalse phace writes: Another day, another report of a major breach of sensitive U.S. military and intelligence data. According to a report by The Wall Street Journal (Warning: source may be paywalled; alternative source), "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. The identity and affiliation of the hackers in the Australian attack weren't disclosed, but officials with knowledge of the intrusion said the attack was thought to have originated in China." The article goes on to state that "Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach." The stolen data also included details of the C-130 Hercules transport aircraft and guided bombs used by the U.S. and Australian militaries as well as design information "down to the captain's chair" on new warships for Australia's navy.

Down the Rabbit Hole With a BLU Phone Infection

Slashdot - Your Rights Online - Thu, 2017-10-12 19:10
msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.

How Facebook Outs Sex Workers

Slashdot - Your Rights Online - Thu, 2017-10-12 16:40
An anonymous reader shares a Gizmodo report: Leila has two identities, but Facebook is only supposed to know about one of them. Leila is a sex worker. She goes to great lengths to keep separate identities for ordinary life and for sex work, to avoid stigma, arrest, professional blowback, or clients who might be stalkers (or worse). Her "real identity" -- the public one, who lives in California, uses an academic email address, and posts about politics -- joined Facebook in 2011. Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook's "People You May Know" recommendations, Leila (a name I'm using in place of either of the names she uses) was shocked to see some of her regular sex-work clients. Despite the fact that she'd only given Facebook information from her vanilla identity, the company had somehow discerned her real-world connection to these people -- and, even more horrifyingly, her account was potentially being presented to them as a friend suggestion too, outing her regular identity to them. Because Facebook insists on concealing the methods and data it uses to link one user to another, Leila is not able to find out how the network exposed her or take steps to prevent it from happening again. "We're living in an age where you can weaponize personal information against people." Kashmir Hill, the reporter who wrote the above story, shared another similar incident a few weeks ago.

US Government Has 'No Right To Rummage' Through Anti-Trump Protest Website Logs, Says Judge

Slashdot - Your Rights Online - Thu, 2017-10-12 02:05
A Washington D.C. judge has told the U.S. Department of Justice it "does not have the right to rummage" through the files of an anti-Trump protest website -- and has ordered the dot-org site's hosting company to protect the identities of its users. The Register reports: Chief Judge Robert E. Morin issued the revised order [PDF] Tuesday following a high-profile back and forth between the site's hosting biz DreamHost and prosecutors over what details Uncle Sam was entitled to with respect to the disruptj20.org website. "As previously observed, courts around the country have acknowledged that, in searches for electronically stored information, evidence of criminal activity will likely be intermingled with communications and other records not within the scope of the search warrant," he noted in his ruling. "Because of the potential breadth of the government's review in this case, the warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities." The order then lists a series of protocols designed to protect netizens "to comply with First Amendment and Fourth Amendment considerations, and to prevent the government from obtaining any identifying information of innocent persons."

Equifax Breach Included 10 Million US Driving Licenses

Slashdot - Your Rights Online - Wed, 2017-10-11 23:20
An anonymous reader quotes a report from Engadget: 10.9 million U.S. driver's licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got hold of 15.2 million UK customers' records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver's licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency's system.

FCC's Claim That One ISP Counts As 'Competition' Faces Scrutiny In Court

Slashdot - Your Rights Online - Wed, 2017-10-11 22:40
Jon Brodkin reports via Ars Technica: A Federal Communications Commission decision to eliminate price caps imposed on some business broadband providers should be struck down, advocacy groups told federal judges last week. The FCC failed to justify its claim that a market can be competitive even when there is only one Internet provider, the groups said. Led by Chairman Ajit Pai, the FCC's Republican majority voted in April of this year to eliminate price caps in a county if 50 percent of potential customers "are within a half mile of a location served by a competitive provider." That means business customers with just one choice are often considered to be located in a competitive market and thus no longer benefit from price controls. The decision affects Business Data Services (BDS), a dedicated, point-to-point broadband link that is delivered over copper-based TDM networks by incumbent phone companies like AT&T, Verizon, and CenturyLink. But the FCC's claim that "potential competition" can rein in prices even in the absence of competition doesn't stand up to legal scrutiny, critics of the order say. "In 2016, after more than 10 years of examining the highly concentrated Business Data Services market, the FCC was poised to rein in anti-competitive pricing in the BDS market to provide enterprise customers, government agencies, schools, libraries, and hospitals with much-needed relief from monopoly rates," said Phillip Berenbroick, senior policy counsel at consumer advocacy group Public Knowledge. But after Republicans gained the FCC majority in 2017, "the commission illegally reversed course without proper notice and further deregulated the BDS market, leaving consumers at risk of paying up to $20 billion a year in excess charges from monopolistic pricing," Berenbroick said.

Pirate Bay is Mining Cryptocurrency Again, No Opt Out

Slashdot - Your Rights Online - Wed, 2017-10-11 21:30
The Pirate Bay is mining cryptocurrency again, causing a spike in CPU usage among many visitors. From a report: For now, the notorious torrent site provides no option to disable it. The new mining expedition is not without risk. CDN provider Cloudflare previously suspended the account of a site that used a similar miner, which means that The Pirate Bay could be next. Last month The Pirate Bay caused some uproar by adding a Javascript-based cryptocurrency miner to its website. The miner utilizes CPU power from visitors to generate Monero coins for the site, providing an extra source of revenue. [...] The Pirate Bay currently has no opt-out option, nor has it informed users about the latest mining efforts. This could lead to another problem since Coinhive said it would crack down on customers who failed to keep users in the loop.

Moscow Has Turned Kaspersky Antivirus Software Into a Global Spy Tool, Using It To Scan Computers For Secret US Data

Slashdot - Your Rights Online - Wed, 2017-10-11 20:11
WSJ has a major scoop today. From a report: The Russian government used a popular antivirus software to secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool (could be paywalled), according to current and former U.S. officials with knowledge of the matter. The software, made by the Moscow-based company Kaspersky Lab, routinely scans files of computers on which it is installed looking for viruses and other malicious software. But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as "top secret," which may be written on classified government documents, as well as the classified code names of U.S. government programs, these people said. The Wall Street Journal reported last week that Russian hackers used Kaspersky's software in 2015 to target a contractor working for the National Security Agency, who had removed classified materials from his workplace and put them on his home computer, which was running the program. The hackers stole highly classified information on how the NSA conducts espionage and protects against incursions by other countries, said people familiar with the matter. But the use of the Kaspersky program to spy on the U.S. is broader and more pervasive than the operation against that one individual, whose name hasn't been publicly released, current and former officials said. This link should get you around WSJ's paywall. Also read: Israeli Spies 'Watched Russian Agents Breach Kaspersky Software'