
Uber Used Another Secret Software To Evade Police, Report Says

Slashdot - Your Rights Online - Thu, 2018-01-11 18:50
schwit1 shares a Bloomberg report: In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies's office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event. Like managers at Uber's hundreds of offices abroad, they'd been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they'd obtained a warrant to collect. The investigators left without any evidence. Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'

Read more of this story at Slashdot.

FBI Calls Apple 'Jerks' and 'Evil Geniuses' For Making iPhone Cracks Difficult

Slashdot - Your Rights Online - Thu, 2018-01-11 15:00
troublemaker_23 shares a report from iTWire: A forensics expert from the FBI has lashed out at Apple, calling the company's security team a bunch of "jerks" and "evil geniuses" for making it more difficult to circumvent the encryption on its devices. Stephen Flatley told the International Conference on Cyber Security in New York on Wednesday that one example of the way that Apple had made it harder for him and his colleagues to break into the iPhone was by recently making the password guesses slower, with a change in hash iterations from 10,000 to 10,000,000. A report on the Motherboard website said Flatley explained that this change meant that the speed at which one could brute-force passwords went from 45 attempts a second to one every 18 seconds. "Your crack time just went from two days to two months," he was quoted as saying. "At what point is it just trying to one up things and at what point is it to thwart law enforcement? Apple is pretty good at evil genius stuff," Flatley added.


Violating a Website's Terms of Service Is Not a Crime, Federal Court Rules

Slashdot - Your Rights Online - Thu, 2018-01-11 05:30
An anonymous reader quotes a report from the Electronic Frontier Foundation: Good news out of the Ninth Circuit: the federal court of appeals heeded EFF's advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle's website in a manner it didn't like. The court ruled back in 2012 that merely violating a website's terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes -- in this case, California and Nevada -- to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear -- if it wasn't clear already -- that violating a corporate computer use policy is not a crime.


NYC Sues Oil Companies Over Climate Change

Slashdot - Your Rights Online - Thu, 2018-01-11 01:20
An anonymous reader quotes a report from The Guardian: New York City is seeking to lead the assault on both climate change and the Trump administration with a plan to divest $5 billion from fossil fuels and sue the world's most powerful oil companies over their contribution to dangerous global warming. City officials have set a goal of divesting New York's $189 billion pension funds from fossil fuel companies within five years in what they say would be "among the most significant divestment efforts in the world to date." Currently, New York City's five pension funds have about $5 billion in fossil fuel investments. New York state has already announced it is exploring how to divest from fossil fuels. New York's Mayor, Bill de Blasio, said that the city is taking the five fossil fuel firms -- BP, Exxon Mobil, Chevron, ConocoPhillips and Shell -- to federal court due to their contribution to climate change. Court documents state that New York has suffered from flooding and erosion due to climate change and because of looming future threats it is seeking to "shift the costs of protecting the city from climate change impacts back on to the companies that have done nearly all they could to create this existential threat." The court filing claims that just 100 fossil fuel producers are responsible for nearly two-thirds of all greenhouse gas emissions since the industrial revolution, with the five targeted companies the largest contributors. The case will also point to evidence that firms such as Exxon knew of the impact of climate change for decades, only to downplay and even deny this in public.


FCC Plan To Lower Broadband Standards Is Met With 'Mobile Only Challenge'

Slashdot - Your Rights Online - Wed, 2018-01-10 23:25
An anonymous reader quotes a report from Ars Technica: Broadband consumer advocates have launched a "Mobile Only Challenge" to show U.S. regulators that cellular data should not be considered an adequate replacement for home Internet service. The awareness campaign comes as the Federal Communications Commission is considering a change to the standard it uses to judge whether broadband is being deployed to all Americans in a reasonable and timely fashion. While FCC Chairman Ajit Pai hasn't released his final plan yet, the FCC may soon declare that America's broadband deployment problem is solved as long as everyone has access to either fast home Internet or cellular Internet service with download speeds of at least 10Mbps. That would be a change from current FCC policy, which says that everyone should have access to both mobile data and fast home Internet services such as fiber or cable. "The FCC wants to lower broadband standards," organizers of the Mobile Only Challenge say on the campaign's website. "Pledge to spend one day in January 2018 accessing the Internet only on your mobile device to tell them that's not OK." The Mobile Only Challenge was organized by Public Knowledge, Next Century Cities, New America's Open Technology Institute, the Institute for Local Self-Reliance, the National Hispanic Media Coalition (NHMC), and other groups. Participants are encouraged to share their experiences using the #MobileOnly hashtag.


macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password

Slashdot - Your Rights Online - Wed, 2018-01-10 22:45
A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:

1. Click on System Preferences.
2. Click on App Store.
3. Click on the padlock icon to lock it if necessary.
4. Click on the padlock icon again.
5. Enter your username and any password.
6. Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.


WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats

Slashdot - Your Rights Online - Wed, 2018-01-10 20:01
A group of cryptographers from Germany's Ruhr University Bochum has uncovered flaws in WhatsApp's security that compromise the instant messaging service's end-to-end encryption. WhatsApp, owned by Facebook, has over one billion active users. In a paper published last week, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," the researchers show that anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group -- a claim that will not sit well with privacy enthusiasts. From the paper: The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually, such that a subtly chosen combination of messages can help it to cover the traces. Further reading: Wired.
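The server-side membership change described above is, in protocol terms, a missing authentication check on group-management messages: whatever the server relays is applied. The toy model below is an added example written for this page, not code from WhatsApp, Signal or the paper's authors. It assumes a group-management key shared end-to-end among the members (a constructed sample value, not a real key) that the relaying server never holds, and it uses HMAC-SHA256 plus a strict sequence number in place of the per-admin signatures a production design might use. The same message stream is fed through an unauthenticated group and an authenticated one, so the forged addition, a replayed message and a dropped message are accepted by the first and rejected by the second.

```python
import hashlib
import hmac
import json

# Toy model, constructed for this example; it is NOT WhatsApp's or Signal's
# actual group protocol. Members share a "group management key" established
# end-to-end, so the relaying server never holds it. Every membership change
# must carry an HMAC-SHA256 tag under that key and the next expected sequence
# number, so a server that can only relay, reorder or drop messages can neither
# forge an "add" nor silently drop or replay a legitimate change.

GROUP_MGMT_KEY = b"constructed-sample-key-shared-by-members-only"  # sample value only


def _canonical(group: str, seq: int, op: str, member: str) -> bytes:
    """Deterministic byte encoding of the fields covered by the tag."""
    return json.dumps(
        {"group": group, "seq": seq, "op": op, "member": member},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_control(key: bytes, group: str, seq: int, op: str, member: str) -> dict:
    """Build an authenticated membership-change message, as an admin's client would."""
    tag = hmac.new(key, _canonical(group, seq, op, member), hashlib.sha256).hexdigest()
    return {"group": group, "seq": seq, "op": op, "member": member, "tag": tag}


class WeakGroup:
    """The weak design: membership changes are applied exactly as the server relays them."""

    def __init__(self, group: str, members):
        self.group = group
        self.members = set(members)

    def apply(self, msg: dict) -> bool:
        if msg["op"] == "add":
            self.members.add(msg["member"])
        elif msg["op"] == "remove":
            self.members.discard(msg["member"])
        else:
            return False
        return True


class AuthenticatedGroup:
    """The hardened design: tag, group id and sequence number are checked before applying."""

    def __init__(self, group: str, key: bytes, members):
        self.group = group
        self.key = key
        self.members = set(members)
        self.last_seq = 0
        self.rejected = []  # (reason, message) pairs a client could surface or log

    def apply(self, msg: dict) -> bool:
        expected = hmac.new(
            self.key, _canonical(msg["group"], msg["seq"], msg["op"], msg["member"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            self.rejected.append(("bad-tag", msg))  # server cannot produce a valid tag
            return False
        if msg["group"] != self.group:
            self.rejected.append(("wrong-group", msg))  # valid message replayed into another group
            return False
        if msg["seq"] != self.last_seq + 1:
            # seq <= last_seq is a replay; seq > last_seq + 1 means the server dropped a change
            self.rejected.append(("replay" if msg["seq"] <= self.last_seq else "gap", msg))
            return False
        if msg["op"] == "add":
            self.members.add(msg["member"])
        elif msg["op"] == "remove":
            self.members.discard(msg["member"])
        else:
            self.rejected.append(("bad-op", msg))
            return False
        self.last_seq = msg["seq"]
        return True


def run_scenario() -> dict:
    """Feed one constructed message stream through both designs and report the outcome."""
    members = ["alice", "bob"]
    weak = WeakGroup("team", members)
    strong = AuthenticatedGroup("team", GROUP_MGMT_KEY, members)

    legit = sign_control(GROUP_MGMT_KEY, "team", 1, "add", "carol")  # admin adds carol
    # Server-forged addition: no key, so the tag is junk.
    forged = {"group": "team", "seq": 2, "op": "add", "member": "mallory", "tag": "00" * 32}
    replayed = dict(legit)  # server re-delivers the first message
    # Admin's message 2 was dropped by the server; message 3 arrives next.
    after_gap = sign_control(GROUP_MGMT_KEY, "team", 3, "remove", "bob")

    stream = [legit, forged, replayed, after_gap]
    return {
        "weak_results": [weak.apply(m) for m in stream],
        "weak_members": weak.members,
        "strong_results": [strong.apply(m) for m in stream],
        "strong_members": strong.members,
        "strong_rejections": [reason for reason, _ in strong.rejected],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The weak group ends up with "mallory" as a member and never notices the replay or the gap; the authenticated group keeps its original membership plus the one legitimately added member and records a reason for each rejected message, which is what a client would need in order to warn the user rather than silently trusting the server.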


Senator Wants Apple To Answer Questions on Slowing iPhones

Slashdot - Your Rights Online - Wed, 2018-01-10 16:42
The chairman of a U.S. Senate committee overseeing business issues asked Apple to answer questions about its disclosure that it slowed older iPhones with flagging batteries, Reuters reported on Wednesday, citing a letter. From the report: The California-based company apologized over the issue on Dec. 28, cut battery replacement costs and said it will change its software to show users whether their phone battery is good. Senator John Thune, a Republican who chairs the Commerce, Science and Transportation Committee, said in a Jan. 9 letter to Apple Chief Executive Officer Tim Cook that "the large volume of consumer criticism leveled against the company in light of its admission suggests that there should have been better transparency."


Congress Is About To Vote On Expanding the Warrantless Surveillance of Americans

Slashdot - Your Rights Online - Wed, 2018-01-10 15:00
An anonymous reader quotes a report from Motherboard: On Tuesday afternoon, a handful of U.S. Representatives will convene to review an amendment that would reauthorize warrantless foreign surveillance and expand the law so that it could include American citizens. It would, in effect, legalize a surveillance practice abandoned by the NSA in 2017 in order to appease the Foreign Intelligence Surveillance Court, which found the NSA to have abused its collection capacity several times. If it passes Tuesday's review, the bill may be voted on by the U.S. House of Representatives as early as Thursday. Drafted by the House Intelligence Committee last December, the FISA Amendments Reauthorization Act of 2017 is an amendment to Section 702 of the Foreign Intelligence Surveillance Act (FISA). It is one of six different FISA-related bills under consideration by Congress at the moment, but by far the most damaging to the privacy rights of American citizens. FISA was enacted in 1978, but Section 702, referred to by former FBI Director James Comey as the "crown jewels of the intelligence community," wasn't added until 2008. This section allows intelligence agencies to surveil, without a warrant, any foreigner outside the U.S. whom the agency considers a target. The problem is that this often resulted in the warrantless surveillance of U.S. citizens as well, due to two loopholes known as "backdoor searches" and "about collection." Backdoor search refers to a roundabout way of monitoring Americans' communications. Since intelligence agencies are able to designate any foreigner's communications as a target for surveillance, if this foreigner has communicated with an American, this American's communications are then also considered fair game for surveillance by the agency.


'I Tried the First Phone With An In-Display Fingerprint Sensor'

Slashdot - Your Rights Online - Wed, 2018-01-10 12:00
Vlad Savov from The Verge reports on his experience using the first smartphone with a fingerprint scanner built into the display: After an entire year of speculation about whether Apple or Samsung might integrate the fingerprint sensor under the display of their flagship phones, it is actually China's Vivo that has gotten there first. At CES 2018, I got to grips with the first smartphone to have this futuristic tech built in, and I was left a little bewildered by the experience. The mechanics of setting up your fingerprint on the phone and then using it to unlock the device and do things like authenticate payments are the same as with a traditional fingerprint sensor. The only difference I experienced was that the Vivo handset was slower -- both to learn the contours of my fingerprint and to unlock once I put my thumb on the on-screen fingerprint prompt -- but not so much as to be problematic. Basically, every other fingerprint sensor these days is ridiculously fast and accurate, so with this being newer tech, its slight lag feels more palpable. Vivo is using a Synaptics optical sensor called Clear ID that works by peering through the gaps between the pixels in an OLED display (LCDs wouldn't work because of their need for a backlight) and scanning your uniquely patterned epidermis. The sensor is already in mass production and should be incorporated in several flagship devices later this year.


AT&T and Comcast Finalize Court Victory Over Nashville and Google Fiber

Slashdot - Your Rights Online - Wed, 2018-01-10 03:40
"AT&T and Comcast have solidified a court victory over the metro government in Nashville, Tennessee, nullifying a rule that was meant to help Google Fiber compete against the incumbent broadband providers," reports Ars Technica. From the report: The case involved Nashville's "One Touch Make Ready" ordinance that was supposed to give Google Fiber and other new ISPs faster access to utility poles. The ordinance let a single company make all of the necessary wire adjustments on utility poles itself instead of having to wait for incumbent providers like AT&T and Comcast to send work crews to move their own wires. But AT&T and Comcast sued the metro government to eliminate the rule and won a preliminary victory in November when a U.S. District Court judge in Tennessee nullified the rule as it applies to poles owned by AT&T and other private parties. The next step for AT&T and Comcast was overturning the rule as it applies to poles owned by the municipal Nashville Electric Service (NES), which owns around 80 percent of the Nashville poles. AT&T and Comcast achieved that on Friday with a new ruling from U.S. District Court Judge Aleta Trauger. Nashville's One Touch Make Ready ordinance "is ultra vires and void or voidable as to utility poles owned by Nashville Electric Service because adoption of the Ordinance exceeded Metro Nashville's authority and violated the Metro Charter," the ruling said. Nashville is "permanently enjoined from applying the Ordinance to utility poles owned by Nashville Electric Service." The Nashville government isn't planning to appeal the decision, a spokesperson for Nashville Mayor Megan Barry told Ars today.


Senate Bill to Block Net Neutrality Repeal Now Has 40 Co-Sponsors

Slashdot - Your Rights Online - Wed, 2018-01-10 02:20
New submitter Rick Schumann writes: The senate bill to block the FCC repeal of Obama-era internet net neutrality rules now has 40 co-sponsors, up from the 30 co-sponsors it had yesterday. The bill, being driven by Senate minority Democrats, requires only a simple majority vote in order to be passed, although Washington insiders are currently predicting the bill will fail. "The bill would use authority under the Congressional Review Act (CRA) to block the FCC's repeal from going into effect," reports The Hill. "And with more than 30 senators on board, the legislation will be able to bypass the committee approval process and Democrats will be able to force a vote on the floor."


UK Backs Off From Banning Reidentification Research

Slashdot - Your Rights Online - Wed, 2018-01-10 01:40
An anonymous reader writes: The United Kingdom has recently debated banning reidentification in its new data privacy law. This proposal was quickly identified as dangerous and criticized, as it was argued that it is not only ineffective but would also put legitimate security and privacy researchers at risk. Following public outcry, the UK government amended the bill to include safeguards allowing researchers to study anonymization weaknesses. Researchers will also gain a new channel of disclosure via the Information Commissioner's Office (ICO). According to The Guardian, "Researchers will have to notify the ICO within three days of successfully deanonymizing data, and demonstrate that they had acted in the public interest and without intention to cause damage or distress in re-identifying data."


James Dolan, Co-Creator of SecureDrop, Dead At 36

Slashdot - Your Rights Online - Tue, 2018-01-09 23:40
The Freedom of the Press Foundation is reporting that James Dolan, former Marine and co-creator of the whistleblower submission system SecureDrop alongside Aaron Swartz and Wired editor Kevin Poulsen, has died at age 36. He reportedly took his own life. Gizmodo reports: First deployed as StrongBox with The New Yorker, organizations such as the Washington Post, the New York Times, the Associated Press, and Gizmodo Media Group have all come to rely on SecureDrop -- which allows highly secure communication between journalists and sources in possession of sensitive information or documents. As an industry tool, it has become invaluable for reporters. Dolan joined the Freedom of the Press Foundation to maintain SecureDrop after co-creator Aaron Swartz took his life in 2013 at age 26, as pressure mounted in a federal investigation against him that many felt was overzealous. Memorial services have not yet been announced, and presently the circumstances of Dolan's death are not known.


With WPA3, Wi-Fi Security is About To Get a Lot Tougher

Slashdot - Your Rights Online - Tue, 2018-01-09 18:40
One of the biggest potential security vulnerabilities -- public Wi-Fi -- may soon get its fix. From a report: The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a nearly two-decade-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things. One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scrambles the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated. Further reading: WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago


FBI Chief Calls Unbreakable Encryption 'Urgent Public Safety Issue'

Slashdot - Your Rights Online - Tue, 2018-01-09 18:01
The inability of law enforcement authorities to access data from electronic devices due to powerful encryption is an "urgent public safety issue," FBI Director Christopher Wray said on Tuesday in remarks that sought to renew a contentious debate over privacy and security. From a report: The FBI was unable, using technical tools, to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30, despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency's work, Wray said during a speech at a cyber security conference in New York. "This is an urgent public safety issue," Wray added, while saying that a solution is "not so clear cut."


Snowden Joins Outcry Against World's Biggest Biometric Database

Slashdot - Your Rights Online - Tue, 2018-01-09 17:22
Former U.S. intelligence-contractor-turned-whistleblower Edward Snowden joined critics of India's digital ID program as the nation's top court is due to decide on its legality. From a report: Snowden on Tuesday tweeted in support of an Indian journalist who faces police charges after she reported that personal details of over a billion citizens enrolled in the program could be illegally accessed for just $8 paid through a digital wallet. Named Aadhaar, the program is backed by the world's biggest biometric database, which its operator, the Unique Identification Authority of India, or UIDAI, says wasn't breached. Snowden tweeted, "The journalists exposing the Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI."


Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key

Slashdot - Your Rights Online - Tue, 2018-01-09 16:00
Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.


Apple Investigated By France For 'Planned Obsolescence'

Slashdot - Your Rights Online - Tue, 2018-01-09 09:00
AmiMoJo shares a report from the BBC: French prosecutors have launched a probe over allegations of "planned obsolescence" in Apple's iPhone. Under French law it is a crime to intentionally shorten the lifespan of a product with the aim of making customers replace it. In December, Apple admitted that older iPhone models were deliberately slowed down through software updates. It follows a legal complaint filed in December by pro-consumer group Stop Planned Obsolescence (Hop). Hop said France was the third country to investigate Apple after Israel and the U.S., but the only one in which the alleged offense was a crime. Penalties could include up to 5% of annual turnover or even a jail term.


Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor

Slashdot - Your Rights Online - Tue, 2018-01-09 01:20
BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issue makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting it to the internet.
