NSA Unlawfully Surveilled Kim Dotcom In New Zealand, Says Report

Slashdot - Your Rights Online - Wed, 2017-08-02 02:05
According to new documents from New Zealand's Government Communications Security Bureau (GCSB), the NSA illegally used technology to spy on Megaupload founder Kim Dotcom. "The New Zealand Herald first reported that the GCSB told the nation's high court that it ceased all surveillance of Dotcom in early 2012, but that 'limited' amounts of communications from Dotcom were later intercepted by its technology without the bureau's knowledge," reports The Hill. From the report: Dotcom was surveilled by the NSA and the GCSB in a joint intelligence operation named Operation Debut. According to the Herald, that surveillance was scheduled to end in January 2012, but the United States continued to use New Zealand's technology. According to court documents obtained by the Herald, "Limited interception of some communications continued beyond the detasking date without the knowledge of GCSB staff." The court papers don't explain how the NSA was able to use the GCSB's spying technology without the bureau's knowledge. According to the Herald, "The GCSB documents do contain an admission of NSA involvement, although it was not made outright." Dotcom is facing charges of copyright infringement and money laundering related to Megaupload, a file-sharing website shut down in 2012. He is currently fighting U.S. attempts to extradite him from New Zealand.

Read more of this story at Slashdot.

Senators Propose Bill Targeting Websites That Facilitate Sex Trafficking

Slashdot - Your Rights Online - Tue, 2017-08-01 23:20
An anonymous reader quotes a report from USA Today: A bipartisan group of lawmakers introduced legislation Tuesday that aims to make it easier to sue and criminally prosecute operators of online classified sites like Backpage.com that have been used to advertise sex workers. The proposed bill would amend the Communications Decency Act to eliminate a provision that shields operators of websites from being liable for content posted by third-party users. In addition to removing liability protections for websites that facilitate "unlawful sex acts with sex trafficking victims," lawmakers are seeking to amend the CDA to allow state prosecutors -- not just federal law enforcement -- to take action against individuals and businesses that use websites to violate federal sex trafficking laws. "For too long, courts around the country have ruled that Backpage can continue to facilitate illegal sex trafficking online with no repercussions," said Sen. Rob Portman, R-Ohio. "The Communications Decency Act is a well-intentioned law, but it was never intended to help protect sex traffickers who prey on the most innocent and vulnerable among us. This bipartisan, narrowly crafted bill will help protect vulnerable women and young girls from these horrific crimes."

US Senators To Introduce Bill To Secure 'Internet of Things'

Slashdot - Your Rights Online - Tue, 2017-08-01 18:40
Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.

White House Officials Tricked By Email Prankster

Slashdot - Your Rights Online - Tue, 2017-08-01 17:20
Jake Tapper, reporting for CNN: A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited. "Tom, we are arranging a bit of a soiree towards the end of August," the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. "It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening." Bossert wrote back: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted). Bossert did not respond to CNN's request for comment; the email prankster said he was surprised Bossert responded given his expertise. The emails were shared with CNN by the email prankster. White House officials acknowledged the incidents and said they were taking the matter seriously. "We take all cyber related issues very seriously and are looking into these incidents further," White House press secretary Sarah Huckabee Sanders told CNN.

Amazon Suspends Sales of Blu Android Phones Due To Privacy Concerns

Slashdot - Your Rights Online - Tue, 2017-08-01 16:00
CNET reports: Amazon just put budget phone maker Blu in the penalty box. The online retailing giant told CNET that it was suspending sales of phones from Blu, known for making ultra-cheap Android handsets, due to a "potential security issue." The move comes after security firm Kryptowire demonstrated last week how software in Blu's phones collected data and sent it to servers in China without alerting people. Blu defended the software, created by a Chinese company called Shanghai Adups Technology, and denied any wrongdoing. A company spokeswoman said at the time it "has several policies in place which take customer privacy and security seriously." She added there had been no breaches. Blu said it was in a process of review to reinstate the phones at Amazon.

Privacy Watchdog Asks FTC To Look Into Google's Offline Shopping Tracker

Slashdot - Your Rights Online - Tue, 2017-08-01 15:00
An anonymous reader quotes a report from Ars Technica: A privacy advocacy group has filed a formal legal complaint with the Federal Trade Commission, asking the agency to begin an investigation "into Google's in-store tracking algorithm to determine whether it adequately protects the privacy of millions of American consumers." In the Monday filing, the Electronic Privacy Information Center (EPIC) said it is concerned with Google's new Store Sales Management program, which debuted in May. The system allows the company to extend its online tracking capabilities into the physical world. The idea is to combine credit card and other financial data acquired from data brokers to create a singular profile as a way to illustrate to companies what goods and services are being searched for online, which result in actual in-person sales. Because the algorithm that Google uses is secret, EPIC says, there is no way to determine how well Google's claimed anonymization feature -- to mask names, credit card numbers, location, and other potentially private data -- actually works. While Google has been cagey about exactly how it does this, the company has previously revealed that the technique is based on CryptDB.

HP Patents 'Reminder Messages'

Slashdot - Your Rights Online - Tue, 2017-08-01 09:00
Daniel Nazer reports via the Electronic Frontier Foundation: On July 25, 2017, the Patent Office issued a patent to HP on reminder messages. Someone needs to remind the Patent Office to look at the real world before issuing patents. United States Patent No. 9,715,680 (the '680 patent) is titled "Reminder messages." While the patent application does suggest some minor tweaks to standard automated reminders, none of these supposed additions deserve patent protection. Although this claim uses some obscure language (like "non-transitory computer-readable storage medium" and "article data"), it describes a quite mundane process. The "article data" is simply additional information associated with an event. For example, "buy a cake" might be included with a birthday reminder. The patent also requires that this extra information be input via a "scanning operation" (e.g. scanning a QR code). The '680 patent comes from an application filed in July 2012. It is supposed to represent a non-obvious advance on technology that existed before that date. Of course, reminder messages were standard many years before the application was filed. And just a few minutes of research reveals that QR codes were already used to encode information for reminder messages. The Patent Office reviewed HP's application for years without ever considering any real-world products. Indeed, the examiner considered only patents and patent applications.

Iranians Use 'Cute Photographer' Profile To Hack Targets In Middle East

Slashdot - Your Rights Online - Tue, 2017-08-01 04:05
chicksdaddy shares a report from The Security Ledger: Hackers working on behalf of the government of Iran are using alluring social media profiles featuring a young, English photographer to entice and then compromise the systems of high value targets in the oil and gas industry, according to a report by Dell Secureworks. In a report released on Thursday, Secureworks' Counter Threat Unit (CTU) said that it observed an extensive phishing campaign beginning in January and February 2017 that used a polished social media profile of a young, English woman using the name "Mia Ash" to conduct highly targeted spear-phishing and social engineering attacks against employees of Middle Eastern and North African firms in industries like telecommunications, government, defense, oil and financial services. The attacks are the work of an advanced persistent threat group dubbed COBALT GYPSY or "Oil Rig" that has been linked to other sophisticated attacks. The attacks, which spread across platforms including LinkedIn and Facebook, as well as email, were highly successful. In some cases, the attacks lasted months -- and long after the compromise of the employee -- with the targets engaged in a flirtation with a woman they believed was a young, attractive female photographer. The Mia Ash persona is a fake identity based loosely on a real person -- a Romanian photographer and student who has posted her work prolifically online. According to a report by Security Ledger, the persona was created specifically with the goal of performing reconnaissance on and establishing relationships with employees of targeted organizations. Victims were targeted with the PupyRAT Trojan, an open source, cross-platform remote access trojan (RAT) used to take control of a victim's system and harvest credentials like logins and passwords from victims, and lured with malware-laden documents such as "photography surveys" (really?). One target was even instructed to make sure to open the document from work because it will "work better," Secureworks said.

FCC Says Its Specific Plan To Stop DDoS Attacks Must Remain Secret

Slashdot - Your Rights Online - Mon, 2017-07-31 23:20
An anonymous reader quotes a report from Ars Technica: FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter last month that it was researching "additional solutions" to protect the comment system. Democratic Leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return. "Given the ongoing nature of the threats to disrupt the Commission's electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC's IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs." The CIO's answers to lawmakers' questions were sent along with a letter from Pai to Reps. Frank Pallone, Jr. (D-N.J.), Elijah Cummings (D-Md.), Mike Doyle (D-Penn.), DeGette (D-Colo.), Robin Kelly (D-Ill.), and Gerald Connolly (D-Va.). The letter is dated July 21, and it was posted to the FCC's website on July 28.

LinkedIn Says It's Illegal To Scrape Its Website Without Permission

Slashdot - Your Rights Online - Mon, 2017-07-31 20:40
A small company called hiQ is locked in a high-stakes battle over web scraping with LinkedIn. It's a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the web. From a report: HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA. James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company. "Lots of businesses are built on connecting data from a lot of sources," Grimmelmann said. He argued that scraping is a key way that companies bootstrap themselves into "having the scale to do something interesting with that data." [...] But the law may be on the side of LinkedIn -- especially in Northern California, where the case is being heard. In a 2016 ruling, the 9th Circuit Court of Appeals, which has jurisdiction over California, found that a startup called Power Ventures had violated the CFAA when it continued accessing Facebook's servers despite a cease-and-desist letter from Facebook.

Hackers Break Into HBO's Networks, May Have Leaked 'Game of Thrones' Script

Slashdot - Your Rights Online - Mon, 2017-07-31 18:40
An anonymous reader shares a report: Hackers have broken into the networks of HBO and reportedly leaked unreleased episodes of a number of shows, as well as the script for next week's "Game of Thrones" episode. Altogether, they have reportedly obtained a total of 1.5 terabyte of data. HBO confirmed the intrusion in a statement sent to Variety: "HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information. We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold."

It Is Easy To Expose Users' Secret Web Habits, Say Researchers

Slashdot - Your Rights Online - Mon, 2017-07-31 18:00
An anonymous reader shares a BBC report: Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician. The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather "clickstreams." These are detailed records of everywhere that people go online. The researchers argue such data -- which some firms scoop up and use to target ads -- should be protected. The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals. People's browsing history is often used to tailor marketing campaigns. The results of the research by Svea Eckert and Andreas Dewes were revealed at the Def Con hacking conference in Las Vegas this weekend. The pair found that 95% of the data they obtained came from 10 popular browser extensions. "What these companies are doing is illegal in Europe but they do not care," said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.

Russia Bans VPNs To Stop Users From Looking at Censored Sites

Slashdot - Your Rights Online - Mon, 2017-07-31 17:20
Russia is cracking down on software that allows users to view internet sites banned by the government. From a report: President Vladimir Putin has signed a bill that prohibits services, including virtual private networks (VPNs), that enable users to skirt government censorship efforts. The law will take effect on November 1. Russian internet regulator Roskomnadzor maintains a blacklist of thousands of websites. Leonid Levin, chairman of a parliamentary committee on information policy and communications, said the law signed by Putin does not "introduce any new restrictions and especially no censorship." "My colleagues only included the restriction of access to information that is already forbidden by law or a court decision," he told state news agency RIA Novosti earlier this month.

Facebook Funds 'Defending Digital Democracy' Initiative At Harvard

Slashdot - Your Rights Online - Mon, 2017-07-31 10:00
An anonymous reader quotes Diginomica: A fresh initiative aimed at information sharing about election threats and dubbed Defending Digital Democracy has the financial support of Facebook and the academic muscle of Harvard behind it. Will the project succeed where similar initiatives have failed...? On 19 July and backed by a $500,000 initial grant from Facebook, the Belfer Center for Science and International Affairs at Harvard Kennedy School launched a new, bipartisan initiative called the Defending Digital Democracy Project. The project will be co-led by Robby Mook, Democrat Hillary Clinton's 2016 presidential campaign manager, and Matt Rhoades, Republican Mitt Romney's 2012 campaign manager. The hope is that by creating a unique and bipartisan team comprised of top-notch political operatives and leaders in the cyber and national security world, the project will be able to identify and recommend strategies, tools, and technology to protect democratic processes and systems from cyber and information attacks. The group will also assess new technologies (including blockchain) to secure elections, and wants to create an information sharing infrastructure modeled "on similar efforts within the tech industry to share tech intelligence." The article says Facebook's chief security officer "hopes that election officials who are wary of cooperating with the federal government will be more receptive to working with an independent group tied to Harvard and the tech industry," and the group also includes Google's director for Information Security and Privacy. "Facebook plans to host state and local election officials at its D.C. office later this year to discuss the information sharing organization, and launch the organization in early 2018."

O'Reilly Media Asks: Is It Time To Build A New Internet?

Slashdot - Your Rights Online - Mon, 2017-07-31 01:39
An anonymous reader shares an article from O'Reilly Media's VP of content strategy: It's high time to build the internet that we wanted all along: a network designed to respect privacy, a network designed to be secure, and a network designed to impose reasonable controls on behavior. And a network with few barriers to entry -- in particular, the certainty of ISP extortion as new services pay to get into the "fast lane." Is it time to start over from scratch, with new protocols that were designed with security, privacy, and maybe even accountability in mind? Is it time to pull the plug on the abusive old internet, with its entrenched monopolistic carriers, its pervasive advertising, and its spam? Could we start over again? That would be painful, but not impossible... In his deliciously weird novel Someone Comes To Town, Someone Leaves Town, Cory Doctorow writes about an alternative network built from open WiFi access points. It sounds similar to Google's Project Fi, but built and maintained by a hacker underground. Could Doctorow's vision be our future backboneless backbone? A network of completely distributed municipal networks, with long haul segments over some public network, but with low-level protocols designed for security? We'd have to invent some new technology to build that new network, but that's already started. The article cites the increasing popularity of peer-to-peer functionality everywhere from Bitcoin and Blockchain to the Beaker browser, the Federated Wiki, and even proposals for new file-sharing protocols like IPFS and Upspin. "Can we build a network that can't be monopolized by monopolists? Yes, we can..." "It's time to build the network we want, and not just curse the network we have."

Should The Government Fix Slow Internet Access?

Slashdot - Your Rights Online - Sun, 2017-07-30 21:28
An anonymous reader quotes a story from Nate Silver's FiveThirtyEight site about "the worst internet in America": FiveThirtyEight analyzed every county's broadband usage using data from researchers at the University of Iowa and Arizona State University and found that Saguache, Colorado was at the bottom. Only 5.6 percent of adults were estimated to have broadband... It has some of the worst internet in the country. That's in part because of the mountains and the isolation they bring... Its population of 6,300 is spread across 3,169 square miles, 7,800 feet above sea level, but on land that is mostly flat, so you can almost see the full scope of two mountain ranges as you drive the county's highway... But Saguache isn't alone in lacking broadband. According to the Federal Communications Commission, 39 percent of rural Americans -- 23 million people -- don't have access. In Pew surveys, those who live in rural areas were about twice as likely not to use the internet as urban or suburban Americans. In Saguache County, download speeds of 12 Mbps (with an upload speed of 2 Mbps) cost $90 a month, and the article points out that when it comes to providing broadband, "small companies and cooperatives are going it more or less alone, without much help yet from the federal government." But that raises an inevitable question. Should the federal government be subsidizing rural internet access?

Honolulu Targets 'Smartphone Zombies' With Crosswalk Ban

Slashdot - Your Rights Online - Sun, 2017-07-30 17:10
Templer421 shares news from Reuters: A ban on pedestrians looking at mobile phones or texting while crossing the street will take effect in Hawaii's largest city in late October, as Honolulu becomes the first major U.S. city to pass legislation aimed at reducing injuries and deaths from "distracted walking." The ban comes as cities around the world grapple with how to protect phone-obsessed "smartphone zombies" from injuring themselves by stepping into traffic or running into stationary objects. Starting Oct. 25, Honolulu pedestrians can be fined between $15 and $99, depending on the number of times police catch them looking at a phone or tablet device as they cross the street, Mayor Kirk Caldwell told reporters gathered near one of the city's busiest downtown intersections on Thursday... People making calls for emergency services are exempt from the ban... Opponents of the Honolulu law argued it infringes on personal freedom and amounts to government overreach. Meanwhile, the city of London has tried putting pads on their lamp posts "to soften the blow for distracted walkers."

Will 'Smart Cities' Violate Our Privacy?

Slashdot - Your Rights Online - Sun, 2017-07-30 06:54
An anonymous reader quotes Computerworld's article on the implications of New York City's plan to blanket the city with "smart" kiosks offering ultrafast Wi-Fi. The existence of smart-city implementations like Intersection's LinkNYC means that New Yorkers won't actually need mobile contracts anymore. Most who would otherwise pay for them will no doubt continue to do so for the convenience. But those who could not afford a phone contract in the past will have ubiquitous fast connectivity in the future. This strongly erodes the digital divide within smart cities. A 2015 study conducted by New York City found that more than a quarter of city households had no internet connectivity at home, and more than half a million people didn't own their own computer... Over the next 15 years, the city will go through the other two phases, where sensor data will be processed by artificial intelligence to gain unprecedented insights about traffic, environment and human behavior and eventually use it to intelligently re-direct traffic and shape other city functions... And as autonomous cars gradually roll out, New York will be well positioned to be one of the first cities to legalize them, because they'll be safer thanks to 5G, sensors and data from all those kiosks. Intersection, a Google-backed startup, has already installed 1,000 of the kiosks in New York, and is planning to install 7,000 more. The sides of the kiosk have screens which show alerts and other public information -- as well as advertisements, which cover all the costs of the installations and even bring extra money into the city coffers. New York's move "puts pressure on other U.S. cities to follow suit," the article also points out, adding that privacy policies "are negotiated agreements between the company and the city. So if a city wants to use those cameras and sensors for surveillance, it can."

US Voting Machines Cracked In 90 Minutes At DEFCON

Slashdot - Your Rights Online - Sun, 2017-07-30 03:50
An anonymous reader quotes The Hill: Hackers at a competition in Las Vegas were able to successfully breach the software of U.S. voting machines in just 90 minutes on Friday, illuminating glaring security deficiencies in America's election infrastructure. Tech minds at the annual "DEF CON" in Las Vegas were given physical voting machines and remote access, with the instructions of gaining access to the software. According to a Register report, within minutes, hackers exposed glaring physical and software vulnerabilities across multiple U.S. voting machine companies' products. Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP. Though some of the machines were out of date, they were all from "major U.S. voting machine companies" like Diebold Nixdorf, Sequoia Voting Systems, and WinVote -- and were purchased on eBay or at government auctions. One of the machines apparently still had voter registration data stored in plain text in an SQLite database from a 2008 election, according to the event's official Twitter feed. By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."

Apple Pulls Anti-Censorship Apps from China's App Store

Slashdot - Your Rights Online - Sun, 2017-07-30 01:46
An anonymous reader quotes Fortune: Services helping Chinese users circumvent the "Great Firewall of China" have been pulled from Apple's Chinese App Store en masse. On Saturday morning, at least some software makers affected by the sweep received notification from Apple that their tools were removed for violating Chinese law. Internet censorship in China restricts communications about topics including democracy, Tibetan freedom, and the 1989 Tiananmen Square protests. The culling primarily seems to have affected virtual private networks, or VPNs, which mask users' Internet activity and data from outside monitoring. According to a report by the New York Times, many of the most popular such apps are now missing from the Chinese App Store.