FCC Says Wireless Location Data Sharing Broke the Law

Slashdot - Your Rights Online - Fri, 2020-01-31 23:26
Federal Communications Commission Chairman Ajit Pai told lawmakers Friday he intends to propose fines against at least one U.S. wireless carrier for sharing customers' real-time location data with outside parties without the subscribers' knowledge or consent. From a report: The FCC has been investigating for more than a year following revelations that subscriber location data from AT&T, T-Mobile and Sprint made its way to a resale market used by bounty hunters. Pai said in letters to several lawmakers that the agency's investigation has found that "one or more wireless carriers apparently violated federal law."

Read more of this story at Slashdot.

Charges Dropped Against Pentesters Paid To Break Into Iowa Courthouse

Slashdot - Your Rights Online - Fri, 2020-01-31 18:41
Prosecutors have dropped criminal charges against two security professionals who were arrested and jailed last September for breaking into an Iowa courthouse as part of a contract with Iowa's judicial arm. From a report: The dismissal, which was announced on Thursday, is a victory not only for Coalfire Labs, the security firm that employed the two penetration testers, but the security industry as a whole and the countless organizations that rely on it. Although employees Gary DeMercurio and Justin Wynn had written authorization to test the physical security of the Dallas County Courthouse in Iowa, the men spent more than 12 hours in jail on felony third-degree burglary charges. The charges were later lowered to misdemeanor trespass. The case cast a menacing cloud over an age-old practice that's crucial to securing buildings and the computers and networks inside of them. Penetration testers are hired to hack or break into sensitive systems or premises and then disclose the vulnerabilities and techniques that made the breaches possible. Owners and operators then use the information to improve security. "I'm very glad to hear this," said a professional pentester when I told him the charges were dropped (he prefers to use only his handle: Tink). "Clients and security firms have an obligation to protect their pentesters and consultants. Pentesters are not criminals. Pentesters help organizations protect against criminals."

FBI Probes Use of Israeli Firm's Spyware In Personal and Government Hacks

Slashdot - Your Rights Online - Fri, 2020-01-31 12:00
nickwinlund77 shares a report from Reuters: The FBI is investigating the role of Israeli spyware vendor NSO Group Technologies in possible hacks on American residents and companies as well as suspected intelligence gathering on governments, according to four people familiar with the inquiry. The probe was underway by 2017, when Federal Bureau of Investigation officials were trying to learn whether NSO obtained from American hackers any of the code it needed to infect smartphones, said one person interviewed by the FBI then and again last year. The FBI conducted more interviews with technology industry experts after Facebook filed a lawsuit in October accusing NSO itself of exploiting a flaw in Facebook's WhatsApp messaging service to hack 1,400 users, according to two people who spoke with agents or Justice Department officials. Part of the FBI probe has been aimed at understanding NSO's business operations and the technical assistance it offers customers, according to two sources familiar with the inquiry. Suppliers of hacking tools could be prosecuted under the Computer Fraud and Abuse Act (CFAA) or the Wiretap Act, if they had enough knowledge of or involvement in improper use, said James Baker, general counsel at the FBI until January 2018. The CFAA criminalizes unauthorized access to a computer or computer network, and the Wiretap Act prohibits use of a tool to intercept calls, texts or emails. NSO is known in the cybersecurity world for its "Pegasus" software and other tools that can be delivered in several ways. The software can capture everything on a phone, including the plain text of encrypted messages, and commandeer it to record audio.

E3 Organizer Says It's Tightened Security After Accidentally Doxxing Thousands of Attendees

Slashdot - Your Rights Online - Fri, 2020-01-31 01:20
The Electronic Software Association is introducing tighter security measures around press registration for E3, following an incident last year in which sensitive personal information belonging to thousands of journalists, YouTube creators, and Twitch streamers was made public. The Verge reports: A new blog post published today details updates to the conference and its "media registration process," which the company says "received a lot of attention this past summer." "Earning back your trust and support is our top priority," the post reads. "That's why we rebuilt the E3 website with enhanced and layered security measures developed by an outside cybersecurity firm. This included updating our data management processes, including the handling of personally identifiable information, and we will no longer store that data on our site." Changes to the registration process will also occur this year. The ESA will "collect the minimum information necessary" for attendees registering. The post doesn't state what those specific changes are. Last year's leak, which involved an unprotected file uploaded online and available for anyone to download, led to personal information like home addresses and phone numbers appearing on hateful forums like Kiwi Farms. After data leaked, multiple journalists -- including staff members of The Verge -- received texts and phone calls from complete strangers.

Apple, Broadcom Ordered To Pay $1.1 Billion To CalTech In Patent Case

Slashdot - Your Rights Online - Fri, 2020-01-31 01:02
The California Institute of Technology (CalTech) said it won a $1.1 billion jury verdict in a patent case against Apple and Broadcom. Reuters reports: In a case filed in federal court in Los Angeles in 2016, the Pasadena, California-based research university alleged that Broadcom wi-fi chips used in hundreds of millions of Apple iPhones infringed patents relating to data transmission technology. "While we thank the members of the jury for their service, we disagree with the factual and legal bases for the verdict and intend to appeal," Broadcom said in a statement. Apple said it plans to appeal the verdict, but declined further comment. The company had said in court filings that it believed all of the university's claims against it resulted from it using Broadcom's chips in its devices, calling itself "merely an indirect downstream party." The verdict awarded CalTech $837.8 million from Apple and $270.2 million from Broadcom. "We are pleased the jury found that Apple and Broadcom infringed Caltech patents," CalTech said in a statement. "As a non-profit institution of higher education, Caltech is committed to protecting its intellectual property in furtherance of its mission to expand human knowledge and benefit society through research integrated with education."

Feds Order Massive Number Of Tech Giants To Help Hunt Down One WhatsApp Meth Dealer

Slashdot - Your Rights Online - Thu, 2020-01-30 23:27
As it struggles to get content from encrypted messenger apps and smartphones, the U.S. government is getting creative in how it tracks down criminal WhatsApp users, according to a search warrant uncovered by Forbes. From the report: Aside from shedding light on police data-trawling operations, these new efforts are "problematic," legal experts tell Forbes. They show that investigators are willing to test the boundaries of legality by demanding content they may not legally be allowed to collect from WhatsApp. And they're then demanding data from a seemingly endless list of tech providers -- from Google to any telecom company imaginable -- that could feasibly help them catch a single WhatsApp user. In a bid to find an alleged Mexican methamphetamine dealer, the government demanded that WhatsApp hand over basic subscriber details, according to a previously unreported government order filed in Colorado in October. They'd been tipped off that the dealer -- a fugitive on the DEA's most-wanted list -- was a frequent user of WhatsApp and had even used the app to talk with an undercover agent. That WhatsApp data would come from what's known as a "pen-trap." Think of these as tracking tools that collect limited metadata like user phone numbers, IP addresses and call duration, not the content of messages. Forbes has reported on these before and they're fairly common. So far, so normal.

Breach at Indian Airline SpiceJet Affects 1.2 Million Passengers

Slashdot - Your Rights Online - Thu, 2020-01-30 20:53
SpiceJet, one of India's largest privately owned airlines, suffered a data breach involving the details of more than a million of its passengers, a security researcher told TechCrunch. From the report: The security researcher, who described their actions as "ethical hacking" but whom we are not naming as they likely fell afoul of U.S. computer hacking laws, gained access to one of SpiceJet's systems by brute-forcing the system's easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the budget-carrier last month, TechCrunch has learned. Each record included details such as name of the passenger, their phone number, email address and their date of birth, the researcher told TechCrunch. Some of these passengers were state officials, they said. The database included a rolling month's worth of flight information and details of each commuter, they said, adding that they believe that the database was easily accessible for anyone who knew where to look.

Facebook To Pay $550 Million To Settle Facial Recognition Suit

Slashdot - Your Rights Online - Thu, 2020-01-30 03:30
Facebook has agreed to pay $550 million to settle a class-action lawsuit (Warning: source may be paywalled; alternative source) over its use of facial recognition technology in Illinois, "giving privacy groups a major victory that again raised questions about the social network's data-mining practices," reports The New York Times. From the report: The case stemmed from Facebook's photo-labeling service, Tag Suggestions, which uses face-matching software to suggest the names of people in users' photos. The suit said the Silicon Valley company violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission and without telling them how long the data would be kept. Facebook has said the allegations have no merit. Under the agreement, Facebook will pay $550 million to eligible Illinois users and for the plaintiffs' legal fees. The sum dwarfs the $380.5 million that the Equifax credit reporting agency agreed this month to pay to settle a class-action case over a 2017 consumer data breach. Facebook disclosed the settlement as part of its quarterly financial results, in which it took a charge on the case. The sum amounted to a rounding error for Facebook, which reported that revenue rose 25 percent to $21 billion in the fourth quarter, compared with a year earlier, while profit increased 7 percent to $7.3 billion.

Blizzard Now Claims Full Copyright For Player-Mode 'Custom Game' Mods

Slashdot - Your Rights Online - Thu, 2020-01-30 02:10
An anonymous reader quotes a report from Ars Technica: As influential as Warcraft III was in the real-time strategy genre, the game's most enduring legacy might be as the basis for genre-defining, fan-made custom game spin-offs like Defense of the Ancients (aka Dota) and Auto Chess in its wake. Now, Blizzard is taking steps to ensure it retains complete ownership of any such custom games that originate from its titles in the future, including those that come out of Warcraft III's recently released Reforged update. As noted by PC Gamer, a recent update to Blizzard's Acceptable Use Policy expands the legal rights that custom-game makers automatically assign to Blizzard (new language highlighted in bold; old language available on The Internet Archive): "Custom Games are and shall remain the sole and exclusive property of Blizzard. Without limiting the foregoing, you hereby assign to Blizzard all of your rights, title, and interest in and to all Custom Games, including but not limited to any copyrights in the content of any Custom Games." Blizzard's claim on custom-game copyrights is important because, while it's hard to effectively copyright the basic concept of a game, you can copyright the original characters, art, and writing associated with the game itself. "Under Blizzard's new legal language, any similar games created from the base of Reforged would be completely controlled by Blizzard," adds Ars. "While other developers would be able to copy the general gameplay for their own purposes, any derivative games that use the same name, art, or characters would belong to Blizzard." "While Blizzard doesn't allow custom-game developers to engage in direct 'commercial exploitation' from their creations, those developers are allowed to accept donations to recoup the 'time and resources' involved in creating the game (with some restrictions). Blizzard also retains the right to 'remove Custom Games from its systems and/or require that a Custom Game developer cease any and/or all development and distribution of a Custom Game.'"

Department of Interior Grounds Its Drones Amid Cybersecurity Concerns

Slashdot - Your Rights Online - Thu, 2020-01-30 00:10
An anonymous reader quotes a report from TechCrunch: The U.S. Department of the Interior has confirmed it has grounded its fleet of non-emergency drones amid concerns over cybersecurity. In a brief statement, the department said the move will help to ensure that "the technology used for these operations is such that it will not compromise our national security interests." Interior spokesperson Carol Danko said the department affirms with a formal order the "temporary cessation of non-emergency drones while we ensure that cybersecurity, technology and domestic production concerns are adequately addressed," months after the department said it was grounding its approximately 800 drones. But the drones will still be used for emergency purposes, such as search and rescue and assisting with natural disasters, the statement said. The order did not specifically mention threats from China, but said that information collected during drone missions "has the potential to be valuable to foreign entities, organizations, and governments." Danko told TechCrunch that the department currently has 121 drones made by DJI and 665 drones that are Chinese-built but not made by DJI. She added that 24 drones are made in the U.S. but have Chinese components. "The review is to help us identify and assess any potential threats or risks," said Danko.

Apple Has a Putin Problem

Slashdot - Your Rights Online - Wed, 2020-01-29 22:50
harrymcc writes: New legislation in Russia -- known as the 'law against Apple' -- mandates that smartphone makers must preinstall government apps that will give authorities access to an array of information about the phone's user. Apple, not surprisingly, is trying to wriggle its way out of complying. But whatever happens, it's another case of an authoritarian government pushing around a U.S. tech company for very un-democratic reasons. Over at Fast Company, Josh Nadeau reports on the issue and why the stakes are so high.

Paris Museums Put 60,000+ Historic Photos Online, Copyright-Free

Slashdot - Your Rights Online - Wed, 2020-01-29 22:10
Long-time reader schwit1 shares a report: Paris Musees, a group of 14 public museums in Paris, has made a splash by releasing high-res digital images for over 100,000 artworks through a new online portal. All the works were released to the public domain (CC0, or "No Rights Reserved"), and they include 62,599 historic photos by some of the most famous French photographers such as Eugene Atget. The new website, called the Collections portal, was launched on January 8th and offers powerful search and filtering options for finding specific artworks.

US Files Lawsuits Over Robocall Scams, Cites 'Massive Financial Losses'

Slashdot - Your Rights Online - Wed, 2020-01-29 15:00
An anonymous reader quotes a report from Reuters: The U.S. government on Tuesday sued five U.S. companies and three individuals, alleging they were behind hundreds of millions of fraudulent robocalls that scammed elderly Americans and others into "massive financial losses." The U.S. Justice Department lawsuits said most of the calls originated in India and used voice over internet protocol (VoIP) carriers, which use internet connections instead of traditional copper phone lines. The companies named in the suits include Tollfreedeals.com, Global Voicecom Inc., Global Telecommunication Services Inc. and KAT Telecom Inc. The Justice Department said the robocalls led to "massive financial losses to elderly and vulnerable victims across the nation." U.S. Attorney Richard Donoghue, who oversees the Eastern District of New York office, said that for the first time, the Justice Department was targeting "U.S.-based enablers" and seeking temporary restraining orders to block further calls. The government said the firms were warned numerous times they were carrying fraudulent robocalls.

7 Years Later, Emergency Alert Systems Still Unpatched, Vulnerable

Slashdot - Your Rights Online - Wed, 2020-01-29 05:30
chicksdaddy writes: The Security Ledger is reporting that more than 50 Emergency Alert System (EAS) devices made by Monroe Electronics (now Digital Alert Systems) are unpatched and accessible from the public Internet, seven years after security researchers alerted the public about security flaws in the devices. More than 50 EAS deployments across the United States still use a shared SSH key, a security vulnerability first discovered and reported by IOActive in 2013, according to a warning posted by the security researcher Shawn Merdinger on January 19, seven years after the initial vulnerability report was issued. Security Ledger viewed the exposed web interfaces for Monroe/Digital Alert Systems EAS hardware used by two FM broadcasters in Texas and an exposed EAS belonging to a broadband cable provider in North Carolina. Also publicly accessible: EAS systems for two stations (FM and AM) serving the Island of Hawaii. Residents there received a false EAS alert about an incoming ICBM in 2018. That incident was found to be the result of human error but prompted the FCC to issue new guidance about securing EAS systems. Digital Alert Systems said it is aware of the problem and is contacting the customers whose gear is exposed. However, a search using the Shodan search engine suggests that few have taken steps to remove their EAS systems from the public Internet in the past week. Security Ledger is withholding the names of the broadcasters whose EAS systems were exposed for security reasons. None of the stations contacted for the story was able to provide comment prior to publication.

White House Tells Airlines It May Suspend All China-US Flights Amid Coronavirus Outbreak

Slashdot - Your Rights Online - Wed, 2020-01-29 03:05
The White House has told airline executives it's considering suspending flights from China to the U.S. amid an escalating outbreak of a new coronavirus that has infected thousands of people across the world. CNBC reports: The Trump administration is looking at a variety of measures to contain the fast-spreading virus that has infected roughly 4,700 people across the globe, U.S. health officials told reporters on a conference call Tuesday. White House officials called executives at major U.S. carriers on Tuesday, telling them that a temporary ban on China flights is on the table, according to people familiar with those conversations. United Airlines, which has the most service of the U.S. airlines to Hong Kong and mainland China with about a dozen daily flights, on Tuesday announced it would cancel dozens of flights next month to Hong Kong and mainland China as the outbreak worsens. The Chicago-based airline said it has experienced a "significant decline in demand for travel to China." United and its rivals Delta and American are waiving cancellation and change fees for travelers booked to China. The restrictions could affect flights into and out of China, as well as airports across the United States, administration officials said. They declined to be named because no final decision has been made.

Clearview AI Is Struggling To Address Complaints As Its Legal Issues Mount

Slashdot - Your Rights Online - Wed, 2020-01-29 02:45
An anonymous reader quotes a report from BuzzFeed News: Clearview AI, the facial recognition company that claims to have amassed a database of more than 3 billion photos scraped from Facebook, YouTube, and millions of other websites, is scrambling to deal with calls for bans from advocacy groups and legal threats. These troubles come after news reports exposed its questionable data practices and misleading statements about working with law enforcement. Following stories published in the New York Times and BuzzFeed News, the Manhattan-based startup received cease-and-desist letters from Twitter and the New Jersey attorney general. It was also sued in Illinois in a case seeking class-action status. Despite its legal woes, Clearview continues to contradict itself, according to documents obtained by BuzzFeed News that are inconsistent with what the company has told the public. In one example, the company, whose code of conduct states that law enforcement should only use its software for criminal investigations, encouraged officers to use it on their friends and family members. In the aftermath of revelations about its technology, Clearview has tried to clean up its image by posting informational webpages, creating a blog, and trotting out surrogates for media interviews, including one in which an investor claimed Clearview was working with "over a thousand independent law enforcement agencies." Previously, Clearview had stated that the number was around 600. Clearview has also tried to allay concerns that its technology could be abused or used outside the scope of police investigations. In a code of conduct that the company published on its site earlier this month, it said its users should "only use the Services for law enforcement or security purposes that are authorized by their employer and conducted pursuant to their employment." It bolstered that idea with a blog post on Jan. 23, which stated, "While many people have advised us that a public version would be more profitable, we have rejected the idea." "Clearview exists to help law enforcement agencies solve the toughest cases, and our technology comes with strict guidelines and safeguards to ensure investigators use it for its intended purpose only," the post stated. But in a November email, a company representative encouraged a police officer to use the software on himself and his acquaintances. "Have you tried taking a selfie with Clearview yet?" the email read. "It's the best way to quickly see the power of Clearview in real time. Try your friends or family. Or a celebrity like Joe Montana or George Clooney. Your Clearview account has unlimited searches. So feel free to run wild with your searches."

US Colleges Are Trying To Install Location Tracking Apps On Students' Phones

Slashdot - Your Rights Online - Wed, 2020-01-29 02:02
Some U.S. colleges are now apparently requiring students to install a location tracking app to track attendance. Sean Hollister writes for The Verge: The Kansas City Star reported that at the University of Missouri, new students "won't be given a choice" of whether to install the SpotterEDU app, which uses Apple's iBeacons to broadcast a Bluetooth signal that can help the phone figure out whether a student is actually in a room. But a university spokesperson told Campus Reform on Sunday that only athletes are technically required to use the app, and a new statement from the university on Monday not only claims that it's "completely optional" for students, but that the app's being piloted with fewer than 2 percent of the student body. What the reports do agree on: the app uses local Bluetooth signals, not GPS, so it's probably not going to be very useful to track students outside of school. "No GPS tracking is enabled, meaning the technology cannot locate the students once they leave class," reads part of the university's statement. SpotterEDU isn't just used at the University of Missouri, though -- it's being tested at nearly 40 schools, company founder and former college basketball coach Rick Carter told The Washington Post in December. The Post's story makes it sound remarkably effective, with one Syracuse professor attesting that classes have never been so full, with more than 90 percent attendance. But that same professor attested that an earlier version of the app did have access to GPS coordinates, if only for a student to proactively share their location with a teacher. The Post reports that Degree Analytics is also being used in an additional 19 schools, but unlike SpotterEDU, it uses Wi-Fi signals instead of Bluetooth. The New York Times also reported in September of a similar app from a company called FanMaker that provides "loyalty points" to students who stick around to watch college sports games at the stadium instead of skipping out. That app is in use at 40 schools, the Times wrote.

LabCorp Security Lapse Exposed Thousands of Medical Documents

Slashdot - Your Rights Online - Tue, 2020-01-28 22:01
A security flaw in LabCorp's website exposed thousands of medical documents, like test results containing sensitive health data. From a report: It's the second incident in the past year after LabCorp said in June that 7.7 million patients had been affected by a credit card data breach of a third-party payments processor. The breach also hit several other laboratory testing companies, including Quest Diagnostics. This latest security lapse was caused by a vulnerability on a part of LabCorp's website, understood to host the company's internal customer relationship management system. Although the system appeared to be protected with a password, the part of the website designed to pull patient files from the back-end system was left exposed. That unprotected web address was visible to search engines and was later cached by Google, making it accessible to anyone who knew where to look. The cached search result only returned one document -- a document containing a patient's health information. But changing and incrementing the document number in the web address made it possible to access other documents. The bug is now fixed.

Facebook Rolls Out Privacy Tool To Manage How You're Tracked Across the Web

Slashdot - Your Rights Online - Tue, 2020-01-28 21:21
Facebook has been determined to give people privacy controls while they're on the social network, but on Tuesday, it rolled out a long-promised tool that hopes to give people control from the social network. From a report: In a blog post on Data Privacy Day, Facebook CEO Mark Zuckerberg announced that the "Off-Facebook Activity" tool would finally be launched globally, a tool that allows people to manage how Facebook tracks them across the internet. Zuckerberg had promised this feature since May 2018, which at the time he called a "Clear History" button. While it had slow roll-outs around the world, starting last August, it should be available now to the 2.4 billion people who use Facebook every month, Zuckerberg said. In the blog post, he explained the delay was because "we had to rebuild some of our systems to make this possible." "Other businesses send us information about your activity on their sites and we use that information to show you ads that are relevant to you," Zuckerberg said in the post. "Now you can see a summary of that information and clear it from your account if you want to."

Ring Doorbell App Packed With Third-Party Trackers

Slashdot - Your Rights Online - Tue, 2020-01-28 17:21
Ring isn't just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers. An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers' personally identifiable information (PII). From the report, shared by reader AmiMoJo: Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers. The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user's device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it. All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills. Ring has exhibited a pattern of behavior that attempts to mitigate exposure to criticism and scrutiny while benefiting from the wide array of customer data available to them. It has been able to do so by leveraging an image of the secure home, while profiting from a surveillance network which facilitates police departments' unprecedented access into the private lives of citizens, as we have previously covered. For consumers, this image has cultivated a sense of trust in Ring that should be shaken by the reality of how the app functions: not only does Ring mismanage consumer data, but it also intentionally hands over that data to trackers and data miners.