Twitter

Twitter Rewrites Developer Policy To Better Support Academic Research and Use of 'Good' Bots (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Twitter today updated its Developer Policy to clarify rules around data usage, including in academic research, as well as its position on bots, among other things. The policy has also been entirely rewritten in an effort to simplify the language used and make it more conversational, Twitter says. The new policy has been shortened from eight sections to four, and the accompanying Twitter Developer Agreement has been updated to align with the Policy changes, as well. One of the more notable updates to the new policy is a change to the rules to better support non-commercial research.

Twitter data is used to study topics like spam, abuse, and other areas related to conversation health, the company noted, and it wants these efforts to continue. The revised policy now allows the use of the Twitter API for academic research purposes. In addition, Twitter is simplifying its rules around the redistribution of Twitter data to aid researchers. Now, researchers will be able to share an unlimited number of Tweet IDs and/or User IDs, if they're doing so on behalf of an academic institution and for the sole purpose of non-commercial research, such as peer review, says Twitter. The company is also revising rules to clarify how developers are to proceed when the use cases for Twitter data change. In the new policy, developers are informed that they must notify the company of any "substantive" modification to their use case and receive approval before using Twitter content for that purpose. Not doing so will result in suspension and termination of their API and data access, Twitter warns.

The policy additionally outlines when and where "off-Twitter matching" is permitted, meaning when a Twitter account is being associated with a profile built using other data. Either the developer will need to obtain opt-in consent from the user in question, or they can only proceed if the information was provided by the person or is based on publicly available data. [...] Finally, the revamped policy clarifies that not all bots are bad. Some even enhance the Twitter experience, the company says, or provide useful information. Going forward, developers must specify if they're operating a bot account, what the account is, and who is behind it. This way, explains Twitter, "it's easier for everyone on Twitter to know what's a bot – and what's not."

Botnet

Microsoft Orchestrates Coordinated Takedown of Necurs Botnet (zdnet.com)

Microsoft announced today a coordinated takedown of Necurs, one of the largest spam and malware botnets known to date, believed to have infected more than nine million computers worldwide. From a report: The takedown effort came after Microsoft and industry partners broke the Necurs DGA -- the botnet's domain generation algorithm, the component that generates random domain names. Necurs authors register DGA-generated domains weeks or months in advance and host the botnet's command-and-control (C&C) servers on them, where bots (infected computers) connect to receive new commands. "We were then able to accurately predict over six million unique domains that would be created in the next 25 months," said Tom Burt, Microsoft Vice President for Customer Security & Trust. Breaking the DGA allowed Microsoft and its industry partners to create a comprehensive list of future Necurs C&C server domains that they can now block and prevent the Necurs team from registering.

Facebook

Facebook Sues Namecheap For Letting Scammers Register Lookalike Domains (zdnet.com)

Facebook filed a lawsuit this week against Namecheap, claiming the domain name registrar has refused to cooperate in an investigation into a series of malicious domains that have been registered through its service and which impersonated the Facebook brand. ZDNet reports: Christen Dubois, Director and Associate General Counsel at Facebook, said today that Facebook engineers tracked down 45 suspicious Facebook lookalike domains registered through Namecheap, which had the owners' details hidden through the company's WhoisGuard side-service. Some of the sample domains included the likes of instagrambusinesshelp.com, facebo0k-login.com, and whatsappdownload.site. Dubois said lookalike domains like these -- which abuse the Facebook brand -- are often used for phishing, fraud, and scams.

"We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate," Dubois said. "We don't want people to be deceived by these web addresses, so we've taken legal action," the Facebook exec said.

Google

Google's Black Box Algorithm Controls Which Political Emails Land in Your Main Inbox (themarkup.org)

Adrianne Jeffries, Leon Yin, and Surya Mattu, reporting for The Markup: Pete Buttigieg is leading at 63 percent. Andrew Yang came in second at 46 percent. And Elizabeth Warren looks like she's in trouble with 0 percent. These aren't poll numbers for the U.S. 2020 Democratic presidential contest. Instead, they reflect which candidates were able to consistently land in Gmail's primary inbox in a simple test. The Markup set up a new Gmail account to find out how the company filters political email from candidates, think tanks, advocacy groups, and nonprofits. We found that few of the emails we'd signed up to receive -- 11 percent -- made it to the primary inbox, the first one a user sees when opening Gmail and the one the company says is "for the mail you really, really want."

Half of all emails landed in a tab called "promotions," which Gmail says is for "deals, offers, and other marketing emails." Gmail sent another 40 percent to spam. For political causes and candidates, who get a significant amount of their donations through email, having their messages diverted into less-visible tabs or spam can have profound effects. "The fact that Gmail has so much control over our democracy and what happens and who raises money is frightening," said Kenneth Pennington, a consultant who worked on Beto O'Rourke's digital campaign. "It's scary that if Gmail changes their algorithms," he added, "they'd have the power to impact our election."

Social Networks

LinkedIn Tests Snapchat-like Stories (inputmag.com)

If you thought LinkedIn had already reached peak undesirability, you were wrong: the company is now planning to add Snapchat-style Stories to its platform. From a report: Yes, the business-focused networking app that fills your inbox with recruiter and PR spam may be getting Stories. Social media users have been suffering from Stories exhaustion for years at this point. It's a feature that works great for its pioneer, Snapchat, and for Instagram... and pretty much nothing else -- I mean, have you ever watched a Facebook Story on purpose? LinkedIn Stories inevitably promise to bring well-manicured, painfully corporate video clips to your feed as a way to mix up the approach to networking. Or, as the company puts it, to "bring creativity and authenticity to the ways that members share more of their work life, so that they can build and nurture the relationships necessary to become more productive and successful."

Businesses

Truecaller Hits 200 Million Users (techcrunch.com)

Truecaller, one of the world's largest caller-identification service providers, has amassed 200 million monthly active users and is increasingly proving that it can turn a profit, it said Tuesday. The company also noted that India is its largest market with 150 million active users. From a report: Reaching the 200 million milestone gives the Swedish firm a significant lead over its Seattle-based rival Hiya, which had about 100 million users as of October last year. But unlike its rivals, Truecaller has expanded beyond its caller ID and spam monitoring service. In recent years, it has added messaging and payments services in some markets. Both of these are gaining adoption, said Truecaller co-founder and chief executive Alan Mamedi in an interview with TechCrunch. The payments service, currently available only in India, would soon be expanded to some African markets, said Mamedi. In India, Truecaller plans to offer a lending service in a few weeks, he said.

It's funny. Laugh.

Monty Python's Terry Jones Passes Away At 77 (bbc.com)

Mogster shares a report from the BBC: Monty Python stars have led the tributes to their co-star Terry Jones, who has died at the age of 77. The Welsh actor and writer played a variety of characters in the iconic comedy group's Flying Circus TV series, and directed several of their films. He died on Tuesday, four years after contracting a rare form of dementia known as Frontotemporal Dementia (FTD). Here are some of Jones' best lines:

"Now, you listen here! He's not the Messiah. He's a very naughty boy!" -- as Brian's mother in Monty Python's Life of Brian

"I'm alive, I'm alive!" -- as the naked hermit who gives away the location of a hiding Brian in Life of Brian

"I shall use my largest scales" -- as Sir Bedevere, who oversees a witch trial in Monty Python and the Holy Grail

"What, the curtains?" -- as Prince Herbert, who is told "One day, lad, all this will be yours" in Holy Grail

"Spam, spam, spam, spam, spam, spam, spam" -- as the greasy spoon waitress in a Monty Python sketch

Technology

Toshiba Touts Algorithm That's Faster Than a Supercomputer (bloomberg.com)

It's a tantalizing prospect for traders whose success often hinges on microseconds: a desktop PC algorithm that crunches market data faster than today's most advanced supercomputers. Japan's Toshiba says it has the technology to make such rapid-fire calculations a reality -- not quite quantum computing, but perhaps the next best thing. From a report: The claim is being met with a mix of intrigue and skepticism at financial firms in Tokyo and around the world. Toshiba's "Simulated Bifurcation Algorithm" is designed to harness the principles behind quantum computers without requiring the use of such machines, which currently have limited applications and can cost millions of dollars to build and keep near absolute zero temperature. Toshiba says its technology, which may also have uses outside finance, runs on PCs made from off-the-shelf components.

"You can just plug it into a server and run it at room temperature," Kosuke Tatsumura, a senior research scientist at Toshiba's Computer & Network Systems Laboratory, said in an interview. The Tokyo-based conglomerate, while best known for its consumer electronics and nuclear reactors, has long conducted research into advanced technologies. Toshiba has said it needs a partner to adopt the algorithm for real-world use, and financial firms have taken notice as they grapple for an edge in markets increasingly dominated by machines. Banks, brokerages and asset managers have all been experimenting with quantum computing, although viable applications are generally considered to be some time away.

Chrome

Google Chrome To Hide Notification Spam Starting February 2020 (zdnet.com)

Following in Mozilla's footsteps, Google announced today plans to hide notification popup prompts inside Chrome starting next month, February 2020. ZDNet reports: According to a blog post published today, Google plans to roll out a "quieter notification permission UI that reduces the interruptiveness of notification permission requests." The change is scheduled for Google Chrome 80, due for release on February 4, next month.

Starting with Chrome 80 next month, Google's browser will also block most notification popups by default, and show an icon in the URL bar, similar to Firefox. When Chrome 80 launches next month, a new option will be added in the Chrome settings section that allows users to enroll in the new "quieter notification UI." Users can enable this option as soon as Chrome 80 is released, or they can wait for Google to enable it by default as the feature rolls out to the wider Chrome userbase in the following weeks. According to Google, the new feature works by hiding notification requests for Chrome users who regularly dismiss notification prompts. Furthermore, Chrome will also automatically block notification prompts on sites where users rarely accept notifications.

Bug

A Twitter App Bug Was Used To Match 17 Million Phone Numbers To User Accounts (techcrunch.com)

Security researcher Ibrahim Balic said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app. TechCrunch reports: Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch. He said Twitter's contact upload feature doesn't accept lists of phone numbers in sequential format -- likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)

Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked the effort on December 20. Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users -- including politicians and officials -- to a WhatsApp group in an effort to warn users directly.

A Twitter spokesperson told TechCrunch the company was working to "ensure this bug cannot be exploited again."

"Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs," the spokesperson said.

Google

Google Adds Spam Detection and Verified Business SMS To Messages (engadget.com)

Businesses often send one-time passwords, account alerts and appointment confirmations via text. But if you've ever received one of those, you know they tend to come from a random number, and bad actors can take advantage of that by disguising phishing scams as one of those messages. To protect users, Google will soon verify SMS messages from registered businesses. From a report: When you receive a message from a verified business, you'll see the company name, logo and a verification badge in the message thread. Businesses must sign up to use Verified SMS, and so far, 1-800-Flowers, Banco Bradesco, Kayak, Payback and SoFi are on board. Verified SMS is rolling out gradually in the US, Brazil, Canada, France, India, Mexico, Philippines, Spain and the UK. Google is also adding real-time spam detection. When Google suspects a message is phishy or garbage, it will show a spam warning in Messages.

Security

Maze Ransomware Was Behind Pensacola 'Cyber Event,' Florida Officials Say (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: An email sent by the Florida Department of Law Enforcement to all Florida county commissioners indicated that the ransomware that struck the city of Pensacola on December 7 was the same malware used in an attack against the private security firm Allied Universal, according to a report by the Pensacola News Journal. That malware has been identified elsewhere as Maze, a form of ransomware that has also been distributed via spam email campaigns in Italy.

Bleeping Computer's Lawrence Abrams reported in November that the Maze operators had contacted him after the Allied Universal attack, claiming to have stolen files from the company before encrypting them on the victims' computers. After Allied apparently missed the deadline for payment of the ransom on the files, the ransomware operators published 700 megabytes of files from Allied and demanded 300 Bitcoins (approximately $2.3 million) to decrypt the network. The Maze operators told Abrams that they always steal victims' files to use as further leverage to get them to pay: "It is just a logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing from it. We also delete data because it is not really interesting. We are neither espionage group nor any other type of APT, the data is not interesting for us."

"The use of the data to blackmail the victim, and in Allied's case, the threat to use Allied's certificates and domain name to spam customers with additional ransomware attacks, is something new," writes Sean Gallagher.

"This is the first time this has ever happened, as far as we know," said Brett Callow, a spokesperson for the antivirus software vendor Emsisoft. "Ransomware groups usually encrypt, not steal. We expect data exfiltration to become more and more commonplace. Whether Pensacola's data was exfiltrated, I obviously can't say."

Open Source

Open-Source Security Nonprofit Tries Raising Money With 'Hacker-Themed' T-Shirts (ostif.org)

The nonprofit Open Source Technology Improvement Fund connects open-source security projects with funding and logistical support. (Launched in 2015, the Illinois-based group includes on its advisory council representatives from DuckDuckGo and the OpenVPN Project.)

To raise more money, they're now planning to offer "hacker-themed swag" and apparel created with a state-of-the-art direct-to-garment printer -- and they're using Kickstarter to help pay for that printer: With the equipment fully paid for, we will add a crucial revenue stream to our project so that we can get more of our crucial work funded. OSTIF is kicking in half of the funding for the new equipment from our own donated funds from previous projects, and we are raising the other half through this Kickstarter. We have carefully selected commercial-grade equipment, high quality materials, and gathered volunteers to work on the production of the shirts and wallets.

Pledges of $15 or more will be rewarded with an RFID-blocking wallet that blocks "drive-by" readers from scanning cards in your pocket, engraved with the message of your choice. And donors pledging $18 or more get to choose from their "excellent gallery" of t-shirts. Dozens of artists have contributed more than 40 specially-commissioned "hacker-themed" designs, including "Resist Surveillance" and "Linux is Communism" (riffing on a 2000 remark by Microsoft's CEO Steve Ballmer).

There are also shirts commemorating Edward Snowden (including one with an actual NSA document leaked by Edward Snowden) as well as a mock concert t-shirt for the "world tour" of the EternalBlue exploit listing locations struck after it was weaponized by the NSA. One t-shirt even riffs on the new millennial catchphrase "OK boomer" -- replacing it with the phrase "OK Facebook" using fake Cyrillic text.

And one t-shirt design shows an actual critical flaw found by the OSTIF while reviewing OpenVPN 2.4.0.

So far they have 11 backers, earning $790 of their $45,000 goal.

IT

Keybase Moves To Stop Onslaught of Spammers on Encrypted Message Platform (arstechnica.com)

From a report: Keybase started off as co-founder and developer Max Krohn's "hobby project" -- a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who also was cofounder of OkCupid and SparkNotes) got involved and along came $10.8 million in funding from a group of investors led by Andreessen Horowitz. And then things got increasingly more complicated. Keybase aims to make public-key encryption accessible to everyone, for everything from messaging to file sharing to throwing a few crypto-coins someone's way. But because of that level of accessibility, Keybase faces a very OkCupid kind of problem: after drawing in people interested in easy public-key crypto-based communications and then drawing in blockchain lovers with its partnership with (and funding from) Stellar.org, Keybase has also drawn in spammers and scammers. And that has brought a host of alerts and messages that have made what was once a fairly clear communications channel into one clogged with unwanted alerts, messages, and other unpleasantry -- raising a chorus of complaints in Keybase's open chat channel. It turns out there's a reason spell check keeps wanting to tell me that Keybase should be spelled "debase."

Keybase's leadership is promising to do something to fix the spam problem -- or at least make it easier to report and block abusers. In a blog post, Krohn and Coyne wrote, "To be clear, the current spam volume isn't dire, YET. Keybase still works great. But we should act quickly." But the measures promised by Keybase won't completely eliminate the issue. And Keybase execs have no interest in getting involved with additional steps that they see as censorship. "Keybase is a private company and we do retain our rights to kick people out," the co-founders said in the blog post. "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

Privacy

Most of the Largest US Voting Districts Are Vulnerable To Email Spoofing (techcrunch.com)

Researchers at Valimail found that only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks. TechCrunch reports: Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender's email and rejects fraudulent or spoofed emails. DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address by sending to spam or bouncing it from the target's inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know.

But the research found that although DMARC is enabled on many domains, it's not properly enforced, rendering its filtering efforts largely ineffective. The researchers said 66% of the district election-related domains had no DMARC entry at all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether. [...] The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data or delete it altogether, a move that would potentially disrupt the democratic process.
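A defender-side check that buckets DMARC records into the same four categories the study reports (no record, invalid record, valid but unenforced, enforced). This is an added example for this page, not Valimail's tooling; the district names and TXT records are constructed, and in practice the TXT strings would come from a DNS query for `_dmarc.<domain>`.

```python
"""Bucket DMARC TXT records into the categories the Valimail study reports.

Added example, not Valimail's or TechCrunch's code. In practice the TXT
strings come from a DNS query for _dmarc.<domain>; here they are
constructed inline so the check runs offline.
"""
import re
from enum import Enum
from typing import Dict, List, Optional


class DmarcStatus(Enum):
    NO_RECORD = "no DMARC record"
    INVALID = "invalid DMARC record"
    NO_ENFORCEMENT = "valid DMARC record but no enforcement"
    ENFORCED = "valid DMARC record with enforcement"


VALID_POLICIES = {"none", "quarantine", "reject"}
# One "tag=value" element. Values are validated per tag below, so a missing
# ';' that runs two tags together ("p=reject rua=...") fails at the p check.
TAG_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a record into tags; None if it is not well-formed (RFC 7489)."""
    tags: Dict[str, str] = {}
    parts = [p for p in record.split(";") if p.strip()]
    for i, part in enumerate(parts):
        m = TAG_RE.match(part)
        if m is None:
            return None
        key, val = m.group(1).lower(), m.group(2)
        if i == 0 and (key != "v" or val.upper() != "DMARC1"):
            return None  # "v=DMARC1" must be the first tag
        if key in tags:
            return None  # duplicate tag
        tags[key] = val
    return tags or None


def classify(txt_records: List[str]) -> DmarcStatus:
    """Classify all TXT strings found at _dmarc.<domain>; an empty list
    means the lookup returned nothing."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcStatus.NO_RECORD
    if len(dmarc) > 1:
        return DmarcStatus.INVALID  # receivers discard multiple DMARC records
    tags = parse_dmarc(dmarc[0])
    if tags is None:
        return DmarcStatus.INVALID
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcStatus.INVALID  # missing or unknown policy
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return DmarcStatus.INVALID
    # Rule used by this example: p=none, or a policy applied to 0% of mail,
    # gives receivers nothing to act on, so it counts as unenforced.
    if policy == "none" or int(pct) == 0:
        return DmarcStatus.NO_ENFORCEMENT
    return DmarcStatus.ENFORCED


# Constructed records for illustration; none of these are real districts.
SAMPLE_DOMAINS: Dict[str, List[str]] = {
    "county-a.example": [],
    "county-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county-b.example"],
    "county-c.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@county-c.example"],
    "county-d.example": ["v=DMARC1; p=reject rua=mailto:dmarc@county-d.example"],
    "county-e.example": ["v=DMARC1; p=quarantine; pct=0"],
    "county-f.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=reject"],
}


def summarize(domains: Dict[str, List[str]]) -> Dict[DmarcStatus, int]:
    """Count domains per status, the shape of the study's headline numbers."""
    counts = {status: 0 for status in DmarcStatus}
    for records in domains.values():
        counts[classify(records)] += 1
    return counts


if __name__ == "__main__":
    for status, n in summarize(SAMPLE_DOMAINS).items():
        print(f"{n} domain(s): {status.value}")
```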

Spam

People Worldwide Have Received More Than 26 Billion Spam Calls This Year (techcrunch.com)

Do you feel you have been receiving more spam calls of late? You are probably not wrong -- or alone. From a report: The volume of spam calls has grown by 18% globally this year, according to Truecaller. In its annual report published Tuesday, the Stockholm-based firm said users worldwide received 26 billion spam calls between January and October this year -- up from 17.7 billion during the same period last year. The United States remains the eighth most spammed country, where the volume of robocalls increased by 35% this year. In a separate report earlier this year, Truecaller estimated that 43 million Americans were scammed last year and lost about $10.5 billion. The growth is despite the efforts local carriers and authorities have made in the country. Brazil again topped the list for the most spammed country. The culprits behind the growing number of spam calls in the country are its own telecom operators and internet service providers. Truecaller said that in the last 12 months, calls from the operators have increased from 32% to 48%.

[...] One of the takeaways from the report is just how complex it is to understand the nature of these spam calls. There is no common thread -- or culprit -- behind these calls. In some markets, such as South Africa (ranked sixth in the report), spammers are mostly making fraudulent tech support calls and conducting job offer scams. Peru, ranked second, and Indonesia, ranked third, have seen spam calls explode. In Peru, users received more than 30 spam calls in a month. Most of these calls were made by financial services firms looking to upsell credit cards and loans.

Youtube

YouTube Masthead, Rolling Out To All Users, is a Massive Auto-Playing Video Ad for TV (9to5google.com)

Speaking of YouTube ads, the Google-owned company is rolling out a new ad format for its TV experience, dubbed Masthead, to all users. The company tested this new ad format with some users earlier this year. From a report: Announced in a brief post, YouTube says that its beta test of this new ad format was successful in select markets leading to the now global rollout of the Masthead ad format. The new format is available to all advertisers on a CPM basis as part of a cross-screen advertising campaign on YouTube. YouTube's Masthead ad format is not subtle by any means, appearing over the entire top portion of the TV app. Further, that ad auto-plays silently and expands to full-size when the user hovers over the ad. Advertisers, such as FOX, call this "first of its kind" initiative a "fantastic way" to promote its content. The TV network has been using the YouTube Masthead to promote its hit show The Masked Singer.

Youtube

YouTube Needs To Chill With Its Annoying Premium Spam (theverge.com)

Tom Warren, writing for The Verge: YouTube has been pissing me off for weeks. I'm starting to feel like I should pay $11.99 a month to subscribe to YouTube Premium just to get rid of the annoying pop-ups Google sends me almost daily. Google has decided to place pop-up ads in its own YouTube app for Premium subscriptions. This feels slightly acceptable at first, but Google has also decided these should spam you to death, sometimes full-screen, with no option to permanently dismiss them so you see them all the damn time. It's a classic growth hack designed to get more people to use YouTube Music or YouTube Premium because, honestly, who cares about either of those services? I already subscribe to Spotify, which is far superior to YouTube Music, and I'd never pay $11.99 just to have fewer YouTube ads and background playback of videos on my phone. It's a pointless subscription that Google is trying to lazily ram down my throat instead of improving its offering, competing fairly with others, and, most importantly, focusing on its customer experience. Google's efforts here have made sure I, and I bet many others, will never touch YouTube Music or YouTube Premium. I absolutely loathe both of these services to the point where I'm left swearing at my phone like an idiot, simply because these stubborn ads keep appearing on top of the YouTube videos I'm trying to watch.

Databases

Mysterious Hacker Dumps Database of Infamous IronMarch Neo-Nazi Forum (zdnet.com)

Freshly Exhumed shares a report from ZDNet: A mysterious hacker has published today a database dump of one of the internet's most infamous neo-nazi meeting places -- the IronMarch forum. The data published today includes a full copy of its content, including sensitive details such as emails, IP addresses, usernames, and private messages. The database dump is currently being analyzed by a multitude of entities, including law enforcement, in the hopes of linking forum members to accounts on other sites and potentially exposing their real-world identities. The drive to unmask forum members comes from the fact that IronMarch, while a little-known site to most internet users, has been the birthplace of two of today's most extreme far-right neo-nazi movements -- the Atomwaffen Division and SIEGE Culture -- with the first being accused of orchestrating at least eight murders around the world. The forum's data was published earlier today via the Internet Archive portal.

"The published information includes a carbon copy of the site, from user details to forum posts, and from private messages to multi-factor authentication settings and forum management logs," reports BleepingComputer. "The forum's database includes details on 3,548 registered profiles. The last user's database ID is 15,218; however, the dump only included details on 3,548 accounts -- most likely due to spam or deleted profiles. The registration date for the last user is November 20, 2017, suggesting the database is a copy of the site near the time it went offline."

AI

OpenAI Has Published the Text-Generating AI it Said Was Too Dangerous To Share (theverge.com)

The research lab OpenAI has released the full version of a text-generating AI system that experts warned could be used for malicious purposes. From a report: The institute originally announced the system, GPT-2, in February this year, but withheld the full version of the program out of fear it would be used to spread fake news, spam, and disinformation. Since then it's released smaller, less complex versions of GPT-2 and studied their reception. Others also replicated the work. In a blog post this week, OpenAI now says it's seen "no strong evidence of misuse" and has released the model in full.

GPT-2 is part of a new breed of text-generation systems that have impressed experts with their ability to generate coherent text from minimal prompts. The system was trained on eight million text documents scraped from the web and responds to text snippets supplied by users. Feed it a fake headline, for example, and it will write a news story; give it the first line of a poem and it'll supply a whole verse. It's tricky to convey exactly how good GPT-2's output is, but the model frequently produces eerily cogent writing that can often give the appearance of intelligence (though that's not to say what GPT-2 is doing involves anything we'd recognize as cognition).
