Privacy

Passwords For 540,000 Car Tracking Devices Leaked Online (thehackernews.com)

An anonymous reader quotes a report from The Hacker News: Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Services (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. SVR stands for Stolen Vehicle Records; the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen. The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VINs (vehicle identification numbers) and the IMEI numbers of GPS devices. The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.
Businesses

Oracle's Larry Ellison Pokes Amazon Again With New Cloud Pricing Plan (siliconangle.com)

Oracle went on the offensive again versus Amazon.com this week with a new cloud pricing plan that gives discounts to Oracle database customers who move their databases to the cloud. From a report: Chairman and Chief Technology Officer Larry Ellison said during an event at its Redwood City, California headquarters that while Oracle has matched Amazon Web Services for base-level computing, storage and networking services known as infrastructure as a service, it's now moving to make higher-level cloud services such as databases and analytics cheaper than AWS's. Actually, Ellison claimed that Oracle's infrastructure runs faster and therefore ends up costing less, but it's clear that the company is focusing more on its traditional strengths one tier up from the infrastructure: so-called platform as a service offerings such as the Oracle Database. Oracle said it will allow customers to move their existing licenses for databases, middleware and analytics to Oracle's platform services, just as it has allowed them to bring licenses to its infrastructure before.
Android

Apple's A11 Bionic Chip In iPhone 8 and iPhone X Smokes Android Handsets In Early Benchmarks (hothardware.com)

MojoKid writes: Many of the new releases of Apple's iPhone bring with them a new A-series SoC (System on Chip) and Apple is keeping that tradition with the iPhone 8, iPhone 8 Plus, and iPhone X. Each of those handsets sports a custom ARM-based A11 Bionic processor with six cores -- four high performance cores and two power efficiency cores. The two power efficiency cores will perform the bulk of menial chores to maintain battery life, which Apple says will be 2 hours longer than the iPhone 7. However, for heavier workloads, the chip is capable of not only firing up its four high performance cores, but also all six cores simultaneously. If early leaked benchmarks are any indication, the A11 Bionic is going to be a benchmark-busting beast of a chip. A set of just-posted Geekbench scores reinforces that notion. Just prior to Apple announcing its newest iPhone models, Geekbench's database was updated with a new entry for an "iPhone 10,5" which we assume to be the iPhone X. Based on the scores recorded, in this one benchmark at least, the A11 CPU powering the iPhone X appears to be 50 to 70 percent faster than any Android handset on the market currently, even those powered by the new Qualcomm Snapdragon 835.
Music

Can Blockchain Save The Music Industry? (wired.com)

An anonymous reader quotes Wired: Last fall, a group of music industry heavyweights gathered in New York City to do something they'd mostly failed to do up to that point: work together. Representatives from major labels like Universal, Sony, and Warner sat next to technologists from companies like Spotify, YouTube, and Ideo and discussed the collective issues threatening their industry... The participants of that confab would later form a group called the Open Music Initiative... "Pretty early on it was obvious that there's an information gap in the industry," says Erik Beijnoff, a product developer at Spotify and a member of the OMI.

That "information gap" refers to the data around who helped create a song. Publishers might keep track of who wrote the underlying composition of a song, or the session drummer on a recording, but that information doesn't always show up in a digital file's metadata. This disconnect between the person who composed a song, the person who recorded it, and the subsequent plays, has led to problems like writers and artists not getting paid for their work, and publishers suing streaming companies as they struggle to identify who is owed royalties. "It's a simple question of attribution," says Berklee College of Music's vice president of innovation and strategy, Panos A. Panay. "And payments follow attribution."

Over the last year, members of the OMI -- almost 200 organizations in total -- have worked to develop just that. As a first step, they've created an API that companies can voluntarily build into their systems to help identify key data points like the names of musicians and composers, plus how many times and where tracks are played. This information is then stored on a decentralized database using blockchain technology -- which means no one owns the information, but everyone can access it.

Earth

UN Aviation Agency To Call For Global Drone Registry (reuters.com)

An anonymous reader quotes a report from Reuters: The United Nations' aviation agency is backing the creation of a single global drone registry, as part of broader efforts to come up with common rules for flying and tracking unmanned aircraft. While the International Civil Aviation Organization cannot impose regulations on countries, ICAO has proposed formation of the registry during a Montreal symposium this month to make data accessible in real time, said Stephen Creamer, director of ICAO's air navigation bureau. The single registry would eschew multiple databases in favor of a one-stop-shop that would allow law enforcement to remotely identify and track unmanned aircraft, along with their operator and owner. It's not yet clear who would operate such a database, although ICAO could possibly fill that role. The proposal, however, could face pushback from users, after hobbyists successfully challenged the creation of a U.S. drone registry by the Federal Aviation Administration in court earlier this year.
Security

Mexican Tax Refund Site Left 400GB of Sensitive Customer Info Wide Open (theregister.co.uk)

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database. From a report: A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of sensitive information could be either downloaded or viewed because of a lack of access controls before the system was recently secured.
Security

Over 28 Million Records Stolen In Breach of Latin American Social Network Taringa (thehackernews.com)

Taringa, also known as "The Latin American Reddit," has been compromised in a massive data breach that has resulted in the leaked login credentials of almost all of its over 28 million users. The Hacker News reports: The Hacker News has been informed by LeakBase, a breach notification service, which has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users. The hashed passwords use an ageing algorithm called MD5 -- which has been considered outdated even before 2012 -- that can easily be cracked, making Taringa users open to hackers. Wanna know how weak MD5 is? LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days. The data breach reportedly occurred last month, and the company then alerted its users via a blog post: "It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa! Creators program." the post (translated) says. "At the moment there is no concrete evidence that the attackers continue to have access to the Taringa! code and our team continues to monitor unusual movements in our infrastructure."
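The point the report makes, that unsalted MD5 lets a cracker recover most of a 28-million-row dump in days, comes down to two properties: MD5 is fast, and without a per-user salt one hash of each candidate password is checked against every user at once. The example below is added here and is not code from Taringa, LeakBase or The Hacker News; the records and wordlist are constructed stand-ins (the three literal digests are the well-known MD5 values of "123456", "password" and "qwerty"). It runs the same dictionary attack against unsalted MD5 and against salted PBKDF2-HMAC-SHA256, so the cost difference per guess and per user is visible; the PBKDF2 iteration count is kept low to stay quick, and a memory-hard function (scrypt, Argon2) is the better production choice.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample records, not real Taringa data: e-mail plus an unsalted
# MD5 hex digest, the layout the report describes.
LEAKED_RECORDS = {
    "alice@example.com": "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "bob@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",     # md5("password")
    "carol@example.com": "d8578edf8458ce06fbc5bb76a58c5ca4",   # md5("qwerty")
    # A long passphrase, computed here rather than pasted, to show one that survives.
    "dave@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# A tiny stand-in for the multi-gigabyte wordlists crackers actually use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "football"]


def crack_md5(records, wordlist):
    """Dictionary attack on unsalted MD5.

    With no salt, each candidate is hashed once and the digest is looked up
    against every user at the same time: O(wordlist) hashes, not O(wordlist * users).
    """
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in records.items() if digest in table}


def md5_guesses_per_second(n=200_000):
    """Rough single-core CPython rate; GPU rigs manage several orders of magnitude more."""
    start = time.perf_counter()
    for i in range(n):
        hashlib.md5(str(i).encode()).digest()
    return n / (time.perf_counter() - start)


# What the site should have stored instead: a salted, deliberately slow hash.
# 200,000 iterations keeps the example quick; OWASP's password storage guidance
# suggests 600,000 for PBKDF2-HMAC-SHA256 in production.
ITERATIONS = 200_000


def hash_password(password, iterations=ITERATIONS):
    """Fresh random salt per user, stored alongside the derived key."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(records, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    Weak passwords still fall, but every (user, candidate) pair costs a full
    PBKDF2 run, so the work is O(wordlist * users) slow hashes instead of
    O(wordlist) fast ones. Returns (cracked, number_of_hash_evaluations).
    """
    cracked, evaluations = {}, 0
    for user, stored in records.items():
        for word in wordlist:
            evaluations += 1
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    print("MD5 cracked:", crack_md5(LEAKED_RECORDS, WORDLIST))
    print(f"MD5 rate: {md5_guesses_per_second():,.0f} guesses/s on one CPython core")
    salted = {u: hash_password(p) for u, p in
              [("alice@example.com", "123456"), ("dave@example.com", "correct horse battery staple")]}
    print("PBKDF2 cracked:", crack_salted(salted, WORDLIST))
```

Slow hashing does not rescue "123456"; what it changes is that a cracker pays the full cost for every user separately, and the salt stops precomputed tables from applying at all. That is why the 93.79 percent figure says as much about the hash choice as about the users' passwords.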
Oracle

Oracle Finally Decides To Stop Prolonging the Inevitable, Begins Hardware Layoffs (theregister.co.uk)

Shaun Nichols, reporting for The Register: Oracle is starting layoffs that will hit its hardware division, The Register has learned. Current and some soon-to-be former staffers have whispered that the database giant is shipping out packages containing the paperwork for ending their employment. The workers have received alerts from FedEx that the packages, which will need to be signed for, are en route for a September 1 delivery. "One of my co-workers emailed that he received a notification from FedEx of a label created by Oracle America, Inc," writes one anonymous employee. "I just checked and a label has been created for my home address. This is in the US. Looks like Friday is it for Sparc MicroElectronics." The layoffs are hardly a surprise, given the performance of Oracle's hardware unit as of late. In the last financial year, Oracle reported hardware revenues of $4.15bn. By comparison, in 2016 the unit logged hardware revenues of $4.67bn. In 2015 it was $5.2bn, and 2014 saw $5.37bn.
Businesses

Facebook's 21-Year-Old Wunderkind Leaves For Google (bloomberg.com)

An anonymous reader shares a report: Facebook hired Michael Sayman for an internship when he was 17 years old, and gave him a full-time engineering job at 18. Now, the wunderkind is leaving for Alphabet's Google. He turned 21 last week. At Facebook, Sayman was a product manager who helped the social-media giant understand how his generation uses their phones, advising on experimental products for teens and helping executives understand trends. At Google, he'll be a product manager for Assistant, a voice-based service built on the search engine's giant database.
EU

Germany Tests Facial-Recognition Surveillance On 300 Citizens (dw.com)

An anonymous reader quotes DW: Earlier this year, with no shortage of publicity, Berlin police found volunteers to participate in a test of a prototype facial-recognition system at Südkreuz station. The system seeks to match images of people on CCTV cameras with pictures of the volunteers in a test database. Volunteers also wear transponders providing information about their whereabouts. Comparing the two sets of data will give a good indication of whether the technology is of any use.
Another DW article reports the six-month test is attracting criticism: Germany's interior minister is pleased with the initial results, but critics are wary of increased surveillance... The 300 testers who volunteered for the project carry a transponder that apparently only transmits data on ambient temperature, battery status and signal strength, according to the project staff member in the Südkreuz station control room who explained the technology to [German Interior Minister Thomas] de Maizière. But [activist Paul] Gerstenkorn contends the angle and acceleration of the testers are recorded as well... For German Data Protection Commissioner Andrea Voßhoff, the fact that active and not passive technology is being used is going too far. Unlike a passive chip, the transponder constantly transmits information that anyone can collect with the help of freeware available on the internet.

Voßhoff says the police have not "sufficiently" informed the testers, and called for the project to be temporarily halted... The interior minister has vehemently defended the project, saying the technology is not being used to catch petty criminals such as shoplifters, but terrorists and serious offenders. Four weeks into the test phase, de Maizière has praised its "surprising accuracy" - specifically referring to people recognized by the software whose pictures are already stored in police databases. According to Germany's federal police force, pictures of all other passers-by captured by the surveillance cameras are "immediately deleted." After the six-month trial phase in Berlin, a decision will be made on whether automatic facial recognition will be implemented nationwide in Germany's train stations and other public spaces.

Government

India's Top Court Rules Privacy a Fundamental Right in Blow To Government

India's top court unanimously ruled on Thursday that individual privacy is a fundamental right, a verdict that will impact everything from the way companies handle personal data to the roll-out of the world's largest biometric ID card program. From a report: A nine-member bench of India's Supreme Court announced the ruling in a big setback for the Narendra Modi-led government, which argued that privacy was not a fundamental right protected by the constitution. The ruling comes against the backdrop of a large multi-party case against the mandatory use of national identity cards, known as Aadhaar, as an infringement of privacy. There have also been concerns over breaches of data. Critics say the ID cards link enough data to create a comprehensive profile of a person's spending habits, their friends and acquaintances, the property they own and a trove of other information. "This is a blow to the government, because the government had argued that people do not have a right to privacy," said Prashant Bhushan, a senior lawyer involved in the case.
The Courts

Justice Department Walks Back Demand For Information On Anti-Trump Website (theverge.com)

After issuing a warrant to DreamHost for "all files" related to an anti-Trump website, the Justice Department says it's scaling back a demand for information from hosting service DreamHost. The Verge reports: In a legal filing today, the Justice Department argues that the warrant was proper, but also says DreamHost has since brought up information that was previously "unknown." In light of that, it has offered to carve out information demanded in the warrant, specifically pledging to not request information like HTTP logs tied to IP addresses. The department says it is only looking for information related to criminal activity on the site, and says that "the government is focused on the use of the Website to organize, to plan, and to effect a criminal act -- that is, a riot." Peaceful protesters, the government argues, are not the targets of the warrant. The filing asks the court to proceed with the new, less burdensome request, which, apart from the carved-out sections, still requests "all records or other information, pertaining to the Account, including all files, databases, and database records stored by DreamHost in relation to that Account." It's unclear if DreamHost will continue to fight the new demand.
United Kingdom

Energy Firm Slapped With $65,000 Fine For Making 1.5 Million Nuisance Calls (theregister.co.uk)

A UK firm offering people energy-saving solutions has been fined after making almost 1.5 million unsolicited calls without checking if the numbers were registered on the UK's opt-out database. From a report: Southampton-based Home Logic used a dialler system to screen the telephone numbers that it planned to call against the Telephone Preference Service register, which allows people to opt out of receiving marketing calls. This system was unavailable for at least 90 days out of the 220 between April 2015 and March 2016 due to technical issues -- but that didn't stop Home Logic from continuing to make phone calls. Some 1,475,969 were made in that time. And, as a result, Blighty's data protection watchdog the Information Commissioner's Office received 133 complaints about the firm from people who had registered with the TPS and did not expect to be picking up the phone to marketeers. It ruled that the biz had breached the Privacy and Electronic Communications Regulations and duly fined it £50,000 ($64,500).
Privacy

Meeting and Hotel Booking Provider's Data Found in Public Amazon S3 Bucket (threatpost.com)

Leaks of personal and business information from unsecured Amazon S3 buckets are piling up. From a report: The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Security found a publicly accessible bucket containing business and personal data, including contracts and agreements between hotels, customers and Groupize, Kromtech said. The data included some credit card payment authorization forms that contained full payment card information including expiration date and CVV code. The researchers said the database stored in S3 contained numerous folders; one called "documents" held close to 3,000 scanned contracts and agreements, while another called all_leads had more than 3,100 spreadsheets containing critical Groupize business data including earnings. There were 37 other folders in the bucket containing tens of thousands of files, most of them storing much more benign data.
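Both the SVR Tracking leak earlier on this page and the Groupize leak here are the same mistake: a bucket whose ACL or bucket policy grants read or list access to everyone. The checker below is added here and is not code from Kromtech, SVR Tracking, Groupize or any of the reports; it evaluates the two structures that decide whether a bucket is world-readable, in the shape boto3's get_bucket_acl() and get_bucket_policy() return them, and shows an open configuration beside a corrected one. The bucket name, account id and canonical user id are placeholders, and the inputs are constructed so the code runs offline without AWS credentials.

```python
import json

# Group grantees that make an ACL grant public. AuthenticatedUsers means any
# AWS account in the world, which is public for all practical purposes.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (grantee URI, permission) for every grant to AllUsers or AuthenticatedUsers.

    `acl` has the shape boto3's get_bucket_acl() returns.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose Principal is everyone.

    `policy_json` is the string get_bucket_policy() returns under "Policy".
    Each finding records whether a Condition is present: a conditional grant
    (for example on aws:SourceIp) may be intended, but a human must read it.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal")):
            findings.append({
                "Sid": stmt.get("Sid", ""),
                "Action": _as_list(stmt.get("Action", [])),
                "Resource": _as_list(stmt.get("Resource", [])),
                "Conditional": "Condition" in stmt,
            })
    return findings


def bucket_is_public(acl, policy_json=None):
    """True if the ACL or an unconditional policy statement opens the bucket to everyone."""
    if public_acl_grants(acl):
        return True
    if policy_json is None:
        return False
    return any(not f["Conditional"] for f in public_policy_statements(policy_json))


# Constructed inputs (placeholder ids), shaped like the boto3 responses.
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}

OPEN_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        # The console's "Everyone: List/Read"; lets the world enumerate and fetch the cache.
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

FIXED_ACL = {
    "Owner": OWNER,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}],
}

OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}],
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    print("open ACL grants:", public_acl_grants(OPEN_ACL))
    print("open policy statements:", public_policy_statements(OPEN_POLICY))
    print("open bucket public?", bucket_is_public(OPEN_ACL, OPEN_POLICY))
    print("fixed bucket public?", bucket_is_public(FIXED_ACL, FIXED_POLICY))
```

In practice the two inputs come from get_bucket_acl() and get_bucket_policy() (the latter raises NoSuchBucketPolicy when no policy exists, which is the `policy_json=None` case here), and the check belongs in a scheduled job or a deployment gate rather than in an after-the-fact hunt by an outside researcher.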
Databases

Google and ProPublica Team Up To Build a National Hate Crime Database (techcrunch.com)

In partnership with ProPublica, Google News Lab is launching a new tool to track hate crimes across America. The "Documenting Hate News Index" is being powered by machine learning to track reported hate crimes across all 50 states, collecting data from February 2017 onward. TechCrunch reports: Data visualization studio Pitch Interactive helped craft the index, which collects Google News results and filters them through Google's natural language analysis to extract geographic and contextual information. Because they are not catalogued in any kind of formal national database, a fact that inspired the creation of the index to begin with, Google calls the project a "starting point" for the documentation and study of hate crimes. While the FBI is legally required to document hate crimes at the federal level, state and local authorities often fail to report their own incidents, making the data incomplete at best.

The initiative is a data-rich new arm of the Documenting Hate project which collects and verifies hate incidents reported by both individual contributors and by news organizations. The Hate News Index will keep an eye out for false positives (casual uses of the word "hate" for example), striking a responsible balance between machine learning and human curation on a very sensitive subject. Hate events will be mapped onto a calendar in the user interface, though users can also use a keyword search or browse through algorithmic suggestions. For anyone who'd like to take the data in a new direction, Google will open source its data set, making it available through GitHub.

PC Games (Games)

Can 'No Man's Sky' Redeem Itself With Its Third Free Update? (engadget.com)

An anonymous reader quotes Engadget's new article on No Man's Sky: Developer Hello Games has gone some way to giving the people what they've wanted Friday with the third major update since the title's launch. "Atlas Rises" (aka update 1.3) adds the beginnings of real-time multiplayer to the space exploration game, though admittedly, "interaction with others is currently very limited." Thanks to the update, up to 16 players can now exist together in the same space. Fellow pilots will appear as floating blue orbs moving about the terrain, and proximity-based voice chat will allow players to plan their next jump together. That's pretty much it, but Hello Games calls it "an important first step into the world of synchronous co-op in No Man's Sky."

Meeting up with other explorers should be a bit easier with the new portal system, which allows players to travel between planets instantly, including to random worlds. Taking a leaf out of Stargate lore, activating a sequence of glyphs on portals can designate specific exit points. Hello Games hopes the community will band together to create something of a database of glyph sequences... There's 30 hours of new storyline gameplay and a new mission system that lets you pick up all kinds of different odd jobs from a forever-updating list. Star systems are now graded with "wealth, economy and conflict levels," giving you more information on desirable destinations (depending on what you're after). There's a new class of ships, new exotic planet types and a new "interdimensional race" to contend with. Terrain editing is now possible provided you have the appropriate Multi-Tool enhancement, and crashed freighters on the surface of planets serve as new scavenging hotspots... to its credit, Hello Games continues to push massive, free updates for the title, such that the game is now very different to what it was initially.

The game has been heavily discounted to promote the update, and Saturday it became Amazon's #12 best-selling PS4 game -- and one of Steam's top 100 most-played games.
Bitcoin

Former Bitcoin Developer Shares Early Satoshi Nakamoto Emails (vice.com)

Jordan Pearson, writing for Motherboard: Satoshi Nakamoto is Bitcoin's anonymous creator and absentee head of state. In the years since she (or he, or they) disappeared into the ether and left the technology in the hands of a few high-profile developers, Nakamoto's words have become nigh-gospel for some in the Bitcoin world. On Friday, a user going by "CipherionX" on the Bitcointalk forum published five emails allegedly between Satoshi Nakamoto and former Bitcoin developer Mike Hearn. In an email to Motherboard, Hearn confirmed that he shared the emails with the user. While Hearn himself, who was one of the earliest Bitcoin developers, has previously quoted most of the juicy bits from his correspondence with Nakamoto, it appears to be the first time much of the material has been shared in full. None of the emails are included on a popular database of Nakamoto's writings collected from old emails and forum posts.
Oracle

Oracle Fiddles With Major Database Release Cycle Numbers (theregister.co.uk)

An anonymous reader shares a report: Big Red has changed its database release cycle, scrapping names that see decimal points and numbers added on for an indeterminate amount of time, instead plumping for annual releases numbered by the year. So what would have been Oracle Database 12.2.0.2 will now be Oracle Database 18; 12.2.0.3 will come out a year later, and be Oracle Database 19. The approach puts Oracle only about 20 years behind Microsoft in adopting a year-based naming convention (Microsoft still uses years to number Windows Server, even though it stopped for desktop versions when it released XP). [...] Well, Big Red will surely be using the revamp as a way to boost sales of database licences -- a crucial part of its business -- which have been in decline for two years running. In fiscal 2016, Oracle reported a 12 per cent drop in annual sales of new software licences, and its most recent results for fiscal 2017 revealed a further 5 per cent drop. And, for all that Oracle has shouted about its cloudy success of late, it isn't yet a major money-maker for the biz. New software license sales make up a quarter of overall revenue, while support for that software makes up a further 45 per cent. In part, the new numbering will be a handy marketing ploy. Rather than playing with the decimal points, a release with a new whole number could be an attempt to give the impression of agility in the face of younger, fresher competitors. Meanwhile, fewer patches and releases on each system also allows Oracle to know more quickly, and more accurately, what security features each customer has. The annual numbering system is also a very simple way of telling you your system is old.
Network

Data Cap Analysis Found Almost 200 ISPs Imposing Data Limits in the US (arstechnica.com)

An anonymous reader shares a report: BroadbandNow, a broadband provider search site that gets referral fees from some ISPs, has more than 2,500 home internet providers in its database. BroadbandNow's team looked through the ISPs' websites to generate a list of those with data caps. The data cap information was "pulled directly from ISP websites," BroadbandNow Director of Content Jameson Zimmer told Ars. BroadbandNow, which is operated by a company called Microbrand Media, plans to keep tracking the data caps over time in order to examine trends, he said. The listed caps range from 3GB to 3TB per month. That 3GB cap seemed like it couldn't be accurate, so we called the ISP, a small phone company called NTCNet in Newport, New York. A person answering the phone confirmed that the company lists 3GB as its cap, but said it is not enforced and that customers' usage isn't monitored. The cap is essentially a placeholder in case the ISP needs to enforce data limits in the future. [...] BroadbandNow excluded mobile providers from its list of ISPs with data caps, since caps are nearly universal among cellular companies. The list of 196 providers with caps includes 89 offering fixed wireless service, 45 fiber ISPs, 35 DSL ISPs, 63 cable ISPs, and two satellite providers. Some offer Internet service using more than one technology. Some of the providers are tiny, with territories covering just 100 or a few hundred people.
Bug

The NSA Intercepted Microsoft's Windows Bug Reports (schneier.com)

Bruce Schneier writes on his security blog: Back in 2013, Der Spiegel reported that the NSA intercepts and collects Windows bug reports... "When Tailored Access Operations selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft... this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer..."

The article talks about the (limited) value of this information with regard to specific target computers, but I have another question: how valuable would this database be for finding new zero-day Windows vulnerabilities to exploit?
