Security

British Cops Will Scan Every Fan's Face At the Champions League Final (vice.com) 49

Using a new facial recognition surveillance system, British police will scan every fan's face at the UEFA Champions League on June 3rd and compare them to a police database of some 500,000 "persons of interest." "According to a government tender issued by South Wales Police, the system will be deployed during the day of the game in Cardiff's main train station, as well as in and around the Principality Stadium situated in the heart of Cardiff's central retail district." From the report: Cameras will potentially be scanning the faces of an estimated 170,000 visitors plus the many more thousands of people in the vicinity of the bustling Saturday evening city center on match day, June 3. Captured images will then be compared in real time to 500,000 custody images stored in the police information and records management system alerting police to any "persons of interest," according to the tender. The security operation will build on previous police use of Automated Facial Recognition, or AFR technology by London's Metropolitan Police during 2016's Notting Hill Carnival.
Businesses

Amazon Wants To Put a Camera and Microphone in Your Bedroom (vice.com) 182

On Wednesday, Amazon announced the Echo Look, the latest gadget in the company's new Echo-powered hardware lineup. Motherboard explains: The newly announced Echo Look is a virtual assistant with a microphone and a camera that's designed to go somewhere in your bedroom, bathroom, or wherever the hell you get dressed. Amazon is pitching it as an easy way to snap pictures of your outfits to send to your friends when you're not sure if your outfit is cute, but it's also got a built-in app called StyleCheck that is worth some further dissection. [...] "All photos and video captured with your Echo Look are securely stored in the AWS cloud and locally in the Echo Look app until a customer deletes them," a spokesperson for the company said. "You can delete the photos or videos associated with your account anytime in the Echo Look App." Motherboard also asked if Echo Look photos, videos, and the data gleaned from them would be sold to third parties; the company did not address that question.
Network

Gamers in Hawaii Can't Compete... Because of Latency (theoutline.com) 263

Sometimes it's very important to know that the servers of the web services you're using are situated somewhere in your neighbourhood. And it's not just because of privacy concerns. The Outline has a story this week in which it talks about gamers in Hawaii who're increasingly finding it difficult to compete in global tournaments because the games' servers are almost every time placed overseas. From the article: [...] The game's server is in Chicago. That means if you live in the Midwest, your computer can communicate with it almost instantaneously. If you're in L.A., it can take roughly 60 milliseconds. But if you're in Hawaii, it can take 120 milliseconds, with some players reporting as long as 200 milliseconds. And at the highest echelons of competitive video gaming, milliseconds matter. [...] In League and other eSports games, playing on a high ping is a big disadvantage. The goal of the game is to set up defenses to protect your base while pushing forward to capture the enemy's base, and there are typically lightning bolts and fireballs and slime-spitting dragons shooting across the screen. Playing on a high ping means players may not see all of the action that happens in a game. Latency can really screw things up for a young eSports scene, said Zack Johnson, who runs gg Circuit, a global tournament provider for gaming centers like PC Gamerz. Players on the mainland sometimes say they don't want to compete against Hawaii players, he said, because the high ping throws things off.
The Courts

Uber Gets Sued Over Alleged 'Hell' Program To Track Lyft Drivers (techcrunch.com) 36

An anonymous reader quotes a report from TechCrunch: Uber has another lawsuit on its hands. This time, it's about Uber's alleged use of a program called "Hell." The plaintiff, Michael Gonzales, drove for Lyft during the time Uber allegedly used the software. He's seeking $5 million in a class action lawsuit. As the story goes, Uber allegedly tracked Lyft drivers using a secret software program internally referred to as "Hell." It allegedly let Uber see how many Lyft drivers were available to give rides, and what their prices were. Hell could allegedly also determine if people were driving for both Uber and Lyft. The lawsuit, filed in the U.S. District Court for the Northern District of California, alleges Uber broadly invaded the privacy of the Lyft drivers, specifically violated the California Invasion of Privacy Act and Federal Wiretap Act and engaged in unfair competition. Uber has not confirmed nor outright denied the claims.
Operating Systems

NSA's DoublePulsar Kernel Exploit a 'Bloodbath' (threatpost.com) 183

msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.
Businesses

Uber Tried To Hide Its Secret IPhone Fingerprinting From Apple (cnbc.com) 114

theodp quotes today's New York Times profile of Uber CEO Travis Kalanick: For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple's engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple's privacy guidelines.
Uber told TechCrunch this afternoon that it still uses a form of this device fingerprinting, saying they need a way to identify those devices which committed fraud in the past -- especially in China, where Uber drivers used stolen iPhones to request dozens of rides from themselves to increase their pay rate. It's been modified to comply with Apple's rules, and "We absolutely do not track individual users or their location if they've deleted the app..." an Uber spokesperson said. "Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."

The article offers a longer biography of Kalanick, who dropped out of UCLA in 1998 to start a peer-to-peer music-sharing service named Scour. (The service eventually declared bankruptcy after being sued for $250 billion for alleged copyright infringement.) Desperately trying to save his next company, Kalanick "took the tax dollars from employee paychecks -- which are supposed to be withheld and sent to the Internal Revenue Service," according to the Times, "and reinvested the money into the start-up, even as friends and advisers warned him the action was potentially illegal." The money eventually reached the IRS as he "staved off bankruptcy for a second time by raising another round of funding." But the article ultimately argues that Kalanick's drive to win in life "has led to a pattern of risk-taking that has put his ride-hailing company on the brink of implosion."
Government

CIA, FBI Launch Manhunt For WikiLeaks Source (cbsnews.com) 199

An anonymous reader quotes CBS: CBS News has learned that a manhunt is underway for a traitor inside the Central Intelligence Agency. The CIA and FBI are conducting a joint investigation into one of the worst security breaches in CIA history, which exposed thousands of top-secret documents that described CIA tools used to penetrate smartphones, smart televisions and computer systems. Sources familiar with the investigation say it is looking for an insider -- either a CIA employee or contractor -- who had physical access to the material... Much of the material was classified and stored in a highly secure section of the intelligence agency, but sources say hundreds of people would have had access to the material. Investigators are going through those names.
Homeland security expert Michael Greenberger told one CBS station that "My best guess is that when this is all said and done we're going to find out that this was done by a contractor, not by an employee of the CIA."
Education

EFF Says Google Chromebooks Are Still Spying On Students (softpedia.com) 84

schwit1 quotes a report from Softpedia: In the past two years since a formal complaint was made against Google, not much has changed in the way they handle this. Google still hasn't shed its "bad guy" clothes when it comes to the data it collects on underage students. In fact, the Electronic Frontier Foundation says the company continues to massively collect and store information on children without their consent or their parents'. Not even school administrators fully understand the extent of this operation, the EFF says. According to the latest status report from the EFF, Google is still up to no good, trying to eliminate students' privacy without their parents' notice or consent and "without a real choice to opt out." This, they say, is done via the Chromebooks Google is selling to schools across the United States.
Botnet

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com) 88

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum user claiming he had been destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.
Crime

DOJ: Russian 'Superhacker' Gets 27 Years In Prison (thedailybeast.com) 50

According to the Justice Department, a 32-year-old Russian "superhacker" has been sentenced to 27 years in prison for stealing and selling millions of credit-card numbers, causing more than $169 million worth of damages to business and financial institutions. The Daily Beast reports: Roman Valeryevich Seleznev, 32, aka Track2, son of a prominent Russian lawmaker, was convicted last year on 38 counts of computer intrusion and credit-card fraud. "This investigation, conviction and sentence demonstrates that the United States will bring the full force of the American justice system upon cybercriminals like Seleznev who victimize U.S. citizens and companies from afar," said Acting Assistant Attorney General Kenneth Blanco in a statement. "And we will not tolerate the existence of safe havens for these crimes -- we will identify cybercriminals from the dark corners of the Internet and bring them to justice."
Microsoft

Microsoft Improves Gmail Experience For Windows 10 Insiders, But There Are Privacy Concerns (betanews.com) 70

Reader BrianFagioli writes: Today, Microsoft announced a new Gmail experience for Windows 10. While only available for Windows Insiders as of today, it uses the same concept as the Outlook mobile app, but for the Mail and Calendar apps. Microsoft will provide you with an arguably improved experience as long as you are OK with storing all of your Gmail messages in Microsoft's cloud. What types of features will the new experience offer? Things such as tracking packages, getting updated on your favorite sports teams, and a focused inbox. "To power these new features, we'll ask your permission to sync a copy of your email, calendar and contacts to the Microsoft Cloud. This will allow new features to light up, and changes to update back and forth with Gmail -- such as creation, edit or deletion of emails, calendar events and contacts. But your experience in Gmail.com or apps from Google will not change in any way."
Microsoft

LinkedIn Apologizes For Trying To Connect Everyone In Real Life (vocativ.com) 71

LinkedIn has apologized for a vague new update that told some iPhone users its app would begin sharing their data with nearby users without further explanation. From a report: The update prompted outrage on Twitter after cybersecurity expert Rik Ferguson received a strange alert when he opened the resume app to read a new message: "LinkedIn would like to make data available to nearby Bluetooth devices even when you're not using the app." That gave Ferguson, vice president of research at the cybersecurity firm Trend Micro, a handful of concerns, he told Vocativ. Among them: "the lack of specificity, which data, when, under what conditions, to which devices, why does it need to happen when I'm not using the app, what are the benefits to me, where is the feature announcement and explanation, why wasn't it listed in the app update details." Reached for comment, LinkedIn said it's a mistake -- that some iPhone users were accidentally subject to an undeveloped test feature the company is still working on.
Google

In The First Months of Trump Era, Facebook And Apple Spent More On Lobbying Than They Ever Have (buzzfeed.com) 54

An anonymous reader shares a report: According to federal lobbying disclosures filed Thursday, Facebook and Apple set their all-time record high for spending in a single quarter. Facebook spent $3.2 million lobbying the federal government in the first months of the Trump era. During the same period last year, Facebook spent $2.8 million (about 15% less). The company lobbied both chambers of Congress, the White House, and six federal agencies on issues including high-tech worker visas, network neutrality, internet privacy, encryption, and international taxation. Facebook was the 12th-highest spender out of any company and second-highest in tech. [...] Apple spent $1.4 million, which is just $50,000 more than during the final months of the Obama presidency, when it set its previous record, but the most it has ever spent in a single quarter. Apple lobbied on issues including government requests for data, the regulation of mobile health apps, and self-driving cars. Google, once again, outspent every other technology company. It was 10th overall, tallying $3.5 million.
Security

Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com) 37

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researchers also recommend that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
Google

Google Home Now Recognizes Specific Users' Voices, Gains Support For Multiple Accounts (phonedog.com) 48

Google has issued a long-awaited feature for Google Home: support for multiple users. In an update rolling out today, up to six people will be able to connect their Google account to a Google Home, and the unit will try to distinguish each person's voice from the other users connected to the device. Therefore, each person will be able to get access to their schedule, playlists, and more. PhoneDog reports: Support for multiple users is rolling out in the U.S. now and will be available in the U.K. in the coming months. To know if the feature is available to you, launch the Google Home app and look for a card that says "Multi-user is available." You can also click the icon in the upper right corner, find your Google Home, and select "Link your account." From there, you'll train the Google Assistant to recognize your voice so that it knows it's you when you're talking and not the other people with connected accounts. You'll say "Ok Google" and "Hey Google" twice each.
Security

Mastercard is Building Fingerprint Scanners Directly Into Its Cards (fastcompany.com) 85

Mastercard said on Thursday it's beginning trials of its "next-generation biometric card" in South Africa. In addition to the standard chip and pin, the new cards have a built-in fingerprint reader that the user can use to authenticate every purchase. From a report: Impressively, the new card is no thicker or larger than your current credit and debit cards.
China

China To Question Apple About Live-Streaming Apps On App Store That Violate Internet Regulations (theguardian.com) 31

Three Chinese government agencies are planning to tell Apple to "tighten up checks" on live-streaming software offered on its app store, which can be used to violate internet regulation in the country. "Law enforcement officers had already met with Apple representatives over live-streaming services, [state news agency Xinhua reported], but did not provide details of the meetings," reports The Guardian. From the report: The inquiry appears to be focused on third-party apps available for download through Apple's online marketplace. The company did not respond to requests for comment. China operates the world's largest internet censorship regime, blocking a host of foreign websites including Google, Facebook, Twitter and Instagram, but the authorities have struggled to control an explosion in popularity of live-streaming video apps. As part of the inquiry into live-streaming, three Chinese websites -- toutiao.com, huoshanzhibo.com and huajiao.com -- were already found to have violated internet regulations, and had broadcast content that violated Chinese law, including providing "pornographic content," the Xinhua report said. Pornography is banned in China. The three sites were told to increase oversight of live-broadcasting services, user registration and "the handling of tips-offs." Two of the websites, huoshanzhibo.com and huajiao.com, were under formal investigation and may have their cases transferred to the police for criminal prosecutions, the Xinhua report said. Casting a wide net, the regulations state that apps cannot "engage in activities prohibited by laws and regulations such as endangering national security, disrupting social order and violating the legitimate rights and interests of others."
Communications

Microsoft's Skype Is Most Used Messaging Service For Cyber Criminals, Study Finds (securityledger.com) 57

chicksdaddy quotes a report from The Security Ledger: Cyber criminals lurk in the dark recesses of the internet, striking at random and then disappearing into the virtual ether. But when they want to talk shop with their colleagues, they turn to Redmond, Washington-based Microsoft and its Skype communications tools, according to an analysis by the firm Flashpoint. Mentions of different platforms were used as a proxy for gauging interest in and use of these messaging services. Flashpoint analysts looked, especially, for invitations to continue conversation outside of cyber criminal marketplaces, like references to ICQ accounts or other platforms. The survey results show that, out of a population of around 80 instant messenger platforms and protocols, a short list of just five platforms accounts for between 80% and 90% of all mentions within the cyber underground. Of those, Microsoft's Skype was the chat king. It ranked among the top five platforms across all language groups. That, despite the platform's lack of end-to-end encryption or forward secrecy features and evidence, courtesy of NSA hacker Edward Snowden, that U.S. spies may have snooped on Skype video calls in recent years, The Security Ledger reports. The conclusion: while security is a priority amongst thieves, it isn't the sole concern that cyber criminals and their associates have. In fact, sophisticated hacking communities like those in Russia continue to rely on legacy platforms like ICQ when provably more secure alternatives exist. The reason? Business. "These cyber criminals have a lot of different options that they're juggling and a lot of factors that weigh on their options," said Leroy Terrelonge III, the Director of Middle East and Africa Research at Flashpoint. "We might suspect that cyber criminals use the most secure means of communication all the time, that's not what our research showed."
Piracy

Pirate Bay Founder Launches Anonymous Domain Registration Service (torrentfreak.com) 60

An anonymous reader quotes a report from TorrentFreak: Former Pirate Bay spokesperson and co-founder Peter Sunde has just announced his latest venture. Keeping up his fight for privacy on the Internet, he's launching a new company called Njalla, that helps site operators to shield their identities from prying eyes. The name Njalla refers to the traditional hut that Sami people use to keep predators at bay. It's built on a tall stump of a tree or pole and is used to store food or other goods. On the Internet, Njalla helps to keep people's domain names private. While anonymizer services aren't anything new, Sunde's company takes a different approach compared to most of the competition. With Njalla, customers don't buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust. A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.
Privacy

Bose Headphones Secretly Collected User Data, Lawsuit Reveals (fortune.com) 230

The audio maker Bose, whose wireless headphones sell for up to $350, uses an app to collect the listening habits of its customers and provide that information to third parties -- all without the knowledge and permission of the users, according to a lawsuit filed in Chicago. From a report: The complaint accuses Boston-based Bose of violating the WireTap Act and a variety of state privacy laws, adding that a person's audio history can include a window into a person's life and views. "Indeed, one's personal audio selections -- including music, radio broadcast, Podcast, and lecture choices -- provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity," says the complaint, noting a person's audio history may contain files like LGBT podcasts or Muslim call-to-prayer recordings.
