Security

Bulgaria's Hacked Database Leaks To Hacking Forums (zdnet.com) 32

The database of Bulgaria's National Revenue Agency (NRA), which was hacked over the weekend and sent to local reporters, is now being shared on hacking forums, ZDNet has learned from sources in the threat intelligence community. From a report: Download links to the hacked database have been shared by a hacked data trader known as Instakilla, believed to be operating out of Bulgaria. ZDNet obtained a copy of the database and verified its authenticity with local sources, and this is a copy of the same database sent to local media over the weekend. The database contains 57 folders, 10.7 GB in size, and holds personal and financial information consistent with what Bulgarian newspapers reported receiving over the weekend. This includes personally identifiable information and tax information, from both the NRA and from other government agencies that shared their data.
Businesses

Amazon Offers $10 To Prime Day Shoppers Who Hand Over Their Data (reuters.com) 91

Amazon.com has a promotion for U.S. shoppers on Prime Day, the 48-hour marketing blitz that started Monday: Earn $10 of credit if you let Amazon track the websites you visit. From a report: The deal is for new installations of the Amazon Assistant, a comparison-shopping tool that customers can add to their web browsers. It fetches Amazon's price for products that users see on Walmart.com, Target.com and elsewhere. In order to work, the assistant needs access to users' web activity, including the links and some page content they view. The catch, as Amazon explains in the fine print, is the company can use this data to improve its general marketing, products and services, unrelated to the shopping assistant. The terms underscore the power consumers routinely give to Amazon and other big technology companies when using their free services. In this case, Amazon gains potential insight into how it should tailor marketing and how it could stamp out the retail competition.
Facebook

Facebook Abused To Spread Remote Access Trojans Since 2015 (zdnet.com) 25

An anonymous reader quotes a report from ZDNet: Facebook has been exploited to act as a distribution platform for a set of Remote Access Trojans (RATs) for years, researchers say. According to Check Point Research, a "large-scale" campaign has been operating under Facebook's radar since at least 2014 throughout a campaign related to politics in Libya. The aim of the operation has been to spread RATs including Houdini, Remcos, and SpyNote. Tens of thousands of victims from Libya, Europe, the US, and China are believed to have been compromised. The threat actor behind the campaign has used the political turmoil in Libya to their advantage. Libya's National Army commander, Khalifa Haftar, has been impersonated for years and a page apparently operated by the public figure was actually a central point for the distribution of malware.

The page impersonating Haftar was created in April 2019 and has since attracted over 11,000 followers. Posts were shared with political themes and links claiming to share leaked intelligence reports and material, but if someone interested in Libyan politics clicked on the URLs, they would instead be sent to malicious content. Malicious VBE and WSF files for Windows machines, as well as malware-laden APK files for the mobile Android operating system, would then be downloaded and upon execution would install a Trojan. The malware was hosted on public services including Google Drive, Box, and Dropbox.
The researchers say over 30 Facebook pages have been spreading approximately 40 malicious links since 2014 and one of them has over 100,000 followers.

"In order to avoid any suspicion, the pages in question would also publish legitimate content, most commonly related to news in Libya," the report adds. "Occasionally, other content -- such as download links to fake applications for watching football matches for free or malicious VPN services -- would also be released." Facebook says they have taken down the pages for violating their policies.
Space

SpaceX Tests Broadband Satellite Network, Claims 'First To Operate' Status (geekwire.com) 97

SpaceX says 57 of its 60 broadband data satellites are now communicating with their ground stations -- and that this grants them special privileges when other companies launch their own satellite telecommunication networks. An anonymous reader quotes GeekWire: In an emailed update, SpaceX said Starlink is ready to go into a testing phase that involves streaming videos and playing video games via satellite.... "Now that the majority of the satellites have reached their operational altitude, SpaceX will begin using the constellation to start transmitting broadband signals, testing the latency and capacity by streaming videos and playing some high-bandwidth video games using gateways throughout North America," SpaceX said... SpaceX said "Starlink is now the first NGSO [non-geosynchronous satellite orbit] system to operate in the Ku-band and communicate with U.S. ground stations, demonstrating the system's potential to provide fast, reliable internet to populations around the world."

That statement isn't intended merely as a marketing boast: In documents filed earlier this month with the Federal Communications Commission, SpaceX says its "first to operate" status with the FCC means it can "select its frequencies first" if there's a conflict with other satellite telecommunication networks in low Earth orbit. SpaceX's claim on that score has set off a flurry of regulatory filings from its rivals in the market for satellite broadband services, including the international OneWeb consortium and Canada's biggest satellite operator, Telesat.

In one of this month's filings, OneWeb charged that SpaceX was being "irresponsible" by going ahead with a Ku-band system under conditions that would interfere with OneWeb's previously launched [six] satellites. But SpaceX shrugged off OneWeb's objections, as well as Kepler's. It said neither OneWeb nor Kepler qualified for the FCC's first-choice status because their ground stations weren't in the U.S... The exchange of FCC filings illustrates how tangled the regulatory environment for satellite internet broadband services can get. And things could get even more tangled if additional players including Amazon and Boeing join the fray.

Music

When You Listen, They Watch: Pre-Saving Albums Can Allow Labels To Track Users on Spotify (billboard.com) 15

Pre-saving albums on Spotify can give music labels access to personal user data like email addresses and playlists, according to a Billboard report. From a report: To pre-save music, which adds a release to a user's library as soon as it comes out, Spotify users click through and approve permissions that give the label far more account access than the streaming giant normally grants them -- enough to track what they listen to, change what artists they follow and potentially even control their music streaming remotely. This lets labels access some of the data that streaming companies usually guard for themselves -- which they want in order to compete with the streaming giants on a more even playing field. But at a time when the policies of online giants like Google and Facebook have made online privacy a contentious issue, music's pre-saving process could begin to spark concern among consumers, and perhaps even regulators.

Labels also ask for far more permissions than they need. Spotify users who, for example, tried to pre-save the Little Mix single "Bounce Back" from links shared by the act or its label, Sony Music, were prompted to agree that Spotify could allow Sony to "view your Spotify account data," "view your activity on Spotify" and "take actions in Spotify on your behalf." The exact permissions Sony requests are only visible to those who click through to the corresponding submenus, so users may not fully understand all that they're agreeing to -- or that the changes apply to their account unless they change it on Spotify's website.

Communications

Hackers Steal Data From Telcos in Espionage Campaign (reuters.com) 28

Hackers broke into the systems of more than a dozen global telecom firms and stole huge amounts of data in a seven-year spying campaign, researchers from a cyber security company said, identifying links to previous Chinese cyber-espionage activities. From a report: Investigators at U.S.-Israeli cyber firm Cybereason said on Tuesday the attackers compromised companies in more than 30 countries and aimed to gather information on individuals in government, law-enforcement and politics. The hackers also used tools linked to other attacks attributed to Beijing by the United States and its Western allies, said Lior Div, chief executive of Cybereason. "For this level of sophistication it's not a criminal group. It is a government that has capabilities that can do this kind of attack," he told Reuters. Div later presented a step-by-step breakdown of the breach at a cybersecurity conference in Tel Aviv in the same session that the heads of U.S. and British cyber intelligence units and the head of Israel's Mossad spy agency spoke.
Security

WeTransfer Shared Its Users' Files With the Wrong People (betanews.com) 24

WeTransfer, a popular online service to transfer and share files, has informed some of its customers of a security incident that resulted in it sharing emails with download links to wrong recipients. BetaNews reports: In the email to customers, WeTransfer said: "We are writing to let you know about a security incident in which a number of WeTransfer service emails were sent to the wrong people. This happened on June 16th and 17th. Our team has been working tirelessly to correct and contain this situation and find out how it happened. We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show those files have been accessed, but almost certainly by the intended recipient. Nevertheless, as a precaution we blocked the link to prevent further downloads.
Government

Samsung Auto-Email Signature Accidentally Reveals Scripted Government News Story (theverge.com) 68

Two days ago, Egypt's former president, Mohammed Morsi, collapsed in court during a trial and died from a sudden heart attack. Even though Morsi was the first democratically elected Egyptian president, news outlets have scrubbed that information from stories of his demise in what appears to be a government-mandated description sent out to press. The Verge reports: As noted by Mada Masr, a majority of newspapers published the same 42-word story sent to editors as a directive via WhatsApp. In the case of at least one outlet, a news anchor did that a little too well. In the clip below, the anchor can be heard wrapping her report with "sent from a Samsung device."

Morsi was elected in June 2012, though the military forcibly removed him about a year later. The former president collapsed on Monday while in the midst of a courtroom hearing. The circumstances of Morsi's death have been called into question by rival regimes, including that of Turkey President Recep Tayyip Erdogan, who was aligned with Morsi during his brief rule due to both men's links to the Muslim Brotherhood. However, human rights groups have cited Morsi's deteriorating health over the years as the probable cause of his death. It's unclear why the current government, led by Abdel Fattah el-Sisi, instructed news outlets to scrub Morsi's presidential history.

Democrats

Bernie Sanders Supports Video Game Workers Unions (venturebeat.com) 323

U.S. Senator and presidential candidate Bernie Sanders has taken to Twitter to announce his support for video game workers unions. "In his message, Sanders gives shout-outs to IATSE (the International Alliance of Theatrical Stage Employees) and Game Workers Unite, two organizations that have been working to help game creators organize," reports VentureBeat. "He also links to a June 11 Time story about the epidemic of worker burn out occurring in the industry." From the report: Video games make a ton of money, including $43 billion in revenue in 2018 in the U.S. (as Sanders also points out). But the people making games are often overworked and subject to "crunch," mandatory (and sometimes unpaid) overtime. Recently, stories of unhealthy crunch cultures have surrounded giant game makers like Rockstar and Electronic Arts. Other employees suffer mass layoffs, like at Activision Blizzard earlier this year, even when their companies are making big or even record profits. Some studios shut down completely.
Music

Google Explains How It Licenses Song Lyrics For Search, Will Add Attribution (9to5google.com) 72

Over the weekend, Google Search was caught allegedly copying song lyrics from Genius.com. In response, Google published a long explanation of how lyrics in Search work and said that they will add attribution to note which third-party service is supplying the lyrics. 9to5Google reports: When you look up a song in Search, Google often returns a YouTube video with the Knowledge Panel featuring lyrics, links to streaming services, and other artist/album/release/genre info. A query that explicitly asks for "lyrics" will display the full text as the first item at the top of Google.com. The Wall Street Journal over the weekend reported on an accusation that Search was taking content from Genius. According to Google today, it does "not crawl or scrape websites to source these lyrics." When available, Google will pay music publishers for the right to display lyrics. However, in most cases, publishers do not have digital transcripts, with the search engine instead turning to third-party "lyrics content providers."

Google today reiterated that it's asking partners to "investigate the issue," with the third-party -- and not Google directly -- likely at fault for scraping Genius content. Meanwhile, Knowledge Panels in Search will soon gain attribution to note who is supplying digital lyrics text.

Government

A Year Later, US Government Websites Are Still Redirecting To Hardcore Porn (gizmodo.com) 67

An anonymous reader quotes a report from Gizmodo: Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domains that redirect users to external sites, a handy tool for criminals hoping to infect users with malware or fool them into surrendering personal information. Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirected visitors to sites with colorful names like "HD Dog Sex Girl" and "Two Hot Russians Love Animal Porn." Among those affected was the Justice Department's Amber Alert site, links from which apparently redirected users to erotic material.

The ability to generate malicious links that appear to lead to actual government websites can be a handy pretense for criminals conducting phishing campaigns. What's more, these malicious redirects may be used to send users to websites masquerading as official government services, encouraging them to hand over personal information, such as names, addresses, and Social Security numbers.
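The flaw Gizmodo describes is a classic open redirect: a handler copies a caller-supplied `next` parameter into the Location header unchanged. The following is an added example in Python (it is not code from any of the affected sites or from Gizmodo) showing that pattern beside a hardened version that only accepts same-origin relative paths, plus a small log check a site owner can run to see how often off-site targets were being requested. `SITE_ORIGIN`, `SAMPLE_LOG` and the `evil.example` hosts are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed placeholder for the site's own origin; not a real agency domain.
SITE_ORIGIN = "https://example.gov"


def unsafe_redirect_target(next_param):
    """The misconfiguration: whatever arrives in ?next= becomes the Location header.

    Any absolute URL is accepted, so a link that visibly starts with the
    government domain can end on a phishing or malware host.
    """
    return next_param


def safe_redirect_target(next_param, fallback="/"):
    """Accept only a same-origin relative path; otherwise return `fallback`.

    The checks cover the forms that naive prefix tests miss: absolute URLs,
    scheme-relative '//host', backslash variants browsers treat as slashes,
    and tab/newline characters browsers strip before parsing.
    """
    if not next_param:
        return fallback
    # Browsers strip ASCII tabs and newlines before parsing, so "/\t/evil"
    # becomes "//evil"; refuse anything with control characters or whitespace.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in next_param):
        return fallback
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return fallback  # "https://evil", "javascript:", "//evil", ...
    # Two or more leading slashes, or a backslash, are read by browsers as a
    # network-path reference (a new host) even though urlsplit sees a path.
    if next_param.startswith(("//", "/\\", "\\")):
        return fallback
    if not next_param.startswith("/"):
        return fallback  # only absolute paths on our own site are needed
    # Emit an absolute URL on our own origin so the client cannot reinterpret it.
    return urljoin(SITE_ORIGIN, next_param)


# Constructed access-log lines in Common Log Format for the check below.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Jun/2019:10:00:00 +0000] "GET /redirect?next=/apps/amber-alert HTTP/1.1" 302 0',
    '10.0.0.2 - - [01/Jun/2019:10:00:01 +0000] "GET /redirect?next=https://evil.example/ HTTP/1.1" 302 0',
    '10.0.0.3 - - [01/Jun/2019:10:00:02 +0000] "GET /redirect?next=//evil.example/ HTTP/1.1" 302 0',
]

LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')


def offsite_redirects_in_log(lines, fallback="/"):
    """Return the ?next= values that the safe handler would have refused.

    Useful for measuring exposure on a site still running the unsafe handler:
    every flagged value was an off-site (or malformed) redirect that succeeded.
    """
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for value in parse_qs(query).get("next", []):
            if safe_redirect_target(value, fallback) == fallback:
                flagged.append(value)
    return flagged


if __name__ == "__main__":
    print(offsite_redirects_in_log(SAMPLE_LOG))
```

If a site genuinely needs to redirect to other domains, extend the safe version with an explicit allowlist of exact hostnames compared against `parts.netloc` after lowercasing, rather than a substring or prefix match on the raw string.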

Privacy

Apple Limits Tracking and Ads In Kid-Focused Apps (engadget.com) 27

In addition to the "Sign in With Apple" button, Apple announced another privacy-focused measure at its WWDC on Monday: developers are no longer permitted to include third-party ads or analytics tools in apps in the App Store's kid category. Engadget reports: The company laid out the rule in its updated guidelines for app submissions, confirming a report from last week that it would add such additional protections for younger users. Developers are also prohibited from including external links or in-app purchases, unless they're in a section of the app only accessible to parents. Apple also urged developers to be mindful of privacy laws in various jurisdictions regarding the data they collect from kids.
Open Source

NLNet Funds Development of a Libre RISC-V 3D CPU (crowdsupply.com) 75

The NLNet Foundation is a non-profit supporting privacy, security, and the "open internet". Now the group has approved funding for the hybrid Libre RISC-V CPU/VPU/GPU, which will "pay for full-time engineering work to be carried out over the next year, and to pay for bounty-style tasks."

Long-time Slashdot reader lkcl explains why that's significant: High security software is irrelevant if the hardware is fundamentally compromised, for example with the Intel spying backdoor co-processor known as the Management Engine. The Libre RISCV SoC was begun as a way for users to regain trust and ownership of the hardware that they legitimately purchase.

This processor will be the first of its kind, as the first commercial SoC designed to give users the hardware and software source code of the 3D GPU, Video Decoder, main processor, boot process and the OS.

Shockingly, in the year 2019, whilst there are dozens of SoCs with full source code that are missing either a VPU or a GPU (such as the TI OMAP Series and Xilinx ZYNQ7000s), there does not exist a single commercial embedded SoC which has full source code for the bootloader, CPU, VPU and GPU. The iMX6 for example has etnaviv support for its GPU however the VPU is proprietary, and all of Rockchip and Allwinner's offerings use either MALI or PowerVR yet their VPUs have full source (reverse engineered in the case of Allwinner).

This processor, which will be a quad-core, dual-issue 800 MHz RV64GC and capable of running full GNU/Linux SMP OSes, with 720p video playback and embedded-level 25 fps 3D performance in around 2.5 watts at 28nm, is designed to address that imbalance. Links and details on the Libre RISC-V SoC wiki.

The real question is: why is this project the only one of its kind, and why has no well funded existing Fabless Semiconductor Company tried something like this before? The benefits to businesses of having full source code are already well-known.

Biotech

Gut Bacteria May Contribute To Autism Symptoms, Mouse Study Finds (sciencemag.org) 105

Suren Enfiajyan shared this story from Science magazine: Genes are a powerful driver of risk for autism, but some researchers suspect another factor is also at play: the set of bacteria that inhabits the gut. That idea has been controversial, but a new study offers support for this gut-brain link. It reveals that mice develop autismlike behaviors when they are colonized by microbes from the feces of people with autism. The result doesn't prove that gut bacteria can cause autism. But it suggests that, at least in mice, the makeup of the gut can contribute to some hallmark features of the disorder.

"It's quite an encouraging paper," says John Cryan, a neuroscientist at University College Cork in Ireland who was not involved in the research. The idea that metabolites -- the molecules produced by bacterial digestion -- can influence brain activity "is plausible, it makes sense, and it will help push the field forward..." Compared with mice colonized with bacteria from children without autism, the mice that inherited a microbiome from a child with autism were less social and showed more repetitive behavior, the authors report today in Cell. Mice with the autism-derived microbiome also had lower levels of several bacterial species that the researchers suspect could be beneficial...

"There's still a lot of missing links," says Jun Huh, an immunologist at Harvard University who studies the relationship between bacteria and brain function. "But I think the real importance of this study is to show -- for the first time -- that there's a causal relationship between the bacterial community and [autismlike] behavior."

UPDATE (6/21/2019): Some online criticism of the study suggests that the data may have been misinterpreted.
Security

Docker Bug Allows Root Access To Host File System (duo.com) 76

Trailrunner7 shares a report: All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there's a fix in the works, it has not yet been integrated. The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the "docker cp" command, which copies files to and from containers.

"The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack. The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of 'docker cp' it is opened when creating the archive that is streamed to the client)," Sarai said in his advisory on the problem. "If an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of 'docker cp' this gives you read and write access to any path on the host."
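The resolve-then-operate gap Sarai describes, shown as an added example in Python (this is not Docker's Go code and not from the advisory). `naive_open` resolves a path to a string, checks that it stays under the root, and later opens that string again, so a component swapped for a symlink in between is followed. `scoped_open` instead walks the path one component at a time relative to a directory descriptor with `O_NOFOLLOW`, so there is no resolved string to re-walk and a swapped-in symlink is refused. The directory layout, the file contents and the `swap_dir_for_symlink` hook that stands in for the racing process are all constructed for the demonstration; it needs a Unix platform where `os.open` supports `dir_fd`.

```python
import os
import tempfile


def naive_open(root, rel_path, between_check_and_use=None):
    """Resolve a path by string, check it, then open it by string again.

    This is the resolve-then-operate shape the advisory describes. The
    `between_check_and_use` hook exists only to make the race deterministic
    in a demonstration; in real code the window is simply the time between
    resolution and the later open.
    """
    root = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, resolved]) != root:
        raise PermissionError("path escapes root at resolution time")
    if between_check_and_use is not None:
        between_check_and_use()
    # The kernel walks the path by name a second time here. A component that
    # was swapped for a symlink after the check is followed, outside root.
    return open(resolved, "rb")


def scoped_open(root, rel_path):
    """Open rel_path beneath root one component at a time, relative to an fd.

    Every step uses openat() with O_NOFOLLOW, so a symlink anywhere in the
    path is refused rather than followed, and '..' is rejected outright so
    nothing can climb above root. There is no resolved string to re-walk,
    so a swap after a check has nothing to race against.
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError("'..' is not allowed in a scoped path")
    if not parts:
        raise IsADirectoryError(rel_path)
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        leaf = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    finally:
        os.close(fd)
    return os.fdopen(leaf, "rb")


def scoped_open_rejects(root, rel_path):
    """True if scoped_open refuses rel_path (symlink, '..' or missing file)."""
    try:
        scoped_open(root, rel_path).close()
    except OSError:  # PermissionError and the ELOOP error are both OSError
        return True
    return False


def build_sandbox():
    """Constructed layout: root/data/file.txt stands in for a container file,
    outside/file.txt for a host file the copy must never reach."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "root")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "data"))
    os.makedirs(outside)
    with open(os.path.join(root, "data", "file.txt"), "wb") as f:
        f.write(b"container data")
    with open(os.path.join(outside, "file.txt"), "wb") as f:
        f.write(b"host data")
    return root, outside


def swap_dir_for_symlink(root, outside):
    """Stands in for the racing process: after the check has passed, replace
    root/data with a symlink that points outside root."""
    data = os.path.join(root, "data")
    os.rename(data, data + ".moved")
    os.symlink(outside, data)


def demo():
    """Run both openers against the race and return what each produced."""
    root, outside = build_sandbox()
    with naive_open(root, "data/file.txt",
                    lambda: swap_dir_for_symlink(root, outside)) as f:
        naive_result = f.read()  # the swap won: this is the outside file
    scoped_result = "rejected" if scoped_open_rejects(root, "data/file.txt") else "followed"
    root2, _ = build_sandbox()  # untouched tree: ordinary files still open
    with scoped_open(root2, "data/file.txt") as f:
        legit = f.read()
    dotdot = scoped_open_rejects(root2, "../outside/file.txt")
    return naive_result, scoped_result, legit, dotdot


if __name__ == "__main__":
    print(demo())
```

On recent Linux kernels the same guarantee is available in a single system call: `openat2(2)` with `RESOLVE_IN_ROOT` (or `RESOLVE_BENEATH`) performs the scoped walk inside the kernel, which removes the window entirely rather than narrowing it.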

Piracy

Hundreds of Thousands of 'Pirate' Sites Disappear Following Takedown Notices (torrentfreak.com) 43

An anonymous reader shares a report: Every week millions of these requests are sent to hosting platforms, as well as third-party services, such as search engines. Quite a few of the major players, including Twitter, Google, and Bing, publish these requests online. However, due to the massive volume, it's hard for casual observers to spot any trends in the data. Researchers from Queen Mary University of London and Boston University aim to add some context with an elaborate study covering a broad database of takedown requests. Their results are now bundled in a paper titled: "Who Watches the Watchmen: Exploring Complaints on the Web."

The research covers all takedown requests that were made available through the Lumen Database in 2017. The majority of these were sent to Google, with Bing, Twitter, and Periscope as runners-up. In total, more than one billion reported URLs were analyzed. Most takedown requests or 'web complaints' were copyright-related, 98.6% to be precise. This means that other notices, such as defamation reports, court orders, and Government requests, make up a tiny minority. The researchers report that the complaints were submitted by 38,523 unique senders, covering 1.05 billion URLs. While that's a massive number, most reported links are filed by a very small group of senders.

Businesses

Huawei's Ace In the Hole: Undersea Cables (nikkei.com) 107

While the United States is banning the use of Huawei equipment from its fifth-generation infrastructure, the Chinese telecommunications company is working to expand its share in the undersea cable market, which is dominated by the U.S., Europe and Japan. Nikkei Asian Review reports: About a decade ago, Huawei entered the business by setting up a joint venture with British company Global Marine Systems. It expanded its presence by laying short links in regions like Southeast Asia and the Russian Far East. But last September, Huawei surprised industry executives in Japan, the U.S. and Europe by completing a 6,000 km trans-Atlantic cable linking Brazil with Cameroon. This showed Huawei has acquired advanced capabilities, even though it is still far behind the established players in terms of experience and cable volume.

During the 2015-2020 period, Huawei is expected to complete 20 new cables -- mostly short ones of less than 1,000 km. Even when these are finished, Huawei's market share will be less than 10%. Over the long term, however, the company could emerge as a player to be reckoned with. Huawei is estimated to be involved in around 30 undersea cable projects at the moment. It also reportedly has a hand in about 60 projects to enhance cable landing stations to boost transmission capacity. The reality is, even if the U.S. succeeds in shutting out Huawei from 5G networks in major countries, the Chinese company could still thwart American efforts to maintain leadership in handling global data traffic.
The report goes on to say that the U.S., Japan and Australia are working to address this potential threat. "Steps they are considering include banning Huawei from laying cables connected to one of the three countries, and urging other governments to prevent the company from getting involved in the construction of any major cables," informed sources said.
Security

Millions of Golfers Land In Privacy Hazard After Cloud Misconfig (nbcnews.com) 29

Millions of golfer records from the Game Golf app, including GPS details from courses played, usernames and passwords, and even Facebook login data, were all exposed for anyone with an internet browser to see -- a veritable hole-in-one for a cyberattacker looking to build profiles for potential victims, to be used in follow-on social-engineering attacks. Threatpost reports: Security Discovery researcher Bob Diachenko recently ran across an Elastic database that was not password-protected and thus visible in any browser. Further inspection showed that it belongs to Game Golf, which is a family of apps developed by San Francisco-based Game Your Game Inc. Game Golf comes as a free app, as a paid pro version with coaching tools and also bundled with a wearable. It's a straightforward analyzer for those that like to hit the links -- tracking courses played, GPS data for specific shots, various player stats and so on -- plus there's a messaging and community function, and an optional "caddy" feature. It's popular, too: It has 50,000+ installs on Google Play.

Unfortunately, Game Golf landed its users in a sand trap of privacy concerns by not securing the database: Security Discovery senior security researcher Jeremiah Fowler said that the bucket included all of the aforementioned analyzer information, plus profile data like usernames and hashed passwords, emails, gender, and Facebook IDs and authorization tokens. In all, the exposure consisted of millions of records, including details on "134 million rounds of golf, 4.9 million user notifications and 19.2 million records in a folder called 'activity feed,'" Fowler said. The database also contained network information for the company: IP addresses, ports, pathways and storage info that "cybercriminals could exploit to access deeper into the network," according to Fowler, writing in a post on Tuesday. No word on whether malicious players took a swing at the data, as it were, but the sheer breadth of the information that the app gathers is concerning, Fowler noted.

Medicine

A Solution For Loneliness: Get Out and Volunteer, Research Suggests (scientificamerican.com) 161

"Loneliness is rampant, and it's killing us," writes Kasley Killam for Scientific American. "Anywhere from one quarter to one half of Americans feel lonely a lot of the time, which puts them at risk for developing a range of physical and mental illnesses, including heart disease, cancer, diabetes, and depression." Killam surfaces several studies that found volunteering to be an effective strategy to help combat this widespread health problem. From the report: In a recent survey of over 10,000 people in the UK, two-thirds reported that volunteering helped them feel less isolated. Similarly, a 2018 study of nearly 6,000 people across the US examined widows who, unsurprisingly, felt lonelier than married adults. After starting to volunteer for two or more hours per week, their average level of loneliness subsided to match that of married adults, even after controlling for demographics, baseline health, personality traits, and other social involvement. These benefits may be especially strong the older you are and the more often you volunteer.

Participating in volunteer opportunities may help alleviate loneliness and its related health impact for several reasons. The first and most obvious is that it's a meaningful way to connect with others and make new friends. Second, volunteering can make up for the loss of meaning that commonly occurs with loneliness. Research using the UCLA Loneliness Scale and Meaning in Life Questionnaire has shown that more loneliness is associated with less meaning. This makes sense, given our deeply rooted need for belonging. By volunteering for social causes that are important to us, we can gain a sense of purpose, which in turn may shield us from negative health outcomes. For example, purpose in life has been linked to a reduced likelihood of stroke and greater psychological well-being. Third, loneliness and isolation can lead to cognitive decline, such as memory loss. But according to the neuroscientist Lisa Genova, people who regularly engage in mentally stimulating activities build up more neural connections and are subsequently more resilient to symptoms of Alzheimer's. So, volunteering is one way to stay engaged and stimulated, rather than isolated and lonely, and thereby protect against cognitive decline.
