Businesses

One of Australia's Richest Men Lost $1 Million To Email Scam (bloomberg.com) 7

Kaye Wiggins, reporting for Bloomberg: The multi-millionaire founder of Twynam Agricultural Group lost $1 million in an email fraud, a London court heard Thursday. The British man who facilitated the theft says he's a victim too. John Kahlbetzer, who is on the Forbes list of the 50 richest Australians, lost the money when fraudsters tricked the administrator of his personal finances into transferring it to them, his court papers say. Fraudsters emailed Christine Campbell, pretending to be the 87-year-old and asking her to pay $1 million to an account held by a British man, David Aldridge, which she did. Kahlbetzer is suing Aldridge to recover the funds, but Aldridge says he was being "unwittingly used" and was himself the victim of a fraud involving a woman he met online and believed he was in a loving relationship with. Email frauds where companies' staff are tricked into transferring money are a growing problem. U.S. Federal Bureau of Investigation statistics show "business email compromise" cases, where criminals ask company officials to transfer funds, have cost more than $3 billion since 2015.
Crime

DOJ Confirms Uber Is Being Investigated For Criminal Behavior (arstechnica.com) 33

A newly released letter from the Department of Justice has formally acknowledged that federal prosecutors have an open criminal investigation into Uber. Ars Technica reports: Late last month, as part of the proceedings in the high-profile and ongoing Waymo v. Uber trade secrets lawsuit, U.S. District Judge William Alsup said that on November 22 he had received a letter from San Francisco-based federal prosecutors. It is very unusual for a judge in a civil case to be apprised of a pending criminal investigation involving one of the litigants. In a separate November 28 letter sent to Judge Alsup, Acting U.S. Attorney Alex Tse asked that the first letter not be made public. The judge unsealed both letters on Wednesday. The first letter was signed by two prosecutors, Matthew Parrella and Amie Rooney. Those attorneys are assigned to the Computer Hacking and Intellectual Property (CHIP) Unit at the United States Attorney's Office in San Jose. [T]he letter could mean Uber and/or its current or former employees may be under investigation for possible crimes under the Computer Fraud and Abuse Act, a longstanding anti-hacking law.
The Internet

Lawmakers Are Fighting For Net Neutrality (theverge.com) 188

An anonymous reader quotes a report from The Verge: Lawmakers and public officials are responding to the FCC's decision to gut net neutrality with promises of action. In the hours following the FCC hearing, officials from around the country announced lawsuits and bills intended to counter the FCC's decision. In New York, Attorney General Eric Schneiderman said that he's leading a multi-state lawsuit to challenge the FCC's vote, though he didn't give further details on the suit or who would be joining him. Calling today's decision an "illegal rollback," he described it as giving "Big Telecom an early Christmas present."

Washington state Attorney General Bob Ferguson also announced he would sue alongside Schneiderman and other attorneys general across the country, saying that he held "a strong legal argument" and that it was likely the government had failed to follow the law with this vote. Other officials from Santa Clara, California, including county supervisor Joe Simitian, are also suing the FCC to block the decision. "We believe the depth of your ideas should outweigh the depths of your pockets," Simitian said at a press conference.

State Sen. Scott Wiener (D-CA) announced plans to introduce a bill to adopt net neutrality as a requirement in his state. He wrote in a Medium post, "If the FCC won't stand up for a free and open internet, California will."

Rep. Mike Coffman (R-CO) tweeted that he will be submitting net neutrality legislation, saying that this was a decision better left to Congress. Coffman was the first Republican to ask the FCC to delay the vote, citing "unanticipated negative consequences" on Tuesday.
Furthermore, Sen. Bernie Sanders (D-VT) and Sen. Brian Schatz (D-HI) are supporting Sen. Ed Markey's (D-MA) plan to introduce a Congressional Review Act resolution to undo the FCC vote. Even Rep. Marsha Blackburn (R-TN), who had previously announced on Twitter her support for Ajit Pai and the FCC, tweeted a video, saying, "We will codify the need for no blocking, no throttling, and making certain that we preserve that free and open internet." We're likely to see many others express their disappointment with the FCC's decision over the next few hours and days.
Electronic Frontier Foundation

EFF: Accessing Publicly Available Information On the Internet Is Not a Crime (eff.org) 166

An anonymous reader quotes a report from EFF: EFF is fighting another attempt by a giant corporation to take advantage of our poorly drafted federal computer crime statute for commercial advantage -- without any regard for the impact on the rest of us. This time the culprit is LinkedIn. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony "hacking" under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.

EFF, together with our friends DuckDuckGo and the Internet Archive, have urged the Ninth Circuit Court of Appeals to reject LinkedIn's request to transform the CFAA from a law meant to target "hacking" into a tool for enforcing its computer use policies. Using automated scripts to access publicly available data is not "hacking," and neither is violating a website's terms of use. LinkedIn would have the court believe that all "bots" are bad, but they're actually a common and necessary part of the Internet. "Good bots" were responsible for 23 percent of Web traffic in 2016. Using them to access publicly available information on the open Internet should not be punishable by years in federal prison. LinkedIn's position would undermine open access to information online, a hallmark of today's Internet, and threaten socially valuable bots that journalists, researchers, and Internet users around the world rely on every day -- all in the name of preserving LinkedIn's advantage over a competing service. The Ninth Circuit should make sure that doesn't happen.

Security

Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com) 85

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."
Botnet

Mirai IoT Botnet Co-Authors Plead Guilty (krebsonsecurity.com) 31

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.
Businesses

Uber's Massive Scraping Program Collected Data About Competitors Around The World (gizmodo.com) 29

Kate Conger, reporting for Gizmodo: For years, Uber systemically scraped data from competing ride-hailing companies all over the world, harvesting information about their technology, drivers, and executives. Uber gathered information from these firms using automated collection systems that ran constantly, amassing millions of records, and sometimes conducted physical surveillance to complement its data collection. Uber's scraping efforts were spearheaded by the company's Marketplace Analytics team, while the Strategic Services Group gathered information for security purposes, Gizmodo learned from three people familiar with the operations of these teams, from court testimony, and from internal Uber documents. Until Uber's data scraping was discontinued this September in the face of mounting litigation and multiple federal investigations, Marketplace Analytics gathered information on Uber's overseas competitors in an attempt to advance Uber's position in those markets. SSG's mission was to protect employees, executives, and drivers from violence, which sometimes involved tracking protesters and other groups that were considered threatening to Uber. An Uber spokesperson declined to comment for this story.
Government

Trump Signs Law Forcing Drone Users To Register With Government (thehill.com) 464

President Trump signed a sweeping defense policy bill into law on Tuesday that will allow the government to require recreational drone users to register their model aircraft. This comes after a federal court ruled in May that Americans no longer have to register non-commercial drones with the Federal Aviation Administration (FAA) "because Congress had said in a previous law that the FAA can't regulate model aircraft," reports The Hill. From the report: In December 2015, the FAA issued an interim rule requiring drone hobbyists to register their recreational aircraft with the agency. The rule -- which had not been formally finalized -- requires model aircraft owners to provide their name, email address and physical address; pay a $5 registration fee; and display a unique drone ID number at all times. Those who fail to comply could face civil and criminal penalties. While Congress directed the FAA to safely integrate drones into the national airspace in a 2012 aviation law, lawmakers also included a special exemption to prevent model aircraft from being regulated. A D.C.-based appeals court cited the 2012 law in its ruling striking down the FAA drone registry, arguing that recreational drones count as model aircraft and that the registry counts as a rule or regulation.
Bitcoin

SEC Shuts Down Munchee ICO (techcrunch.com) 43

The Securities and Exchange Commission has shut down Munchee, a company that built a $15 million token sale. According to TechCrunch, "The Munchee ICO aimed to fund the MUN coin, a payment system for restaurant reviews." However, the company "received a cease and desist from the SEC on December 11" because it constituted the offer and sale of unregistered securities. From the report: Within the SECs findings they noted that Munchee touted itself as a "utility" token which means that the company believed the MUN token would be primarily used within the Munchee ecosystem and not be used to fund operations. However, thanks to an application of the Howey Test (a Supreme Court finding that essentially states that any instrument with the expectation of return is an investment vehicle), the SEC found the Munchee was actually releasing a security masquerading as a utility. "Munchee offered MUN tokens in order to raise capital to build a profitable enterprise," read the SEC notice. "Munchee said that it would use the offering proceeds to run its business, including hiring people to develop its product, promoting the Munchee App, and ensuring 'the smooth operation of the MUN token ecosystem.'" The stickiest part? Munchee claimed that its coins would increase in value thanks to a convoluted process of growth.

In short, Munchee was undone by two things: depending on the token sale as a vehicle to raise cash for operations and using the typically spammy and scammy marketing efforts most ICO floggers use now, tactics taken directly from affiliate marketing handbooks. Fortunately, Munchee was able to return all $15 million to the 40 investors that dumped their coins into scheme.

Books

San Diego Comic-Con Wins Trademark Suit Against 'Salt Lake Comic Con' (deseretnews.com) 117

The Deseret News reports: A jury has found that Salt Lake Comic Con founders Dan Farr and Bryan Brandenburg, along with their company, violated a trademark when they named their fan convention a "comic con." However, the jury decided that the trademark was not willfully violated, and only awarded $20,000 of the $12 million that San Diego Comic-Con had asked for in damages. The decision came at the end of an eight-day jury trial and three years of legal maneuvering... And with an estimated 140 other fan conventions across the country calling themselves comic cons, the impact of the decision could be felt nationwide...

The Salt Lake group also has an ongoing action with the U.S. Patent and Trademark Office seeking to invalidate San Diego's "comic-con" trademark... San Diego Comic-Con, which has been holding events since 1970, has a trademark on "comic-con" with a hyphen, but was unsuccessful in its 1995 bid to trademark "comic con," with a space. The unhyphenated name "Comic Con International," as well as the event's iconic "eye logo," are also protected by trademark. The event maintains that its trademarks cover the term "comic con" in all its forms...

San Diego Comic-Con wanted more than $12 million in damages from Salt Lake, including over $9 million for a three-month "corrective advertising campaign" to dispel confusion... In his closing arguments, Michael Katz, an attorney for Salt Lake Comic Con, questioned the amount San Diego was seeking, noting that San Diego authorities said during trial the organization generally spends between $20,000 and $30,000 for a month of advertising.

Slashdot reader AlanBDee writes: When I attended the Salt Lake City Comic Con I did assume it was the same organization that put on San Diego Comic-Con... But now I have to wonder how that will affect other Comic Cons around the nation? What should these comic based fan conventions be called if not Comic Con?
Businesses

Bangladesh Bank, NY Fed Discuss Suing Manila Bank For Heist Damages (reuters.com) 29

An anonymous reader shares a report: Bangladesh's central bank has asked the Federal Reserve Bank of New York to join a lawsuit it plans to file against a Philippines bank for its role in one of the world's biggest cyber-heists, several sources said. The Fed is yet to respond formally, but there is no indication it would join the suit. Unidentified hackers stole $81 million from Bangladesh Bank's account at the New York Fed in February last year, using fraudulent orders on the SWIFT payments system. The money was sent to accounts at Manila-based Rizal Commercial Banking Corp and then disappeared into the casino industry in the Philippines.
Businesses

ISP Disclosures About Data Caps and Fees Eliminated By Net Neutrality Repeal (arstechnica.com) 281

In 2015, the Federal Communications Commission forced ISPs to be more transparent with customers about hidden fees and the consequences of exceeding data caps. Since the requirements were part of the net neutrality rules, they will be eliminated when the FCC votes to repeal the rules next week. Ars Technica reports: While FCC Chairman Ajit Pai is proposing to keep some of the commission's existing disclosure rules and to impose some new disclosure requirements, ISPs won't have to tell consumers exactly what everything will cost when they sign up for service. There have been two major versions of the FCC's transparency requirements: one created in 2010 with the first net neutrality rules, and an expanded version created in 2015. Both sets of transparency rules survived court challenges from the broadband industry. The 2010 requirement had ISPs disclose pricing, including "monthly prices, usage-based fees, and fees for early termination or additional network services." That somewhat vague requirement will survive Pai's net neutrality repeal. But Pai is proposing to eliminate the enhanced disclosure requirements that have been in place since 2015. Here are the disclosures that ISPs currently have to make -- but won't have to after the repeal:

-Price: the full monthly service charge. Any promotional rates should be clearly noted as such, specify the duration of the promotional period and the full monthly service charge the consumer will incur after the expiration of the promotional period.
-Other Fees: all additional one time and/or recurring fees and/or surcharges the consumer may incur either to initiate, maintain, or discontinue service, including the name, definition, and cost of each additional fee. These may include modem rental fees, installation fees, service charges, and early termination fees, among others.
-Data Caps and Allowances: any data caps or allowances that are a part of the plan the consumer is purchasing, as well as the consequences of exceeding the cap or allowance (e.g., additional charges, loss of service for the remainder of the billing cycle).

Pai's proposed net neutrality repeal says those requirements and others adopted in 2015 are too onerous for ISPs.

Government

Volkswagen Executive Sentenced To Maximum Prison Term For His Role In Dieselgate (arstechnica.com) 101

An anonymous reader quotes a report from Ars Technica: On Wednesday, a U.S. District judge in Detroit sentenced Oliver Schmidt, a former Volkswagen executive, to seven years in prison for his role in the Volkswagen diesel emissions scandal of 2015. Schmidt was also ordered to pay a criminal penalty of $400,000, according to a U.S. Department of Justice (DOJ) press release. The prison term and the fine together represent the maximum sentence that Schmidt could have received under the plea deal he signed in August. Schmidt, a German citizen who lived in Detroit as an emissions compliance executive for VW, was arrested in Miami on vacation last January. In August, he pleaded guilty to conspiracy and to making a false statement under the Clean Air Act. Schmidt's plea deal stated that the former executive could face up to seven years in prison and between $40,000 and $400,000 in fines.

Last week, Schmidt's attorneys made a last-minute bid requesting a lighter sentence for Schmidt: 40 months of supervised release and a $100,000 fine. Schmidt also wrote a letter to the judge, which surfaced over the weekend, in which the executive said he felt "misused" by his own company and claimed that higher-ranked VW executives coached him on a script to help him lie to a California Air Resources Board (CARB) official. Instead, Schmidt was sentenced to the maximum penalties outlined in the plea deal. Only one other VW employee has been sentenced in connection with the emissions scandal: former engineer James Liang, who received 40 months in prison and two years of supervised release as the result of his plea deal. Although six other VW Group executives have been indicted, none is in U.S. custody.

Google

Inside Oracle's Cloak-and-dagger Political War With Google (recode.net) 86

schwit1 shares a Recode report: The story that appeared in Quartz this November seemed shocking enough on its own: Google had quietly tracked the location of its Android users, even those who had turned off such monitoring on their smartphones. But missing from the news site's report was another eyebrow-raising detail: Some of its evidence, while accurate, appears to have been furnished by one of Google's fiercest foes: Oracle. For the past year, the software and cloud computing giant has mounted a cloak-and-dagger, take-no-prisoners lobbying campaign against Google, perhaps hoping to cause the company intense political and financial pain at a time when the two tech giants are also warring in federal court over allegations of stolen computer code. Since 2010, Oracle has accused Google of copying Java and using key portions of it in the making of Android. Google, for its part, has fought those claims vigorously. More recently, though, their standoff has intensified. And as a sign of the worsening rift between them, this summer Oracle tried to sell reporters on a story about the privacy pitfalls of Android, two sources confirmed to Recode.
Businesses

Judge Dismisses Lawsuit That Claims Google Paid Female Employees Less Than Male Colleagues (cnn.com) 257

A California judge has rejected a class action claim against Google for alleged gender inequity. In September, three female Google employees filed a lawsuit against Google, claiming the search giant "engaged in systemic and pervasive pay and promotion discrimination." They sought class action status on behalf of women who have worked at Google in California for the past four years. CNN reports: This week, a judge rejected their request to make the suit a class action. A judge ruled that the class was "overbroad," stating that it "does not purport to distinguish between female employees who may have valid claims against Google based upon its alleged conduct from those who do not." Jim Finberg, the lawyer representing the plaintiffs, said his clients plan to file an amended complaint seeking class action certification. He said it will address the court's ruling and make "clear that Google violates the California Equal Pay Act throughout California and throughout the class period by paying women less than men for substantially equal work in nearly every job classification."
Government

Warrantless Surveillance Can Continue Even If Law Expires, Officials Say (theverge.com) 68

According to a New York Times report citing American officials, the Trump administration has decided that the National Security Agency and the FBI can lawfully keep operating their warrantless surveillance program even if Congress fails to extend the law authorizing it before an expiration date of New Year's Eve. The Verge reports: The White House believes the Patriot Act's surveillance provisions won't expire until four months into 2018. Lawyers point to a one-year certification that was granted on April 26th of last year. If that certification is taken as a legal authorization for the FISA court overall -- as White House lawyers suggest -- then Congress will have another four months to work out the details of reauthorization. There are already several proposals for Patriot Act reauthorization in the Senate, which focus the Section 702 provisions that authorize certain types of NSA surveillance. Some of the proposals would close the backdoor search loophole that allows for warrantless surveillance of U.S. citizens, although a recent House proposal would leave it in place. But with Congress largely focused on tax cuts and the looming debt ceiling fight, it's unlikely the differences could be reconciled before the end of the year.
Firefox

Yahoo Sues Mozilla For Breach of Contract -- So Mozilla Counter Sues Yahoo (betanews.com) 112

Mark Wilson writes: Mozilla and Yahoo have started a legal spat about the deal that existed between the two companies regarding the use of the Yahoo search engine in the Firefox browser. On December 1, Yahoo fired the first shot filing a complaint that alleges Mozilla breached a contract that existed between the two companies by terminating the arrangement early. In a counter complaint, Mozilla says that it was not only justified in terminating the contract early, but that Yahoo Holdings and Oath still have a bill that needs to be settled.
Encryption

US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com) 249

schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
Bitcoin

Feds Shut Down Allegedly Fraudulent Cryptocurrency Offering (arstechnica.com) 47

An anonymous reader quotes a report from Ars Technica: The Securities and Exchange Commission on Monday announced that it was taking action against an initial coin offering (ICO) that the SEC alleges is fraudulent. The announcement represents the first enforcement action by the SEC's recently created cyber fraud unit. In July, the agency fired a warning shot. It announced that a 2016 fundraising campaign had run afoul of securities law, but that the SEC would decline to prosecute those responsible. The hope was to get the cryptocurrency world to take securities laws more seriously without doing anything drastic. Now the SEC is taking the next step by prosecuting what it considers to be one of the most egregious scams in the ICO world. The SEC's complaint, filed in federal court in New York, is against Dominic Lacroix, whom the SEC describes as a "recidivist securities law violator." The SEC considers Lacroix's cryptocurrency project, PlexCoin, to be a "fast-moving Initial Coin Offering (ICO) fraud that raised up to $15 million from thousands of investors since August by falsely promising a 13-fold profit in less than a month." The PlexCoin website has a hilariously vague description of this supposedly revolutionary cryptocurrency. "The PlexCoin's new revolutionary operating structure is safer and much easier to use than any other current cryptocurrency," the site proclaims. "One of the many features of PlexBank will be to secure your cryptocurrency from market variation, which is highly volatile, and invest your money in a place where you can get interesting guaranteed returns." According to Ars, "The SEC isn't impressed and is arguing that PlexCoin has 'all of the characteristics of a full-fledged cyber scam.' The agency is seeking to freeze the assets of the PlexCoin project in hopes of getting investors' funds back to them."
Privacy

Trump Is Looking at Plans For a Global Network of Private Spies (vice.com) 481

David Gilbert, writing for Vice: The White House is reportedly looking at a proposal to create a ghost network of private spies in hostile countries -- a way of bypassing the intelligence community's "deep state," which Donald Trump believes is a threat to his administration. The network would report directly to the president and CIA Director Mike Pompeo, and would be developed by Blackwater founder Erik Prince, according to multiple current and former officials speaking to The Intercept. "Pompeo can't trust the CIA bureaucracy, so we need to create this thing that reports just directly to him," a former senior U.S. intelligence official with firsthand knowledge of the proposals told the website. Described as "totally off the books," the network would be run by intelligence contractor Amyntor Group and would not share any data with the traditional intelligence community.

Slashdot Top Deals