Yahoo!

Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com) 60

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report: The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter read. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing for Senate staffers on Yahoo's incident response and how it intends to protect affected users.
Privacy

Facebook Told To Stop Taking Data From German WhatsApp Users (bloomberg.com) 35

An anonymous reader shares a Bloomberg report: Facebook, already under scrutiny in the U.S. and the European Union for revisions to privacy policies for its WhatsApp messaging service, was ordered by Hamburg's privacy watchdog to stop processing data of German users of the chat service. In a renewed clash with the social-network operator, Johannes Caspar, one of Germany's most outspoken data protection commissioners, ordered Facebook to delete any data it already has. The news comes as EU privacy regulators, who previously expressed concerns about the policy shift, meet in Brussels to discuss their position. There's no legal basis for Facebook to use information of WhatsApp customers, Caspar said Tuesday. "This order protects the data of about 35 million WhatsApp users in Germany," Caspar said. "It has to be their decision as to whether they want to connect their account with Facebook. Therefore, Facebook has to ask for their permission in advance. This has not happened."
Security

Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe (arstechnica.com) 139

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the browser in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular Mimikatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it.
As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins will also be able to control whether untrusted sites can use the clipboard or print.
Privacy

California Enacts Law Requiring IMDb To Remove Actor Ages On Request (hollywoodreporter.com) 294

California Gov. Jerry Brown on Saturday signed legislation that requires certain entertainment sites, such as IMDb, to remove -- or not post in the first place -- an actor's age or birthday upon request, reports The Hollywood Reporter. From the report: The law, which becomes effective Jan. 1, 2017, applies to entertainment database sites that allow paid subscribers to post resumes, headshots or other information for prospective employers. Only a paying subscriber can make a removal or nonpublication request. Although the legislation may be most critical for actors, it applies to all entertainment job categories. "Even though it is against both federal and state law, age discrimination persists in the entertainment industry," Majority Leader Ian Calderon, D-Whittier, said in a statement. "AB 1687 provides the necessary tools to remove age information from online profiles on employment referral websites to help prevent this type of discrimination." Bloomberg columnist Shira Ovide said, "Congratulations, IMDB. You have now become the subject of California law." Slate writer Will Oremus added, "Sometimes I start to think California is not such a bad place and then they go and do something like this."
United States

Kentucky's Shotgun 'Drone Slayer' Gets Sued Again (yahoo.com) 300

"Technology has surpassed the law..." argues a Kentucky man who fired a shotgun at a drone last year. An anonymous Slashdot reader reports: The drone's owner has now filed for damages in Federal Court over the loss of his $1,800 drone, arguing that the shotgun blast was unjustified because his drone wasn't actually trespassing or invading anyone's privacy. The defendant -- who has dubbed himself 'the Drone Slayer' -- said the aerial vehicle was over his garden and his daughter, and the verdict could ultimately set a new precedent in U.S. law: who owns the air?

"Operators need to know where they can fly," argued the drone pilot's lawyer, "and owners must know when they can reasonably expect privacy and be free of prying eyes." He estimates a drone is shot from the skies about once a month, and "What happens typically is that law enforcement doesn't know what to do and civil suits are uncommon as most people don't want to get involved due to the costs."

The Drone Slayer was originally charged with felony counts of wanton endangerment and criminal mischief. But all of those charges were dismissed in October when a district judge ruled he "had a right to shoot at the aircraft."
Security

97% of the Top Companies Have Leaked Credentials Online (onthewire.io) 21

Apparently lots of people have been using both their work email address and work password on third-party sites -- suggesting a huge vulnerability. Trailrunner7 quotes On The Wire: The last few years have seen a number of large-scale breaches at popular sites and companies, including LinkedIn, Adobe, MySpace, and Ashley Madison, and many of the credentials stolen during those incidents have ended up online in various places... [R]esearch from Digital Shadows found that the most significant breach for the global 1,000 companies it looked at was the LinkedIn incident... Digital Shadows found more than 1.6 million credentials online for the 1,000 companies it studied. Adobe's breach was next on the list, with more than 1.3 million credentials.
"For Ashley Madison alone, there were more than 200,000 leaked credentials from the top 1,000 global companies," the researchers report, noting they also found many leaked credentials from breaches at other dating and gaming sites, as well as Myspace. Their conclusion? "The vast majority of organizations have credentials exposed online..."
Media

Snapchat's 10-Second-Video Glasses Are Real And Cost $130 Bucks (techcrunch.com) 92

Long-time Slashdot reader bheerssen writes that Snapchat "announced a new product yesterday, Spectacles, which are sunglasses with a camera built into the frame." TechCrunch reports: Snapchat's long-rumored camera glasses are actually real. The startup's first foray into hardware will be a pair of glasses called "Spectacles" and will go on sale this fall for $129.99, according to the WSJ... To start recording you tap a button on the side of the glasses. Video capture will mimic Snapchat's app, meaning you can only capture 10 seconds of video at once. This video will sync wirelessly to your phone, presumably making it available to share as a snap.
The cameras will be using a circular 115-degree lens to mimic the human eye's natural field of vision, and in the Journal's article, Snap CEO Evan Spiegel remembers his first test of the product in 2015. "I could see my own memory, through my own eyes -- it was unbelievable... It was the closest I'd ever come to feeling like I was there again." The camera glasses will enter "limited distribution" sometime within the next three months, which TechCrunch believes "could end up being like Google Glass when it first launched -- officially on sale to the public but pretty hard to come by."
Security

Hacker Who Aided ISIS Gets 20 Years In Prison (softpedia.com) 131

An anonymous reader quotes a report from Softpedia: Ardit Ferizi, aka Th3Dir3ctorY, 20, a citizen of Kosovo, will spend 20 years in a U.S. prison for providing material support to ISIS hackers by handing over data for 1,351 U.S. government employees. Ferizi obtained the data by hacking into a U.S. retail company on June 13, 2015. The hacker then filtered the stolen information and put aside records related to government officials, which he later handed over to Junaid Hussain, the then leader of the Islamic State Hacking Division (ISHD). Hussain then uploaded this information online, asking fellow ISIS members to seek out these individuals and execute lone wolf attacks. Because of this leak, the U.S. Army targeted and killed Hussain in a drone strike in Syria in August 2015. Before helping ISIS, Ferizi had a prodigious hacking career as the leader of Kosova Hacker's Security (KHS) hacking crew. He was arrested on October 6, 2015, at the international airport in Kuala Lumpur, Malaysia, while trying to catch a flight back to Kosovo. Ferizi was in Kuala Lumpur studying computer science.
Security

Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com) 203

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposés reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat than the earlier attacks on Spamhaus for at least two reasons. First, it's twice the size.
Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.
Security

40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com) 113

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms, are undermining that progress. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 -- and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff.
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.
United States

Probe Of Leaked US NSA Hacking Tools Examines Operative's Mistake (reuters.com) 57

Joseph Menn and John Walcott, reporting for Reuters: A U.S. investigation into a leak of hacking tools used by the National Security Agency is focusing on a theory that one of its operatives carelessly left them available on a remote computer and Russian hackers found them, four people with direct knowledge of the probe told Reuters. The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a group calling itself Shadow Brokers. The public release of the tools coincided with U.S. officials saying they had concluded that Russia or its proxies were responsible for hacking political party organizations in the run-up to the Nov. 8 presidential election. On Thursday, lawmakers accused Russia of being responsible. Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.
Facebook

Indian Students Score a Partial Win in Facebook Privacy Dispute (bloomberg.com) 47

WhatsApp announced last month that it would begin sharing some of its users' information -- phone number, contact information of people in your address book, etc. -- with Facebook. Two Indian students last month expressed their concern over this, adding that WhatsApp was "severely" compromising their privacy and that of its other billion-plus users, and that it was reneging on its original promise. They approached the Delhi High Court, and after hearing from everyone, the chief justice's bench told WhatsApp that it must delete the data of users who opt out of the privacy policy changes before September 25. Bloomberg adds: The Delhi High Court on Friday ruled that WhatsApp has to delete all data on users who choose to stop using the service before Sept. 25, when the new policy takes effect. Also, it can only share data collected after that date. However, going forward, WhatsApp is free to share information on users who haven't opted out. The court also asked India's government to consider if it was feasible to craft regulations to oversee WhatsApp and other messaging apps, though it didn't specify what form they could take.
IOS

19-Year-Old Jailbreaks iPhone 7 In 24 Hours (vice.com) 97

An anonymous reader writes: 19-year-old hacker qwertyoruiop, aka Luca Todesco, jailbroke the new iPhone 7 just 24 hours after he got it, in what's the first known iPhone 7 jailbreak. Todesco tweeted a screenshot of a terminal where he has "root," alongside the message: "This is a jailbroken iPhone 7." He even has video proof of the jailbreak. Motherboard reports: "He also said that he could definitely submit the vulnerabilities he found to Apple, since they fall under the newly launched bug bounty, but he hasn't decided whether to do that yet. The hacker told me that he needs to polish the exploits a bit more to make the jailbreak 'smoother,' and that he is also planning to make this jailbreak work through the Safari browser just like the famous 'jailbreakme.com,' which allowed anyone to jailbreak their iPhone 4 just by clicking on a link." Apple responded to the news by saying, "Apple strongly cautions against installing any software that hacks iOS."
Government

Hacker Leaks Michelle Obama's Passport (nypost.com) 122

The hacker who leaked Colin Powell's private email account last week has struck again. This time they have hacked a low-level White House staffer and released a picture of Michelle Obama's passport, along with detailed schedules for top U.S. officials and private email messages. New York Post reports: The information has been posted online by the group DC Leaks. The White House staffer -- who also apparently does advance work for Hillary Clinton's presidential campaign -- is named Ian Mellul. The released documents include a PowerPoint outline of Vice President Joe Biden's recent Cleveland trip, showing his planned route, where he'll meet with individuals and other sensitive information, according to the Daily Mail. In an email to The Post, the hacker writes, "The leaked files show the security level of our government. If terrorists hack emails of White House Office staff and get such sensitive information we will see the fall of our country." The hacker adds, "We hope you will tell the people about this criminal negligence of White House Office staffers."
Crime

Cops Are Raiding Homes of Innocent People Based Only On IP Addresses (fusion.net) 240

Kashmir Hill has a fascinating story today on what can go wrong when you rely solely on an IP address in a crime investigation -- also highlighting how often police resort to IP addresses. In the story she follows a crime investigation that led police to raid a couple's house at 6 a.m., because their IP address had been associated with the publication of child porn on the notorious site 4chan. The problem was, Hill writes: the couple -- David Robinson and Jan Bultmann -- weren't the ones who had uploaded the child porn. All they did was voluntarily use one of their old laptops as a Tor exit relay. Tor is software used by activists, dissidents and privacy enthusiasts, as well as criminals, so that people who want to stay anonymous when surfing the web can do so. Hill writes: Robinson and Bultmann had [...] specifically operated the riskiest node in the chain: the exit relay which provides the IP address ultimately associated with a user's activity. In this case, someone used Tor to make the porn post, and his or her traffic had been routed through the computer in Robinson and Bultmann's house. The couple wasn't pleased to have helped someone post child porn to the internet, but that's the thing about privacy-protective tools: They're going to be used for good and bad purposes, and to support one, you might have to support the other. Robinson added that he was a little let down because police didn't bother to look at the public list which details the IP addresses associated with Tor exit relays. Hill adds: The police asked Robinson to unlock one MacBook Air, and then seemed satisfied these weren't the criminals they were looking for and left. But months later, the case remains open with Robinson and Bultmann's names on police documents linking them to child pornography. "I haven't run an exit relay since. The police told me they'd be back if it happened again," Robinson said; he's still running a Tor node, just not the end point anymore.
"I have to take the threat seriously because I don't want my wife or I to wake up with guns in our faces." Technologist Seth Schoen and EFF Executive Director Cindy Cohn wrote in a white paper aimed at courts and cops: "For many reasons, connecting an individual to a crime linked to an IP address, without any additional investigation, is irresponsible and threatens the civil liberties of innocent people."
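The public exit-relay list Robinson mentions is a check an investigator or SOC analyst can automate before treating an IP address as a person. The following Python is an added example, not code from Hill's story, the Tor project, or anyone quoted above. It parses a small exit list written in the ExitNode/Published/LastStatus/ExitAddress line format that the Tor project's published exit-address list is assumed to use (that format is an assumption here, and the relays, fingerprints, addresses and event time are all constructed), then reports whether a given address was observed as a Tor exit close to the time of the event. The time window matters: an address that only became an exit weeks after the event says nothing about who sent the traffic.

```python
"""Cross-check an incident IP address against a Tor exit-relay list before
attributing the traffic to the subscriber behind that address.

Added example. SAMPLE_EXIT_LIST is constructed data in a line format modelled
on the Tor project's exit-address list (assumed format); the fingerprints,
addresses and timestamps are made up and refer to no real relay.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample exit list: two relays, three exit addresses (not real).
SAMPLE_EXIT_LIST = """\
ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E
Published 2016-09-20 10:56:07
LastStatus 2016-09-20 12:02:32
ExitAddress 203.0.113.17 2016-09-20 12:05:41
ExitNode 00C4B4731658D3B4987132A3F77100CFCB190D97
Published 2016-09-20 09:12:00
LastStatus 2016-09-20 12:02:32
ExitAddress 198.51.100.9 2016-09-20 12:05:41
ExitAddress 198.51.100.10 2016-09-20 12:05:41
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_exit_list(text):
    """Return {ip: [(relay_fingerprint, observed_at), ...]} from exit-list text.

    An ExitNode line starts a record; each following ExitAddress line belongs
    to that relay. Other record lines (Published, LastStatus) are skipped.
    """
    index = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint is not None:
            ip = str(ipaddress.ip_address(parts[1]))  # normalise the address text
            observed_at = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
            index.setdefault(ip, []).append((fingerprint, observed_at))
    return index


def tor_exit_match(ip, event_time, exit_index, window=timedelta(hours=24)):
    """Return (fingerprint, observed_at) if `ip` was seen as a Tor exit within
    `window` of `event_time`, else None.

    The list is a snapshot, so only an observation near the event time is
    evidence that Tor traffic was leaving this address when the event happened.
    """
    ip = str(ipaddress.ip_address(ip))
    for fingerprint, observed_at in exit_index.get(ip, []):
        if abs(observed_at - event_time) <= window:
            return fingerprint, observed_at
    return None


def is_tor_exit_at(ip, event_time_str, exit_list_text=SAMPLE_EXIT_LIST):
    """Convenience wrapper taking the event time as 'YYYY-MM-DD HH:MM:SS'."""
    index = parse_exit_list(exit_list_text)
    event_time = datetime.strptime(event_time_str, TIME_FMT)
    return tor_exit_match(ip, event_time, index) is not None


def attribution_note(ip, event_time_str, exit_list_text=SAMPLE_EXIT_LIST):
    """One-line triage verdict for an analyst's notes."""
    index = parse_exit_list(exit_list_text)
    event_time = datetime.strptime(event_time_str, TIME_FMT)
    match = tor_exit_match(ip, event_time, index)
    if match:
        return (f"{ip} was a Tor exit (relay {match[0][:8]}...) at {match[1]}; "
                "the traffic originated elsewhere, not with the relay operator.")
    return f"{ip} not listed as a Tor exit near {event_time}; continue investigating."


if __name__ == "__main__":
    # Constructed event: an upload logged from two candidate addresses.
    EVENT_TIME = "2016-09-20 13:30:00"
    for candidate in ("203.0.113.17", "192.0.2.44"):
        print(attribution_note(candidate, EVENT_TIME))
```

In practice the list text would be fetched and archived at the time of the event, because the published snapshot changes as relays join and leave; a check against today's list for an event months old is exactly the kind of stale evidence the time window is there to reject.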
Google

Google Backs Off On Previously Announced Allo Privacy Feature (theverge.com) 84

When Google first unveiled its Allo messaging app, the company said it would not keep a log of chats you have with people when in incognito mode. The company released Allo for iOS and Android users last night, and it seems it is reneging on some of those promises. The Verge reports: The version of Allo rolling out today will store all non-incognito messages by default -- a clear change from Google's earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app. Users can also avoid the logging by using Allo's Incognito Mode, which is still fully end-to-end encrypted and unchanged from the initial announcement. Like Hangouts and Gmail, Allo messages will still be encrypted between the device and Google servers, and stored on servers using encryption that leaves the messages accessible to Google's algorithms. According to Google, the change was made to improve the Allo assistant's smart reply feature, which generates suggested responses to a given conversation. Like most machine learning systems, the smart replies work better with more data. As the Allo team tested those replies, they decided the performance boost from permanently stored messages was worth giving up the privacy benefits of transient storage.
Security

College Student Got 15 Million Miles By Hacking United Airlines (fortune.com) 79

An anonymous reader quotes a report from Fortune: Georgia Tech student Ryan Pickren used to get in trouble for hacking websites -- in 2015, he hacked his college's master calendar and almost spent 15 years in prison. But now he's being rewarded for his skills. Pickren participated in United Airlines' Bug Bounty Program and earned 15 million United miles. At two cents a mile, that's about $300,000 worth. United's white hat hacking program invites computer experts to legally hack their systems, paying up to one million United miles to hackers who can reveal security flaws. At that rate, we can presume Pickren reported as many as 15 severe bugs. The only drawback to all those free miles? Taxes. Having earned $300,000 of taxable income from the Bug Bounty Program, Pickren could owe the Internal Revenue Service tens of thousands of dollars. He's not keeping all of them, though: Pickren donated five million miles to Georgia Tech, the ultimate thank-you for not pressing charges last year. In May, certified ethical hackers at Offensi.com identified a bug allowing remote code execution on one of United Airlines' sites and were rewarded with 1,000,000 Mileage Plus air miles. Instead of accepting the award themselves, they decided to distribute their air miles among three charities.
Security

Anonymous Hacker Explains His Attack On Boston Children's Hospital (huffingtonpost.com) 294

Okian Warrior writes: Martin Gottesfeld of Anonymous was arrested in connection with the Spring 2014 attacks on a number of healthcare and treatment facilities in the Boston area. The attacks were in response to, and in defense of, a patient there named Justina Pelletier. Gottesfeld now explains why he did what he did, in a statement provided to The Huffington Post. Here's an excerpt from his statement: [Why I Knocked Boston Children's Hospital Off The Internet] The answer is simpler than you might think: The defense of an innocent, learning disabled, 15-year-old girl. In the criminal complaint, she's called 'Patient A,' but to me, she has a name, Justina Pelletier. Boston Children's Hospital disagreed with her diagnosis. They said her symptoms were psychological. They made misleading statements on an affidavit, went to court, and had Justina's parents stripped of custody. They stopped her painkillers, leaving her in agony. They stopped her heart medication, leaving her tachycardic. They said she was a danger to herself, and locked her in a psych ward. They said her family was part of the problem, so they limited, monitored, and censored her contact with them..."
Robotics

Robot Handcuffed and Arrested At Moscow Rally (abc.net.au) 46

Russian police have arrested a robot. Long-time Slashdot reader ferret4 quotes ABC News: A robot has been detained by police at a political rally in Moscow, with authorities attempting to handcuff the machine. Police have not confirmed why they detained the machine, named Promobot, but local media were reporting that the company behind the robot said police were called because it was 'recording voters' opinions on [a] variety of topics for further processing and analysis by the candidate's team'.
Interestingly, an earlier model of the same robot escaped its research lab in June, traveling 150 feet before its batteries died -- and despite being reprogrammed twice, continued to move towards the exits.
Privacy

Assange Agrees to US Prison If Obama Pardons Chelsea Manning (theverge.com) 389

"If Obama grants Manning clemency, Assange will agree to U.S. prison in exchange -- despite its clear unlawfulness," Wikileaks announced on Twitter Thursday. An anonymous Slashdot reader quotes The Verge: WikiLeaks' statement was released one day before a Swedish appeals court decided to maintain a warrant for Assange's arrest over a 2010 rape charge. Assange has said that extradition to Sweden would lead to his eventual extradition to the US, where he could face charges related to WikiLeaks' publication of secret government documents... Assange has been living in political asylum at the Ecuadorian embassy in London since 2012...

Chelsea Manning, a former US Army private, was convicted in 2013 for providing a trove of documents and videos to WikiLeaks, and is currently serving a 35-year sentence at the US Disciplinary Barracks in Leavenworth, Kansas. She was hospitalized after a reported suicide attempt in July, and this month went on a hunger strike to seek treatment for her gender dysphoria. Manning ended her hunger strike this week after the military agreed to allow her to have gender reassignment surgery. She still faces indefinite solitary confinement due to administrative charges related to her suicide attempt.

The tweet also included a link to a letter from Assange's attorney, Barry Pollack, calling on the Justice Department to be more transparent about its investigation into WikiLeaks -- and citing the FBI's investigation into Hillary Clinton's handling of classified information. "Director Comey made it clear his conclusion was based on the necessity of proving criminal intent [and] noted that responsible prosecutors consider the context of a person's actions... Criminal prosecution is appropriate only when a person...was intending to aid enemies of the United States or was attempting to obstruct justice."
