Government

Spain's Crackdown on Catalonia Includes Internet Censorship (internetsociety.org) 78

Spain's autonomous Catalonia region wants to hold a referendum on independence next weekend. Spain's Constitutional Court insists that that vote is illegal, and has taken control of Catalonia's police force to try to stop the vote. They're deploying thousands of additional police officers and have seized nearly 10 million ballots. And now the Internet Society has gotten involved, according to an announcement shared by Slashdot reader valinor89: Measures restricting free and open access to the Internet related to the independence referendum have been reported in Catalonia. There have been reports that major telecom operators have been asked to monitor and block traffic to political websites, and following a court order, law enforcement has raided the offices of the .cat registry in Barcelona, examining a computer and arresting staff.

We are concerned by reports that this court order would require a top-level domain (TLD) operator such as .cat to begin to block "all domains that may contain any kind of information about the referendum."

Open Source

Facebook Relents, Switches React, Flow, Immuable.js and Jest To MIT License (theregister.co.uk) 44

An anonymous reader quotes the Register: Faced with growing dissatisfaction about licensing requirements for some of its open-source projects, Facebook said it will move React, Jest, Flow, and Immutable.js under the MIT license next week. "We're relicensing these projects because React is the foundation of a broad ecosystem of open source software for the web, and we don't want to hold back forward progress for nontechnical reasons," said Facebook engineering director Adam Wolff in a blog post on Friday. Wolff said while Facebook continues to believe its BSD + Patents license has benefits, "we acknowledge that we failed to decisively convince this community"... Wolff said the updated licensing scheme will arrive next week with the launch of React 16, a rewrite of the library designed for more efficient operation at scale.
Facebook was facing strong criticism from the Apache Software Foundation and last week Wordpress.com had announced plans to move away from React.

"Wolff said Facebook considered a license change for its other open-source projects, but wasn't ready to commit to anything," the Register adds. "Some projects, he said, will keep the BSD + Patents license."
Cellphones

Super-Accurate GPS Chips Coming To Smartphones In 2018 (ieee.org) 97

schwit1 writes about a new mass-market Broadcom chip designed for the next generation of smartphones: It'll know where you are to within 30 centimeters (11.8 inches), rather than five meters. At least that's the claim chip maker Broadcom is making. It says that some of its next-generation smartphone chips will use new global positioning satellite signals to boost accuracy. In a detailed report on the announcement and how the new signals work, IEEE Spectrum says that the new chips, which are expected to appear in some phones as soon as next year, will also use half the power of today's chips and even work in cities where tower blocks often interfere with existing systems. All told, it sounds like a massive change for those who rely on their phones to find their way.
Iphone

Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com) 57

AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
Power

Court Rules That Imported Solar Panels Are Bad For US Manufacturing (theverge.com) 259

The International Trade Commission has ruled that American companies are being hurt by cheap solar panels from overseas, providing an opportunity for President Donald Trump to tax imports from countries like China. The Verge reports: Today's unanimous decision ruled that the companies SolarWorld Americans and Suniva were struggling financially not because of their own poor management, but because they couldn't compete with cheap panels from countries like China, Mexico, and South Korea. Suniva is now suggesting import duties of 40 cents a watt for solar cells, and a floor price of 78 cents a watt for panels. (Right now, the average floor price, worldwide, for panels is about 32 cents.) The Solar Energy Industries Association warned that implementing these suggestions could end up doubling the price of solar, thus destroying demand and causing Americans to lose their jobs.
Google

Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs (bleepingcomputer.com) 102

An anonymous reader writes from a report via Bleeping Computer: The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari. Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues. The tests were carried out with a new fuzzing tool created by Google engineers named Domato, also open-sourced on GitHub. This is the third fuzzing tool Google creates and releases into open-source after OSS-Fuzz and syzkaller. Researchers focused on testing DOM engines for vulnerabilities because they expect them to be the next target for browser exploitation after Flash reaches end-of-life in 2020.
Privacy

Walmart Wants To Deliver Groceries Straight To Your Fridge (consumerist.com) 169

New submitter Rick Schumann writes: Walmart has a new marketing idea: "Going to the store? No one has time for that anymore," Walmart says. They want to partner with a company called August Home, who makes smart locks, so a delivery service can literally deliver groceries right into your refrigerator -- while you watch remotely on your phone. Great, time-saving idea, or super-creepy invasion of your privacy? You decide. Here's how the company says it would work:
1. Place an order on Walmart.com for groceries or other goods.
2. A driver for Deliv -- a same-day delivery service -- retrieves items when the order is ready, and brings them to the customer's home.
3. If no one answers, the delivery person can use a one-time passcode that's been pre-authorized by the customer to open the home's smart lock.
4. The customer receives a smartphone notification when the delivery is occurring, and can choose to watch it all play out in real-time on home security cameras through a dedicated app.
5. Delivery person leaves packages in the foyer, then brings the groceries to the kitchen, unloads them into the fridge, and leaves.
6. Customer receives notification that the door has locked behind them.
Security

Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com) 57

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.
Privacy

Passwords For 540,000 Car Tracking Devices Leaked Online (thehackernews.com) 32

An anonymous reader quotes a report from The Hacker News: Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen. The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices. The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.
Red Hat Software

Red Hat Pledges Patent Protection For 99 Percent of FOSS-ware (theregister.co.uk) 64

Red Hat says it has amassed over 2,000 patents and won't enforce them if the technologies they describe are used in properly-licensed open-source software. From a report: The company has made more or less the same offer since 2002, when it first made a "Patent Promise" in order to "discourage patent aggression in free and open source software." Back then the company didn't own many patents and claimed its non-enforcement promise covered 35 per cent of open-source software. The Promise was revised in order to reflect the company's growing patent trove and to spruce up the language it uses to make it more relevant. The revised promise "applies to all software meeting the free software or open source definitions of the Free Software Foundation (FSF) or the Open Source Initiative (OSI)." [...] It's not a blank cheque. Hardware isn't covered and Red Hat is at pains to point out that "Our Promise is not an assurance that Red Hat's patents are enforceable or that practicing Red Hat's patented inventions does not infringe others' patents or other intellectual property." But the company says 99 percent of FOSS software should be covered by the Promise.
Iphone

'Dear Apple, The iPhone X and Face ID Are Orwellian and Creepy' (hackernoon.com) 436

Trent Lapinski from Hacker Noon writes an informal letter to Apple, asking "who the hell actually asked for Face ID?" and calling the iPhone X and new face-scanning security measure "Orwellian" and "creepy": For the company that famously used 1984 in its advertising to usher in a new era of personal computing, it is pretty ironic that 30+ years later they would announce technology that has the potential to eliminate global privacy. I've been waiting 10-years since the first iPhone was announced for a full-screen device that is both smaller in my hand but has a larger display and higher capacity battery. However, I do not want these features at the cost of my privacy, and the privacy of those around me. While the ease of use and user experience of Face ID is apparent, I am not questioning that, the privacy concerns are paramount in today's world of consistent security breaches. Given what we know from Wikileaks Vault7 and the CIA / NSA capabilities to hijack any iPhone, including any sensor on the phone, the very thought of handing any government a facial ID system for them to hack into is a gift the world may never be able to return. Face ID will have lasting privacy implications from 2017 moving forward, and I'm pretty sure I am not alone in not wanting to participate.

The fact of the matter is the iPhone X does not need Face ID, Apple could have easily put a Touch ID sensor on the back of the phone for authentication (who doesn't place their finger on the back of their phone?). I mean imagine how cool it would be to put your finger on the Apple logo on the back of your iPhone for Touch ID? It would have been a highly marketable product feature that is equally as effective as Face ID without the escalating Orwellian privacy implications. [...] For Face ID to work, the iPhone X actively has to scan faces looking for its owner when locked. This means anyone within a several foot range of an iPhone X will get their face scanned by other people's phones and that's just creepy.

Privacy

DC Court Rules Tracking Phones Without a Warrant Is Unconstitutional (cbsnews.com) 84

An anonymous reader writes: Law enforcement use of one tracking tool, the cell-site simulator, to track a suspect's phone without a warrant violates the Constitution, the D.C. Court of Appeals said Thursday in a landmark ruling for privacy and Fourth Amendment rights as they pertain to policing tactics. The ruling could have broad implications for law enforcement's use of cell-site simulators, which local police and federal agencies can use to mimic a cell phone tower to the phone connect to the device instead of its regular network. In a decision that reversed the decision of the Superior Court of the District of Columbia and overturned the conviction of a robbery and sexual assault suspect, the D.C. Court of Appeals determined the use of the cell-site simulator "to locate a person through his or her cellphone invades the person's actual, legitimate and reasonable expectation of privacy in his or her location information and is a search."
EU

EU Paid For Report That Said Piracy Isn't Harmful -- And Tried To Hide Findings (thenextweb.com) 158

According to Julia Reda's blog, the only Pirate in the EU Parliament, the European Commission in 2014 paid the Dutch consulting firm Ecorys 360,000 euros (about $428,000) to research the effect piracy had on sales of copyrighted content. The final report was finished in May 2015, but was never published because the report concluded that piracy isn't harmful. The Next Web reports: The 300-page report seems to suggest that there's no evidence that supports the idea that piracy has a negative effect on sales of copyrighted content (with some exceptions for recently released blockbusters). The report states: "In general, the results do not show robust statistical evidence of displacement of sales by online copyright infringements. That does not necessarily mean that piracy has no effect but only that the statistical analysis does not prove with sufficient reliability that there is an effect. An exception is the displacement of recent top films. The results show a displacement rate of 40 per cent which means that for every ten recent top films watched illegally, four fewer films are consumed legally."

On her blog, Julia Reda says that a report like this is fundamental to discussions about copyright policies -- where the general assumption is usually that piracy has a negative effect on rightsholders' revenues. She also criticizes the Commissions reluctance to publish the report and says it probably wouldn't have released it for several more years if it wasn't for the access to documents request she filed in July.
As for why the Commission hadn't published the report earlier, Reda says: "all available evidence suggests that the Commission actively chose to ignore the study except for the part that suited their agenda: In an academic article published in 2016, two European Commission officials reported a link between lost sales for blockbusters and illegal downloads of those films. They failed to disclose, however, that the study this was based on also looked at music, ebooks and games, where it found no such connection. On the contrary, in the case of video games, the study found the opposite link, indicating a positive influence of illegal game downloads on legal sales. That demonstrates that the study wasn't forgotten by the Commission altogether..."
Encryption

Distrustful US Allies Force Spy Agency To Back Down In Encryption Fight (reuters.com) 102

schwit1 shares a report from Reuters: An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques -- those least likely to be vulnerable to hacks -- to address the concerns.
Security

Security Researchers Warn that Third-Party GO Keyboard App is Spying on Millions of Android Users (betanews.com) 65

An anonymous reader shares a report: Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code." Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information. Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.
Social Networks

Facebook Will Share Copies of Political Ads Purchased by Russian Sources With the US Congress (recode.net) 224

An anonymous reader shares a report: Facebook will turn over copies of political ads purchased by Russian sources to congressional lawmakers, who are investigating the country's potential interference in the 2016 U.S. presidential election. Initially, Facebook had only released those ads -- 3,000 of them, valued at about $100,000 -- to Robert Mueller, the former FBI director who is spearheading the government's probe into Russia's actions. Facebook had withheld those details from House and Senate leaders, citing privacy concerns. But the move drew sharp rebukes from the likes of Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, who has charged in recent days that Facebook may not have done enough to scan its systems for potential Russian influence and to ensure that such foreign purchases -- otherwise illegal under U.S. law -- don't happen again. "After an extensive legal and policy review, today we are announcing that we will also share these ads with congressional investigators," wrote Colin Stretch, the company's general counsel. "We believe it is vitally important that government authorities have the information they need to deliver to the public a full assessment of what happened in the 2016 election."
Businesses

Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com) 97

Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, a judge has dismissed the FTC's case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the Judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."
The Almighty Buck

Bitcoin Futures-Based ETF Likely To Be Approved in the US (thestreet.com) 59

The race is on: who will be the first to launch a Bitcoin exchange-traded fund in the United States? From a report, shared by a reader: In Europe, there is already a Bitcoin exchange traded note (ETN) available to investors. In the U.S., it is widely anticipated a Bitcoin ETF will be be approved by the U.S. Securities and Exchange Commission (SEC) very soon. In Europe, ETNs are designed to track the movement of Bitcoin against the U.S. dollar. The ETNs are Bitcoin Tracker One, which is traded in Swedish krona and Bitcoin Tracker EURO, which is traded in euro. Both ETNs are issued by XBT Provider AB and traded on Nasdaq OMX (Stockholm). Dave Nadig, CEO of ETF.com and previously the director of ETFs at FactSet Research Systemsm believes we can expect to see Bitcoin Futures-based ETF launched in the U.S. by the end of this year. "Yes, you can already trade a derivative in Europe, an exchange traded note which tracks Bitcoin," Nadig adds. "Then the race in the U.S. is the race to see what gets approval first. Will it be a Bitcoin future or a straight up Bitcoin holding ETF? My bet is that we will see Bitcoin futures approved fairly quickly."
Security

Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com) 154

An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handing the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
Businesses

Waymo Wants Uber to Pay $2.6 Billion Over Alleged Trade Secret Theft (reuters.com) 25

Alphabet's Waymo unit is seeking about $2.6 billion from Uber for the alleged theft of one of several trade secrets in a lawsuit over self-driving cars, a lawyer for Uber said on Wednesday. From a report: Uber attorney Bill Carmody disclosed the figure in a hearing in federal court in San Francisco, where both companies are discussing whether a trial in the case will begin next month. Waymo has asserted claims that Uber stole several of its trade secrets. The total amount of Waymo's damages request was not publicly disclosed at the hearing on Wednesday. Waymo claimed in a lawsuit earlier this year that former engineer Anthony Levandowski downloaded more than 14,000 confidential files before leaving to set up a self-driving truck company, which Uber acquired soon after.

Slashdot Top Deals