DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
Businesses

Uber Tried To Hide Its Secret IPhone Fingerprinting From Apple (cnbc.com) 92

theodp quotes today's New York Times profile of Uber CEO Travis Kalanick: For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple's engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple's privacy guidelines.
Uber told TechCrunch this afternoon that it still uses a form of this device fingerprinting, saying they need a way to identify those devices which committed fraud in the past -- especially in China, where Uber drivers used stolen iPhones to request dozens of rides from themselves to increase their pay rate. It's been modified to comply with Apple's rules, and "We absolutely do not track individual users or their location if they've deleted the app..." an Uber spokesperson said. "Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."

The article offers a longer biography of Kalanick, who dropped out of UCLA in 1998 to start a peer-to-peer music-sharing service named Scour. (The service eventually declared bankruptcy after being sued for $250 billion for alleged copyright infringement.) Desperately trying to save his next company, Kalanick "took the tax dollars from employee paychecks -- which are supposed to be withheld and sent to the Internal Revenue Service," according to the Times, "and reinvested the money into the start-up, even as friends and advisers warned him the action was potentially illegal." The money eventually reached the IRS as he "staved off bankruptcy for a second time by raising another round of funding." But the article ultimately argues that Kalanick's drive to win in life "has led to a pattern of risk-taking that has put his ride-hailing company on the brink of implosion."
Government

CIA, FBI Launch Manhunt For WikiLeaks Source (cbsnews.com) 179

An anonymous reader quotes CBS: CBS News has learned that a manhunt is underway for a traitor inside the Central Intelligence Agency. The CIA and FBI are conducting a joint investigation into one of the worst security breaches in CIA history, which exposed thousands of top-secret documents that described CIA tools used to penetrate smartphones, smart televisions and computer systems. Sources familiar with the investigation say it is looking for an insider -- either a CIA employee or contractor -- who had physical access to the material... Much of the material was classified and stored in a highly secure section of the intelligence agency, but sources say hundreds of people would have had access to the material. Investigators are going through those names.
Homeland security expert Michael Greenberger told one CBS station that "My best guest is that when this is all said and done we're going to find out that this was done by a contractor, not by an employee of the CIA."
Education

EFF Says Google Chromebooks Are Still Spying On Students (softpedia.com) 83

schwit1 quotes a report from Softpedia: In the past two years since a formal complaint was made against Google, not much has changed in the way they handle this. Google still hasn't shed its "bad guy" clothes when it comes to the data it collects on underage students. In fact, the Electronic Frontier Foundation says the company continues to massively collect and store information on children without their consent or their parents'. Not even school administrators fully understand the extent of this operation, the EFF says. According to the latest status report from the EFF, Google is still up to no good, trying to eliminate students privacy without their parents notice or consent and "without a real choice to opt out." This, they say, is done via the Chromebooks Google is selling to schools across the United States.
Botnet

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com) 87

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.
Crime

DOJ: Russian 'Superhacker' Gets 27 Years In Prison (thedailybeast.com) 50

According to the Justice Department, a 32-year-old Russian "superhacker" has been sentenced to 27 years in prison for stealing and selling millions of credit-card numbers, causing more than $169 million worth of damages to business and financial institutions. The Daily Beast reports: Roman Valeryevich Seleznev, 32, aka Track2, son of a prominent Russian lawmaker, was convicted last year on 38 counts of computer intrusion and credit-card fraud. "This investigation, conviction and sentence demonstrates that the United States will bring the full force of the American justice system upon cybercriminals like Seleznev who victimize U.S. citizens and companies from afar," said Acting Assistant Attorney General Kenneth Blanco said in a statement. "And we will not tolerate the existence of safe havens for these crimes -- we will identify cybercriminals from the dark corners of the Internet and bring them to justice."
Microsoft

Microsoft Improves Gmail Experience For Windows 10 Insiders, But There Are Privacy Concerns (betanews.com) 68

Reader BrianFagioli writes: Today, Microsoft announced a new Gmail experience for Windows 10. While only available for Windows Insiders as of today, it uses the same concept as the Outlook mobile app, but for the Mail and Calendar apps. Microsoft will provide you with an arguably improved experience as long as you are OK with storing all of your Gmail messages in Microsoft's cloud. What types of features will the new experience offer? Things such as tracking packages, getting updated on your favorite sports teams, and a focused inbox. "To power these new features, we'll ask your permission to sync a copy of your email, calendar and contacts to the Microsoft Cloud. This will allow new features to light up, and changes to update back and forth with Gmail -- such as creation, edit or deletion of emails, calendar events and contacts. But your experience in Gmail.com or apps from Google will not change in any way."
Microsoft

LinkedIn Apologizes For Trying To Connect Everyone In Real Life (vocativ.com) 70

LinkedIn has apologized for a vague new update that told some iPhone users its app would begin sharing their data with nearby users without further explanation. From a report: The update prompted outrage on Twitter after cybersecurity expert Rik Ferguson received a strange alert when he opened the resume app to read a new message: "LinkedIn would like to make data available to nearby Bluetooth devices even when you're not using the app." That gave Ferguson, vice president of research at the cybersecurity firm Trend Micro, a handful of concerns, he told Vocativ. Among them: "the lack of specificity, which data, when, under what conditions, to which devices, why does it need to happen when I'm not using the app, what are the benefits to me, where is the feature announcement and explanation, why wasn't it listed in the app update details." Reached for comment, LinkedIn said it's a mistake -- that some iPhone users were accidentally subject to undeveloped test feature the company is still working on.
Google

In The First Months of Trump Era, Facebook And Apple Spent More On Lobbying Than They Ever Have (buzzfeed.com) 52

An anonymous reader shares a report: According to federal lobbying disclosures filed Thursday, Facebook and Apple set their all-time record high for spending in a single quarter. Facebook spent $3.2 million lobbying the federal government in the first months of the Trump era. During the same period last year, Facebook spent $2.8 million (about 15% less). The company lobbied both chambers of Congress, the White House, and six federal agencies on issues including high-tech worker visas, network neutrality, internet privacy, encryption, and international taxation. Facebook was the 12th-highest spender out of any company and second-highest in tech. [...] Apple spent $1.4 million, which is just $50,000 more than during the final months of the Obama presidency, when it set its previous record, but the most it has ever spent in a single quarter. Apple lobbied on issues including government requests for data, the regulation of mobile health apps, and self-driving cars. Google, once again, outspent every other technology company. It was 10th overall, tallying $3.5 million.
Security

Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com) 37

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
Google

Google Home Now Recognizes Specific Users' Voices, Gains Support For Multiple Accounts (phonedog.com) 48

Google has issued a long-awaited feature for Google Home: support for multiple users. In an update rolling out today, up to six people will be able to connect their Google account to a Google Home, and the unit will try to distinguish each person's voice from the other users connected to the device. Therefore, each person will be able to get access to their schedule, playlists, and more. PhoneDog reports: Support for multiple users is rolling out in the U.S. now and will be available in the U.K. in the coming months. To know if the feature is available to you, launch the Google Home app and look for a card that says "Multi-user is available." You can also click the icon in the upper right corner, find your Google Home, and select "Link your account." From there, you'll train the Google Assistant to recognize your voice so that it knows it's you when you're talking and not the other people with connected accounts. You'll say "Ok Google" and "Hey Google" twice each.
Security

Mastercard is Building Fingerprint Scanners Directly Into Its Cards (fastcompany.com) 84

Mastercard said on Thursday it's beginning trials of its "next-generation biometric card" in South Africa. In addition to the standard chip and pin, the new cards have a built-in fingerprint reader that the user can use to authenticate every purchase. From a report: Impressively, the new card is no thicker or larger than your current credit and debit cards.
China

China To Question Apple About Live-Streaming Apps On App Store That Violate Internet Regulations (theguardian.com) 31

Three Chinese government agencies are planning to tell Apple to "tighten up checks" on live-streaming software offered on its app store, which can be used to violate internet regulation in the country. "Law enforcement officers had already met with Apple representatives over live-streaming services, [state news agency Xinhua reported], but did not provide details of the meetings," reports The Guardian. From the report: The inquiry appears to be focused on third-party apps available for download through Apple's online marketplace. The company did not respond to requests for comment. China operates the world's largest internet censorship regime, blocking a host of foreign websites including Google, Facebook, Twitter and Instagram, but the authorities have struggled to control an explosion in popularity of live-streaming video apps. As part of the inquiry into live-streaming, three Chinese websites -- toutiao.com, huoshanzhibo.com and huajiao.com -- were already found to have violated internet regulations, and had broadcast content that violated Chinese law, including providing "pornographic content," the Xinhua report said. Pornography is banned in China. The three sites were told to increase oversight of live-broadcasting services, user registration and "the handling of tips-offs." Two of the websites, huoshanzhibo.com and huajiao.com, were under formal investigation and may have their cases transferred to the police for criminal prosecutions, the Xinhua report said. Casting a wide net, the regulations state that apps cannot "engage in activities prohibited by laws and regulations such as endangering national security, disrupting social order and violating the legitimate rights and interests of others."
Communications

Microsoft's Skype Is Most Used Messaging Service For Cyber Criminals, Study Finds (securityledger.com) 57

chicksdaddy quotes a report from The Security Ledger: Cyber criminals lurk in the dark recesses of the internet, striking at random and then disappearing into the virtual ether. But when they want to talk shop with their colleagues, they turn to Redmond, Washington-based Microsoft and its Skype communications tools, according to an analysis by the firm Flashpoint. Mentions of different platforms were used as a proxy for gauging interest in and use of these messaging services. Flashpoint analysts looked, especially, for invitations to continue conversation outside of cyber criminal marketplaces, like references to ICQ accounts or other platforms. The survey results show that, out of a population of around 80 instant messenger platforms and protocols, a short list of just five platforms accounts for between 80% and 90% of all mentions within the cyber underground. Of those, Microsoft's Skype was the chat king. It ranked among the top five platforms across all language groups. That, despite the platform's lack of end-to-end encryption or forward secrecy features and evidence, courtesy of NSA hacker Edward Snowden, that U.S. spies may have snooped on Skype video calls in recent years, The Security Ledger reports. The conclusion: while security is a priority amongst thieves, it isn't the sole concern that cyber criminals and their associates have. In fact, sophisticated hacking communities like those in Russia to continue to rely on legacy platforms like ICQ when provably more secure alternatives exist. The reason? Business. "These cyber criminals have a lot of different options that they're juggling and a lot of factors that weigh on their options," said Leroy Terrelonge III, the Director of Middle East and Africa Research at Flashpoint. "We might suspect that cyber criminals use the most secure means of communication all the time, that's not what our research showed."
Piracy

Pirate Bay Founder Launches Anonymous Domain Registration Service (torrentfreak.com) 60

An anonymous reader quotes a report from TorrentFreak: Former Pirate Bay spokesperson and co-founder Peter Sunde has just announced his latest venture. Keeping up his fight for privacy on the Internet, he's launching a new company called Njalla, that helps site operators to shield their identities from prying eyes. The name Njalla refers to the traditional hut that Sami people use to keep predators at bay. It's built on a tall stump of a tree or pole and is used to store food or other goods. On the Internet, Njalla helps to keep people's domain names private. While anonymizer services aren't anything new, Sunde's company takes a different approach compared to most of the competition. With Njalla, customers don't buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust. A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.
Privacy

Bose Headphones Secretly Collected User Data, Lawsuit Reveals (fortune.com) 230

The audio maker Bose, whose wireless headphones sell for up to $350, uses an app to collect the listening habits of its customers and provide that information to third parties -- all without the knowledge and permission of the users, according to a lawsuit filed in Chicago. From a report: The complaint accuses Boston-based Bose of violating the WireTap Act and a variety of state privacy laws, adding that a person's audio history can include a window into a person's life and views. "Indeed, one's personal audio selections -- including music, radio broadcast, Podcast, and lecture choices -- provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity," says the complaint, noting a person's audio history may contain files like LGBT podcasts or Muslim call-to-prayer recordings.
Government

Trump Administration Kills Open.Gov, Will Not Release White House Visitor Logs (techdirt.com) 268

An anonymous reader quotes a report from Techdirt: It will never be said that the Trump presidency began with a presumption of openness. His pre-election refusal to release his tax returns set a bit of precedent in that regard. The immediate post-election muffling of government agency social media accounts made the administration's opacity goals um clearer. So, in an unsurprising move, the Trump administration will be doing the opposite of the Obama administration. The American public will no longer have the privilege of keeping tabs on White House visitors. TIME reports: "The Trump Administration will not disclose logs of those who visit the White House complex, breaking with his predecessor, the White House announced Friday. White House communications director Michael Dubke said the decision to reverse the Obama-era policy was due to 'the grave national security risks and privacy concerns of the hundreds of thousands of visitors annually.' Instead, the Trump Administration is relying on a federal court ruling that most of the logs are 'presidential records' and are not subject to the Freedom of Information Act." So, to further distance himself from the people he serves (and the people who elected him), Trump and his administration have shut down the transparency portal put in place by the previous Commander-in-Chief: "White House officials said the Administration is ending the contract for Open.gov, the Obama-era site that hosted the visitor records along with staff financial disclosures, salaries, and appointments. An official said it would save $70,000 through 2020 and that the removed disclosures, salaries and appointments would be integrated into WhiteHouse.gov in the coming months."
Microsoft

Microsoft Says Previous Windows Patches Fixed Newly Leaked NSA Exploits (pcworld.com) 48

Microsoft said it has already patched vulnerabilities revealed in last week's high-profile leak of suspected U.S. National Security Agency spying tools, meaning customers should be protected if they've kept their software up-to-date. From a report: Friday's leak caused concern in the security community. The spying tools include about 20 exploits designed to hack into old versions of Windows, such as Windows XP and Windows Server 2008. However, Microsoft said several patches -- one of which was made only last month -- address the vulnerabilities. "Our engineers have investigated the disclosed exploits, and most of the exploits are already patched," the company said in a blog post late on Friday. Three of the exploits found in the leak have not been patched but do not work on platforms that Microsoft currently supports, such as Window 7 or later and Exchange 2010 or later.
Government

GOP Congressman Defending Privacy Vote: 'Nobody's Got To Use The Internet' (washingtonpost.com) 304

Wisconsin congressman F. James Sensenbrenner Jr. defended his decision to help repeal broadband privacy rules by telling a constituent, "Nobody's got to use the Internet." An anonymous reader quotes the 73-year-old congressman: "And the thing is that if you start regulating the Internet like a utility, if we did that right at the beginning, we would have no Internet... Internet companies have invested an awful lot of money in having almost universal service now. The fact is is that, you know, I don't think it's my job to tell you that you cannot get advertising for your information being sold. My job, I think, is to tell you that you have the opportunity to do it, and then you take it upon yourself to make that choice... That's what the law has been, and I think we ought to have more choices rather than fewer choices with the government controlling our everyday lives."
"The congressman then moved on to the next question," reports The Washington Post, but criticism of his remarks appeared on social media. One activist complained that the congressman's position was don't use the internet if you don't want your information sold to advertisers -- drawing a clarification from the congressman's office.

"Actually he said that nobody has to use the Internet. They have a choice. Big difference."
Advertising

Burger King Won't Take a Hint; Alters TV Ad To Evade Google's Block (washingtonpost.com) 606

ewhac writes: Earlier this week, Burger King released a broadcast television ad that opened with an actor saying, "Ok, Google, what is the Whopper?" thereby triggering any Google Home device in hearing range to respond to the injected request with the first line from the Whopper's Wikipedia page. Google very properly responded to the injection attack by fingerprinting the sound sample and blocking it from triggering responses. However, it seems Burger King and/or its ad agency are either unwilling or congenitally incapable of getting the hint, and has released an altered version of the ad to evade Google's block. According to spokesperson Dara Schopp, BK regards the ad as a success, as it has increased the brand's "social conversation" on Twitter by some 300%. It seems that Burger King thinks that malware-laden advertising infesting webpages is a perfectly wonderful idea (in principle, at least), and has taken it to the next level by reaching through your TV speakers and directly messing with your digital devices. You may wish to consider alternate vendors for your burger needs.
Security

NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet (arstechnica.com) 109

An anonymous reader quotes a report from Ars Technica: The Shadow Brokers -- the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits -- just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world. Friday's release -- which came as much of the computing world was planning a long weekend to observe the Easter holiday -- contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and "slick" code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday's release contains several tools with the word "eternal" in their name that exploit previously unknown flaws in Windows desktops and servers.

Slashdot Top Deals