Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Advertising

Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year (softpedia.com) 102

An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users that surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might have actually been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.
Microsoft

Court Ruling Shows The Internet Does Have Borders After All (csoonline.com) 43

itwbennett writes: Microsoft's recent victory in court, when it was ruled that the physical location of the company's servers in Ireland were out of reach of the U.S. government, was described on Slashdot as being "perceived as a major victory for privacy." But J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP) has a different view of the implications of the ruling that speaks to John Perry Barlow's vision of an independent cyberspace: "By recognizing the jurisdictional boundaries of Ireland, it is possible that the Second Circuit Court created an incentive for other jurisdictions to require data to be held within their national boundaries. We have seen similar laws emerge in Russia -- they fall under a policy trend towards 'data localization' that has many cloud service and global organizations deeply concerned. Which leads to a tough question: what happens if every country tries to assert jurisdictional control over the web? Might we end up with a fractured web, a 'splinternet,' of lessening utility?"
Robotics

US Military Using $600K 'Drone Buggies' To Patrol Camps In Africa (cnbc.com) 56

An anonymous reader quotes a report from CNBC: The U.S. military is using an unmanned robotic vehicle to patrol around its camps in the Horn of Africa. The remote controlled vehicle is the result of a 30-year plan after military chiefs approved the concept of a robotic security system in 1985. Now the Mobile Detection Assessment and Response System, known as MDARS, are carrying out patrols in the east African country of Djibouti, under the control of the Combined Joint Task Force-Horn of Africa. The area is known as home to a number of hostile militant groups including the al-Qaeda-affiliated al-Shabaab. An operator sits in a remote location away from the vehicle watching the terrain via a camera link which is fixed to the chassis. U.S. military software engineer Joshua Kordanai said in a video presentation that the vehicle drives itself, freeing the remote operator to monitor video. "The vehicle has an intruder detection payload, consisting of radar, a night vision camera, a PTZ [pan-tilt-zoom] camera and two-way audio, so the system will be able to detect motion," he added. One report prices the cost of an earlier version of the military 'drone buggy' at $600,000 each.
The Courts

Judge Rules Political Robocalls Are Protected By First Amendment (onthewire.io) 168

Trailrunner7 quotes a report from On the Wire: A federal judge has ruled that robocalls made on behalf of political candidates are protected by the First Amendment and cannot be outlawed. The decision came in a case in Arkansas, where political robocalls had been illegal for more than 30 years. On Wednesday, U.S. District Court Judge Leon Holmes ruled that banning political robocalls amounts to an infringement of free speech protections and also constitutes prior restraint of speech. Political campaigns have been using robocalls for decades, and some states have sought to ban them, arguing that they are intrusive and violate recipients' privacy. In the Arkansas case, the state attorney general put forward both of these arguments, and also argued that the calls can tie up phone lines, making them unusable in an emergency. Holmes said in his decision that there was no evidence that political robocalls prevent emergency communications, and also said that the Arkansas statute should have banned all robocalls, not just commercial and political ones. "The statute at issue here imposes a content-based restriction on speech; it is not one of the rare cases that survives strict scrutiny. The state has failed to prove that the statute at issue advances a compelling state interest and is narrowly tailored to serve that interest," Holmes wrote.
Security

WhatsApp Isn't Fully Deleting Its 'Deleted' Chats (theverge.com) 59

Facebook-owned messaging app WhatsApp retains and stores chat logs even after those messages have been deleted, according to iOS researcher Jonathan Zdziarski. The Verge reports: Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place. In most cases, the data is marked as deleted by the app itself -- but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default. WhatsApp was applauded by many privacy advocates for switching to default end-to-end encryption through the Signal protocol, a process that completed this April. But that system only protects data in transit, preventing carriers and other intermediaries from spying on conversations as they travel across the network.
Chrome

Ask Slashdot: Best Browser Extensions -- 2016 Edition 177

Reader LichtSpektren writes: Almost eleven years ago, Slashdot featured an Ask titled "Favorite Firefox Extensions?". I thought it might be worthwhile to ask the question again (Editor's note: we couldn't agree more!), but expand the query to all web browsers now that there's more choices available.

Right now my main browser is Firefox, which I use with uBlock Origin, Disconnect, HTTPS Everywhere, Privacy Badger, NoScript, Self-Destructing Cookies, Decentraleyes, Privacy Settings, and Clean Links. (N.B. the first four of these are also available in Chromium-based browsers.) I use Chrome as a secondary browser, with the first four of the aforementioned extensions, plus also Clear Cache and occasionally Flashcontrol.

This one has nothing to do with security or privacy, but Reedy on Chromium is a really nice tool for speed reading.

What do you use?
Let's get this going.
Government

British Spy Agency GCHQ Used URL Shortener To Honeypot Arab Spring Activists (vice.com) 39

The British spy agency GCHQ used a custom URL shortener and Twitter sockpuppets to influence and infiltrate activists during the Iran revolution of 2009 and the Arab Spring of 2011, reports Motherboard, citing leaked documents by Edward Snowden. From the article: The GCHQ's special unit, known as the Joint Threat Research Intelligence Group or JTRIG, was first revealed in 2014, when leaked top secret documents showed it tried to infiltrate and manipulate -- using "dirty trick" tactics such as honeypots -- online communities including those of Anonymous hacktivists, among others. The group's tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014. A now-defunct free URL shortening service -- lurl.me -- was set up by GCHQ that enabled social media signals intelligence. Lurl.me was used on Twitter and other social media platforms for the dissemination of pro-revolution messages in the Middle East.
Crime

Gary Johnson: I'd Consider Pardoning Snowden, Chelsea Manning (vocativ.com) 248

An anonymous reader writes from a report via Vocativ: [Vocativ reports:] "The U.S.'s most popular third-party presidential candidate says he would 'consider' pardoning the highest profile convicts of computer-related crimes in the country, including Chelsea Manning, Ross Ulbricht, and Jeremy Hammond. Libertarian candidate Gary Johnson, a former governor of New Mexico, also reiterated his possible willingness to pardon Edward Snowden, the former National Security Agency analyst who gave a cache of agency documents to journalists in 2013." "Having actually served as a governor and administered the power to grant pardons and clemency, Gary Johnson is very conscious and respectful of the need for processes for using that authority," Joe Hunter, Johnson's communications director, told Vocativ in a statement. "However, he has made it clear on numerous occasions that he would 'look seriously at' pardoning Edward Snowden, based on public information that Snowden's actions did not cause actual harm to any U.S. intelligence personnel. Likewise, he has said he would look favorably on pardoning Ross Ulbricht, consistent with his broader and long-standing commitment to pardon nonviolent drug offenders, whistleblowers, and others imprisoned under unjust and ill-advised laws," Hunter said. When Vocativ asked specifically about Chelsea Manning, Jeremy Hammond, Barrett Brown, and Matthew Keys, Hunter responded: "The same goes for the other individuals you have mentioned -- and hundreds, if not thousands, like them. Gov. Johnson finds it to be an outrage that the U.S. has the highest incarceration rate in the developed world, and announced in 2012 that, as President, he would promptly commence the process of pardoning nonviolent offenders who have done no real harm to others." The Green Party candidate Jill Stein has also shared her thoughts on pardoning Edward Snowden and Chelsea Manning. Not only would she pardon Snowden, but she said she would appoint him to her cabinet.
Democrats

WikiLeaks Releases Hacked Voicemails From DNC Officials (thenextweb.com) 175

An anonymous reader writes: Late Wednesday afternoon as the Democratic National Convention was in full swing, Julian Assange and WikiLeaks decided to follow through with an earlier statement by publishing hacked voicemails of top democratic officials. There are 29 leaked recordings, which are identified by phone number and total about 14 minutes combined. Many of the voicemails are messages of callers leaving their numbers in hopes of being called back. Others are from voters upset that the DNC was giving too much support to Sanders. The Hill reports that "One caller with an Arizona area code called to blast the DNC for putting Sanders surrogate Cornel West on the platform drafting committee. 'I'm furious for what you are doing for Bernie Sanders,' another caller says in a message. 'He's getting way too much influence. What I see is the Democratic Party bending over backwards for Bernie,' adds the caller, who threatens to leave the party if the DNC doesn't stop 'coddling' the Vermont senator."
Privacy

Using VPN in UAE Could Cost You $545,000 (businessinsider.com) 109

An anonymous reader writes: The President of the United Arab Emirates has issued a series of new federal laws relating to IT crimes, including a regulation that forbids anyone in the UAE from making use of virtual private networks to secure their web traffic from prying eyes. The new law states that anyone who uses a VPN or proxy server can be imprisoned and fined between $136,000-$545,000 if they are found to use VPNs fraudulently. Previously, the law was restricted to prosecuting people who used VPNs as part of an internet crime, but UK-based VPN and privacy advocate Private Internet Access says that the law has now changed to enable police in the UAE to go after anyone who uses VPNs to access blocked services, which is considered to be fraudulent use of an IP address.
Crime

Tor Project Confirms Sexual Misconduct By Developer Jacob Appelbaum (theverge.com) 399

An anonymous reader quotes a report from The Verge: The Tor Project, a nonprofit known for its online anonymity software, says it has verified claims that former employee Jacob Appelbaum engaged in "sexually aggressive behavior" with people inside and outside of its organization. "We have confirmed that the events did take place as reported," Shari Steele, Tor's executive director, tells The Verge. In a blog post today, Steele says that Tor began an investigation into Appelbaum's behavior after several people came forward with allegations of misconduct in late May. In a statement made in June, he said the allegations were "entirely false." He resigned from the Tor Project in May. "I want to thank all the people who broke the silence around Jacob's behavior," Steele writes. "It is because of you that this issue has now been addressed. I am grateful you spoke up, and I acknowledge and appreciate your courage." Steele says that Tor is now implementing a new anti-harassment policy, as well as a process for submitting complaints and having them reviewed. The changes will be put in place this week. Tor also announced last month that it would replace its entire board of directors.
Security

Rio Olympics Will Be First Sporting Event Watched By 'Eye In The Sky' Drone Cameras (fastcompany.com) 33

tedlistens quotes a report from Fast Company: When the Olympic Games begin next month in Rio de Janeiro, billions of people are expected to watch athletes from countries around the world compete. But also watching over the Olympic and Paralympic events will be a set of futuristic, balloon-mounted surveillance camera systems capable of monitoring a wide swath of the city in high resolution and in real-time. Initially developed for use by U.S. forces in Iraq and Afghanistan by Fairfax, Virginia-based Logos Technologies, the technology is sold under the name Simera, and offers live aerial views of a large area, or what the company calls 'wide-area motion imagery,' captured from a balloon tethered some 200 meters above the ground. The system's 13 cameras make it possible for operators to record detailed, 120-megapixel imagery of the movement of vehicles and pedestrians below in an area up to 40 square kilometers, depending on how high the balloon is deployed, and for up to three days at a time. The Rio Olympics marks the "first time [Simera] will be deployed by a non-U.S. government at a large-scale event," according to the company. Simera is being compared to a live city-wide Google Maps combined with TiVo, as it can let law enforcement view ground-level activities in real time in addition to letting them rewind through saved images. Doug Rombough, Logo's vice president of business development, says the image clarity is not good enough to make out individual faces or license plate numbers, though it is clear enough to follow individual people and vehicles around the city. "However, a higher resolution video camera attached to the same balloon, which captures images at 60 times that of full HD resolution, or 15 times 4K, at three frames per second, will allow operators to get a closer look at anything or anyone that looks suspicious," reports Fast Company.
Iphone

New York DA Wants Apple, Google To Roll Back Encryption (tomsguide.com) 254

An anonymous reader writes: Manhattan District Attorney Cyrus Vance Jr. called on Apple and Google to weaken their device encryption, arguing that thousands of crimes remained unsolved because no one can crack into the perpetrators' phones. Vance, speaking at the International Conference on Cyber Security here, said that law enforcement officials did not need an encryption "backdoor," sidestepping a concern of computer-security experts and device makers alike. Instead, Vance said, he only wanted the encryption standards rolled back to the point where the companies themselves can decrypt devices, but police cannot. This situation existed until September 2014, when Apple pushed out iOS 8, which Apple itself cannot decrypt. "Tim Cook was absolutely right when he told his shareholders that the iPhone changed the world," Vance said. "It's changed my world. It's letting criminals conduct their business with the knowledge we can't listen to them."
Privacy

Trump Calls For Russia To Cyber-Invade the United States To Find Clinton's 'Missing' Emails (gawker.com) 1004

Republican presidential nominee Donald Trump publicly called on the Russian hackers allegedly responsible for the recent leak of DNC emails to launch another cyber-attack on the United States, this time to hack emails from Hillary Clinton's tenure as secretary of State, according to reporters who attended the press conference Wednesday. (Alternate source: NYTimes, Quartz, and MotherJones) "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing," Trump said. "I think you will probably be rewarded mightily by our press."

Clinton came under investigation for her use of a personal email address while serving as secretary of state. After turning over to the FBI all correspondence about government business during her years in the State Department, Clinton revealed at a press conference last year that she had deleted about half of her emails that pertained to personal matters, like her daughter's wedding. Attorney General Loretta Lynch ultimately decided not to pursue criminal charges against Clinton. Update: Here's a video of Trump saying that.
Communications

NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com) 147

An anonymous reader writes: "The U.S. National Institute for Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA)," reports Softpedia. The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in possession of the phone number, and because in the case of VoIP connections, SMS messages may be intercepted and not delivered to the phone. The guideline recommends the usage of tokens and software cryptographic authenticators instead. Even biometrics authentication is considered safe, under one condition: "Biometrics SHALL be used with another authentication factor (something you know or something you have)," the guideline's draft reads. The NIST DAG draft reads in part: "If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
Security

Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk) 42

An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code made publicly available by a bounty-hunter for everyone to see. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)."
Security

Researchers Discover 110 Snooping Tor Nodes (helpnetsecurity.com) 45

Reader Orome1 writes: In a period spanning 72 days, two researchers from Northeastern University have discovered at least 110 "misbehaving" and potentially malicious hidden services directories (HSDirs) on the Tor anonymity network. "Tor's security and anonymity is based on the assumption that the large majority of its relays are honest and do not misbehave. Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs)," Professor Guevara Noubir and Ph.D. student Amirali Sanatinia explained. "Bad" HSDirs can be used for a variety of attacks on hidden services: from DoS attacks to snooping on them.
Iphone

Suspect Required To Unlock iPhone Using Touch ID in Second Federal Case (9to5mac.com) 231

An anonymous reader shares a report on 9to5Mac: A second federal judge has ruled that a suspect can be compelled to unlock their iPhone using their fingerprint in order to give investigators access to data which can be used as evidence against them. The first time this ever happened in a federal case was back in May, following a District Court ruling in 2014. The legal position of forcing suspects to use their fingerprints to unlock devices won't be known with certainty until a case reaches the U.S. Supreme Court, but lower court rulings so far appear to establish a precedent which is at odds with that concerning passcodes. Most constitutional experts appear to believe that the Fifth Amendment prevents a suspect from being compelled to reveal a password or passcode, as this would amount to forced self-incrimination -- though even this isn't certain. Fingerprints, in contrast, have traditionally been viewed as 'real or physical evidence,' meaning that police are entitled to take them without permission.Ars Technica has more details.
Microsoft

Microsoft Can't Shield User Data From Government, Says Government (bloomberg.com) 190

Microsoft is now arguing in court that their customers have a right to know when the government is reading their e-mail. But "The U.S. said federal law allows it to obtain electronic communications without a warrant or without disclosure of a specific warrant if it would endanger an individual or an investigation," according to Bloomberg. An anonymous reader quotes their report: The software giant's lawsuit alleging that customers have a constitutional right to know if the government has searched or seized their property should be thrown out, the government said in a court filing... The U.S. says there's no legal basis for the government to be required to tell Microsoft customers when it intercepts their e-mail... The Justice Department's reply Friday underscores the government's willingness to fight back against tech companies it sees obstructing national security and law enforcement investigations...

Secrecy orders on government warrants for access to private e-mail accounts generally prohibit Microsoft from telling customers about the requests for lengthy or even unlimited periods, the company said when it sued. At the time, federal courts had issued almost 2,600 secrecy orders to Microsoft alone, and more than two-thirds had no fixed end date, cases the company can never tell customers about, even after an investigation is completed.

United States

New Illinois Law Limits Police Use Of Cellphone-Tracking Stingray (go.com) 34

An anonymous Slashdot reader quotes a report from ABC News: A new Illinois law limits how police can use devices that cast a wide net in gathering cellphone data... [Stingray] gathers phone-usage data on targets of criminal investigations, but it also gathers data on other cellphones -- hundreds or even thousands of them -- in the area. The new law requires police to delete the phone information of anyone who wasn't an investigation target within 24 hours. It also prohibits police from accessing data for use in an investigation not authorized by a judge.

A dozen other states have adopted such regulations, and Congress is considering legislation that would strengthen federal guidelines already in place... Privacy advocates worry that without limits on how much data can be gathered or how long it can be stored, law enforcement could use the technology to build databases that track the behavior and movement of people who are not part of criminal investigations.

Earlier this month a U.S. judge threw out evidence gathered with Stingray for the first time, saying that without a search warrant, "the government may not turn a citizen's cell phone into a tracking device." The ACLU has identified 66 agencies in 24 states using Stingray technology, "but because many agencies continue to shroud their purchase and use of stingrays in secrecy, this map dramatically underrepresents the actual use of stingrays by law enforcement agencies nationwide."

Slashdot Top Deals