Security

Big Vulnerability In Hotel Wi-Fi Router Puts Guests At Risk

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel's reservation and keycard systems. The vulnerability, which was discovered by Justin W. Clarke of the security firm Cylance, gives attackers read-write access to the root file system of the ANTlabs devices. The discovery of the vulnerable systems was particularly interesting to them in light of an active hotel hacking campaign uncovered last year by researchers at Kaspersky Lab. In that campaign, which Kaspersky dubbed DarkHotel.
Australia

Australia Passes Mandatory Data Retention Law

Posted by timothy
from the what's-in-the-box dept.
Bismillah writes Opposition from the Green Party and independent members of parliament wasn't enough to stop the ruling conservative Liberal-National coalition from passing Australia's new law that will force telcos and ISPs to store customer metadata for at least two years. Journalists' metadata is not exempted from the retention law, but requires a warrant to access. The metadata of everyone else, however, can be accessed by unspecified government agencies without a warrant.
Businesses

RadioShack Puts Customer Data Up For Sale In Bankruptcy Auction

Posted by samzenpus
from the names-and-numbers dept.
itwbennett writes For years, RadioShack made a habit of collecting customers' contact information at checkout. Now, the bankrupt retailer is putting that data on the auction block. A list of RadioShack assets for sale includes more than 65 million customer names and physical addresses, and 13 million email addresses. Bloomberg reports that the asset sale may include phone numbers and information on shopping habits as well. New York's Attorney General says his office will take 'appropriate action' if the data is handed over.
Transportation

Uber To Turn Into a Big Data Company By Selling Location Data

Posted by Soulskill
from the yellow-cabs-looking-slightly-less-unappealing dept.
Presto Vivace sends news that Uber has entered into a partnership with Starwood Hotels that hooks accounts from both companies together. If you're a customer of both, you'll get a small benefit when chartering Uber rides, but the cost is that Uber will share all their data on you with Starwood. The article says, "This year, we are going to see the transformation of Uber into a big data company cut from the same cloth as Google, Facebook and Visa – using the wealth of information they know about me and you to deliver new services and generate revenue by selling this data to others. ... Uber can run the same program with airlines, restaurants, nightclubs, bars – every time you go from point A to point B in an Uber, 'A', 'B' or both represent a new potential consumer of your data. ... Uber knows the hot nightclubs, best restaurants and most obviously now has as much data about traffic patterns as Waze (which coincidentally trades data with local governments). Combining Uber's data with the very-personal data that customers are willing to give up in exchange for benefits, means that Uber can, and is, on its way to becoming a Big Data company."
Privacy

Public Records Request Returns 4.6M License Plate Scans From Oakland PD

Posted by Soulskill
from the i-know-where-you-drove-last-summer dept.
schwit1 points out a report from Ars Technica on how they used a public records request to acquire an entire License Plate Reader dataset from the Oakland Police Department. The dataset includes 4.6 million total reads from 1.1 million unique plates. They built a custom visualization tool to demonstrate how this data could be abused. "For instance, during a meeting with an Oakland city council member, Ars was able to accurately guess the block where the council member lives after less than a minute of research using his license plate data. Similarly, while 'working' at an Oakland bar mere blocks from Oakland police headquarters, we ran a plate from a car parked in the bar's driveway through our tool. The plate had been read 48 times over two years in two small clusters: one near the bar and a much larger cluster 24 blocks north in a residential area—likely the driver's home." Though the Oakland PD has periodically deleted data to free up space — the 4.6 million records were strewn across 18 different Excel spreadsheets with hundreds of thousands of lines each — there is no formal retention limit.
Government

$1B TSA Behavioral Screening Program Slammed As "Junk Science"

Posted by timothy
from the little-here-a-little-there dept.
schwit1 writes The Transportation Security Administration has been accused of spending a billion dollars on a passenger-screening program that's based on junk science. The claim arose in a lawsuit filed by the American Civil Liberties Union, which has tried unsuccessfully to get the TSA to release documents on its SPOT (Screening Passengers by Observation Techniques) program through the Freedom of Information Act. SPOT, whose techniques were first used in 2003 and formalized in 2007, uses "highly questionable" screening techniques, according to the ACLU complaint, while being "discriminatory, ineffective, pseudo-scientific, and wasteful of taxpayer money." TSA has spent at least $1 billion on SPOT. The Government Accountability Office (GAO) reported in 2010 that "TSA deployed SPOT nationwide before first determining whether there was a scientifically valid basis for using behavior detection and appearance indicators as a means for reliably identifying passengers as potential threats in airports," according to the ACLU. And in 2013, GAO recommended that the agency spend less money on the program, which uses 3,000 "behavior detection officers" whose job is to identify terrorists before they board jetliners.
Security

Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping

Posted by samzenpus
from the protect-ya-neck dept.
Bismillah writes Cisco has confirmed that its SPA300 and SPA500 are vulnerable to remote eavesdropping and dialing, and is working on a patch. Meanwhile, the advice is not to have the phones on internet-facing connections. From the article: "Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5. An attacker can send a specially crafted Extended Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams. Successful exploits could be used to conduct further attacks, Cisco warned. Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low 'harassment' severity rating."
United Kingdom

UK Government Admits Intelligence Services Allowed To Break Into Any System

Posted by samzenpus
from the whenever-we-feel-like-it dept.
An anonymous reader writes Recently, Techdirt noted that the FBI may soon have permission to break into computers anywhere on the planet. It will come as no surprise to learn that the U.S.'s partner in crime, the UK, granted similar powers to its own intelligence services some time back. What's more unexpected is that it has now publicly said as much, as Privacy International explains: "The British Government has admitted its intelligence services have the broad power to hack into personal phones, computers, and communications networks, and claims they are legally justified to hack anyone, anywhere in the world, even if the target is not a threat to national security nor suspected of any crime." That important admission was made in what the UK government calls its "Open Response" to court cases started last year against GCHQ.
The Military

Islamic State Doxes US Soldiers, Airmen, Calls On Supporters To Kill Them

Posted by samzenpus
from the directions-to-a-murder dept.
An anonymous reader writes in with this story about the latest weapon used by ISIS: doxing. "Middle East terrorist organization Islamic State (ISIS) has called on its followers to take the fight to 100 members of the United States military residing in the US. A group calling itself the 'Islamic State Hacking Division' has posted names, addresses, and photographs of soldiers, sailors, and airmen online, asking its 'brothers residing in America' to murder them, according to Reuters. Although the posting purports to come from the 'Hacking Division,' US Department of Defense officials say that none of their systems appear to have been breached by the group. Instead, the personal data was almost certainly culled from publicly available sources, a DoD official told the New York Times on the condition of anonymity."
The Almighty Buck

DuckDuckGo Donates $100,000 Among Four FOSS Projects

Posted by samzenpus
from the have-a-little-cash dept.
jones_supa writes As is the search engine company's annual habit, DuckDuckGo has chosen to advance four open source projects by donating to them. The primary focus this year was to support FOSS projects that bring privacy tools to anyone who needs them. $25,000 goes to The Freedom of the Press Foundation to support SecureDrop, which is a whistleblower submission system used to securely accept documents from anonymous sources. The Electronic Frontier Foundation was given $25,000 to support PrivacyBadger, which is a browser add-on that stops advertisers and other third-party trackers from secretly tracking your surfing habits. Another $25,000 arrives at GPGTools to support GPG Suite, which is a software package for OS X that encrypts files or messages. Finally, $25,000 was donated to Riseup to support Tails, which is a live operating system that aims at preserving your privacy and anonymity.
IBM

A Sucker Is Optimized Every Minute

Posted by timothy
from the straight-to-godwin dept.
theodp writes Now that we have hard data on everything, observes the NY Times' Virginia Heffernan in A Sucker Is Optimized Every Minute, we no longer make decisions from our hearts, guts or principles. "The gut is dead," writes Heffernan. "Long live the data, turned out day and night by our myriad computers and smart devices. Not that we trust the data, as we once trusted our guts. Instead, we 'optimize' it. We optimize for it. We optimize with it." To win Presidential elections. To turn web pages into Googlebait. To sucker people into registering for websites. Of the soon-to-arrive Apple Watch, Heffernan notes: "After time keeping, the watch's chief feature is 'fitness tracking': It clocks and stores physiological data with the aim of getting you to observe and change your habits of sloth and gluttony. Evidently I wasn't the only one whose thoughts turned to 20th-century despotism: The entrepreneur Anil Dash quipped on Twitter, albeit stretching the truth, 'Not since I.B.M. sold mainframes to the Nazis has a high-tech company embraced medical data at this scale.'"
Communications

Taxi Apps Accused of Facilitating Sexual Harassment In Brazil

Posted by timothy
from the just-need-you-to-complete-this-form dept.
New submitter André Costa writes The companies responsible for taxi apps Easy Taxi and 99Taxis are being accused of making it too easy for taxi drivers to harass female customers (some news reports — in Portuguese — can be found here, here and here). These apps currently disclose information such as the client's name, cell phone and address to the driver. One customer who started being harassed through offensive text messages after a ride started an online petition demanding that the companies take effective measures to protect female customers. The petition has already collected more than 27,000 signatures, and both Easy Taxi and 99Taxis have already announced that they will implement features that will protect clients' privacy. At first, users will be allowed to choose if they want their phone numbers to be disclosed. Within a couple of months, both companies said they will provide VOIP calls, which will eliminate the need to exchange phone numbers.
Security

How 'The Cloud' Eats Away at Your Online Privacy (Video)

Posted by Roblimo
from the it-seems-the-network-is-the-computer-after-all dept.
Tom Henderson, Principal Researcher at ExtremeLabs Inc., is not a cloud fan. He is a staunch privacy advocate, and this is the root of his distrust of companies that store your data in their memories instead of yours. You can get an idea of his (dis)like of vague cloud privacy protections and foggy vendor service agreements from the fact that his Network World column is called Thumping the Clouds. We called Tom specifically to ask him about a column entry titled The downside to mass data storage in the cloud.

Today's video covers only part of what Tom had to say about cloud privacy and information security, but it's still an earful and a half. His last few lines are priceless. Watch and listen, or at least read the transcript, and you'll see what we mean.
Canada

Defending Privacy Doesn't Pay: Canadian Court Lets Copyright Troll Off the Hook

Posted by Soulskill
from the pennies-for-personal-data dept.
An anonymous reader writes: A Canadian court has issued its ruling on the costs (PDF) in the Voltage — TekSavvy case, a case involving the demand for the names and addresses of thousands of TekSavvy subscribers by Voltage on copyright infringement grounds. Last year, the court opened the door to TekSavvy disclosing the names and addresses, but also established new safeguards against copyright trolling in Canada. The court awarded only a fraction of the costs sought by TekSavvy, which sends a warning signal to ISPs that getting involved in these cases can lead to significant costs that won't be recouped. That is a bad message for privacy. So is the likely outcome for future cases (should they arise), with subscribers left with fewer notices and less information from their ISP given the costs involved and the court's decision not to compensate for those costs.
United States

Leaked Document Reveals Upcoming Biometric Experiments At US Customs

Posted by samzenpus
from the scan-me dept.
sarahnaomi sends word of new biometric technologies coming to U.S. entry points. "The facial recognition pilot program launched last week by U.S. Customs and Border Protection, which civil liberties advocates say could lead to new potentially privacy-invading programs, is just the first of three biometric experiments that the feds are getting ready to launch. The three experiments involve new controversial technologies like iris and face scanner kiosks, which CBP plans to deploy at the Mexican border, and facial recognition software, according to a leaked document obtained by Motherboard. All three pilots are part of a broader Customs and Border Protection program to modernize screenings at American entry and exit ports, including at the highly politicized Mexican border, with the aid of new biometric technologies. The program is known as Apex Air Entry and Exit Re-Engineering Project, according to the leaked slides. These pilot programs have the goal of 'identifying and implementing' biometric technologies that can be used at American borders to improve the immigration system as well as US national security, according to the slides."
Security

Target To Pay $10 Million In Proposed Settlement For 2013 Data Breach

Posted by samzenpus
from the pay-up dept.
itwbennett writes Target has agreed to pay $10 million in a proposed settlement to a class-action lawsuit stemming from its massive 2013 data breach, which affected as many as 110 million people. Individual victims could receive up to $10,000. The proposed settlement also includes measures to better protect the customer data that Target collects, according to documents filed with the U.S. District Court, District of Minnesota.
Government

NZ Customs Wants Power To Require Passwords

Posted by samzenpus
from the papers-please dept.
First time accepted submitter Orange Roughy writes New Zealand customs are seeking powers to obtain passwords and encryption keys for travelers. Supposedly they will only act to obtain credentials if they were acting on 'some intelligence or observation of abnormal behaviour.' People who refuse to hand over credentials could face up to three months' jail time. From the story: "Customs boss Carolyn Tremain has told MPs the department would only request travellers hand over passwords to their electronic devices if it had a reason to be suspicious about what was on them. The department unleashed a furore last week when it said in a discussion paper that it should be given unrestricted power to force people to divulge passwords to their smartphones and computers at the border. That would be without Customs officials having to show they had any grounds for suspicion."
Businesses

Amazon Wins US Regulators' Approval To Test-fly Drone

Posted by samzenpus
from the dropping-your-package dept.
mpicpp sends word that Amazon drones may soon deliver your packages. "Amazon.com Inc has won U.S. federal regulators' approval to test a delivery drone, as the e-commerce giant pursues a vision of speeding packages to customers through the air amid public concern over the safety and privacy implications. The Federal Aviation Administration said on Thursday it had issued an experimental airworthiness certificate to an Amazon unit and its prototype drone design, allowing it to conduct outdoor test flights on private, rural land in Washington state. The experimental certificate applies to a particular drone design and Amazon must obtain a new certification for test flights if it modifies the drone. In return, the company must supply monthly data to the regulators, and conduct flights at 400 feet (120 meters) or below and in 'visual meteorological conditions,' according to the FAA's certificate. The drone operators must also have a private pilots' license and current medical certification."
Privacy

Google: Our New System For Recognizing Faces Is the Best

Posted by timothy
from the sorry-not-yet-april-fool's dept.
schwit1 writes Last week, a trio of Google researchers published a paper on a new artificial intelligence system dubbed FaceNet that it claims represents the most accurate approach yet to recognizing human faces. FaceNet achieved nearly 100-percent accuracy on a popular facial-recognition dataset called Labeled Faces in the Wild, which includes more than 13,000 pictures of faces from across the web. Trained on a massive 260-million-image dataset, FaceNet performed with better than 86 percent accuracy.

The approach Google's researchers took goes beyond simply verifying whether two faces are the same. Its system can also put a name to a face—classic facial recognition—and even present collections of faces that look the most similar or the most distinct.
Every advance in facial recognition makes me think of Paul Theroux's dystopian Ozone.
Security

Persistent BIOS Rootkit Implant To Debut At CanSecWest

Posted by timothy
from the deep-in-the-tunnels dept.
msm1267 writes Research on new BIOS vulnerabilities and a working rootkit implant will be presented on Friday at the annual CanSecWest security conference. An attacker with existing remote access on a compromised computer can use the implant to turn down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed. The devious part of the exploit is that the researchers have found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure and privacy focused operating systems such as Tails in the line of fire of the implant.

Their implant, the researchers said, is able to scrape the secret PGP key Tails uses for encrypted communication, for example. It can also steal passwords and encrypted communication. The implant survives OS re-installation and even Tails' built-in protections, including its capability of wiping RAM.