An anonymous reader quotes a report from Krebs on Security: Panerabread.com, the website for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records -- including names, email and physical addresses, birthdays and the last four digits of the customer's credit card number -- for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned. The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.

Another data point exposed in these records included the customer's Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts. It is not clear yet exactly how many Panera customer records may have been exposed by the company's leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It's also unclear whether any Panera customer account passwords may have been impacted. In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with [security researcher Dylan Houlihan, who originally notified Panera about customer data leaking from its website back on August 2, 2017].

The government of Ecuador said on Wednesday it has cut off internet access in its embassy in London to Julian Assange, the founder of the whistleblowing site WikiLeaks, saying that he was putting the country's international relations at risk. In a statement released on Wednesday, Ecuador said that the step had been taken because Assange had failed to abide by an agreement not to interfere in the South American country's relations with other states. From a report: As part of an agreement between Assange and the Ecuadorean government, he is not permitted to send any messages that could interfere with the South American nation's relations with other countries. Assange has been living in Ecuador's embassy for more than five years.

Paul Sawers, writing for VentureBeat: On Tuesday, Mozilla announced a new tool it said will help keep Facebook from tracking your browsing across the web. The Facebook Container add-on for Firefox promises to make it "much harder" for Facebook to track you when you're not on its site. Mozilla has been working on the technology for several years already, accelerating its development in response to what it called a "growing demand for tools that help manage privacy and security," according to a statement issued by Mozilla today.

Most people are probably aware that data they directly give to Facebook -- such as "liking" a Page or updating their relationship status -- may be sold to advertisers. But fewer people know that Facebook can also track their activities on other websites that have integrated with aspects of Facebook's tracking technology, such as the pervasive "Like" button. And it's in this scenario that Mozilla is now hoping to play the good guy.

Eccentric Megaupload founder Kim Dotcom has won a major court battle today in his ongoing fight against his extradition from New Zealand to the U.S. From a report: German-born Dotcom faces extradition to the United States relating to his Megaupload site, which was shut down in 2012 following an FBI-ordered raid on his Auckland mansion. U.S. authorities say Dotcom and three co-accused Megaupload executives cost film studios and record companies more than $500 million and generated more than $175 million by encouraging paying users to store and share copyrighted material. Dotcom, who has New Zealand residency, is fighting those charges and the extradition. The Human Rights Review Tribunal awarded Dotcom damages of NZ$30,000 ($21,816) for the "loss of a benefit" and NZ$60,000 for "loss of dignity and injury to feelings."

Just 1 percent of all Reddit communities set off 74 percent of all conflicts on the site, a new research has found. The Outline: In the self-published research from Srijan Kumar, Jure Leskoec, William Hamilton, and Dan Jurafsky of Stanford University, "intercommunity conflict" is defined as "negative sentiment to comment in another community." These users wouldn't necessarily qualify as trolls or sockpuppets; they're instigators, posting links to other subreddits and encouraging other users to target, harass, and fight with users on that subreddit.

An anonymous reader quotes a report from ZDNet: Firefox maker Mozilla has outlined its 2018 roadmap to make the web less intrusive and safer for users. First up, Mozilla says it will proceed and implement last year's experiment with a breach alerts service, which will warn users when their credentials have been leaked or stolen in a data breach. Mozilla aims to roll out the service around October. Breach Alerts is based on security consultant Troy Hunt's data breach site Have I Been Pwned. Firefox will also implement a similar block on autoplay video to the one Chrome 66 will introduce next month, and that Safari already has. However, Dotzler says Firefox's implementation will "provide users with a way to block video auto-play that doesn't break websites". This feature is set to arrive in Firefox 62, which is scheduled for release in May.

After Firefox 62 the browser will gain an optional Chrome-like ad filter and several privacy-enhancing features similar to those that Apple's WebKit developers have been working on for Safari's Intelligent Tracking Prevention. By the third quarter of 2018, Firefox should also be blocking ad-retargeting through cross-domain tracking. It's also going to move all key privacy controls into a single location in the browser, and offer more "fine-grained" tracking protection. Dotzler says Mozilla is in the "early stages" of determining what types of ads Firefox should block by default. Also on the roadmap is a feature that arrived in Firefox 59, released earlier this month. A new Global Permissions feature will help users avoid having to deny every site that requests permission for location, camera, microphone and notifications. Beyond security and privacy, Mozilla plans to build on speed-focused Quantum improvements that came in Firefox 57 with smoother page rendering.

An anonymous reader shares a report: It may be a while since you've heard the handle "Guccifer 2.0," the hacker who took responsibility for the infamous DNC hack of 2016. Reports from the intelligence community at the time, as well as common sense, pegged Guccifer 2.0 not as the Romanian activist he claimed to be, but a Russian operative. Evidence has been scarce, but one slip-up may have given the game away. An anonymous source close to the U.S. government investigation of the hacker told the Daily Beast that on one single occasion, Guccifer 2.0 failed to log into the usual VPN that disguised their traffic. As a result, they left one honest IP trace at an unnamed social media site.

That IP address, "identified Guccifer 2.0 as a particular GRU officer working out of the agency's headquarters on Grizodubovoy Street in Moscow," the Daily Beast reported. (The GRU is one of the Russia's security and intelligence organs.) Previous work by security researchers had suggested this, but it's the first I've heard of evidence this direct. Assuming it's genuine, it's a sobering reminder of how fragile anonymity is on the internet -- one click and the whole thing comes crashing down.

CaptainDork shares a report from BuzzFeed: A British gun enthusiast whose friends were banned from Facebook for posting pictures of firearms has started his own version of the site for gun lovers. Called Gunbook, it was set up by David Scott, a 57-year-old shooting instructor who lives in Kilsyth, 20 miles from Dunblane. It went live three weeks ago and he says it already has more than 1,000 members, around 60 of whom are from the U.S. Scott admitted that part of the attraction of the site for members was that they could post about their love of deadly weapons without being judged by family and friends. "Quite a lot want to talk about guns and shooting and target shooting and their families can see and often people comment. Gunbook is the place where people can talk about guns without their families seeing because a lot of people have got anti-shooting and anti-hunting friends on these sites."

Many of the profile pictures on the site show people standing in striking poses with guns -- or are simply a picture of their arsenal. And just like any other social media platform, much of the content that has quickly populated the Facebook clone ends up being videos and memes. In contrast, his site is loosely controlled and encourages a community around gun ownership. It has two admins but reassures users in a Q&A on the site that "they will generally just leave you all to get on with things." It adds later that "they will never interfere [in a group] unless a post gets reported and even then only racist and really dodgy ones will get looked at if reported. Please do NOT upload porn videos to our servers though ;0."

An anonymous reader quotes a report from TorrentFreak: For many years, KeepVid has been a prime destination for people who wanted to download videos from YouTube, Dailymotion, Facebook, Vimeo, and dozens of other sites. The web application was free and worked without any hassle. This was still the case earlier this month when the site advertised itself as follows: "KeepVid Video Downloader is a free web application that allows you to download videos from sites like YouTube, Facebook, Twitch.Tv, Vimeo, Dailymotion and many more." However, a few days ago the site radically changed its course. While the motivation is unknown at the time, KeepVid took its popular video download service offline without prior notice. Today, people can no longer use the KeepVid site to download videos. On the contrary, the site warns that using video download and conversion tools might get people in trouble. "Video downloading from the Internet will become more and more difficult, and KeepVid encourages people to download videos via the correct and legal ways," the new KeepVid reads. The site now lists several alternative options to enjoy videos and music, including Netflix, Hulu, Spotify, and Pandora.

New submitter cornholed writes: Yesterday, Reddit updated their Content Policy forbidding transactions for certain goods and services. From the formal announcement on Reddit: "As of today, users may not use Reddit to solicit or facilitate any transaction or gift involving certain goods and services, including: firearms, ammunition, or explosives; drugs, including alcohol and tobacco, or any controlled substances (except advertisements placed in accordance with our advertising policy); paid services involving physical sexual contact; stolen goods; personal information; falsified official documents or currency." Bloomberg has an interesting write-up on how Reddit is wading into the gun control debate. See this post on Reddit for a full-list of all subreddits banned. "Reddit has been something of a Wild West for users building communities by curating and commenting on content in subreddits," reports Bloomberg. "Sometimes, as in the case with gun sales, marketplaces emerge in the course of conversations within specific communities. With Reddit's increased popularity -- the site is the sixth-most-visited in the world -- has come introspection and stricter content guidelines. The company recognizes its responsibility for having provided a platform for hate groups to flourish and, more recently, the possibility that Russian propaganda on the site may have played a role in influencing the 2016 presidential election."

hyperclocker shares a report from U.S. News & World Report: Orbitz says a legacy travel booking platform may have been hacked, possibly exposing the personal information of people that made certain purchases between January 1, 2016 and December 22, 2017. Orbitz said Tuesday about 880,000 payment cards were impacted. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on the platform -- which was for both consumers and business partners -- between Oct. 1, 2017 and Dec. 22, 2017. "Orbitz said it worked with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered in order to 'eliminate and prevent unauthorized access to the platform,'" reports The Verge. "The company also notes that its current site, Orbitz.com, wasn't affected. It is notifying customers who may have been impacted and is offering a year of free credit monitoring."

Facebook's chief information security officer, Alex Stamos, will leave the company after internal disagreements over how the social network should deal with its role in spreading disinformation. The New York Times reports (Warning: source may be paywalled; alternative source): Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Sheryl Sandberg, the social network's chief operating officer, according to the current and former employees, who asked not to be identified discussing internal matters. After his day-to-day responsibilities were reassigned to others in December, Mr. Stamos said he would leave the company. He was persuaded to stay through August to oversee the transition of his duties because executives thought his departure would look bad, the current and former employees said. He has been overseeing the transfer of his security team to Facebook's product and infrastructure divisions. His group, which once had 120 people, now has three, the current and former employees said. Mr. Stamos would be the first high-ranking employee to leave Facebook since controversy erupted over disinformation on its site. His departure is a sign of heightened leadership tensions at the company.

Long-time Slashdot reader jebrick quotes an article from Ars Technica about how Norway's government-owned public broadcasting company "employs open source tactics to fight trolling": The five-person team behind a simple WordPress plugin, which took three hours to code, never expected to receive worldwide attention as a result. But NRKbeta, the tech-testing group at Norway's largest national media organization, tapped into a meaty vein with the unveiling of last February's Know2Comment, an open source plugin that can attach to any WordPress site's comment section. "It was a basic idea," NRKbeta developer Stale Grut told a South By Southwest crowd on Tuesday. "Readers had to prove they read a story before they were able to comment on it"... He and fellow staffers spent three hours building the plugin, which Grut reminded the crowd is wholly open source... "[W]e realized not every article is in need of this. We are a tech site; we don't have a lot of controversy, so there's not a big need for it. We use it now on stories where we anticipate there'll be uninformed debate to add this speed bump."
What do you think? And would a quiz-for-commenting-privileges be a good addition to Slashdot?

Zack Whittaker, reporting for ZDNet: For hours on Thursday, the top Google search result for "Amazon" was pointed to a scam site. The bad ad appeared at the very top of the search result for anyone searching for the internet retail giant -- even above the legitimate search result for Amazon.com. Anyone who clicked on the ad was sent to a page that tried to trick the user into calling a number for fear that their computer was infected with malware -- and not sent to Amazon.com as they would have hoped.

The page presents itself as an official Apple or Windows support page, depending on the type of computer you're visiting the page from. An analysis of the webpage's code showed that anyone trying to dismiss the popup box on the page would likely trigger the browser expanding to full-screen, giving the appearance of ransomware. A one-off event would be forgivable. But this isn't the first time this has happened. It's at least the second time in two years that Google has served up a malicious ad under Amazon's name.

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The Germany security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communicationis, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."

Firefox is working on a blocker for annoying in-page alerts that often ask you to input your email address to receive a newsletter from the site. "The feature is still in the planning stages, but Mozilla is asking users for any examples of sites with annoying pop-ups," reports Android Police. "Mozilla wants to make Firefox automatically detect and dismiss the popups." From the report: If you know of sites that use in-page popups (whether it be newsletter signups, surveys, or something else), you can fill out the survey here. There are also Firefox and Chrome extensions that make the process easier. I'll be interested to see how Mozilla pulls this off, it will no doubt be difficult to detect the difference between helpful and not-helpful popups.

In an article published on The New Yorker this week, Andrew Marantz discusses the state of free speech on the Web and takes a look at Reddit, the internet's fourth-most-popular site, after Google, YouTube, and Facebook. Some excerpts from the story: On November 23, 2016, shortly after President Trump's election, Reddit CEO Steve Huffman was at his desk, in San Francisco, perusing the site. It was the day before Thanksgiving. Reddit's administrators had just deleted a subreddit called r/Pizzagate, a forum for people who believed that high-ranking staffers of Hillary Clinton's Presidential campaign, and possibly Clinton herself, were trafficking child sex slaves. The reason for the ban, according to Reddit's administrators, was not the beliefs of people on the subreddit, but the way they'd behaved -- specifically, their insistence on publishing their enemies' private phone numbers and addresses, a clear violation of Reddit's rules. [...] Some of the conspiracy theorists left Reddit and reunited on Voat, a site made by and for the users that Reddit sloughs off. Other Pizzagaters stayed and regrouped on r/The_Donald, a popular pro-Trump subreddit. Throughout the Presidential campaign, The_Donald was a hive of Trump boosterism. By this time, it had become a hermetic subculture, full of inside jokes and ugly rhetoric. The community's most frequent commenters, like the man they'd helped propel to the Presidency, were experts at testing boundaries. Within minutes, they started to express their outrage that Pizzagate had been deleted.

Redditors are pseudonymous, and their pseudonyms are sometimes prefaced by "u," for "username." Huffman's is Spez. As he scanned The_Donald, he noticed that hundreds of the most popular comments were about him: "fuck u/spez", "u/spez is complicit in the coverup". One commenter simply wrote "u/SPEZ IS A CUCK," in bold type, a hundred and ten times in a row. Huffman, alone at his computer, wondered whether to respond. "I consider myself a troll at heart," he said later. "Making people bristle, being a little outrageous in order to add some spice to life -- I get that. I've done that." Privately, Huffman imagined The_Donald as a misguided teen-ager who wouldn't stop misbehaving. "If your little brother flicks your ear, maybe you ignore it," he said. "If he flicks your ear a hundred times, or punches you, then maybe you give him a little smack to show you're paying attention."

Although redditors didn't yet know it, Huffman could edit any part of the site. He wrote a script that would automatically replace his username with those of The_Donald's most prominent members, directing the insults back at the insulters in real time: in one comment, "Fuck u/Spez" became "Fuck u/Trumpshaker"; in another, "Fuck u/Spez" became "Fuck u/MAGAdocious." The_Donald's users saw what was happening, and they reacted by spinning a conspiracy theory that, in this case, turned out to be true. "Manipulating the words of your users is fucked," a commenter wrote.

Zack Whittaker, writing for ZDNet: For about twelve hours earlier this month, encrypted email service Tutanota seemed to fall off the face of the internet for Comcast customers. Starting in the afternoon on March 1, people weren't sure if the site was offline or if it had been attacked. Reddit threads speculated about the outage. Some said that Comcast was actively blocking the site, while others dismissed the claims altogether. Several tweets alerted the Hanover, Germany-based encrypted messaging provider to the alleged blockade, which showed a "connection timed out" message to Comcast users. It was as if to hundreds of Comcast customers, Tutanota didn't exist. But as soon as users switched to another non-Comcast internet connection, the site appeared as normal. "To us, this came as a total surprise," said Matthias Pfau, co-founder of Tutanota, in an email. "It was quite a shock as such an outage shows the immense power [internet providers] are having over our Internet when they can block sites...without having to justify their action in any way," he said.

By March 2, the site was back, but the encrypted email provider was none the wiser to the apparent blockade. The company contacted Comcast for answers, but did not receive a reply. When contacted, a Comcast spokesperson couldn't say why the site was blocked -- or even if the internet and cable giant was behind it. According to a spokesperson, engineers investigated the apparent outage but found there was no evidence of a connection breakage between Comcast and Tutanota. The company keeps records of issues that trigger incidents -- but found nothing to suggest an issue. It's not the first time Comcast customers have been blocked from accessing popular sites. Last year, the company purposefully blocked access to internet behemoth Archive.org for more than 13 hours.

An anonymous reader quotes a report from VICE News: Reddit says it has identified and removed hundreds of Russian propaganda accounts, a few days after reports revealed that Russian trolls were active on the platform during the 2016 U.S. presidential election. In a post Monday, Reddit co-founder Steve Huffman said his site operators had been investigating for awhile and had found a few hundred accounts suspected to be of Russian origin or linked to known sources of Russian propaganda. "Of course, every account we find expands our search a little more," he said, also claiming the "vast majority" of the suspicious accounts were banned back in 2015-2016. An even bigger challenge was the problem of "indirect propaganda," where content produced by accounts now known to be Russian trolls was enthusiastically shared by Trump supporters on subreddits such as r/The_Donald. Reddit's investigation followed a report from The Daily Beast, based on leaked internal data from Kremlin-backed troll farm the Internet Research Agency, that confirmed Russian trolls were active on the site, as well as Tumblr, in their mission to spread disinformation, divide Americans and disrupt U.S. politics. The Washington Post reports that congressional investigators looking into the Russian issue intend to question Reddit and Tumblr over their involvement.

An anonymous reader quotes an exclusive report from Motherboard: Through a software-aided investigation, Motherboard has found that while YouTube has managed to clamp down on Islamic extremists uploading propaganda, the video giant is still awash with videos supporting violent and established neo-Nazi organizations, even when, in some cases, users have reported the offending videos. Clips of neo-Nazi propaganda operations, hate-filled speeches, and extremists pushing for direct action have remained on the site for weeks, months, or years at a time. Arguably, many if not all of these videos may fall under YouTube's own policy on hate speech, which "refers to content that promotes violence against or has the primary purpose of inciting hatred against individuals or groups based on certain attributes," including race or ethnic origin, religion, and sexual orientation, according to the policy.

Motherboard built a tool to monitor YouTube and make a record of when the platform removed certain videos, and limited the clips to propaganda for established neo-Nazi and far-right terrorist organizations like Atomwaffen, rather than people in the so-called "alt-right." Most of the videos were discovered through simple YouTube searches of relevant organizations' names, or sometimes through the "recommended videos" sidebar after Motherboard had built up a browsing history of neo-Nazi material. For the sake of comparison, over a week-long period Motherboard also tracked pro-ISIS videos uploaded by the group's supporters and then distributed through a network of Telegram channels. Typically, YouTube removed these Islamic extremism videos in a matter of hours, including those that did not contain images of violence, but were instead speeches or other not directly violent content. But YouTube is playing catch up with neo-Nazi material. YouTube removed only two videos that Motherboard was monitoring: two identical clips of a speech from UK terrorist organization National Action.