Security

Google Offers $1,000 Bounties For Hacking Dropbox, Tinder, Snapchat, and Others (mashable.com)

An anonymous reader quotes Mashable: Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace... If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. For HackerOne, it's about attracting more and better participants in bounty programs.
Businesses

Why Are We Still Using Passwords? (securityledger.com)

Here's some surprising news from the Akamai Edge conference. chicksdaddy writes: [E]xecutives at some of the U.S.'s leading corporations agreed that the much maligned password won't be abandoned any time soon, even as data breaches and follow-on attacks make passwords more susceptible than ever to abuse, the Security Ledger reports. "We reached the end of needing passwords maybe seven years ago, but we still use them," said Steve Winterfeld, Director of Cybersecurity at clothing retailer Nordstrom. "They're still the primary layer of defense."

"It's hard to kill them," noted Shalini Mayor, who is a Senior Director at Visa Inc. "The question is what to replace them with." This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called "credential stuffing" techniques, which use automated password guessing attacks against web-based applications... Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Shalini Mayor said Visa is "looking at" biometric technologies like Apple's TouchID as a tool for making payments securely. Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error prone or too difficult to use.

Education

Code School Fined $375K Over Employment Claims and Licensing Issues (arstechnica.com)

An anonymous reader quotes Ars Technica: [O]ne of the most prominent institutions, New York's Flatiron School, will be shelling out $375,000 to settle charges brought by New York Attorney General Eric Schneiderman's office. The AG said the school operated for a period without the proper educational license, and it improperly marketed both its job placement rates and the salaries of its graduates. New York regulators didn't find any inaccuracies in Flatiron's "outcomes report," a document the company is proud of. However, the Attorney General's office found that certain statements made on Flatiron's website didn't constitute "clear and conspicuous" disclosure.

For instance, Flatiron claimed that 98.5 percent of graduates were employed within 180 days of graduation. However, only by carefully reading the outcomes report would one find that the rate included not just full-time employees, but apprentices, contract workers, and freelancers. Some of the freelancers worked for less than 12 weeks. The school also reported an average salary of $74,447 but didn't mention on its website that the average salary claim only applied to graduates who achieved full-time employment. That group comprised only 58 percent of classroom graduates and 39 percent of those who took online courses.

The school's courses last 12 to 16 weeks, and cost between $12,000 and $15,000, according to a statement from the attorney general's office [PDF]. (Or $1,500 a month for an online coding class). Eligible graduates can claim their share of the $375,000 by filing a complaint within the next three months.
The Courts

Friendlier GPL-Enforcement Permission Proposed By Linux Kernel Developers (kroah.com)

The former Executive Director of the Free Software Foundation -- and Slashdot user #41121 -- contacted Slashdot with this announcement. bkuhn -- now president of the Software Freedom Conservancy -- writes: Software Freedom Conservancy, home of the GPL Compliance Project for Linux Developers, publicly applauded today the proposal of the Linux Kernel Enforcement Statement, which adds a per-copyright-holder-opt-in additional permission to the termination provisions of Linux's GPLv2-only license.
It apparently addresses a developer who "made claims based on ambiguities in the GPL-2.0 that no one in our community has ever considered part of compliance," according to a statement from some of the kernel developers who drafted the statement. While the kernel community has always supported enforcement efforts to bring companies into compliance, we have never even considered enforcement for the purpose of extracting monetary gain... [W]e are aware of activity that has resulted in payments of at least a few million Euros. We are also aware that these actions, which have continued for at least four years, have threatened the confidence in our ecosystem. Because of this, and to help clarify what the majority of Linux kernel community members feel is the correct way to enforce our license, the Technical Advisory Board of the Linux Foundation has worked together with lawyers in our community, individual developers, and many companies that participate in the development of, and rely on Linux, to draft a Kernel Enforcement Statement to help address both this specific issue we are facing today, and to help prevent any future issues like this from happening again. It adopts the same termination provisions we are all familiar with from GPL-3.0 as an Additional Permission giving companies confidence that they will have time to come into compliance if a failure is identified.
Businesses

Tech Companies To Lobby For Immigrant 'Dreamers' To Remain In US (reuters.com)

An anonymous reader quotes a report from Reuters: Nearly two dozen major companies in technology and other industries are planning to launch a coalition to demand legislation that would allow young, illegal immigrants a path to permanent residency, according to documents seen by Reuters. The Coalition for the American Dream intends to ask Congress to pass bipartisan legislation this year that would allow these immigrants, often referred to as "Dreamers," to continue working in the United States, the documents said. Alphabet Inc's Google, Microsoft Corp, Amazon.com Inc, Facebook Inc, Intel Corp, Uber Technologies Inc, IBM Corp, Marriott International Inc and other top U.S. companies are listed as members, one of the documents shows. The push for this legislation comes after President Donald Trump's September decision to allow the Deferred Action for Childhood Arrivals (DACA) program to expire in March. That program, established by former President Barack Obama in 2012, allows approximately 900,000 illegal immigrants to obtain work permits. Some 800 companies signed a letter to Congressional leaders after Trump's decision, calling for legislation protecting Dreamers. That effort was spearheaded by a pro-immigration reform group Facebook Chief Executive Mark Zuckerberg co-founded in 2013 called FWD.us.
Desktops (Apple)

Tim Cook Confirms the Mac Mini Isn't Dead (macrumors.com)

Apple has refreshed just about every Mac product within the last couple of years -- except for the Mac Mini. Naturally, this has left many analysts questioning whether or not the company would be phasing out the Mini to focus more on its mobile devices. A MacRumors reader decided to email Apple CEO Tim Cook to get an update on the Mac mini and he received a response. Cook said it was "not time to share any details," but he confirmed that the Mac mini will be an important part of the company's product lineup in the future. MacRumors reports: Cook's response echoes a similar statement from Apple marketing chief Phil Schiller, who commented on the Mac mini when Apple's plans for a new Mac Pro were unveiled. "The Mac mini is an important product in our lineup and we weren't bringing it up because it's more of a mix of consumer with some pro use," he said. Positioned as a "bring your own peripherals" machine that comes without a mouse, keyboard, or display, the Mac mini is Apple's most affordable desktop machine. The current version is woefully outdated though, and continues to use Haswell processors and integrated Intel HD 5000/Intel Iris Graphics. It's not clear when Apple will introduce a new Mac mini, and aside from a single rumor hinting at a new high-end Mac mini with a redesign that "won't be so mini anymore," we've heard no rumors about work on a possible Mac mini refresh.
Government

The US Government Keeps Spectacularly Underestimating Solar Energy Installation (qz.com)

Michael J. Coren reports via Quartz: Every two years, the U.S. Energy Information Administration (EIA), America's official source for energy statistics, issues 10-year projections about how much solar, wind and conventional energy the future holds for the U.S. Every two years, since the mid-1990s, the EIA's projections turn out to be wrong. Last year, they proved spectacularly wrong. The Natural Resources Defense Council, an environmental advocacy group, and Statista recently teamed up to analyze the EIA's predictions for energy usage and production. They found that the EIA's 10-year estimates between 2006 and 2016 systematically understated the share of wind, solar and gas. Solar capacity, in particular, was a whopping 4,813% more in 2016 than the EIA had predicted in 2006 it would be. To be fair, there is a caveat here: The prediction in 2006 was that 10 years hence the U.S. would be generating just 0.8 gigawatts (GW) of solar energy. With such a low baseline figure, any increase will look huge in percentage terms. Nonetheless, there is an unmistakable trend in the data: The EIA regularly underestimates the growth in renewables but overestimates U.S. fossil-fuel consumption, which some critics see as an attempt to boost the oil and gas industry.
Government

Body Camera Study Shows No Effect On Police Use of Force Or Citizen Complaints (npr.org)

An anonymous reader quotes a report from NPR: Having police officers wear little cameras seems to have no discernible impact on citizen complaints or officers' use of force, at least in the nation's capital. That's the conclusion of a study performed as Washington, D.C., rolled out its huge camera program. The city has one of the largest forces in the country, with some 2,600 officers now wearing cameras on their collars or shirts. In the wake of high-profile shootings, many police departments have been rapidly adopting body-worn cameras, despite a dearth of solid research on how the technology can change policing. "We need science, rather than our speculations about it, to try to answer and understand what impacts the cameras are having," says David Yokum, director of the Lab @ DC. His group worked with local police officials to make sure that cameras were handed out in a way that let the researchers carefully compare officers who were randomly assigned to get cameras with those who were not. The study ran from June 2015 to last December. It's to be expected that these cameras might have little impact on the behavior of police officers in Washington, D.C., he says, because this particular force went through about a decade of federal oversight to help improve the department.
Bitcoin

Software Developer Creates Personal Cryptocurrency (wired.com)

mirandakatz writes: If you want to pick Evan Prodromou's brain -- as many people often do -- you'll have to pay him. And not just a consulting fee: You'll have to pay him in his own personal cryptocurrency, dubbed Evancoin. Currently, 20 days after his Initial Coin Offering, a single Evancoin is worth $45. As Prodromou tells Scott Rosenberg at Backchannel, "I'm not above a stunt! But in this case I'm really serious about exploring how cryptocurrency is changing what we can do with money and how we think about it. Money is this sort of consensual hallucination, and I wanted to experiment around that." The story goes on to explain what, exactly, goes into creating a personal cryptocurrency, and whether Evancoin could become a phenomenon that spreads.
Transportation

Elon Musk Begins Digging a Hyperloop Tunnel In Maryland (baltimoresun.com)

Elon Musk has been granted permission by Maryland to start digging tunnels for his hyperloop transit system that he wants to build between New York and Washington. "Hogan administration officials said Thursday the state has issued a conditional utility permit to let Musk's tunneling firm, The Boring Co., dig a 10.3-mile tunnel beneath the state-owned portion of the Baltimore-Washington Parkway, between the Baltimore city line and Maryland 175 in Hanover," reports The Baltimore Sun. From the report: It would be the first portion of the underground system that Musk says could eventually ferry passengers from Washington to New York, with stops in Baltimore and Philadelphia, in just 29 minutes. Maryland's approval is the first step of many needed to complete the multibillion-dollar project. Gov. Larry Hogan toured a site in Hanover that aides said could become an entry point for the hyperloop. The state does not plan to contribute to the cost of the project, aides said. Administration officials said they will treat the hyperloop like a utility, and permitted it in the same way the state allows electric companies to burrow beneath public rights-of-way. It was not immediately clear Thursday what environmental review or other permitting procedures must be completed before the company breaks ground.
Businesses

Vungle CEO Arrested For Child Rape and Attempted Murder (axios.com)

Freshly Exhumed writes: Axios is working to get details about a revelation on a government website that Vungle CEO Zain Jaffer is facing charges at the Maple Street Correctional Center in Redwood City, California of attempted murder, a lewd act on a child, oral copulation of a person under 14, child abuse, assault with a deadly weapon and battery upon an officer and emergency personnel. Vungle is self-described on its website as "the leading in-app video advertising platform for performance marketers," and was founded by Jaffer in 2011. Vungle has since issued a statement: "While we do not have any information that is not in the public record at this point, these are extremely serious allegations, and we are shocked beyond words. While these are only preliminary charges, they are obviously so serious that it led to the immediate removal of Mr. Jaffer from any operational responsibility at the company. The company stressed that this matter has nothing to do with Mr. Jaffer's former role at the company." Axios notes that "the San Francisco-based company has raised over $25 million in VC funding from firms like Google Ventures, Thomvest Ventures, Crosslink Capital, SoftTech VC and 500 Startups."
Android

Google Says 64 Percent of Chrome Traffic On Android Now Protected With HTTPS, 75 Percent On Mac, 66 Percent On Windows (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Google's push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent. Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago. In the U.S., HTTPS usage in Chrome is up from 59 percent to 73 percent. Combined, these metrics paint a picture of fairly rapid progress in the switchover to HTTPS. This is something that Google has been heavily pushing by flagging and pressuring sites that hadn't yet adopted HTTPS.
Education

Arkansas Will Pay Up To $1,000 Cash To Kids Who Pass AP Computer Science A Exam

theodp writes: The State of Arkansas will be handing out cash to high school students who pass an Advanced Placement test in computer science. "The purpose of the incentive program is to increase the number of qualifying scores (3, 4, or 5) on Advanced Placement Computer Science A exams," explained a press release for the Arkansas Advanced Placement Computer Science A Incentive Program (only 87 Arkansas public school students passed the AP CS A exam in 2016, according to College Board data). Gov. Asa Hutchinson added, "The Arkansas Department of Education's incentive for high scores on the AP Computer Science A exam is a terrific way to reward our students for their hard work in school. The real payoff for their hard work, of course, is when they show their excellent transcripts to potential employers who offer good salaries for their skills." The tiered monetary awards call for public school students receiving a top score of 5 on the AP CS A exam to receive $1,000, with another $250 going to their schools. Scores of 4 will earn students $750 and schools $150, while a score of 3 will result in a $250 payday for students and $50 for their schools. The program evokes memories of the College Board's Google-funded AP STEM Access program, which rewarded AP STEM teachers with a $100 DonorsChoose.org gift card for each student who received a 3, 4, or 5 on an AP exam. DonorsChoose.org credits were also offered later by tech-bankrolled Code.org and Google to teachers who got their students coding.
Media

Body Camera Giant Wants Police To Collect Your Videos Too (fastcompany.com)

tedlistens shares a report from Fast Company: Axon, the police supplier formerly known as Taser and now a leading maker of police body cameras, has also charged into police software with a service that allows police to manage and eventually analyze increasingly large caches of video, like a Dropbox for cops. Now it wants to add the public's video to the mix. An online tool called Citizen, set to launch later this year, will allow police to solicit the public for photos or video in the aftermath of suspected crimes and ingest them into Axon's online data platform. Todd Basche, Axon's executive vice president for worldwide products, said the tool was designed after the company conducted surveys of police customers and the public and found that potentially valuable evidence was not being collected. "They all pointed us to the need to collect evidence that's out there in the community."

[But] systems like Citizen still raise new privacy and policy questions, and could test the limits of already brittle police-community relations. Would Citizen, for instance, also be useful for gathering civilian evidence of incidents of police misconduct or brutality? [And how would ingesting citizen video into online police databases, like Axon's Evidence.com, allow police to mine it later for suspicious activity, in a sort of dragnet fashion?] "It all depends," says one observer, "on how agencies use the tool."

Twitter

Twitter Plans To End Revenge Porn Next Week, Hate Speech In Two (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: In the beginning of 2017, Twitter said it would take on harassment and hate speech. CEO Jack Dorsey said the company would embrace a "completely new approach to abuse on Twitter" with open dialogue along the way. For months, though, the company has offered few details about what it would do, or when. That changed late yesterday, when Twitter posted a timeline with specific promises on actions it will take. The changes begin next week. On October 27, Twitter will expand what types of "non-consensual nudity" (aka "revenge porn") that it takes action against. The company will already act when a victim complains, but Twitter will soon act even in cases where the victims may not be aware images were taken, instances like upskirt photos and hidden webcams. "Anyone we identify as the original poster of non-consensual nudity will be suspended immediately," the October entry reads. On November 3, Twitter will ban hate imagery in profile headers and avatars, and the service will start suspending accounts "for organizations that use violence to advance their cause." The same day it will institute a policy of stopping "Unwanted Sexual Advances," although the company says it has already been taking enforcement actions on this front. Later in November, Twitter will ban "hateful display names."
AI

The AI That Has Nothing to Learn From Humans (theatlantic.com)

An anonymous reader shares a report: Now that AlphaGo's arguably got nothing left to learn from humans -- now that its continued progress takes the form of endless training games against itself -- what do its tactics look like, in the eyes of experienced human players? We might have some early glimpses into an answer. AlphaGo Zero's latest games haven't been disclosed yet. But several months ago, the company publicly released 55 games that an older version of AlphaGo played against itself. (Note that this is the incarnation of AlphaGo that had already made quick work of the world's champions.) DeepMind called its offering a "special gift to fans of Go around the world." Since May, experts have been painstakingly analyzing the 55 machine-versus-machine games. And their descriptions of AlphaGo's moves often seem to keep circling back to the same several words: Amazing. Strange. Alien. "They're how I imagine games from far in the future," Shi Yue, a top Go player from China, has told the press. A Go enthusiast named Jonathan Hop who's been reviewing the games on YouTube calls the AlphaGo-versus-AlphaGo face-offs "Go from an alternate dimension." From all accounts, one gets the sense that an alien civilization has dropped a cryptic guidebook in our midst: a manual that's brilliant -- or at least, the parts of it we can understand. Will Lockhart, a physics grad student and avid Go player who codirected The Surrounding Game (a documentary about the pastime's history and devotees) tried to describe the difference between watching AlphaGo's games against top human players, on the one hand, and its self-paired games, on the other. According to Will, AlphaGo's moves against Ke Jie made it seem to be "inevitably marching toward victory," while Ke seemed to be "punching a brick wall." Any time the Chinese player had perhaps found a way forward, said Lockhart, "10 moves later AlphaGo had resolved it in such a simple way, and it was like, 'Poof, well that didn't lead anywhere!'" By contrast, AlphaGo's self-paired games might have seemed more frenetic. More complex. Lockhart compares them to "people sword-fighting on a tightrope."
Microsoft

Consumer Reports Refuses To Recommend Microsoft Surface Book 2 (betanews.com)

An anonymous reader writes: Earlier in the year, the review group said that problems with reliability meant that it was impossible for it to recommend any Microsoft laptop or tablet. Now Consumer Reports says that this extends to the Surface Book 2, meaning that the device will not be recommended. Microsoft is likely to be similarly disappointed with Consumer Reports' statement about the Surface Book 2. Speaking to Benzinga, Consumer Reports' spokesperson James McQueen said: "We will evaluate the performance of the Microsoft Surface Book 2 once we get it into our labs next month for testing, but we will not be able to recommend it. Our decision to withhold our recommendation of all Microsoft laptops and tablets is still in effect."
Security

Student Expelled After Using Hardware Keylogger to Hack School, Change Grades (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and change his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.
Transportation

Laptops Could Be Banned From Checked Bags on Planes Due To Fire Risk (cnn.com)

Readers share a report: Laptops could be banned from checked baggage on planes due to a fire risk under a proposal being recommended by an international air safety panel. According to a report, an overheating laptop battery could cause a significant fire in a cargo hold that fire fighting equipment aboard the plane would not be able to extinguish. That could "lead to the loss of the aircraft," according to the proposal. The ban will be considered by the International Civil Aviation Organization, a United Nations organization, at its meeting this month. Even if the organization endorses the proposal from its Dangerous Goods Panel, which is making the recommendation, it would be up to regulators in individual nations to pass rules to enforce it. The U.S. FAA has no comment on the proposal. But it is represented on the panel that is supporting the ban, and its research on the risk of fires from laptops is included in the proposal.
Privacy

Smartwatches For Kids Are a Total Privacy Nightmare (gizmodo.com)

An anonymous reader shares a report: Kids' smartwatches are usually intended to help parents feel at ease that their children are safe when they're not around. But as it turns out, a number of these devices may do more harm than good. A 49-page report on smartwatches for children details all the ways in which they are a security nightmare. The report (PDF), conducted by the Norwegian Consumer Council (NCC) and European security firm Mnemonic, analyzed four kids' smartwatches -- Gator 2, Tinitell, Viksfjord, and Xplora. According to the NCC's report, two of the aforementioned devices were vulnerable to hackers, affording them the ability to remotely control the apps on the device. Through a breached device, the NCC says a hacker could access information on a child's whereabouts in real-time, uncover their personal information, and even communicate with the child. What's more, one of the devices could allow someone "with some technical knowledge" to discreetly listen to the child's surroundings. Beyond these gross invasions of privacy, the Council said certain key features of these devices -- an SOS button and a feature that alerts parents when kids leave virtual boundaries -- were unreliable. The report also notes issues regarding collecting user data -- only one of the products' terms of service allowed parents to opt in to or out of data collection. And one watch, the Xplora app, gave up children's data to marketers, the NCC said.