The Almighty Buck

OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com) 50

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
Programming

Russia Lost a $45 Million Satellite Because 'They Didn't Get the Coordinates Right' (gizmodo.com) 101

Last month, Russia lost contact with a 6,062-pound, $45 million satellite. Turns out, that happened because the Meteor-M weather satellite was programmed with the wrong coordinates. Gizmodo reports: On Wednesday, Russian Deputy Prime Minister Dmitry Rogozin told the Rossiya 24 state TV channel that a human error was responsible for the screw-up, according to Reuters. While the Meteor-M launched last month from the Vostochny cosmodrome in the Far East, it was reportedly programmed with take-off coordinates for the Baikonur cosmodrome, which is located in southern Kazakhstan. "The rocket was really programmed as if it was taking off from Baikonur," Rogozin said. "They didn't get the coordinates right." And the rocket had some precious cargo on board: "18 smaller satellites belonging to scientific, research and commercial companies from Russia, Norway, Sweden, the U.S., Japan, Canada and Germany," Reuters reported.
Power

FCC Approves First Wireless 'Power-At-A-Distance' Charging System (engadget.com) 138

The FCC has approved the first wireless charger that works from up to three feet away. Engadget reports: San Jose-based startup, Energous, announced on Tuesday that it has received the first such FCC certification for power-at-a-distance wireless charging with its WattUp Mid Field transmitter. The transmitter converts electricity into radio frequencies, then beams the energy to nearby devices outfitted with a corresponding receiver. This differs from the resonant induction method that the Pi wireless charging system relies upon and offers a greater range than the Belkin and Mophie chargers that require physical contact with the device. The WattUp can charge multiple devices simultaneously and should work on any number of devices, from phones and tablets to keyboards and earbuds, so long as they're outfitted with the right receiver. What's more, the WattUp ecosystem is manufacturer-agnostic -- like WiFi -- meaning that you'll still be able to, for example, charge your Samsung phone even if the transmitter is made by Sony or Apple.
Social Networks

The People Who Read Your Airline Tweets (theatlantic.com) 54

From a piece on The Atlantic: At first, the idea of a company directly tweeting at its customers was very strange. Nowadays, people have gotten used to having back-and-forths with customer service representatives. In any given hour, JetBlue makes public contact with 10, 15, 20 different people. American Airlines receives 4500 mentions an hour, 70 to 80 percent of them on Twitter. Both companies staff their social teams with long-time employees who are familiar with the airlines' systems. Both hire internally out of the "reservations" team, so they know how to rebook flights and make things happen. At American, the average social-media customer-support person has been at the company for 17 years. Every major airline has a team like this. Southwest runs what it calls a "Listening Center." American Airlines calls it their "social-media hub" in Fort Worth, Texas. Alaska has a "social care" team in Seattle that responds to the average tweet for help in two minutes and 34 seconds, according to a report by Conversocial. Most of the time, it's a worthy, but low-profile job. But not always. This is the strangest thing about people tweeting with airlines: They're just a routine part of how the business works now. Tweets and Facebook posts go out via a social-media team and a customer-service team responds to the incoming problems, snark, and jokes.
Privacy

Cloud-Based Repository Leak Exposes 123 Million American Households (zdnet.com) 62

"An Amazon Web Services (AWS) S3 cloud storage bucket containing information from data analytics firm Alteryx has been found publicly exposed, comprising the personal information of 123 million U.S. households," reports ZDNet. "The S3 bucket, located at the subdomain 'alteryxdownload,' was found by California cybersecurity firm UpGuard, with its Cyber Risk Team discovering the leak on October 6, 2017." From the report: The 36 GB data file titled "ConsumerView_10_2013" contained over 123 million rows, each one signifying a different American household. A similar file was seen by UpGuard when the personal details of 198 million American voters, compiled in a dataset by a data firm used by the Republican National Committee, were exposed. To highlight the breadth of the issue, UpGuard said the exposed data reveals over 3.5 billion fields of personally identifying details and data points about virtually every American household, including racial and ethnic information. The spreadsheet uses anonymized identifiers, but the information in the other few billion fields is very detailed, UpGuard said. Home addresses, contact information, mortgage status, financial histories, and very specific analysis of purchasing behavior -- such as domestic travel habits, if someone is a cat enthusiast, and their sporting interests -- are up for grabs in the exposed data. As for how this happened, ZDNet says, "the bucket was configured via permission settings to allow any AWS 'Authenticated Users' to download its stored data. Authenticated users are any user that has an AWS account."
Medicine

Contact Lens Startup Hubble Sold Lenses With a Fake Prescription From a Made-up Doctor (qz.com) 325

Alison Griswold, reporting for Quartz: The Hubble contacts sitting in front of me are everything the ads promised: two weeks' worth of soft, daily lenses in robin's-egg-blue packaging. They arrived promptly, one week after I placed an order on Hubble's website, and three days after the company notified me the contacts had shipped. The lenses were packed in cream-colored boxes and came with a five-step guide, illustrated in different shades of pastel. There's only one problem: I don't wear contacts, and I ordered these using a fake prescription from a made-up doctor. Hubble was founded in May 2016 as a direct-to-consumer contact lens brand -- the Warby Parker of contacts, if you will. The company aims to make buying contact lenses as cheap and easy as shopping on Amazon. It has fast become a star of New York's startup scene, raising more than $30 million from investors that include Founders Fund and Greycroft Partners. Its valuation tops $200 million. Since the service officially launched in November 2016, Hubble claims to have sold $20 million worth of lens subscriptions, and says it's growing 20% month over month. Hubble expanded to Canada in August and plans to be in the UK as early as January. Quick service, cheap contacts, and whimsical branding have made Hubble a speedy success. But in its rush to disrupt the consumer experience, Hubble also appears to be playing fast and loose with some basic consumer protections.
Facebook

Facebook Launches New Messenger App for Young Kids -- What Could Possibly Go Wrong? (gizmodo.com) 62

More than one billion people use Facebook's Messenger app to communicate every month. Now the social juggernaut is going after the younger audience. On Monday, it announced Messenger Kids, a standalone mobile app designed for children age 13 and under. From a report: The app, Messenger Kids, is a messaging service that gives parents authority over who their kids can chat with. Once a parent adds someone to their child's contact list through the main Facebook app, kids can video chat as well as send photos, videos, and texts, or pick something from "a library of kid-appropriate and specially chosen GIFs, frames, stickers, masks, and drawing tools," according to Facebook's announcement post. [...] A Facebook spokesperson said in an email to Gizmodo, "We've built automated systems that can detect things like nudity, violence, and child exploitative imagery to help limit that content from being shared on Messenger Kids. We also have blocking and reporting mechanisms, and have a dedicated team of human reviewers that review all content that is reported."
Republicans

Valuable Republican Donor Database Breached -- By Other Republicans (politico.com) 73

Politico reports: Staffers for Senate Republicans' campaign arm seized information on more than 200,000 donors from the House GOP campaign committee over several months this year by breaking into its computer system, three sources with knowledge of the breach told Politico... Multiple NRSC staffers, who previously worked for the NRCC, used old database login information to gain access to House Republicans' donor lists this year. The donor list that was breached is among the NRCC's most valuable assets, containing not only basic contact information like email addresses and phone numbers but personal information that could be used to entice donors to fork over cash -- information on top issues and key states of interest to different people, the names of family members, and summaries of past donation history... Donor lists like these are of such value to party committees that they can use them as collateral to obtain loans worth millions of dollars when they need cash just before major elections...

"The individuals on these lists are guaranteed money," said a Republican fundraiser. "They will give. These are not your regular D.C. PAC list"... The list has helped the NRCC raise over $77 million this year to defend the House in 2018... Though the House and Senate campaign arms share the similar goal of electing Republican candidates and often coordinate strategy in certain states, they operate on distinct tracks and compete for money from small and large donors.

Long-time Slashdot reader SethJohnson says the data breach "is the result of poor deprovisioning policies within the House Republican Campaign Committee -- allowing staff logins to persist after a person has left the organization."

NRCC officials who learned of the breach "are really pissed," one source told the site.
AI

Facebook Rolls Out AI To Detect Suicidal Posts Before They're Reported (techcrunch.com) 171

Facebook is rolling out "proactive detection" artificial intelligence technology that will scan all posts on the site for patterns of suicidal thoughts, and when necessary send mental health resources to the user at risk or their friends, or contact local first-responders. The goal is to use AI to decrease how long it takes to send help to those in need. TechCrunch reports: Facebook previously tested using AI to detect troubling posts and more prominently surface suicide reporting options to friends in the U.S. Now Facebook will scour all types of content around the world with this AI, except in the European Union, where General Data Protection Regulation privacy laws on profiling users based on sensitive information complicate the use of this tech. Facebook also will use AI to prioritize particularly risky or urgent user reports so they're more quickly addressed by moderators, and tools to instantly surface local language resources and first-responder contact info. It's also dedicating more moderators to suicide prevention, training them to deal with the cases 24/7, and now has 80 local partners like Save.org, National Suicide Prevention Lifeline and Forefront from which to provide resources to at-risk users and their networks.
Google

Regulators Question Google Over Location Data (cnn.com) 19

Sherisse Pham and Taehoon Lee, writing for CNN Tech: Google is facing scrutiny for reportedly collecting data about the location of smartphone users without their knowledge. Regulators in South Korea summoned Google representatives this week to question them about a report that claimed the company was collecting data from Android devices even when location services were disabled. The Korea Communications Commission (KCC) "is carrying out an inquiry into the claims that Google collected users' Cell ID data without consent even when their smartphone's location service was inactive," Chun Ji-hyun, head of KCC's privacy infringement division, told CNNMoney on Friday. U.K. data protection officials are also looking into the matter. "Organizations are required by law to be transparent with consumers about what they are doing with personal information," said a spokesperson for the Information Commissioner's Office. "We are aware of the reports about the tracking system and are in contact with Google."
Spam

Spam Is Back (theoutline.com) 154

Jon Christian, writing for The Outline: For a while, spam -- unsolicited bulk messages sent for commercial or fraudulent purposes -- seemed to be fading away. The 2003 CAN-SPAM Act mandated unsubscribe links in email marketing campaigns and criminalized attempts to hide the sender's identity, while sophisticated filters on what were then cutting-edge email providers like Gmail buried unwanted messages in out-of-sight spam folders. In 2004, Microsoft co-founder Bill Gates told a crowd at the World Economic Forum that "two years from now, spam will be solved." In 2011, cybersecurity reporter Brian Krebs noted that increasingly tech savvy law enforcement efforts were shutting down major spam operators -- including SpamIt.com, alleged to be a major hub in a Russian digital criminal organization that was responsible for an estimated fifth of the world's spam. These efforts meant that the proportion of all emails that are spam has slowly fallen to a low of about 50 percent in recent years, according to Symantec research.

But it's 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills. Networks associated with the buzzy new cryptocurrency system Ethereum have been plagued with spam. Facebook recently fought a six-month battle against a spam operation that was administering fake accounts in Bangladesh, Indonesia, Saudi Arabia, and other countries. Last year, a Chicago resident sued the Trump campaign for allegedly sending unsolicited text message spam; this past November, ZDNet reported that voters were being inundated with political text messages they never signed up for. Apps can be horrid spam vectors, too. Repeated mass data breaches that include contact information, such as the Yahoo breach in which 3 billion user accounts were exposed, surely haven't helped. Meanwhile, you, me, and everyone we know is being plagued by robocalls.

Science

A Stable Plasma Ring Has Been Created In Open Air For the First Time Ever (futurism.com) 113

New submitter mrcoder83 shares a report from Futurism: Engineers from the California Institute of Technology (Caltech) have been able to create a stable plasma ring without a container. According to the Caltech press release, it's "essentially capturing lightning in a bottle, but without the bottle." This remarkable feat was achieved using only a stream of water and a crystal plate, made from either quartz or lithium niobate. The union of these tools induced a type of contact electrification known as the triboelectric effect. The researchers blasted the crystal plate with an 85-micron-diameter jet of water (narrower than a human hair) from a specially designed nozzle. The water hit the crystal plate with a pressure of 632.7 kilograms of force per centimeter (9,000 pounds per square inch), generating an impact velocity of around 305 meters per second (1,000 feet per second) -- as fast as a bullet from a handgun. Plasma was formed as a result of the creation of an electric charge when the water hit the crystal surface. The flow of electrons from the point of contact ionizes the molecules and atoms in the gas area surrounding the water's surface, forming a donut-shaped glowing plasma that's dozens of microns in diameter. Caltech posted a video of the plasma ring on their YouTube channel.
Businesses

A Hacker 'Hero' Has Been Banned From Cyber Conferences After Decades Of Inappropriate Behavior (buzzfeed.com) 346

Several readers share a report: John Draper, a prankster hero to an early generation of hackers, used his status at cybersecurity conferences to arrange private meetings with teenage fans and a reporter where he touched them inappropriately, multiple men have told BuzzFeed News. The allegations are the latest in what has become in recent weeks an explosion of sexual misconduct reports that have roiled a seemingly endless list of industries, from Hollywood to the news media to the Alabama Senate race. As in many of those other cases, Draper's actions were well known to at least a core of people who had regular contact with him. Apple cofounder Steve Wozniak told BuzzFeed News that Steve Jobs once told him that Draper, an early associate, once asked Jobs to sit on Draper's back in the 1970s, an offer Wozniak said Jobs declined as being "out of the ordinary." But in the hacking world, where unusual behavior is accepted and often celebrated, there were few official steps taken to prevent Draper's overtures to unsuspecting fans. Volunteers who worked the annual DEF CON hacking conventions in Las Vegas recalled that one of their responsibilities was to separate Draper from his teenage followers. Draper's behavior drew attention at other conventions as well, where he was a frequent presence. Brandon Creighton, a long-standing volunteer at hacker conferences who was familiar with rumors about Draper, recalled escorting him from a private party after ToorCon in San Diego in 2007, though exactly why was not clear.
Twitter

Jack Dorsey Responds To Serial Killer Who Found His Victims Through Suicidal Twitter Posts (nhk.or.jp) 73

AmiMoJo shares a report from NHK WORLD: Twitter's CEO is reacting to a grisly case in Japan where a suspected serial killer allegedly found his victims through their suicidal posts on the social media platform. In an interview with NHK, Jack Dorsey said it is unrealistic and impossible to remove suicidal tweets. But he said he hoped Twitter could become a tool for prevention. Last month, the dismembered bodies of 9 people were found in 27-year-old Takahiro Shiraishi's apartment near Tokyo. Police say he admitted to the killings. They believe he preyed on people who posted about wanting to kill themselves on Twitter. Recently, Twitter updated its rules regarding posts about self-harm: "You may not promote or encourage suicide or self-harm. When we receive reports that a person is threatening suicide or self-harm, we may take a number of steps to assist them, such as reaching out to that person and providing resources such as contact information for our mental health partners."
IT

Hoverboards Recalled For Fire and Explosion Risks -- Again (cnbc.com) 37

An anonymous reader shares a report: The Consumer Product Safety Commission recalled hoverboards from several companies over concerns the devices could catch fire or explode. The series of recalls affects roughly 16,000 hoverboards from brands including iHoverspeed, Sonic Smart Wheels, Tech Drift, iLive, Go Wheels, Drone Nerds, LayZ Board and Smart Balance Wheel. All the brands of self-balancing scooters share a common problem: lithium-ion batteries that could potentially overheat and cause a fire or explode. The agency is advising owners to stop using the hoverboards immediately and return them to the appropriate company for a replacement. Consumers can visit the CPSC website for details on the recalls and how to contact companies for replacements.
IT

After Outrage, Logitech Gives Free Upgrade To Owners of Soon To Be Obsolete Device (gizmodo.com) 105

It looks like Logitech didn't anticipate the barrage of criticism it received after announcing this week that it would be intentionally bricking its Harmony Link hub next March. The company is now reversing course. Its Harmony Link will still die next summer, but if you own one, the company is happy to give you a free upgrade to the more recent Harmony Hub model. From a report: Originally, Logitech planned to only offer Harmony Link owners with active warranties free upgrades to its new Harmony Hub devices. But for people out of warranty -- possibly the majority of Harmony Link users, as the devices were last sold in 2015 -- they would just get a one-time, 35 percent discount on a new $100 Harmony Hub. However, after customer outrage, Logitech revised its plans and announced that the company will give every Harmony Link owner a new Hub for free. Additionally, users who had already used the coupon to purchase a new Hub will also be able to contact Logitech in order to obtain a refund for the difference in price. However, Logitech is still not planning to extend support for the Harmony Link. The company says, "We made the business decision to end the support and services of the Harmony Link when the encryption certificate expires in the spring of 2018 -- we would be acting irresponsibly by continuing the service knowing its potential/future vulnerability."
Facebook

How Facebook Figures Out Everyone You've Ever Met (gizmodo.com) 219

"I deleted Facebook after it recommended as People You May Know a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email," an attorney told Gizmodo. Kashmir Hill, a reporter at the news outlet, who recently documented how Facebook figured out a connection between her and a family member she did not know existed, shares several more instances others have reported and explains how Facebook gathers information. She reports: Behind the Facebook profile you've built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you've never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections. Because shadow-profile connections happen inside Facebook's algorithmic black box, people can't see how deep the data-mining of their lives truly is, until an uncanny recommendation pops up. Facebook isn't scanning the work email of the attorney above. But it likely has her work email address on file, even if she never gave it to Facebook herself. If anyone who has the lawyer's address in their contacts has chosen to share it with Facebook, the company can link her to anyone else who has it, such as the defense counsel in one of her cases. Facebook will not confirm how it makes specific People You May Know connections, and a Facebook spokesperson suggested that there could be other plausible explanations for most of those examples -- "mutual friendships," or people being "in the same city/network." The spokesperson did say that of the stories on the list, the lawyer was the likeliest case for a shadow-profile connection. Handing over address books is one of the first steps Facebook asks people to take when they initially sign up, so that they can "Find Friends." 
The problem with all this, Hill writes, is that Facebook doesn't explicitly say the scale at which it would be using the contact information it gleans from a user's address book. Furthermore, most people are not aware that Facebook is using contact information taken from their phones for these purposes.
EU

EU Gives Ultimatum To Facebook and Twitter: Obey Us Or We'll Start Regulating (theregister.co.uk) 335

An anonymous reader quotes a report from The Register: The EU Commission has fired a shot across Facebook and Twitter's bows, having issued a proclamation decreeing that "social media platforms" must do more to remove "illegal content inciting hatred, violence and terrorism online." Although what is said in the EU proclamation is nothing new -- indeed, in the UK, the measures proposed by the EU's talking heads have been standard practice for years -- what matters here is not what is being said publicly, but instead the threat of what might happen unless Facebook appeases the bloc's leaders. The EU said that platforms should appoint dedicated points of contact for police forces and other State agencies to talk to about illegal content; appoint trusted content moderators ("flaggers," in EU-ese); and invest in "automatic detection technologies." In addition, illegal content should be deleted within "specific timeframes."

All straightforward; nothing new there, at least from the British perspective. Yet the threat is in the EU's later words: "Today's communication is a first step and follow-up initiatives will depend on the online platforms' actions to proactively implement the guidelines. The Commission will carefully monitor progress made by the online platforms over the next months and assess whether additional measures are needed."

Education

2017 'Ig Nobel' Prizes Recognize Funny Research On Cats, Crocodiles, and Cheese (improbable.com) 20

An anonymous reader writes: "The 27th First Annual Ig Nobel Prize Ceremony" happened Thursday at Harvard's Sanders theatre, recognizing real (but unusual) research papers from all over the world "that make people laugh, then think." This year's prize in the physics category went to Marc-Antoine Fardin, who used fluid dynamics to probe the question "Can a cat be both a solid and a liquid?"

Six prize-winning Swiss researchers also demonstrated that regular playing of a didgeridoo is an effective treatment for obstructive sleep apnoea and snoring, while two Australians tested how contact with a live crocodile affects a person's willingness to gamble. And five French researchers won the medicine prize for their use of advanced brain-scanning technology to investigate "the neural basis of disgust for cheese."

You can watch the ceremony online -- and Reuters got an interesting quote from the editor of the Annals of Improbable Research, who founded the awards ceremony 27 years ago. "We hope that this will get people back into the habits they probably had when they were kids of paying attention to odd things and holding out for a moment and deciding whether they are good or bad only after they have a chance to think."
Security

Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com) 86

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root to describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full
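As an added example (not code from the article or from the IETF draft), here is a small Python parser for the file format shown above, plus a few pre-publication checks a site owner might run: a Contact line must exist, URL-valued fields should be served over https (a PGP key fetched over plain http could be swapped in transit), and Disclosure should hold a recognised value. The set of Disclosure values and the https check are this example's own assumptions, and the sample file is constructed.

```python
"""Parse and sanity-check a security.txt file (added example, not the draft's code)."""
import re
from urllib.parse import urlparse

# Field names taken from the draft excerpt quoted on the page; Contact may repeat.
KNOWN_FIELDS = {"Contact", "Encryption", "Acknowledgement", "Disclosure"}
# Assumption: the page's excerpt only shows "Full"; the other values are this
# example's guess at the allowed set, adjust to whatever draft you target.
DISCLOSURE_VALUES = {"Full", "Partial", "None"}

# Constructed sample modelled on the page's example. The Encryption line is
# deliberately plain http so the checker has something to report.
SAMPLE = """\
#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: http://example.com/pgp-key.txt
Acknowledgement: https://example.com/acknowledgements
Disclosure: Full
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")


def parse_security_txt(text):
    """Return {field: [value, ...]} in file order; comments and blanks are skipped.

    Raises ValueError on a line that is neither a comment nor 'Field: value',
    so a typo in the published file is caught rather than silently ignored.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = FIELD_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = match.group(1), match.group(2)
        fields.setdefault(name, []).append(value)
    return fields


def classify_contact(value):
    """Label a Contact value as 'url', 'email' or 'phone' (the three forms on the page)."""
    if "://" in value:
        return "url"
    if "@" in value:
        return "email"
    return "phone"


def check_security_txt(fields):
    """Return a list of human-readable findings; an empty list means the file looks sane."""
    findings = []
    if not fields.get("Contact"):
        findings.append("no Contact line: researchers have no way to report an issue")
    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field {name!r}")
    # Any URL the file points at should be https, otherwise a reader fetching
    # it over the network can be handed a substituted key or contact page.
    for name in ("Contact", "Encryption", "Acknowledgement"):
        for value in fields.get(name, []):
            if "://" in value and urlparse(value).scheme.lower() != "https":
                findings.append(f"{name} URL {value!r} is not served over https")
    for value in fields.get("Disclosure", []):
        if value not in DISCLOSURE_VALUES:
            findings.append(f"Disclosure value {value!r} not in {sorted(DISCLOSURE_VALUES)}")
    return findings


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    for contact in parsed["Contact"]:
        print(f"{classify_contact(contact):5} {contact}")
    for finding in check_security_txt(parsed) or ["no findings"]:
        print("-", finding)
```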
