IOS

iOS 12 Will Automatically Share Your iPhone Location With 911 Centers (phonedog.com)

Apple has revealed a new feature that's coming to the next version of iOS. With iOS 12, iPhone owners will be able to automatically share their location data when they dial 911. PhoneDog reports: Apple explains that it'll use RapidSOS's IP-based data pipeline to securely share an iPhone owner's HELO (Hybridized Emergency Location) info when they call 911 call centers. This system will integrate with many 911 call centers' existing software. HELO data estimates a 911 caller's location data using cell towers as well as features like GPS and Wi-Fi access points. Apple began using HELO in 2015, but by utilizing RapidSOS's tech, too, it should make it much easier and faster for a 911 call center to locate a caller.
Security

The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)

Last week, cybersecurity company Pen Test Partners managed to unlock Tapplock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.

Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.

Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
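The back-end flaw described above is a missing object-level authorization check (being logged in was treated as permission to touch any account), compounded by sequential account IDs. The following is an added illustration, not Tapplock's code: a hypothetical in-memory lock-account service with the unchecked handlers beside their fixed versions, and an ID generator that can be switched between incremental and random IDs.

```python
"""Object-level authorization, illustrated on a hypothetical lock-account API.

Added example; all class and method names are assumptions, not Tapplock's API.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    email: str
    last_unlock_location: str | None = None  # where the lock was last opened
    authorized_users: set[str] = field(default_factory=set)


class LockService:
    def __init__(self, guessable_ids: bool = False) -> None:
        self.accounts: dict[str, Account] = {}
        self._counter = 0
        self.guessable_ids = guessable_ids

    def _new_id(self) -> str:
        if self.guessable_ids:
            # Incremental IDs: knowing one ID lets a client enumerate all others.
            self._counter += 1
            return str(self._counter)
        # 128-bit random IDs are not enumerable, but they are only defence in
        # depth: the authorization check below is what actually closes the hole.
        return secrets.token_urlsafe(16)

    def create_account(self, email: str, location: str | None = None) -> Account:
        acct = Account(self._new_id(), email, location)
        self.accounts[acct.account_id] = acct
        return acct

    def _require_login(self, session_id: str) -> None:
        if session_id not in self.accounts:
            raise PermissionError("login required")

    # --- flawed handlers: authenticated, but never authorized ---------------
    def get_account_vulnerable(self, session_id: str, account_id: str) -> Account:
        self._require_login(session_id)
        # account_id comes from the client and is never tied to the session,
        # so any logged-in user can read any account.
        return self.accounts[account_id]

    def add_user_vulnerable(self, session_id: str, account_id: str, user: str) -> None:
        self._require_login(session_id)
        self.accounts[account_id].authorized_users.add(user)

    # --- fixed handlers: the session must own the object it touches ---------
    def _owned(self, session_id: str, account_id: str) -> Account:
        self._require_login(session_id)
        acct = self.accounts.get(account_id)
        if acct is None or acct.account_id != session_id:
            # Same error for "missing" and "not yours": no account-existence oracle.
            raise PermissionError("not found")
        return acct

    def get_account(self, session_id: str, account_id: str) -> Account:
        return self._owned(session_id, account_id)

    def add_user(self, session_id: str, account_id: str, user: str) -> None:
        self._owned(session_id, account_id).authorized_users.add(user)
```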

Privacy

Amazon Shareholders To Jeff Bezos: Stop Marketing Facial Recognition Tool (nbcnews.com)

A group of Amazon shareholders are calling on the company to stop pitching its facial recognition tool to local law enforcement agencies, writing in a letter to CEO Jeff Bezos that the technology could pose a privacy threat and a financial risk. From a report: The letter comes amid mounting criticism of the tool, called Rekognition, from privacy activists and civil rights organizations, including the American Civil Liberties Union. The groups have raised concerns that the tool could be used to build a system to automate the widespread identification and tracking of anyone. Rekognition is already being used by at least one law enforcement agency, the Washington County Sheriff's Office in Oregon, according to a customer testimonial page. "While Rekognition may be intended to enhance some law enforcement activities, we are deeply concerned it may ultimately violate civil and human rights," the shareholders said in the letter to Bezos, a copy of which was provided to NBC News by the ACLU.
Australia

Australia Discontinues Its National Biometric ID Project (gizmodo.com.au)

The Australian Criminal Intelligence Commission's (ACIC) biometrics project, which adds facial recognition to a national crime database, is being discontinued following reports of delays and budget blowouts. From a report: This announcement comes after the project was suspended earlier this month and NEC Australia staff were escorted out of the building by security on Monday June 4. [...] ACIC contracted the NEC for the $52 million Biometric Identification Services project with the view of replacing the fingerprint identification system that is currently in place. The aim of the project, which was supposed to run until 2021, was to include palm print, foot prints and facial recognition to aid in police investigations. The Australian government stated that it wanted to provide Australians with a single digital identity by 2025.
Firefox

Firefox's Pocket Tries to Build a Facebook-Style Newsfeed That Respects Your Privacy (theverge.com)

An anonymous reader quotes Ars Technica: Pocket, which lets you save articles and videos you find around the web to consume later, now has a home inside Firefox as the engine powering recommendations to 50 million people a month. By analyzing the articles and videos people save into Pocket, [Pocket founder and CEO Nate] Weiner believes the company can show people the best of the web -- in a personalized way -- without building an all-knowing, Facebook-style profile of the user.

"We're testing this really cool personalization system within Firefox where it uses your browser history to target personalized [recommendations], but none of that data actually comes back to Pocket or Mozilla," Weiner said. "It all happens on the client, inside the browser itself. There is this notion today... I feel like you saw it in the Zuckerberg hearings. It was like, 'Oh, users. They will give us their data in return for a better experience.' That's the premise, right? And yes, you could do that. But we don't feel like that is the required premise. There are ways to build these things where you don't have to trade your life profile in order to actually get a good experience."

Pocket can analyze which articles and videos from around the web are being shared as well as which ones are being read and watched. Over time, that gives the company a good understanding of which links lead to high-quality content that users of either Pocket or Firefox might enjoy.

I use Firefox, but I don't use Pocket. Are there any Slashdot readers who want to share their experiences with read-it-later services, or thoughts about what Firefox is attempting?
Privacy

Some Prominent Tech Companies Are Paying Big Money To Kill a California Privacy Initiative (theverge.com)

An anonymous reader quotes a report from The Verge: As data-sharing scandals continue to mount, a new proposal in California offers a potential solution: the California Consumer Privacy Act would require companies to disclose the types of information they collect, like data used to target ads, and allow the public to opt out of having their information sold. Now, some of tech's most prominent companies are pouring millions of dollars into an effort to kill the proposal.

In recent weeks, Amazon, Microsoft, and Uber have all made substantial contributions to a group campaigning against the initiative, according to state disclosure records. The $195,000 contributions from Amazon and Microsoft, as well as $50,000 from Uber, are only the latest: Facebook, Google, AT&T, and Verizon have each contributed $200,000 to block the measure, while other telecom and advertising groups have also poured money into the opposition group. After Mark Zuckerberg was grilled on privacy during congressional hearings, Facebook said it would no longer support the group. Google did not back down, and the more recent contributions suggest other companies will continue fighting the measure.

Privacy

Comey, Who Investigated Hillary Clinton For Using Personal Email For Official Business, Used His Personal Email For Official Business (buzzfeed.com)

An anonymous reader shares a report: Former FBI Director James Comey, who led the investigation into Hillary Clinton's use of personal email while secretary of state, also used his personal email to conduct official business, according to a report from the Justice Department on Thursday. The report also found that while Comey was "insubordinate" in his handling of the email investigation, political bias did not play a role in the FBI's decision to clear Clinton of any criminal wrongdoing.

The report from the office of the inspector general "identified numerous instances in which Comey used a personal email account (a Gmail account) to conduct FBI business." In three of the five examples, investigators said Comey sent drafts he had written from his FBI email to his personal account. In one instance, he sent a "proposed post-election message for all FBI employees that was entitled 'Midyear thoughts,'" the report states. In another instance, Comey again "sent multiple drafts of a proposed year-end message to FBI employees" from his FBI account to his personal email account.

China

China's Surveillance State Will Soon Track Cars (wsj.com)

China is establishing an electronic identification system to track cars nationwide, according to a report on WSJ, which cites records and people briefed on the matter. From a report: Under the plan being rolled out July 1, a radio-frequency identification chip for vehicle tracking will be installed on cars when they are registered. Compliance will be voluntary this year but will be made mandatory for new vehicles at the start of 2019, the people said. Authorities have described the plan as a means to improve public security and to help ease worsening traffic congestion, documents show, a major concern in many Chinese cities partly because clogged roads contribute to air pollution. But such a system, implemented in the world's biggest automotive market, with sales of nearly 30 million vehicles a year, will also vastly expand China's surveillance network, experts say. That network already includes widespread use of security cameras, facial recognition technology and internet monitoring.
Privacy

Spanish Soccer League App In Google Play Wants To Use Phone Mics To Enforce Copyrights (arstechnica.com)

The official app for the Spanish soccer league La Liga, which has more than 10 million downloads from Google Play, was recently updated to seek access to users' microphone and GPS settings. "When granted, the app processes audio snippets in an attempt to identify public venues that broadcast soccer games without a license," reports Ars Technica. From the report: According to a statement issued by La Liga officials, the functionality was added last Friday and is enabled only after users click "yes" to an Android dialog asking if the app can access the mic and geolocation of the device. The statement says the audio is used solely to identify establishments that broadcast games without a license and that the app takes special precautions to prevent it from spying on end users. [La Liga's full statement with the "appropriate technical measures to protect the user's privacy" is embedded in Ars' report.]

[E]ven if the app uses a cryptographic hash or some other means to ensure that stored or transmitted audio fragments can't be abused by company insiders or hackers (a major hypothetical), there are reasons users should reject this permission. For one, allowing an app to collect the IP address, unique app ID, binary representation of audio, and the time that the audio was converted could provide a fair amount of information over time about a user. For another, end users frequenting local bars and restaurants shouldn't be put in the position of policing the copyrights of sports leagues, particularly with an app that uses processed audio from their omnipresent phone.

Security

Britain's Dixons Carphone Discovers Data Breach Affecting 5.9 Million Payment Cards (betanews.com)

Mark Wilson shares a report from BetaNews: Another week, another cyberattack. This time around, it's the Dixons Carphone group which says it has fallen victim to not one but two major breaches. The bank card details of 5.9 million customers have been accessed by hackers in the first breach. In the second, the personal records of 1.2 million people have been exposed. Dixons Carphone says that it is investigating an attack on its card processing system at Currys PC World and Dixons Travel in which there was an attempt to compromise 5.9 million cards. The company stressed that the vast majority -- 5.8 million -- of these cards were protected by chip and PIN, and that the data accessed did not include PINs, CVVs or any other authentication data that could be used to make payments or identify the card owners. The report goes on to mention that 105,000 non-EU issued payment cards, which were not chip and PIN protected, were also affected. The company says it will be contacting those customers affected by the breaches.
United Kingdom

UK Watchdog Issues $334K Fine For Yahoo's 2014 Data Breach (theregister.co.uk)

An anonymous reader quotes a report from The Register: Yahoo's U.K. limb has finally been handed a $334,300 (250,000 GBP) fine for the 2014 cyber attack that exposed data of half a million Brit users. Today, the Information Commissioner's Office issued Yahoo U.K. Services Ltd a $334,300 (250,000 GBP) fine following an investigation that focused on the 515,121 U.K. accounts that the London-based branch of the firm had responsibility for. The ICO said "systemic failures" had put user data at risk as the U.K. arm of Yahoo did not take appropriate technical and organizational measures to prevent a data breach of this size.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo employees who could access customers' data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo's servers would be flagged for investigation. It also noted that, as a data controller, Yahoo U.K. Services Ltd had a responsibility to ensure its processors -- in this case Yahoo, whose U.S. servers held the data on U.K. users -- complied with data protection standards.

Privacy

Apple Tries To Stop Developers Sharing Data On Users' Friends (bloomberg.com)

Apple has updated its App Store guidelines to close a loophole that let app makers store and share data without many people's consent. The practice has "been employed for years," reports Bloomberg. "Developers ask users for access to their phone contacts, then use it for marketing and sometimes share or sell the information -- without permission from the other people listed on those digital address books." From the report: As Apple's annual developer conference got underway on June 4, the Cupertino, California-based company made many new pronouncements on stage, including new controls that limit tracking of web browsing. But the phone maker didn't publicly mention updated App Store Review Guidelines that now bar developers from making databases of address book information they gather from iPhone users. Sharing and selling that database with third parties is also now forbidden. And an app can't get a user's contact list, say it's being used for one thing, and then use it for something else -- unless the developer gets consent again. Anyone caught breaking the rules may be banned.

While Apple is acting now, the company can't go back and retrieve the data that may have been shared so far. After giving permission to a developer, an iPhone user can go into their settings and turn off apps' contacts permissions. That turns off the data faucet, but doesn't return information already gathered.

Privacy

Spanish Football League Defends Phone 'Spying' (bbc.com)

An anonymous reader shares a report: Spanish football league La Liga has defended the privacy policy of its app after admitting it was accessing the microphone and GPS of Android users. It said it had been trying to track down venues illegally broadcasting matches, by matching audio data and phone location. The app, downloaded more than 10 million times on the Google Play Store, has been criticised by fans. La Liga said it wanted to "protect clubs and their fans from fraud." The broadcasting of football matches in public places without a paid licence cost the game an estimated 150 million euros ($177m) a year, it said. The new function was enabled on Friday, 8 June.
Facebook

Facebook Offers Nearly 500 Pages of Answers To Congress' Questions From Zuckerberg's Testimony (washingtonpost.com)

An anonymous reader quotes a report from The Washington Post: Facebook pledged to continue refining its privacy practices and investigating its entanglement with Cambridge Analytica in nearly 500 pages of new information supplied to Congress and published Monday (Warning: source may be paywalled; alternative source) -- though the social giant sidestepped some of lawmakers' most critical queries. Much as it did during the hearing, Facebook told lawmakers on the Senate Judiciary Committee and the Senate Commerce Committee that it is reviewing all apps available on its platform that had access to large queries of data, a process that already has resulted in 200 suspensions.

Facebook did acknowledge that its consultants embedded in 2016 presidential campaigns, including President Trump's team, "did not identify any issues involving the improper use of Facebook data in the course of their interactions with Cambridge Analytica." In another exchange, Facebook said it had provided "technical support and best practices guidance to advertisers, including Cambridge Analytica, on using Facebook's advertising tools." Facebook also pointed to new tools meant to address its privacy practices, including a feature called Clear History, which "will enable people to see the websites and apps that send us information when they use them, delete this information from their accounts, and turn off our ability to store it associated with their accounts going forward," the company said.
The social network did continue to sidestep many of the lawmakers' questions and concerns. The Washington Post provides a couple of examples: "Delaware Sen. Christopher A. Coons (Del.), for example, probed whether Facebook had ever learned of any application developer 'transferring or selling user data without user consent' and in violation of Facebook's policies. In response, Facebook only committed in writing that it would 'investigate all apps that it had access to large amounts of data.'"

Facebook also didn't address Democratic Sen. Patrick J. Leahy's concerns. He asked Facebook to detail if the Obama campaign in 2012 had violated "any of Facebook's policies, and thereby get banned from the platform." Facebook said: "Both the Obama and Romney campaigns had access to the same tools, and no campaign received any special treatment from Facebook."

You can view the nearly 500 pages of new information here.
Facebook

Mark Zuckerberg and the 2012 Facebook Moscow Hack

Long-time Slashdot reader theodp writes: As Facebook's privacy debacle rages on, it's interesting to look back at Mark Zuckerberg's 2012 visit to the Facebook Moscow Hack (photos, video), at which Facebook provided training in how to access the data of app users' friends and awarded prizes for apps that did so.

In a 2012 video, Facebook's Simon Cross shows the Moscow crowd how they can "get a ton of other information" on Facebook users and their friends. "We now have an access token, so now let's make the same request again and see what happens," Cross explains (YouTube). "We've got a little bit more data, but now we can start doing really interesting stuff. We can get my friends. We can get some more information about one of my friends. Here's Connor, who you'll meet later. Say 'hello,' Connor. He's waving. And we can also get a ton of other information as well."

Cross, ironically, was the spokesperson Facebook later tapped in 2015 to explain to the press why giving friends' data to apps was a horrible idea that had to be curtailed lest Facebook lose its users' trust. Cross told reporters that Mark Zuckerberg said one of Facebook's new slogans was 'People First', because "if people don't feel comfortable using Facebook and specifically logging in Facebook and using Facebook in apps, we don't have a platform, we don't have developers."
Privacy

Facebook Gave Some Developers Access To Users' Friends After Policy Changed (usatoday.com)

Facebook granted a select group of companies special access to its users' records even after the point in 2015 that the company has claimed it stopped sharing such data with app developers. USA Today reports: According to the Wall Street Journal, which cited court documents, unnamed Facebook officials and other unnamed sources, Facebook made special agreements with certain companies called "whitelists," which gave them access to extra information about a user's friends. This includes data such as phone numbers and "friend links," which measure the degree of closeness between users and their friends. These deals were made separately from the company's data-sharing agreements with device manufacturers such as Huawei, which Facebook disclosed earlier this week after a New York Times report on the arrangement. Facebook said following the WSJ report it inked deals with a small number of developers that gave them access to users' friends after the more restrictive policy went into effect.
Government

Justice Department Seizes Reporter's Phone, Email Records In Leak Probe (thehill.com)

According to The New York Times, the Department of Justice seized a New York Times reporter's phone and email records this year in an effort to probe the leaking of classified information, the first known instance of the DOJ going after a journalist's data under President Trump. The Hill reports: The Times reported Thursday that the DOJ seized years' worth of records from journalist Ali Watkins's time as a reporter at BuzzFeed News and Politico before she joined The Times in 2017 as a federal law enforcement reporter, according to the report Thursday. Watkins was alerted by a prosecutor in February that the DOJ had years of records and subscriber information from telecommunications companies such as Google and Verizon for two email accounts and a phone number belonging to her. Investigators did not receive the content of the records, according to The Times. The newspaper reported that it learned of the letter on Thursday.
Privacy

Ticketfly Says 27 Million Accounts Compromised During 'Malicious' Attack (billboard.com)

Earlier this month, we reported on a "cyber incident" that compromised the systems of Ticketfly, a large ticket distribution service. We have now learned that roughly 27 million user accounts were compromised during the attack. The information includes names, addresses, email addresses and phone numbers; thankfully, no credit/debit card info or passwords were stolen. Billboard reports: Ticketfly's website is fully back online a week after being targeted by what it describes as a "malicious cyber attack," though its mobile app for iOS remains offline "as we continue to prioritize bringing up the most critical parts of the platform first." Following the hack, the company rolled out a network of temporary venue and promoter websites so that events, including Riot Fest and Celebrate Brooklyn, could continue selling tickets. The "vast majority" of the temporary sites are now live, the firm said. All passwords for both ticket buyers and venue/promoter clients were reset following the hack, though they found no evidence that they were accessed. "It is possible, however, that hashed values of password credentials could have been accessed," the site warned. "Hashing is a way of scrambling a piece of data, making it generally incomprehensible."
Facebook

Facebook Alerts 14M To Privacy Bug That Changed Status Composer To Public (techcrunch.com)

Facebook has landed itself in yet another self-inflicted privacy debacle. As many as 14 million Facebook users who thought they were posting items that only their friends or smaller groups could see may have been posting that content to the entire world, the company said Thursday. From a report: Facebook's Chief Privacy Officer Erin Egan wrote to TechCrunch in a statement: "We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before -- and they could still choose their audience just as they always have. We'd like to apologize for this mistake." The bug was active from May 18th to May 27th, with Facebook able to start rolling out a fix on May 22nd. It happened because Facebook was building a 'featured items' option on your profile that highlights photos and other content.
United Kingdom

UK Bank TSB Admits 1,300 Accounts Hit By Fraud Amid IT Meltdown (bbc.com)

An anonymous reader shares a BBC report: Life savings have been stolen from TSB accounts by fraudsters "exploiting" the bank's IT problems, with 1,300 people losing money. On occasions, people were waiting on the phone for up to nine hours to report cases, the bank's boss Paul Pester has told MPs. He said that 70 times the normal level of fraud attacks were seen last month. The introduction of a new IT system in April left customers struggling to make transactions and see their balances. The bank said it would compensate customers in full for any fraud they suffered. The evidence came after the financial regulator confirmed that it was investigating TSB and criticised Mr Pester for an "optimistic view" of services after the meltdown.