Businesses

Wargraphs, a Gaming Startup With Only One Employee and No Outside Funding, Sells For $54 Million (techcrunch.com) 7

An anonymous reader quotes a report from TechCrunch: Wargraphs, a one-man-band startup behind a popular companion app for League of Legends called Porofessor, which helps players track and improve their playing stats, is getting acquired for up to [$54 million], half up front and half based on meeting certain earnings and growth targets. MOBA Networks, a company founded out of Sweden that buys, grows and runs online gaming communities (MOBA is short for "multiplayer online battle arena"), is buying the startup and its existing products. The plan is to expand them to more markets, in particular across Asia, and to build analytics for more titles.

I write "startup", but that might be with the loosest interpretation of the term. There is only a single employee, the mild-mannered Jean-Nicholas, and he has also entirely bootstrapped the business on his own. But that hasn't held him back. Wargraphs currently also builds analytics for Legends of Runeterra and Teamfight Tactics, but the League of Legends business has been its biggest by far. Porofessor has had 10 million downloads of its app on Overwolf -- which is where Porofessor was built -- and more than 1.25 million daily active users if you combine traffic both from that platform and its own direct website. The company, such as it is, has been around for some 10 years, has pretty much always been profitable with revenues of 12.3 million euros in its last fiscal year.
Jean-Nicholas told TechCrunch's Ingrid Lunden that he wants to build "a game" next. "Specifically, a card game that will compete against Hearthstone, coincidentally published by Activision Blizzard," writes Lunden. "He has no plans to raise outside funding for this, but he might hire an employee or two."
Privacy

A Network of Knockoff Apparel Stores Exposed 330,000 Customer Credit Cards (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there's a chance your credit card number and personal information were exposed. Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders' information was spilling onto the open web. At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses -- and rising in real-time as customers placed new orders. The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder's information.

The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data. Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data, and reporting it to companies to get their systems secured.

But in this case, Sen wasn't the first person to discover the spilling data. According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database's contents of credit card data and would return it in exchange for a small sum of cryptocurrency. A review of the data by TechCrunch shows most of the credit card numbers are owned by cardholders in the United States. [...] Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer's database leaking credit card information, and the company responded quickly. The customer's database went offline a short time later.
Many of the stores leaking customers' information claim to operate out of Hong Kong and were set up in the past few weeks. Some of the websites include: spraygroundusa.com, ihuahebuy.com, igoodlinks.com, ibuysbuy.com, lichengshop.com, hzoushop.com, goldlyshop.com, haohangshop.com, twinklebubble.store, and spendidbuy.com.
The Almighty Buck

US Lawmakers Introduce 'ECASH' Bill in New Push to Create a Digital Dollar (coindesk.com) 88

A group of U.S. lawmakers says the U.S. Treasury Department may be the right government entity to create a digital dollar -- not the Federal Reserve. A new bill introduced Monday would authorize just that. CoinDesk reports: Reps. Stephen Lynch (D-Mass.), Jesus Chuy Garcia (D-Ill.), Ayanna Pressley (D-Mass.) and Rashida Tlaib (D-Mich.) introduced the "Electronic Currency And Secure Hardware Act" (ECASH Act) to direct the Treasury Secretary to develop and issue an electronic version of the U.S. dollar, with an eye to preserving privacy and anonymity in transactions. The electronic dollar, as defined in the bill, would be a bearer instrument that people could hold on their phone or a card. The system would be token-based, not account-based, meaning if someone were to lose their phone or card, they would lose the funds. In other words, it would be like losing a wallet with dollar bills in it. This electronic dollar would be deemed legal tender and be functionally identical to a physical greenback.

Rohan Grey, an assistant professor at Willamette University who consulted on the bill, told CoinDesk the bill is meant to create a true digital analogue to the U.S. dollar. "We're proposing to have a genuine cash-like bearer instrument, a token-based system that doesn't have either a centralized ledger or distributed ledger because it had no ledger whatsoever. It uses secured hardware software and it's issued by the Treasury," he said. This form of e-cash would support peer-to-peer transactions, and given the nature of its setup, it would support fully anonymous transactions. Thus, it would differ from other proposals for a digital dollar, which are based on stablecoins or other decentralized ledger tools.
The full text of the E-CASH Bill can be read here.
Security

Mexican Tax Refund Site Left 400GB of Sensitive Customer Info Wide Open (theregister.co.uk) 18

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database. From a report: A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of sensitive information could be either downloaded or viewed because of a lack of access controls before the system was recently secured.
Electronic Frontier Foundation

The EFF's 'Let's Encrypt' Plans Wildcard Certificates For Subdomains (letsencrypt.org) 111

Long-time Slashdot reader jawtheshark shares an announcement from the EFF's free, automated, and open TLS certificate authority at LetsEncrypt.org: Let's Encrypt will begin issuing [free] wildcard certificates in January of 2018... A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.
58% of web traffic is now encrypted, Let's Encrypt reports, crediting in part the 47 million domains they've secured since December of 2015. "Our hope is that offering wildcards will help to accelerate the Web's progress towards 100% HTTPS," explains their web page, noting that they're announcing the wild card certificates now in conjunction with a request for donations to support their work.
Government

"Unsecured Memory Card" Prompts Election Fraud Investigation In Georgia (ajc.com) 172

McGruber writes: On Tuesday, there was an election in Dekalb County, Georgia. An area of the county known as LaVista Hills voted on a referendum on whether they should incorporate into a brand-new city or whether they should remain an unincorporated part of the county. The referendum failed by a mere 136 votes, less than 1 percent of all votes cast. The second in command at DeKalb County's office of elections is now alleging there were very serious irregularities regarding the LaVista Hills cityhood vote. Piazza says voters were turned away at their polling places, voter material wasn't properly secured, and that "there was a memory card that collects citizen votes loose in the office." Piazza's allegations have prompted Georgia Secretary of State Brian Kemp and the Georgia Bureau of Investigation to open an investigation. Local Atlanta television stations are reporting that Piazza first reported the irregularities to his boss in Dekalb County and that she responded by putting him on leave. One TV station is also broadcasting footage of state investigators removing election equipment from Dekalb County offices. (Those reports are not yet posted on their websites.)
Encryption

Physicists Turn 8MP Smartphone Camera Into a Quantum Random Number Generator 104

KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of-principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."
Security

New Zealand's Hackable Transport Card Grants Free Bus Rides 96

mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free. The flaws in the MiFare Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system. The website fails to check users meaning attackers could look up details of residents and opens the potential for someone to write a script and erase all cards in existence. Several flaws have been known to the operator since 2009." There are two sets of problems: their website is not adequately secured, allowing identity harvesting attacks, and the transit cards themselves are easy to forge.
Crime

Ask Slashdot: How To Track a Skype Account Hijacker? 152

An anonymous reader writes "My Skype account was hijacked, which I discovered after Skype suspended it for suspicious activity, including a number of paid calls and an attempt to debit my card. Now that I've secured the account again, I can see the call history — there are several numbers called in Senegal, Mali, Benin and Philippines. Obviously I could call them myself and create a bit of havoc in their lives, but ideally I'd like to trace the hijacker himself — perhaps with some kind of 'social engineering' approach. Or is it just a waste of time?" How would you do this, and would you bother?
Security

Open Millions of Hotel Rooms With Arduino 268

MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"
Businesses

Paperless Tickets Flourish Despite 'Grandma Problem' 425

Hugh Pickens writes "Is a concert ticket a piece of property that its holder has the right to buy and sell as he sees fit, or is it merely a seat-rental contract subject to restrictions determined by its issuer? The Washington Post reports that in an effort to thwart scalpers and dampen ticket reselling on the so-called secondary market, musicians as diverse as Bruce Springsteen, Miley Cyrus, and Metallica have adopted 'paperless ticketing' for some or all of the seats at their live shows. Ticket issuers Ticketmaster and Veritix tout paperless tickets as a way to eliminate worries about lost, stolen, or counterfeit tickets, and to banish long will-call lines. But paperless tickets aren't really tickets at all, but essentially personal seat reservations, secured electronically like airline tickets. Fans buy tickets with a credit card and must then go to the venue with the same credit card and a photo ID to gain admittance. The problem is that Ticketmaster's paperless tickets can't be transferred from a buyer to a second party. The inability to pass along a seat creates what has become known in the industry as the 'grandma problem': it's almost impossible for a grandma living at one end of the country to buy a paperless ticket to give to a grandchild living at the other end. Without the ability to transfer virtual tickets, brokers and dealers fear being run out of business, and consumers have a harder time selling unwanted tickets. 'People should be free to give away or sell their tickets to whomever they want, whenever they want,' says Gary Adler, a Washington attorney who represents the National Association of Ticket Brokers. 'An open market is really best for consumers.'"
Portables

XCore's EduBook, a Netbook That Runs on AA Batteries 217

I'm typing this on a netbook with no hard drive, not using a chip from Intel or AMD, and powered by AA batteries. Eight rechargeable AAs, to be precise, in a bank of cells right where a Li-Ion battery would sit in a conventional laptop. The batteries charge in place, too (regulation prevents overcharging) meaning that the power cord is a simple three-prong-to-cloverleaf cord, no wall-wart required. It's the EduBook from Xcore (see that page for some photos of the internals, too), and it's a cool concept. Despite some warts, it's one of the most interesting things I ran into on the CES show floor last month (Xcore's Michael Barnes kindly supplied the laptop, straight from the display case). Read on for my review.
Hardware Hacking

Three Arrested For Conspiring To Violate the DMCA 335

jtcm writes "Three men have been charged with conspiring to violate the Digital Millennium Copyright Act after federal investigators found that they allegedly offered a cracker more than $250,000 to assist with breaking Dish Network's satellite TV encryption scheme: '[Jung] Kwak had two co-conspirators secure the services of a cracker and allegedly reimbursed the unidentified person about $8,500 to buy a specialized and expensive microscope used for reverse engineering smart cards. He also allegedly offered the cracker more than $250,000 if he successfully secured a Nagra card's EPROM (erasable programmable read-only memory), the guts of the chip that is needed to reverse-engineer Dish Network's encryption.' Kwak owns a company known as Viewtech, which imports and sells Viewsat satellite receiver boxes. Dish Network's latest encryption scheme, dubbed Nagra 3, has not yet been cracked by satellite TV pirates."

Hugh Thompson Answers Voting Machine Security Questions 122

You posted your questions for Herbert H. Thompson, PhD, on November 3rd and 4th. He decided to wait to answer until after the election in case there was a flagrant voting machine problem he could include in his answers -- and there has been at least one, but it is probably not a "security" problem per se, and is a long way from being resolved in any case. So here we go. Good food for thought here.
Security

Stealing the Network: How to Own an Identity 99

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review.
Graphics

Conflict On Graphic Standards Hurting PC Gaming? 39

Thanks to GameSpot for their editorial discussing graphics card manufacturers, and how their race for revenue could harm PC gaming. The piece discusses the days when "3dfx's Glide standard was the only thing going", and "3dfx even secured deals with retailers to create separate sections for 3dfx-compatible games." However, the author laments: "I thought hardware-specific games were a thing of the past. Then I booted up the demo for Bridge It", an Nvidia-sponsored title which "will not run unless you have an Nvidia GeForce 4 Ti or GeForce FX graphics card installed." The article ends with a hope that "clearer heads will prevail and PC gaming can take new steps toward improving ease-of-use, not balkanizing the platform for business reasons."
Security

Swiss Researchers Find A Hole In SSL 234

in4mation writes "The folks at LASEC have found a flaw in the SSL protocol. Quoting Professor Serge Vaudenay from a BBC article the security problem is in 'the SSL protocol itself and not in how we use it or how we implement it.' Apparently the flaw only affects webmail and not banking or credit card payments and took less than an hour (160 attempts) to crack." Update: 02/20 20:52 GMT by T : Kurt Seifried writes to say that this is almost exactly wrong: "The flaw is in IMPLEMENTATION, NOT THE PROTOCOL. Due to the way error checks are handled an attacker can find out which error condition occurred by measuring the response. The solution is trivial, a path that forces OpenSSL to do the second check even if the first one fails, thus denying the remote attacker any information as to which exact error condition occurred." He includes a link to the security advisory at openssl.org. Update: 02/20 21:49 GMT by T : Read on below for some more information from SSL 3.0 designer Paul Kocher.
Hardware

AMI Guy Talks About TCPA, Palladium, and Other BIOS Issues 464

We ran the "Call for questions" Monday, January 13, under the headline, Discuss BIOS and Palladium Issues With an AMIBIOS Rep. Note that Brian Richardson, AMI sales engineer, is a real engineer, not just a salesperson, and is also a staunch Slashdot reader who knows we have low tolerance for PR whitewashes around here. Brian's answers are real, not laundered, and he responded not only to the 10 questions we sent him but also to some he felt deserved answers even though they weren't moderated all the way up. Please note that in much of this interview he is speaking as "Brian Richardson, individual," and that his opinions do not necessarily reflect those of AMI's management. With that said, be prepared to learn a lot about the BIOS business, and how TCPA and Palladium relate (and don't relate) to it.
Handhelds

Secure Digital vs. Multimedia Cards 12

n1ywb asks: "I recently cajoled myself into buying a Dell Axim. Since the compact flash slot is obviously taken up by my 802.11b card, that leaves me with the OTHER slot for adding additional storage. This other slot is billed as a 'Secure Digital Card' slot, although I understand it is backwards compatible with the 'Multimedia Card' standard. The name 'Secure Digital' is somewhat misleading it seems. It has some kind of digital rights management technology onboard, which nobody seems to want to elaborate on. It has hardware encryption, which sandisk.com touts as 'Cryptographic security for copyrighted data based on proven security concepts from DVD audio.' Hah! DeCSS anyone? Magic markers? There isn't a lot of REAL information about SD cards out there. I like cheap and fast storage, but I'm paranoid of DRM. _I_ am god here; my hardware is slave to me. I don't want my PDA telling me I can't play my Grateful Dead bootlegs because they aren't digitally signed. Should I buy MMC or SD? Where can I find more info? Any real world experiences? What do you think is the bottom line?"
