China

Ecuador is Fighting Crime Using Chinese Surveillance Technology (scmp.com) 22

Ecuador has introduced a security system using monitoring technology from China, including facial recognition, as it tries to bring down its crime rate and improve emergency management, according to state-run Xinhua news agency. From a report: A network of cameras has been installed across the South American nation's 24 provinces -- keeping watch on its population of 16.4 million people -- using a system known as the ECU911 Integrated Security Service, Xinhua reported. Used by the country's police, armed forces and fire brigade, it went into operation in November 2016 and has an emergency response and monitoring system.
Security

Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes (wired.com) 43

Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops, a security firm reports. From Wired: On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.
Cloud

UK Hospitals Can Now Store Confidential Patient Records In the Public Cloud (zdnet.com) 73

The National Health Service (NHS) has given hospitals the go-ahead to store sensitive patient records in the cloud. "NHS Digital said the advantages of using cloud services include cost savings associated with not having to buy and maintain hardware and software, and availability of backup and fast system recovery," reports ZDNet. "'Together these features cut the risk of health information not being available due to local hardware failure,' said the report." From ZDNet: Rob Shaw, deputy chief executive at NHS Digital, said: "It is for individual organizations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively." The UK government introduced a 'cloud first' policy for public sector IT in 2013, and NHS Choices and NHS England's Code4Health initiative are already successfully using the cloud. NHS Digital's guidance said that the NHS and social care providers may use cloud computing services for NHS data, although data must only be hosted within the European Economic Area, a country deemed adequate by the European Commission, or in the U.S. where covered by Privacy Shield.
Android

Yale Privacy Lab and Exodus Privacy's F-Droid Android App Store is a Replacement for Google Play That Features Only FOSS Apps That Don't Do Any Tracking (wired.com) 58

Google Play, the marquee Android apps store, is filled with apps that are riddled with hidden trackers that siphon a smorgasbord of data from all sensors, in all directions, unknown to the Android user. Not content with the strides Google has made to curtail the issue, Yale Privacy Lab has collaborated with Exodus Privacy to detect and expose trackers with the help of the F-Droid app store. From a report on Wired: F-Droid is the best replacement for Google Play, because it only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions. F-Droid doesn't offer the millions of apps available in Google Play, so some people will not want to use it exclusively. It's true that Google does screen apps submitted to the Play store to filter out malware, but the process is still mostly automated and very quick -- too quick to detect Android malware before it's published, as we've seen. Installing F-Droid isn't a silver bullet, but it's the first step in protecting yourself from malware.
Microsoft

Microsoft Fights Search Warrants for Overseas Emails in the Supreme Court (microsoft.com) 67

Microsoft's Chief Legal Officer writes about "the landmark Microsoft case that will decide whether the U.S. government can use a search warrant to force a company to seize a customer's private emails stored in Ireland and import them to the United States." On Thursday, 289 different groups and individuals from 37 countries signed 23 different legal briefs supporting Microsoft's position that Congress never gave law enforcement the power to ignore treaties and breach Ireland's sovereignty in this way. How could it? The government relies on a law that was enacted in 1986, before anyone conceived of cloud computing... When the U.S. government requires a tech company to execute a warrant for emails stored overseas, the provider must search a foreign datacenter and make a copy abroad, and then import that copy to the United States. This creates a complex issue with huge international consequences. It shouldn't be resolved by taking the law to a place it was never intended to go...

The U.S. Department of Justice's attempt to seize foreign customers' emails from other countries ignores borders, treaties and international law, as well as the laws those countries have in place to protect the privacy of their own citizens... It's also a path that will lead to the doorsteps of American homes by putting the privacy of U.S. citizens' emails at risk. If the U.S. government obtains the power to search and seize foreign citizens' private communications physically stored in other countries, it will invite other governments to do the same thing. If we ignore other countries' laws, how can we demand that they respect our laws?

Amicus briefs supporting Microsoft have been filed in the U.S. Supreme Court by Ireland, France, and the European Commission and European privacy regulators. Microsoft even notes that on this issue, "Fox News agreed with the American Civil Liberties Union."
Businesses

Amazon Opens 'Surveillance-Powered, No-Checkout Convenience Store' (geekwire.com) 261

An anonymous reader quotes GeekWire: The first Amazon Go grocery and convenience store will open to the public Monday in Seattle -- letting any person with an Amazon account, the Amazon Go app and a willingness to give up more of their personal privacy than usual simply grab anything they want and walk out, without going through a checkout line... After shoppers check in by scanning their unique QR code, overhead cameras work with weight sensors in the shelves to precisely track which items they pick up and take with them. When they leave, they just leave. Amazon Go's systems automatically debit their accounts for the items they take, sending the receipt to the app. In my first test of Amazon Go this past week, my elapsed time in the store was exactly 23 seconds -- from scanning the QR code at the entrance to exiting with my chosen item...

The company says the tracking is precise enough to distinguish between multiple people standing side-by-side at a shelf, detecting which one picked up a yogurt or cupcake, for example, and which one was merely browsing. The system also knows when people pick up items and put them back, ensuring that Amazon doesn't dock anyone's account for milk or chips when they simply wanted to read the label. The idea is to "push the boundaries of computer vision and machine learning" to create an "effortless experience for customers," said Dilip Kumar, Amazon Go vice president of technology, after taking GeekWire through the store this past week... Apart from the kitchen staff preparing fresh food at the back, we saw only two workers in the 1,800-square-foot Amazon Go store during our visit: one at the beer and wine section to check IDs, and another just inside the entrance to greet customers.

TechCrunch calls it "Amazon's surveillance-powered no-checkout convenience store," adding "the system is made up of dozens and dozens of camera units mounted to the ceiling, covering and recovering every square inch of the store from multiple angles."

The Seattle Times reports that the store "was also criticized by grocery-store workers' unions, which feared an effort to automate the work done by cashiers, the second-most-common job in the U.S."
The Internet

Ajit Pai's FCC Can't Admit Broadband Competition Is a Problem (dslreports.com) 108

An anonymous reader quotes a report from DSLReports: While the FCC is fortunately backing away from a plan that would have weakened the standard definition of broadband, the agency under Ajit Pai still can't seem to acknowledge the lack of competition in the broadband sector. Or the impact this limited competition has in encouraging higher prices, net neutrality violations, privacy violations, or what's widely agreed to be some of the worst customer service of any industry in America. The Trump FCC had been widely criticized for a plan to weaken the standard definition of broadband from 25 Mbps down, 3 Mbps up, to include any wireless connection capable of 10 Mbps down, 1 Mbps up. Consumer advocates argued the move was a ham-fisted attempt to try and tilt the data to downplay the industry's obvious competitive and coverage shortcomings. They also argued that the plan made no coherent sense, given that wireless broadband is frequently capped, often not available (with carrier maps the FCC relies on falsely over-stating coverage), and significantly more expensive than traditional fixed-line service.

In a statement (pdf), FCC boss Ajit Pai stated the agency would fortunately be backing away from the measure, while acknowledging that frequently capped and expensive wireless isn't a comparable replacement for fixed-line broadband. "The draft report maintains the same benchmark speed for fixed broadband service previously adopted by the Commission: 25 Mbps download/3 Mbps upload," stated Pai. "The draft report also concludes that mobile broadband service is not a full substitute for fixed service. Instead, it notes there are differences between the two technologies, including clear variations in consumer preferences and demands." That's the good news. The bad news: the FCC under Pai's leadership continues to downplay and ignore the lack of competition in the sector, and the high prices and various bad behaviors most people are painfully familiar with.

Security

Security Breaches Don't Affect Stock Price, Study Suggests (schneier.com) 28

Computer security professional Bruce Schneier highlights the key findings of a study that suggests security breaches don't affect stock price. The study has been published in the Journal of Information Privacy and Security. From the report: -While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to + 0.05%, and on average remained positive through the period assessed.

-For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre- breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R2 greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

-Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

Privacy

Trump Signs Surveillance Extension Into Law (thehill.com) 94

President Trump took to Twitter this afternoon to announce that he has signed a six-year renewal of a powerful government surveillance tool. "Just signed 702 Bill to authorize foreign intelligence collection," Trump tweeted. "This is NOT the same FISA law that was so wrongly abused during the election. I will always do the right thing for our country and put the safety of the American people first!" The Hill reports: Section 702 of the Foreign Intelligence Surveillance Act (FISA), which the Senate voted to renew with a few small tweaks this week, allows the U.S. to spy on foreigners overseas. The intelligence community says the program is a critical tool in identifying and disrupting terror plots. But the broader surveillance law, which governs U.S. spying on foreigners, has become politically entangled with the controversy over the federal investigation into Trump's campaign and Russia. Some Republicans have claimed that the FBI inappropriately obtained a politically motivated FISA warrant to spy on Trump during the transition and on Friday, Capitol Hill was consumed with speculation about a four-page memo produced by House Intelligence Committee Republicans that some GOP lawmakers hinted contained evidence of such wrongdoing.
Google

Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication (theregister.co.uk) 254

It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.
Security

Senate Passes Bill Renewing NSA's Internet Surveillance Program (reuters.com) 96

From a report: The U.S. Senate on Thursday passed a bill to renew the National Security Agency's warrantless internet surveillance program for six years and with minimal changes, overcoming objections from civil liberties advocates that it did too little to safeguard the privacy of Americans. From a report on CNET: The programs, known as Prism and Upstream, allow the NSA to collect online communications of foreigners outside the US. Prism collects these communications from internet services, and Upstream taps into the internet's infrastructure to capture information in transit. Some communications from Americans and others in the US are collected in the process. The vote Thursday renews the programs for six years. The House approved a bill renewing the programs last week. Former NSA contractor Edward Snowden first revealed the programs by leaking information about them to journalists in 2013. After the news coverage, the administration of President Barack Obama declassified much information about the programs.
Privacy

Amazon Won't Say If It Hands Your Echo Data To the Government (zdnet.com) 105

Zack Whittaker reports via ZDNet of how Amazon still won't say whether or not it hands your Echo data to the government -- three years after the Echo was first released. From the report: Amazon has a transparency problem. Three years ago, the retail giant became the last major tech company to reveal how many subpoenas, search warrants, and court orders it received for customer data in a half-year period. While every other tech giant had regularly published its government request figures for years, spurred on by accusations of participation in government surveillance, Amazon had been largely forgotten. Eventually, people noticed and Amazon acquiesced. Since then, Amazon's business has expanded. By its quarterly revenue, it's no longer a retail company -- it's a cloud giant and a device maker. The company's flagship Echo, an "always listening" speaker, collects vast amounts of customer data that's openly up for grabs by the government. But Amazon's bi-annual transparency figures don't want you to know that. In fact, Amazon has been downright deceptive in how it presents the data, obfuscating the figures in its short, but contextless, twice-yearly reports. Not only does Amazon offer the barest minimum of information possible, the company has -- and continues -- to deliberately mislead its customers by actively refusing to clarify how many customers, and which customers, are affected by the data demands it receives.
Crime

Facebook Is a 'Living, Breathing Crime Scene,' Says Former Tech Insider (nbcnews.com) 144

An anonymous reader quotes a report from NBC News: With more than 2 billion users, Facebook's reach now rivals that of Christianity and exceeds that of Islam. However, the network's laser focus on profits and user growth has come at the expense of its users, according to one former Facebook manager who is now speaking out against the social platform. "One of the things that I saw consistently as part of my job was the company just continuously prioritized user growth and making money over protecting users," the ex-manager, Sandy Parakilas, who worked at Facebook for 16 months, starting in 2011, told NBC News. During his tenure at Facebook, Parakilas led third-party advertising, privacy and policy compliance on Facebook's app platform. "Facebook is a living, breathing crime scene for what happened in the 2016 election -- and only they have full access to what happened," said Tristan Harris, a former design ethicist at Google. His work centers on how technology can ethically steer the thoughts and actions of the masses on social media and he's been called "the closest thing Silicon Valley has to a conscience" by The Atlantic magazine.

In response to the comments, Facebook issued a statement saying it is a "vastly different company" from when it was founded. "We are taking many steps to protect and improve people's experience on the platform," the statement said. "In the past year, we've worked to destroy the business model for false news and reduce its spread, stop bad actors from meddling in elections, and bring a new level of transparency to advertising. Last week, we started prioritizing meaningful posts from friends and family in News Feed to help bring people closer together. We have more work to do and we're heads down on getting it done."

Privacy

A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency (qz.com) 146

An anonymous reader quotes a report from Quartz: In the aftermath of an erroneous missile warning that terrified Hawaiians on Saturday (Jan. 13), the state's emergency management agency has come under increased scrutiny, from the poor design of the software that enables alerts to a particularly slapdash security measure by one of its employees. Old photos from the Associated Press inside the agency's office appear to show an unspecified password on a yellow Post-It note, stuck to a computer monitor. The image, which shows operations manger Jeffrey Wong standing in front of the computer, was taken in July and appeared in articles published at the time about the agency's preparedness in the face of a nuclear threat. The agency verified that the password is indeed real but wouldn't go into specifics on what program the password was supposed to be used for.
China

Philippine Lawmakers Worry China Telecom May Be a 'Trojan horse' (reuters.com) 27

An anonymous reader shares a report: Opposition members of the Philippine Congress raised concern on Wednesday that China Telecom Corp, which may enter the Philippine industry, could be a "Trojan horse" aimed at giving China access to state secrets. The Southeast Asian country aims to name a third telecom operator within the first quarter that will break the duopoly of PLDT and Globe Telecom State-run China Telecom has been named as a possible investor in that third entity. President Rodrigo Duterte, who has warned both PLDT and Globe to shape up or face competition, has welcomed Chinese entities specifically to become the third telecoms operator. Beijing has selected China Telecom to invest in the Philippines, according to Philippine officials, but it would need to partner with a local company as it cannot operate alone under the law. China Telecom's presence in the Philippines, however, does not sit well with some lawmakers, given China's telecommunications expertise and sophisticated technology.
Security

Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com) 104

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.
Security

Researchers Uncover Android Malware With Never-Before-Seen Spying Capabilities (arstechnica.com) 102

An anonymous reader quotes a report from Ars Technica: According to a report published Tuesday by antivirus provider Kaspersky Lab, "Skygofree" is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, gelocation data, calendar events, and business-related information stored in device memory. Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations.
The Almighty Buck

OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com) 63

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
Privacy

India To Add Facial Authentication For Its Aadhaar Card Security (reuters.com) 20

India will build facial recognition into its national identity card in addition to fingerprints after a series of breaches in the world's biggest biometric identification programme, the government said on Monday. From a report: A local newspaper reported this month that access to the "Aadhaar" database which has identity details of more than 1 billion citizens was being sold for just $8 on social media. The Unique Identification Authority of India (UIDAI), which issues the identity cards, said it would add face recognition software as an additional layer of security from July. Card holders will be required to match their photographs with that stored in the data base for authentication in addition to fingerprints and iris scans, the agency said in a statement.
Electronic Frontier Foundation

Calls to Action on the Fifth Anniversary of the Death of Aaron Swartz (eff.org) 151

On the fifth anniversary of the death of Aaron Swartz, EFF activist Elliot Harmon posted a remembrance: When you look around the digital rights community, it's easy to find Aaron's fingerprints all over it. He and his organization Demand Progress worked closely with EFF to stop SOPA. Long before that, he played key roles in the development of RSS, RDF, and Creative Commons. He railed hard against the idea of government-funded scientific research being unavailable to the public, and his passion continues to motivate the open access community. Aaron inspired Lawrence Lessig to fight corruption in politics, eventually fueling Lessig's White House run... It's tempting to become pessimistic in the face of countless threats to free speech and privacy. But the story of the SOPA protests demonstrates that we can win in the face of seemingly insurmountable odds.
He shares a link to a video of Aaron's most inspiring talk, "How We Stopped SOPA," writing that "Aaron warned that SOPA wouldn't be the last time Hollywood attempted to use copyright law as an excuse to censor the Internet... 'The enemies of the freedom to connect have not disappeared... We won this fight because everyone made themselves the hero of their own story. Everyone took it as their job to save this crucial freedom. They threw themselves into it. They did whatever they could think of to do.'"

On the anniversary of Aaron's death, his brother Ben Swartz, an engineer at Twitch, wrote about his own efforts to effect change in ways that would've made Aaron proud, while Aaron's mother urged calls to Congress to continue pushing for reform to the Computer Fraud and Abuse Act.

And there were countless other remembrances on Twitter, including one fro Cory Doctorow, who tweeted a link to Lawrence Lessig's analysis of the prosecution. And Lessig himself marked the anniversary with several posts on Twitter. "None should rest," reads one, "for still, there is no peace."

Slashdot Top Deals