IP Address May Associate Lyft CTO With Uber Data Breach 103

An anonymous reader writes: According to two unnamed Reuters sources, the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.

Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? 81

New submitter tanstaaf1 writes: I was thinking about the whole tracking and privacy train-wreck and I'm wondering why specific information on how it is done, and how it can be micromanaged or undone by a decent programmer (at least), isn't vastly more accessible? By searching, I can only find information on how to erase cookies using the browser. Browser-level (black box) solutions aren't anywhere near good enough; if they were, the exploits would be few and far between instead of everywhere, every day. Read below for the rest of tanstaaf1's question.
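One piece of the "nuts and bolts" the question asks for is how a client can tell a tracking cookie from a session cookie just from the Set-Cookie header: which server set it, whether its domain belongs to the page you are on, whether it outlives the tab, and whether it is allowed in cross-site requests. The following is an added example, not code from the Slashdot post or from any browser; the host names and headers are constructed for illustration, and the eTLD+1 helper is deliberately naive (a real client consults the Public Suffix List, which this does not).

```python
"""Classify Set-Cookie headers observed while loading a page.

Added example, constructed for illustration: the page URL, response hosts
and header strings below are made up.  registrable_domain() is a naive
"last two labels" stand-in for a Public Suffix List lookup.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    # Naive eTLD+1.  Breaks on suffixes like "co.uk"; use the PSL in practice.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookie(page_url: str, response_host: str, set_cookie: str) -> dict:
    """Describe one Set-Cookie header sent by response_host while page_url loads."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()          # one Set-Cookie header = one cookie
    page_host = urlsplit(page_url).hostname
    # No Domain attribute means host-only: the cookie belongs to the sender.
    cookie_domain = (morsel["domain"] or response_host).lstrip(".")
    third_party = registrable_domain(cookie_domain) != registrable_domain(page_host)
    # Session cookies have neither Max-Age nor Expires and die with the browser.
    persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
    return {
        "name": name,
        "domain": cookie_domain,
        "third_party": third_party,
        "persistent": persistent,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": morsel["samesite"] or "(unset)",
        # A long-lived cookie scoped to a domain other than the page's is the
        # classic cross-site tracking identifier.
        "tracking_risk": third_party and persistent,
    }


def audit(page_url: str, observed: list) -> list:
    """observed: [(response_host, set_cookie_header), ...]; returns the risky ones."""
    return [r for host, hdr in observed
            if (r := classify_cookie(page_url, host, hdr))["tracking_risk"]]


# Constructed sample: one page load that touches a first-party and a third-party host.
PAGE = "https://www.shop.example/cart"
OBSERVED = [
    ("www.shop.example", "session=9f1c; HttpOnly; Secure; SameSite=Lax"),
    ("cdn.shop.example", "pref=dark; Max-Age=2592000; Secure; SameSite=Lax"),
    ("ads.tracker.example",
     "uid=4f2a; Domain=.tracker.example; Max-Age=63072000; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for host, hdr in OBSERVED:
        print(classify_cookie(PAGE, host, hdr))
    print("tracking cookies:", [r["name"] for r in audit(PAGE, OBSERVED)])
```

Run it and the `pref` cookie from `cdn.shop.example` comes out first-party (same registrable domain as the page), while the `uid` cookie from `ads.tracker.example` is third-party, persistent for two years and marked `SameSite=None`, which is exactly what lets it ride along on cross-site requests. Blocking by those attributes, rather than by a list of known tracker names, is what the browser-level "erase cookies" button never exposes.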

IBM's Watson Is Now Analyzing Your Vacation Photos 117

jfruh writes: IBM's Jeopardy-winning supercomputer Watson is now a suite of cloud-based services that developers can use to add cognitive capabilities to applications, and one of its powers is visual analysis. Visual Insights analyzes images and videos posted to services like Twitter, Facebook and Instagram, then looks for patterns and trends in what people have been posting. Watson turns what it gleans into structured data, making it easier to load into a database and act upon — which is clearly appealing to marketers and just as clearly carries disturbing privacy implications.

Russia's Plan To Crack Tor Crumbles 122

mspohr writes: It looks like Russia's effort to crack Tor was harder than they anticipated. The company that won the contract is now trying to get out of it. Bloomberg reports: "The Kremlin was willing to pay 3.9 million rubles ($59,000) to anyone able to crack Tor, a popular tool for communicating anonymously over the Internet. Now the company that won the government contract expects to spend more than twice that amount to abandon the project. The Central Research Institute of Economics, Informatics, and Control Systems—a Moscow arm of Rostec, a state-run maker of helicopters, weapons, and other military and industrial equipment—agreed to pay 10 million rubles ($150,000) to hire a law firm tasked with negotiating a way out of the deal, according to a database of state-purchase disclosures. Lawyers from Pleshakov, Ushkalov and Partners will work with Russian officials on putting an end to the Tor research project, along with several classified contracts, the government documents say."

Cassandra Rewritten In C++, Ten Times Faster 341

urdak writes: At Cassandra Summit opening today, Avi Kivity and Dor Laor (who had previously written KVM and OSv) announced ScyllaDB — an open-source C++ rewrite of Cassandra, the popular NoSQL database. ScyllaDB claims to achieve a whopping 10 times more throughput per node than the original Java code, with sub-millisecond 99%ile latency. They even measured 1 million transactions per second on a single node. The performance of the new code is attributed to writing it in Seastar — a C++ framework for writing complex asynchronous applications with optimal performance on modern hardware.
United Kingdom

UK Govt's Expensive Mobile Coverage Project Builds Just 8 Masts In 4 Years 75

An anonymous reader points out a dismal report at The Register on a project intended by the UK government to connect lots of internet have-nots, but which has so far not accomplished as much as hoped. The Mobile Infrastructure Project is intended to provide last-mile connectivity, but the project has languished and fallen short of its promises. This year, the Department for Culture, Media and Sport has managed to erect only six masts, which can serve about 200 homes apiece. Originally more than 575 sites had been commissioned, following the publication of the "no coverage" database by watchdog Ofcom. At the rate seen so far of four masts a year it will take over 140 years to complete the £150m Mobile Infrastructure Project. The original deadline was to have all the sites equipped and live by the end of 2015. However, that deadline was extended to March 2016 to "ensure that benefits of the program are maximized."

Chinese Compiling "Facebook" of US Government Employees 113

schwit1 writes: According to private security firm CrowdStrike's founder, Dmitri Alperovitch, the Chinese are compiling a massive 'Facebook' like database on American federal government employees for use in espionage and blackmail. The data was stolen from high profile attacks against the U.S. Office of Personnel Management, as well as intrusions into the Anthem and CareFirst BlueCross BlueShield health insurance networks. "That can now be used to embarrass you publicly and force you to work for the Chinese government," Alperovitch says. "It's, in effect, a private version of Facebook with much more detail about your life than even Facebook has that the Chinese now have access to."

Ex-Ashley Madison CTO Threatens Libel Suit Against Journalist 142

An anonymous reader writes: Security reporter Brian Krebs, who has been instrumental in breaking news about the Ashley Madison hack, is now being threatened by the website's former CTO with a libel suit. Contained in the leaked data was a series of emails from the ex-CTO, Raja Bhatia, to the CEO of Ashley Madison's parent company. In the emails, Bhatia noted a security hole in a competing website, saying that he downloaded their user database and was capable of modifying and exposing it. After reporting on these emails, Krebs received a letter from Bhatia's lawyer (PDF) saying the post was libelous and defamatory. They demanded a retraction, which Krebs is thus far unwilling to do.

Boston Tracks Vehicles, Lies About It, Leaves Data Exposed 88

An anonymous reader writes: License plate readers have been in the news a lot lately for the invasion of privacy they represent. Boston is the latest city to make mistakes with the technology. Two weeks ago, a reporter realized that the City of Boston had accidentally exposed records for their automated license plate reader system online. Anyone could have downloaded "dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012." What's worse is that the Boston Police Department claimed in 2013 that it had stopped using license plate readers. A look through the accidentally-public database shows "hundreds of emails" dating from 2013 to the present, indicating that the police were still getting that data with help from the Transportation Department.

Proposed MAC Sniffing Dongle Intended To Help Recover Stolen Electronics 120

An anonymous reader writes to say that an Iowa City police officer is developing a new concept to help police find more stolen property. The Gazette has a short report that officer David Schwindt, inspired by a forensics class, is working on L8NT, a specialized wireless dongle to help police officers locate stolen electronics (any of them with wireless capabilities and a MAC address, at least) by scanning for MAC addresses associated with stolen goods. The idea is to have police scan as they drive for these MAC entries, and match them against a database. The article notes a few shortcomings in this concept, but does not point out an even bigger one: MAC addresses are usually mutable, anyhow, in a way that's not as obvious as an obscured serial number, and thieves could refine their business model by automating the change.
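The shortcoming the summary points out can be made concrete: a scanner of the kind described can only match what it sees against a list, and the one bit that reveals whether an address was ever burned in by the vendor is the U/L ("locally administered") bit of the first octet. The following is an added example, not the officer's L8NT code or anything from The Gazette's report; the stolen-goods records and the drive-by capture are constructed, and the case identifiers are made up.

```python
"""Match passively observed MAC addresses against a list of stolen devices,
and say how much a match is worth.

Added example, not L8NT.  STOLEN_DB and SIGHTINGS are constructed sample data.
"""
import re

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabbccddeeff.
_MAC_RE = re.compile(r"^" + r"[:-]?".join([r"([0-9A-Fa-f]{2})"] * 6) + r"$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(g.lower() for g in m.groups())


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet is the U/L bit.  Set means the address
    was assigned by software (spoofed, or a phone's per-network random MAC),
    so it says nothing about which physical device is transmitting."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (0x01) of the first octet: group addresses never name a device."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def scan_for_stolen(sightings, stolen_db) -> list:
    """sightings: iterable of (mac, rssi) from a passive capture.
    stolen_db: {mac: case_id}.  Returns hits with a 'burned_in' flag that tells
    the officer whether the match is the vendor-assigned address or a mutable one."""
    db = {normalize_mac(m): case for m, case in stolen_db.items()}
    hits = []
    for mac, rssi in sightings:
        n = normalize_mac(mac)
        if is_multicast(n):
            continue
        if n in db:
            hits.append({"mac": n, "case": db[n], "rssi": rssi,
                         "burned_in": not is_locally_administered(n)})
    return hits


STOLEN_DB = {  # constructed records; case numbers are made up
    "3C:22:FB:11:22:33": "case-1041",  # laptop, vendor OUI, U/L bit clear
    "da:a1:19:44:55:66": "case-1042",  # phone that was already on a randomized MAC
}

SIGHTINGS = [  # constructed drive-by capture: (mac, rssi dBm)
    ("3c:22:fb:11:22:33", -61),  # the stolen laptop, address unchanged: real hit
    ("3e:22:fb:11:22:33", -58),  # same hardware after a one-bit change (0x3c -> 0x3e): no hit
    ("da:a1:19:44:55:66", -70),  # LA address: could be the phone, or any random client
    ("01:00:5e:00:00:fb", -40),  # multicast, skipped
]

if __name__ == "__main__":
    for hit in scan_for_stolen(SIGHTINGS, STOLEN_DB):
        print(hit)
```

The second sighting is the whole argument in one line: flipping the U/L bit of the first octet (a single `ip link set dev wlan0 address ...` on Linux, or a phone's built-in randomization) takes the laptop off the list without touching anything a serial number would reveal. The `burned_in` flag at least lets the database distinguish a vendor-assigned match from one that any device could present.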

Facebook's Solution To 'One of Education's Biggest Problems' Is a Dashboard 63

theodp writes: Gushing in July that Facebook engineers had solved one of education's biggest problems, Melinda Gates perhaps set up Segway-like expectations for Facebook's education software. And while The Verge sings the praises of what appears to be progress-tracking dashboards that connect students to mostly free 3rd-party lessons — not unlike Khan Academy or even the 50-year-old PLATO system — it's hard to get jazzed based on the screenshots (1, 2, 3) that Facebook provided in a .zip file accompanying its announcement. The "personalized learning plan" dashboards are a joint effort of Facebook and the Meg Whitman-led and backed Summit charter schools. In a nice circle-of-tech-CEO-education-reform-life twist, the first Summit high school opened in a building in Redwood City after students attending the Bill Gates-touted and backed Silicon Valley High Tech High charter there were evicted to make way, and the Gates Foundation is now spending $8M to bring HP CEO Whitman's Summit charter schools — and presumably Facebook CEO Mark Zuckerberg's personalized learning plans — to Seattle children.
Open Source

Netflix Open Sources Sleepy Puppy XSS Hunter 12

msm1267 writes: Netflix has released a tool it calls Sleepy Puppy. The tool injects cross-site scripting payloads into a target app that may not be vulnerable, but could be stored in a database and tracks the payload if it's reflected to a secondary application that makes use of the data in the same field. "We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible," said co-developer Scott Behrens, a senior application security engineer at Netflix. "We also wanted to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications." Sleepy Puppy is available on Netflix's GitHub repository and is one of a slew of security tools its engineers have released to open source.
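The mechanism Behrens describes is a tracking token, not a clever payload: each injected string carries a unique identifier that beacons to a collector, so when some other application later renders the stored field unescaped, the collector learns which app fired and which field the payload came from. The simulation below is an added example, not Sleepy Puppy's code; the two "applications", their shared table, the collector host `collector.example` and the one-function "browser" are constructed stand-ins so the whole exchange runs offline.

```python
"""Delayed (stored, cross-application) XSS tracking, simulated end to end.

Added example, not Netflix's Sleepy Puppy.  The intake app, the report app,
the shared table, the collector host and the toy browser are all constructed.
"""
import html
import re
import secrets


class Collector:
    """Stands in for the callback server that a real payload's <script src>
    would request.  Knows which app/field each token was injected into."""

    def __init__(self):
        self.issued = {}   # token -> (target_app, field)
        self.fired = []    # (token, app_that_rendered_it)

    def payload(self, target_app: str, field: str) -> str:
        token = secrets.token_hex(4)
        self.issued[token] = (target_app, field)
        return f'<script src="https://collector.example/p/{token}.js"></script>'

    def record(self, token: str, app: str) -> None:
        if token in self.issued:
            self.fired.append((token, app))


SHARED_DB = []  # rows written by the intake app and read by every other app


def intake_app(username: str) -> str:
    """Primary target.  Escapes on output, so it is not itself vulnerable,
    but it stores the raw value for everyone downstream."""
    SHARED_DB.append({"username": username})
    return "<p>Welcome, " + html.escape(username) + "</p>"


def render_report(escape: bool) -> str:
    """Secondary app reading the same field.  escape=False is the internal
    dashboard nobody fuzzed; escape=True is the one that got it right."""
    cell = (lambda v: html.escape(v)) if escape else (lambda v: v)
    rows = "".join(f"<tr><td>{cell(r['username'])}</td></tr>" for r in SHARED_DB)
    return f"<table>{rows}</table>"


# A script tag whose src points at our collector, surviving intact, is what a
# browser would execute.  An escaped copy (&lt;script ...) does not match.
_LIVE_TOKEN_RE = re.compile(
    r'<script src="https://collector\.example/p/([0-9a-f]{8})\.js"></script>')


def browser(collector: Collector, app_name: str, page: str) -> None:
    """Toy browser: 'executes' every live script tag by reporting its token."""
    for token in _LIVE_TOKEN_RE.findall(page):
        collector.record(token, app_name)


def run_hunt() -> dict:
    SHARED_DB.clear()
    c = Collector()
    p = c.payload("signup", "username")
    browser(c, "signup", intake_app(p))                       # escaped: silent
    browser(c, "admin-report", render_report(escape=False))   # fires here
    browser(c, "partner-export", render_report(escape=True))  # escaped: silent
    return {
        "issued": [(tok, *c.issued[tok]) for tok in c.issued],
        "fired": [(tok, app, c.issued[tok]) for tok, app in c.fired],
    }


if __name__ == "__main__":
    result = run_hunt()
    for tok, app, origin in result["fired"]:
        print(f"token {tok} injected into {origin} fired in {app}")
```

The point the summary makes is visible in the output: the signup form that received the payload never fires, the partner export that escapes never fires, and the internal admin report, which nobody would have found by testing the public app alone, does. Mapping tokens back to `(app, field)` is what turns a beacon into a finding with a location.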

Lights, Camera, Experiment! 14

theodp writes: The New Yorker's Jamie Holmes takes a look at How Methods Videos Are Making Science Smarter, helping scientists replicate elaborate experiments in a way that the text format of traditional journals simply can't. The Journal of Visualized Experiments (JOVE), for instance, is a peer-reviewed scientific journal that now has a database of more than four thousand videos that are usually between ten and fifteen minutes long, ranging in subject from biology and chemistry to neuroscience and medicine. "Complexity was always an issue," JOVE co-founder Moshe Pritsker explains. "Even when biology was a much smaller enterprise, it relied on a degree of specialized craft in the laboratory. But, since the end of the nineties, we've seen a huge influx of new technologies into biology: genomics, proteomics, technologies like microarrays, complex genetic methods, and sophisticated microscopy and imaging techniques." And, as the popularity of the decidedly non-peer-reviewed Crazy Russian Hacker's YouTube videos shows, methods videos aren't just for research scientists.
The Courts

Federal Court Overturns Ruling That NSA Metadata Collection Was Illegal 151

New submitter captnjohnny1618 writes: NPR is reporting that an appeals court has overturned the decision that found the NSA's bulk data collection to be illegal. "Judges for the District of Columbia court of appeals found that the man who brought the case, conservative lawyer Larry Klayman, could not prove that his particular cellphone records had been swept up in NSA dragnets." The article clarifies that due to the recent passage of new laws governing how metadata is collected, this is of less significance than it would have otherwise been: "If you remember, after a fierce battle, both houses of Congress voted in favor of a law that lets phone companies keep that database, but still allows the government to query it for specific data. The three-judge panel of the United States Court of Appeals for the District of Columbia still decided to take on the case, because that new program doesn't begin until 180 days after the date that law was enacted (June 2, 2015.)" On top of that, the injunction from the earlier ruling never actually went into effect. Still, it seems like an important ruling to me: a government agency was willfully and directly violating the rights of the Americans (and international citizens as well) and now it's just going to get shrugged off?
Your Rights Online

Analysis Reveals Almost No Real Women On Ashley Madison 450

gurps_npc writes: Ashley Madison claimed to have about 31 million men and 5.5 million women enrolled. Those odds are not good for the men, 6:1. But unfortunately, most of those 'women' were fake. This researcher analyzed the data and found only 12,000 actual, real women using Ashley Madison. That means for every 7750 men, there were 3 women. There are reports that Ashley Madison paid people to create fake female profiles. Their website admits that 'some of the users may be there for "entertainment purposes."' The article itself is well written, including a description of the analysis. A charitable person would say that Ashley Madison was selling a fantasy, not reality. But a realist would say Ashley Madison is just a thief stealing money from lonely, unhappy men.

Ask Slashdot: Maintaining Continuity In Your Creative Works? 95

imac.usr writes: I recently rewatched the Stonecutters episode of The Simpsons and laughed as always at the scene where Homer pulls into his parking space — right next to his house. It's such a great little comic moment. This time, though, it occurred to me that someone probably wrote in to complain that the power plant was normally in a completely different part of town, no doubt adding "I really hope somebody got fired for that blunder." And that got me to wondering: how do creators of serial media — books, web comics, TV shows, even movie serials — record their various continuities? Is there a story bible with the information, or a database of people/places/things, or even something scribbled on a 3x5 card? I know Slashdot is full of artists who must deal with this issue on a regular basis, so I'd be interested in hearing any perspectives on how (or even if) you manage it.

Extortionists Begin Targeting AshleyMadison Users, Demand Bitcoin 286

tsu doh nimh writes: It was bound to happen: Brian Krebs reports that extortionists have begun emailing people whose information is included in the leaked user database, threatening to find and contact the target's spouse and alert them if the recipient fails to cough up 1 Bitcoin. Krebs interviews one guy who got such a demand, a user who admits to having had an affair after meeting a woman on the site and who is now worried about the fallout, which he said could endanger his happily married life with his wife and kids. Perhaps inevitable: two Canadian law firms have filed a class action lawsuit against the company, seeking more than half a billion dollars in damages.

New Rules Say UK Video Bloggers Must Be Clearer About Paid Endorsements 36

AmiMoJo writes: New guidelines for video bloggers who enter marketing relationships with brands have been published. Earlier this year the Advertising Standards Authority (ASA) ruled that paid endorsements for Oreo biscuits on YouTube were not marked clearly enough. The new rules outline several scenarios where content must be clearly marked as an advertisement. One note from the linked article: However, the guidelines noted that when free items are sent to vloggers without any editorial or content control over videos exerted by the brand in question, there is no need for them to follow the CAP Code.

Hackers Publish Cheating Site's Stolen Data 319

pdclarry notes that many news outlets are reporting that 9.7 GB of data stolen from the cheating website has been published online. "The dump contains files with titles including 'aminno_member_dump.gz,' 'aminno_member_email.dump.gz,' 'CreditCardTransactions7z,' and 'member_details.dump.gz,' an indication that the download could contain highly personal details." Brian Krebs questioned the way this has been reported without confirmation, but added that he's been contacted by several people who found their own accurate details within the data dump. Many of the reports note this detail: "Assuming the download turns out to be authentic, people should remember that it was possible for anyone to create an account using the name and e-mail address of other individuals."

Virginia Ditches 'America's Worst Voting Machines' 393

Geoffrey.landis writes: Computerized voting machines are bad news in general, but the WINVote machines used in Virginia might just have earned their reputation as the most insecure voting machine in America. They feature Wi-Fi that can't be turned off (protected, however, with a WEP password of "abcde"), an unencrypted database, and administrative access with a hardcoded password of "admin." According to security researcher Jeremy Epstein, if the machines weren't hacked in past elections, "it was because nobody tried." But with no paper trail, we'll never know.

Well, after ignoring the well-documented problems for over a decade, Virginia finally decided to decommission the machines... after the governor had problems with the machines last election and demanded an investigation. Quoting: "In total, the vulnerabilities investigators found were so severe and so trivial to exploit, Epstein noted that 'anyone with even a modicum of training could have succeeded' in hacking them. An attacker wouldn't have needed to be inside a polling place either to subvert an election... someone 'within a half mile with a rudimentary antenna built using a Pringles can could also have attacked them.'"