Supreme Court Wrestles With Microsoft Data Privacy Fight

Supreme Court justices on Tuesday wrestled with Microsoft's dispute with the U.S. Justice Department over whether prosecutors can force technology companies to hand over data stored overseas, with some signaling support for the government and others urging Congress to pass a law to resolve the issue. From a report: Chief Justice John Roberts and Justice Samuel Alito, both conservatives, hinted during an hour-long argument in the case at support for the Justice Department's stance that because Microsoft is based in the United States it was obligated to turn over data sought by prosecutors in a U.S. warrant. As the nine justices grappled with the technological complexities of email data storage, liberals Ruth Bader Ginsburg and Sonia Sotomayor questioned whether the court needed to act in the data privacy case in light of Congress now considering bipartisan legislation that would resolve the legal issue. A ruling is due by the end of June.

Coinbase: We Will Send Data On 13,000 Users To IRS

Coinbase has formally notified its customers that it will be complying with a court order and handing over the user data for about 13,000 of its customers to the Internal Revenue Service. Ars Technica reports: The case began back in November 2016 when the IRS went to a federal judge in San Francisco to enforce an initial order that would have required the company to hand over the data of all users who transacted on the site between 2013 and 2015 as part of a tax evasion investigation. Coinbase resisted the IRS' request in court. But by November 2017, after a hearing, U.S. Magistrate Judge Jacqueline Scott Corley narrowed the request to only cover 13,000 particular individuals. The San Francisco-based startup is now required to provide "taxpayer ID, name, birth date, address, and historical transaction records for certain higher-transacting customers during the 2013-2015 period." Coinbase reminded its users that it is "unable to provide legal or tax advice." The company also noted, "If you have concerns about this, we encourage you to seek legal advice from an attorney promptly. Coinbase expects to produce the information covered by the court's order within 21 days."

Pop-Up Cameras Could Soon Be a Mobile Trend

An anonymous reader quotes a report from TechCrunch: There's an interesting concept making its way around Mobile World Congress. Two gadgets offer cameras hidden until activated, which offer a fresh take on design and additional privacy. Vivo built a camera into a smartphone concept that's on a little sliding tray and Huawei will soon offer a MacBook Pro clone that features a camera hidden under a door above the keyboard. This could be a glimpse of the future of mobile design. Cameras have long been embedded in laptops and smartphones much to the chagrin of privacy experts. Some users cover up these cameras with tape or slim gadgets to ensure nefarious players do not remotely activate the cameras. Others, like HP, have started to build in shutters to give the user more control. Both DIY and built-in options require substantial screen bezels, which the industry is quickly racing to eliminate.

With shrinking bezels, gadget makers have to look for new solutions like the iPhone X notch. Others still, like Vivo and Huawei, are looking at more elegant solutions than carving out a bit of the screen. For Huawei, this means using a false key within the keyboard to house a hidden camera. Press the key and it pops up like a trapdoor. We tried it out and though the housing is clever, the placement makes for awkward photos -- just make sure you trim those nose hairs before starting your conference call. Vivo has a similar take to Huawei, though the camera is embedded on a sliding tray that pops up out of the top of the phone.

Mozilla Removes Individual Cookie Management in Firefox 60

Martin Brinkmann, writing for Ghacks: The most recent version of Firefox Nightly, currently at version 60, comes with changes to Firefox's cookie management. Mozilla merged cookie settings with site data in the web browser, which impacts how you configure and manage cookie options. If you run Firefox 59 or earlier, you can load about:preferences#privacy to manage privacy-related settings in Firefox. If you set the history to "use custom settings for history" or "remember history", you get an option to manage cookie settings and to remove individual cookies from Firefox. A click on the link or button opens a new browser window in which all set cookies are listed. You can use it to find set cookies, look up information, and remove selected or all cookies. Mozilla engineers changed this in recent versions of Firefox 60 (currently on the Nightly channel).

Researchers From MIT and Harvard University Present a Paper Describing a New System, Dubbed Veil, That Makes Private Browsing More Private

From a blog post on MIT News Office: Veil would provide added protections to people using shared computers in offices, hotel business centers, or university computing centers, and it can be used in conjunction with existing private-browsing systems and with anonymity networks such as Tor, which was designed to protect the identity of web users living under repressive regimes. "Veil was motivated by all this research that was done previously in the security community that said, 'Private-browsing modes are leaky -- Here are 10 different ways that they leak,'" says Frank Wang, an MIT graduate student in electrical engineering and computer science and first author on the paper. "We asked, 'What is the fundamental problem?' And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser's best effort is, it still collects it. We might as well not collect that information in the first place."

Apple Moves To Store iCloud Keys in China, Raising Human Rights Fears

Apple will begin hosting Chinese users' iCloud accounts in a new Chinese data center at the end of this month to comply with new laws there. The move would give Chinese authorities far easier access to text messages, email and other data stored in the cloud. From a report: That's because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system. Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

New Tech Industry Lobbying Group Argues 'Right to Repair' Laws Endanger Consumers

chicksdaddy brings this report from Security Ledger: The Security Innovation Center, with the backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers. The group released a survey last week warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members... In an interview with The Security Ledger, Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that Security Innovation Center's main purpose is to push back on efforts to pass right to repair laws in the states.

He said the group thinks such measures are dangerous, citing the "power of connected products and devices" and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves... Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety... "People say 'It's just my washing machine. Why can't I fix it on my own?' But we saw the Mirai botnet attack last year... Those kinds of products in the wrong hands can be used to do bad things."
Signal, WhatsApp Co-Founder Launch 'Open Source Privacy Technology' Nonprofit

An anonymous reader quotes The Next Web: One of the first messaging services to offer end-to-end encryption for truly private conversations, Signal has largely been developed by a team that's never grown larger than three full-time developers over the years it's been around. Now, it's getting a shot in the arm from the co-founder of a rival app. Brian Acton, who built WhatsApp with Jan Koum into a $19 billion business and sold it to Facebook, is pouring $50 million into an initiative to support the ongoing development of Signal. Having left WhatsApp last fall, he's now free to explore projects whose ideals he agrees with, and that includes creating truly private online services.
"Starting with an initial $50,000,000 in funding, we can now increase the size of our team, our capacity, and our ambitions," wrote Signal founder Moxie Marlinspike (a former Twitter executive).

Acton will now also serve as the executive chairman of the newly-formed Signal Foundation, which according to its web site will "develop open source privacy technology that protects free expression and enables secure global communication."

'Critical' T-Mobile Bug Allowed Hackers To Hijack Users' Accounts

An anonymous reader quotes a report from Motherboard: The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn't been revealed until now. Within a day, T-Mobile classified it as "critical," patched the bug, and gave the researcher a $5,000 reward. That's good news, but it's unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed. The newly disclosed bug allowed hackers to log into T-Mobile's account website as any customer. "It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down," Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat. Shortly after we published this story, a T-Mobile spokesperson sent us a statement: "This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours," the emailed statement read. "We found no evidence of customer information being compromised."

Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency

Louise Matsakis, writing for Wired: The internet is full of Facebook users frustrated with how the company handles malware threats. For nearly four years, people have complained about Facebook's anti-malware scan on forums, Twitter, Reddit, and on personal blogs. The problems appear to have gotten worse recently. While the service used to be optional, Facebook now requires it if it flags your device for malware. And according to screenshots reviewed by WIRED from people recently prompted to run the scan, Facebook also no longer allows every user to select what type of device they're on. The malware scans likely only impact a relatively small population of Facebook's billions of users, some of whose computers may genuinely be infected. But even a fraction of Facebook's users still potentially means millions of impacted people.

The mandatory scan has caused widespread confusion and frustration; WIRED spoke to people who had been locked out of their accounts by the scan, or simply baffled by it, on four different continents. The mandatory malware scan has downsides beyond losing account access. Facebook users also frequently report that the feature is poorly designed, and inconsistently implemented. In some cases, if a different user logs onto Facebook from the same device, they sometimes won't be greeted with the malware message. Similarly, if the "infected" user simply switches browsers, the message also appears to occasionally go away.
Samsung Rescues Data-Saving Privacy App Opera Max and Relaunches it as Samsung Max

Samsung has rescued Opera Software's Opera Max data-saving, privacy-protecting Android app from oblivion and relaunched it today as Samsung Max. From a report: Norwegian tech company Opera, which first became known for its desktop browser when it launched in 1995, has offered mobile browser apps across various platforms for years. But in 2014, it launched the standalone Opera Max app for Android, designed to get its users more bang from their data plan, along with some VPN-like features. The app compresses data such as photos, music, and videos while promising "no noticeable loss of quality." Opera Max can also block background processes to conserve battery and data. The app was given a number of new features over the past few years, but last August the company revealed it was pulling the plug on Opera Max once and for all.

US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CBP) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."

The Los Angeles Times Website Is Unintentionally Serving a Cryptocurrency Mining Script

troublemaker_23 shares a report from iTWire: The Los Angeles Times website is serving a cryptocurrency mining script which appears to have been placed there by malicious attackers, according to a well-known security expert. British infosec researcher Kevin Beaumont, who has warned that Amazon AWS servers could be held to ransom due to lax security, tweeted that the newspaper's site was serving a script created by Coinhive. The Coinhive script mines for the monero cryptocurrency. The S3 bucket used by the LA Times is apparently world-writable and an ethical hacker appears to have left a warning in the repository, warning of possible misuse and asking the owner to secure the bucket.

100-Page Report Warns of the Many Dangers of AI

dmoberhaus writes: Last year, 26 top AI researchers from around the globe convened in Oxford to discuss the biggest threats posed by artificial intelligence. The result of this two-day conference was published today as a 100-page report. The report details three main areas where AI poses a threat: political, physical systems, and cybersecurity. It discusses the specifics of these threats, which range from political strife caused by fake AI-generated videos to catastrophic failure of smart homes and autonomous vehicles, as well as intentional threats, such as autonomous weapons. Although the researchers offer only general guidance for how to deal with these threats, they do offer a path forward for policy makers.

Hackers Hijacked Tesla's Amazon Cloud Account To Mine Cryptocurrency

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to "mine" cryptocurrency, security researchers said. The breach also exposed proprietary data for the electric carmaker. From a report: The researchers, who worked for RedLock, a 3-year-old cybersecurity startup, said they discovered the intrusion last month while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account turned out to be Tesla, they said. "We weren't the first to get to it," Varun Badhwar, CEO and cofounder of RedLock, told Fortune on a call. "Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment." The incident is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims' computers to generate virtual currencies like Bitcoin. The schemes have seen a resurgence in popularity as cryptocurrency prices have soared over the past year. In a statement, Tesla said, "We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."

Why Decentralization Matters

Chris Dixon has an essay about the long-term promise of blockchain-based networks to upend web-based businesses such as Facebook and Twitter. He writes: When they hit the top of the S-curve, their relationships with network participants change from positive-sum to zero-sum. The easiest way to continue growing lies in extracting data from users and competing with complements over audiences and profits. Historical examples of this are Microsoft vs Netscape, Google vs Yelp, Facebook vs Zynga, and Twitter vs its 3rd-party clients. Operating systems like iOS and Android have behaved better, although still take a healthy 30% tax, reject apps for seemingly arbitrary reasons, and subsume the functionality of 3rd-party apps at will. For 3rd parties, this transition from cooperation to competition feels like a bait-and-switch. Over time, the best entrepreneurs, developers, and investors have become wary of building on top of centralized platforms. We now have decades of evidence that doing so will end in disappointment. In addition, users give up privacy, control of their data, and become vulnerable to security breaches. These problems with centralized platforms will likely become even more pronounced in the future.

Flight Sim Company Embeds Malware To Steal Pirates' Passwords

TorrentFreak: Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure. Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.

Contractors Pose Cyber Risk To Government Agencies

Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.

Facebook Admits SMS Notifications Sent Using Two-Factor Number Were Caused by Bug

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.

Phishing Attack Scores Credentials For More Than 50,000 Snapchat Users

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.
