On Thursday, the security firm Crowdstrike published detailed findings on Nigerian confraternities, cultish gangs that engage in various criminal activities and have steadily evolved email fraud into a reliable cash cow. The groups, like the notorious Black Axe syndicate, have mastered the creation of compelling and credible-looking fraud emails. Crowdstrike notes that the groups aren't very regimented or technically sophisticated, but flexibility and camaraderie still allow them to develop powerful scams.
Oculus says there are some types of data it either doesn't share or doesn't retain at all. The platform collects physical information like height to calibrate VR experiences, but apparently, it doesn't share any of it with Facebook. It stores posts that are made on the Oculus forums, but not voice communications between users in VR, although it may retain records of connections between them. The company also offers a few examples of when it would share data with Facebook or vice versa. Most obviously, if you're using a Facebook-created VR app like Spaces, Facebook gets information about what you're doing there, much in the same way that any third-party app developer would. You can optionally link your Facebook account to your Oculus ID, in which case, Oculus will use your Facebook interests to suggest specific apps or games. If you've linked the accounts, any friend you add on Facebook will also become your friend on Oculus, if they're on the platform. Oculus does, however, share data between the two services to fight certain kinds of banned activity. "If we find someone using their account to send spam on one service, we can disable all of their accounts," an Oculus spokesperson says. "Similarly, if there's 'strange activity' on a specific Oculus account, they can share the IP address it's coming from with Facebook," writes Robertson. "The biggest problem is that there's nothing stopping Facebook and Oculus from choosing to share more data in the future."
Update 20:30 GMT: Google has issued the following statement, "we are coordinating with authorities and will provide official information here from Google and YouTube as it becomes available." San Bruno Police said it was "responding to an active shooter. Please stay away from Cherry Ave & Bay Hill Drive."
Update 20:40 GMT: CBS San Francisco reports: KPIX 5 reporter Andria Borba said at least two Homeland Security units were responding. Police radio transmissions describe casualties being taken to local hospitals. San Francisco General Hospital spokesman Brent Andrew said the hospital received patients from the incident but could not confirm a number.
Update 21:20 GMT: ABC News is reporting that the suspected shooter is a white adult female, and that this is "leaning towards a workplace violence situation."
Update 21:30 GMT: Law enforcement has confirmed that the shooter was a white female dressed in a headscarf. The woman reportedly shot her boyfriend then herself. It's unclear exactly how many people have been injured, but early reports estimate at least 9-10 victims. There is no word on their conditions.
Update 03:10 GMT: ABC7 News is reporting that the shooter has been identified as Nasim Aghdam. She reportedly had a website with an alleged manifesto that targeted YouTube for censorship and demonetization of her video content. Contrary to previous reports, she is said to have no relationship with anyone in the YouTube facility.
UPDATE 03:40 GMT: Aghdam's website can be found here.
Update 04:15 GMT: The shooter is believed to have known at least one of the victims, two law enforcement officials told CNN. Other sources suggest the shooter drove up from San Diego. YouTube says her YouTube channel "has been terminated due to multiple or severe violations of YouTube's policy against spam, deceptive practices, and misleading content or other Terms of Service violations."
"Silicon Valley is not monolithic," Jobs responded, "We've always had a very different view of privacy than some of our colleagues in the Valley." Apple, for instance, does not leave it up to developers to decide whether to be dutiful about warning users that their apps are tracking their location data, instead forcing pop-ups on users to alert them that an app is tracking them, and to turn off that ability if they don't want. "We do a lot of things like that, to ensure that people know what these apps are doing," he added. It's a stance his successor, Tim Cook, still holds. Mossberg then asked Jobs if that applied to Apple's own apps in the cloud. Here's what Jobs said: "Privacy means people know what they're signing up for, in plain English, and repeatedly. I'm an optimist; I believe people are smart, and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you're going to do with their data." If the company had been more forthright about how developers could take data shared with them by Facebook users and sold to third parties, it may not have been in the mess it's in today. Additionally, TechCrunch reports that Zuckerberg was warned about app permissions in 2011 by European privacy campaigner and lawyer Max Schrems. "In August 2011, Schrems filed a complaint with the Irish Data Protection Commission exactly flagging the app permissions data sinkhole (Ireland being the focal point for the complaint because that's where Facebook's European HQ is based)."
"[T]his means that not the data subject but 'friends' of the data subject are consenting to the use of personal data," wrote Schrems in the 2011 complaint, fleshing out consent concerns with Facebook's friends' data API. "Since an average facebook user has 130 friends, it is very likely that only one of the user's friends is installing some kind of spam or phishing application and is consenting to the use of all data of the data subject. There are many applications that do not need to access the users' friends personal data (e.g. games, quizzes, apps that only post things on the user's page) but Facebook Ireland does not offer a more limited level of access than 'all the basic information of all friends.'" [...] "The data subject is not given an unambiguous consent to the processing of personal data by applications (no opt-in). Even if a data subject is aware of this entire process, the data subject cannot foresee which application of which developer will be using which personal data in the future. Any form of consent can therefore never be specific," he added. It took Facebook from September 2012 until May 2014 and May 2015 to implement changes and tighten app permissions.
But the biggest change involves permanently removing support for three weak cryptographic standards, both on github.com and api.github.com.
The three weak cryptography standards that are no longer supported are:
- TLSv1/TLSv1.1. "This applies to all HTTPS connections, including web, API, and Git connections to https://github.com and https://api.github.com."
- diffie-hellman-group1-sha1. "This applies to all SSH connections to github.com."
- diffie-hellman-group14-sha1. "This applies to all SSH connections to github.com."
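A client-side audit for the three items above, added here as an example and not code from GitHub or the announcement: it flags an ssh_config that explicitly pins one of the removed kex algorithms, reports which removed names the installed OpenSSH client still offers (`ssh -Q kex`), and builds a TLS client context that refuses TLSv1/TLSv1.1. The sample ssh_config is constructed; `+`/`^`/`-` handling follows OpenSSH's KexAlgorithms syntax and is an assumption about how a pin is expressed.

```python
import ssl
import subprocess

# The three items GitHub announced as permanently unsupported.
REMOVED_TLS = {"TLSv1", "TLSv1.1"}
REMOVED_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}

# Constructed sample ssh_config: a hard pin that would now fail against github.com.
SAMPLE_SSH_CONFIG = """\
Host github.com
    KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Host *
    KexAlgorithms -diffie-hellman-group1-sha1
"""


def removed_kex_in(offered):
    """Return the removed kex names present in an offer list (e.g. `ssh -Q kex` output)."""
    return sorted(REMOVED_KEX.intersection(offered))


def kex_pins_from_config(config_text):
    """Map each Host block to the removed kex names its KexAlgorithms line enables.

    A leading '-' only removes from the defaults, so it cannot pin a removed name;
    unprefixed, '+' (append) and '^' (prepend) values can. The check is textual.
    """
    pins, host = {}, "*"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            host = value.strip()
        elif key.lower() == "kexalgorithms" and not value.strip().startswith("-"):
            hits = removed_kex_in(value.strip().lstrip("+^").split(","))
            if hits:
                pins[host] = hits
    return pins


def local_ssh_offer():
    """Kex algorithms the installed OpenSSH client supports; [] if ssh is unavailable."""
    try:
        out = subprocess.run(["ssh", "-Q", "kex"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return out.stdout.split()


def github_tls_context():
    """Client context that will never negotiate the removed TLS versions."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("removed kex pinned in sample config:", kex_pins_from_config(SAMPLE_SSH_CONFIG))
    print("removed kex still offered by local ssh:", removed_kex_in(local_ssh_offer()))
```

A non-empty result from `removed_kex_in(local_ssh_offer())` is only a concern if the client has no newer kex algorithm left to offer, which the `Host github.com` pin in the sample config is the usual way to cause.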
"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea. Adobe said it plans to patch this zero-day on Monday, February 5.
Thompson was ordered to forfeit $1.5 million in "fraud proceeds," according to the article, and was convicted of conspiracy, wire fraud, identity theft and money laundering.
Seven other people also pleaded guilty to participating in the scam -- and one has already been sentenced to 33 months in prison.
In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.
They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain private code that users have published inadvertently or inappropriately."