Privacy

Millions of Texas Voter Records Exposed Online (techcrunch.com) 79

A folder containing an estimated 14.8 million Texas voter records was left on an unsecured server without a password. Considering Texas has 19.3 million registered voters, this leak is very substantial. The file was discovered by a New Zealand-based data breach hunter who goes by the pseudonym Flash Gordon. TechCrunch reports: It's not clear who owned the server where the exposed file was found, but an analysis of the data reveals that it was likely originally compiled by Data Trust, a Republican-focused data analytics firm created by the GOP to provide campaigns with voter data. The file -- close to 16 gigabytes in size -- contained dozens of fields, including personal information like a voter's name, address, gender and several years' worth of voting history, including primaries and presidential elections. It's not known exactly when the data was compiled, but an analysis of the data suggests it was prepared in time for the 2016 presidential election. It's also not known if the file is a subset of the 198 million-record leak last year -- or if it's a standalone data set.
Security

Intel's Reworked Microcode Security Fix License No Longer Prohibits Benchmarking (theregister.co.uk) 76

An anonymous reader quotes a report from The Register: Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors -- after the previous wording outlawed public benchmarking of the chips. The reason for Intel's insistence on a vow of silence is that -- even with the new microcode in place -- turning off hyper-threading is necessary to protect virtual machines from attack via Foreshadow -- and that move comes with a potential performance hit. Predictably, Intel's contractual omerta had the opposite effect and drew attention to the problem. "Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks," said Lucas Holt, MidnightBSD project lead, via Twitter.
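The report's point is that the microcode alone does not close Foreshadow (L1TF) for virtual machines: a host also needs hyper-threading (SMT) off, or a malicious guest on a sibling thread can read the shared L1 data cache. The Linux kernel reports both facts in sysfs, so a host inventory can check them rather than trusting that the microcode was applied. The following is an added example, not code from The Register, Intel or any distribution; the sample status strings are constructed here to follow the wording documented in the kernel's L1TF admin guide, and the exact phrasing on a given kernel is an assumption that should be verified against that guide.

```python
# Added example: classify a Linux host's Foreshadow/L1TF exposure for VM workloads
# from the kernel's sysfs reporting. Status strings are constructed samples modelled
# on the kernel's documented l1tf format (assumption: exact wording may vary by kernel).

L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"
SMT_PATH = "/sys/devices/system/cpu/smt/control"


def parse_l1tf(status: str) -> dict:
    """Turn the l1tf sysfs line into flags.

    Unknown wording is treated as vulnerable (fail closed). A line without a
    'VMX:' part means the kernel is not reporting hypervisor state at all,
    which is also flagged so that someone looks at the host.
    """
    s = status.strip()
    flags = {
        "affected": True,
        "pte_inversion": False,
        "smt_vulnerable": True,
        "l1d_flush": False,
        "ept_disabled": False,
    }
    if s == "Not affected":
        flags.update(affected=False, smt_vulnerable=False, l1d_flush=True)
        return flags
    flags["pte_inversion"] = "PTE Inversion" in s
    if "VMX:" in s:
        vmx = s.split("VMX:", 1)[1]
        flags["ept_disabled"] = "EPT disabled" in vmx
        flags["smt_vulnerable"] = "SMT disabled" not in vmx
        flags["l1d_flush"] = "cache flushes" in vmx
    return flags


def vm_host_exposed(l1tf_status: str, smt_control: str) -> bool:
    """True when a malicious guest could still read host or other-guest L1D
    contents: SMT left on (sibling-thread leak) or no L1D flush on VM entry.
    Disabling EPT removes the guest attack vector, so it counts as safe."""
    f = parse_l1tf(l1tf_status)
    if not f["affected"] or f["ept_disabled"]:
        return False
    # smt/control values: on, off, forceoff, notsupported, notimplemented
    smt_off = smt_control.strip() in ("off", "forceoff", "notsupported")
    return (f["smt_vulnerable"] and not smt_off) or not f["l1d_flush"]


def read_host_status():
    """Read the live values; returns None if this kernel does not expose them."""
    try:
        with open(L1TF_PATH) as l1tf, open(SMT_PATH) as smt:
            return vm_host_exposed(l1tf.read(), smt.read())
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed samples: microcode present, but SMT still on.
    sample_l1tf = "Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes"
    print("exposed:", vm_host_exposed(sample_l1tf, "on"))
    print("live host:", read_host_status())
```

The performance hit the article refers to is exactly what `vm_host_exposed` reporting `False` costs: the host has to give up half its logical CPUs (SMT off) and flush L1D on every VM entry.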

In response to the outcry, Intel subsequently said it would rewrite the licensing terms. And now the fix is in. Via Twitter, Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, on Thursday said: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community." The reworked license no longer prohibits benchmarking.
Long-time Slashdot reader and open-source pioneer, Bruce Perens, first brought Intel's microcode update to our attention. In a phone interview with The Register, Perens said he approved of the change. "This is a relatively innocuous license for proprietary software and it can be distributed in the non-free section of Debian, which is where it used to be, and it should be distributable by other Linux distributions," he said. "You can't expect every lawyer to understand CPUs. Sometimes they have to have a deep conversation with their technical people."
Security

Crowdsourcing the Hunt For Software Bugs is a Booming Business -- and a Risky One (technologyreview.com) 12

The cybersecurity gig economy has expanded to hundreds of thousands of hackers, many of whom have had some experience in the IT security industry. Some still have jobs and hunt bugs in their spare time, while others make a living from freelancing. They are playing an essential role in helping to make code more secure at a time when attacks are rapidly increasing and the cost of maintaining dedicated internal security teams is skyrocketing. From a report: The best freelance bug spotters can make significant sums of money. HackerOne, which has over 200,000 registered users, says about 12 percent of the people using its service pocket $20,000 or more a year, and around 3 percent make over $100,000. The hackers using these platforms hail mostly from the US and Europe, but also from poorer countries where the money they can earn leads some to work full time on bug hunting.
Security

How an International Hacker Network Turned Stolen Press Releases Into $100 million (theverge.com) 34

Isobel Koshiw, reporting for The Verge: At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he'd been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits. Oleksandr Ieremenko, one of the hackers at the club that night, had worked with Turchynov before and decided he wanted in on the scam. With his friend Vadym Iermolovych, he hacked Business Wire, stole Turchynov's inside access to the site, and pushed the main Muscovite ringleader, known by the screen name eggPLC, to bring them in on the scheme. The hostile takeover meant Turchynov was forced to split his business. Now, there were three hackers in on the game.

Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts. Through interviews with sources involved with both the scheme and the investigation, chat logs, and court documents, The Verge has traced the evolution of what law enforcement would later call one of the largest securities fraud cases in US history.
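The article lists SQL injection first among the methods used against the newswires, and it is the one whose mechanics fit in a few lines: an application that splices a search term into its query lets a visitor turn a lookup for published releases into a dump of the embargoed ones. The block below is an added illustration and is not code from any newswire or from The Verge's reporting; the table, the releases in it and the payload are constructed for the example, and sqlite3 stands in for whatever database the real sites used.

```python
# Added example: SQL injection against an embargoed-release lookup, vulnerable
# string-built query beside the parameterised fix. All data is constructed.
import sqlite3

# Constructed sample rows: (company, headline, embargo_until, published)
SAMPLE_RELEASES = [
    ("ACME Corp", "ACME Q2 results", "2012-04-10T08:00:00", 1),
    ("ACME Corp", "ACME acquires Globex", "2012-04-20T08:00:00", 0),  # still embargoed
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the newswire's release store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE press_releases "
        "(company TEXT, headline TEXT, embargo_until TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO press_releases VALUES (?, ?, ?, ?)", SAMPLE_RELEASES)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, company: str) -> list:
    # BAD: the visitor's text becomes part of the SQL. A quote ends the string
    # literal, OR 1=1 matches every row, and -- comments out the published filter.
    sql = (
        f"SELECT headline FROM press_releases "
        f"WHERE company = '{company}' AND published = 1"
    )
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, company: str) -> list:
    # GOOD: parameter binding. The driver sends the value separately from the
    # statement, so it can only ever be compared as data, never parsed as SQL.
    sql = "SELECT headline FROM press_releases WHERE company = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (company,))]


def demo() -> dict:
    """Run an honest query and an injection payload through both versions."""
    conn = build_db()
    payload = "ACME Corp' OR 1=1 --"
    return {
        "honest_vulnerable": search_vulnerable(conn, "ACME Corp"),
        "attack_vulnerable": search_vulnerable(conn, payload),  # leaks the embargoed row
        "attack_hardened": search_hardened(conn, payload),  # no company has that name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The payload never needs the column names: `OR 1=1` widens the match and `--` discards whatever conditions follow, which is why the `published = 1` filter on the vulnerable path offers no protection. The hardened path treats the whole payload as a literal company name and returns nothing.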

Communications

Encrypted Communications Apps Failed To Protect Michael Cohen (fastcompany.com) 475

An anonymous reader shares a report: Within the detailed federal allegations against former Trump lawyer Michael Cohen, who pleaded guilty earlier this week to eight charges including campaign finance violations, are multiple references to texts sent by Cohen and even a call made "through an encrypted telephone application." Cohen was apparently a fan of encrypted communications apps like WhatsApp and Signal, but those tools failed to keep his messages and calls out of sight from investigators. In June, prosecutors said in a court filing the FBI had obtained 731 pages of messages and call logs from those apps from Cohen's phones. Investigators also managed to reconstruct at least 16 pages of physically shredded documents. Those logs, judging by the charging document, appear to have helped document at least Cohen's communications with officials at the National Enquirer about allegations from porn actress Stormy Daniels -- whom Cohen allegedly paid on behalf of Trump, violating campaign finance law. It's unclear if the FBI actually broke through any layers of encryption to get the data. It's possible that Cohen, who apparently at times taped conversations, stored the conversation logs in a less-than-secure way.
Media

Reality Winner Sentenced To More Than 5 Years For Leaking Info About Russia Hacking Attempts (nbcnews.com) 261

A former government contractor who pleaded guilty to leaking U.S. secrets about Russia's attempts to hack the 2016 presidential election was sentenced Thursday to five years and three months in prison. From a report: It was the sentence that prosecutors had recommended in the plea deal -- the longest sentence ever given for a federal crime involving leaks to the news media -- for Reality Winner, the Georgia woman at the center of the case. Winner was also sentenced to three years of supervised release and no fine, except for a $100 special assessment fee. The crime carried a maximum penalty of 10 years. U.S. District Court Judge J. Randal Hall in Augusta, Georgia, was not bound to follow the plea deal, but elected to give Winner the amount of time prosecutors requested. Winner, 26, who contracted for the National Security Agency, pleaded guilty in June to copying a classified report that detailed the Russian government's efforts to penetrate a Florida-based voting software supplier. Further reading: How a Few Yellow Dots Burned the Intercept's NSA Leaker.
PHP

As PHP 5.6, Still Used By a Large Number of Websites, Approaches Its End of Life Deadline, Some Worry About the Consequences (linkedin.com) 151

An anonymous reader writes: I know PHP isn't to some devs' liking, but chances are you know people who work with PHP or have sites that are built with it. PHP 5.6 and 7.0 are shortly coming to the end of the support period for security patches, so what plans have you made to migrate code and sites to newer platforms? With apparently huge numbers (80%) of sites still running PHP 5.6, there appears to be little industry acknowledgement of the issue. Is there a ticking PHP Time Bomb waiting to go off?
Australia

Australia Bans Huawei, ZTE From Supplying Technology For Its 5G Network (techcrunch.com) 77

An anonymous reader quotes a report from TechCrunch: Australia has blocked Huawei and ZTE from providing equipment for its 5G network, which is set to launch commercially next year. In a tweet, Huawei stated that the Australian government told the company that both it and ZTE are banned from supplying 5G technology to the country, despite Huawei's assurances that it does not pose a threat to national security. Earlier today, the Australian government issued new security guidelines for 5G carriers. Although it did not mention Huawei, ZTE or China specifically, it did strongly hint at them by stating "the Government considers that the involvement of vendors who are likely to be subject to extrajudicial directions from foreign government that conflict with Australian law, may risk failure by the carrier to adequately protect a 5G network from unauthorized access or interference." In its new security guidelines, the Australian government stated that differences in the way 5G operates compared to previous network generations introduces new risks to national security. In particular, it noted the diminishing distinctions between the core network, where more sensitive functions like access control and data routing occur, and the edge, or radios that connect customer equipment, like laptops and mobile phones, to the core. Huawei Australia said in a statement: "We have been informed by the Govt that Huawei & ZTE have been banned from providing 5G technology to Australia. This is an extremely disappointing result for consumers. Huawei is a world leader in 5G. Has safely & securely delivered wireless technology in Aust for close to 15 yrs."