China

China Forces Muslim Minority To Install Spyware On Their Phones (bleepingcomputer.com) 367

An anonymous reader quotes a report from Bleeping Computer: Chinese authorities in the province of Xinjiang are forcing locals of the Uyghur Muslim minority to install an app on their phones that will allow the government to scan their device for "terrorist propaganda," local media reports. In reality, the app creates MD5 hashes for the user's files and matches them against a database of known terrorist content. The app also makes copies of the user's Weibo and WeChat databases and uploads it to a government server, along with the user's IMEI, IMSI, and WiFi login information. The app is called Jingwang (Citizen Safety) and was developed by police forces from Urumqi, Xinjiang's capital. Authorities launched the app in April, and also included the ability to report suspicious activity to the police. At the start of July, Xinjiang officials started sending WeChat messages in Uyghur and Chinese to locals, asking them to install the app or face detainment of up to 10 days. Police have also stopped people on the street to check if they installed the app. Several were detained for refusing to install it. Locals are now sharing the locations of checkpoints online, so others can avoid getting arrested.
Medicine

Global Network of Labs Will Test Security of Medical Devices (securityledger.com) 49

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit network of labs specifically designed for the needs of medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER) which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year including in the U.S. in states like New York to Indiana, Tennessee and California and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base its work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups including the UL 2900 and AAMI 80001 standards.

Privacy

Sweden Accidentally Leaks Personal Details of Nearly All Citizens (thehackernews.com) 241

An anonymous reader quotes a report from The Hacker News: Swedish media is reporting of a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizen, including fighter pilots of Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.

In 2015, the Swedish Transport Agency hand over IBM an IT maintenance contract to manage its databases and networks. However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs. The transport agency then emailed the entire database in messages to marketers that subscribe to it. And what's terrible is that the messages were sent in clear text. When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.

Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com) 203

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."
Transportation

Is Homeland Security's Face-Scanning At Airports An Unreasonable Search? (technologyreview.com) 146

schwit1 shares an article from MIT's Technology Review: Facial-recognition systems may indeed speed up the boarding process, as the airlines rolling them out promise. But the real reason they are cropping up in U.S. airports is that the government wants to keep better track of who is leaving the country, by scanning travelers' faces and verifying those scans against photos it already has on file... The U.S. Department of Homeland Security has partnered with airlines including JetBlue and Delta to introduce such recognition systems at New York's JFK International Airport, Washington's Dulles International, and airports in Atlanta, Boston, and Houston, among others. It plans to add more this summer...

As facial-recognition technology has improved significantly in recent years, it has attracted the interest of governments and law enforcement agencies. That's led to debates over whether certain uses of the technology violate constitutional protections against unreasonable searches... Harrison Rudolph, a law fellow at Georgetown Law's Center on Privacy and Technology, and others are raising alarms because as part of the process, U.S. Customs and Border Protection is also scanning the faces of U.S. citizens... They say Congress has never expressly authorized the collection of facial scans from U.S. citizens at the border routinely and without suspicion.

"We aren't entirely sure what the government is doing with the images," the article adds, though it notes that the Department of Homeland Security is saying that it deletes all data pertaining to the images after two weeks. But Slashdot reader schwit1 is still worried about the possibility of an irretrievable loss of privacy, writing that "If the DHS database gets hacked, it's hard to get a new face."
Medicine

New Study Finds How Much Sleep Fitbit Users Really Get 75

Fitbit has published the results of a study that uses their longitudinal sleep database to analyze millions of nights of Sleep Stages data to determine how age, gender, and duration affect sleep quality. (Sleep Stages is a relatively new Fitbit feature that "uses motion detection and heart rate variability to estimate the amount of time users spend awake in light, deep, and REM sleep each night.") Here are the findings: The average Fitbit user is in bed for 7 hours and 33 minutes but only gets 6 hours and 38 minutes of sleep. The remaining 55 minutes is spent restless or awake. That may seem like a lot, but it's actually pretty common. That said, 6 hours and 38 minutes is still shy of the 7+ hours the the CDC recommends adults get. For the second year in a row Fitbit data scientists found women get about 25 minutes more sleep on average each night compared to men. The percentage of time spent in each sleep stage was also similar -- until you factor in age. Fitbit data shows that men get a slightly higher percentage of deep sleep than women until around age 55 when women take the lead. Women win when it comes to REM, logging an average of 10 more minutes per night than men. Although women tend to average more REM than men over the course of their lifetime, the gap appears to widen around age 50.
Security

WikiLeaks Dump Reveals CIA Malware For Tracking Windows Devices Via WiFi Networks (bleepingcomputer.com) 85

WikiLeaks has published the documentation manual for an alleged CIA tool that can track users of Wi-Fi-capable Windows devices based on the Extended Service Set (ESS) data of nearby Wi-Fi networks. According to the tool's 42-page manual, the tool's name is ELSA. Bleeping Computer has an image embedded in its report that explains how the tool works. There are six steps that summarize the ELSA operation. Bleeping Computer reports: Step 1: CIA operative configures ELSA implant (malware) based on a target's environment. This is done using a tool called the "PATCHER wizard," which generates the ELSA payload, a simple DLL file.
Step 2: CIA operative deploys ELSA implant on target's Wi-Fi-enabled Windows machine. Because ELSA is an implant (malware), the CIA operator will likely have to use other CIA hacking tools and exploits to place the malware on a victim's PC.
Step 3: The implant begins collecting Wi-Fi access point information based on the schedule set by the operator. Data collection can happen even if the user is disconnected from a Wi-Fi network.
Step 4: When the target user connects to the Internet, ELSA will take the collected Wi-Fi data and query a third-party database for geolocation information.
Step 5: The CIA operative connects to the target's computer and fetches the ELSA log. This is done via the tools that allowed the operator to place ELSA on his system, or through other tools.
Step 6: The operator decrypts the log and performs further analysis on their target. Optionally, he can use the collected WiFi data to query alternate EES geo-location databases, if he feels they provide a better accuracy.

Wireless Networking

How A Contractor Exploited A Vulnerability In The FCC Website (wirelessestimator.com) 69

RendonWI writes: A Wisconsin wireless contractor discovered a flaw in the FCC's Antenna Structure Registration (ASR) database, and changed the ownership of more than 40 towers from multiple carriers and tower owners into his company's name during the past five months without the rightful owners being notified by the agency, according to FCC documents and sources knowledgeable of the illegal transfers. Sprint, AT&T and key tower companies were targeted in the wide-ranging thefts... Changing ASR ownership is an easy process by applying online for an FCC Registration Number (FRN) which is instantly granted whether the factual or inaccurate information is provided. Then, once logged in, an FRN holder can submit a form stating that they are the new owner of any or multiple structures in the database. As soon as it is submitted, the change is immediately reflected in the ASR.
Cloud

Should Your Company Switch To Microservices? (cio.com) 118

Walmart Canada claims that it was microservices that allowed them to replace hardware with virtual servers, reducing costs by somewhere between 20 and 50 percent. Now Slashdot reader snydeq shares an article by a senior systems automation engineer arguing that a microservices approach "offers increased modularity, making applications easier to develop, test, deploy, and, more importantly, change and maintain."

The article touts things like cost savings and flexibility for multiple device types, suggesting microservices offer increased resilience and improved scalabiity (not to mention easier debugging and a faster time to market with an incremental development model). But it also warns that organizations need the resources to deploy the new microservices quicky (and the necessary server) -- along with the ability to test and monitor them for database errors, network latency, caching issues and ongoing availability. "You must embrace devops culture," argues the article, adding that "designing for failure is essential... In a traditional setting, developers are focused on features and functionalities, and the operations team is on the hook for production challenges. In devops, everyone is responsible for service provisioning -- and failure."

The original submission ends with a question for Slashdot reader. "What cautions do you have to offer for folks considering tapping microservices for their next application?"
Security

Facial Recognition Is Coming To US Airports (theverge.com) 148

Facial recognition systems will be coming to U.S. airports in the very near future. "Customs and Border Protection first started testing facial recognition systems at Dulles Airport in 2015, then expanded the tests to New York's JFK Airport last year," reports The Verge. "Now, a new project is poised to bring those same systems to every international airport in America." From the report: Called Biometric Exit, the project would use facial matching systems to identify every visa holder as they leave the country. Passengers would have their photos taken immediately before boarding, to be matched with the passport-style photos provided with the visa application. If there's no match in the system, it could be evidence that the visitor entered the country illegally. The system is currently being tested on a single flight from Atlanta to Tokyo, but after being expedited by the Trump administration, it's expected to expand to more airports this summer, eventually rolling out to every international flight and border crossing in the U.S. U.S. Customs and Border Protection's Larry Panetta, who took over the airport portion of the project in February, explained the advantages of facial recognition at the Border Security Expo last week. "Facial recognition is the path forward we're working on," Panetta said at the conference. "We currently have everyone's photo, so we don't need to do any sort of enrollment. We have access to the Department of State records so we have photos of U.S. Citizens, we have visa photos, we have photos of people when they cross into the U.S. and their biometrics are captured into [DHS biometric database] IDENT."
Classic Games (Games)

Original Colossal Cave Adventure Now Playable On Alexa (amazon.com) 36

Last month Eric Raymond announced the open sourcing of the world's very first text adventure. Now Slashdot reader teri1337 brings news about their own special project: A few old-timers here may recall with fond memories the phrase "Somewhere nearby is Colossal Cave..." Well, a voice-playable version of Colossal Cave "Adventure" is now available on Amazon Echo devices as a [free] Alexa Skill. This is a port of the original 1976 text adventure game written by Willie Crowther and Don Woods, which started the interactive fiction genre and led to later games like Infocom's Zork. This version was written from scratch as an AWS Lamda function incorporating the original 350-point game database, and made available with permission from Don Woods.
Government

Russian Cyber Hacks On US Electoral System Far Wider Than Previously Known (bloomberg.com) 520

An anonymous reader shares a Bloomberg article: Russia's cyberattack on the U.S. electoral system before Donald Trump's election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported. In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said. The scope and sophistication so concerned Obama administration officials that they took an unprecedented step -- complaining directly to Moscow over a modern-day "red phone." In October, two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia's role in election meddling and to warn that the attacks risked setting off a broader conflict.
Programming

Developer Accidentally Deletes Production Database On Their First Day On The Job (qz.com) 418

An anonymous reader quotes Quartz: "How screwed am I?" asked a recent user on Reddit, before sharing a mortifying story. On the first day as a junior software developer at a first salaried job out of college, his or her copy-and-paste error inadvertently erased all data from the company's production database. Posting under the heartbreaking handle cscareerthrowaway567, the user wrote, "The CTO told me to leave and never come back. He also informed me that apparently legal would need to get involved due to severity of the data loss. I basically offered and pleaded to let me help in someway to redeem my self and i was told that I 'completely fucked everything up.'"
The company's backups weren't working, according to the post, so the company is in big trouble now. Though Qz adds that "the court of public opinion is on the new guy's side. In a poll on the tech site the Register, less than 1% of 5,400 respondents thought the new developer should be fired. Forty-five percent thought the CTO should go."
EU

EU Seeks New Powers To Obtain Data 'Directly' From Tech Firms (zdnet.com) 40

Zack Whittaker reports via ZDNet: European authorities are seeking new powers to allow police and intelligence agencies to directly obtain user data stored on the continent by U.S. tech companies. The move comes in the wake of an uptick in terrorist attacks, including several attacks in Britain and France, among others across the bloc. Tech companies have been asked to do more to help law enforcement, while police have long argued the process for gathering data overseas is slow and cumbersome. The bloc's justice commissioner, Vera Jourova, presented several plans to a meeting of justice ministers in Luxembourg on Thursday to speed up access for EU police forces to obtain evidence -- including one proposal to allow police to obtain data "directly" from the cloud servers of U.S. tech companies in urgent cases. "Commissioner Jourova presented at the Justice Council three legislative options to improve access to e-evidence," said Christian Wiga, an EU spokesperson, in an email. "Based on the discussion between justice ministers, the Commission will now prepare a legislative proposal," he added. Discussions are thought to have included what kind of data could be made available, ranging from geolocation data to the contents of private messages. Such powers would only be used in "emergency" situations, said Jourova, adding that safeguards would require police to ensure that each request is "necessary" and "proportionate." Further reading: Reuters
Businesses

China Arrests Apple Distributors Who Made Millions on iPhone Data (engadget.com) 9

An anonymous reader shares a report: Police in China's Zhejiang province have arrested 22 (apparently third-party) Apple distributors for allegedly selling iPhone user data. Officials say the workers searched an internal Apple database for sensitive info, such as Apple IDs and phone numbers, and peddled it on the black market for between 10 to 180 yuan with each sale ($1.50 to $26). All told, the distributors reportedly raked in more than 50 million yuan, about $7.36 million, before authorities stepped in.
Databases

Insecure Hadoop Servers Expose Over 5 Petabytes of Data (bleepingcomputer.com) 51

An anonymous reader quotes the security news editor at Bleeping Computer: Improperly configured HDFS-based servers, mostly Hadoop installs, are exposing over five petabytes of information, according to John Matherly, founder of Shodan, a search engine for discovering Internet-connected devices. The expert says he discovered 4,487 instances of HDFS-based servers available via public IP addresses and without authentication, which in total exposed over 5,120 TB of data.

According to Matherly, 47,820 MongoDB servers exposed only 25 TB of data. To put things in perspective, HDFS servers leak 200 times more data compared to MongoDB servers, which are ten times more prevalent... The countries that exposed the most HDFS instances are by far the US and China, but this should be of no surprise as these two countries host over 50% of all data centers in the world.

Transportation

Your Face or Fingerprint Could Soon Replace Your Plane Ticket (washingtonpost.com) 89

Headed on a trip? You may soon be able to ditch your boarding pass in favor of your fingers or face. From a report: Delta announced, on Wednesday, a new biometric identification pilot program that will eventually let you use your fingerprints instead of a plane ticket (Editor's note: the link could be paywalled; alternative source). That followed a JetBlue announcement hours earlier that it is testing a program in Boston that will match pictures of customers' faces with the passport database maintained by U.S. Custom and Border Protections. Delta's program, which kicked off at Washington's Reagan National Airport, is in partnership with Clear, a company that already lets customers skip to the front of security lines without identification.
Security

Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers (bleepingcomputer.com) 83

An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a duplicate replacement key. Gang members used one code to cut the key, while they used the second code while stealing the car, connecting a handheld programming computer to the car, and programming the replacement key's chip, synchronizing it to the car's dashboard. All of this took under 2 minutes and was also possible because Jeep Wranglers allow thieves to pop the hood from the outside of the car and disable the alarm even before using their non-authenticated replacement key. Officials say that all the database queries for the stolen VIN codes came from a Jeep dealer in Cabo San Lucas, Mexico. Court documents don't say if the dealer cooperated or gang members hacked its system. The motorcycle gang's name was Hooligans and the sub-unit that stole the Jeeps was named Dirty 30.
Databases

Vermont DMV Caught Using Illegal Facial Recognition Program (vocativ.com) 109

schwit1 quotes a report from Vocativ: The Vermont Department of Motor Vehicles has been caught using facial recognition software -- despite a state law preventing it. Documents obtained by the American Civil Liberties Union of Vermont describe such a program, which uses software to compare the DMV's database of names and driver's license photos with information with state and federal law enforcement. Vermont state law, however, specifically states that "The Department of Motor Vehicles shall not implement any procedures or processes that involve the use of biometric identifiers." The program, the ACLU says, invites state and federal agencies to submit photographs of persons of interest to the Vermont DMV, which it compares against its database of some 2.6 million Vermonters and shares potential matches. Since 2012, the agency has run at least 126 such searches on behalf of local police, the State Department, FBI, and Immigrations and Customs Enforcement.
AI

How AI Can Infer Human Emotions (oreilly.com) 25

An anonymous reader quotes OReilly.com's interview with the CEO of Affectiva, an emotion-measurement technology company that grew out of MIT's Media Lab. We can mine Twitter, for example, on text sentiment, but that only gets us so far. About 35-40% is conveyed in tone of voice -- how you say something -- and the remaining 50-60% is read through facial expressions and gestures you make. Technology that reads your emotional state, for example by combining facial and voice expressions, represents the emotion AI space. They are the subconscious, natural way we communicate emotion, which is nonverbal and which complements our language... Facial expressions and speech actually deal more with the subconscious, and are more unbiased and unfiltered expressions of emotion...

Rather than encoding specific rules that depict when a person is making a specific expression, we instead focus our attention on building intelligent algorithms that can be trained to recognize expressions. Through our partnerships across the globe, we have amassed an enormous emotional database from people driving cars, watching media content, etc. A portion of the data is then passed on to our labeling team, who are certified in the Facial Action Coding System...we have gathered 5,313,751 face videos, for a total of 38,944 hours of data, representing nearly two billion facial frames analyzed.

They got their start testing advertisements, and now are already working with a third of all Fortune 500 companies. ("We've seen that pet care and baby ads in the U.S. elicit more enjoyment than cereal ads -- which see the most enjoyment in Canada.") One company even combined their technology with Google Glass to help autistic children learn to recognize emotional cues.

Slashdot Top Deals