Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information of over 1.3 million people. This includes addresses, zip codes, e-mail addresses, and IP addresses. The German security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communications, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."

Chinese Police Begin Tracking Citizens With Face-Recognizing Smart Glasses

An anonymous reader quotes Reuters: At a highway check point on the outskirts of Beijing, local police are this week testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects. The AI-powered glasses, made by LLVision, scan the faces of vehicle occupants and the plates, flagging with a red box and warning sign to the wearer when any match up with a centralized "blacklist".

The test -- which coincides with the annual meeting of China's parliament in central Beijing -- underscores a major push by China's leaders to leverage technology to boost security in the country... Wu Fei, chief executive of LLVision, said people should not be worried about privacy concerns because China's authorities were using the equipment for "noble causes", catching suspects and fugitives from the law. "We trust the government," he told Reuters at the company's headquarters in Beijing.

This weekend, while China's President Xi Jinping is expected to push through a reform allowing him to stay in power indefinitely, Reuters reports that the Chinese government is pushing the use of cutting-edge technology "to track and control behavior that goes against the interests of the ruling Communist Party online and in the wider world... A key concern is that blacklists could include a wide range of people stretching from lawyers and artists to political dissidents, charity workers, journalists and rights activists...

"The new technologies range from police robots for crowd control, to drones to monitor border areas, and artificially intelligent systems to track and censor behavior online," Reuters reports, citing one Hong Kong researcher who argues that China now sees internet and communication technologies "as absolutely indispensable tools of social and political control."

Google Is Selling Off Zagat

An anonymous reader quotes a report from TechCrunch: Seven years after picking up Zagat for $151 million, Google is selling off the perennial restaurant recommendation service. The New York Times is reporting this morning that the technology giant is selling off the company to The Infatuation, a review site founded nine years back by former music execs. The company had been rumored to be courting a buyer since early this year. As Reuters noted at the time, Zagat has increasingly become less of a focus for Google, as the company began growing its database of restaurant recommendations organically. Zagat, meanwhile, has lost much of the shine it had when Google purchased it nearly a decade ago. The Infatuation, which uses an in-house team of reviewers to write up restaurants in major cities like New York, San Francisco, Los Angeles and London, is picking up the service for an undisclosed amount. The site clearly believes there's value left in the Zagat brand, even as the business of online reviews has changed significantly in the seven years since Google picked it up.

GitHub Survived the Biggest DDoS Attack Ever Recorded

A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on five times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."

Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
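The exposure the Wired piece describes (memcached reachable from the internet, UDP enabled, no authentication) is easy to audit from the daemon's own startup options. The following is an added example, not code from the article or from the memcached project: it parses a memcached command line or a Debian-style `/etc/memcached.conf` and reports the weak settings. The option meanings used here are memcached's real ones (`-l` bind addresses, `-U` UDP port where `0` disables UDP, `-p` TCP port, `-S` enables SASL); treating UDP as enabled when `-U` is absent assumes a build that still defaults UDP on, and the sample configs are constructed.

```javascript
// Added example: audit memcached startup options for public exposure.
// Default port 11211 and the -l / -U / -p / -S meanings are memcached's own;
// the "UDP on unless -U 0" assumption matches builds that default UDP on.
const DEFAULT_PORT = 11211;
const LOOPBACK = /^(127\.\d+\.\d+\.\d+|::1|localhost)$/;

function parseMemcachedArgs(argv) {
  const opts = { bind: [], udpPort: DEFAULT_PORT, tcpPort: DEFAULT_PORT, sasl: false };
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    const takeValue = () => argv[++i];
    // each option may be given as "-l host" or glued as "-lhost"
    if (a === '-l') opts.bind.push(...takeValue().split(','));
    else if (a.startsWith('-l') && a.length > 2) opts.bind.push(...a.slice(2).split(','));
    else if (a === '-U') opts.udpPort = Number(takeValue());
    else if (a.startsWith('-U') && a.length > 2) opts.udpPort = Number(a.slice(2));
    else if (a === '-p') opts.tcpPort = Number(takeValue());
    else if (a.startsWith('-p') && a.length > 2) opts.tcpPort = Number(a.slice(2));
    else if (a === '-S') opts.sasl = true;
    // other options (-m, -u, -c, ...) do not affect exposure and are ignored
  }
  return opts;
}

// Turn a Debian-style /etc/memcached.conf (one option per line, '#' comments)
// into an argv array so both forms go through the same audit.
function confToArgv(text) {
  const argv = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    if (line) argv.push(...line.split(/\s+/));
  }
  return argv;
}

// Returns the exposure verdict plus human-readable findings.
function auditMemcached(argv) {
  const o = parseMemcachedArgs(argv);
  const findings = [];
  // no -l at all means "all interfaces"; any non-loopback address counts as public
  const publicBind = o.bind.length === 0 || o.bind.some(b => !LOOPBACK.test(b.trim()));
  const udpOn = o.udpPort !== 0;
  if (publicBind) {
    findings.push(`listens on non-loopback address (${o.bind.join(',') || 'all interfaces'})`);
  }
  if (publicBind && udpOn) {
    findings.push(`UDP port ${o.udpPort} reachable: usable as a reflection/amplification source`);
  }
  if (publicBind && !o.sasl) {
    findings.push('no SASL authentication: anyone who can reach it can read and write the cache');
  }
  return { exposed: publicBind, udp: udpOn, sasl: o.sasl, findings };
}

// Constructed sample: a typical unhardened command line next to a hardened config file.
const WEAK_ARGV = ['-m', '64', '-p', '11211', '-u', 'memcache'];
const HARDENED_CONF = '# bind to loopback only, disable UDP\n-l 127.0.0.1\n-U 0\n-p 11211\n';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditMemcached(WEAK_ARGV));
  console.log(auditMemcached(confToArgv(HARDENED_CONF)));
}
```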


NBC Publishes 200,000 Tweets Tied To Russian Trolls

An anonymous reader quotes a report from NBC News: NBC News is publishing its database of more than 200,000 tweets that Twitter has tied to "malicious activity" from Russia-linked accounts during the 2016 U.S. presidential election. These accounts, working in concert as part of large networks, pushed hundreds of thousands of inflammatory tweets, from fictitious tales of Democrats practicing witchcraft to hardline posts from users masquerading as Black Lives Matter activists. Investigators have traced the accounts to a Kremlin-linked propaganda outfit founded in 2013 known as the Internet Research Association (IRA). The organization has been assessed by the U.S. Intelligence Community to be part of a Russian state-run effort to influence the outcome of the 2016 U.S. presidential race. And they're not done. At the request of NBC News, three sources familiar with Twitter's data systems cross-referenced the partial list of names released by Congress to create a partial database of tweets that could be recovered. You can download the streamlined spreadsheet (29 mb) with just usernames, tweet and timestamps, view the full data for ten influential accounts via Google Sheets, download tweets.csv (50 mb) and users.csv with full underlying data, and/or explore a graph database in Neo4j, whose software powered the Panama Papers and Paradise Papers investigations.

NBC News' partners at Neo4j have put together a "get started" guide to help you explore the database of Russian tweets. "To recreate a link to an individual tweet found in the spreadsheet, replace 'user_key' in with the screenname from the 'user_key' field and 'tweet_id' with the number in the 'tweet_id' field," reports NBC News. "Following the links will lead to a suspended page on Twitter. But some copies of the tweets as they originally appeared, including images, can be found by entering the links on webcaches like the Internet Archive's Wayback Machine and"

The Future of Free and Open-Source Maps

Grady Martin writes: Former OpenStreetMap contributor and Google Summer of Code mentor Serge Wroclawski has outlined why OpenStreetMap is in serious trouble, citing unclear usage policies, poor geocoding (address-to-coordinate conversion), and a lack of a review model as reasons for the project's decline in quality. Perhaps more interesting, however, are the problems purported to stem from OpenStreetMap's power structure. Wroclawski writes: "In the case of OpenStreetMap, there is a formal entity which owns the data, called the OpenStreetMap Foundation. But at the same time, the ultimate choices for the website, the geographic database and the infrastructure are not under the direct control of the Foundation, but instead rest largely on one individual, who (while personally friendly) ranges from skeptical to openly hostile to change."

AI is Being Used To Raise Better Pigs in China

Alibaba's Cloud Unit has signed an agreement with the Tequ Group, a Chinese food-and-agriculture conglomerate that raises about 10 million pigs each year, to deploy facial and voice recognition on Tequ's pig farms. From a report: According to an Alibaba representative, the company will offer software to Tequ that it will deploy on its farms with its own hardware. Using image recognition, the software will identify each pig based on a mark placed on its body. This corresponds with a file for each pig kept in a database, which records and tracks characteristics such as the pig's breed type, age, and weight. The software can monitor changes in the level of a pig's physical activity to assess its level of fitness. In addition, it can monitor the sounds on the farm -- picking up a pig's cough, for example, to assess whether or not the pig is sick and at risk of spreading a disease. The software will also draw from its data to assess which pigs are most capable of giving birth to healthy offspring. Tequ's CIO stressed that taking care of pigs is no easy task for large pig farms. "If you have 10 million pigs, relying on manpower is already not enough," he said, according to a report by local publication Tianxia Wangshang, adding that it's impossible to manually count each pig given how many are born every day.

119,000 Passports, Photo IDs of FedEx Customers Found On Unsecured Amazon Server

FedEx left scanned passports, drivers' licenses, and other documentation belonging to thousands of its customers exposed on a publicly accessible Amazon S3 server, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversions, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, it's unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.

Police In China Are Scanning Travelers With Facial Recognition Glasses

Baron_Yam shares a report from Engadget: Police in China are now sporting glasses equipped with facial recognition devices and they're using them to scan train riders and plane passengers for individuals who may be trying to avoid law enforcement or are using fake IDs. So far, police have caught seven people connected to major criminal cases and 26 who were using false IDs while traveling, according to People's Daily. The Wall Street Journal reports that Beijing-based LLVision Technology Co. developed the devices. The company produces wearable video cameras as well, and while it sells those to anyone, it's vetting buyers for its facial recognition devices. And, for now, it isn't selling them to consumers. LLVision says that in tests, the system was able to pick out individuals from a database of 10,000 people and it could do so in 100 milliseconds. However, CEO Wu Fei told the Wall Street Journal that in the real world, accuracy would probably drop due to "environmental noise." Additionally, aside from being portable, another difference between these devices and typical facial recognition systems is that the database used for comparing images is contained in a hand-held device rather than the cloud.

ICE Is About To Start Tracking License Plates Across the US

Presto Vivace shares a report from The Verge: The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions, the leading network for license plate recognition data. While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like vehicle repossession agencies and other private groups. ICE agents would be able to query that database in two ways. A historical search would turn up every place a given license plate has been spotted in the last five years, a detailed record of the target's movements. That data could be used to find a given subject's residence or even identify associates if a given car is regularly spotted in a specific parking lot. Presto Vivace adds, "This will not end well."

China, Unhampered by Rules, Races Ahead in Gene-Editing Trials

U.S. scientists helped devise the Crispr biotechnology tool. First to test it in humans are Chinese doctors (Editor's note: the link may be paywalled; alternative link). WSJ reports: In a hospital west of Shanghai, Wu Shixiu since March has been trying to treat cancer patients using a promising new gene-editing tool. U.S. scientists helped devise the tool, known as Crispr-Cas9, which has captured global attention since a 2012 report said it can be used to edit DNA. Doctors haven't been allowed to use it in human trials in America. That isn't the case for Dr. Wu and others in China. In a quirk of the globalized technology arena, Dr. Wu can forge ahead with the tool because he faces few regulatory hurdles to testing it on humans. [...] There is little doubt China was first out of the block testing Crispr on humans. Nine trials in China are listed in a U.S. National Library of Medicine database. The Wall Street Journal found at least two other hospital trials, including one beginning in 2015 -- a year earlier than previously reported. Journal reporting found at least 86 Chinese patients have had their genes edited.

Software 'No More Accurate Than Untrained Humans' At Predicting Recidivism

An anonymous reader quotes a report from The Guardian: The credibility of a computer program used for bail and sentencing decisions has been called into question after it was found to be no more accurate at predicting the risk of reoffending than people with no criminal justice experience provided with only the defendant's age, sex and criminal history. The algorithm, called Compas (Correctional Offender Management Profiling for Alternative Sanctions), is used throughout the U.S. to weigh up whether defendants awaiting trial or sentencing are at too much risk of reoffending to be released on bail. Since being developed in 1998, the tool is reported to have been used to assess more than one million defendants. But a new paper has cast doubt on whether the software's predictions are sufficiently accurate to justify its use in potentially life-changing decisions.

The academics used a database of more than 7,000 pretrial defendants from Broward County, Florida, which included individual demographic information, age, sex, criminal history and arrest record in the two-year period following the Compas scoring. The online workers were given short descriptions that included a defendant's sex, age, and previous criminal history and asked whether they thought they would reoffend. Using far less information than Compas (seven variables versus 137), when the results were pooled the humans were accurate in 67% of cases, compared to the 65% accuracy of Compas. In a second analysis, the paper found that Compas's accuracy at predicting recidivism could also be matched using a simple calculation involving only an offender's age and the number of prior convictions.


India To Add Facial Authentication For Its Aadhaar Card Security

India will build facial recognition into its national identity card in addition to fingerprints after a series of breaches in the world's biggest biometric identification programme, the government said on Monday. From a report: A local newspaper reported this month that access to the "Aadhaar" database, which has identity details of more than 1 billion citizens, was being sold for just $8 on social media. The Unique Identification Authority of India (UIDAI), which issues the identity cards, said it would add face recognition software as an additional layer of security from July. Card holders will be required to match their photographs with that stored in the database for authentication in addition to fingerprints and iris scans, the agency said in a statement.

Will Facial Recognition in China Lead To Total Surveillance?

schwit1 shares a new Washington Post article about China's police and security state -- including the facial recognition cameras that control access to apartment buildings. "If I am carrying shopping bags in both hands, I just have to look ahead and the door swings open," one 40-year-old woman tells the Post. "And my 5-year-old daughter can just look up at the camera and get in. It's good for kids because they often lose their keys." But for the police, the cameras that replaced the residents' old entry cards serve quite a different purpose. Now they can see who's coming and going, and by combining artificial intelligence with a huge national bank of photos, the system in this pilot project should enable police to identify what one police report, shared with The Washington Post, called the "bad guys" who once might have slipped by... Banks, airports, hotels and even public toilets are all trying to verify people's identities by analyzing their faces. But the police and security state have been the most enthusiastic about embracing this new technology.

The pilot in Chongqing forms one tiny part of an ambitious plan, known as "Xue Liang," which can be translated as "Sharp Eyes." The intent is to connect the security cameras that already scan roads, shopping malls and transport hubs with private cameras on compounds and buildings, and integrate them into one nationwide surveillance and data-sharing platform... At the back end, these efforts merge with a vast database of information on every citizen, a "Police Cloud" that aims to scoop up such data as criminal and medical records, travel bookings, online purchase and even social media comments -- and link it to everyone's identity card and face.


Erroneous 'Spam' Flag Affected 102 npm Packages

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.

They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain private code that users have published inadvertently or inappropriately."
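The two policies the post describes, a security placeholder that reserves a name after a requested deletion and a 24-hour cooldown after any other deletion, can be modelled as a small state machine. The block below is an added illustration, not npm's code or API: `Registry`, its `publish`/`remove`/`restore`/`resolve` methods, the placeholder version string, the timestamps and the squatting user are all constructed; only the names floatdrop and require-from-string come from the post.

```javascript
// Added example (not npm's implementation): a toy registry enforcing the policies
// from the post. Names, versions and times are constructed for illustration.
const COOLDOWN_MS = 24 * 60 * 60 * 1000;      // 24-hour cooldown after a deletion
const PLACEHOLDER_VERSION = '0.0.1-security'; // assumed marker version for a placeholder

class Registry {
  constructor() {
    // name -> { owner, versions, tombstone: {at, reason} | null, placeholder: boolean }
    this.packages = new Map();
  }

  publish(name, version, owner, now) {
    const pkg = this.packages.get(name);
    if (!pkg) {
      this.packages.set(name, { owner, versions: [version], tombstone: null, placeholder: false });
      return { ok: true };
    }
    if (pkg.placeholder) {
      // a security placeholder reserves the name permanently
      return { ok: false, reason: 'name reserved by security placeholder' };
    }
    if (pkg.tombstone) {
      if (now - pkg.tombstone.at < COOLDOWN_MS) {
        return { ok: false, reason: 'name in post-deletion cooldown' };
      }
      // cooldown elapsed: the name is free for a fresh publication
      this.packages.set(name, { owner, versions: [version], tombstone: null, placeholder: false });
      return { ok: true };
    }
    if (pkg.owner !== owner) return { ok: false, reason: 'name owned by another user' };
    pkg.versions.push(version);
    return { ok: true };
  }

  // reason 'user-request': publish a placeholder under the same name.
  // any other reason (e.g. 'spam'): tombstone the package; the data stays on disk.
  remove(name, reason, now) {
    const pkg = this.packages.get(name);
    if (!pkg || pkg.tombstone || pkg.placeholder) return false;
    if (reason === 'user-request') {
      pkg.placeholder = true;
      pkg.versions = [PLACEHOLDER_VERSION];
    } else {
      pkg.tombstone = { at: now, reason };
    }
    return true;
  }

  // Recovery after an erroneous removal is just unsetting the tombstone.
  restore(name) {
    const pkg = this.packages.get(name);
    if (!pkg || !pkg.tombstone) return false;
    pkg.tombstone = null;
    return true;
  }

  // What an installer sees: the placeholder tells dependants the original is gone.
  resolve(name) {
    const pkg = this.packages.get(name);
    if (!pkg) return { status: 'missing' };
    if (pkg.placeholder) return { status: 'placeholder', versions: pkg.versions };
    if (pkg.tombstone) return { status: 'removed', reason: pkg.tombstone.reason };
    return { status: 'ok', owner: pkg.owner, versions: pkg.versions };
  }
}

// Replay of the incident with the cooldown in place (constructed times and version).
function replayIncident() {
  const r = new Registry();
  const t0 = Date.UTC(2018, 0, 6, 0, 0, 0);
  r.publish('require-from-string', '2.0.1', 'floatdrop', t0 - 1000);
  r.remove('require-from-string', 'spam', t0);
  // another user tries to take the name five minutes after the erroneous removal
  const squat = r.publish('require-from-string', '2.0.2', 'someone-else', t0 + 5 * 60 * 1000);
  r.restore('require-from-string');
  const after = r.resolve('require-from-string');
  return { squatRejected: !squat.ok, owner: after.owner, status: after.status };
}
```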

Pandora CEO Roger Lynch Wants To Create the Podcast Genome Project

Janko Roettgers, reporting for Variety: Pandora's new CEO Roger Lynch has big plans for podcasts: Lynch told Variety on the sidelines of CES in Las Vegas Thursday that he wants to create "the equivalent of the podcast genome project" as the company plans to add many more podcasts to its catalog. Lynch, who joined Pandora as president and CEO in September, said that the company is working on a deep integration of podcasts that will allow users of the service to easily browse and discover new shows. Describing these efforts as a kind of podcast genome project is a nod to Pandora's Music Genome Project -- a massive database of dozens of musical attributes for every single song in the company's music library that is being used to compile stations and aid discovery. Pandora is also looking to offer podcasters monetization options that will be superior to the current state of podcast advertising. Currently, many podcasters still rely on ads that they read themselves on air, Lynch said. "It is not the most effective advertising model."

Snowden Joins Outcry Against World's Biggest Biometric Database

Former U.S. intelligence-contractor-turned whistleblower Edward Snowden joined critics of India's digital ID program as the nation's top court is due to decide on its legality. From a report: Snowden on Tuesday tweeted in support of an Indian journalist who faces police charges after she reported that personal details of over a billion citizens enrolled in the program could be illegally accessed for just $8 paid through a digital wallet. Named Aadhaar, the program is backed by the world's biggest biometric database, which its operator Unique Identification Authority of India, or UIDAI, says wasn't breached. Snowden tweeted, "The journalists exposing the Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI."

Linus Torvalds Says Intel Needs To Admit It Has Issues With CPUs

troublemaker_23 shares an article from ITWire: Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two bugs that were found to affect most of the company's processors... Torvalds was clearly unimpressed by Intel's bid to play down the crisis through its media statements, saying: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed... Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he asked. "Because if that's the case, maybe we should start looking towards the ARM64 people more."
Elsewhere Linus told ZDNet that "there's no one number" for the performance drop users will experience after patches. "It will depend on your hardware and on your load. I think 5 percent for a load with a noticeable kernel component (e.g. a database) is roughly in the right ballpark. But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation. A number of loads will spend almost all their time in user space, and not see much of an impact at all."

Personal Data of a Billion Indians Sold Online For $8, Report Claims

Michael Safi, reporting for The Guardian: The personal information of more than a billion Indians stored in the world's largest biometric database can be bought online for less than $8, according to an investigation by an Indian newspaper. The reported breach is the latest in a series of alleged leaks from the Aadhaar database, which has been collecting the photographs, thumbprints, retina scans and other identifying details of every Indian citizen. The report in the Chandigarh-based Tribune newspaper claimed that software is also being sold online that can generate fake Aadhaar cards, an identity document that is required to access a growing number of government services including free meals and subsidised grain. The Unique Identification Authority of India (UIDAI), which administers the Aadhaar system, said it appeared the newspaper had accessed only limited details through a search facility that had been made available to government officials.

'Kernel Memory Leaking' Intel Processor Design Flaw Forces Linux, Windows Redesign

According to The Register, "A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug." From the report: Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in this month's Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December. Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features -- specifically, PCID -- to reduce the performance hit. Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated -- the flaw is in the Intel x86 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or buy a new processor without the design blunder. Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue. The report goes on to share some details of the flaw that have surfaced. "It is understood the bug is present in modern Intel processors produced in the past decade," reports The Register. "It allows normal user programs -- from database applications to JavaScript in web browsers -- to discern to some extent the contents of protected kernel memory. The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI."
