Censorship

Google Is Shuttering Domain Fronting, Creating a Big Problem For Anti-Censorship Tools (theverge.com) 33

"The Google App Engine is discontinuing a practice called domain fronting, which lets services use Google's network to get around state-level internet blocks," reports The Verge. While the move makes sense from a cybersecurity perspective as domain fronting is widely used by malware to evade network-based detection, it will likely frustrate app developers who use it to get around internet censorship. From the report: First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon's VPN services. Reached by The Verge, Google said the changes were the result of a long-planned network update. "Domain fronting has never been a supported feature at Google," a company representative said, "but until recently it worked because of a quirk of our software stack. We're constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don't have any plans to offer it as a feature."

Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.
We do not yet know exactly why and when Google is shutting down the practice, but will update this post once we learn more.
Education

100 Top Colleges Vow To Enroll More Low-Income Students (npr.org) 79

Research shows that just 3 percent of high-achieving, low-income students attend America's most selective colleges. And, it's not that these students just aren't there -- every year tens of thousands of top students who don't come from wealthy families never even apply to elite colleges. Universities are taking note -- and banding together under something called the American Talent Initiative -- a network backed by Bloomberg Philanthropies, the Aspen Institute and the research firm Ithaka S+R. To join the club, schools have to graduate 70 percent of their students in six years -- a qualification that leaves just under 300 schools in the U.S. eligible. Nearly a third of those schools -- exactly 100 -- have signed on. Their goal? Enroll 50,000 additional low- and moderate-income students by 2025. From a report: Each school has its own goals, too -- many want to increase the number of Pell Grant students on campus, others aim to improve graduation rates -- but they're all on board to share strategies, learn from each other's missteps and provide data to monitor their progress.
United States

Facebook Must Face Class-Action Lawsuit Over Facial Recognition, Says Judge (kfgo.com) 79

U.S. District Judge James Donato ruled on Monday that Facebook must face a class-action lawsuit alleging that the social network unlawfully used a facial recognition process on photos without user permission. Donato ruled that a class-action was the most efficient way to resolve the dispute over facial templates. KFGO reports: Facebook said it was reviewing the ruling. "We continue to believe the case has no merit and will defend ourselves vigorously," the company said in a statement. Lawyers for the plaintiffs could not immediately be reached for comment. Facebook users sued in 2015, alleging violations of an Illinois state law about the privacy of biometric information. The class will consist of Facebook users in Illinois for whom Facebook created and stored facial recognition algorithms after June 7, 2011, Donato ruled. That is the date when Facebook launched "Tag Suggestions," a feature that suggests people to tag after a Facebook user uploads a photo. In the U.S. court system, certification of a class is typically a major hurdle that plaintiffs in proposed class actions need to overcome before reaching a possible settlement or trial.
Wireless Networking

Planet Fitness Evacuated After WiFi Network Named 'Remote Detonator' Causes Scare (windsorstar.com) 167

An anonymous reader quotes a report from Windsor Star: A Michigan gym patron looking for a Wi-Fi connection found one named "remote detonator," prompting an evacuation and precautionary search of the facility by a bomb-sniffing dog. The Saginaw News reports nothing was found in the search Sunday at Planet Fitness in Saginaw Township, about 85 miles (140 kilometers) northwest of Detroit. Saginaw Township police Chief Donald Pussehl says the patron brought the Wi-Fi connection's name to the attention of a manager, who evacuated the building and called police. The gym was closed for about three hours as police responded. Pussehl says there's "no crime or threat," so no charges are expected. He notes people often have odd names for WiFi connections. Planet Fitness says the manager was following company procedure for when there's suspicion about a safety issue.
Transportation

Why New York City Stopped Building Subways (citylab.com) 219

New York City, which once saw an unprecedented infrastructure boom -- building iconic bridges and opulent railway terminals, and putting together what was then the world's largest underground and rapid transit network in just 20 years -- has not built a single new subway line in more than seven decades. As New York's rapid transit system froze, cities across the globe expanded their networks. A closer inspection reveals that things have actually moved backward -- New York's rapid transit network is considerably smaller than it was during the Second World War, and as a result today's six million daily riders face constant delays, infrastructure failures, and alarmingly crowded cars and platforms. This raises two questions: Why did New York abruptly stop building subways after the 1940s? And how did a construction standstill that started nearly 80 years ago lead to the present moment of transit crisis? The Atlantic's CityLab explores: Three broad lines of history provide an explanation. The first is the postwar lure of the suburbs and the automobile -- the embodiment of modernity in its day. The second is the interminable battles of control between the city and the private transit companies, and between the city and the state government. The third is the treadmill created by rising costs and the buildup of deferred maintenance -- an ever-expanding maintenance backlog that eventually consumed any funds made available for expansion.

To see exactly how and why New York's subway went off the rails requires going all the way back to the beginning. What follows is a 113-year timeline of the subway's history, organized by these three narratives (with the caveat that no history is fully complete).

United Kingdom

State-Sponsored Russian Hackers Actively Seeking To Hijack Essential Internet Hardware, US and UK Intelligence Agencies Say (bbc.com) 169

State-sponsored Russian hackers are actively seeking to hijack essential internet hardware, US and UK intelligence agencies say. BBC reports: The UK's National Cyber Security Centre (NCSC), the FBI and the US Department of Homeland Security issued a joint alert warning of a global campaign. The alert details methods used to take over essential network hardware. The attacks could be an attempt by Russia to gain a foothold for use in a future offensive, it said. "Russia is our most capable hostile adversary in cyber-space, so dealing with their attacks is a major priority for the National Cyber Security Centre and our US allies," said Ciaran Martin, head of the NCSC in a statement. The alert said attacks were aimed at routers and switches that directed traffic around the net. Compromised devices were used to look at data passing through them, so Russia could scoop up valuable intellectual property, business information and other intelligence.
United States

US Bans American Companies From Selling To Chinese Electronics Maker ZTE (reuters.com) 64

An anonymous reader shares a report: The U.S. Department of Commerce is banning American companies from selling components to leading Chinese telecom equipment maker ZTE Corp for seven years for violating the terms of an agreement in a sanctions violation case, U.S. officials said on Monday. The Chinese company, which sells smartphones in the United States, pleaded guilty last year in federal court in Texas to conspiring to violate U.S. sanctions by illegally shipping U.S. goods and technology to Iran. It paid $890 million in fines and penalties, with an additional penalty of $300 million that could be imposed. As part of the agreement, Shenzhen-based ZTE Corp promised to dismiss four senior employees and discipline 35 others by either reducing their bonuses or reprimanding them, senior Commerce Department officials told Reuters. Update: The UK's cyber security watchdog has warned the UK telecoms sector not to use network equipment or services from Chinese supplier ZTE, as doing so would have a "long term negative effect on the security of the UK."
Security

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com) 245

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

Microsoft

Microsoft Engineer Charged In Reveton Ransomware Case (bleepingcomputer.com) 24

An anonymous reader writes: A Microsoft network engineer is facing federal charges in Florida for allegedly helping launder money obtained from victims of the Reveton ransomware. Florida investigators say that between October 2012 and March 2013, Uadiale worked with a UK citizen going online by the moniker K!NG. The latter would distribute and infect victims with the Reveton ransomware, while Uadiale would collect payments and send the money to K!NG in the UK. Investigators tracked down Uadiale because this happened before Bitcoin became popular with ransomware authors, and they used the now-defunct Liberty Reserve digital currency to move funds. Authorities from 18 countries seized and shut down Liberty Reserve servers in May 2013.
Facebook

Facebook Competitor Orkut Relaunches as 'Hello' (bloombergquint.com) 103

An anonymous reader quotes Bloomberg: In 2004, one of the world's most popular social networks, Orkut, was founded by a former Google employee named Orkut Buyukkokten... Orkut was shut down by Google in 2014, but in its heyday, the network had hit 300 million users around the world... "Hello.com is a spiritual successor of Orkut.com," Buyukkokten told BloombergQuint... "People have lost trust in social networks and the main reason is social media services today don't put the users first. They put advertisers, brands, third parties, shareholders before the users," Buyukkokten said. "They are also not transparent about practices. The privacy policy and terms of services are more like black boxes. How many users actually read them?"

Buyukkokten said users need to be educated about these things and user consent is imperative in such situations when data is shared by such platforms. "On Hello, we do not share data with third parties. We have our own registration and login and so the data doesn't follow you anywhere," he said. "You don't need to sell user data in order to be profitable or make money."

Robotics

Tesla Relied On Too Many Robots To Build the Model 3, Elon Musk Says (theverge.com) 103

An anonymous reader quotes a report from The Verge: Elon Musk says Tesla relied on too many robots to build the Model 3, which is partly to blame for the delays in manufacturing the crucial mass-market electric car. In an interview with CBS Good Morning, Musk agreed with Tesla's critics that there was over-reliance on automation and too few human assembly line workers building the Model 3. Earlier this month, Tesla announced that it had officially missed its goal of making 2,500 Model 3 vehicles a week by the end of the first financial quarter of this year. It will start the second quarter making just 2,000 Model 3s per week, but the company says it still believes it can get to a rate of 5,000 Model 3s per week at the midway point of 2018. Previously, Tesla has blamed bottlenecks in the production of the Model 3's batteries at the company's Gigafactory for the delays. But in a wide-ranging (and largely positive) interview with CBS's Gayle King, Musk also admits that Tesla's over-reliance on robots in production was a factor. Musk then said the company needs more people working in the factory and that automation slowed the Model 3 production process. He alluded to a "crazy, complex network of conveyor belts" the company had previously used and said the company eliminated it after it became clear it wasn't working.
Piracy

Telegram is Riddled With Tens of Thousands of Piracy Channels; Apple and Google Have Ignored Requests From Creators To Take Action (theoutline.com) 49

joshtops writes: Instant messaging platform Telegram, which is used by more than 200 million users, has had an open secret since its inception: The platform has served as a haven for online pirates. The Outline reports that the platform is riddled with thousands of groups and channels, many with more than 100,000 members, whose sole purpose of existence is to share illegally copied movies, music albums, apps, and other content. The files are stored directly to Telegram's servers, allowing users to download movies, songs, and other content with one click. Channel admins told The Outline that they have not come across any resistance from Telegram despite the company, along with Apple and Google, maintaining a 'zero tolerance' stance on copyright infringement. This permissiveness on Telegram's part has led to the proliferation of a cottage industry of piracy marketplaces on the service.

[...] The Outline also discovered several groups and channels on Telegram in which stolen credentials -- i.e., the username and password for a website -- from Netflix, Spotify, Hulu, HBO, CBS, EA Sports, Lynda, Sling, WWE Network, Mega, India's Hotstar, and dozens of other services were being offered to tens of thousands of members each day. The Outline sourced nearly three-dozen free credentials from six Telegram channels, all of which worked as advertised.
The report says that content creators have reached out to Apple, requesting the iPhone-maker to intervene, but the company has largely ignored the issue.

In an unrelated development, a Moscow court cleared the way on Friday for the local government to ban Telegram, the messaging app, over its failure to give Russian security services the ability to read users' encrypted messages.
Network

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com) 22

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attacks throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye, but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.
Social Networks

Instagram Will Soon Let You Download a Copy of Your Data (techcrunch.com) 22

An Instagram spokesperson has confirmed to TechCrunch that the site will soon let users download a copy of what they've shared on Instagram, including their photos, videos and messages. The new data portability tool could make it much easier for users to leave Instagram and go to a competing image social network. It will also help the site comply with the upcoming European GDPR privacy law that requires data portability, assuming the feature launches before May 25th. From the report: Instagram has historically made it very difficult to export your data. You can't drag, or tap and hold on images to save them. And you can't download images you've already posted. That's despite Instagram now being almost 8 years old and having over 800 million users. For comparison, Facebook launched its Download Your Information tool in 2010, just six years after launch. We're awaiting more info on whether you'll only be able to download your photos, videos, and messages; or if you'll also be able to export your following and follower lists, Likes, comments, Stories, and the captions you share with posts. It's also unclear whether photos and videos will export in the full fidelity that they're uploaded or displayed in, or whether they'll be compressed. Instagram told me "we'll share more details very soon when we actually launch the tool. But at a high level it allows you to download and export what you have shared on Instagram" so we'll have to wait for more clarity.
Democrats

Democratic Senators Propose 'Privacy Bill of Rights' To Prevent Websites From Sharing Or Selling Sensitive Info Without Opt-In Consent (arstechnica.com) 136

Democratic Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) today proposed a "privacy bill of rights" that would prevent Facebook and other websites from sharing or selling sensitive information without a customer's opt-in consent. The proposed law would protect customers' web browsing and application usage history, private messages, and any sensitive personal data such as financial and health information. Ars Technica reports: Markey teamed with Sen. Richard Blumenthal (D-Conn.) to propose the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. You can read the full legislation here. "Edge providers" refers to websites and other online services that distribute content over consumer broadband networks. Facebook and Google are the dominant edge providers when it comes to advertising and the use of customer data to serve targeted ads. No current law requires edge providers to seek customers' permission before using their browsing histories to serve personalized ads. The online advertising industry uses self-regulatory mechanisms in which websites let visitors opt out of personalized advertising based on browsing history, and websites can be punished by the Federal Trade Commission (FTC) if they break their privacy promises.

The Markey/Blumenthal bill's stricter opt-in standard would require edge providers to "obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer." Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service. The FTC and state attorneys general would be empowered to enforce the new opt-in requirements. The bill would require edge providers to notify users about all collection, use, and sharing of their information. The bill also requires edge providers "to develop reasonable data security practices" and to notify customers about data breaches that affect them.

Businesses

How Much VR User Data Is Oculus Giving To Facebook? (theverge.com) 60

Facebook owns many other apps and services, including the Oculus virtual-reality platform, which collects incredibly detailed information about where users are looking and how they're moving. Since most of the discussion about how Facebook handles user information is focused on the social network itself, The Verge's Adi Robertson looks into the link between Facebook and Oculus: A VR platform like Oculus offers lots of data points that could be turned into a detailed user profile. Facebook already records a "heatmap" of viewer data for 360-degree videos, for instance, flagging which parts of a video people find most interesting. If it decided to track VR users at a more detailed level, it could do something like track overall movement patterns with hand controllers, then guess whether someone is sick or tired on a particular day. Oculus imagines people using its headsets the way they use phones and computers today, which would let it track all kinds of private communications. The Oculus privacy policy has a blanket clause that lets it share and receive information from Facebook and Facebook-owned services. So far, the company claims that it exercises this option in very limited ways, and none of them involve giving data to Facebook advertisers. "Oculus does not share people's data with Facebook for third-party advertising," a spokesperson tells The Verge.

Oculus says there are some types of data it either doesn't share or doesn't retain at all. The platform collects physical information like height to calibrate VR experiences, but apparently, it doesn't share any of it with Facebook. It stores posts that are made on the Oculus forums, but not voice communications between users in VR, although it may retain records of connections between them. The company also offers a few examples of when it would share data with Facebook or vice versa. Most obviously, if you're using a Facebook-created VR app like Spaces, Facebook gets information about what you're doing there, much in the same way that any third-party app developer would. You can optionally link your Facebook account to your Oculus ID, in which case, Oculus will use your Facebook interests to suggest specific apps or games. If you've linked the accounts, any friend you add on Facebook will also become your friend on Oculus, if they're on the platform.
Oculus does, however, share data between the two services to fight certain kinds of banned activity. "If we find someone using their account to send spam on one service, we can disable all of their accounts," an Oculus spokesperson says. "Similarly, if there's 'strange activity' on a specific Oculus account, they can share the IP address it's coming from with Facebook," writes Robertson. "The biggest problem is that there's nothing stopping Facebook and Oculus from choosing to share more data in the future."
Facebook

Facebook Donated To 46 of 55 Members On Committee That Will Question Zuckerberg (usatoday.com) 160

Facebook CEO Mark Zuckerberg will be questioned about user privacy protections next week by members of the House and Senate committees, but as USA Today notes, many of these members were also "some of the biggest recipients of campaign contributions from Facebook employees directly and the political action committee funded by employees." An anonymous reader shares the report: The congressional panel that got the most Facebook contributions is the House Energy and Commerce Committee, which announced Wednesday morning it would question Zuckerberg on April 11. Members of the committee, whose jurisdiction gives it regulatory power over Internet companies, received nearly $381,000 in contributions tied to Facebook since 2007, according to the Center for Responsive Politics. The center is a non-partisan, non-profit group that compiles and analyzes disclosures made to the Federal Election Commission.

The second-highest total, $369,000, went to members of the Senate Commerce, Science and Transportation Committee, which announced later that it would have a joint hearing with the Senate Judiciary Committee to question Zuckerberg on Tuesday. Judiciary Committee members have received $235,000 in Facebook contributions. On the House committee, Republicans got roughly twice as much as Democrats, counter to the broader trend in Facebook campaign gifts. Of the $7 million in contributions to all federal candidates tied to the Menlo Park, Calif.-based social network, Democrats got 65% to Republicans' 33%. Of the 55 members on the Energy and Commerce Committee this year, all but nine have received Facebook contributions in the past decade. The average Republican got $6,800, while the average Democrat got $6,750.

Twitter

Twitter Bans 270,000 Accounts For 'Promoting Terrorism' (theguardian.com) 95

According to Twitter's latest transparency report, the social media company removed more than 270,000 accounts around the world for promoting terrorism in the second half of 2017. The number of accounts permanently suspended for sharing what the firm called extremist content between July and December represents a drop for the second period in a row. The Guardian reports: The social network puts this down to "years of hard work making our site an undesirable place for those seeking to promote terrorism." Nick Pickles, Twitter UK's head of public policy, said: "The overwhelming majority of these accounts were detected by our own technology, with just 0.2% of the accounts we suspended in 2017 being flagged by the police." Almost 75% of accounts were suspended before they sent their first tweet, according to the report, and 93% were discovered by tools that Twitter engineers had built. Twitter is understood to also use a combination of US and EU lists of terrorist organizations as well as research from academics and experts to identify terrorists on its network. The number of reports of abusive behavior submitted by government representatives also dropped amid a marked change in the type of abusive behavior reported. Two-thirds of the 10,000 reports concerned violations of rules on impersonation, with only 16% of the reports for harassment and 12% for hateful conduct. Harassment and hateful conduct each accounted for a third of reported accounts in the first half of 2017. Only a quarter of reports of abusive behavior submitted by government representatives were acted upon by Twitter, compared with 98% of reports relating to the "promotion of terrorism."
Intel

Intel Tells Users to Uninstall Remote Keyboard App Over Unpatched Security Bugs (bleepingcomputer.com) 16

Intel has decided that instead of fixing three security bugs affecting the Intel Remote Keyboard Android app, it would be easier to discontinue the application altogether. BleepingComputer: The company announced its decision on Tuesday, following the discovery of three security bugs that affect all versions of the Intel Remote Keyboard. This is an Android application that Intel launched in 2015 to allow users to wirelessly control Intel NUC and Intel Compute Stick single-board computers. The bugs, discovered by three different researchers, when exploited, allow a nearby network attacker to inject keystrokes into remote keyboard sessions, and also execute malicious code on the user's Android device.
Bitcoin

Hacker Uses Exploit To Generate Verge Cryptocurrency Out of Thin Air (bleepingcomputer.com) 85

An anonymous reader quotes a report from Bleeping Computer: An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air. The Verge development team is preparing a hard fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a state before the attack, neutralizing the hacker's gains. The attack took place yesterday, and initially users thought it was a "51% attack," an attack where a malicious actor takes control of more than half of the network nodes, giving himself the power to forge transactions. Nonetheless, users who later looked into the suspicious network activity eventually tracked down what happened, revealing that a mysterious attacker had mined Verge coins at a near-impossible speed of 1,560 Verge coins (XVG) per second, the equivalent of $78/s. The malicious mining lasted only three hours, according to the Verge team. Users who tracked the illegally mined funds on the Verge blockchain said the hacker appears to have made around 15.6 million Verge coins, which is around $780,000.