Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Encryption

Lavabit Is Relaunching (theintercept.com) 51

The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year. The Intercept provides some backstory in its report: In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.
China

Viral Chinese Selfie App Meitu, Valued at Over $5 Billion, Phones Home With Personal Data (theregister.co.uk) 79

The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say. The app, which has been featured on several popular outlets including the NYTimes, USA Today, and NYMag, harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded. From a report: But worst of all, the free app appears to be phoning some to share personal data with its makers. Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, according to respected forensics man Jonathan Zdziarski, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset's MAC address. "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," Zdziarski says. Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found. The app, which was valued at over $5 billion last year due its popularity, seeks access to device and app history; accurate location; phone status; USB, photos, and files storage read and write; camera; Wifi connections; device ID & call information; full network access, run at startup, and prevent device from sleeping on Android phones.
Security

ProtonMail Adds Tor Onion Site To Fight Risk Of State Censorship (techcrunch.com) 26

ProtonMail now has a home on the dark web. The encrypted email provider announced Thursday it will allow its users to access the site through the Tor anonymity service. From a report: Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network -- in what it describes as an active measure aimed at defending against state-sponsored censorship. The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it's worried about an increased risk of state-level blocking of pro-privacy tools -- pointing to recent moves such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products. The service also saw a bump in sign ups after the election of Donald Trump as US president, last fall -- with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief's expansive digital surveillance powers.
Microsoft

Microsoft is Bringing Cortana To Android Lock Screen (mspoweruser.com) 93

Microsoft is testing out a new way to access Cortana, its digital assistant, from the Android lock screen, with just a swipe. It's a new feature that's clearly designed to replace Google's own quick access, and to convince Android users to switch to Cortana. According to MSPowerUser, Cortana on the lock screen doesn't replace existing lock screens, so you can still use a custom one or the default experience that ships with your Android device. Cortana is activated simply by swiping left or right on the floating logo. Microsoft is currently testing this new feature, and any Android users can opt-in to trial the new beta features over at the Google Play Store.
Government

Julian Assange Will Not Hand Himself In Because Chelsea Manning's Release Won't Happen Immediately, Lawyer Says (independent.co.uk) 540

President Obama commuted Chelsea Manning's prison sentence yesterday, reducing her time required to serve behind bars from 35 years to just over seven years. Prior to the commutation, WikiLeaks' Julian Assange pledged to surrender himself to U.S. authorities if Manning was pardoned. Roughly 24 hours have passed since the news broke and it appears that Assange will not hand himself in to the Department of Justice. The Independent reports: Mr Assange's lawyers initially seemed to suggest that promise would be carried through -- telling reporters that he stood by his earlier comments -- but it appears now that Mr Assange will stay inside the embassy. The commitment to accept extradition to the U.S. was based on Ms Manning being released immediately, Mr Assange's lawyer told The Hill. Ms Manning won't actually be released until May -- to allow for a standard 120-day transition period, which gives people time to prepare and find somewhere to live, an official told The New York Times for its original report about Ms Manning's clemency. "Mr. Assange welcomes the announcement that Ms. Manning's sentence will be reduced and she will be released in May, but this is well short of what he sought," Barry Pollack, Assange's U.S.-based attorney, told the site. "Mr. Assange had called for Chelsea Manning to receive clemency and be released immediately."
Desktops (Apple)

Malwarebytes Discovers 'First Mac Malware of 2017' (securityweek.com) 60

wiredmikey writes: Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities. From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same CC server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."
Crime

Dutch Developer Added Backdoor To Websites He Built, Phished Over 20,000 Users (bleepingcomputer.com) 122

An anonymous reader quotes a report from BleepingComputer: A Dutch developer illegally accessed the accounts of over 20,000 users after he allegedly collected their login information via backdoors installed on websites he built. According to an official statement, Dutch police officials are now in the process of notifying these victims about the crook's actions. The hacker, yet to be named by Dutch authorities, was arrested on July 11, 2016, at a hotel in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek. According to Dutch police, the 35-years-old suspect was hired to build e-commerce sites for various companies. After doing his job, the developer also left backdoors in those websites, which he used to install various scripts that allowed him to collect information on the site's users. Police say that it's impossible to determine the full breadth of his hacking campaign, but evidence found on his laptop revealed he gained access to over 20,000 email accounts. Authorities say the hacker used his access to these accounts to read people's private email conversations, access their social media profiles, sign-up for gambling sites with the victim's credentials, and access online shopping sites to make purchases for himself using the victim's funds.
Windows

Windows 10 Privacy Changes Appease Watchdogs, But Still No Data 'Off-Switch' (zdnet.com) 210

Earlier this month, Microsoft announced several privacy changes in Windows 10, but it didn't give users an option to completely opt-out of data-collection feature. The announcement came at a time to coincide with a statement by the Swiss data protection and privacy regulator, the FDPIC, which last week said it would drop its threats of a lawsuit after the company "agreed to implement" a string of recommendations it made last year. The news closed the books on an investigation that began in 2015, shortly after Windows 10 was released. Though the Swiss appear satisfied, other critics are waiting for more. The French data protection watchdog, the CNIL, was equally unimpressed by Microsoft's actions, and it served the company with a notice in July to demand that it clean up its privacy settings. In an email, the CNIL said that the changes "seem to comply" with its complaint, but it's "now analyzing more in [sic] details Microsoft answers in order to know whether all the failures underlined in the formal notice do now comply with the law." ZDNet adds: Microsoft still hasn't said exactly what gets collected as part of the basic level of collection, except that the data is used to improve its software and services down the line; a reasonable ask -- but one that nonetheless lacks specifics. Microsoft said it wants users to "trust" it. And while the likelihood that the company is doing anything nefarious with users' information is frankly unlikely, the running risk is that the data could somehow be turned over to a government agency or even stolen by hackers is inescapable. That risk alone is enough for many to want to keep what's on their computer in their homes. While changing the privacy controls is a move in the right direction, it's still short of what many have called for. By ignoring the biggest privacy complaint from its consumer users -- the ability to switch off data collection altogether -- Microsoft has favored the "just enough" approach to appease the regulators. Without a way to truly opt-out, Microsoft's repeated pledge (eight times in the blog post, no less) to give its users "control" of their data comes off as a hollow soundbite.
Privacy

Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com) 144

Long-time Slashdot reader t0qer writes: I'm the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
" No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.

"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
Security

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com) 180

An anonymous reader quotes Motherboard: A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.

Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames Linkedin page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.

The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.
Privacy

Tor Onion Browser's Creator Explains Free Version For iOS (mike.tig.as) 26

The free iOS version of the Tor browser "sparked a tidal wave of interest" after its release in December, according to Silicon.co. Mickeycaskill writes: The cost has been scrapped due to developer Mike Tigas' worries that the price was limiting access to anonymous browsing for those who need it most. "Given recent events, many believe it's more important than ever to exercise and support freedom of speech, privacy rights, and digital security," Tigas wrote in a blog post. "I think now is as good a time as ever to make Onion Browser more accessible to everyone."
"I'm still a little terrified that I've made this change," Tigas adds. For four years the Tor Onion browser was available on the Apple App Store for $0.99, the lowest non-free price allowed by Apple, providing a "reliable" income to Tigas which helped him move to New York for a new job while allowing him "the economic freedom to continue working on side projects that have a positive impact in the world." Tigas also writes that "there's now a Patreon page and other ways to support the project."

Last month the Tor Project also released the first alpha version of the sandboxed Tor Browser.
Government

Petition With Over 1 Million Signatures Urges President Obama To Pardon Snowden (cnet.com) 273

An anonymous reader quotes a report from CNET: More than 1 million people signed onto a petition asking President Barack Obama to pardon Edward Snowden, proponents of the pardon said Friday. The campaign began in September, when Snowden, his attorney Ben Wizner from the ACLU, and other privacy activists announced they would formally petition Obama for a pardon. Snowden leaked classified NSA documents detailing surveillance programs run by the U.S. and its allies to journalists in 2013, kicking off a heated debate on whether Americans should be willing to sacrifice internet privacy to help the government protect the country from terrorist attacks. Obama and White House representatives have said repeatedly that Snowden must face the charges against him and that he'll be afforded a fair trial. In the U.S., a pardon is "an expression of the president's forgiveness and ordinarily is granted in recognition of the applicant's acceptance of responsibility for the crime and established good conduct for a significant period of time after conviction or completion of sentence," according to the Office of the Pardon Attorney. It does not signify innocence. Also on Friday, David Kaye urged Obama to consider a pardon for Snowden. Kaye, the special rapporteur to the United Nations Human Rights Council on the freedom of expression, said U.S. law doesn't allow Snowden to argue that his disclosures were made for the benefit of the public. The jury would merely be asked to decide whether Snowden stole government secrets and distributed them -- something Snowden himself concedes he did. In response to the petition, Edward Snowden tweeted: "Whether or not this President ends the war on whistleblowers, you've sent a message to history: I feared no one would care. I was wrong."
Republicans

Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk) 280

mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and is utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor secure controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. 'But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"
Security

Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) 113

William Turton, writing for Gizmodo: This morning, the Guardian published a story with an alarming headline: "WhatsApp backdoor allows snooping on encrypted messages." If true, this would have massive implications for the security and privacy of WhatsApp's one-billion-plus users. Fortunately, there's no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian's story is a "major league fuckwittage." [...] Fredric Jacobs, who was the iOS developer at Open Whisper Systems, the collective that designed and maintains the Signal encryption protocol, and who most recently worked at Apple, said, "Nothing new. Of course, if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications." "I characterize the threat posed by such reportage as being fear and uncertainty and doubt on an 'anti-vaccination' scale," Muffett, who previously worked on Facebook's engineering security infrastructure team, told Gizmodo. "It is not a bug, it is working as designed and someone is saying it's a 'flaw' and pretending it is earth shattering when in fact it is ignorable." The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do. "There's a feature in WhatsApp that -- when you swap phones, get a new phone, factory reset, whatever -- when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone," Muffett told Gizmodo. Other security experts and journalists have also criticized The Guardian's story.
Privacy

Switzerland Agrees To Its Own New Data Sharing Pact With the US (silicon.co.uk) 15

Mickeycaskill quotes a report from Silicon.co.uk: Switzerland has agreed its own new data transfer agreement with the United States, basing the framework on the deal struck by the European Union (EU) following the invalidation of Safe Harbour. The previous arrangement was invalidated because of concerns about U.S. mass surveillance but Switzerland says the new Swiss-U.S. Privacy Shield will allow Swiss companies to transfer customer data without the need for additional contractual guarantees. The Swiss Federal Council, a seven member executive council that is effectively the head of government in Switzerland, claim citizens will benefit from additional protections and the ability to contact an ombudsman about data issues. Although not part of the EU, Switzerland is a member of the European Economic Area (EEA) and has several bilateral agreements with the EU that sees it adopt many of the bigger bloc's policies. The Federal Council says the alignment between the EU and the Swiss transatlantic data sharing partnerships is good news for multinational organizations.
Privacy

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com) 88

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
Government

Obama Changed Rules Regarding Raw Intelligence, Allowing NSA To Share Raw Data With US's Other 16 Intelligence Agencies (schneier.com) 205

An anonymous reader quotes a report from Schneier on Security: President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the U.S.'s other 16 intelligence agencies. The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches. The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people. Here are the new procedures. This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.
Privacy

Japan Researchers Warn of Fingerprint Theft From 'Peace' Sign (phys.org) 119

Tulsa_Time quotes a report from Phys.Org: Could flashing the "peace" sign in photos lead to fingerprint data being stolen? Research by a team at Japan's National Institute of Informatics (NII) says so, raising alarm bells over the popular two-fingered pose. Fingerprint recognition technology is becoming widely available to verify identities, such as when logging on to smartphones, tablets and laptop computers. But the proliferation of mobile devices with high-quality cameras and social media sites where photographs can be easily posted is raising the risk of personal information being leaked, reports said. The NII researchers were able to copy fingerprints based on photos taken by a digital camera three meters (nine feet) away from the subject.
Chrome

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 144

An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
Medicine

Microsoft Anti-Porn Workers Sue Over PTSD (thedailybeast.com) 305

An anonymous reader shares with us a report from The Daily Beast: When former Microsoft employees complained of the horrific pornography and murder films they had to watch for their jobs, the software giant told them to just take more smoke breaks, a new lawsuit alleges. Members of Microsoft's Online Safety Team had "God-like" status, former employees Henry Soto and Greg Blauert allege in a lawsuit filed on Dec. 30. They "could literally view any customer's communications at any time." Specifically, they were asked to screen Microsoft users' communications for child pornography and evidence of other crimes. But Big Brother didn't offer a good health care plan, the Microsoft employees allege. After years of being made to watch the "most twisted" videos on the internet, employees said they suffered severe psychological distress, while the company allegedly refused to provide a specially trained therapist or to pay for therapy. The two former employees and their families are suing for damages from what they describe as permanent psychological injuries, for which they were denied worker's compensation. "Microsoft applies industry-leading, cutting-edge technology to help detect and classify illegal images of child abuse and exploitation that are shared by users on Microsoft Services," a Microsoft spokesperson wrote in an email. "Once verified by a specially trained employee, the company removes the image, reports it to the National Center for Missing and Exploited Children, and bans the users who shared the images from our services. We have put in place robust wellness programs to ensure the employees who handle this material have the resources and support they need." But the former employees allege neglect at Microsoft's hands.

Slashdot Top Deals