Slashdot security articles


Microsoft Wants To Close the UWP, Win32 Divide With 'Windows Apps'

Wed, 05/08/2019 - 13:25
An anonymous reader quotes a report from ZDNet: When Microsoft launched UWP in 2015, officials promised that the platform would provide apps with better performance and security because they'd be distributable and updatable from the Microsoft Store. Developers would be able to use a common set of programming interfaces across Windows 10, Windows Phone, HoloLens and more, officials said, when selling the UWP vision. The downside: UWP apps would work on Windows 10-based devices only. Developers would have to do work to get their apps to be UWP/Store-ready. And Win32 apps wouldn't get UWP features like touch and inking. Arguably, [Kevin Gallo, Corporate Vice President of the Windows Developer Platform] told me, "we shouldn't have gone that way," meaning creating this schism. But Microsoft execs -- including Gallo -- continue to maintain that UWP is not dead. Over the past year or so, Microsoft has been trying to undo some of the effects of what Gallo called the "massive divide" between Win32 and UWP by adding "modern desktop" elements to Win32 apps. "By the time we are done, everything will just be called 'Windows apps,'" Gallo told me. "We're not quite there yet." But the ultimate idea is to make "every platform feature available to every developer." In short, Microsoft's new goal is to try to make all features available to all of the Windows frameworks. Saying that Microsoft is dropping or deprecating any of the Windows frameworks seems to have been declared from on-high as a big no-no. Instead, Win32, UWP, Windows Presentation Foundation are all "elevated to full status," as Gallo told me. What about the Microsoft Store? Gallo says it's not dead. In Gallo's view, "the Store is about commerce. It's another channel for distribution." But it's not the only way Windows users will be able to get apps. "You can trust apps differently. They don't need to be in the Store. People really just want to know if Microsoft considers an app good," he said. 
ZDNet's Mary Jo Foley says "it sounds like Microsoft may be moving toward a model of getting apps Microsoft-certified and trusted and then allowing Windows developers to decide how best to distribute them -- via the Microsoft Store, the Web or other methods of their choosing."

Google Chrome To Support Same-Site Cookies, Get Anti-Fingerprinting Protection

Wed, 05/08/2019 - 12:06
Google plans to add support for two new privacy and security features in Chrome, namely same-site cookies and anti-fingerprinting protection. From a report: The biggest change that Google plans to roll out is in regards to how it treats cookie files. These new controls will be based on a new IETF standard that Chrome and Mozilla developers have been working on for more than three years. This new IETF specification describes a new attribute that can be set inside HTTP headers. Called "SameSite," the attribute must be set by the website owner and should describe the situations in which a site's cookies can be loaded. [...] Google engineers also announced a second major new privacy feature for Chrome. According to Google, the company plans to add support for blocking certain types of "user fingerprinting" techniques that are being abused by online advertisers. Google didn't go into details of what types of user fingerprinting techniques it was planning to block. It is worth mentioning that there are many, which range from scanning locally installed system fonts to abusing the HTML5 canvas element, and from measuring a user's device screen size to reading locally installed extensions.
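To make the SameSite behaviour described above concrete, here is a small model of the attribute's three values and the decision a browser makes when a cookie's host is hit by a same-site or cross-site request. This is an added example, not code from the article, Chrome or Mozilla; it assumes a cookie without the attribute behaves as SameSite=None (the behaviour at the time), uses the last two DNS labels as the "site" instead of the Public Suffix List, and does not model Domain/Path matching. The hosts bank.example, evil.example and news.example are constructed.

```python
"""Model of the SameSite cookie attribute (Strict / Lax / None).

Added example: not code from the article, Chrome or Mozilla. It follows the
IETF draft semantics and makes the simplifying assumptions flagged below.
"""
from dataclasses import dataclass

# Methods the draft treats as "safe"; Lax cookies may accompany a cross-site
# top-level navigation only when one of these is used.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SAME_SITE_VALUES = ("Strict", "Lax", "None")


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str   # one of SAME_SITE_VALUES
    secure: bool


def parse_set_cookie(header: str, default_same_site: str = "None") -> Cookie:
    """Parse a Set-Cookie header value, keeping only the attributes used here.

    Assumption: a cookie with no SameSite attribute behaves as SameSite=None,
    which is what browsers did when the article was written.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site, secure = default_same_site, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            val = val.strip().capitalize()          # accept strict/LAX/none
            if val not in SAME_SITE_VALUES:
                raise ValueError(f"unknown SameSite value: {val!r}")
            same_site = val
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), same_site, secure)


def site_of(host: str) -> str:
    """Registrable domain used for the same-site test.

    Assumption: last two DNS labels; a real browser consults the Public
    Suffix List (so that e.g. co.uk is not treated as a site).
    """
    return ".".join(host.lower().split(".")[-2:])


def cookie_is_sent(cookie: Cookie, cookie_host: str, request_host: str,
                   initiator_host: str, top_level_navigation: bool,
                   method: str, scheme: str = "https") -> bool:
    """Decide whether the browser attaches `cookie` to a request.

    initiator_host is the site of the page that caused the request: the page
    embedding an <img>, the page hosting a form, or the page a link was on.
    Domain/Path matching is not modelled: the cookie belongs to cookie_host.
    """
    if cookie_host.lower() != request_host.lower():
        return False                       # cookie belongs to another host
    if cookie.secure and scheme != "https":
        return False                       # Secure cookies need TLS
    if site_of(request_host) == site_of(initiator_host):
        return True                        # same-site request: always sent
    # From here on the request is cross-site.
    if cookie.same_site == "Strict":
        return False                       # never on cross-site requests
    if cookie.same_site == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                            # SameSite=None: sent cross-site


def csrf_post_carries_cookie(set_cookie_header: str) -> bool:
    """Constructed scenario: a page on evil.example auto-submits a POST form
    to bank.example. Returns True when bank.example's cookie rides along,
    which is the precondition for a classic CSRF attack."""
    cookie = parse_set_cookie(set_cookie_header)
    return cookie_is_sent(cookie, "bank.example", "bank.example",
                          initiator_host="evil.example",
                          top_level_navigation=True, method="POST")


if __name__ == "__main__":
    for header in ("session=abc; Secure",
                   "session=abc; Secure; SameSite=Lax",
                   "session=abc; Secure; SameSite=Strict",
                   "session=abc; Secure; SameSite=None"):
        sent = csrf_post_carries_cookie(header)
        print(f"{header!r:45} -> cookie on cross-site POST: {sent}")
```

Running it shows why the attribute matters: the cookie without SameSite and the SameSite=None cookie accompany the cross-site POST, while Lax and Strict keep it at home.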

Facebook and Instagram Don't Wreck Kids' Lives, Claims New Study

Tue, 05/07/2019 - 16:10
A new study from the University of Oxford claims screen time doesn't have a detrimental impact on young people's brains, like so many researchers have claimed. Instead, it says family, friends and school life all had a greater impact on wellbeing. An anonymous reader shares the report from ZDNet: The researchers' skepticism was based on the Grand Theory of Chicken and Egg. As one of the lead researchers, Amy Orben explained: "The previous literature was based almost entirely on correlations with no means to dissociate whether social media use leads to changes in life satisfaction or changes in life satisfaction influence social media use." Quite. Does social media make kids -- or anyone else, for that matter -- miserable? Or do miserable people turn to social media in search of, well, something? These researchers spoke to 12,000 UK teens and concluded that the effect of social media on their life satisfaction was tiny. Indeed, as another of the lead researchers, Professor Andrew Przybylski told the BBC: "99.75 percent of a person's life satisfaction has nothing to do with their use of social media." Nothing has really changed, he said. Family, friends and school life are still the dominating factors in teen happiness. Moreover, Przybylski took the time to completely contradict Apple's CEO and his pained worries about screen time. Przybylski put it quite baldly: "Parents shouldn't worry about time on social media. Thinking about it that way is wrong." For perfect measure, he added: "We need to retire this notion of screen time."

Android Q Gets Dark Mode, Live Video Captioning, Better Gestures and More

Tue, 05/07/2019 - 14:50
At its annual I/O developer event, Google announced a bunch of new features available in the latest Android Q beta. Engadget reports: The most obvious new feature is dark mode, which will be released system-wide in Android Q. It's accessible via a toggle switch in the quick settings area and it'll also be activated when you turn on battery saver mode. We just saw a quick screenshot of it, but it looks like it'll apply to any apps you're using regardless of whether they're Google-made or from other developers. Another notable new feature is called Live Caption. If you're watching a video, Google's machine-learning algorithms can now add captions on the fly by just pressing the volume button and then a "live caption" button that'll show up on the onscreen volume slider. From there, you can expand and contract the panel as you see fit, and move it up and down on the screen so it doesn't obscure your video. Google is also able to do all of this on-device, so it's more secure and also doesn't need a network connection. [T]he company says that there are 50 new privacy and security settings in Android Q. Perhaps most notable are new location services settings that let you limit location tracking to only when the app is running. It'll also give you notifications to let you see when apps are using your location in the background. New settings also let you keep apps from accessing media on your phone and collecting information about your device like its IMEI and serial number. [...] Google's adding a new "focus mode" to help shut down various distractions. It'll block most app alerts and notifications while allowing important contacts like your family members to reach you. There are also more tools for parents to manage their kids' phone time -- it'll let you review how they're using their phone from your own device, set daily time limits, review app requests and more.
There are also tweaks to the gesture-based navigation bar to make it more closely resemble the navigation gestures first introduced in the iPhone X. Google's also adding a new chat-focused interface called "bubbles" that lets users keep messaging conversations accessible regardless of what they're doing with the phone. We can expect the final dessert-themed name and release date later in the summer. The Q beta 3 is currently available on 21 devices, including all Pixel devices.

Google Merges Nest and Home Brands, Debuts $229 Nest Hub Max

Tue, 05/07/2019 - 12:50
At its Google I/O developer conference today, the company announced that Google and Nest are combining into a single smart home brand aptly called Google Nest. For now, the newly announced Google Nest Hub Max and Google Home Hub, which will now be called the Google Nest Hub, are the only products that will carry the new name in their official branding. CNET reports: Other products are expected to be rebranded in the future. All of Nest's smart home products will fall under this brand, which includes the company's famous smart thermostats and security cameras, although their names won't change retroactively. Google's smart speakers, including the Google Home; smart displays such as the Google Home Hub; Google Wifi routers and Google Chromecast streamers will also fit under the purview of Google Nest. Several products under the new brand are getting a price cut, including the Google Home Max, which now costs $100 less than before at $299. As part of the new unified brand, customers with Nest accounts will be encouraged to merge them into Google accounts. You can control your Nest devices with the Google Home app. You won't be able to set up new Nest devices using that app yet, so customers can't remove the separate Nest app from their phones entirely. Nest accounts will be moved to a maintenance mode, where they will still get security updates, but Google will provide new features only to Google accounts. Similarly, companies that had joined the Works with Nest program will be encouraged to use Actions on Google -- a platform that allows third-party developers to create commands for Google Assistant -- to be compatible with the new joined brand. As for the Google Nest Hub Max, it's basically a big Google Assistant smart display with a camera on top that can be used for video calls and home security monitoring. It's coming this summer, and it will retail for $229. 
The Verge reports: Like the smaller $149 Google Home Hub, the Nest Hub Max has a matte display that adjusts its color temperature to match the room. The 10-inch screen often looks more like a regular photo in a frame than a standard LCD panel. It comes in both gray and white, though the bezel around the display will always be white. Also, it lets Google know when you're home, and it can recognize your face so it can show customized personal information on the screen. [...] The other thing that's bigger is the sound. There are two front-firing 10W tweeters and one 30W woofer on the back. I wasn't able to do a real sound-quality test in the couple of hours I spent with the Hub Max, but I can tell you that it's definitely louder than the smaller Hub, and it didn't obviously distort at high volumes. But a Sonos One or Apple HomePod this is not...

WordPress Finally Gets the Security Features a Third of the Internet Deserves

Tue, 05/07/2019 - 11:32
The WordPress content management system (CMS) is set to receive an assortment of new security features today that will finally add the protection level that many of its users have desired for years. From a report: These features are expected to land with the official release of WordPress 5.2, expected for later today. Included are support for cryptographically-signed updates, support for a modern cryptography library, a Site Health section in the admin panel backend, and a feature that will act as a White-Screen-of-Death (WSOD) protection -- letting site admins access their backend in the case of catastrophic PHP errors. With WordPress being installed on around 33.8 percent of all internet sites, these features are set to put some fears at ease in regards to some attack vectors. Probably the biggest and the most important of today's new security features is WordPress' offline digital signatures system. Starting with WordPress 5.2, the WordPress team will digitally sign its update packages with the Ed25519 public-key signature system so that a local installation will be able to verify the update package's authenticity before applying it to a local site.

Chinese Spies Got the NSA's Hacking Tools, and Used Them For Attacks

Tue, 05/07/2019 - 08:10
Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia [Editor's note: the link may be paywalled; alternative source], a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal. From a report: Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers -- like a gunslinger who grabs an enemy's rifle and starts blasting away. The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries' infrastructure. The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world's most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key. The Chinese hacking group that co-opted the N.S.A.'s tools is considered by the agency's analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers. Now, Symantec's discovery, unveiled on Monday, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.

How a Mark Cuban-Backed Facial Recognition Firm Pushed To Get Driver License Photo Data

Tue, 05/07/2019 - 05:00
An anonymous reader quotes a report from Motherboard: Now, emails obtained through a public records request provide insight into how facial recognition companies attempt to strike deals with local law enforcement as well as gain access to sensitive data on local residents. The emails show how a firm backed by Shark Tank judge, Dallas Mavericks owner, and billionaire entrepreneur Mark Cuban pushed a local police department to try and gain access to state driver's license photos to train its product. The emails also show the company asked the police department to vouch for it on a government grant application in exchange for receiving the technology for free. "Chief, you seemed pretty keen on the use of facial recognition in stadiums. If you know of any place to start, please let me know," a 2016 email from Jacob Sniff, a co-founder of facial recognition startup Suspect Technologies, addressed to Michael Botieri, chief of the Plymouth Police Department in Massachusetts, reads. In the emails, Sniff repeatedly asked Botieri to deploy the technology in his district to help improve the product. Sniff mentioned plans for the technology to search through results for people of a particular gender or ethnicity, and deploy "emotion recognition." "So you would aim to do this on all or most of the buildings you showed me in person? We would be fine on the privacy concerns for this?" Sniff wrote in a November 2017 email to the police department. "I do realize the technology could be perceived as controversial, though the stark reality is that it could save lives." "Ed, you mentioned that if we did the lobby idea in Boston, that they would go absolutely nuts and it would be a privacy disaster. Our discussion last week was that police departments are supposed to be welcoming and this would ultimately deter people from showing up," Sniff wrote in an April 2018 email chain including Ed Davis, former Boston Police Commissioner and who now runs a security consulting firm. [...] 
Sniff asked Chief Botieri to sign a letter helping Suspect Technologies receive a grant from the National Institute of Standards and Technology (NIST), according to a January 2017 email. Sniff offered to give the police department the facial recognition technology for free in exchange for signing the letter.

Refunds For 300 Million Phone Users Sought In Lawsuits Over Location-Data Sales

Mon, 05/06/2019 - 13:30
An anonymous reader quotes a report from Ars Technica: The four major U.S. wireless carriers are facing proposed class-action lawsuits accusing them of violating federal law by selling their customers' real-time location data to third parties. The complaints seeking class action status and financial damages were filed last week against AT&T, Verizon, T-Mobile, and Sprint in U.S. District Court for the District of Maryland. The four suits, filed on behalf of customers by lawyers from the Z Law firm in Maryland, all begin with text nearly identical to this intro found in the suit against AT&T: "This action arises out of Defendant's collection of geolocation data and the unauthorized dissemination to third-parties of the geolocation data collected from its users' cell phones. AT&T admittedly sells customer geolocation data to third-parties, including but not limited to data aggregators, who in turn, are able to use or resell the geolocation data with little or no oversight by AT&T. This is an action seeking damages for AT&T gross failure to safeguard highly personal and private consumer geolocation data in violation of federal law." The proposed classes would include all of the four carriers' customers in the U.S. between 2015 and 2019. In all, that would be 300 million or more customers, as the lawsuits say the proposed classes consist of at least 100 million customers each for AT&T and Verizon and at least 50 million each for Sprint and T-Mobile. Each lawsuit seeks damages for consumers "in an amount to be proven at trial." In June 2018, the four major U.S. carriers promised to stop selling their mobile customers' location info to third-party data brokers after a security problem leaked the real-time location of U.S. cellphone users. Despite the carriers' promises, a Motherboard investigation found in January 2019 that they were still selling access to their customers' location data. "The lawsuits accuse the carriers of violating Section 222 of the U.S. Communications Act, which says that carriers may not use or disclose location information 'without the express prior authorization of the customer,'" reports Ars Technica. "The lawsuits also say that each carrier failed to follow its own privacy policy and 'profited from the sale and unauthorized dissemination of Plaintiff and Class Members' [private data].'"

Microsoft Offers Software Tools To Secure Elections

Mon, 05/06/2019 - 12:10
Alongside sharing updates on many of its platforms, Microsoft said at its Build developer conference today that it is also getting ready to release several new tools to shore up security for political parties and candidates and at the ballot box. From a report: Microsoft announced an ambitious effort it says will make voting secure, verifiable and subject to reliable audits. Two of the three top U.S. elections vendors have expressed interest in potentially incorporating the open-source software into their proprietary voting systems. The software kit is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon's advanced research agency, DARPA. Dubbed "ElectionGuard," the Microsoft kit will be available this summer, the company says, with early prototypes ready to pilot for next year's general elections. CEO Satya Nadella announced the initiative Monday at a developer's conference in Seattle. Nadella said the project's software, provided free of charge as part of Microsoft's Defending Democracy Program, would help "modernize all of the election infrastructure everywhere in the world." Microsoft also announced a cut-rate Office 365 application suite for political parties and campaigns at the price it charges nonprofits. Both Microsoft and Google provide anti-phishing email support for campaigns. Three little-known U.S. companies control about 90 percent of the market for election equipment, but have long faced criticism for poor security, antiquated technology and insufficient transparency around their proprietary, black-box voting systems.

Windows 10 Will Now Ask Before Installing Massive Feature Updates

Sun, 05/05/2019 - 11:34
An anonymous reader quotes ZDNet: As Microsoft promised in early April, Windows 10 is gaining a new option that gives users better control over when its twice-yearly major feature updates are installed. That option is called 'Download and install now' and should help Windows 10 users avoid unintentionally accepting a feature update after using Windows Update to check for new patches. While clicking 'Check for updates' could mean checking for monthly or security updates, historically it's also triggered the installation of a feature update, which can be a major disruption... Choosing to download and install when offered a feature update is taken as confirmation that the user wants that update. From that point on, the feature update can then only be paused for up to 35 days. By not clicking on 'Download and install now', the new feature update can be avoided so long as the version of Windows 10 currently running is supported and not nearing end of support.

Top Cybersecurity Experts Unite to Counter Right-to-Repair FUD

Sun, 05/05/2019 - 09:34
Long-time Slashdot reader chicksdaddy writes: Some of the world's leading cybersecurity experts have come together to counter electronics and technology industry efforts to paint proposed right to repair laws in 20 states as a cyber security risk. The experts have launched, a group that is galvanizing information security industry support for right to repair laws that are being debated in state capitols. Among the experts who are stepping forward is a who's who of the information security space, including cryptography experts Bruce Schneier of IBM and Harvard University and Jon Callas of ACLU, secure coding gurus Gary McGraw of Cigital and Chris Wysopal of Veracode, bug bounty pioneer Katie Moussouris of Luta Security, hardware hackers Joe Grand (aka KingPin) and Billy Rios of Whitescope, nmap creator Gordon "Fyodor" Lyon, Johannes Ullrich of SANS Internet Storm Center and Dan Geer, the CISO of In-Q-Tel. Together, they are calling out electronics and technology industry efforts to keep replacement parts, documentation and diagnostic tools for digital devices secret in the name of cyber security. "False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws," said Paul Roberts, the founder of and Editor in Chief at The Security Ledger, an independent cyber security blog. " is a voice of reason that will provide policy makers with accurate information about the security problems plaguing connected devices. We will make the case that right to repair laws will bring about a more secure, not less secure future." "As cyber security professionals, we have a responsibility to provide accurate information and reliable advice to lawmakers who are considering Right to Repair laws," said Joe Grand of Grand Idea Studio, a hardware hacker and embedded systems security expert. 
The group will counter stealthy but well-funded industry efforts to kill off right to repair legislation where it comes up. That has included the creation of front groups like the Security Innovation Center, which has enlisted technology industry executives and academics to write opinion pieces casting right to repair laws as a giveaway to cybercriminals. Securepairs organizers say they hope to mobilize information security professionals to help secure the right to repair in their home states: writing letters and emails and providing expert testimony about the real sources of cyber risks in connected devices.

When an AI Tries to Name Racehorses

Sat, 05/04/2019 - 17:39
In December the breed registry for Thoroughbred horses released their list of the over 42,000 names for currently-registered racehorses. Then research scientist Janelle Shane turned their list into training data for two neural networks, reports Fast Company: It came up with names like She's a Babe, North Storm, Fabulous Charm, Frisky Joe, and Velvet One, which are so good, it's kind of surprising they haven't already been used by the professional horse namers. Of course, not every name was quite as successful. For example, Ginky's Rental, Moretowiththebotterfron, Orcha Shuffleston, Oats and is Fuct, Pat's Glory Dance, Exclusive Bear, and The Madland Cookie. Although if I were a betting man, I would put all my nonexistent trust fund on Snuckles (or maybe Unbridled Dave or Pick's Lilver or maybe Pickle Rake or Rapple Musty). (Look, there's a reason I don't bet.) As an added treat, Shane opted to have a few of the names illustrated by BigGAN, a neural net that generates pictures. Unfortunately, according to Shane, "horse" was not an image option, so Shane used "horse cart" instead, resulting in some very interesting images. In 2017 Shane trained a neural network on 162,000 Slashdot headlines, coming up with alternate reality-style headlines like "Microsoft To Develop Programming Law" and "More Pong Users for Kernel Project." But for racehorses, Shane points out that there's already a real-world prizewinner named "Cloud Computing" -- so there's obviously room for improvement. And today the fastest horse in this year's Kentucky Derby was "Maximum Security", who ironically was disqualified for interference for the first time in the race's 145-year history, making the winner a 65-to-1 longshot named "Country House."

Scammers Exploit Home Rental Listings With 'Let Yourself In' Link

Sat, 05/04/2019 - 13:34
"American Homes For Rent is a publicly traded company that owns more than 50,000 properties," writes Slashdot reader McGruber -- calling our attention to a glaring security error. "Its website has a tab on its listings that says 'Let Yourself In.' If you click it, you are taken to, a website that sells the lockbox codes to anyone for only $0.99." And those lockboxes contain a key to the vacant home being advertised. But what's to stop a scammer from pretending that they're the home-owner, and then sending you the code for that same lockbox so you can tour "their" home -- before they then ask you to wire a deposit? Ciarra McConnell was one of the scam's "several" unsuspecting victims, reports CBS46 in Atlanta: "The lockbox is what made it seem legitimate, and he gave me the key," said Ciarra. Once she got the key, the scammer emailed a phony lease. Ciarra then wired a $1,900 deposit and moved in. The next morning an American Homes For Rent employee was at her door. "They were just like yup, nope sorry we can't do anything for you but you need to get out," she explained. The scammers post duplicates of real home listings on Craigslist -- and then ask to be paid through a bitcoin ATM.

Amazon's Doorbell Company Is Selling Fear

Sat, 05/04/2019 - 12:34
Amazon Ring is building "a team of news editors who deliver breaking crime news alerts to our neighbors," reports the director of Nieman Journalism Lab, in a post from The Atlantic: That's right: A doorbell company wants to report crime news. It already is, actually. Several people on LinkedIn describe their jobs as "news editors" at Ring... I'm going to go out on a limb and say that this is a really bad idea. Crime has declined enormously over the past 25 years, but people's perception of how much crime there is has not. A majority of Americans have said that crime is increasing in each of the past 16 years -- despite crime in each major category being significantly lower today than it used to be. A 2016 Pew survey found that only 15 percent of Americans believed (correctly) that crime was lower in 2016 than it had been in 2008 -- versus 57 percent who thought it had gotten worse... These mistaken beliefs are driven largely by the editorial decisions of local media -- especially local TV newscasts, which are just as bloody today as they were when murder rates were twice as high. There's a term for it: "mean world syndrome," the phenomenon where media consumption makes people see the world as more violent and dangerous than it really is... But news organizations have multiple and sometimes conflicting incentives that might affect how they present the local police blotter. A company that sells security-optimized doorbells has only one incentive: emphasizing that the world is a scary place, and you need to buy our products to protect you.... So think about this managing-editor job. Ring wants to be "covering local crime" everywhere, down to the house and neighborhood level. So one managing editor, plus however many other people are on this team, is supposed to be creating a thoughtful, nonexploitative editorial product that is sending journalistically sound "breaking news crime alerts," in real time, all across the country.
Are they really delivering news or just regular pulses of fear in push-notification form? If that's the job, it is literally impossible to do responsibly... It's like relying on the people who make antivirus software to tell you about the latest cybersecurity issues: Even when the reporting is sound, it's still prone to exaggerating the scale of the threat and still aimed at making you so afraid that you give them money. The article's author spent 10 years working for newspapers (most recently the Dallas Morning News), and argues that "the reality is that 'breaking crime news alerts' are not something the majority of people needs -- especially if 'two Greenpeace volunteers stood on my porch for 30 seconds' is the bar we're talking about. It's not actionable intelligence -- it's puffing a little more air into an atmosphere of fear..." He concludes that Amazon Ring "says it's selling safety, but it's really selling fear."

How Amazon's Facial-Recognition Technology is Supercharging Local Police

Sat, 05/04/2019 - 11:34
An anonymous reader quotes the Washington Post: Deputies in this corner of western Oregon outside ultraliberal Portland used to track down criminals the old-fashioned way, faxing caught-on-camera images of a suspect around the office in hope that someone might recognize the face. Then, in late 2017, the Washington County Sheriff's Office became the first law enforcement agency in the country known to use Amazon's artificial-intelligence tool Rekognition, transforming this thicket of forests and suburbs into a public testing ground for a new wave of experimental police surveillance techniques. Almost overnight, deputies saw their investigative powers supercharged, allowing them to scan for matches of a suspect's face across more than 300,000 mug shots taken at the county jail since 2001. A grainy picture of someone's face -- captured by a security camera, a social media account or a deputy's smartphone -- can quickly become a link to their identity, including their name, family and address. More than 1,000 facial-recognition searches were logged last year, said deputies, who sometimes used the results to find a suspect's Facebook page or visit their home... "Just like any of our investigative techniques, we don't tell people how we catch them," said Robert Rookhuyzen, a detective on the agency's major crimes team who said he has run "several dozen" searches and found it helpful about 75% of the time. "We want them to keep guessing... But lawyers in Oregon said the technology should not be, as many see it, an imminent step forward for the future of policing, and they frame the system not as a technical milestone but a moral one: Is it OK to nab more bad guys if more good guys might get arrested, too? "People love to always say, âHey, if it's catching bad people, great, who cares,' " said Joshua Crowther, a chief deputy defender in Oregon, "until they're on the other end." 
The article acknowledges that no one's challenged their arrests on the grounds of a mistaken photo match -- but it still feels a little creepy. "In one case, an inmate was talking to his girlfriend on a jailhouse phone when she said there was a warrant out for her arrest. Deputies went to the inmate's Facebook page, found an old video with her singing and ran a facial-recognition search to get her name; she was arrested within days." And the article also notes that Amazon's doorbell camera Ring "applied last year for a facial-recognition patent that could flag 'suspicious' people at a user's doorstep." A Ring spokeswoman said the company's patent applications are intended to "explore the full possibilities of new technology."

Security Lapse Exposed a Chinese Smart City Surveillance System

Sat, 05/04/2019 - 04:30
An anonymous reader shares a report: Smart cities are designed to make life easier for their residents: better traffic management by clearing routes, making sure the public transport is running on time and having cameras keeping a watchful eye from above. But what happens when that data leaks? One such database was open for weeks for anyone to look inside. Security researcher John Wethington found a smart city database accessible from a web browser without a password. He passed details of the database to TechCrunch in an effort to get the data secured. The database was an Elasticsearch database, storing gigabytes of data -- including facial recognition scans on hundreds of people over several months. The data was hosted by Chinese tech giant Alibaba. The customer, which Alibaba did not name, tapped into the tech giant's artificial intelligence-powered cloud platform, known as City Brain. "This is a database project created by a customer and hosted on the Alibaba Cloud platform," said an Alibaba spokesperson. "Customers are always advised to protect their data by setting a secure password." "We have already informed the customer about this incident so they can immediately address the issue. As a public cloud provider, we do not have the right to access the content in the customer database," the spokesperson added. The database was pulled offline shortly after TechCrunch reached out to Alibaba. But while Alibaba may not have visibility into the system, we did.

UK's Tax Authority To Delete Five Million Biometric Voice Records Because it Did Not Have Clear Consent From Its Customers

Fri, 05/03/2019 - 10:01
The UK's tax authority is to delete the biometric voice records of five million people because it did not have clear consent from its customers to hold those files. From a report: HM Revenue and Customs (HMRC) uses the Voice ID biometric voice security system to make it easier for callers to pass its security processes when discussing their account. It says using the system will reduce the time it takes to speak to an advisor and will help prevent anyone else accessing accounts. But the UK's data privacy watchdog, the Information Commissioner's Office (ICO), said that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. "This is a breach of the General Data Protection Regulation," the ICO said. Steve Wood, Deputy Commissioner at the ICO, said: "We welcome HMRC's prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law -- HMRC appears to have given little or no consideration to it with regard to its Voice ID service." Under the GDPR, biometric data is considered special category information and is subject to stricter conditions.

Western Allies Agree 5G Security Guidelines, Warn of Outside Influence

Fri, 05/03/2019 - 09:00
Global security officials agreed a set of proposals on Friday for future 5G networks, highlighting concerns about equipment supplied by vendors that might be subject to state influence. From a report: No suppliers were named, but the United States has been pressing allies to limit the role of Chinese telecom equipment makers such as Huawei over concerns their gear could be used by Beijing for spying. Huawei denies this. "The overall risk of influence on a supplier by a third country should be taken into account," participants at the conference in the Czech capital said in a non-binding statement released on the last day of the two-day gathering. Representatives from 30 European Union, NATO and countries such as the United States, Germany, Japan and Australia attended the meeting to hash out an outline of practices that could form a coordinated approach to shared security and policy measures.