Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com) 171

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."
Transportation

Is Homeland Security's Face-Scanning At Airports An Unreasonable Search? (technologyreview.com) 146

schwit1 shares an article from MIT's Technology Review: Facial-recognition systems may indeed speed up the boarding process, as the airlines rolling them out promise. But the real reason they are cropping up in U.S. airports is that the government wants to keep better track of who is leaving the country, by scanning travelers' faces and verifying those scans against photos it already has on file... The U.S. Department of Homeland Security has partnered with airlines including JetBlue and Delta to introduce such recognition systems at New York's JFK International Airport, Washington's Dulles International, and airports in Atlanta, Boston, and Houston, among others. It plans to add more this summer...

As facial-recognition technology has improved significantly in recent years, it has attracted the interest of governments and law enforcement agencies. That's led to debates over whether certain uses of the technology violate constitutional protections against unreasonable searches... Harrison Rudolph, a law fellow at Georgetown Law's Center on Privacy and Technology, and others are raising alarms because as part of the process, U.S. Customs and Border Protection is also scanning the faces of U.S. citizens... They say Congress has never expressly authorized the collection of facial scans from U.S. citizens at the border routinely and without suspicion.

"We aren't entirely sure what the government is doing with the images," the article adds, though it notes that the Department of Homeland Security is saying that it deletes all data pertaining to the images after two weeks. But Slashdot reader schwit1 is still worried about the possibility of an irretrievable loss of privacy, writing that "If the DHS database gets hacked, it's hard to get a new face."
Medicine

New Study Finds How Much Sleep Fitbit Users Really Get 75

Fitbit has published the results of a study that uses their longitudinal sleep database to analyze millions of nights of Sleep Stages data to determine how age, gender, and duration affect sleep quality. (Sleep Stages is a relatively new Fitbit feature that "uses motion detection and heart rate variability to estimate the amount of time users spend awake in light, deep, and REM sleep each night.") Here are the findings: The average Fitbit user is in bed for 7 hours and 33 minutes but only gets 6 hours and 38 minutes of sleep. The remaining 55 minutes is spent restless or awake. That may seem like a lot, but it's actually pretty common. That said, 6 hours and 38 minutes is still shy of the 7+ hours the the CDC recommends adults get. For the second year in a row Fitbit data scientists found women get about 25 minutes more sleep on average each night compared to men. The percentage of time spent in each sleep stage was also similar -- until you factor in age. Fitbit data shows that men get a slightly higher percentage of deep sleep than women until around age 55 when women take the lead. Women win when it comes to REM, logging an average of 10 more minutes per night than men. Although women tend to average more REM than men over the course of their lifetime, the gap appears to widen around age 50.
Security

WikiLeaks Dump Reveals CIA Malware For Tracking Windows Devices Via WiFi Networks (bleepingcomputer.com) 85

WikiLeaks has published the documentation manual for an alleged CIA tool that can track users of Wi-Fi-capable Windows devices based on the Extended Service Set (ESS) data of nearby Wi-Fi networks. According to the tool's 42-page manual, the tool's name is ELSA. Bleeping Computer has an image embedded in its report that explains how the tool works. There are six steps that summarize the ELSA operation. Bleeping Computer reports: Step 1: CIA operative configures ELSA implant (malware) based on a target's environment. This is done using a tool called the "PATCHER wizard," which generates the ELSA payload, a simple DLL file.
Step 2: CIA operative deploys ELSA implant on target's Wi-Fi-enabled Windows machine. Because ELSA is an implant (malware), the CIA operator will likely have to use other CIA hacking tools and exploits to place the malware on a victim's PC.
Step 3: The implant begins collecting Wi-Fi access point information based on the schedule set by the operator. Data collection can happen even if the user is disconnected from a Wi-Fi network.
Step 4: When the target user connects to the Internet, ELSA will take the collected Wi-Fi data and query a third-party database for geolocation information.
Step 5: The CIA operative connects to the target's computer and fetches the ELSA log. This is done via the tools that allowed the operator to place ELSA on his system, or through other tools.
Step 6: The operator decrypts the log and performs further analysis on their target. Optionally, he can use the collected WiFi data to query alternate EES geo-location databases, if he feels they provide a better accuracy.

Wireless Networking

How A Contractor Exploited A Vulnerability In The FCC Website (wirelessestimator.com) 69

RendonWI writes: A Wisconsin wireless contractor discovered a flaw in the FCC's Antenna Structure Registration (ASR) database, and changed the ownership of more than 40 towers from multiple carriers and tower owners into his company's name during the past five months without the rightful owners being notified by the agency, according to FCC documents and sources knowledgeable of the illegal transfers. Sprint, AT&T and key tower companies were targeted in the wide-ranging thefts... Changing ASR ownership is an easy process by applying online for an FCC Registration Number (FRN) which is instantly granted whether the factual or inaccurate information is provided. Then, once logged in, an FRN holder can submit a form stating that they are the new owner of any or multiple structures in the database. As soon as it is submitted, the change is immediately reflected in the ASR.
Cloud

Should Your Company Switch To Microservices? (cio.com) 118

Walmart Canada claims that it was microservices that allowed them to replace hardware with virtual servers, reducing costs by somewhere between 20 and 50 percent. Now Slashdot reader snydeq shares an article by a senior systems automation engineer arguing that a microservices approach "offers increased modularity, making applications easier to develop, test, deploy, and, more importantly, change and maintain."

The article touts things like cost savings and flexibility for multiple device types, suggesting microservices offer increased resilience and improved scalabiity (not to mention easier debugging and a faster time to market with an incremental development model). But it also warns that organizations need the resources to deploy the new microservices quicky (and the necessary server) -- along with the ability to test and monitor them for database errors, network latency, caching issues and ongoing availability. "You must embrace devops culture," argues the article, adding that "designing for failure is essential... In a traditional setting, developers are focused on features and functionalities, and the operations team is on the hook for production challenges. In devops, everyone is responsible for service provisioning -- and failure."

The original submission ends with a question for Slashdot reader. "What cautions do you have to offer for folks considering tapping microservices for their next application?"
Security

Facial Recognition Is Coming To US Airports (theverge.com) 148

Facial recognition systems will be coming to U.S. airports in the very near future. "Customs and Border Protection first started testing facial recognition systems at Dulles Airport in 2015, then expanded the tests to New York's JFK Airport last year," reports The Verge. "Now, a new project is poised to bring those same systems to every international airport in America." From the report: Called Biometric Exit, the project would use facial matching systems to identify every visa holder as they leave the country. Passengers would have their photos taken immediately before boarding, to be matched with the passport-style photos provided with the visa application. If there's no match in the system, it could be evidence that the visitor entered the country illegally. The system is currently being tested on a single flight from Atlanta to Tokyo, but after being expedited by the Trump administration, it's expected to expand to more airports this summer, eventually rolling out to every international flight and border crossing in the U.S. U.S. Customs and Border Protection's Larry Panetta, who took over the airport portion of the project in February, explained the advantages of facial recognition at the Border Security Expo last week. "Facial recognition is the path forward we're working on," Panetta said at the conference. "We currently have everyone's photo, so we don't need to do any sort of enrollment. We have access to the Department of State records so we have photos of U.S. Citizens, we have visa photos, we have photos of people when they cross into the U.S. and their biometrics are captured into [DHS biometric database] IDENT."
Classic Games (Games)

Original Colossal Cave Adventure Now Playable On Alexa (amazon.com) 36

Last month Eric Raymond announced the open sourcing of the world's very first text adventure. Now Slashdot reader teri1337 brings news about their own special project: A few old-timers here may recall with fond memories the phrase "Somewhere nearby is Colossal Cave..." Well, a voice-playable version of Colossal Cave "Adventure" is now available on Amazon Echo devices as a [free] Alexa Skill. This is a port of the original 1976 text adventure game written by Willie Crowther and Don Woods, which started the interactive fiction genre and led to later games like Infocom's Zork. This version was written from scratch as an AWS Lamda function incorporating the original 350-point game database, and made available with permission from Don Woods.
Government

Russian Cyber Hacks On US Electoral System Far Wider Than Previously Known (bloomberg.com) 520

An anonymous reader shares a Bloomberg article: Russia's cyberattack on the U.S. electoral system before Donald Trump's election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported. In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said. The scope and sophistication so concerned Obama administration officials that they took an unprecedented step -- complaining directly to Moscow over a modern-day "red phone." In October, two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia's role in election meddling and to warn that the attacks risked setting off a broader conflict.
Programming

Developer Accidentally Deletes Production Database On Their First Day On The Job (qz.com) 418

An anonymous reader quotes Quartz: "How screwed am I?" asked a recent user on Reddit, before sharing a mortifying story. On the first day as a junior software developer at a first salaried job out of college, his or her copy-and-paste error inadvertently erased all data from the company's production database. Posting under the heartbreaking handle cscareerthrowaway567, the user wrote, "The CTO told me to leave and never come back. He also informed me that apparently legal would need to get involved due to severity of the data loss. I basically offered and pleaded to let me help in someway to redeem my self and i was told that I 'completely fucked everything up.'"
The company's backups weren't working, according to the post, so the company is in big trouble now. Though Qz adds that "the court of public opinion is on the new guy's side. In a poll on the tech site the Register, less than 1% of 5,400 respondents thought the new developer should be fired. Forty-five percent thought the CTO should go."
EU

EU Seeks New Powers To Obtain Data 'Directly' From Tech Firms (zdnet.com) 40

Zack Whittaker reports via ZDNet: European authorities are seeking new powers to allow police and intelligence agencies to directly obtain user data stored on the continent by U.S. tech companies. The move comes in the wake of an uptick in terrorist attacks, including several attacks in Britain and France, among others across the bloc. Tech companies have been asked to do more to help law enforcement, while police have long argued the process for gathering data overseas is slow and cumbersome. The bloc's justice commissioner, Vera Jourova, presented several plans to a meeting of justice ministers in Luxembourg on Thursday to speed up access for EU police forces to obtain evidence -- including one proposal to allow police to obtain data "directly" from the cloud servers of U.S. tech companies in urgent cases. "Commissioner Jourova presented at the Justice Council three legislative options to improve access to e-evidence," said Christian Wiga, an EU spokesperson, in an email. "Based on the discussion between justice ministers, the Commission will now prepare a legislative proposal," he added. Discussions are thought to have included what kind of data could be made available, ranging from geolocation data to the contents of private messages. Such powers would only be used in "emergency" situations, said Jourova, adding that safeguards would require police to ensure that each request is "necessary" and "proportionate." Further reading: Reuters
Businesses

China Arrests Apple Distributors Who Made Millions on iPhone Data (engadget.com) 9

An anonymous reader shares a report: Police in China's Zhejiang province have arrested 22 (apparently third-party) Apple distributors for allegedly selling iPhone user data. Officials say the workers searched an internal Apple database for sensitive info, such as Apple IDs and phone numbers, and peddled it on the black market for between 10 to 180 yuan with each sale ($1.50 to $26). All told, the distributors reportedly raked in more than 50 million yuan, about $7.36 million, before authorities stepped in.
Databases

Insecure Hadoop Servers Expose Over 5 Petabytes of Data (bleepingcomputer.com) 51

An anonymous reader quotes the security news editor at Bleeping Computer: Improperly configured HDFS-based servers, mostly Hadoop installs, are exposing over five petabytes of information, according to John Matherly, founder of Shodan, a search engine for discovering Internet-connected devices. The expert says he discovered 4,487 instances of HDFS-based servers available via public IP addresses and without authentication, which in total exposed over 5,120 TB of data.

According to Matherly, 47,820 MongoDB servers exposed only 25 TB of data. To put things in perspective, HDFS servers leak 200 times more data compared to MongoDB servers, which are ten times more prevalent... The countries that exposed the most HDFS instances are by far the US and China, but this should be of no surprise as these two countries host over 50% of all data centers in the world.

Transportation

Your Face or Fingerprint Could Soon Replace Your Plane Ticket (washingtonpost.com) 89

Headed on a trip? You may soon be able to ditch your boarding pass in favor of your fingers or face. From a report: Delta announced, on Wednesday, a new biometric identification pilot program that will eventually let you use your fingerprints instead of a plane ticket (Editor's note: the link could be paywalled; alternative source). That followed a JetBlue announcement hours earlier that it is testing a program in Boston that will match pictures of customers' faces with the passport database maintained by U.S. Custom and Border Protections. Delta's program, which kicked off at Washington's Reagan National Airport, is in partnership with Clear, a company that already lets customers skip to the front of security lines without identification.
Security

Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers (bleepingcomputer.com) 83

An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a duplicate replacement key. Gang members used one code to cut the key, while they used the second code while stealing the car, connecting a handheld programming computer to the car, and programming the replacement key's chip, synchronizing it to the car's dashboard. All of this took under 2 minutes and was also possible because Jeep Wranglers allow thieves to pop the hood from the outside of the car and disable the alarm even before using their non-authenticated replacement key. Officials say that all the database queries for the stolen VIN codes came from a Jeep dealer in Cabo San Lucas, Mexico. Court documents don't say if the dealer cooperated or gang members hacked its system. The motorcycle gang's name was Hooligans and the sub-unit that stole the Jeeps was named Dirty 30.
Databases

Vermont DMV Caught Using Illegal Facial Recognition Program (vocativ.com) 109

schwit1 quotes a report from Vocativ: The Vermont Department of Motor Vehicles has been caught using facial recognition software -- despite a state law preventing it. Documents obtained by the American Civil Liberties Union of Vermont describe such a program, which uses software to compare the DMV's database of names and driver's license photos with information with state and federal law enforcement. Vermont state law, however, specifically states that "The Department of Motor Vehicles shall not implement any procedures or processes that involve the use of biometric identifiers." The program, the ACLU says, invites state and federal agencies to submit photographs of persons of interest to the Vermont DMV, which it compares against its database of some 2.6 million Vermonters and shares potential matches. Since 2012, the agency has run at least 126 such searches on behalf of local police, the State Department, FBI, and Immigrations and Customs Enforcement.
AI

How AI Can Infer Human Emotions (oreilly.com) 25

An anonymous reader quotes OReilly.com's interview with the CEO of Affectiva, an emotion-measurement technology company that grew out of MIT's Media Lab. We can mine Twitter, for example, on text sentiment, but that only gets us so far. About 35-40% is conveyed in tone of voice -- how you say something -- and the remaining 50-60% is read through facial expressions and gestures you make. Technology that reads your emotional state, for example by combining facial and voice expressions, represents the emotion AI space. They are the subconscious, natural way we communicate emotion, which is nonverbal and which complements our language... Facial expressions and speech actually deal more with the subconscious, and are more unbiased and unfiltered expressions of emotion...

Rather than encoding specific rules that depict when a person is making a specific expression, we instead focus our attention on building intelligent algorithms that can be trained to recognize expressions. Through our partnerships across the globe, we have amassed an enormous emotional database from people driving cars, watching media content, etc. A portion of the data is then passed on to our labeling team, who are certified in the Facial Action Coding System...we have gathered 5,313,751 face videos, for a total of 38,944 hours of data, representing nearly two billion facial frames analyzed.

They got their start testing advertisements, and now are already working with a third of all Fortune 500 companies. ("We've seen that pet care and baby ads in the U.S. elicit more enjoyment than cereal ads -- which see the most enjoyment in Canada.") One company even combined their technology with Google Glass to help autistic children learn to recognize emotional cues.
Security

Hacker Steals 17 Million Zomato Users' Data, Briefly Puts It On Dark Web (hackread.com) 32

Waqas reports via Hack Read: Recently, HackRead found out a vendor going by the online handle of âoenclayâ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace. The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit. Here's a screenshot of the sample data publicly shared by "nclay." Upon testing the sample data on Zomato.com's login page, it was discovered that each and every account mentioned in the list exists on Zomato. Although Zomato didn't reply to our email but in their latest blog post the company has acknowledged the breach. Here's a full preview of the blog post published by Zomato 7hours ago: "Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that's something we do diligently, without fail. We take cyber security very seriously -- if you've been a regular at Zomato for years, you'd agree."
Databases

Font Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts (zdnet.com) 17

A popular font sharing site DaFont.com has been hacked, resulting in usernames, email addresses, and hashed passwords of 699,464 user accounts being stolen. ZDNet reports: The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site's forums. The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database. "I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find." The hacker provided the database to ZDNet for verification.
Open Source

Open Source SQL Database CockroachDB Hits 1.0 (infoworld.com) 80

An anonymous reader quotes InfoWorld: CockroachDB, an open source, fault-tolerant SQL database with horizontal scaling and strong consistency across nodes -- and a name few people will likely forget -- is now officially available. Cockroach Labs, the company behind its development, touts CockroachDB as a "cloud native" database solution -- a system engineered to run as a distributed resource. Version 1.0 is available in both basic and for-pay editions, and both boast features that will appeal to enterprises.

The company is rolling the dice with its handling of the enterprise edition by also making those components open source and trusting that enterprises will pay for what they use in production.

Slashdot Top Deals