
Tag Archives: policy

Here’s how to see if you’re among the 30 million compromised Facebook users

(Image credit: Getty Images | NurPhoto) The attackers who carried out the mass hack that Facebook disclosed two weeks ago obtained user account data belonging to as many as 30 million users, the social network said on Friday. Some of that data—including phone numbers, email addresses, birth dates, searches, location check-ins, and the types of devices used to access the site—came from private accounts or was supposed to be restricted only to friends. The revelation is the latest black eye for Facebook as it tries to recover from the scandal that came to light earlier this year in which Cambridge Analytica funneled highly personal details of more than 80 million users to an organization supporting then-presidential candidate Donald Trump. When Facebook disclosed the latest breach two weeks ago, CEO Mark Zuckerberg said he didn’t know if it allowed attackers to steal users’ private data. Friday’s update made clear that it did, although the 30 million people affected was less than the 50 million estimate previously given. Readers can check this link to see what, if any, data was obtained by the attackers. On a conference call with reporters, Vice President of Product Management Guy Rosen said that at the request of the FBI, which is investigating the hack, Facebook isn’t providing any information about who the attackers are or their motivations or intentions. That means that for now, affected users should be extra vigilant when reading emails, taking calls, and receiving other types of communications. The ability to know the search queries, location check-ins, phone numbers, email addresses, and other personal details of so many people gives the attackers the ability to send highly customized emails, texts, and voice calls that may try to trick people into turning over money, passwords, or other high-value information.

If Supermicro boards were so bug-ridden, why would hackers ever need implants?

(Image: A Supermicro motherboard. Credit: Supermicro) By now, everyone knows the premise behind two unconfirmed Bloomberg articles that have dominated security headlines over the past week: spies from China got multiple factories to sneak data-stealing hardware into Supermicro motherboards before the servers that used them were shipped to Apple, Amazon, an unnamed major US telecommunications provider, and more than two dozen other unnamed companies. Motherboards that wound up inside the networks of Apple, Amazon, and more than two dozen unnamed companies reportedly included a chip no bigger than a grain of rice that funneled instructions to the baseboard management controller, a motherboard component that allows administrators to monitor or control large fleets of servers, even when they’re turned off or corrupted. The rogue instructions, Bloomberg reported, caused the BMCs to download malicious code from attacker-controlled computers and have it executed by the server’s operating system. Motherboards that Bloomberg said were discovered inside a major US telecom had an implant built into their Ethernet connector that established a “covert staging area within sensitive networks.” Citing Yossi Appleboum, a co-CEO of the security company reportedly hired to scan the unnamed telecom’s network for suspicious devices, Bloomberg said the rogue hardware was implanted at the time the server was being assembled at a Supermicro subcontractor factory in Guangzhou. Like the tiny chip reportedly controlling the BMC in Apple and Amazon servers, Bloomberg said the Ethernet manipulation was “designed to give attackers invisible access to data on a computer network.”

Robocallers “evolved” to sidestep new call blocking rules, AGs tell FCC

(Image credit: Getty Images | vladru) The Federal Communications Commission should let phone companies get more aggressive in blocking robocalls, 35 state attorneys general told the commission yesterday. The FCC last year authorized voice service providers to block more types of calls in which the Caller ID has been spoofed or in which the number on the Caller ID is invalid. But the FCC did not go far enough, and robocallers have "evolved" to evade the new rules, the 35 attorneys general wrote in an FCC filing: One specific method which has evolved recently is a form of illegal spoofing called "neighbor spoofing." A neighbor-spoofed call will commonly appear on a consumer's caller ID with the same area code and local exchange as the consumer to increase the likelihood he/she will answer the call. In addition, consumers have recently reported receiving calls where their own phone numbers appeared on their caller ID. A consumer who answered one such call reported the caller attempted to trick her by saying he was with the phone company and required personal information to verify the account, claiming it had been hacked. The attorneys general said they "encourage the FCC to adopt rules authorizing providers to block these and other kinds of illegally spoofed calls."
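
The neighbor-spoofing pattern the attorneys general describe is easy to turn into a triage heuristic: normalise the presented Caller ID, then compare its area code (NPA) and local exchange (NXX) against the called subscriber's own number, with the "your own number is calling you" case as a separate, higher-confidence verdict. The script below is an added example written for this page, not code from the FCC filing or from any carrier; the record format (`timestamp, caller_id, called`), the verdict labels and the fictional 555-01xx sample numbers are all constructed for illustration, and the check is a client- or analyst-side heuristic rather than a carrier's actual blocking logic.

```python
"""Neighbor-spoofing triage over constructed call records.

Illustrative detection heuristic, not a carrier's actual blocking logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NanpNumber:
    npa: str   # area code
    nxx: str   # local exchange (central office code)
    line: str  # subscriber line


def parse_nanp(raw: str) -> Optional[NanpNumber]:
    """Normalise a North American number; None if it is structurally invalid."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    if len(digits) != 10:
        return None
    npa, nxx, line = digits[:3], digits[3:6], digits[6:]
    # NANP rule: neither the area code nor the exchange may begin with 0 or 1.
    if npa[0] in "01" or nxx[0] in "01":
        return None
    return NanpNumber(npa, nxx, line)


def classify_caller_id(subscriber: str, caller_id: str) -> str:
    """Label a presented Caller ID relative to the called subscriber's number."""
    cid = parse_nanp(caller_id)
    if cid is None:
        return "invalid"                 # not a well-formed NANP number at all
    sub = parse_nanp(subscriber)
    if sub is None:
        return "unknown"                 # cannot compare without a valid subscriber number
    if cid == sub:
        return "own-number-spoof"        # the consumer's own number is presented
    if (cid.npa, cid.nxx) == (sub.npa, sub.nxx):
        return "neighbor-spoof-suspect"  # same area code and local exchange
    if cid.npa == sub.npa:
        return "same-area-code"
    return "other"


def triage(subscriber: str, cdr_lines: list[str]) -> dict[str, list[str]]:
    """Group caller IDs from 'timestamp, caller_id, called' records by verdict."""
    verdicts: dict[str, list[str]] = {}
    for line in cdr_lines:
        _, caller_id, called = (f.strip() for f in line.split(",", 2))
        if parse_nanp(called) != parse_nanp(subscriber):
            continue  # record belongs to a different subscriber
        verdicts.setdefault(classify_caller_id(subscriber, caller_id), []).append(caller_id)
    return verdicts


# Constructed sample records (fictional 555-01xx numbers), not real call data.
SUBSCRIBER = "+1 (202) 555-0199"
SAMPLE_CDR = [
    "2018-10-09T14:02:11Z, 202-555-0199, 202-555-0199",    # own number presented
    "2018-10-09T14:05:40Z, 202-555-0134, 202-555-0199",    # same NPA-NXX
    "2018-10-09T14:07:02Z, 12025550177, 202-555-0199",     # same NPA-NXX, with country code
    "2018-10-09T14:09:55Z, 202-321-0001, 202-555-0199",    # same area code only
    "2018-10-09T14:12:18Z, +1 415 555 0142, 202-555-0199", # unrelated number
    "2018-10-09T14:15:33Z, 011-555-0100, 202-555-0199",    # structurally invalid NPA
    "2018-10-09T14:16:00Z, 202-555-0134, 202-555-0150",    # different subscriber, skipped
]

if __name__ == "__main__":
    for verdict, numbers in triage(SUBSCRIBER, SAMPLE_CDR).items():
        print(f"{verdict:24s} {numbers}")
```

The "invalid" verdict corresponds to the structurally impossible numbers the FCC already lets providers block; the NPA-NXX match is only a suspicion signal, since a genuine neighbour shares the same exchange, which is exactly why the attorneys general asked for broader authority rather than relying on this pattern alone.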

Ajit Pai’s 5G plans make it harder for small ISPs to deploy broadband

(Image: FCC Chairman Ajit Pai speaking at a press conference on October 1, 2018 in Washington, DC. Credit: Getty Images | Mark Wilson) The Federal Communications Commission is changing the rules for an upcoming spectrum auction in a way that will make it harder for small carriers to buy spectrum for deploying broadband. The change—requested by T-Mobile, AT&T, and Verizon—will help the big carriers deploy nationwide 5G networks, according to Chairman Ajit Pai's proposal. But the change will also make it harder for small companies to buy spectrum that could be used to fill broadband gaps in rural areas. In 2015, the Obama-era FCC set aside spectrum between 3550MHz and 3700MHz for a new Citizens Broadband Radio Service (CBRS) and ruled that 10MHz licenses would be auctioned off in individual Census tracts, which are small areas containing between 1,200 and 8,000 people each. Selling spectrum licenses in such small areas was meant to give small companies a shot at buying spectrum and deploying wireless broadband in underserved areas.

Why would Exxon donate $1 million to a carbon tax initiative?

(Image: MIDLAND, Tex. - JANUARY 20: A pumpjack sits on the outskirts of town at dawn in the Permian Basin oil field on January 21, 2016 in the oil town of Midland, Texas. Credit: Spencer Platt/Getty Images) On Wednesday, The Wall Street Journal reported that ExxonMobil had committed $1 million to a Republican-led carbon tax initiative called Americans for Carbon Dividends (AFCD). The story is a bit surprising on its face: it seems counterintuitive that an oil company would want to give money to an initiative that would tax its (considerable) carbon contribution. The other surprising factor is that some Republicans, who have traditionally resisted both climate policy and tax increases, are advocating for both. But dig a little deeper and the story isn't terribly surprising. For ExxonMobil's part, the company has been fighting an image battle in recent years: it's facing significant lawsuits alleging that its scientists knew about climate change for decades and actively misled investors about it through advertisements and other public denials. Consequently, Exxon has made choices in recent years to reflect a more "eco-conscious" oil company, pledging to reduce methane emissions by 15 percent by 2020, for example. Furthermore, Exxon's $1 million commitment is a drop in the company's considerable bucket. The donation to AFCD is just 0.00027 percent of ExxonMobil's $366 billion market capitalization, suggesting it isn't reflective of any serious change of course for the company. Additionally, that donation will be split up into two payments of $500,000, so the burden is even less significant.

After throttling firefighters, Verizon praises itself for “saving lives”

(Image: A firefighter in a Verizon ad touting the carrier's commitment to public safety. Credit: Verizon) Verizon is touting its commitment to firefighters and public safety in a new ad, released weeks after Verizon throttled the Santa Clara County fire department while it was fighting California's largest-ever wildfire. "From coast to coast and everywhere in between, people rely on us to ensure they can communicate when they need it most," Verizon said in an introduction to the new ad. "Our innovations and technology allow first responders to do their jobs. What we do saves lives." The ad, titled "Enabling heroes," received a chilly reception on YouTube, leading Verizon to disable comments and voting on the video. The video is still being panned in a Reddit discussion.

Hidden fees that raise price of broadband would be banned by proposed law

(Image: Bill shock. Credit: Getty Images | Biddiboo) US Rep. Anna Eshoo (D-Calif.) today introduced legislation that would require telecom companies to include all charges in their advertised prices, potentially ending the practice of advertising low prices and then socking customers with loads of extra fees. The bill would also force telecom companies to justify price increases that occur during a contract term, and it would let consumers opt out of contracts without paying termination fees when prices are increased. The bill would also prohibit providers from requiring arbitration in the case of billing errors, thus preserving consumers' rights to sue the providers over price disputes. Eshoo's TRUE Fees Act (Truth-In-Billing, Remedies, and User Empowerment over Fees) would apply to phone, TV, and home or mobile Internet providers. The bill isn't likely to get much support from Republicans in Congress, who have generally protected Internet providers from new requirements.

Boeing/Saab joint T-X design wins Air Force’s jet trainer competition

(Image: The Boeing/Saab T-X has won the Air Force's advanced jet trainer contract. Credit: Boeing) The end-of-the-year contract rush for the US Defense Department has been good to Boeing. As the clock ticks down on the fiscal year, Boeing grabbed its third DOD contract in a month. This time, it's the Air Force's T-X next-generation advanced jet trainer contract. Boeing's joint bid with Swedish aerospace company Saab came in more than 50 percent below the Air Force's initial cost estimate, shutting out Lockheed and the US subsidiary of Leonardo (formerly Finmeccanica). Both of those entities bid trainers based on existing aircraft. The award comes less than a week after the Air Force awarded a Boeing-Leonardo bid the win for the Air Force's replacement of its UH-1 nuclear security helicopters. And on August 30, Boeing won the Navy's MQ-25 unmanned carrier-launched tanker contract. The T-X is designed to bring pilot training into the 21st century, providing an aircraft to train pilots in the pipeline to fly the F-35 Lightning II. The new jets—at least 351 of them—will replace the Air Force's aging fleet of Northrop T-38 trainers. Those T-38s, based on the Northrop F-5 fighter, have been in service since the 1960s. The new contract also includes 46 training simulators and ground equipment. It could eventually be expanded to 475 aircraft and may also result in international sales to other countries who have committed to buying the F-35.

Defcon Voting Village report: Bug in one system could “flip Electoral College”

(Image: A voting machine is submitted to abuse in DEF CON's Voting Village. Credit: Sean Gallagher) Today, six prominent information-security experts who took part in DEF CON's Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. "Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election," the authors of the report warned. The machine in question, the ES&S M650, is used for counting both regular and absentee ballots. The device from Election Systems & Software of Omaha, Nebraska, is essentially a networked high-speed scanner like those used for scanning standardized-test sheets, usually run on a network at the county clerk's office. Based on the QNX 4.2 operating system—a real-time operating system developed and marketed by BlackBerry, currently up to version 7.0—the M650 uses Iomega Zip drives to move election data to and from a Windows-based management system. It also stores results on a 128-megabyte SanDisk Flash storage device directly mounted on the system board. The results of tabulation are output as printed reports on an attached pin-feed printer. The report authors—Matt Blaze of the University of Pennsylvania, Jake Braun of the University of Chicago, David Jefferson of the Verified Voting Foundation, Harri Hursti and Margaret MacAlpine of Nordic Innovation Labs, and DEF CON founder Jeff Moss—documented dozens of other severe vulnerabilities found in voting systems. They found that four major areas of "grave and undeniable" concern need to be addressed urgently. One of the most critical is the lack of any sort of supply-chain security for voting machines—there is no way to test the machines to see if they are trustworthy or if their components have been modified.

Facebook rolls out photo/video fact checking so partners can train its AI

Sometimes fake news lives inside of Facebook as photos and videos designed to propel misinformation campaigns, instead of off-site on news articles that can generate their own ad revenue. To combat these politically rather than financially motivated meddlers, Facebook has to be able to detect fake news inside of images and the audio that accompanies video clips. Today it's expanding its photo and video fact checking program from four countries to all 23 of its fact-checking partners in 17 countries. “Many of our third-party fact-checking partners have expertise evaluating photos and videos and are trained in visual verification techniques, such as reverse image searching and analyzing image metadata, like when and where the photo or video was taken,” says Facebook product manager Antonia Woodford. “As we get more ratings from fact-checkers on photos and videos, we will be able to improve the accuracy of our machine learning model.” The goal is for Facebook to be able to automatically spot manipulated images, out-of-context images that don’t show what they say they do, or text and audio claims that are provably false. In last night’s epic 3,260-word security manifesto, Facebook CEO Mark Zuckerberg explained that “The definition of success is that we stop cyberattacks and coordinated information operations before they can cause harm.” That means using AI to proactively hunt down false news rather than waiting for it to be flagged by users. For that, Facebook needs AI training data that will be produced as exhaust from its partners’ photo and video fact checking operations. Facebook is developing technology tools to assist its fact checkers in this process. “We use optical character recognition (OCR) to extract text from photos and compare that text to headlines from fact-checkers’ articles. We are also working on new ways to detect if a photo or video has been manipulated,” Woodford notes, referring to deepfakes that use AI video editing software to make someone appear to say or do something they haven’t. Image memes were one of the most popular forms of disinformation used by the Russian IRA election interferers. The problem is that since they’re so easily re-shareable and don’t require people to leave Facebook to view them, they can get viral distribution from unsuspecting users who don’t realize they’ve become pawns in a disinformation campaign.

UK’s mass surveillance regime violated human rights law, finds ECHR

In another blow to the UK government’s record on bulk data handling for intelligence purposes, the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law. Arguments against the UK intelligence agencies’ bulk collection and data sharing practices were heard by the court in November last year. In today’s ruling the ECHR found that only some aspects of the UK’s surveillance regime violate human rights law. So it’s not all bad news for the government — which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by NSA whistleblower Edward Snowden, back in 2013. The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it — reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges. The complaints before the ECHR focused on three different surveillance regimes: 1) the bulk interception of communications (aka ‘mass surveillance’); 2) intelligence sharing with foreign governments; and 3) the obtaining of communications data from communications service providers. The challenge actually combines three cases, with the action brought by a coalition of civil and human rights campaigners, including the American Civil Liberties Union, Amnesty International, Big Brother Watch, Liberty, Privacy International and nine other human rights and journalism groups based in Europe, Africa, Asia and the Americas. The Chamber judgment from the ECHR found, by a majority of five votes to two, that the UK’s bulk interception regime violates Article 8 of the European Convention on Human Rights (a right to respect for private and family life/communications) — on the grounds that “there was insufficient oversight both of the selection of Internet bearers for interception and the filtering; search and selection of intercepted communications for examination; and the safeguards governing the selection of ‘related communications data’ for examination were inadequate”. The judges did not find bulk collection itself to be in violation of the convention but noted that such a regime must respect criteria set down in case law. In an even more pronounced majority vote, the Chamber found by six votes to one that the UK government’s regime for obtaining data from communications service providers violated Article 8 as it was “not in accordance with the law”. Both the bulk interception regime and the regime for obtaining communications data from communications service providers were also deemed to have violated Article 10 of the Convention (the right to freedom of expression and information), as the judges found there were insufficient safeguards in respect of confidential journalistic material.

Facebook assigns you a fake-news-flagging trustworthiness score

A new way to attack Facebook is to fraudulently report a news story as false in hopes of reducing its visibility, either because someone wants to censor it or just doesn’t agree with it. Sometimes known as “brigading,” a concerted effort by trolls to flag a piece of content can reduce its visibility. Facebook now sends stories reported as false to third-party fact checkers, and these purposefully inaccurate reports can clog the already-overcrowded queues that fact checkers struggle to work through. That’s why Facebook gives users a trustworthiness score ranging from 0 to 1 depending on the reliability of their flags of false news, The Washington Post reports. If they flag something as false news but fact checkers verify it as true, that could hurt their score and reduce how heavily Facebook factors in their future flagging. If users consistently report false news that’s indeed proven to be false, their score improves and Facebook will trust their future flagging more. Facebook’s News Feed product manager Tessa Lyons confirmed the scoring system exists. There’s currently no way to see your own or someone else’s trustworthiness score. And other signals are used to compute the score as well, though Facebook won’t reveal them for fear of trolls gaming the system.

Friend-ranking scores

This isn’t the only way Facebook ranks users, though. It assigns you a shifting score of affinity toward each of your friends that determines how frequently you see them in the News Feed.
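
The feedback loop the article describes (a flag that fact-checkers refute lowers the reporter's weight, a confirmed flag raises it, and future flags count in proportion to that weight) is a standard anti-brigading pattern. The script below is an added illustration written for this page, not Facebook's code: the Beta(1, 3) prior, the escalation threshold and the brigade-versus-reliable-reporters scenario are all assumptions chosen to show the mechanics, and the article itself notes that Facebook's other input signals are not public. The point it demonstrates is that twenty accounts with a history of refuted flags contribute less weighted flag mass than four accounts with a track record of confirmed flags, so the brigade alone does not reach the fact-checkers' queue.

```python
"""Reporter-reliability weighting for false-news flags.

Illustrative reputation scheme (a smoothed hit rate) built for this page; the
signals Facebook actually uses are not public.
"""
from __future__ import annotations

from dataclasses import dataclass

# Beta(1, 3) prior (an assumption): an account with no track record starts at
# 0.25, so it takes a run of confirmed flags to earn weight and a fresh account
# contributes little on its own.
PRIOR_CONFIRMED = 1.0
PRIOR_REFUTED = 3.0
ESCALATION_THRESHOLD = 3.0  # weighted flag mass needed to queue an item for fact-checkers


@dataclass
class Reporter:
    confirmed: int = 0  # flags on content fact-checkers later rated false
    refuted: int = 0    # flags on content fact-checkers rated true


def trust_score(r: Reporter) -> float:
    """Posterior mean of the reporter's flag accuracy, always within [0, 1]."""
    return (r.confirmed + PRIOR_CONFIRMED) / (
        r.confirmed + r.refuted + PRIOR_CONFIRMED + PRIOR_REFUTED
    )


def record_fact_check(reporters: list[Reporter], rating: str) -> None:
    """Update everyone who flagged an item once fact-checkers have rated it."""
    for r in reporters:
        if rating == "false":
            r.confirmed += 1   # the flag was right
        elif rating == "true":
            r.refuted += 1     # the flag was wrong, or malicious
        # any other outcome (e.g. a mixed rating) leaves the score untouched


def weighted_flag_mass(reporters: list[Reporter]) -> float:
    """Each flag counts for the reporter's trust score rather than for 1."""
    return sum(trust_score(r) for r in reporters)


def should_escalate(reporters: list[Reporter]) -> bool:
    """Queue the item for human fact-checking only when trusted mass is high enough."""
    return weighted_flag_mass(reporters) >= ESCALATION_THRESHOLD


def simulate() -> dict[str, object]:
    """Constructed scenario: a 20-account brigade versus four reliable reporters."""
    brigade = [Reporter(confirmed=0, refuted=5) for _ in range(20)]
    reliable = [Reporter(confirmed=40, refuted=2) for _ in range(4)]
    result: dict[str, object] = {
        "brigade_mass": weighted_flag_mass(brigade),
        "brigade_escalates": should_escalate(brigade),
        "reliable_mass": weighted_flag_mass(reliable),
        "reliable_escalates": should_escalate(reliable),
    }
    # Suppose fact-checkers review the brigaded story anyway and rate it true:
    # every brigade account is refuted once more and loses weight.
    record_fact_check(brigade, "true")
    result["brigade_score_after"] = trust_score(brigade[0])
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:22s} {value}")
```

A fresh account with no history scores 0.25 under this prior; a fleet of brand-new accounts can still accumulate mass, which is why a real system combines the score with other signals, as the article says Facebook does.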

Microsoft shuts down phishing sites, accuses Russia of new election meddling

(Image: Russian President Vladimir Putin speaks during the Moscow Urban Forum 2018 on July 18, 2018 in Moscow, Russia. Credit: Getty Images | Mikhail Svetlov) Russia has denied any knowledge of a spear phishing attempt that allegedly mimicked the domains of the US Senate and two US-based think tanks. Russia's denial came after Microsoft said it detected and shut down the campaign. "Last week, Microsoft's Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six Internet domains created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28," Microsoft Chief Legal Officer Brad Smith wrote in Microsoft's announcement Monday. "We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group."

Caesars Palace not-so-Praetorian guards intimidate DEF CON goers, seize soldering irons

(Image: This sign is an invitation for a room search at some Las Vegas hotels. Credit: Getty Images) In the wake of the mass shooting in Las Vegas in October of 2017, hotels in the city started drafting more aggressive policies regarding security. Just as Caesars Entertainment was rolling out its new security policies, the company ran head on into DEF CON—an event with privacy tightly linked to its culture. The resulting clash of worlds—especially at Caesars Palace, the hotel where much of DEF CON was held—left some attendees feeling violated, harassed, or abused, and that exploded onto Twitter this past weekend. Caesars began rolling out a new security policy in February that mandated room searches when staff had not had access to rooms for over 24 hours. Caesars has been mostly tolerant of the idiosyncratic behavior of the DEF CON community, but it's not clear that the company prepared security staff for dealing with the sorts of things they would find in the rooms of DEF CON attendees. Soldering irons and other gear were seized, and some attendees reported being intimidated by security staff.