Slashdot
News for nerds, stuff that matters

Instagram Displayed Negative Related Hashtags For Biden, But Hid Them For Trump

Wed, 08/05/2020 - 13:05
An anonymous reader shares a report: For at least the last two months, a key Instagram feature, which algorithmically pushes users toward supposedly related content, has been treating hashtags associated with President Donald Trump and presumptive Democratic presidential nominee Joe Biden in very different ways. Searches for Biden also return a variety of pro-Trump messages, while searches for Trump-related topics only returned the specific hashtags, like #MAGA or #Trump -- which means searches for Biden-related hashtags also return counter-messaging, while those for Trump do not. Earlier this week, a search on Instagram for #JoeBiden would have surfaced nearly 390,000 posts tagged with the former vice president's name along with related hashtags selected by the platform's algorithm. Users searching Instagram for #JoeBiden might also see results for #joebiden2020, as well as pro-Trump hashtags like #trump2020landslide and #democratsdestroyamerica. A similar search for #DonaldTrump on the platform, however, provided a totally different experience. Besides showing 7 million posts tagged with the president's name, Instagram did not present any related hashtags that would have pushed users toward different content or promoted alternative viewpoints. The difference between these two results, which an Instagram spokesperson told BuzzFeed News was a "bug," prevented hashtags including #Trump and #MAGA from being associated with potentially negative content. Meanwhile, Instagram hashtags associated with the Democratic presidential candidate -- #JoeBiden and #Biden, for example -- were presented alongside content that included overtly pro-Trump content and attacks on the former vice president.

Read more of this story at Slashdot.

Twitter Says Android Security Bug Gave Access To Direct Messages

Wed, 08/05/2020 - 12:28
Twitter says a security bug may have exposed the private direct messages of its Android app users, but said that there was no evidence that the vulnerability was ever exploited. From a report: The bug could have allowed a malicious Android app running on the same device to siphon off a user's direct messages stored in the Twitter app by bypassing Android's in-built data permissions. But, Twitter said that the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed. A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher "a few weeks ago" through HackerOne, which Twitter uses for its bug bounty program. "Since then, we have been working to keep accounts secure," said the spokesperson. "Now that the issue has been fixed, we're letting people know." Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed.


Apple and Google's COVID-19 Tracking System Will Make Its Full US Debut in New Virginia App

Wed, 08/05/2020 - 11:45
This week, Virginia plans to release a COVID-19 exposure notification app based on the specifications published by Apple and Google in April. From a report: The app, called COVIDWISE, is the first fully deployed implementation of Apple and Google's system in the US and was beta tested by the state department of health. The specification is designed to preserve patient privacy, particularly around their location and whether they have tested positive for COVID-19. "No location data or personal information is ever collected, stored or transmitted to VDH as part of the app," a health department official told Virginia Public Media, which first reported the news. "You can delete the app or turn off exposure notifications at any time." If someone tests positive for the coronavirus, the Virginia Department of Health (VDH) will give them a PIN number that they can choose to use to report that result within the app. Then, other users of the app should get a notification if their phones were near the sick person at some point in the past 14 days. However, those notifications will only go out to phones when the exposure met a threshold for a strength and duration of the Bluetooth signal that can be estimated as a user being within six feet of the other user for 15 minutes (based on the Centers for Disease Control and Prevention's definition of "close contact").


The Galaxy Note 20 Ultra Has Lasers, Plays Xbox Games, And is Just Massive

Wed, 08/05/2020 - 11:04
Samsung today unveiled two Galaxy Note 20 models -- the Note 20 (which starts at $999) and Note 20 Ultra (which starts at $1,299) -- arriving later this month on August 21. Both Note 20 smartphones come with an S Pen, but there are some major differences. Notably, the screen and the cameras are a little bit different. From a report: The smaller Note 20 has a 6.7-inch display with flat edges and the larger Note 20 Ultra has a 6.9-inch 120Hz screen with curved sides. Curved glass has long been a signature design on Samsung phones and it looks like the company is at least considering a change. But the one thing I'm most excited for is the Note 20 Ultra's 108-megapixel camera. This is the same image sensor on the S20 Ultra with one important change: a laser sensor that enables faster autofocusing. In other words: Samsung says it has fixed the S20 Ultra's autofocusing issues on the Note 20 Ultra. I'll test that out soon enough to verify the claim, but for now, here's everything else you need to know about the Note 20 phones. Expand to a TV with DeX: In addition to plugging your Note 20 into a laptop or monitor to turn it into a desktop-like computer experience with DeX mode, Note 20 users can wirelessly connect to a TV with Miracast support. Samsung says all of its 2019 and newer smart TVs support the wireless DeX mode. Smarter Windows integration: Samsung's growing partnership with Microsoft is yielding even tighter synergy between its devices and Windows 10. Samsung says Windows 10 will let you run multiple Note 20 apps simultaneously later this year and has better drag-and-drop support between devices. Xbox Game Pass Ultimate: If you're a gamer, you'll be able to stream over 100 Xbox games directly to the Note 20 phones with Xbox Game Pass Ultimate. This feature doesn't go live until September 15. Ultra-wideband: Like the iPhone 11 and 11 Pro, the Note 20 phones have an ultra-wideband chip inside. 
Samsung says UWB will allow people to share files to another UWB-supported device by pointing them at each other. UWB can also be used to unlock smart locks (for homes or cars).


White House Unveils Partnership To Boost Quantum Science Education

Wed, 08/05/2020 - 10:26
The White House Office of Science and Technology Policy said on Wednesday the Trump administration is launching a national education partnership to expand access to K-12 quantum information science (QIS) education with major companies and research institutions. From a report: The public-private initiative with the National Science Foundation includes Amazon's Amazon Web Services, Boeing, Alphabet's Google, IBM Corp, Lockheed Martin, Microsoft, the University of Illinois and University of Chicago. The National Science Foundation is also awarding $1 million to QIS education. The initiative is designed in part to help introduce students to quantum information themes before college.


Facebook's Instagram Launches TikTok Copycat in Political Storm

Wed, 08/05/2020 - 09:49
Facebook's Instagram photo-sharing app is launching its clone of TikTok in more than 50 countries, a week after Chief Executive Officer Mark Zuckerberg defended the company's copycat strategies to U.S. lawmakers at an antitrust hearing. From a report: The product, called Reels, lets people edit 15-second clips of videos together alongside music, just like on TikTok. It will be embedded into Instagram in the U.S. and elsewhere, the company said Wednesday in a blog post. Reels is the second major Instagram feature that follows an almost identical one popularized by a competitor. Instagram Stories, the tool for posting videos and photos that disappear, was inspired by Snap. Reels isn't Facebook's first attempt at challenging TikTok. Facebook's Lasso, a separate application with similar features that was tested in limited markets, was shut down last month after it failed to win over an audience. Reels may have better luck: it's launching just as TikTok's existence in the U.S. is being challenged by President Donald Trump.


FBI Issues Warning Over Windows 7 End-of-Life

Wed, 08/05/2020 - 09:01
The Federal Bureau of Investigation sent a private industry notification (PIN) on Monday to partners in the US private sector about the dangers of continuing to use Windows 7 after the operating system reached its official end-of-life (EOL) earlier this year. From a report: "The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status," the agency said. "Continuing to use Windows 7 within an enterprise may provide cyber criminals access in to computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered." "With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target," the FBI warned. The Bureau is now asking companies to look into upgrading their workstations to newer versions of the Windows operating system.


Anthony Levandowski Sentenced To 18 Months In Prison, As New $4 Billion Lawsuit Against Uber Is Filed

Wed, 08/05/2020 - 08:00
An anonymous reader quotes a report from TechCrunch: Anthony Levandowski, the former Google engineer and serial entrepreneur who was at the center of a lawsuit between Uber and Waymo, has been sentenced to 18 months on one count of stealing trade secrets. Judge Alsup said that home confinement would "[give] a green light to every future brilliant engineer to steal trade secrets. Prison time is the answer to that." During court proceedings today, Levandowski also agreed to pay $756,499.22 in restitution to Google and a fine of $95,000. "Today marks the end of three and a half long years and the beginning of another long road ahead. I'm thankful to my family and friends for their continued love and support during this difficult time," Levandowski said in a statement provided by his attorneys after the sentencing. The sentencing is the latest in a series of legal blows that have seen Levandowski vilified as a thieving tech bro, unceremoniously ejected from Uber, and forced into bankruptcy by a $179 million award against him. And yet, Levandowski is not skulking away. Even as he faced years in prison, the maverick engineer was plotting a comeback that could see him netting upwards of $4 billion from Uber. TechCrunch has learned that Levandowski recently filed a lawsuit making explosive claims against Waymo and Uber that, if proven, could turn his fortunes around with a multi-billion dollar payout. Whether this is a last-ditch effort by a desperate man whose career has been upended by his own poor choices or a viable claim against a double-dealing tech titan, will be up to the courts to decide. This new lawsuit, filed as part of Levandowski's bankruptcy proceedings, mostly focuses on Uber's agreement to indemnify Levandowski against legal action when it bought his self-trucking company, Otto Trucking. It also includes new allegations concerning the settlement that Waymo and Uber reached over trade secret theft claims.


Hacker Leaks Passwords For 900+ Enterprise VPN Servers

Wed, 08/05/2020 - 05:00
A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet reports: According to a review, the list includes: IP addresses of Pulse Secure VPN servers, Pulse Secure VPN server firmware version, SSH keys for each server, a list of all local users and their password hashes, admin account details, last VPN logins (including usernames and cleartext passwords), and VPN session cookies. Bank Security, a threat intelligence analyst specialized in financial crime [...] noted that all the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability. Bank Security believes that the hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository. Making matters worse, the list has been shared on a hacker forum that is frequented by multiple ransomware gangs. For example, the REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop, and Exorcist ransomware gangs have threads on the same forum, and use it to recruit members (developers) and affiliates (customers). Many of these gangs perform intrusions into corporate networks by leveraging network edge devices like Pulse Secure VPN servers, and then deploy their ransomware payload and demand huge ransom demands. As Bank Security told ZDNet, companies have to patch their Pulse Secure VPNs and change passwords with the utmost urgency.


Riot Games Addresses Burnout and Crunch By Giving Employees a Week Off

Wed, 08/05/2020 - 02:00
Riot Games, the developer of League of Legends and Valorant, will be giving employees the week of August 10th off to "disconnect, recharge, and reboot," the studio announced in a blog post published Tuesday. The Verge reports: Riot has recently expanded beyond its global smash hit League of Legends, including releasing auto battler Teamfight Tactics, Hearthstone-like card game Legends of Runeterra (which are both set in the League of Legends universe), and Valorant, a brand-new tactical shooter that takes cues from Counter Strike: Global Offensive and Overwatch. But in an industry known for overwork and enforced overtime, referred to as "crunch," to ship and maintain games, Riot is giving employees a break to help with their health. "As game developers, we're all hyper aware of the effects of crunch and project-based deadlines," Riot said in its blog. "We owe it to ourselves and to you to prioritize our health as a team (well, many teams) so we can bring you new experiences long into the future." Riot also said it would be "shifting some patches and release timelines a bit" to accommodate the break and that "a few teams are also staggering their time off to make sure everything is running smoothly."


Hackers Could Use IoT Botnets To Manipulate Energy Markets

Tue, 08/04/2020 - 22:30
An anonymous reader quotes a report from Wired: At the Black Hat security conference on Wednesday, [researchers at the Georgia Institute of Technology] will present their findings, which suggest that high-wattage IoT botnets -- made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats -- could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both. The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags. "Our basic assumption is that we have access to a high-wattage IoT botnet," says Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah. "In our scenarios, attacker one is a market player; he's basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage." 
An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen. "The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack," the report adds. "Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. [...] The researchers calculated that market manipulation campaigns would cause, at most, a 7 percent increase in consumers' home electric bills, likely low enough to go unnoticed." The researchers say market manipulators could take home as much as $245 million a year, and cause as much as $350 million per year in economic damage.


Honda Recalls 608,000 Vehicles For Faulty Software

Tue, 08/04/2020 - 21:03
Honda is recalling 608,000 vans and SUVs because of faulty software that can, among other things, cause the backup camera to fail and the driver display to malfunction or reboot. The recalls will begin on September 23rd. The Verge reports: Certain 2018-2020 Odysseys, 2019-2020 Passports, and 2019-2021 Pilots were outfitted with "[i]ncorrect instrument panel control module software" that can cause the display to not show critical information like speed, engine oil pressure, and gear selector position until the car is turned off and on again. The displays can also randomly reboot, according to the National Highway Traffic Safety Administration (NHTSA). The malfunctioning software can also prevent the backup camera feed from showing up. Honda will notify owners, but they'll have to get the software reprogrammed by a dealer. No easy over-the-air software fix here. Another recall involves 500,000 of those same vehicles -- the 2019-2021 Pilots and the 2019-2020 Passports again, but only 2019-2020 Odysseys. These vehicles also have a problem with their "[i]ncorrect central network software programming" that can cause "several errors to occur that can delay or prevent the rearview camera image from displaying." The issue can also mess with the in-car audio. Owners of these cars will have the option of either downloading an over-the-air fix or visiting a dealer. Honda also announced two other recalls on Tuesday for some of these vehicles. Some 2019-2020 Odysseys were outfitted with faulty backup cameras that have developed distorted images over time, while 2018-2020 Odysseys may have a problem with the sliding door latching.


Virtual House Hunting Gets a Pandemic Boost

Tue, 08/04/2020 - 20:25
Padraig Belton from the BBC writes about how house hunters are using virtual-reality headsets to tour homes in the age of coronavirus. From the report: It's not for everyone as, at the moment, house hunters have to use their own headsets. But Giles Milner, marketing director at estate agent Chestertons, says he will sometimes send buyers headsets for new-build properties, if a development has multiple near-identical apartments with some still being built. "Developers are often selling off-plan, and it's hard to sell a product just on a 2D floor plan," he says. "So developers these days have virtual tours budgeted in from the start." Once you have a headset, it's a fairly simple process to find a virtual property on the estate agent's website, using a hand controller to work a virtual keyboard. It's still a fairly limited option, at the moment just 8% of Zoopla's listings have an option for a virtual tour. But Zoopla says there was a surge of activity during the first month of lockdown, when virtual reality (VR) viewings of new-build properties tripled. [...] Virtual reality offers greater detail than the traditional photos on a website. It also saves time for estate agents and is safer for everyone: "The last thing you want is for your staff members to get struck down with Covid-19," Mr Shipside says. Growing adoption of VR viewing also makes life easier for clients moving internationally, when travel back and forth is hard. Buyers from mainland China looking at homes in Singapore have to observe the country's strict fortnight quarantine on nearly all arrivals. So it makes sense to treat buying a house "just like online shopping," says Christopher Wang, founder of Imme VR, a Singaporean virtual-reality property company. A coming use of all this technology is letting prospective sellers find their property's value without estate agents visiting. Another will be letting possible buyers see a property as if it had their furniture already installed in the home. 
Having this record of your property's contents and their condition is especially beneficial if you ever have to submit an insurance claim -- for something stolen, or fire or flood damage. Another use will be in getting quotes from builders. Instead of contractors measuring and taking photos, going away and coming back with bids, a digital twin could instead let more contractors bid on the work -- giving power to the homeowner.


It's Official: EU Launches Antitrust Probe Into Google's Fitbit Takeover

Tue, 08/04/2020 - 19:45
It was rumored last week and now it's official: the European Commission announced it is launching an in-depth antitrust investigation into Google's $2.1 billion bid for Fitbit. CNN reports: The European Union's top antitrust regulator said it is concerned that the takeover would further strengthen Google's market position in online advertising by "increasing the already vast amount of data that Google could use for personalization of the ads it serves and displays." Google announced it was buying Fitbit, the world's leading maker of wearable fitness activity trackers, in November. The deal, worth about $2.1 billion, is one of Google's largest acquisitions and represents an important step for the company into smartwatches and other wearable devices. The Commission had already launched a preliminary investigation into the transaction. It said a commitment by Google not to use Fitbit data for advertising purposes was insufficient to address the concerns identified in the initial probe. The Commission's top antitrust official, Margrethe Vestager, said in a statement that the use of wearable devices by European consumers, as well as the data generated by them, is expected to grow significantly. "Our investigation aims to ensure that control by Google over data collected through wearable devices as a result of the transaction does not distort competition," Vestager said. In a blog post, Google Senior Vice President for Devices and Services Rick Osterloh said the deal "is about devices, not data," a market he said is full of competition. "We've been clear from the beginning that we will not use Fitbit health and wellness data for Google ads," Osterloh said. "We recently offered to make a legally binding commitment to the European Commission regarding our use of Fitbit data. As we do with all our products, we will give Fitbit users the choice to review, move or delete their data."


Amazon's Engineers Are Building Robots In Their Garages

Tue, 08/04/2020 - 19:02
An anonymous reader quotes a report from ZDNet: The next generation of Amazon's Scout bots -- the fully-electric autonomous delivery devices the company is hoping to deploy soon -- is currently being designed and built by a team of mechanical engineers in Seattle, and not in the most orthodox of settings. Instead of working in sleek labs, Amazon's engineers have effectively resorted to re-arranging their homes and garages to accommodate the development of the sophisticated piece of technology the Scout bot is promising to be. The cooler-sized bot is already deployed in a handful of US cities where it is being tested, albeit always accompanied by a human. And to make sure that Scout bots ever reach the next stage of development, Amazon's team had to work their way around the new restrictions suddenly imposed by the COVID-19 pandemic. Unfortunately, engineers need a lot more than a decent internet connection to be able to work remotely. In early March, therefore, Seattle-based Amazon mechanical engineer Jeff Gorges transformed his garage into an R&D lab of motors and wheels in anticipation of office closures. Since then, Gorges has been iterating the bot from his garage workbench, testing various new features by driving the device around his patio. The new Scout bot has now been assembled and debugged by Gorges, all from the comfort of his own home. Amazon's Canvas robotics team, which works on small autonomous carts that use spatial AI to move items through the company's fulfillment centers, moved their testing and manufacturing equipment from their office and lab space to several team members' homes. "With the new tools set up in their apartment living rooms, hardware engineers were able to build and assemble the sub-components for the carts, and then to pass the prototypes onto an R&D technician's home, who set up test and safety systems from his garage," reports ZDNet. 
"The robots were then sent to a computer vision scientist who worked on calibrating the devices' cameras by reconstructing the carts' future surroundings in the fulfillment center in 3D. All in all, six robots circulated through seven team members' homes, with precautions taken to disinfect the devices on each transition."


Tesla's Touchscreen Wiper Controls Ruled Illegal In Germany

Tue, 08/04/2020 - 18:20
New submitter Rei_is_a_dumbass shares a report from Electrek: Tesla's wiper controls through its touchscreen have been ruled illegal in Germany after someone crashed their Model 3 while using them and fought a fine and driving ban through the court system. A Tesla Model 3 driver got into an accident while using the touchscreen to adjust the speed of the automatic windshield wipers. In Model 3 and Model Y vehicles, Tesla didn't install normal windshield wiper settings through a steering wheel stalk. Instead, the automaker is detecting the rain through its Autopilot cameras and automatically adjusting the speed based on the strength of the rainfall. If the driver wants to adjust the speed, they need to do it through the center touchscreen. The driver in Germany was adjusting those settings when he lost control of the vehicle and crashed. A local district court gave him a fine and a one-month driving ban and that's where the problem started for Tesla. He decided to fight the punishment -- bringing the case to the Higher Regional Court (OLG). "It comes as no surprise that enlightened Germans would be the first to rule Tesla's poly engineered cars a road hazard," adds Slashdot reader Rei_is_a_dumbass. "Touch screen interfaces have no place in cars."


Disney+ Passes 60.5 Million Subs, Reaches 5-Year Streaming Goal In First Eight Months

Tue, 08/04/2020 - 17:40
In Disney's earnings call today, CEO Bob Chapek said there are now 60.5 million global subscribers to Disney+, reaching the 60 million-90 million range it told investors it would get to by 2024. Deadline reports: He also said today that Mulan, long in limbo amid the COVID-19 pandemic, will debut September 24 on Disney+ for $24.99, a new wrinkle for the streamer. Disney also announced it will launch a new streaming service internationally under its Star brand and using Disney's own content, starting in September. After rising from 54.5 million subscribers as of the beginning of May, Disney+ reached 57.5 million subscribers by the end of June before surpassing the 60M mark in the last couple of days. The overall results came up short of Wall Street analysts' expectations of a loss of 64 cents per share and total revenue of $12.4 billion. Disney has already reached its five-year target for Disney+ global subscribers less than nine months after launching the $7-a-month service. While it is a far more targeted offering than Amazon Prime Video or Hulu, it has quickly vaulted into the No. 2 spot in the subscription streaming game after Netflix, which has nearly 193 million global subscribers. When the company reported its last batch of quarterly results in May, Disney said it had 54.5 million Disney+ subscribers, up from 33.5 million as of March 28. Hulu, which Disney has controlled since the spring of 2019, had 32.1 million total subscribers at the end of the March quarter. Hulu, the company said in its fiscal third-quarter earnings report, now has 35.5 million subscribers to its on-demand service and live TV bundle combined, while ESPN+ is now at 8.5 million, more than triple its level a year ago.


Twitter Faces FTC Probe, Likely Fine Over Use of Phone Numbers For Ads

Tue, 08/04/2020 - 17:04
An anonymous reader quotes a report from Ars Technica: Twitter is facing a Federal Trade Commission probe and believes it will likely owe a fine of up to $250 million after being caught using phone numbers intended for two-factor authentication for advertising purposes. The company received a draft complaint from the FTC on July 28, it disclosed in its regular quarterly filing with the Securities and Exchange Commission. The complaint alleges that Twitter is in violation of its 2011 settlement with the FTC over the company's "failure to safeguard personal information." That agreement included a provision banning Twitter from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers." In October 2019, however, Twitter admitted that phone numbers and email addresses users provided it with for the purpose of securing their accounts were also used "inadvertently" for advertising purposes between 2013 and 2019. In the filing, Twitter estimates the "range of probable loss" it faces in the probe is between $150 million and $250 million, although it adds that "the matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome."


Microsoft Goes Big in Security Bug Bounties: Its $13.7m is Double Google's 2019 Payouts

Tue, 08/04/2020 - 16:26
Microsoft has revealed it has awarded security researchers $13.7m for reporting bugs in Microsoft software since July last year. From a report: Microsoft's bug bounties are one of the largest sources of financial awards for researchers probing software for flaws and, importantly, reporting them to the relevant vendor rather than selling them to cybercriminals via underground markets or exploit brokers who distribute them to government agencies. The Redmond company has 15 bug-bounty programs through which researchers netted $13.7m between July 1, 2019 and June 30, 2020. That figure is triple the $4.4m it awarded in the same period the previous year. [...] Microsoft's total annual bug-bounty payouts are now much larger than Google's awards for security flaws in its software, which totaled $6.5m in calendar year 2019. That figure was double the previous year's payouts from the ad and search giant, which called it a "record-breaking year."


Decades-Old Email Flaws Could Let Attackers Mask Their Identities

Tue, 08/04/2020 - 15:45
At the Black Hat security conference on Thursday, researchers will present "darn subtle" flaws in industry-wide protections used to ensure that emails come from the address they claim to. From a report: The study looked at the big three protocols used in email sender authentication -- Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) -- and found 18 instances of what the researchers call "evasion exploits." The vulnerabilities don't stem from the protocols themselves, but from how different email services and client applications implement them. Attackers could use these loopholes to make spearphishing attacks even harder to detect. "I think I'm a savvy, educated user and the reality is, no, that's actually not enough," says Vern Paxson, cofounder of the network traffic analysis firm Corelight and a researcher at the University of California, Berkeley, who worked on the study along with Jianjun Chen, a postdoctoral researcher at the International Computer Science Institute, and Jian Jiang, senior director of engineering at Shape Security. "Even users who are pretty savvy are going to look at the indicators that Gmail or Hotmail or others provide and be fooled," Paxson says. Think about when you hand a friend a birthday card at their party. You probably only write their first name on the outside of the envelope, and maybe underline it or draw a heart. If you mail that letter instead, though, you need the recipient's full name and detailed address, a stamp, and ultimately a postmark with a date on it. Sending email across the internet works similarly. Though email services only require you to fill out the "To" and "Subject" fields, there's a whole list of more detailed information getting filled out behind the scenes. 
Those industry-standard "headers," as they're known, include date and time sent and received, language, a unique identifier called a Message-ID, and routing information.
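The headers the report lists (Date, Message-ID, routing information) are what a receiving server and a reader actually have to work with, and the sender-authentication results sit in the same place. The following script is an added example for this summary; it is not code from the article or from the researchers' study. It parses a constructed message (the raw text below is made up for illustration), pulls out the fields named above, reads the Authentication-Results header that a receiving server stamps on delivery (RFC 8601), and checks whether the domain shown in the visible From: line is one that SPF or DKIM actually vouched for. The organizational-domain helper is a deliberate simplification (last two labels) rather than the Public Suffix List that a real DMARC implementation uses.

```python
"""Pull the headers the report names out of a message and check whether the
visible From: domain matches what the receiver authenticated."""
import email
from email.utils import parseaddr, parsedate_to_datetime
import re

# Constructed sample message for this example; not taken from the article.
# The From: line shows bank.example, but SPF and DKIM only vouch for example.net.
RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Tue, 4 Aug 2020 15:45:00 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.example.net;
\tdkim=pass header.d=example.net; dmarc=fail header.from=bank.example
Message-ID: <20200804154500.12345@example.net>
Date: Tue, 4 Aug 2020 15:45:00 +0000
From: "Security Team" <alerts@bank.example>
To: user@example.org
Subject: Please verify your account
Content-Language: en

Click the link to confirm.
"""

# Same constructed message, but with a From: domain that the results do cover.
ALIGNED_MESSAGE = RAW_MESSAGE.replace("alerts@bank.example", "alerts@example.net")


def _unfold(value):
    """Collapse RFC 5322 header folding (newline + whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def parse_auth_results(value):
    """Turn 'authserv-id; spf=pass k=v; dkim=pass k=v' into {method: {...}}."""
    results = {}
    clauses = [c.strip() for c in value.split(";")][1:]  # first clause is the authserv-id
    for clause in clauses:
        if not clause:
            continue
        parts = clause.split()
        method, _, result = parts[0].partition("=")
        props = dict(p.partition("=")[::2] for p in parts[1:] if "=" in p)
        results[method] = {"result": result, **props}
    return results


def parse_message(raw):
    """Extract the fields the report lists plus the parsed authentication results."""
    msg = email.message_from_string(raw)  # compat32 policy: raw, folded header values
    _, addr = parseaddr(_unfold(msg["From"]))
    return {
        "date": parsedate_to_datetime(_unfold(msg["Date"])),
        "message_id": _unfold(msg["Message-ID"]),
        "from_domain": addr.rpartition("@")[2].lower(),
        "hops": len(msg.get_all("Received", [])),  # routing: one Received per relay
        "auth": parse_auth_results(_unfold(msg["Authentication-Results"])),
    }


def authenticated_domains(auth):
    """Domains that SPF or DKIM actually vouched for (result == pass)."""
    domains = set()
    spf = auth.get("spf", {})
    if spf.get("result") == "pass" and "smtp.mailfrom" in spf:
        domains.add(spf["smtp.mailfrom"].rpartition("@")[2].lower())
    dkim = auth.get("dkim", {})
    if dkim.get("result") == "pass" and "header.d" in dkim:
        domains.add(dkim["header.d"].lower())
    return domains


def organizational_domain(domain):
    """Simplified: keep the last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def is_from_aligned(raw):
    """True when the visible From: domain is (relaxed-)aligned with an authenticated domain."""
    info = parse_message(raw)
    target = organizational_domain(info["from_domain"])
    return any(organizational_domain(d) == target for d in authenticated_domains(info["auth"]))


if __name__ == "__main__":
    for label, raw in (("spoofed-looking", RAW_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        info = parse_message(raw)
        print(label, info["message_id"], info["from_domain"], "aligned:", is_from_aligned(raw))
```

The point of the check is the one the report makes: the address a client displays and the identity that SPF or DKIM verified are separate header fields, and a mismatch between them is only visible if something compares them. Running the script prints the constructed message as not aligned and its modified copy as aligned.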

