Your rights online

Slashdot: Your Rights Online
News for nerds, stuff that matters

Is Russia Trying to Deanonymize Tor Traffic?

Sat, 07/20/2019 - 15:34
A contractor for Russia's intelligence agency suffered a breach, revealing projects they were pursuing -- including one to deanonymize Tor traffic. An anonymous reader shared this report from ZDNet:

The breach took place last weekend, on July 13, when a group of hackers going by the name of 0v1ru$ hacked into SyTech's Active Directory server from where they gained access to the company's entire IT network, including a JIRA instance. Hackers stole 7.5TB of data from the contractor's network, and they defaced the company's website with a "yoba face," an emoji popular with Russian users that stands for "trolling..." Per the different reports in Russian media, the files indicate that SyTech had worked since 2009 on a multitude of projects.

In February ZDNet reported that Russia disconnected itself from the rest of the internet in a test -- and suggests today that it was a real-world test of one of these leaked "secret projects" from the Russian intelligence agency. But the other projects include:

Nautilus-S - a project for deanonymizing Tor traffic with the help of rogue Tor servers.
Nautilus - a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).
Reward - a project to covertly penetrate P2P networks, like the one used for torrents.
Mentor - a project to monitor and search email communications on the servers of Russian companies.
Tax-3 - a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.

ZDNet also reports that the Tor-deanonymizing project, started in 2012, "appears to have been tested in the real world," citing a 2014 paper which found 18 malicious Tor exit nodes located in Russia. Each of those hostile Russian exit nodes used version 0.2.2.37 of Tor -- the same one described in these leaked files.

Read more of this story at Slashdot.

Categories: Privacy

New Map Shows Where America's Police, Businesses Are Using Facial Recognition and Other Surveillance Tech

Sat, 07/20/2019 - 13:34
"Fight For the Future, a tech-focused nonprofit, on Thursday released its Ban Facial Recognition map, logging the states and cities using surveillance technology," reports CNET -- noting that "surveillance technology" in this case includes Amazon's Ring doorbell security cameras. A CNET investigation earlier this year highlighted the close ties between Ring and police departments across the US, many of which offer free or discounted Ring doorbells using taxpayer money. The cameras have helped police create an easily accessible surveillance network in neighborhoods and allowed law enforcement to request videos through an app. The arrangement has critics worried about the erosion of privacy. Until the release of Fight for the Future's map, there was no comprehensive directory of all the police departments that had partnered with Ring. Now you can find them by going on the map and toggling it to "Police (Local)." It lists more than 40 cities where police have partnered with Amazon for Ring doorbells.... The map is far from complete. Police departments aren't always up front about the technology that they're using. On the interactive map, Fight for the Future asked visitors to send it any new entries to add to the map.... The map also has filters for airports, stores and stadiums that are using facial recognition, as well as states that provide driver's license photos to the FBI's database of faces.... Fight for the Future's map also features a filter for regions where facial recognition use by government is banned. For now, that's only in San Francisco; Somerville, Massachusetts; and Oakland, California. The group's deputy director told CNET that the map's goal is allowing people "to turn their ambient anxiety into effective action by pushing at the local and state level to ban this dangerous tech." "No amount of regulation will fix the threat posed by facial recognition," he added. "It must be banned."

Categories: Privacy

China's Tech Giants Have a Second Job: Helping Beijing Spy on Its People

Fri, 07/19/2019 - 10:43
Tencent and Alibaba are among the firms that assist authorities in hunting down criminal suspects, silencing dissent and creating surveillance cities. From a report: Alibaba Group's sprawling campus has collegial workspaces, laid-back coffee bars and, on the landscaped grounds, a police outpost. Employees use the office to report suspected crimes to the police, according to people familiar with the operation. Police also use it to request data from Alibaba for their own investigations, these people said, tapping into the trove of information the tech giant collects through its e-commerce and financial-payment networks. In one case, the police wanted to find out who had posted content related to terrorism, said a former Alibaba employee. "They came to me and asked me for the user ID and information," he recalled. He turned it over. The Chinese government is building one of the world's most sophisticated, high-tech systems to keep watch over its citizens, including surveillance cameras, facial-recognition technology and vast computer systems that comb through terabytes of data. Central to its efforts are the country's biggest technology companies, which are openly acting as the government's eyes and ears in cyberspace. Companies including Alibaba Group Holding, Tencent Holdings and Baidu are required to help China's government hunt down criminal suspects and silence political dissent. Their technology is also being used to create cities wired for surveillance.

Categories: Privacy

Google and Facebook Might Be Tracking Your Porn History, Researchers Warn

Fri, 07/19/2019 - 03:00
Researchers at Microsoft, Carnegie Mellon University and the University of Pennsylvania analyzed 22,484 porn sites and found that 93% leak user data to a third party. Normally, for extra protection when surfing the web, a user might turn to incognito mode. But, the researchers said, incognito mode only ensures that your browsing history is not stored on your computer. CNET reports: According to a study released Monday, Google was the No. 1 third-party company. The research found that Google, or one of its subsidiaries like the advertising platform DoubleClick, had trackers on 74% of the pornography sites examined. Facebook had trackers on 10% of the sites. "In the U.S., many advertising and video hosting platforms forbid 'adult' content. For example, Google's YouTube is the largest video host in the world, but does not allow pornography," the researchers wrote. "However, Google has no policies forbidding websites from using their code hosting (Google APIs) or audience measurement tools (Google Analytics). Thus, Google refuses to host porn, but has no limits on observing the porn consumption of users, often without their knowledge."

Categories: Privacy

Chuck Schumer Asks FBI To Investigate FaceApp

Thu, 07/18/2019 - 21:25
Senate minority leader Chuck Schumer is calling on the FBI to investigate FaceApp after privacy concerns have been raised about the Russian company which developed the app. In a letter posted on Twitter, Mr Schumer called it "deeply disturbing" that personal data of U.S. citizens could go to a "hostile foreign power." The BBC reports: Wireless Lab, a company based in St. Petersburg, says it does not permanently store images, and does not collect troves of data -- only uploading specific photos selected by users for editing. "Even though the core R&D team is located in Russia, the user data is not transferred to Russia," a company statement reported by news site TechCrunch said. Mr Schumer however has asked that the FBI and the Federal Trade Commission (FTC) investigate FaceApp. "I have serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it," his letter reads.

Categories: Privacy

EFF Hits AT&T With Class-Action Lawsuit For Selling Customers' Location To Bounty Hunters

Thu, 07/18/2019 - 20:03
An anonymous reader quotes a report from Motherboard: Tuesday, the Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T and two data brokers over their sale of AT&T customers' real-time location data. The lawsuit seeks an injunction against AT&T, which would ban the company from selling any more customer location data and ensure that any already sold data is destroyed. The move comes after multiple Motherboard investigations found AT&T, T-Mobile, Sprint, and Verizon sold their customers' data to so-called location aggregators, which then ended up in the hands of bounty hunters and bail bondsmen. The lawsuit, focused on those impacted in California, represents three Californian AT&T customers. Katherine Scott, Carolyn Jewel, and George Pontis are all AT&T customers who were unaware the company sold access to their location. The class action complaint says the three didn't consent to the sale of their location data. The complaint alleges that AT&T violated the Federal Communications Act by not properly protecting customers' real-time location data; and the California Unfair Competition Law and the California Consumers Legal Remedies Act for misleading its customers around the sale of such data. It also alleges AT&T and the location aggregators it sold data through violated the California Constitutional Right to Privacy. The lawsuit highlights AT&T's Privacy Policy that says "We will not sell your personal information to anyone, for any purpose. Period." An AT&T spokesperson said in a statement "While we haven't seen this complaint, based on our understanding of what it alleges we will fight it. Location-based services like roadside assistance, fraud protection, and medical device alerts have clear and even life-saving benefits. We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse."

Categories: Privacy

Data Broker LocationSmart Will Fight Class Action Lawsuit Over Selling AT&T Data

Thu, 07/18/2019 - 18:03
A broker that helped sell AT&T customers' real-time location data says it will fight a class action lawsuit against it. From a report: The broker, called LocationSmart, was involved in a number of data selling and cybersecurity incidents, including selling location data that ended up in the hands of bounty hunters. "LocationSmart will fight this lawsuit because the allegations of wrongdoing are meritless and rest on recycled falsehoods," a LocationSmart spokesperson said in an emailed statement. LocationSmart did not point to any specific part of the lawsuit to support these claims. On Tuesday, activist group the Electronic Frontier Foundation (EFF) and law firm Pierce Bainbridge filed a class action lawsuit against LocationSmart, another data broker called Zumigo, and telecom giant AT&T. The lawsuit's plaintiffs are three California residents who say they did not consent to AT&T selling their real-time location data through the data brokers. The lawsuit alleges all three companies violated the California Constitutional Right to Privacy, and seeks monetary damages as well as an injunction against AT&T to ensure the deletion of any sold data.

Categories: Privacy

Ex-Microsoft Worker Charged in Alleged Scheme To Steal $10M in Gift Cards and Use Funds To Finance Extravagant Purchases

Thu, 07/18/2019 - 14:06
An anonymous reader shares a report: A former Microsoft worker has been arrested and charged with mail fraud, in an alleged scheme to steal $10 million worth of digital currency from his ex-employer and use the funds to finance extravagant purchases, including a Tesla and lakefront home. Volodymyr Kvashuk, a 25-year-old software developer and Ukrainian citizen who worked for Microsoft from 2016 to 2018, allegedly took advantage of a testing program meant to simulate customer purchases. He made test accounts to obtain Microsoft gift cards and then sold some or all of them through online resellers.

Categories: Privacy

Bulgaria's Hacked Database Leaks To Hacking Forums

Thu, 07/18/2019 - 13:28
The database of Bulgaria's National Revenue Agency (NRA), which was hacked over the weekend and sent to local reporters, is now being shared on hacking forums, ZDNet has learned from sources in the threat intelligence community. From a report: Download links to the hacked database have been shared by a hacked data trader known as Instakilla, believed to be operating out of Bulgaria. ZDNet obtained a copy of the database and verified its authenticity with local sources, and this is a copy of the same database sent to local media over the weekend. The database contains 57 folders, 10.7 GB in size, and holds personal and financial information consistent with what Bulgarian newspapers reported receiving over the weekend. This includes personally identifiable information, tax information, from both the NRA, and from other government agencies who shared their data.

Categories: Privacy

To Foil Hackers, 'Morpheus' Chip Can Change Its Code In the Blink of An Eye

Thu, 07/18/2019 - 03:00
Todd Austin, a professor at the University of Michigan, is working on an approach known as Morpheus that aims to frustrate hackers trying to gain control of microchips by presenting them with a rapidly changing target. At a conference in Detroit this week organized by the U.S. Defense Department's Defense Advanced Research Projects Agency (DARPA), Austin described how the prototype Morpheus chip works. MIT Technology Review reports: The aim is to make it incredibly difficult for hackers to exploit key software that helps govern the chip's operation. Morpheus does this by repeatedly randomizing elements of the code that attackers need access to in order to compromise the hardware. This can be achieved without disrupting the software applications that are powered by the processor. Austin has been able to get the chip's code "churning" to happen once every 50 milliseconds -- way faster than needed to frustrate the most powerful automated hacking tools. So even if hackers find a vulnerability, the information needed to exploit it disappears in the blink of an eye. There's a cost to all this: the technology causes a slight drop in performance and requires somewhat bigger chips. The military may accept this trade-off in return for greater security on the battlefield, but it could limit Morpheus's appeal to businesses and consumers. Austin said a prototype has already resisted every known variant of a widely-used hacking technique known as a control-flow attack, which does things like tampering with the way a processor handles memory in order to allow hackers to sneak in malware. More tests lie ahead. A team of U.S. national security experts will soon begin probing the prototype chip to see if they can compromise its defenses, and Austin also plans to post some of Morpheus's code online so that other researchers can try to find flaws in it, too.

Categories: Privacy