China

Duplicate Login Details Enabled Hack of More Than 20 Million Chinese Consumers (thestack.com) 14

An anonymous reader writes: According to various Chinese sources including Techweb (Chinese language), police in Zhejiang held a conference on Monday announcing that 20.59 million users of the 'Chinese eBay', taobao.com, had their login details stolen by proxy, when hackers ran user/pass combos from a stolen database of 99 million other users and found that more than 20% were using the same login credentials across different ecommerce sites.
Crime

San Francisco Bay Area In Superbowl Surveillance Mode (wired.com) 95

An anonymous reader links to Wired's description of a surveillance society in miniature assembling right now in San Francisco: Super Bowl 50 will be big in every way. A hundred million people will watch the game on TV. Over the next ten days, 1 million people are expected to descend on the San Francisco Bay Area for the festivities. And, according to the FBI, 60 federal, state, and local agencies are working together to coordinate surveillance and security at what is the biggest national security event of the year.
Previous years' Super Bowl security measures have included WMD sensors, database-backed facial recognition, and gamma-ray vehicle scanners. Given the fears and cautions in the air about this year's contest, it's easy to guess that the scanning and sensing will be even more prevalent this time.
Google

Google Testing Project Loon: Concerns Are Without Factual Basis (thestack.com) 78

An anonymous reader writes: In a filing submitted to the FCC, Google has stated that while concerns for health and environmental risks posed by Project Loon testing were 'genuinely held,' 'there is no factual basis for them.' Google's filing attempts to address a wide range of complaints, from environmental concerns related to increased exposure to RF and microwave radiation, to concerns for loss of control and crashes of the balloons themselves. First, it states that its proposed testing poses no health or environmental risks, and is all well within the standards of experimentation that the FCC regularly approves. It also pledges to avoid interference with any other users of the proposed bandwidth, by collocating transmitters on shared platforms and sharing information kept current daily by an FCC-approved third party database manager.
Science

Why the Calorie Is Broken (arstechnica.com) 425

An anonymous reader writes: Nutrition is a subject for which everybody should understand the basics. Unfortunately, this is hard. Not only is there a ton of conflicting research about how to properly fuel your body, there's a multi-billion-dollar industry with financial incentive to muddy the waters. Further, one of the most basic concepts for how we evaluate food — the calorie — is incredibly imprecise. "Wilbur Atwater, a Department of Agriculture scientist, began by measuring the calories contained in more than 4,000 foods. Then he fed those foods to volunteers and collected their faeces, which he incinerated in a bomb calorimeter. After subtracting the energy measured in the faeces from that in the food, he arrived at the Atwater values, numbers that represent the available energy in each gram of protein, carbohydrate and fat. These century-old figures remain the basis for today's standards."

In addition to the measuring system being outdated, the amount of calories taken from a meal can vary from person to person. Differences in metabolism and digestive efficiency add sizable error bars. Then there are issues with serving sizes and preparation methods. Research is now underway to find a better measure of food intake than the calorie. One possibility for the future is mapping your internal chemistry and having it analyzed with a massive database to see what foods work best for you. Another may involve tweaking your gut microbiome to change how you extract energy from certain foods.

Electronic Frontier Foundation

NSA Wants To Dump the Phone Records It Gathered Over 14 Years (thenextweb.com) 56

According to The Next Web, the NSA would like to get rid of something that a lot of people wish they'd never had in the first place: phone records that the agency has collected over a decade and a half (more, really) of mass surveillance. However, the EFF wants to make sure that the evidence of snooping doesn't get buried along with the actual recorded data. From the article: [T]he government says that it can't be sued by bodies like the EFF. The organization is currently involved in two pending cases seeking a remedy for the past 14 years of illegal phone record collection. EFF wrote a letter (PDF) to the secret Foreign Intelligence Surveillance Act court last December which it has now made public, explaining that it is ready to discuss options that will allow destruction of the records in ways that still preserve its ability to prosecute the cases. It'll be interesting to see how this pans out: if the government doesn't agree to a discussion about how to handle these phone records, it's possible that they will remain on file for years to come. Plus, it could allow the NSA to avoid being held accountable for its illegal mass surveillance.
Education

How Have Large Donations Affected Education Policy In New York City? 37

theodp writes: According to Chalkbeat, the expansion of charter schools, the movement to break New York City's large schools into smaller ones, and the push to teach computer science have something in common: the influence of philanthropy. Though contributions from big donors amount to only a fraction of New York City's education spending, they still have a real impact on public school policy, said Jeffrey Henig, the co-author of The New Education Philanthropy: Politics, Policy and Reform, which details how powerful individuals and organizations increasingly use donations to advance policies they support. Increasingly, Henig adds, some of those donors are paying more attention to advocacy, creating at least the appearance, if not the reality, of grassroots support.
The Military

More Air Force Drones Are Crashing Than Ever As Mysterious New Problems Emerge (washingtonpost.com) 141

schwit1 points out that a record number of Air Force drones crashed in major accidents last year. Leading the accident count is the Reaper which has seen a number of sudden electrical failures. The Washington Post reports: "A record number of Air Force drones crashed in major accidents last year, documents show, straining the U.S. military's fleet of robotic aircraft when it is in more demand than ever for counterterrorism missions in an expanding array of war zones. Driving the increase was a mysterious surge in mishaps involving the Air Force's newest and most advanced 'hunter-killer' drone, the Reaper, which has become the Pentagon's favored weapon for conducting surveillance and airstrikes against the Islamic State, al-Qaeda and other militant groups. The Reaper has been bedeviled by a rash of sudden electrical failures that have caused the 21/2-ton drone to lose power and drop from the sky, according to accident-investigation documents obtained under the Freedom of Information Act. Investigators have traced the problem to a faulty starter-generator,but have been unable to pinpoint why it goes haywire or devise a permanent fix.
Privacy

IRS: Identity Theft Protection a Tax Deductible Benefit - Even Without a Breach (wordpress.com) 51

chicksdaddy writes: The U.S. Internal Revenue Service has announced that it will treat identity theft protection as a non-taxable, non-reportable benefit that companies can offer — even when the company in question hasn't experienced a data breach, and regardless of whether it is offered by an employer to employees, or by other businesses (such as online retailers) to their customers, the blog E for ERISA reports. In short: companies can now deduct the cost of offering identity theft protection as a benefit for employees or extending it to customers, even if their data hasn't been exposed to hackers.

The announcement comes only four months after an earlier announcement by the IRS that it would treat identity theft protection offered to employees or customers in the wake of a data breach as a non-taxable event. Comments to the IRS following the earlier decision suggested that many businesses view a data breach as "inevitable" rather than as a remote risk.

The truth of that statement was made clear to the IRS itself, which had to provide identity theft protection earlier this year in response to a hack of its online database of past-filed returns and other filed documents which ultimately affected over 300,000 taxpayers. The new IRS guidance could be a boon to providers of identity protection services such as Experian and Lifelock, though maybe not as much as one would expect. Data from Experian suggests that consumer adoption rates for identity theft protection services are low. Fewer than 10% of those potentially affected by a breach opt for free identity protection services when they are offered. For very large breaches that number is even lower — in the single digit percentages.

Databases

PostgreSQL 9.5 Does UPSERT Right (thenewstack.io) 105

joabj writes: For years, PostgreSQL users would ask when their favorite open source database system would get the UPSERT operator, which can either insert an entry or update it if a previous version already existed. Other RDBMSes have long offered this feature. Bruce Momjian, one of the chief contributors to PostgreSQL, admits to being embarrassed that it wasn't supported. Well, PostgreSQL 9.5, now generally available, finally offers a version of UPSERT, and users may be glad the dev team took their time with it. Implementations of UPSERT on other database systems were "handled very badly," sometimes leading to unexpected error messages, Momjian said. Turns out it is very difficult to implement on multi-user systems. "What is nice about our implementation is that it never generates an unexpected error. You can have multiple people doing this, and there is very little performance impact," Momjian said. Because it can work on multiple tables at once, it can even be used to merge one table into another.
Databases

Oracle Named Database of the Year, MongoDB Comes In Second (softpedia.com) 122

An anonymous reader writes: Oracle's database management system has seen the biggest rise in terms of popularity in the past year. Oracle didn't only see a rise in the number of deployed instances, job offerings and mentions on LinkedIn profiles, but for the first time also became a popular topic on Twitter and a constant mention on StackOverflow, a popular Q&A support forum for developers. Second on DB-Engine's popularity list was MongoDB, which barely missed winning the DBMS of the Year award for the third time in a row.
Privacy

Uber To Pay $20,000 In Settlement On Privacy Issues (csoonline.com) 17

itwbennett writes: Uber has agreed to pay a penalty of $20,000 in a settlement with New York Attorney General Eric T. Schneiderman for delaying telling drivers about the data breach of their personal information in 2014. The company has also agreed to tighten employee access to geo-location data of passengers, following reports that the company's executives had an aerial 'God View' of such data, the office of the attorney general said in a statement Wednesday.
Databases

PostgreSQL 9.5 Released 104

iamvego writes: Later than the typical release cadence, PostgreSQL 9.5 has finally been released, and brings with it a slew of new features including UPSERT functionality, row-level security, and some big data features (CUBE/ROLLUP, join pushdown for foreign data wrappers, TABLESAMPLE, BRIN indexing and more). The previous release had brought about some new JSON functions and operators, but they only queried the data; 9.5 comes with new operators which now allow modification of JSON values, so it no longer has to be manipulated outside of the database. PostgreSQL's wiki has a more detailed overview of the new features.
Cloud

Linode Resets Passwords After Credentials Leak (linode.com) 55

New submitter qmrq sends news that Linode, a major provider of virtual private servers, has been compromised again. In a blog post, they said, "A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds." The Linode team said it found evidence of unauthorized access to three customer accounts. They don't yet know who is behind the attacks.

An employee for PagerDuty said they were compromised through Linode Manager all the way back in July. "In our situation the attacker knew one of our user's passwords and MFA secret. This allowed them to provide valid authentication credentials for an account in the Linode Manager. It's worth noting that all of our active user accounts had two-factor authentication enabled. ... We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database."
Security

18 Million Targeted Voter Records Exposed By Database Error (csoonline.com) 75

itwbennett writes: Last week, a database containing 191 million voter records was exposed because of a misconfigured database that no one wants to claim ownership of. Around the same time, a second, smaller database containing fewer than 57 million records similar to those previously discovered was also found by researcher Chris Vickery. But the second database also includes 18 million records that hold targeted demographic information. And as was the case with the previous voter database, no one wants to claim ownership.
Communications

Ask Slashdot: Jamming UK Metadata Collection? 192

AmiMoJo writes: It looks likely that the UK will try to require ISPs to collect metadata on behalf of its security services, and various other agencies will have access to this vast, privacy- and security-destroying database.

How can individuals resist? Some metadata is trivial to hide, e.g. much email is encrypted between the user and server, but a record of an access will still exist. Would there be much benefit to creating fake traffic, say by sending dummy emails to yourself? What about fake browsing, or keeping TOR running 24/7 (not as an exit node, just a client)?

The goal is to make the data less useful and harder to tie to an individual or separate from fake data, and to increase the cost of collecting and storing such data. Don't worry, I'm already on the list of known dissidents anyway.
Facebook

Epoch Time Bug Causes Facebook To Congratulate Users On 46 Years of Friendship (gizmodo.com) 108

An anonymous reader writes: A bunch of Facebook users received mysterious messages yesterday congratulating them on 46 years of being friends with somebody on Facebook. An astute observer may note that Facebook hasn't been around for 46 years. An even more astute observer might note that 46 years ago yesterday would be 12/31/1969 — easily recognizable as value '0' in the Unix Epoch with a time zone adjustment. A Microsoft engineer posits that the messages were sent because of how Facebook implemented its congratulatory messages. Many people were Facebook friends when the feature was rolled out, and instead of finding or estimating the date they became friends, Facebook simply set that database value to '0'. When the script fired to send those messages, it grabbed that value expecting a time, and interpreted the 0 accordingly. "The developer who wrote the 'friends with since' memories algorithm should have added a case WHERE friendsWithSinceDate != '0' or something along those lines."
Software

Windows, OS X, and iOS Top 2015's List of Software With the Most Vulnerabilities (venturebeat.com) 111

An anonymous reader writes: Which software had the most publicly disclosed vulnerabilities in 2015? According to a site called CVE Details, which organizes data provided by the National Vulnerability Database, Apple's Mac OS X was near the top, with 384 vulnerabilities. iOS followed closely, with 375 vulnerabilities. The list splits out Windows into its separate versions, so it's hard to get an accurate count — simply adding them all together yields a total of over 1,000, but there are likely many duplicates. Other top spots went to Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. The four major web browsers also ranked quite highly.
Programming

Coding Styles Survive Binary Compilation, Could Lead Investigators Back To Programmers (princeton.edu) 164

An anonymous reader writes: Researchers have created an algorithm that can accurately detect code written by different programmers (PDF), even if the code has been compiled into an executable binary. Because of open source coding repositories like GitHub, state agencies can build a database of all developers and their coding styles, and then easily compare the coding style used in "anti-establishment" software to detect the culprit. Despite all the privacy implications this research may have, the algorithm can also be used by security researchers to track down malware authors. We also discussed an earlier phase of this research.
Government

Drone Registration Is FAA's Way of Getting You To Read Their "EULA" (hackaday.com) 131

szczys writes: There is little to complain about when it comes to the new FAA rules regarding drones (unless perhaps you live in DC). The regulations are basically an End User Licensing Agreement and focus on educating responsible operators. Eight simple rules cover how to avoid doing dangerous things with Unmanned Aerial Systems. The FAA has even left alone the small toy drones, and the certification system for those above 55 lbs remains. The one aspect that is concerning is that of privacy; the drone database will be publicly searchable and contains names and addresses of drone owners. If the DMV keeps license plate data protected, the FAA should do the same.
Music

Discogs Turns Record Collectors' Obsessions Into Big Business 31

HughPickens.com writes: Ben Sisario writes at the NYT that Discogs has built one of the most exhaustive collections of discographical information in the world, and with 24 million items for sale, (eBay's music section lists 11 million) Discogs is on track to do nearly $100 million in business by the end of the year. One of Discog's secrets is the use of Wikipedia's model of user-generated content with historical data cataloged by thousands of volunteer editors in extreme detail. The site's entry for the Beatles' White Album, for instance, contains 309 distinct versions of the record, including its original releases in countries like Uruguay, India and Yugoslavia — in mono and stereo configurations — and decades of reissues, from Greek eight-tracks to Japanese CDs. "There's a record-collector gene," says Kevin Lewandowski. "Some people want to know every little detail about a record."

The site, once run from a computer in Lewandowski's closet and originally restricted to electronic music, has grown rapidly. "It took about six months working nights and weekends on Discogs, and I launched it in November 2000. It was very simplistic compared to what it is now, but it started growing right away." Discogs now has 37 employees around the world, 20 million online visitors a month and three million registered users. Lewandowski, who is the sole owner of Discogs, says he had no interest in selling the business. He has watched other players enter the field over the last 15 years, including Amazon, which in 2008 introduced SoundUnwound, a Wikipedia-like site for music that was quietly shut down four years later. Discogs may have survived because of the innovation of its marketplace, giving collectors an incentive to expand the database with every imaginable detail. "I want it to go on forever," says Lewandowski.