Democrats have proposed the "Stopping Grinch Bots Act" to make it illegal to use bots to shop online and also outlaw reselling items purchased by bots. "Lawmakers label them 'Grinch' bots because, during the holiday season, resellers use them to buy inventory of highly coveted toys that can be resold at highly inflated prices," reports CNET. "Often times, these bots are so quick that they can purchase entire stocks of items before people can even add them to their carts." From the report: Sens. Tom Udall, Richard Blumenthal and Chuck Schumer along with Rep. Paul Tonko made the announcement on Black Friday. While the proposed legislation is focused around the holiday season and toys, the Grinch Bots act would apply to all retailers online. Toys aren't the only items that resellers online send swarms of bots to. Security researchers noted that bots designed to buy rare sneakers are a persistent issue, as developers will create AI to buy shoes from companies like Nike and Adidas as quickly as possible. The proposed bill leaves it open for security researchers to use bots on retailer websites to find vulnerabilities. "Middle class folks save up -- a little here, a little there -- working to afford the hottest gifts of the season for their kids but ever-changing technology and its challenges are making that very difficult. It's time we help restore an even playing field by blocking the bots," said Schumer, a Democrat from New York, in a statement.

An anonymous reader quotes a report from ABC News: Amid reports that first daughter and White House senior advisor Ivanka Trump exchanged hundreds of official government business emails using a personal email account, top Democrats on Capitol Hill "want to know if Ivanka complied with the law" and in the next Congress plan to continue their investigation of the Presidential Records Act and Federal Records Act. Rep. Elijah Cummings, the ranking Democrat who's in line to become the next chairman of the House Oversight and Government Reform Committee next year, promises any potential investigation into Jared Kushner and Ivanka Trump's emails won't be like the "spectacle" Republicans led in the Clinton email probe.

The Oversight committee has jurisdiction over records and transparency laws, and Cummings helped write an update to the Presidential and Federal Records Acts that was signed into law by President Barack Obama in 2014. That measure mandates that every federal employee, including the President, forward any message about official business sent using a private account to the employee's official email account within 20 days. "We launched a bipartisan investigation last year into White House officials' use of private email accounts for official business, but the White House never gave us the information we requested," Cummings, D-Md., noted. "We need those documents to ensure that Ivanka Trump, Jared Kushner, and other officials are complying with federal records laws and there is a complete record of the activities of this Administration. My goal is to prevent this from happening again -- not to turn this into a spectacle the way Republicans went after Hillary Clinton. My main priority as Chairman will be to focus on the issues that impact Americans in their everyday lives."

Forget the old American campaign slogan of a chicken in every pot, or the Indian politician's common pledge to put rice in every bowl. The New York Times reports: Here in the state of Chhattisgarh, the chief minister, Raman Singh, has promised a smartphone in every home -- and he is using the government-issued devices to reach voters as he campaigns in legislative elections that conclude on Tuesday. [...] The phones are the latest twist in digital campaigning by the B.J.P., which controls the national and state government and is deft at using tools like WhatsApp groups and Facebook posts to influence voters. The B.J.P. government in Rajasthan, which holds state elections next month, is also subsidizing phones and data plans for residents, and party leaders are considering extending the model to other states.

Chhattisgarh's $71 million free-phone program -- known by the acronym SKY after its name in Hindi -- is supposed to bridge the digital divide in this state of 26 million people, which is covered by large patches of forest and counts 7,000 villages that do not even have a wireless data signal. The plan is to add hundreds of cellphone towers and give a basic smartphone to every college student and one woman in every household to connect more families to the internet and help fulfill the central government's goal of a "Digital India." But this election season, many of the 2.9 million people who have received the phones have found themselves targeted by the B.J.P.

An anonymous reader quotes a report from ZDNet: The Russian Federation has responded to a lawsuit filed by the Democratic National Committee and has requested the overseeing court to throw out the lawsuit altogether. The lawsuit, filed by the DNC in April 2018, names a slew of figures as defendants, such as the Russian state, Russia's military intelligence service GRU, the hacker known as Guccifer 2.0, WikiLeaks and its founder Julian Assange, and several members of the Trump campaign, such as Donald Trump, Jr., Paul Manafort, Roger Stone, Jared Kushner, and George Papadopoulos. According to an 87-page indictment, the DNC accused Russia and the other defendants of carrying out the hacking of DNC servers in 2016 and then leaking data online via the WikiLeaks portal in an orchestrated manner for the benefit of the Trump presidential campaign.

The lawsuit, which has its own Wikipedia page and was likened to a lawsuit the DNC filed against Nixon after the Watergate scandal, seeks damages, but also for the court to issue a declaration about the defendants' conspiracy. But in a letter sent to a New York court, presented by the Russian Embassy in the U.S. and signed by a representative of the Russian Ministry of Justice, the Russian Federation wants the lawsuit thrown out. In the 12-page letter, the Russian Federation argues that the U.S. Foreign Sovereign Immunities Act ("FSIA") grants Russia immunity. "The FSIA provides that foreign sovereign States enjoy absolute jurisdictional immunity from suit unless a plaintiff can demonstrate that one of the FSIA's enumerated 'exceptions' applies'," the letter argues. "The DNC's allegations regarding a purported 'military attack' by 'Russia's military intelligence agency' do not fall within any of the FSIA's enumerated exceptions to the Russian Federation's sovereign immunity."

"Any alleged 'military attack' is a quintessential sovereign act that does not fall within any exception to the FSIA or the customary international law of foreign sovereign immunity. The Russian Federation's sovereign immunity with respect to claims based upon such allegations is absolute."

Slate argues that Facebook "is a normal sleazy company now," saying the company "obscured its problems and fought dirty against its critics" -- but that now its failings are being publicly aired. And Reason provides yet another example: The Times also reveals that Facebook chose to support FOSTA (and its Senate counterpart, SESTA) -- legislation that guts a fundamental protection for digital publishers and platforms, and makes prostitution advertising a federal crime -- not as a matter of principle but as a political tactic to tar opponents and cozy up to Congressional critics.
Even Steve Wozniak has joined the critics, saying this week that Facebook should "stop putting money before morals," adding later that "I haven't seen them do one real thing." Woz also suggested that Facebook should allow users to export their data so they could upload it onto competing social networks.

Now long-time Slashdot reader pcjunky reports that the same scammy ad has been running on Facebook for a full two months after it was reported. But maybe they're just understaffed? Engadget reports that over the last six months Facebook has discoverd and eliminated 1.5 billion different fake accounts -- which is 200 million more than the 1.3 billion accounts it removed in the previous six months. On the Blind app, one Facebook employee reportedly asked the ultimate question: "Why does our company suck at having a moral compass?"

So where will it all lead? According to Fortune, Senators Chris Coons and Bob Corker "warned Friday that Congress would impose new regulations to rein in Facebook unless the social-media company addresses concerns about privacy and the spread of misinformation on its platform."

But will anything change?

An anonymous reader quotes a report from ZDNet: U.S. President Donald Trump signed today a bill into law, approving the creation of the Cybersecurity and Infrastructure Security Agency (CISA). The bill, known as the CISA Act, reorganizes and rebrands the National Protection and Programs Directorate (NPPD), a program inside the Department of Homeland Security (DHS), as CISA, a standalone federal agency in charge of overseeing civilian and federal cybersecurity programs. The NPPD, which was first established in 2007, has already been handling almost all of the DHS' cyber-related issues and projects.

As part of the DHS, the NPPD was the government entity in charge of physical and cyber-security of federal networks and critical infrastructure, and oversaw the Federal Protective Service (FPS), the Office of Biometric Identity Management (OBIM), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C), and the Office of Infrastructure Protection (OIP). As CISA, the agency's prerogatives will remain the same, and nothing is expected to change in day-to-day operations, but as a federal agency, CISA will now benefit from an increased budget and more authority in imposing its directives. "Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation's critical infrastructure and cyber platforms," said NPPD Under Secretary Christopher Krebs. "The changes will also improve the Department's ability to engage with industry and government stakeholders and recruit top cybersecurity talent."

An anonymous reader quotes a report from Ars Technica: Three U.S. Senate Democrats today asked the four major wireless carriers about allegations they've been throttling video services and -- in the case of Sprint -- the senators asked about alleged throttling of Skype video calls. Sens. Edward Markey (D-Mass.), Richard Blumenthal (D-Conn.), and Ron Wyden (D-Ore.) sent the letters to AT&T, Verizon, Sprint, and T-Mobile, noting that recent research using the Wehe testing platform found indications of throttling by all four carriers.

"All online traffic should be treated equally, and Internet service providers should not discriminate against particular content or applications for competitive advantage purposes or otherwise," the senators wrote. Specifically, the Wehe tests "indicated throttling on AT&T for YouTube, Netflix, and NBC Sports... throttling on Verizon for Amazon Prime, YouTube, and Netflix... throttling on Sprint for YouTube, Netflix, Amazon Prime, and Skype Video calls... [and] delayed throttling, or boosting, on T-Mobile for Netflix, NBC Sports, and Amazon Prime by providing un-throttled streaming at the beginning of the connection, and then subsequently throttling the connection," the senators' letters said.

Futurepower(R) shares a report: A lot of people don't use computers. Most of them aren't in charge of a nation's cybersecurity. But one is. Japanese lawmakers were aghast on Wednesday when Yoshitaka Sakurada, 68, the minister who heads the government's cybersecurity office, said during questioning in Parliament that he had no need for the devices, and appeared confused when asked basic technology questions. "I have been independently running my own business since I was 25 years old," he said. When computer use is necessary, he said, "I order my employees or secretaries" to do it. [Editor's note: the link may be paywalled; alternative source.] "I don't type on a computer," he added.

Asked by a lawmaker if nuclear power plants allowed the use of USB drives, a common technology widely considered to be a security risk, Mr. Sakurada did not seem to understand what they were. "I don't know details well," he said. "So how about having an expert answer your question if necessary, how's that?" The comments were immediately criticized. "I can't believe that a person who never used a computer is in charge of cybersecurity measures," said Masato Imai, an opposition lawmaker.

ZDNet's Steven J. Vaughan-Nichols argues that the founder of Oculus, Palmer Luckey, wasn't fired because of his political views, as a recently-published Wall Street Journal article suggests, but because the virtual-reality company lost a $500 million intellectual property theft case to game maker ZeniMax. An anonymous reader shares the report: According to The Wall Street Journal, Palmer Luckey, the founder of Oculus, a virtual reality company, was fired by Facebook because "he donated $10,000 to an anti-Hillary Clinton group" during the 2016 U.S. Presidential campaign. But the article fails to mention a simple little fact: On Feb. 1, 2017, Oculus lost an intellectual property (IP) theft case against game maker ZeniMax, to the tune of $500 million. So, if one of your employees just cost your company a cool half-billion bucks for doing wrong what would you do? Well, Facebook isn't saying, even now, but on March 30, 2017, it let Luckey go.

Yes, Luckey also lied about his political moves, which went well beyond donating to an anti-Hillary billboard campaign. But let's look at the record. Everyone knew he'd lied by Feb. 22, 2016. Was he fired then? No. Was he fired after being found guilty of stealing ZeniMax's trade secrets? Yes. Officially, Facebook stated: "All details associated with specific personnel matters are kept strictly confidential. This is our policy for all employees, no matter their seniority. But we can say unequivocally that Palmer's departure was not due to his political views." Let me spell it out for you: He made some political waves. Nothing happened. He cost Facebook $500 million. He was fired. Can anyone here seriously not draw the lines between the dots?

You can have a disaster-free Election Day in the social media age, writes New York Times columnist Kevin Roose, "but it turns out that it takes constant vigilance from law enforcement agencies, academic researchers and digital security experts for months on end." It takes an ad hoc "war room" at Facebook headquarters with dozens of staff members working round-the-clock shifts. It takes hordes of journalists and fact checkers willing to police the service for false news stories and hoaxes so that they can be contained before spreading to millions. And even if you avoid major problems from bad actors domestically, you might still need to disclose, as Facebook did late Tuesday night, that you kicked off yet another group of what appeared to be Kremlin-linked trolls...

Most days, digging up large-scale misinformation on Facebook was as easy as finding baby photos or birthday greetings... Facebook was generally responsive to these problems after they were publicly called out. But its scale means that even people who work there are often in the dark... Other days, combing through Facebook falsehoods has felt like watching a nation poison itself in slow motion. A recent study by the Oxford Internet Institute, a department at the University of Oxford, found that 25 percent of all election-related content shared on Facebook and Twitter during the midterm election season could be classified as "junk news"...

Facebook has framed its struggle as an "arms race" between itself and the bad actors trying to exploit its services. But that mischaracterizes the nature of the problem. This is not two sovereign countries locked in battle, or an intelligence agency trying to stop a nefarious foreign plot. This is a rich and successful corporation that built a giant machine to convert attention into advertising revenue, made billions of dollars by letting that machine run with limited oversight, and is now frantically trying to clean up the mess that has resulted... It's worth asking, over the long term, why a single American company is in the position of protecting free and fair elections all over the world.
Despite whatever progress has been made, the article complains that "It took sustained pressure from lawmakers, regulators, researchers, journalists, employees, investors and users to force the company to pay more attention to misinformation and threats of election interference. Facebook has shown, time and again, that it behaves responsibly only when placed under a well-lit microscope.

"So as our collective attention fades from the midterms, it seems certain that outsiders will need to continue to hold the company accountable, and push it to do more to safeguard its users -- in every country, during every election season -- from a flood of lies and manipulation."

China has violated an accord it signed with the U.S. three years ago pledging not to engage in hacking for the purpose of economic espionage, a senior U.S. intelligence official said this week. From a report: The 2015 bilateral agreement had significantly reduced the amount of Chinese cybertheft targeting American companies, but Beijing's commitment to the deal has eroded, said Rob Joyce, senior adviser for cybersecurity strategy at the National Security Agency. "It is clear they are well beyond the bounds of the agreement today that was forged between our two countries," Joyce said during a panel conversation at the Aspen Cyber Summit.

Joyce's comments were the latest sign of Washington's rising frustration over China's alleged violation of the pact signed between then-President Barack Obama and Chinese President Xi Jinping. Last week, then-Attorney General Jeff Sessions also said China wasn't adhering to the deal, in which the U.S. and China agreed not to conduct cyber operations against each other to steal intellectual property or other forms of economic intelligence.

An anonymous reader quotes a report from TechCrunch: Georgia's secretary of state and candidate for state governor in the midterm election, Brian Kemp, has taken the unusual, if not unprecedented step of posting the personal details of 291,164 absentee voters online for anyone to download. Kemp's office posted an Excel file on its website within hours of the results of the general election, exposing the names and addresses of state residents who mailed in an absentee ballot -- including their reason why, such as if a person is "disabled" or "elderly."

The file, according to the web page, allows Georgia residents to "check the status of your mail-in absentee ballot." Millions of Americans across the country mail in their completed ballots ahead of election day, particularly if getting to a polling place is difficult -- such as if a person is disabled, elderly or traveling. When reached, Georgia secretary of state's press secretary Candice Broce told TechCrunch that all of the data "is clearly designated as public information under state law," and denied that the data was "confidential or sensitive." "State law requires the public availability of voter lists, including names and address of registered voters," she said in an email. "While the data may already be public, it is not publicly available in aggregate like this," said security expert Jake Williams, founder of Rendition Infosec, who lives in Georgia. Williams took issue with the reasons that the state gave for each absentee ballot, saying it "could be used by criminals to target currently unoccupied properties." "Releasing this data in aggregate could be seen as suppressing future absentee voters in Georgia who do not want their information released in this manner," he said.

An anonymous reader quotes a report from Ars Technica: If you talk to experts on election security (I studied with several of them in graduate school) they'll tell you that we're nowhere close to being ready for online voting. "Mobile voting is a horrific idea," said election security expert Joe Hall when I asked him about a West Virginia experiment with blockchain-based mobile voting back in August. But on Tuesday, The New York Times published an opinion piece claiming the opposite. "Building a workable, scalable, and inclusive online voting system is now possible, thanks to blockchain technologies," writes Alex Tapscott, whom the Times describes as co-founder of the Blockchain Research Institute. Tapscott is wrong -- and dangerously so. Online voting would be a huge threat to the integrity of our elections -- and to public faith in election outcomes.

Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible -- and I think it probably is -- this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms. For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials -- or simply trick them into thinking they've cast a vote when they haven't.

A look at VoteWithMe and OutVote, two new political apps that are trying to use peer pressure to get people to vote. From a story: The apps are to elections what Zillow is to real estate -- services that pull public information from government records, repackage it for consumer viewing and make it available at the touch of a smartphone button. But instead of giving you a peek at house prices, VoteWithMe and OutVote let you snoop on which of your friends voted in past elections and their party affiliations -- and then prod them to go to the polls by sending them scripted messages like "You gonna vote?" "I don't want this to come off like we're shaming our friends into voting," said Naseem Makiya, the chief executive of OutVote, a start-up in Boston. But, he said, "I think a lot of people might vote just because they're frankly worried that their friends will find out if they didn't."

Whom Americans vote for is private. But other information in their state voter files is public information; depending on the state, it can include details like their name, address, phone number and party affiliation and when they voted. The apps try to match the people in a smartphone's contacts to their voter files, then display some of those details. The data's increasing availability may surprise people receiving messages nudging them to vote -- or even trouble them, by exposing personal politics they might have preferred to keep to themselves. Political campaigns have for years purchased voter files from states or bought national voter databases from data brokers, but the information has otherwise had little public exposure outside of campaign use. Now any app user can easily harness such data to make inferences about, and try to influence, their contacts' voting behavior.

An anonymous reader shares a report: In Idaho, Nebraska, and Utah, voters will directly decide whether their states should expand their Medicaid programs. In Wisconsin, they could elect a candidate for governor who has pledged to sharply curtail drug prices. And across the country, Democratic congressional candidates are running on platforms highlighting their support for protecting insurance coverage for those with pre-existing conditions and lowering drug prices. Health care is on the ballot across the country, with issues ranging from medical marijuana to abortion rights to insurance coverage dominating the conversation.

An anonymous reader quotes a report from Motherboard: An election security expert who has done risk-assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor's tabulation system. The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor's name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases -- alternating between two of them -- and in other cases to simply change a number appended to the end of some passwords to change them.

The vendor, California-based Unisyn Voting Solutions, makes an optical-scan system called OpenElect Voting System for use in both precincts and central election offices. The passwords in the manual appear to be for the Open Elect Central Suite, the backend election-management system used to create election definition files for each voting machine before every election -- the files that tell the machine how to apportion votes based on the marks voters make on a ballot. The suite also tabulates votes collected from all of a county's Unisyn optical scan systems. The credentials listed in the manual include usernames and passwords for the initial log-in to the system as well as credentials to log into the client software used to tabulate and store official election results.

An anonymous reader quotes a report from ProPublica: As recently as Monday, computer servers that powered Kentucky's online voter registration and Wisconsin's reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries.

The service, known as FTP, provides public access to files -- sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server's operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states' infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica's inquiries. Kentucky left its password-free service running and said ProPublica didn't understand its approach to security. "FTP is a 40-year-old protocol that is insecure and not being retired quickly enough," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. "Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change."

Twitter has deleted over 10,000 disinformation bots discouraging Americans from voting in Tuesday's midterm elections.

An anonymous reader quotes CNN: Twitter said that the Democratic Congressional Campaign Committee had brought the accounts to their attention. "For the election this year we have established open lines of communication and direct, easy escalation paths for state election officials, DHS, and campaign organizations from both major parties," the spokesperson said. The company said it believes the network of accounts was run from the United States.
The 10,000 accounts were deleted in late September and early October, Reuters reports: The number is modest, considering that Twitter has previously deleted millions of accounts it determined were responsible for spreading misinformation in the 2016 U.S. presidential election. Yet the removals represent an early win for a fledgling effort... The DCCC launched the effort this year in response to the party's inability to respond to millions of accounts on Twitter and other social media platforms that spread negative and false information about Democratic presidential candidate Hillary Clinton and other party candidates in 2016, three people familiar with the operation told Reuters... The DCCC developed its own system for identifying and reporting malicious automated accounts on social media, according to the three party sources.

Apple, Amazon, Facebook and Google, and dozens of other tech companies have come together to condemn discrimination against transgender people in the face of actions President Donald Trump is reportedly considering to reduce their legal protections. From a report: The move is a response to an Oct. 21 New York Times report that the Trump administration is considering limiting the definition of gender to birth genitalia. "Sex means a person's status as male or female based on immutable biological traits identifiable by or before birth," the Department of Health and Human Services proposed in a memo obtained by the Times. If legislation were to move forward, it would jeopardize legal protections for an estimated 1.4 million Americans who identify as a gender other than the one they were assigned at birth, the Times said.

The statement from the companies, which have nearly 4.8 million employees, said diversity and inclusion are good for business. "Transgender people are our beloved family members and friends, and our valued team members," the statement said. "What harms transgender people harms our companies."

From a report: Facebook's new political ad transparency tools allowed Business Insider to run adverts as being "paid for" by Cambridge Analytica, the political consultancy that dragged Facebook into a major data scandal this year. The investigation demonstrates that political advertising on Facebook is still open to manipulation by bad actors, even with greater efforts at transparency. This is despite commitments from chief executive Mark Zuckerberg to solve the company's misinformation problem. Vice first reported last week that the Facebook political ads tool could be manipulated, with the publication securing approval to buy fake Facebook ads on behalf of US Vice President Mike Pence, terrorist group ISIS, and 100 US senators. Business Insider carried out a similar test, setting up false political ads that were captioned as being "paid for by Cambridge Analytica," the defunct political advertising firm which harvested Facebook data and weaponized it during the 2016 US election. Cambridge Analytica is banned from Facebook and has gone into administration.