Databases

Vermont DMV Caught Using Illegal Facial Recognition Program (vocativ.com) 34

schwit1 quotes a report from Vocativ: The Vermont Department of Motor Vehicles has been caught using facial recognition software -- despite a state law preventing it. Documents obtained by the American Civil Liberties Union of Vermont describe such a program, which uses software to compare the DMV's database of names and driver's license photos with information with state and federal law enforcement. Vermont state law, however, specifically states that "The Department of Motor Vehicles shall not implement any procedures or processes that involve the use of biometric identifiers." The program, the ACLU says, invites state and federal agencies to submit photographs of persons of interest to the Vermont DMV, which it compares against its database of some 2.6 million Vermonters and shares potential matches. Since 2012, the agency has run at least 126 such searches on behalf of local police, the State Department, FBI, and Immigrations and Customs Enforcement.
Robotics

Robot Police Officer Goes On Duty In Dubai (bbc.com) 27

The first robot officer has joined the Dubai Police force tasked with patrolling the city's malls and tourist attractions. "People will be able to use it to report crimes, pay fines and get information by tapping a touchscreen on its chest," reports BBC. "Data collected by the robot will also be shared with the transport and traffic authorities." From the report: The government said the aim was for 25% of the force to be robotic by 2030 but they would not replace humans. "We are not going to replace our police officers with this tool," said Brig Khalid Al Razooqi, director general of smart services at Dubai Police. "But with the number of people in Dubai increasing, we want to relocate police officers so they work in the right areas and can concentrate on providing a safe city. "Most people visit police stations or customer service, but with this tool we can reach the public 24/7. It can protect people from crime because it can broadcast what is happening right away to our command and control center."
Government

The Trump Administration Wants To Be Able To Track and Hack Your Drone (fastcompany.com) 182

An anonymous reader shares a report: The Trump administration wants federal agencies to be able to track, hack, or even destroy drones that pose a threat to law enforcement and public safety operations, The New York Times reports. A proposed law, if passed by Congress, would let the government take down unmanned aircraft posing a danger to firefighting and search-and-rescue missions, prison operations, or "authorized protection of a person." The government will be required to respect "privacy, civil rights, and civil liberties" when exercising that power, the draft bill says. But records of anti-drone actions would be exempt from public disclosure under freedom of information laws, and people's right to sue over damaged and seized drones would be limited, according to the text of the proposal published by the Times. The administration, which would not comment on the proposal, scheduled a classified briefing on Wednesday for congressional staff members to discuss the issue.
IT

JSON Feed Announced As Alternative To RSS (jsonfeed.org) 167

Reader Anubis IV writes: With Slashdot recently asking whether we still use RSS, it may come as a surprise that something interesting has happened in the world of news feeds this week. JSON Feed was launched as an alternative to RSS and Atom, eschewing the XML they rely on -- which is frequently malformed and difficult to parse -- in favor of a human readable JSON format that reflects the decades of combined experience its authors have in the field. The JSON Feed spec is a simple read that lays out a number of pragmatic benefits the format has over RSS and Atom, such as eliminating duplicate entries, adding the ability to paginate feeds so that old entries remain available, and reducing the need for clients to scrape sites to find images and other resources. Given that it's authored by the developers behind one of the earliest, popular RSS clients and a recently Kickstarted blogging platform, the format is intended to address the common pain points currently faced by developers when producing and parsing feeds.

While it remains to be seen whether JSON Feed will escape the chicken-and-egg stage of adoption, several clients have already added support for the fledgling format in the week since its announcement, including Feedbin, Inoreader, and NewsBlur.

Security

Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com) 114

Millions of people risk having their devices and systems compromised by malicious subtitles, according to new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and, in some cases, are still working on them. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.
Security

Wikimedia Is Clear To Sue the NSA Over Its Use of Warrantless Surveillance Tools (engadget.com) 56

The Wikimedia Foundation has the right to sue the National Security Agency over its use of warrantless surveillance tools, a federal appeals court ruled. "A district judge shot down Wikimedia's case in 2015, saying the group hadn't proved the NSA was actually illegally spying on its communications," reports Engadget. "In this case, proof was a tall order, considering information about the targeted surveillance system, Upstream, remains classified." From the report: The appeals court today ruled Wikimedia presented sufficient evidence that the NSA was in fact monitoring its communications, even if inadvertently. The Upstream system regularly tracks the physical backbone of the internet -- the cables and routers that actually transmit our emoji. With the help of telecom providers, the NSA then intercepts specific messages that contain "selectors," email addresses or other contact information for international targets under U.S. surveillance. "To put it simply, Wikimedia has plausibly alleged that its communications travel all of the roads that a communication can take, and that the NSA seizes all of the communications along at least one of those roads," the appeals court writes. "Thus, at least at this stage of the litigation, Wikimedia has standing to sue for a violation of the Fourth Amendment. And, because Wikimedia has self-censored its speech and sometimes forgone electronic communications in response to Upstream surveillance, it also has standing to sue for a violation of the First Amendment."
Security

DEFCON Conference To Target Voting Machines (politico.com) 105

An anonymous reader quotes a report from Politico: Hackers will target American voting machines -- as a public service, to prove how vulnerable they are. When over 25,000 of them descend on Caesar's Palace in Las Vegas at the end of July for DEFCON, the world's largest hacking conference, organizers are planning to have waiting what they call "a village" of different opportunities to test how easily voting machines can be manipulated. Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks. With all the attention on Russia's apparent attempts to meddle in American elections -- former President Barack Obama and aides have made many accusations toward Moscow, but insisted that there's no evidence of actual vote tampering -- voting machines were an obvious next target, said DEFCON founder Jeff Moss.
Programming

'Coding Is Not Fun, It's Technically and Ethically Complex' (qz.com) 331

An anonymous reader shares an article: For starters, the profile of a programmer's mind is pretty uncommon. As well as being highly analytical and creative, software developers need almost superhuman focus to manage the complexity of their tasks. Manic attention to detail is a must; slovenliness is verboten. Coding isn't the only job that demands intense focus. But you'd never hear someone say that brain surgery is "fun," or that structural engineering is "easy." When it comes to programming, why do policymakers and technologists pretend otherwise? For one, it helps lure people to the field at a time when software (in the words of the venture capitalist Marc Andreessen) is "eating the world" -- and so, by expanding the labor pool, keeps industry ticking over and wages under control. Another reason is that the very word "coding" sounds routine and repetitive, as though there's some sort of key that developers apply by rote to crack any given problem. It doesn't help that Hollywood has cast the "coder" as a socially challenged, type-first-think-later hacker, inevitably white and male, with the power to thwart the Nazis or penetrate the CIA. Insisting on the glamor and fun of coding is the wrong way to acquaint kids with computer science. It insults their intelligence and plants the pernicious notion in their heads that you don't need discipline in order to progress. As anyone with even minimal exposure to making software knows, behind a minute of typing lies an hour of study. It's better to admit that coding is complicated, technically and ethically. Computers, at the moment, can only execute orders, to varying degrees of sophistication. So it's up to the developer to be clear: the machine does what you say, not what you mean. 
More and more "decisions" are being entrusted to software, including life-or-death ones: think self-driving cars; think semi-autonomous weapons; think Facebook and Google making inferences about your marital, psychological, or physical status, before selling it to the highest bidder. Yet it's rarely in the interests of companies and governments to encourage us to probe what's going on beneath these processes.
Encryption

Hackers Unlock Samsung Galaxy S8 With Fake Iris (vice.com) 72

From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," said Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.
Microsoft

Microsoft Announces 'Windows 10 China Government Edition', Lets Country Use Its Own Encryption (windows.com) 108

At an event in China on Tuesday, Microsoft announced yet another new version of Windows 10. Called Windows 10 China Government Edition, the new edition is meant to be used by the Chinese government and state-owned enterprises, ending a standoff over the operating system by meeting the government's requests for increased security and data control. In a blog post, Windows chief Terry Myerson writes: The Windows 10 China Government Edition is based on Windows 10 Enterprise Edition, which already includes many of the security, identity, deployment, and manageability features governments and enterprises need. The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.
Microsoft

Microsoft Says a Chinese 'Gaming Service' Company Is Hacking Xbox Accounts (theverge.com) 30

An anonymous reader shares a report: Since 2015, a Chinese gaming website has been hacking Xbox accounts and selling the proceeds on the open market, according to a complaint filed by Microsoft in federal court on Friday. On its website, iGSKY presents itself as a gaming service company, offering players a way to pay for in-game credits and rare items -- but according to Microsoft, many of those credits were coming from someone else's wallet. The complaint alleges that the company made nearly $2 million in purchases through hacked accounts and their associated credit cards, using purchases as a way to launder the resulting cash. On the site, cheap in-game points are also available for the FIFA games, Forza Horizon 3, Grand Theft Auto V, and Pokemon Go, among others.
Businesses

Tech-Savvy Workers Increasingly Common in Non-IT Roles (betanews.com) 124

An anonymous reader shares an article: IT professionals are becoming an increasingly common presence outside of the traditional IT departments, new research has found. According to CompTIA, it seems executives are calling for specialized skills, faster reflexes and more teamwork in their workers. According to the report, a fifth (21 percent) of CFOs say they have a dedicated tech role in their department. Those roles include business scientists, analysts, and software developers. There are also hybrid positions -- in part technical, but also focused on the business itself. "This isn't a case of rogue IT running rampant or CIOs and their teams becoming obsolete," says Carolyn April, senior director, industry analysis, CompTIA. "Rather, it signals that a tech-savvier workforce is populating business units and job roles."
Android

Hackers Hit Russian Bank Customers, Planned International Cyber Raids (reuters.com) 19

Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters. From the report: Their campaign raised a relatively small sum by cyber-crime standards -- more than 50 million roubles ($892,000) -- but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations. Russia's relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers. The Kremlin has repeatedly denied the allegation. The gang members tricked the Russian banks' customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs, according to a report compiled by cyber security firm Group-IB which investigated the attack with the Russian Interior Ministry.
Government

Indian Election Officials Challenge Critics To Hack Electronic Voting Machine (thehindu.com) 52

Slashdot reader erodep writes: Following the recent elections in India, there have been multiple allegations of electoral fraud by hacking of Electronic Voting Machines... Two weeks ago, a party even "demonstrated" that these machines can be hacked. The Election Commission of India has rubbished these claims and they have thrown an open challenge, starting June 3rd to hack these EVMs using WiFi, Bluetooth or any internet device. This is a plea to the hackers of Slashdot to help secure the future of the largest democracy on the planet.
Each party can nominate three experts -- though India's Aam Aadmi Party is already complaining that there are too many terms and conditions. And party leader Sanjay Singh has said he also wants paper ballots for all future elections, arguing "All foreign countries like America, Japan, Germany and Britain have gone back to ballot paper."
Networking

Netgear Adds Support For "Collecting Analytics Data" To Popular R7000 Router 109

An anonymous reader writes: Netgear's latest firmware update for the R7000 includes new support for collecting analytics data. The update release notes include this caution:

NOTE: It is strongly recommended that after the firmware is updated to this version, log back in to the router's web GUI and configure the settings for this feature.

An article on Netgear's KB, updated last week, states that Netgear collects information including IP addresses, MAC, certain WiFi information, and information about connected devices.

AI

The Working Dead: Which IT Jobs Are Bound For Extinction? (infoworld.com) 565

Slashdot reader snydeq shares an InfoWorld article identifying "The Working Dead: IT Jobs Bound For Extinction." Here's some of its predictions.
  • The president of one job leadership consultancy argues C and C++ coders will soon be as obsolete as Cobol programmers. "The entire world has gone to Java or .Net. You still find C++ coders in financial companies because their systems are built on that, but they're disappearing."
  • A data scientist at Stack Overflow "says demand for PHP, WordPress, and LAMP skills are seeing a steady decline, while newer frameworks and languages like React, Angular, and Scala are on the rise."
  • The CEO and co-founder of an anonymous virtual private network service says "The rise of Azure and the Linux takeover has put most Windows admins out of work. Many of my old colleagues have had to retrain for Linux or go into something else entirely."
  • In addition, "Thanks to the massive migration to the cloud, listings for jobs that involve maintaining IT infrastructure, like network engineer or system administrator, are trending downward, notes Terence Chiu, vice president of careers site Indeed Prime."
  • The CTO of the job site Ladders adds that Smalltalk, Flex, and Pascal "quickly went from being popular to being only useful for maintaining older systems. Engineers and programmers need to continually learn new languages, or they'll find themselves maintaining systems instead of creating new products."
  • The president of Dice.com says "Right now, Java and Python are really hot. In five years they may not be... jobs are changing all the time, and that's a real pain point for tech professionals."

But the regional dean of Northeastern University-Silicon Valley has the glummest prediction of all. "If I were to look at a crystal ball, I don't think the world's going to need as many coders after 2020. Ninety percent of coding is taking some business specs and translating them into computer logic. That's really ripe for machine learning and low-end AI."


Botnet

Attackers DDoS WannaCry Kill Switch (venturebeat.com) 73

An anonymous reader quotes VentureBeat: As of late Friday, after many of the deadlines threatening data deletion had passed, few victims had paid ransoms. According to Elliptic Enterprises, only about $94,000 worth of ransoms had been paid via Bitcoin, which works out to less than one in a thousand of the 300,000 victims who were reportedly affected by WannaCry... While not as bad as feared, ransomware (not to mention cybersecurity threats in general) isn't going away. Wired reported that the domain registered by Hutchins has been under intense denial-of-service attacks delivered by an army of IoT devices marshalled, zombie-like, by Mirai.
Security

New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com) 115

An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.

EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers of its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.

Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author desires so. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.

Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."
Botnet

Groups War Over Resources For DDoS Attacks (csoonline.com) 23

An anonymous reader quotes CSO: As more groups get into the denial-of-service attack business they're starting to get in each other's way, according to a report released Thursday... There are only so many devices around that have the kind of vulnerabilities that make them potential targets for a botnet. That translates into a smaller average attack size, said Martin McKeay, senior security advocate at Cambridge, Mass.-based Akamai Technologies Inc. "And other people can come in and take over the device, and take those resources to feed their own botnet," he said. "I'm seeing that over and over."
The article reports a median size for DDoS attacks of 4 gigabits per second at the start of 2015 -- which dropped in the first quarter of 2017 down to 500 megabits per second.
Security

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) 53

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.
