By msmash from Slashdot's catching-the-wrong-fish department
Earlier this month, technology publication Gizmodo published a report on how it "phished" members of the administration and campaign teams of President Donald Trump. The blog said it identified 15 prominent figures on Trump's team and sent e-mails to each posing as friends, family members, or associates containing a faked Google Docs link. But did the publication inadvertently break the law? ArsTechnica reports: "This was a test of how public officials in an administration whose president has been highly critical of the security failures of the DNC stand up to the sort of techniques that hackers use to penetrate networks," said John Cook, executive editor of Gizmodo's Special Projects Desk, in an e-mail conversation with Ars. Gizmodo targeted some marquee names connected to the Trump administration, including Newt Gingrich, Peter Thiel, (now-ex) FBI director James Comey, FCC chairman Ajit Pai, White House press secretary Sean Spicer, presidential advisor Sebastian Gorka, and the administration's chief policymakers for cybersecurity. The test didn't appear to prove much. Gingrich and Comey responded to the e-mail questioning its provenance. And while about half of the targeted officials may have clicked the link -- eight devices' IP addresses were recorded accessing the linked test page -- none entered their login credentials. The test could not determine whose devices clicked on the link. What the test did manage to do is raise the eyebrows of security experts and some legal experts. That's because despite their efforts to make it "reasonably" apparent that this was a test, Gizmodo's phishing campaign may have violated several laws, ignoring many of the restrictions usually placed on similar tests by penetration-testing and security firms. At a minimum, Gizmodo danced along the edges of the Computer Fraud and Abuse Act (CFAA).
By msmash from Slashdot's business-vs-moral-responsibility department
In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times: At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, "pay extra money to us or we will withhold critical security updates" can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more. Microsoft supported Windows XP for over a decade before finally putting it to sleep. In the wake of ransomware attacks, it stepped forward to release a patch -- a move that has been lauded by columnists. That said, do you folks think it should continue to push security updates to older operating systems as well?
By EditorDavid from Slashdot's protecting-privacy department
An anonymous reader quotes The Guardian:
The human rights group Cage is preparing to mount a legal challenge to UK anti-terrorism legislation over a refusal to hand over mobile and laptop passwords to border control officials at air terminals, ports and international rail stations... The move comes after its international director, Muhammad Rabbani, a UK citizen, was arrested at Heathrow airport in November for refusing to hand over passwords. Rabbani, 35, has been detained at least 20 times over the past decade when entering the UK, under schedule 7 of terrorism legislation that provides broad search powers, but this was the first time he had been arrested... On previous occasions, when asked for his passwords, he said he had refused and eventually his devices were returned to him and he was allowed to go. But there was a new twist this time: when he refused to reveal his passwords, he was arrested under schedule 7 provisions of the terrorism act and held overnight at Heathrow Polar Park police station before being released on bail. He expects to be charged on Wednesday.
Rabbani "argues that the real objective...is not stopping terrorists entering the UK, but as a tool to build up a huge data bank on thousands of UK citizens." And his position drew support from Jim Killock, executive director of the UK-based Open Rights Group. "Investigations should take place when there is actual suspicion, and the police should be able to justify their actions on that basis, rather than using wide-ranging powers designed for border searches."
By EditorDavid from Slashdot's search-and-destroy department
An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher who goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches." The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.
By EditorDavid from Slashdot's Boston-tier-party department
An anonymous reader writes: Thursday the FCC stopped accepting comments as part of long-standing rules "to provide FCC decision-makers with a period of repose during which they can reflect on the upcoming items" before their May 18th meeting. Techdirt wondered if this time to reflect would mean less lobbying from FCC Chairman Ajit Pai, but on Friday Pai recorded a Jimmy Kimmel-style video mocking mean tweets, with responses Gizmodo called "appalling" and implying "that anyone who opposes his cash grab for corporations is a moron."
Meanwhile, Wednesday The Consumerist reported the FCC's sole Democrat "is deploying some scorched-earth Microsoft Word table-making to use FCC Chair Ajit Pai's own words against him." (In 2014 Pai wrote "A dispute this fundamental is not for us five, unelected individuals to decide... We should also engage computer scientists, technologists, and other technical experts to tell us how they see the Internet's infrastructure and consumers' online experience evolving.") But Pai seemed to be mostly sticking to friendlier audiences, appearing with conservative podcasters from the Taxpayer Protection Alliance, the AEI think tank and The Daily Beast.
The Verge reports the flood of fake comments opposing Net Neutrality may have used names and addresses from a breach of 1.4 billion personal information records from marketing company River City Media. Reached on Facebook Messenger, one woman whose name was used "said she hadn't submitted any comments, didn't live at that address anymore and didn't even know what net neutrality is, let alone oppose it."
Techdirt adds "If you do still feel the need to comment, the EFF is doing what the FCC itself should do and has set up its own page at DearFCC.org to hold any comments."
By EditorDavid from Slashdot's writer-rights department
An anonymous reader quotes Deadline:
Netflix, Amazon and Hulu will be paying a lot more in writers' residuals under the new WGA film and TV contract. New details, outlined by WGA West, reveal that high-budget shows they run will generate anywhere between $3,448-$34,637 more residuals per episode over the life of the three-year contract than they did under the old contract, depending on the platform and the length of the show. Essentially, it's the same deal the Director's Guild of America got in their negotiations last December. The WGA contract, which has been unanimously approved by the WGA West board and the WGA East council, now goes to the guilds' members for final ratification. Voting begins Friday and concludes May 24.
For every half-hour of a high-budget show, Netflix will be paying $19,058 more in residuals than it did under the old contract.
By EditorDavid from Slashdot's AMT-vs-EFF department
The EFF is issuing a warning about the "tiny homunculus computer" in most of Intel's chipsets -- the largely-undocumented "Management Engine" which houses more than just the AMT module. An anonymous reader quotes their report:
While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one... vulnerabilities in any of the other modules could be as bad, if not worse, for security. Some of the other modules include hardware-based authentication code and a system for location tracking and remote wiping of laptops for anti-theft purposes... It should be up to hardware owners to decide if this code will be installed in their computers or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user's interests, and should never be installed in a Management Engine by default...
While Intel may put a lot of effort into hunting for security bugs, vulnerabilities will inevitably exist, and having them lurking in a highly privileged, low-level component with no OS visibility or reliable logging is a nightmare for defensive cybersecurity. The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility... EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.
TLDR: "We have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure."
By EditorDavid from Slashdot's what's-in-Vogue department
Slashdot reader Dan Drollette shares an article by the executive director and publisher of the Bulletin of the Atomic Scientists: On Friday, an elite group of the world's nuclear experts and advisers launched a Nuclear Crisis Group, to help manage the growing risk of nuclear conflict. The group includes leading diplomats with decades of experience, and retired military officers who were once responsible for launching nuclear weapons if given the order to do so. China, India, Pakistan, Russia, and the United States, all countries that have nuclear weapons, are represented. The group intends to create a "shadow security council," or an expert group capable of providing advice to world leaders on nuclear matters...
Building on grass-roots support, the Nuclear Crisis Group could serve as a brake on nuclear escalation and be an early step in reversing the downward nuclear security spiral. Not only will they be able to offer expertise to inexperienced leaders who are dabbling in nuclear security, but they will be able to develop and endorse proposals that could make the world safer such as expanding the decision time that leaders have to respond to a nuclear threat, further protecting nuclear systems against cyber attacks and unintended escalations, reenergizing the appetite for arms control negotiations, and questioning global nuclear upgrade programs.
By EditorDavid from Slashdot's pesky-humans department
An anonymous reader writes:
Will millions be unemployed after a job-destroying robot apocalypse? That's "starkly at odds with the evidence," argues a Wall Street Journal columnist, who says the real problem is robots aren't destroying enough jobs. "Too many sectors, such as health care or personal services, are so resistant to automation that they are holding back the entire country's standard of living." Noting that "churn relative to total employment" is the lowest it's ever been, he writes that "The pessimism would be more plausible if the evidence weren't moving in exactly the opposite direction...
"In April, nonfarm private employment rose for the 86th straight month, the longest such streak on record. Monthly job creation has averaged 185,000 this year, more than double what the U.S. can sustain given its demographics. This has driven unemployment down to 4.4%, a 10-year low and below most estimates of 'full employment.' Growing labor shortages have boosted the typical worker's annual wage gain to more than 3% now from 2% in 2012, according to the Federal Reserve Bank of Atlanta. Instead of worrying about robots destroying jobs, business leaders need to figure out how to use them more, especially in low-productivity sectors... The alternative is a tightening labor market that forces companies to pay ever higher wages that must be passed on as inflation, which usually ends with recession. "That is a more imminent threat than an army of androids."