Group items tagged

The White House on Wednesday made public for the first time the rules by which the government decides to disclose or keep secret software flaws that can be turned into cyberweapons — whether by U.S. agencies hacking for foreign intelligence, money-hungry criminals or foreign spies seeking to penetrate American computers. The move to publish an un­classified charter responds to years of criticism that the process was unnecessarily opaque, fueling suspicion that it cloaked a stockpile of software flaws that the National Security Agency was hoarding to go after foreign targets but that put Americans’ cyber­security at risk.

The rules are part of the “Vulnerabilities Equities Process,” which the Obama administration revamped in 2014 as a multi­agency forum to debate whether and when to inform companies such as Microsoft and Juniper that the government has discovered or bought a software flaw that, if weaponized, could affect the security of their product. The Trump administration has mostly not altered the rules under which the government reaches a decision but is disclosing its process. Under the VEP, an “equities review board” of at least a dozen national security and civilian agencies will meet monthly — or more often, if a need arises — to discuss newly discovered vulnerabilities. Besides the NSA, the CIA and the FBI, the list includes the Treasury, Commerce and State departments, and the Office of Management and Budget. The priority is on disclosure, the policy states, to protect core Internet systems, the U.S. economy and critical infrastructure, unless there is “a demonstrable, overriding interest” in using the flaw for intelligence or law enforcement purposes. The government has long said that it discloses the vast majority — more than 90 percent — of the vulnerabilities it discovers or buys in products from defense contractors or other sellers. In recent years, that has amounted to more than 100 a year, according to people familiar with the process. But because the process was classified, the National Security Council, which runs the discussion, was never able to reveal any numbers. Now, Joyce said, the number of flaws disclosed and the number retained will be made public in an annual report. A classified version will be sent to Congress, he said.

Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising. Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers. Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived “hash” summary of the file itself. The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking.

The information security world is focused on two new security vulnerabilities, “Spectre” and “Meltdown”, that represent vulnerabilities embedded in computer hardware. Lawfare readers should respond in two ways: keep their operating systems up to date and, critically, install an ad-blocker for your web browser. (Here are guides on how to do so in Chrome and Firefox.) In fact, a proper response to Spectre should involve ad-blocking on all government computers. Other than that, don’t worry. Readers who just wanted to know what to do can stop reading. But for those curious about some of the technical background on these vulnerabilities and why ad-blocking is an essential security measure for a modern computer, read on.

Google plans to stop selling ads based on individuals’ browsing across multiple websites, a change that could hasten upheaval in the digital advertising industry. The Alphabet Inc. company said Wednesday that it plans next year to stop using or investing in tracking technologies that uniquely identify web users as they move from site to site across the internet. The decision, coming from the world’s biggest digital advertising company, could help push the industry away from the use of such individualized tracking, which has come under increasing criticism from privacy advocates and faces scrutiny from regulators. Google’s heft means the change could reshape the digital ad business, where many companies rely on tracking individuals to target their ads, measure the ads’ effectiveness and stop fraud. Google accounted for 52% of last year’s global digital ad spending of $292 billion, according to Jounce Media, a digital ad consultancy.

A former Google engineer has released nearly 1,000 pages of documents that he says prove that the company, at least in some of its products, secretly boosts or demotes content based on what it deems to be true or false, while publicly claiming to be a neutral platform. The software engineer, Zach Vorhies, first provided the documents to Project Veritas, a right-leaning investigative journalism nonprofit, as well as the Justice Department’s antitrust division, which has been investigating Google for potentially anti-competitive behavior.

When he returned to work, however, Google sent him a letter demanding, among other things, that he turn over his employee badge and work laptop, which he did, and “cease and desist” from disclosing “any non-public Google files.” Afraid for his safety, he posted on Twitter that if something would happen to him, all the documents he took would be released to the public.Google then did a “wellness check” on him, he said. The San Francisco police received a call that Vorhies may be mentally ill. A group of officers waited for him outside his house and put him in handcuffs. “This is a large way in which they intimidate their employees that go rogue on the company,” he said.Vorhies then decided that it would be safer for him to go public.

One of the goals of the effort was a “clean & regularly sanitized news corpus,” it reads.

One week after we reported that Facebook's Libra stablecoin project, Libra, was imploding, as online payment giant PayPal quite the Libra network, we can now set the time of death to today - that's when first eBay, then Stripe and finally Mastercard all abandoned Mark Zuckerberg's pet "cryptocurrency" (which was anything but) project. As the FT reports, Ebay and Stripe became the second and third major companies in a week to drop out of Facebook’s planned cryptocurrency, following sustained political pressure and just days before the project’s backers are due to meet for their first board meeting, which may soon be empty.

WhatsApp sued Israeli surveillance firm NSO Group on Tuesday, accusing it of helping government spies break into the phones of roughly 1,400 users across four continents in a hacking spree whose targets included diplomats, political dissidents, journalists and senior government officials.

In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified. WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.” NSO denied the allegations.

Citizen Lab, a cybersecurity research laboratory based at the University of Toronto that worked with WhatsApp to investigate the phone hacking, told Reuters that the targets included well-known television personalities, prominent women who had been subjected to online hate campaigns and people who had faced “assassination attempts and threats of violence.”

While everyone was focused on the release of the Mueller report Thursday, Facebook quietly notified the public that the passwords of "millions of Instagram users" were stored in an unencrypted format on an internal server, and searchable by any employee.

In March, security expert Brian Krebs of KrebsonSecurity noted:  The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012. My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords. -KrebsonSecurity In short, if you believe Facebook that the passwords were not improperly accessed, rest well. If you don't believe them, and you use your Instagram password for other things, perhaps it's time to think of a new one.  

Facebook expects to pay a fine of up to $5 billion in a settlement with federal regulators. The tech giant disclosed that figure in its first-quarter 2019 financial results. Facebook has been in negotiations with the Federal Trade Commission following concerns that the company violated a 2011 consent decree. Back then, company leaders promised to give consumers "clear and prominent notice" when sharing their data with others and to get "express consent."

But, experts say, Facebook broke its promise. Just one example: giving user data to Cambridge Analytica, the political consulting firm that did work for the 2016 Trump campaign. Facebook estimates the fine will be in the $3 billion to $5 billion range and has set aside $3 billion for payment. "The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome," the company's statement says.

Alongside new products and features, Google Tuesday announced a series of moves designed to offer users more privacy. The move builds on an announcement last week that it would allow users to automatically delete their location and activity history. Why it matters: The changes come as Google, along with other tech giants including Facebook, is under pressure to give people more control over what personal information online platforms collect and store.

Israel is aiming to build an international coalition to force the world’s leading social media giants to prevent their platforms from being abused to peddle incitement to terrorism. The move, which was unveiled by Public Security Minister Gilad Erdan at Sunday’s cabinet meeting, aims at requiring Facebook, Twitter, Youtube, and other social networks to take greater responsibility for such content.

While some experts consider the idea unworkable — arguing that the terms of service of such platforms protect them from any legal threat, and that the preventative measures Erdan wants to see introduced are not possible technologically, others say a coalition pushing for change could be effective, and certainly stands more of a chance than an effort led by Israel alone.

A Chinese internet technology company has announced a plan to provide free satellite internet worldwide by 2026, joining companies like SpaceX, Facebook and Google in the mission to run a global internet service.

Shanghai-based company LinkSure Network, which says its mission is to bridge the world's digital inequalities, unveiled on Tuesday the first satellite in their ambitious plan to ensure that everyone in the world can access the internet free of charge.The plan — dubbed the "LinkSure Swarm Constellation System" — would see 272 satellites set at different orbits and heights in order to span the entire globe.The first satellite, LinkSure No 1, is set to launch in north-west China in 2019 from the Jiuquan Satellite Launch Centre as part of the payload on board one of China's Long March rockets.Ten further satellites will be sent into orbit by 2020.

Google cuts Huawei off Android; so Huawei may migrate to Aurora. Call it mobile Eurasia integration; the evolving Russia-China strategic partnership may be on the verge of spawning its own operating system – and that is not a metaphor. Aurora is a mobile operating system currently developed by Russian Open Mobile Platform, based in Moscow. It is based on the Sailfish operating system, designed by Finnish technology company Jolla, which featured a batch of Russians in the development team. Quite a few top coders at Google and Apple also come from the former USSR – exponents of a brilliant scientific academy tradition.

Aurora could be regarded as part of Huawei’s fast-evolving Plan B. Huawei is now turbo-charging the development and implementation of its own operating system, HongMeng, a process that started no less than seven years ago. Most of the work on an operating system is writing drivers and APIs (application programming interfaces). Huawei would be able to integrate their code to the Russian system in no time.

No Google? Who cares? Tencent, Xiaomi, Vivo and Oppo are already testing the HongMeng operating system, as part of a batch of one million devices already distributed. HongMeng’s launch is still a closely guarded secret by Huawei, but according to CEO Richard Yu, it could happen even before the end of 2019 for the Chinese market, running on smartphones, computers, TVs and cars. HongMeng is rumored to be 60% faster than Android.

Google and Facebook, the No. 1 and No. 2 players in online advertising, made a secret illegal pact in 2018 to divide up the market for ads on websites and apps, according to an antitrust suit filed Wednesday against the search giant. The suit — filed by Texas and eight other states — alleges that the companies colluded to fix prices and divvy up the market for mobile advertising between them.

The allegation that Google teamed up with Facebook to suppress competition mirrors a major claim in a separate antitrust suit the Justice Department filed against the company in October: that Google teamed up with Apple to help ensure the continued dominance of its search engine. Such allegations provide some of the strongest ammunition yet to advocates who argue that the U.S. major tech companies have gotten too big and are using their power — sometimes in conjunction with each other — to control markets.Many of the details about the Google-Facebook agreement, including its specific language, are redacted from the complaint. But the states say it “fixes prices and allocates markets between Google and Facebook as competing bidders in the auctions for publishers’ web display and in-app advertising inventory.”

The complaint alleges that the agreement was prompted by Facebook’s move in 2017 to use “header bidding” — a technology popular with website publishers that helped them increase the money they made from advertising. While Facebook sells ads on its own platform, it also operates a network to let advertisers offer ads on third-party apps and mobile websites.

Google and Apple, which already battle over mobile operating systems, are opening a new front in their fight. How that plays out may determine the future of the web. Google was born on the web, and its business reflects its origin. The company depends on the web for search and advertising revenue. So it isn't a surprise that Google sees the web as key to the future of software. Front and center are web apps, interactive websites with the same power as conventional apps that run natively on operating systems like Windows, Android, MacOS and iOS.  Apple has a different vision of the future, one that plays to its strengths. The company revolutionized mobile computing with its iPhone line. Its profits depend on those products and the millions of apps that run on them. Apple, unsurprisingly, appears less excited about developments, like web apps, that could cut into its earnings.

hina’s ByteDance has agreed to divest the U.S. operations of TikTok completely in a bid to save a deal with the White House, after President Donald Trump said on Friday he had decided to ban the popular short-video app, two people familiar with the matter said on Saturday. ByteDance was previously seeking to keep a minority stake in the U.S. business of TikTok, which the White House had rejected. Under the new proposed deal, ByteDance would exit completely and Microsoft Corp would take over TikTok in the United States, the sources said. Some ByteDance investors that are based in the United States may be given the opportunity to take minority stakes in the business, the sources added. The White House did not respond to a request for comment on whether Trump would accept ByteDance’s concession. ByteDance in Beijing did not respond to a request for comment. Under ByteDance’s new proposal, Microsoft will be in charge of protecting all U.S. user data, the sources said. The plan allows for another U.S. company other than Microsoft to take over TikTok in the United States, the sources added.

Bytedance has apparently gotten the "tap on the shoulder" from the CCP bigwigs who apparently aren't super thrilled about the optics of a mighty Chinese conglomerate kowtowing to the Trump Administration. Earlier today, it appeared that President Trump's late-night threat about banning TikTok had motivated ByteDance and Microsoft to speed up their talks. But as the New York afternoon wore on, a Dow Jones headline proclaimed that Microsoft and ByteDance had decided to abruptly stop negotiations.

Facebook said on Wednesday that it had agreed to pay $550 million to settle a class-action lawsuit over its use of facial recognition technology in Illinois, giving privacy groups a major victory that again raised questions about the social network’s data-mining practices.The case stemmed from Facebook’s photo-labeling service, Tag Suggestions, which uses face-matching software to suggest the names of people in users’ photos. The suit said the Silicon Valley company violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission and without telling them how long the data would be kept. Facebook has said the allegations have no merit.Under the agreement, Facebook will pay $550 million to eligible Illinois users and for the plaintiffs’ legal fees. The sum dwarfs the $380.5 million that the Equifax credit reporting agency agreed this month to pay to settle a class-action case over a 2017 consumer data breach.

The Justice Department plans to bring an antitrust case against Google as soon as this month, after Attorney General William P. Barr overruled career lawyers who said they needed more time to build a strong case against one of the world’s wealthiest, most formidable technology companies, according to five people briefed on internal department conversations.Justice Department officials told lawyers involved in the antitrust inquiry into Alphabet, the parent company of Google and YouTube, to wrap up their work by the end of September, according to three of the people. Most of the 40-odd lawyers who had been working on the investigation opposed the deadline. Some said they would not sign the complaint, and several of them left the case this summer.Some argued this summer in a memo that ran hundreds of pages that they could bring a strong case but needed more time, according to people who described the document. Disagreement persisted among the team over how broad the complaint should be and what Google could do to resolve the problems the government uncovered. The lawyers viewed the deadline as arbitrary.While there were disagreements about tactics, career lawyers also expressed concerns that Mr. Barr wanted to announce the case in September to take credit for action against a powerful tech company under the Trump administration.

The Federal Trade Commission sued to break up Facebook on Wednesday, asking a federal court to force the sell-off of assets such as Instagram and WhatsApp as independent businesses.“Facebook has maintained its monopoly position by buying up companies that present competitive threats and by imposing restrictive policies that unjustifiably hinder actual or potential rivals that Facebook does not or cannot acquire,” the commission said in the lawsuit filed in federal court in Washington, D.C.The lawsuit asks the court to order the “divestiture of assets, divestiture or reconstruction of businesses (including, but not limited to, Instagram and/or WhatsApp),” as well as other possible relief the court might want to add.

Attorneys general from 48 states and territories said they were filing their own lawsuit against Facebook, reflecting the broad and bipartisan concern about how much power Facebook and its CEO, Mark Zuckerberg, have accumulated on the internet.

Three states and the District of Columbia allege that the tech giant misled consumers by continuing to track those who had changed their privacy settings to prevent data collection.

Google is also fighting an antitrust lawsuit led by Texas in which states have accused the company of obtaining and abusing a monopoly over the systems that allow publishers to auction off ad space to marketers. On Friday, Google asked a federal court to dismiss the lawsuit.The lawsuits add to a mounting offensive by regulators to curtail the power and business practices of Silicon Valley giants like Google, Facebook, Amazon and Apple. State and federal regulators have filed dozens of antitrust, consumer protection, privacy and trade lawsuits in an attempt to curb the business models or break up the companies. A Senate committee last week advanced potentially landmark antitrust legislation that tries to weaken the dominance of the internet giants.