The Internet

Net Neutrality Is Over Monday, But Experts Say ISPs Will Wait To Screw Us (inverse.com) 44

An anonymous reader quotes a report from Inverse: Parts of the Federal Communication Commission's repeal of net neutrality is slated to take effect on April 23, causing worry among internet users who fear the worst from their internet service providers. However, many experts believe there won't be immediate changes come Monday, but that ISPs will wait until users aren't paying attention to make their move. "Don't expect any changes right out of the gate," Dary Merckens, CTO of Gunner Technology, tells Inverse. Merckens specializes in JavaScript development for government and business, and sees why ISPs would want to lay low for a while before enacting real changes. "It would be a PR nightmare for ISPs if they introduced sweeping changes immediately after the repeal of net neutrality," he says.

While parts of the FCC's new plan will go into effect on Monday, the majority of the order still doesn't have a date for when it will be official. Specific rules that modify data collection requirements still have to be approved by the Office of Management and Budget, and the earliest that can happen is on April 27. Tech experts and consumer policy advocates don't expect changes to happen right away, as ISPs will likely avoid any large-scale changes in order to convince policymakers that the net neutrality repeal was no big deal after all.

Google

Who Has More of Your Personal Data Than Facebook? Try Google (wsj.com) 71

Facebook may be in the hot seat right now for its collection of personal data without our knowledge or explicit consent, but as The Wall Street Journal points out, "Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps." From the report (alternative source): It's likely that Google has shadow profiles (data the company gathers on people without accounts) on as at least as many people as Facebook does, says Chandler Givens, CEO of TrackOff, which develops software to fight identity theft. Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting, though, like Facebook, it continues to gather your data. Google Analytics is far and away the web's most dominant analytics platform. Used on the sites of about half of the biggest companies in the U.S., it has a total reach of 30 million to 50 million sites. Google Analytics tracks you whether or not you are logged in. Meanwhile, the billion-plus people who have Google accounts are tracked in even more ways. In 2016, Google changed its terms of service, allowing it to merge its massive trove of tracking and advertising data with the personally identifiable information from our Google accounts.

Google uses, among other things, our browsing and search history, apps we've installed, demographics like age and gender and, from its own analytics and other sources, where we've shopped in the real world. Google says it doesn't use information from "sensitive categories" such as race, religion, sexual orientation or health. Because it relies on cross-device tracking, it can spot logged-in users no matter which device they're on. Google fuels even more data harvesting through its dominant ad marketplaces. There are up to 4,000 data brokers in the U.S., and collectively they know everything about us we might otherwise prefer they didn't -- whether we're pregnant, divorced or trying to lose weight. Google works with some of these brokers directly but the company says it vets them to prevent targeting based on sensitive information. Google also is the biggest enabler of data harvesting, through the world's two billion active Android mobile devices.

Security

'Drupalgeddon2' Touches Off Arms Race To Mass-Exploit Powerful Web Servers (arstechnica.com) 42

Researchers with Netlab 360 warn that attackers are mass-exploiting "Drupalgeddon2," the name of an extremely critical vulnerability Drupal maintainers patched in late March. The exploit allows them to take control of powerful website servers. Ars Technica reports: Formally indexed as CVE- 2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers.

Drupalgeddon2 "is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses," Daniel Cid, CTO and founder of security firm Sucuri, told Ars. "Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can." China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.

Crime

UK Teen Who Hacked CIA Director Sentenced To 2 Years In Prison (gizmodo.com) 97

An anonymous reader quotes a report from Gizmodo: A British teenager who gained notoriety for hacking a number of high profile United States government employees including former CIA director John Brennan and former director of intelligence James Clapper was sentenced Friday to two years in prison. Eighteen-year-old Kane Gamble pleaded guilty to 10 separate charges, including eight counts of "performing a function with intent to secure unauthorized access" and two counts of "unauthorized modification of computer material," the Guardian reported.

Gamble, otherwise known by his online alias Cracka, was 15 at the time that he started his hacking campaigns. The alleged leader of a hacking group known as Crackas With Attitude (CWA), Gamble made it a point to target members of the U.S. government. The young hacker's group managed to successfully gain access to ex-CIA director John Brennan's AOL email account. The group hacked a number of accounts belonging to former Director of National Intelligence James Clapper, including his personal email, his wife's email, and his phone and internet provider account. The hackers allegedly made it so every call to Clapper's home phone would get forwarded to the Free Palestine Movement.

The Internet

Pornhub Hasn't Been Actively Enforcing Its Deepfake Ban (engadget.com) 73

Pornhub said in February that it was banning AI-generated deepfake videos, but BuzzFeed News found that it's not doing a very good job at enforcing that policy. The media company found more than 70 deepfake videos -- depicting graphic fake sex scenes with Emma Watson, Scarlett Johanson, and other celebrities -- were easily searchable from the site's homepage using the search term "deepfake." From the report: Shortly after the ban in February, Mashable reported that there were dozens of deepfake videos still on the site. Pornhub removed those videos after the report, but a few months later, BuzzFeed News easily found more than 70 deepfake videos using the search term "deepfake" on the site's homepage. Nearly all the videos -- which included graphic and fake depictions of celebrities like Katy Perry, Scarlett Johansson, Daisy Ridley, and Jennifer Lawrence -- had the word "deepfake" prominently mentioned in the title of the video and many of the names of the videos' uploaders contained the word "deepfake." Similarly, a search for "fake deep" returned over 30 of the nonconsensual celebrity videos. Most of the videos surfaced by BuzzFeed News had view counts in the hundreds of thousands -- one video featuring the face of actor Emma Watson garnered over 1 million views. Some accounts posting deepfake videos appeared to have been active for as long as two months and have racked up over 3 million video views. "Content that is flagged on Pornhub that directly violates our Terms of Service is removed as soon as we are made aware of it; this includes non-consensual content," Pornhub said in a statement. "To further ensure the safety of all our fans, we officially took a hard stance against revenge porn, which we believe is a form of sexual assault, and introduced a submission form for the easy removal of non-consensual content." The company also provided a link where users can report any "material that is distributed without the consent of the individuals involved."
Software

Dutch Study Finds Some Video Game Loot Boxes Broke the Law (vice.com) 64

The Netherlands Gaming Authority has published a study it conducted of 10 video games that reward players with loot boxes, packages players can sometimes buy with real money that contain random-in game rewards, and found that 4 of the 10 games it studied violated the Dutch Gaming Act. "It determined that loot boxes are, in general, addictive and that four of the games allowed players to trade items they'd won outside of the game, which means they've got a market value," reports Motherboard. From the report: According to the study, the authorities picked games "based on their popularity on a leading Internet platform that streams videos of games and players." Motherboard has reached out to the Gaming Authority for clarification on both the games it picked (the study doesn't name them) and the method by which it picked them, but did not receive an immediate reply. However, Twitch is the most popular way gamers watch others play and it's a good bet that Twitch is how the Gaming Authority focused its attention. Six of the ten games the Gaming Authority studied aren't in violation of Dutch law. "With these games, there is no opportunity to sell the prizes won outside of the game," the press release said. "This means that the goods have no market value and these loot boxes do not satisfy the definition of a prize in Section 1 of the Betting and Gaming Act."

The four others though offer the opportunity for players to trade items outside of the game and therefore meet the the Netherlands definition of gambling. To come into compliance, those games need to make their loot boxes less interesting to open. The Gaming Authority wants the companies to "remove the addiction-sensitive elements ('almost winning' effects, visual effects, ability to keep opening loot boxes quickly one after the other and suchlike)...and to implement measures to exclude vulnerable groups or to demonstrate that the loot boxes on offer are harmless."

Businesses

SmugMug Buys Flickr, Vows To Revitalize the Photo Service (usatoday.com) 48

On Friday, Silicon Valley photo-sharing and storage company SmugMug announced it had acquired Flickr, the photo-sharing site created in 2004 by Ludicorp and acquired in 2005 by Yahoo. SmugMug CEO Don MacAskill told USA TODAY he's committed to revitalizing the faded social networking site, which hosted photos and videos long before it became trendy. Flickr will reportedly continue to operate separately, and SmugMug and Flickr accounts will "remain separate and independent for the foreseeable future." From the report: He declined to disclose the terms of the deal, which closed this week. "Flickr is an amazing community, full of some of the world's most passionate photographers. It's a fantastic product and a beloved brand, supplying tens of billions of photos to hundreds of millions of people around the world," MacAskill said. "Flickr has survived through thick-and-thin and is core to the entire fabric of the Internet." The surprise deal ends months of uncertainty for Flickr, whose fate had been up in the air since last year when Yahoo was bought by Verizon for $4.5 billion and joined with AOL in Verizon's Oath subsidiary.
Facebook

Silicon Valley Investors Wants to Fund a 'Good For Society' Facebook Replacement (calacanis.com) 198

Silicon Valley angel investor Jason Calacanis just announced the "Openbook Challenge," a competition to create a replacement for Facebook.

"Over the next three months, 20 finalists will compete for seven $100,000 incubator grants," explains long-time Slashdot reader reifman. "Their goal is to find startups with a sustainable business model e.g. subscriptions, reasonable advertising, cryptocurrency. etc. And they want it to be 'good for society.'"

Jason Calacanis writes: All community and social products on the internet have had their era, from AOL to MySpace, and typically they're not shut down by the government -- they're slowly replaced by better products. So, let's start the process of replacing Facebook... We already have two dozen quality teams cranking on projects and we hope to get to 100...

This is not an idea or business plan competition. We're looking for teams that can actually build a better social network, and we'll be judging teams primarily based upon their ability to execute... Keep in mind, that while ideas really matter, Zuckerberg has shown us, execution matters more.

Calacanis has even created a discussion group for the competition...on Facebook. And his announcement includes a famous quote from Mark Zuckerberg.

"Don't be too proud to copy."
Social Networks

Former Reddit Executive Sees 'No Hope' For Reddit (nymag.com) 159

An anonymous reader quotes former Reddit product head Dan McComas: I think, ultimately, the problem that Reddit has is the same as Twitter and Discord. By focusing on growth and growth only and ignoring the problems, they amassed a large set of cultural norms on their platforms. Their cultural norms are different for every community, but they tend to stem from harassment or abuse or bad behavior, and they have worked themselves into a position where they're completely defensive... I really don't believe it's possible for either of them to catch up on the problem. I think the best that they can do is figure out how to hide this behavior from an average user.

I don't see any way that it's going to improve. I have no hope for either of those platforms. I just think that the problems are too ingrained, in not only the site and the site's communities and users but in the general understanding and expectations of the public... I don't think that they're going to be able to turn these things around...

I fundamentally believe that my time at Reddit made the world a worse place. And that sucks, and it sucks to have to say that about myself... I've got a lot of advice for start-ups, and it's not very fucking complicated. It's just: Think about the impact that you want to have on your users and on the people consuming your content and do the right thing... Don't be idiots about it. You're people, you see what's going on, you see trends that are forming, just fucking do something. It's not that hard.

The Internet

Lycos Finally Discontinues Its Free Email Service (lycos.com) 49

Long-time Slashdot reader williamyf writes: You may think of it as the end of an era, or as the final nail in the coffin. Today Lycos, one of the pioneering web portals of the '90s, notified all it's users that "On May 15th, 2018, we will no longer be offering free Lycos Mail accounts." They have been very upfront about the reason:

"Q: Why are you doing this?

A: Providing mailboxes costs us money, and we no longer make enough from ads to support the cost of the mailboxes."


At it's heyday, Lycos was acquired by Terra Networks (a division of Telefonica), then sold to Daum Communications in Korea and then to Ybrant Digital in India. The search engine and other parts (like Angelfire, Tripod and Gamesville) continue working. In the meantime, instructions are provided to download all your mail via POP3 for offline archiving, or to upgrade to Paid Accounts.

Facebook

Facebook Starts Its Facial Recognition Push To Europeans (techcrunch.com) 41

An anonymous reader quotes a report from TechCrunch: Jimmy Nsubuga, a journalist at Metro, is among several European Facebook users who have reported getting notifications asking if they want to turn on face recognition technology. Facebook has previously said an opt-in option would be pushed out to all European users, and also globally, as part of changes to its T&Cs and consent flow. In Europe, the company is hoping to convince users to voluntarily allow it to deploy the privacy-hostile tech -- which was turned off in the bloc after regulatory pressure, back in 2012, when Facebook began using facial recognition to offer features such as automatically tagging users in photo uploads. But under impending changes to its T&Cs -- ostensibly to comply with the EU's incoming GDPR data protection standard -- the company has crafted a manipulative consent flow that tries to sell people on giving it their data; including filling in its own facial recognition blanks by convincing Europeans to agree to it grabbing and using their biometric data after all. Users who choose not to switch on facial recognition still have to click through a "continue" screen before they get to the off switch. On this screen Facebook attempts to convince them to turn it on -- using manipulative examples of how the tech can "protect" them.
The Internet

The 'Terms and Conditions' Reckoning Is Coming (bloomberg.com) 129

Everyone from Uber to PayPal is facing a backlash against their impenetrable legalese. From a report: Personal finance forums online are brimming with complaints from hundreds of PayPal customers who say they've been suspended because they signed up before age 18. PayPal declined to comment on any specific cases, but says it's appropriate to close accounts created by underage people "to ensure our customers have full legal capacity to accept our user agreement." While that may seem "heavy-handed," says Sarah Kenshall, a technology attorney with law firm Burges Salmon, the company is within its rights because the users clicked to agree to the rules -- however difficult the language might be to understand.

Websites have long required users to plow through pages of dense legalese to use their services, knowing that few ever give the documents more than a cursory glance. In 2005 security-software provider PC Pitstop LLC promised a $1,000 prize to the first user to spot the offer deep in its terms and conditions; it took four months before the reward was claimed. The incomprehensibility of user agreements is poised to change as tech giants such as Uber Technologies and Facebook confront pushback for mishandling user information, and the European Union prepares to implement new privacy rules called the General Data Protection Regulation, or GDPR. The measure underscores "the requirement for clear and plain language when explaining consent," British Information Commissioner Elizabeth Denham wrote on her blog last year.

The Internet

Cloudflare: FOSTA Was a 'Very Bad Bill' That's Left the Internet's Infrastructure Hanging (vice.com) 192

Last week, President Donald Trump signed the Fight Online Sex Trafficking Act (FOSTA) into law. It's a bill that penalizes any platform found "facilitating prostitution," and has caused many advocacy groups to come out against the bill, saying that it undermines essential internet freedoms. The most recent entity to decry FOSTA is Cloudflare, which recently decided to terminate its content delivery network services for an alternative, decentralized social media platform called Switter. Motherboard talked to Cloudflare's general counsel, Doug Kramer, about the bill and he said that FOSTA was an ill-consider bill that's now become a dangerous law: "[Terminating service to Switter] is related to our attempts to understand FOSTA, which is a very bad law and a very dangerous precedent," he told me in a phone conversation. "We have been traditionally very open about what we do and our roles as an internet infrastructure company, and the steps we take to both comply with the law and our legal obligations -- but also provide security and protection, let the internet flourish and support our goals of building a better internet." Cloudflare lobbied against FOSTA, Kramer said, urging lawmakers to be more specific about how infrastructure companies like internet service providers, registrars and hosting and security companies like Cloudflare would be impacted. Now, he said, they're trying to figure out how customers like Switter will be affected, and how Cloudflare will be held accountable for them.

"We don't deny at all that we have an obligation to comply with the law," he said. "We tried in this circumstance to get a law that would make sense for infrastructure companies... Congress didn't do the hard work of understanding how the internet works and how this law should be crafted to pursue its goals without unintended consequences. We talked to them about this. A lot of groups did. And it was hard work that they decided not do." He said the company hopes, going forward, that there will be more clarity from lawmakers on how FOSTA is applied to internet infrastructure. But until then, he and others there are having to figure it out along with law enforcement and customers. "Listen, we've been saying this all along and I think people are saying now, this is a very bad law," Kramer said. "We think, for now, it makes the internet a different place and a little less free today as a result. And there's a real-world implication of this that people are just starting to grapple with."

Advertising

German Supreme Court Rules Ad Blockers Legal (faz.net) 132

New submitter paai writes: The publishing company Axel Springer tried to ban the use of ad blockers in Germany because they endanger the digital publishing of news stories. The Oberlandesgericht Koln (Germany's Higher Regional Court of Cologne) followed this reasoning and forbade the use of ad blockers on the grounds that the use of white lists was an aggressive marketing technique. [The business model allows websites to pay a fee so that their "non aggressive" advertisements can bypass AdBlock Pro's filters. Larger companies like Google can afford to pay to have the ban lifted on their website.] The Bundesgerichtshof (Federal Court of Justice or BGH) destroyed this court ruling today and judged that users had a right to filter out advertisements in web pages.
Security

LinkedIn's AutoFill Plugin Could Leak user Data, Secret Fix Failed (techcrunch.com) 24

TechCrunch reports of a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites who pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."
The Internet

4.9% of Websites Use Flash, Down From 28.5% in 2011 (bleepingcomputer.com) 129

Web makers continue to ditch the infamous Flash for other safer, improved technologies. In 2011, more than 28.5 percent of websites used Flash in their code, a figure technology survey site W3Techs estimates to have dropped to 4.9 percent today. BleepingComputer: The number confirms Flash's decline, and a reason why Adobe has decided to retire the technology at the end of 2020. A decline from 28.5 percent to 4.9 percent doesn't look that bad, but we're talking about all Internet sites, not just a small portion of Top 10,000 or Top 1 Million sites. Taking into account the sheer number of abandoned sites on today's Internet, the decline is quite considerable, and W3Techs' findings confirm similar statistics put out by a Google security engineer in February.
EU

Facebook To Put 1.5 Billion Users Out of Reach of New EU Privacy Law (reuters.com) 95

An anonymous reader quotes a report from Facebook: If a new European law restricting what companies can do with people's online data went into effect tomorrow, almost 1.9 billion Facebook users around the world would be protected by it. The online social network is making changes that ensure the number will be much smaller. Facebook members outside the United States and Canada, whether they know it or not, are currently governed by terms of service agreed with the company's international headquarters in Ireland. Next month, Facebook is planning to make that the case for only European users, meaning 1.5 billion members in Africa, Asia, Australia and Latin America will not fall under the European Union's General Data Protection Regulation (GDPR), which takes effect on May 25. That removes a huge potential liability for Facebook, as the new EU law allows for fines of up to 4 percent of global annual revenue for infractions, which in Facebook's case could mean billions of dollars.
Censorship

Google Is Shuttering Domain Fronting, Creating a Big Problem For Anti-Censorship Tools (theverge.com) 59

"The Google App Engine is discontinuing a practice called domain fronting, which lets services use Google's network to get around state-level internet blocks," reports The Verge. While the move makes sense from a cybersecurity perspective as domain fronting is widely used by malware to evade network-based detection, it will likely frustrate app developers who use it to get around internet censorship. From the report: First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon's VPN services. Reached by The Verge, Google said the changes were the result of a long-planned network update. "Domain fronting has never been a supported feature at Google," a company representative said, "but until recently it worked because of a quirk of our software stack. We're constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don't have any plans to offer it as a feature."

Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.
We do not yet know exactly why and when Google is shutting down the practice, but will update this post once we learn more.
Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
The Internet

Russia Admits To Blocking Millions of IP Addresses (sfgate.com) 72

It turns out, the Russian government, in its quest to block Telegram, accidentally shut down several other services as well. From a report: The chief of the Russian communications watchdog acknowledged Wednesday that millions of unrelated IP addresses have been frozen in a so-far futile attempt to block a popular messaging app. Telegram, the messaging app that was ordered to be blocked last week, was still available to users in Russia despite authorities' frantic attempts to hit it by blocking other services. The row erupted after Telegram, which was developed by Russian entrepreneur Pavel Durov, refused to hand its encryption keys to the intelligence agencies. The Russian government insists it needs them to pre-empt extremist attacks but Telegram dismissed the request as a breach of privacy. Alexander Zharov, chief of the Federal Communications Agency, said in an interview with the Izvestia daily published Wednesday that Russia is blocking 18 networks that are used by Amazon and Google and which host sites that they believe Telegram is using to circumvent the ban.

Slashdot Top Deals