A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.
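As an added illustration, not from the ZDNet report and not FuturePets' actual configuration: a constructed rsyncd.conf with a module exposed the way the story describes (no user, no password, listable by anyone who can reach the port) beside the same module restricted to a named user, a secrets file and a single allowed host.

```ini
# /etc/rsyncd.conf  (constructed example; module names, paths, user and
# host address are assumptions, not values from the report)

# --- exposed: the daemon accepts every connection on TCP 873 ---
# No "auth users" or "secrets file", so no credentials are required.
# No "hosts allow", so any source address may connect.
# "list = yes" lets anyone enumerate the module with "rsync host::".
[customers-open]
    path = /srv/backup/customers
    comment = customer database export
    read only = yes
    list = yes

# --- restricted: same data, only a named user from a known host ---
# The secrets file holds lines of "user:password", must be owned by root
# and not readable by others (rsync refuses it otherwise when strict
# modes is on, which is the default).
[customers]
    path = /srv/backup/customers
    comment = customer database export
    read only = yes
    list = no
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.10
    hosts deny = *
    use chroot = yes
    uid = rsyncbackup
    gid = rsyncbackup
```

Daemon-mode rsync authenticates with a challenge-response handshake but does not encrypt the transfer, so the restricted module still belongs behind SSH or a VPN rather than on a public interface.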
An anonymous reader shares a report: The "Internet of Things" (IoT) category is starting to mature in terms of startup investments, according to a new report from Silicon Valley venture capital firm Wing. Like any other trendy area of tech, IoT is in the midst of its own hype cycle, so it's important to get a more detailed picture of how the money is flowing.
Tim Wu, a law professor at Columbia University, and best known for coining the term "net neutrality," has published an open letter to Tim Berners-Lee, the creator of the web and director of the World Wide Web Consortium (W3C). In the letter, Wu has asked Berners-Lee to "seriously consider extending a protective covenant to legitimate circumventers who have cause to bypass EME, should it emerge as a W3C standard." Cory Doctorow writes for BoingBoing: But Wu goes on to draw a connection between the problems of DRM and the problems of network discrimination: DRM is wrapped up in a layer of legal entanglements (notably section 1201 of America's Digital Millennium Copyright Act), which allow similar kinds of anticompetitive and ugly practices that make net neutrality so important. This is a live issue, too, because the W3C just held the most contentious vote in its decades-long history, on whether to publish a DRM standard for the web without any of the proposed legal protections for companies that create the kinds of competing products and services that the law permits, except when DRM is involved. As Wu points out, this sets up a situation where the incumbents get to create monopolies that produce the same problems for the open web that network neutrality advocates -- like Berners-Lee -- worry about.
A group of more than 800 startups has sent a letter to the FCC chairman Ajit Pai saying they are "deeply concerned" about his decision to kill net neutrality -- reversing the Title II classification of internet service providers. The group, which includes Y Combinator, Etsy, Foursquare, GitHub, Imgur, Nextdoor, and Warby Parker, added that the decision could end up shutting down their businesses. They add, via an article on The Verge: "The success of America's startup ecosystem depends on more than improved broadband speeds. We also depend on an open Internet -- including enforceable net neutrality rules that ensure big cable companies can't discriminate against people like us. We're deeply concerned with your intention to undo the existing legal framework. Without net neutrality, the incumbents who provide access to the Internet would be able to pick winners or losers in the market. They could impede traffic from our services in order to favor their own services or established competitors. Or they could impose new tolls on us, inhibiting consumer choice. [...] Our companies should be able to compete with incumbents on the quality of our products and services, not our capacity to pay tolls to Internet access providers."
AT&T announced plans to deliver what it's calling the "5G Evolution" network to more than 20 markets by the end of the year. While the company is "using some wordsmithing to deliver to you faster internet speeds," it's important to note that this is not actually a real 5G network. Yahoo reports: 5G still has years of development and testing before it will be rolled out across the U.S. So don't let AT&T's use of "5G" make you think that the next-generation wireless standard has arrived. In reality, the 5G AT&T is talking about is a bumped-up version of its 4G LTE to help it bridge the gap until the real 5G, with its ultra-fast speeds and better bandwidth, is rolled out. It's also important to note that AT&T won't offer its 5G Evolution technology to all of its customers initially. In fact, it's currently only available in Austin, TX, and the company plans to extend it to Atlanta, Boston, Chicago, Los Angeles, and other big markets in the coming months. If you're in a smaller metro market, you'll be out of luck. Perhaps the biggest limitation, and the reason few people will likely have the chance to actually use the 5G Evolution, is that AT&T is restricting it to select devices -- specifically, the Samsung Galaxy S8 and S8+. While that's great if you have one of those particular phones in one of the specific cities where AT&T's faster service exists, it's not so great if you're using another device.
Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.
New submitter happyfeet2000 quotes a report from TorrentFreak: Broad pirate sites blockades are disproportional, Mexico's Supreme Court of Justice has ruled. The government can't order ISPs to block websites that link to copyright-infringing material because that would also restrict access to legitimate content and violate the public's freedom of expression. The ruling is a win for local ISP Alestra, which successfully protested the government's blocking efforts. Alestra was ordered to block access to the website mymusiic.com by the government's Mexican Institute of Industrial Property (IMPI). The website targeted a Mexican audience and offered music downloads, some of which were shared without permission. "The ISP was not pleased with the order and appealed it in court," reports TorrentFreak. "Among other things, the defense argued that the order was too broad, as it also restricted access to music that might not be infringing." The Supreme Court of Justice of the Nation heard the case and ruled that the government's order is indeed disproportional.
An anonymous reader quotes a report from The Verge: The Federal Communications Commission is cracking open the net neutrality debate again with a proposal to undo the 2015 rules that implemented net neutrality with Title II classification. FCC chairman Ajit Pai called the rules "heavy handed" and said their implementation was "all about politics." He argued that they hurt investment and said that small internet providers don't have "the means or the margins" to withstand the regulatory onslaught. "Earlier today I shared with my fellow commissioners a proposal to reverse the mistake of Title II and return to the light touch framework that served us so well during the Clinton administration, Bush administration, and first six years of the Obama administration," Pai said today. His proposal will do three things: first, it'll reclassify internet providers as Title I information services; second, it'll prevent the FCC from adapting any net neutrality rules to practices that internet providers haven't thought up yet; and third, it'll open questions about what to do with several key net neutrality rules -- like no blocking or throttling of apps and websites -- that were implemented in 2015. Pai will publish the full text of his proposal tomorrow, and it will be voted on by the FCC on May 18th.
An anonymous reader quotes a report from Ars Technica: It's been more than five years since the government accused Megaupload and its founder Kim Dotcom of criminal copyright infringement. While Dotcom himself was arrested in New Zealand, U.S. government agents executed search warrants and grabbed a group of more than 1,000 servers owned by Carpathia Hosting. That meant that a lot of users with gigabytes of perfectly legal content lost access to it. Two months after the Dotcom raid and arrest, the Electronic Frontier Foundation filed a motion in court asking to get back data belonging to one of those users, Kyle Goodwin, whom the EFF took on as a client. Years have passed. The U.S. criminal prosecution of Dotcom and other Megaupload executives is on hold while New Zealand continues with years of extradition hearings. Meanwhile, Carpathia's servers were powered down and are kept in storage by QTS Realty Trust, which acquired Carpathia in 2015. Now the EFF has taken the extraordinary step of asking an appeals court to step in and effectively force the hand of the district court judge. Yesterday, Goodwin's lawyers filed a petition for a writ of mandamus (PDF) with the U.S. Court of Appeals for the 4th Circuit, which oversees Virginia federal courts. "We've been asking the court for help since 2012," said EFF attorney Mitch Stolz in a statement about the petition. "It's deeply unfair for him to still be in limbo after all this time."
An anonymous reader writes from a report via Bleeping Computer: Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month, on April 10. The attack, which the company claimed was a "malicious hacking event," was the work of BrickerBot, an IoT malware family that bricks unsecured IoT and networking devices. "BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity." The crook, going by Janit0r, tried to pin some of the blame on Mirai, but all the clues point to BrickerBot, as Sierra Tel had to replace bricked modems altogether, or ask customers to bring their modems in to its offices to have them reset and reinstalled. Mirai brought down over 900,000 Deutsche Telekom modems last year, but that outage was fixed within hours with a firmware update. All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.
An anonymous reader quotes a report from TechCrunch: Facebook wants you to think about whether a headline is true and see other perspectives on the topic before you even read the article. In its next step against fake news, Facebook today begins testing a different version of its Related Articles widget that normally appears when you return to the News Feed after opening a link. Now Facebook will also show Related Articles including third-party fact checkers before you read an article about a topic that many people are discussing. If you saw a link saying "Chocolate cures cancer!" from a little-known blog, the Related Article box might appear before you click to show links from the New York Times or a medical journal noting that while chocolate has antioxidants that can lower your risk for cancer, it's not a cure. If an outside fact checker like Snopes had debunked the original post, that could appear in Related Articles too. Facebook says this is just a test, so it won't necessarily roll out to everyone unless it proves useful. It notes that Facebook Pages should not see a significant change in the reach of their News Feed posts. There will be no ads surfaced in Related Articles.
According to a new study from UC Berkeley's Haas Institute for a Fair and Inclusive Society, AT&T has been focused on deploying fiber-to-the-home in the higher-income neighborhoods of California, giving wealthy people access to gigabit internet while others are stuck with DSL internet that doesn't even meet state and federal broadband standards. Ars Technica reports: California households with access to AT&T's fiber service have a median income of $94,208, according to "AT&T's Digital Divide in California," in which the Haas Institute analyzed Federal Communications Commission data from June 2016. The study was funded by the Communications Workers of America, an AT&T workers' union that's been involved in contentious negotiations with the company. By contrast, the median household income is $53,186 in California neighborhoods where AT&T provides only DSL, with download speeds typically ranging from 768kbps to 6Mbps. At the low end, that's less than 1 percent of the gigabit speeds offered by AT&T's fiber service. The median income in areas with U-verse VDSL, which ranges from 12Mbps to 75Mbps, is $67,021. In 4.1 million California households, representing 42.8 percent of AT&T's California service area, AT&T's fastest speeds fell short of the federal broadband definition of 25Mbps downloads and 3Mbps uploads, the report said.
Jimmy Wales, a founder of Wikipedia, is launching a new online publication which will aim to fight fake news by pairing professional journalists with an army of volunteer community contributors. The news site is called Wikitribune. From a report: "We want to make sure that you read fact-based articles that have a real impact in both local and global events," the publication's website states. The site will publish news stories written by professional journalists. But in a page borrowed from Wikipedia, internet users will be able to propose factual corrections and additions. The changes will be reviewed by volunteer fact checkers. Wikitribune says it will be transparent about its sources. It will post the full transcripts of interviews, as well as video and audio, "to the maximum extent possible." The language used will be "factual and neutral."
Vindu Goel, reporting for the NYTimes: Yahoo shareholders will vote June 8 on whether to sell the company's internet businesses to Verizon Communications for $4.48 billion. A yes vote, which is widely expected, would end Marissa Mayer's largely unsuccessful five-year effort to restore the internet pioneer to greatness. But Ms. Mayer, the company's chief executive, will be well compensated for her failure. Her Yahoo stock, stock options and restricted stock units are worth a total of $186 million, based on Monday's stock price of $48.15, according to data filed on Monday in the documents sent to shareholders about the Verizon deal. That compensation, which will be fully vested at the time of the shareholder vote, does not include her salary and bonuses over the past five years, or the value of other stock that Ms. Mayer has already sold. All told, her time at Yahoo will have netted her well over $200 million, according to calculations based on company filings.
An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount attacks at a much faster rate -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.
Thelasko shares an excerpt from a report via The Atlantic, which describes how price discrimination is used in online shopping and how businesses like Amazon try to extract consumer surplus: Will you pay more for those shoes before 7 p.m.? Would the price tag be different if you lived in the suburbs? Standard prices and simple discounts are giving way to far more exotic strategies, designed to extract every last dollar from the consumer. We live in the age of the variable airfare, the surge-priced ride, the pay-what-you-want Radiohead album, and other novel price developments. But what was this? Some weird computer glitch? More like a deliberate glitch, it seems. "It's most likely a strategy to get more data and test the right price," Guru Hariharan explained, after I had sketched the pattern on a whiteboard. The right price -- the one that will extract the most profit from consumers' wallets -- has become the fixation of a large and growing number of quantitative types, many of them economists who have left academia for Silicon Valley. It's also the preoccupation of Boomerang Commerce, a five-year-old start-up founded by Hariharan, an Amazon alum. He says these sorts of price experiments have become a routine part of finding that right price -- and refinding it, because the right price can change by the day or even by the hour. (Amazon says its price changes are not attempts to gather data on customers' spending habits, but rather to give shoppers the lowest price out there.)
An anonymous reader quotes a report from TechCrunch: Uber has another lawsuit on its hands. This time, it's about Uber's alleged use of a program called "Hell." The plaintiff, Michael Gonzales, drove for Lyft during the time Uber allegedly used the software. He's seeking $5 million in a class action lawsuit. As the story goes, Uber allegedly tracked Lyft drivers using a secret software program internally referred to as "Hell." It allegedly let Uber see how many Lyft drivers were available to give rides, and what their prices were. Hell could allegedly also determine if people were driving for both Uber and Lyft. The lawsuit, filed in the U.S. District Court for the Northern District of California, alleges Uber broadly invaded the privacy of the Lyft drivers, specifically violated the California Invasion of Privacy Act and Federal Wiretap Act and engaged in unfair competition. Uber has not confirmed nor outright denied the claims.
msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.
An anonymous reader quotes a report from Ars Technica: Verizon is now selling what it calls "FiOS Gigabit Connection" for $69.99 a month in a change that boosts top broadband speeds and makes lower prices available to many Internet subscribers. Actual bandwidth will be a bit lower than a gigabit per second, with "downloads as fast as 940Mbps and uploads as fast as 880Mbps," Verizon's announcement today said. The gigabit service is available in most of Verizon's FiOS territory, specifically to "over 8 million homes in parts of the New York, New Jersey, Philadelphia, Richmond, Va., Hampton Roads, Va., Boston, Providence and Washington, D.C. areas," Verizon said. Just three months ago, Verizon boosted its top speeds from 500Mbps to 750Mbps. The standalone 750Mbps Internet service cost $150 a month, more than twice the price of the new gigabit tier. Existing customers who bought that 750Mbps plan "will automatically receive FiOS Gigabit Connection and will see their bills lowered," Verizon said. It's not clear whether they will get their price lowered all the way to $70. It's important to note that the $70 price is only available to new customers, and it's a promotional rate that will "increase after promo period." Additionally, Verizon will charge you a $10 per month router charge unless you pay $150 for the Verizon router, plus other taxes and fees.
Reader BrianFagioli writes: Today, The Linux Foundation launches the open source EdgeX Foundry -- an attempt to unify and simplify the Internet of Things. The Linux Foundation says, "EdgeX Foundry is unifying the marketplace around a common open framework and building an ecosystem of companies offering interoperable plug-and-play components. Designed to run on any hardware or operating system and with any combination of application environments, EdgeX can quickly and easily deliver interoperability between connected devices, applications, and services, across a wide range of use cases. Interoperability between community-developed software will be maintained through a certification program."