Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running the etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers, which can be used to gain access to CMSs, MySQL and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".

World Cities Go Dark For 'Earth Hour' Climate Campaign

An anonymous reader quotes the AFP: Earth Hour, which started in Australia in 2007, is being observed by millions of supporters in 187 countries, who are turning off their lights at 8.30pm local time in what organisers describe as the world's "largest grassroots movement for climate change"... In Paris, the Eiffel Tower plunged into darkness as President Emmanuel Macron urged people to join in and "show you are willing to join the fight for nature". "The time for denial is long past. We are losing not only our battle against climate change, but also our battle against the collapse of biodiversity," he said on Twitter. Moscow's Red Square also fell dark and the Russian section of the International Space Station dipped its lights, the RIA Novosti news agency said... UN Secretary-General Antonio Guterres said the event "comes at a time of huge pressure on people and planet alike. Resources and ecosystems across the world are under assault. Earth hour is an opportunity to show our resolve to change."
Other landmarks "going dark" include the Empire State Building in New York and the Sydney Opera House, as well as the harbour skylines of Hong Kong and Singapore.

Elon Musk Slows Tesla Deliveries On 'Dangerous' Trucks

An anonymous reader quotes Electrek: Tesla is always very busy in Norway, its biggest market per capita, but it has recently been difficult for the automaker to deliver its vehicles as its shipments keep being taken off the road for using transporters with "dangerous" trucks that do not conform to the rules. The California-based automaker generally ships its vehicles to Norway through the port of Drammen, but it is experiencing capacity issues so they are instead going through Gothenburg port and having to use more trucks to move the cars to its stores and service centers.

According to several media reports in Norway, over half a dozen of those trucks have been stopped by the authorities for a variety of safety reasons during inspections, and one of the trucks that wasn't stopped ended up in an accident. Two Model S vehicles were crushed on the trailer involved in the accident. Tesla says that it is having difficulties finding competent transporters that comply with Norway's road requirements. On top of the safety issues, Tesla is also using transporters operating Euro 3 class trucks, which are more polluting.

Elon Musk tweeted in response to the article: "I have just asked our team to slow down deliveries. It is clear that we are exceeding the local logistics capacity due to batch build and delivery. Customer happiness & safety matter more than a few extra cars this quarter."

Tim Berners-Lee Urges Web Users: 'Care About Your Data'

"As the web celebrated its 29th birthday last week, Berners-Lee expressed disappointment with how his invention has turned out," reports MarketWatch. "He criticized Facebook and other tech heavyweights last week, saying they have 'made it possible to weaponize the web at scale.'

"But on Monday, the British computer scientist essentially told Zuck to buck up. 'I would say to him: You can fix it,' Berners-Lee tweeted. 'It won't be easy, but if companies work with governments, activists, academics and web users, we can make sure platforms serve humanity.'"

Tim Berners-Lee writes: This is a serious moment for the web's future. But I want us to remain hopeful. The problems we see today are bugs in the system. Bugs can cause damage, but bugs are created by people, and can be fixed by people.... My message to all web users today is this: I may have invented the web, but you make it what it is. And it's up to all of us to build a web that reflects our hopes & fulfils our dreams more than it magnifies our fears & deepens our divisions... Get involved. Care about your data. It belongs to you.

If we each take a little of the time we spend using the web to fight for the web, I think we'll be ok. Tell companies and your government representatives that your data and the web matter.


William Shatner Criticizes Facebook Hoax Ad Announcing His Death

"William Shatner is alive and well -- in fact, he turned 87 on Thursday, so the actor was not pleased when he saw an ad on Facebook sharing a story about his alleged death," writes the Hollywood Reporter. An anonymous reader quotes People: "@WilliamShatner I thought you might want to know you're dead," a Twitter user wrote, along with a screenshot of the ad. Less than a half hour later, Shatner posted his own message calling out the social media company for spreading the phony news... "Thought you were doing something about this?" he wrote. Several hours after Shatner's tweet, Facebook's director of product management Rob Leathern messaged the actor to let him know that the ad had been removed. "Thank you," Shatner replied. "I'm not planning on dying so please continue to block those kinds of ads..." Fortunately, Shatner's in good company when it comes to celebrity death hoaxes... News of Sylvester Stallone's fake death originally began circulating on Facebook in 2016.
In late 2016 Mark Zuckerberg posted that "We take misinformation seriously..." while adding that "we know people want accurate information. We've been working on this problem for a long time and we take this responsibility seriously." Ironically, that announcement appeared next to a similar fake ad announcing that Hugh Hefner was dead, though at the time Hefner was very much alive.

"We've made significant progress," Zuckerberg's post continued, "but there is more work to be done."

Dropbox IPOs. Its Founders Are Now Billionaires

Yesterday Dropbox finally launched its stock on NASDAQ. Reuters reports: Dropbox Inc's shares closed at $28.42, up more than 35 percent in their first day of trading on Friday, as investors rushed to buy into the biggest technology initial public offering in more than a year even as the wider sector languished... At the stock's opening price, Dropbox had a market valuation of $12.67 billion, well above the $10 billion valuation it had in its last private funding round... It has yet to turn a profit, which is common for startups that invest heavily in growth. As a public company Dropbox will be under pressure to quickly trim its losses. The 11-year old company reported revenue of $1.11 billion in 2017, up from $844.8 million a year earlier. Its net loss nearly halved from $210.2 million in 2016.
CNBC reports that Y Combinator almost passed on a chance to invest in Dropbox -- which became its first IPO ever -- "because it had misgivings about bringing on a solo entrepreneur." After Drew Houston, the creator of Dropbox, scrambled to find a co-founder in time for his in-person interview, the company was admitted into YC in 2007. Four years later, venture capitalists poured money into Dropbox at a $4 billion valuation. YC has since become a power player in Silicon Valley, helping spawn numerous companies valued at over $1 billion today including Stripe, Airbnb, Instacart and Coinbase. It also backed Twitch, which Amazon acquired in 2014 for about $970 million, and the self-driving tech start-up Cruise, which GM bought in 2016 for over $1 billion. But in its 13-year history, YC had yet to see any of its companies go public until Dropbox's stock market debut on Friday...

Houston is now worth over $3 billion and co-founder Arash Ferdowsi owns shares valued at more than $1 billion.

Dropbox's Twitter feed posted a video from their NASDAQ debut, adding "We're so thankful for the 500 million registered users who helped us get here."

'What's Facebook?', Elon Musk Asks, As He Deletes SpaceX and Tesla Facebook Pages

It is unlikely that Facebook will see a significant drop in its mammoth userbase following the Cambridge Analytica scandal. But on Friday, the #DeleteFacebook campaign, which is seeing an increasingly growing number of people call it quits on the world's largest social network, found its biggest backer: Elon Musk. Responding to WhatsApp co-founder Brian Acton's "#DeleteFacebook" tweet, Musk asked "What's Facebook?" That was the beginning of a tweetstorm, which saw journalists asking Musk why his companies -- SpaceX and Tesla -- maintained their Facebook pages. Shouldn't Musk, they asked, delete them? Musk agreed. As of this writing, the official Facebook pages of SpaceX and Tesla, both of which had more than two million followers, are nowhere to be found. The Facebook page of SolarCity is gone too, if you were wondering.

The move comes months after Musk said Zuckerberg's understanding of AI was limited.

Atlanta City Government Systems Down Due To Ransomware Attack

An anonymous reader quotes a report from Ars Technica: The city of Atlanta government has apparently become the victim of a ransomware attack. The city's official Twitter account announced that the city government "is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information." According to a report from Atlanta NBC affiliate WXIA, a city employee sent the station a screen shot of a ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees received emails from the city's information technology department instructing them to unplug their computers if they noticed anything suspicious. An internal email shared with WXIA said that the internal systems affected include the city's payroll application. "At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue," a city spokesperson told Ars. "We are confident that our team of technology professionals will be able to restore applications soon." The city's primary website remains online, and the city government will continue to post updates there, the spokesperson added.

Mark Zuckerberg Apologizes For the Cambridge Analytica Scandal, Says He Isn't Opposed To Regulation

An anonymous reader quotes a report from The Verge: Mark Zuckerberg apologized on Wednesday evening for his company's handling of the Cambridge Analytica privacy scandal. "This was a major breach of trust and I'm really sorry this happened," he said in an interview on CNN. "Our responsibility now is to make sure this doesn't happen again." Zuckerberg's comments reflected the first time he apologized following an uproar over how Facebook allowed third-party developers to access user data. Earlier in the day, Zuckerberg wrote a Facebook post in which he said the company had made mistakes in its handling of the Cambridge Analytica data revelations. The company laid out a multipart plan designed to reduce the amount of data shared by users with outside developers, and said it would audit some developers who had access to large troves of data before earlier restrictions were implemented in 2014. Zuckerberg also told CNN that he is not totally opposed to regulation. "I'm not sure we shouldn't be regulated," he said. "There are things like ad transparency regulation that I would love to see."

Other highlights of Zuckerberg's interviews:
-He told multiple outlets that he would be willing to testify before Congress.
-He said the company would notify everyone whose data was improperly used.
-He told the New York Times that Facebook would double its security force this year, adding: "We'll have more than 20,000 people working on security and community operations by the end of the year, I think we have about 15,000 now."
-He told the Times that Facebook would investigate "thousands" of apps to determine whether they had abused their access to user data.

Regarding moderation, Zuckerberg told Recode: "[The] thing is like, 'Where's the line on hate speech?' I mean, who chose me to be the person that did that?" Zuckerberg said. "I guess I have to, because of where we are now, but I'd rather not."

A 15-Year-Old Hacked the Secure Ledger Crypto Wallet

An anonymous reader quotes a report from TechCrunch: A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a "supply chain attack" -- meaning a hack that could compromise the device before it was shipped to the customer -- and another attack that could allow a hacker to steal private keys after the device was initialized. The Ledger team described the vulnerabilities as dangerous but avoidable. For the "supply chain attack," they wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller." "If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised," wrote the team.

Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability affecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed at which Ledger responded to his claims.


Twitter CEO Says Bitcoin Will Be the World's 'Single Currency' In 10 Years

In a recent interview with The Times, Twitter and Square CEO Jack Dorsey said he believes that bitcoin will become the world's single currency within 10 years. "The world ultimately will have a single currency, the internet will have a single currency," said Dorsey. "I personally believe that it will be bitcoin." Dorsey went on to say that the transition would happen "probably over ten years, but it could go faster." The Verge reports: That Dorsey is a fan of bitcoin isn't too surprising, though. In addition to serving as the CEO of Twitter, Dorsey is also the CEO of Square, which recently added the option to buy and sell Bitcoin directly from the Square Cash app. The company also released an illustrated children's story touting the benefits of the digital currency. As for Dorsey himself, he's gone on the record in an interview with The Verge's own Lauren Goode about the benefits of bitcoin as a currency, describing it as the "next big unlock" for the world of finance. (Dorsey owns an unspecified amount of the cryptocurrency.)

WhatsApp Co-Founder Tells Everyone To Delete Facebook, Further Fueling the #DeleteFacebook Movement

"In 2014, Facebook bought WhatsApp for $16 billion, making its co-founders -- Jan Koum and Brian Acton -- very wealthy men," reports The Verge. "Koum continues to lead the company, but Acton quit earlier this year to start his own foundation." Today, Acton told his followers on Twitter to delete Facebook. From the report: "It is time," Acton wrote, adding the hashtag #deletefacebook. Acton, who is worth $6.5 billion, did not immediately respond to a request for comment. Nor did Facebook and WhatsApp. It was unclear whether Acton's feelings about Facebook extend to his own app. But last month, Acton invested $50 million into Signal, an independent alternative to WhatsApp. The tweet came after a bruising five-day period for Facebook that has seen regulators swarm and its stock price plunge following concerns over data privacy in the wake of revelations about Cambridge Analytica's misuse of user data. Acton isn't the only one taking to Twitter to announce their breakup with Facebook. The #DeleteFacebook movement is gaining steam following the New York Times' report about how the data of 50 million users had been unknowingly leaked and purchased to aid President Trump's successful 2016 bid for the presidency. For many users, the news "highlighted the danger of Facebook housing the personal information of billions of users," reports SFGate. "And even before the Cambridge Analytica news, Facebook has been grappling with its waning popularity in the U.S. The company lost 1 million domestic users last quarter -- its first quarterly drop in daily users."

Sierra Leone Government Denies the Role of Blockchain In Its Recent Election

The National Electoral Commission Sierra Leone is denying the news that theirs was one of the first elections recorded to the blockchain. "While the blockchain voting company Agora claimed to have run the first blockchain-based election, it appears that the company did little more than observe the voting and store some of the results," reports TechCrunch. From the report: "The NEC [National Electoral Commission] has not used and is not using blockchain technology in any part of the electoral process," said NEC head Mohamed Conteh. Why he is adamant about this fact is unclear -- questions I asked went unanswered -- but he and his team have created a set of machine readable election results and posted [a] clarification. "Anonymized votes/ballots are being recorded on Agora's blockchain, which will be publicly available for any interested party to review, count and validate," said Agora's Leonardo Gammar. "This is the first time a government election is using blockchain technology." In Africa the reactions were mixed. "It would be like me showing up to the UK election with my computer and saying, 'let me enter your counting room, let me plug-in and count your results,'" said Morris Marah to RFI. "Agora's results for the two districts they tallied differed considerably from the official results, according to an analysis of the two sets of statistics carried out by RFI," wrote RFI's Daniel Finnan.

Twitter Will Ban Most Cryptocurrency-Related Ads

An anonymous reader writes: Twitter plans to ban most cryptocurrency-related ads in the next few weeks, as Sky News first reported and a source confirms to Axios. Why it matters: The recent boom in cryptocurrencies and digital tokens has unsurprisingly attracted some fraudsters. Twitter is following in the footsteps of Facebook and Google, though it's been having its own problems with accounts promoting scams.

Hackers Are So Fed Up With Twitter Bots They're Hunting Them Down Themselves

An anonymous reader writes: Even if Twitter hasn't invested much in anti-bot software, some of its most technically proficient users have. They're writing and refining code that can use Twitter's public application programming interface, or API, as well as Google and other online interfaces, to ferret out fake accounts and bad actors. The effort, at least among the researchers I spoke with, has begun with hunting bots designed to promote pornographic material -- a type of fake account that is particularly easy to spot -- but the plan is to eventually broaden the hunt to other types of bots. The bot-hunting programming and research has been a strictly volunteer, part-time endeavor, but the efforts have collectively identified tens of thousands of fake accounts, underlining just how much low-hanging fruit remains for Twitter to prune.

Among the part-time bot-hunters is French security researcher and freelance Android developer Baptiste Robert, who in February of this year noticed that Twitter accounts with profile photos of scantily clad women were liking his tweets or following him on Twitter. Aside from the sexually suggestive images, the bots had similarities. Not only did these Twitter accounts typically include profile photos of adult actresses, but they also had similar bios, followed similar accounts, liked more tweets than they retweeted, had fewer than 1,000 followers, and directed readers to click the link in their bios.


Ghana's Windows Blackboard Teacher And His Students Have a Rewarding Outcome

Quartz: A lot has changed in the life of Richard Appiah Akoto in the fortnight since he posted photos of himself on Facebook drawing a Microsoft Word processing window on a blackboard with multi-colored chalk, to teach his students about computers -- which the school did not have. The photos went viral on social media and media stories like Quartz's went all around the world. Akoto, 33, is the information and communication technology (ICT) teacher at Betenase M/A Junior High School in the town of Sekyedomase, about a two-and-a-half-hour drive north of Ghana's second city, Kumasi. The school had no computers even though since 2011, 14 and 15-year-olds in Ghana are expected to write and pass a national exam (without which students cannot progress to high school) with ICT being one of the subjects.

The story of the school and Twitter pressure from prominent players in the African tech space drew a promise from Microsoft to "equip [Akoto] with a device from one of our partners, and access to our MCE program & free professional development resources on." To fulfill this promise, the technology giant flew Akoto to Singapore this week where he is participating in the annual Microsoft Education Exchange.


Facebook and Its Executives Are Getting Destroyed After Botching the Handling of a Massive Data Breach

The way Facebook has disclosed the abuse of its system by Cambridge Analytica, which has been reported this week, speaks volumes of Facebook's core beliefs. Sample this excerpt from Business Insider: Facebook executives waded into a firestorm of criticism on Saturday, after news reports revealed that a data firm with ties to the Trump campaign harvested private information from millions of Facebook users. Several executives took to Twitter to insist that the data leak was not technically a "breach." But critics were outraged by the response and accused the company of playing semantics and missing the point. Washington Post reporter Hamza Shaban: Facebook insists that the Cambridge Analytica debacle wasn't a data breach, but a "violation" by a third party app that abused user data. This offloading of responsibility says a lot about Facebook's approach to our privacy. Observer reporter Carole Cadwalladr, who broke the news about Cambridge Analytica: Yesterday Facebook threatened to sue us. Today we publish this. Meet the whistleblower blowing the lid off Facebook and Cambridge Analytica. [...] Facebook's chief strategy officer wading in. So, tell us @alexstamos (who expressed his displeasure with the use of "breach" in media reports) why didn't you inform users of this "non-breach" after The Guardian first reported the story in December 2015? Zeynep Tufekci: If your business is building a massive surveillance machinery, the data will eventually be used and misused. Hacked, breached, leaked, pilfered, conned, "targeted", "engaged", "profiled", sold.. There is no informed consent because it's not possible to reasonably inform or consent. [...] Facebook's defense that Cambridge Analytica harvesting of FB user data from millions is not technically a "breach" is a more profound and damning statement of what's wrong with Facebook's business model than a "breach."
MIT Professor Dean Eckles: Definitely fascinating that Joseph Chancellor, who contributed to collection and contract-violating retention (?) of Facebook user data, now works for Facebook. Amir Efrati, a reporter at the Information: May seem like a small thing to non-reporters but Facebook loses credibility by issuing a Friday night press release to "front-run" publications that were set to publish negative articles about its platform. If you want us to become more suspicious, mission accomplished. Further reading: Facebook's latest privacy debacle stirs up more regulatory interest from lawmakers (TechCrunch).

Apple's Newest iPhone X Ad Captures an Embarrassing iOS 11 Bug

Tom Warren, writing for The Verge: If you blink during Apple's latest iPhone ad, you might miss a weird little animation bug. It's right at the end of a slickly produced commercial, where the text from an iMessage escapes the animated bubble it's supposed to stay inside. It's a minor issue and easy to brush off, but the fact it's captured in such a high profile ad just further highlights Apple's many bugs in iOS 11. 9to5Mac writer Benjamin Mayo spotted the bug in Apple's latest ad, and he's clearly surprised "that this was signed off for the commercial," especially as he highlighted it months ago and has filed a bug report with Apple.

Facebook Says It is Sorry For Suggesting Child Sex Videos in Search

Facebook issued an apology on Friday after offensive terms appeared in the social network's search predictions late Thursday. From a report: When users typed "videos of" into the search bar, Facebook prompted them to search phrases including "videos of sexuals," "videos of girl sucking dick under water" and, perhaps most disturbingly, "video of little girl giving oral." Shocked users reported the problem on Twitter, posting screenshots of the search terms, which also included multiple suggestions relating to the school shooting in Florida last month. The social network appeared to have fixed the problem by Friday morning.

Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup, claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator, doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
