STE WILLIAMS

We’re ‘heartbroken’ we got caught selling your email records to Uber, says Unroll.me boss

Jojo Hedaya, the CEO of email summarizer Unroll.me, has apologized to his users for not telling them clearly enough that they are the product, not his website.

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.

Not a great look. So in a blog post Sunday, Hedaya apologized – not for actually selling off the contents of users’ inboxes, but for upsetting people when they found out.

“Our users are the heart of our company and service. So it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service,” he said. “And while we try our best to be open about our business model, recent customer feedback tells me we weren’t explicit enough.”

Hedaya didn’t apologize for selling the data, which he said was all legitimate and above board. If users had bothered to go through the 5,000 words that make up the app’s terms and conditions and privacy policy, they would have seen the legalese that allows such practices.

However, not everyone reads the small print, Hedaya lamented, saying he was very bad at it himself. So the company is going to be clearer about how it sells its users’ information, he promised. Based on the comments so far, those users aren’t impressed.

“What a load of hand-in-the-cookie-jar bullshit this is,” remarked one comment poster on Hedaya’s blog, echoing the tone of many others furious that they’ve been screwed over by a tool they trusted. Unroll.me once billed itself as a privacy application.

“Your entire service – your entire reason for existence, as far as your cherished customers see it – exists solely, wholly for the purposes of reclaiming privacy and inbox peace and quiet. Yes, I bet it is heartbreaking that this information got out this way.”

Do yourself a favor and immediately stop using it. Don’t give third parties access to your inboxes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/24/unrollme_caught_selling_email_to_uber/

Alert: If you’re running SquirrelMail, Sendmail… why? And oh yeah, remote code vuln found

Security researchers have uncovered a critical security hole in SquirrelMail, the open-source webmail project.

Filippo Cavallarin and Dawid Golunski independently discovered a remote code execution hole in SquirrelMail version 1.4.22 and likely prior. That’s the latest version, by the way, and is dated July 2011.

The bug is a classic failure to sanitize user input, a shortcoming that makes it possible for authenticated attackers to execute arbitrary and malicious shell commands on a remote server running the vulnerable webmail software. The programming blunder is exploitable only in cases where SquirrelMail has been configured with Sendmail as the main transport.

Cavallarin went public with the bug, along with proof-of-concept exploit code, last week in a post to the Full Disclosure mailing list.

In response, Golunski – who had independently discovered the same vulnerability – went public with his own advisory about the same problem on Saturday. He said he reported the vulnerability to SquirrelMail at the start of the year, and was allocated CVE-2017-5181 for the as-yet unresolved flaw.

As a temporary workaround, users can configure their systems to not use Sendmail, Golunski recommends.
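The workaround turns on one switch: SquirrelMail's `$useSendmail` in config/config.php chooses between piping mail to `$sendmail_path` and speaking SMTP to `$smtpServerAddress`. As an added example (not code from the article or from SquirrelMail), here is a small audit that reads a config fragment and reports whether the Sendmail transport the advisory applies to is enabled, with a constructed "before" and "after" config so it runs offline.

```python
import re

# Constructed config/config.php fragments (not taken from any real deployment).
# SquirrelMail selects its outbound transport with the $useSendmail switch:
# true pipes mail through $sendmail_path, false speaks SMTP to $smtpServerAddress.
SENDMAIL_CONFIG = """<?php
$org_name = "Example Org";
$useSendmail = true;
$sendmail_path = '/usr/sbin/sendmail';
$smtpServerAddress = 'localhost';
$smtpPort = 25;
"""

# The mitigated form: same file with the transport switched to SMTP.
SMTP_CONFIG = SENDMAIL_CONFIG.replace("$useSendmail = true;", "$useSendmail = false;")

# Matches one top-level PHP scalar assignment per line: $name = value;  // optional comment
_ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*;\s*(?://.*|#.*)?$', re.MULTILINE)


def parse_php_scalars(text):
    """Return {name: value} for simple scalar assignments in a config.php fragment.

    Booleans, integers and single/double-quoted strings are converted; anything
    else (arrays, expressions) is kept as its raw source text.
    """
    values = {}
    for name, raw in _ASSIGN.findall(text):
        low = raw.lower()
        if low in ("true", "false"):
            values[name] = low == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            values[name] = raw[1:-1]
        elif re.fullmatch(r"-?\d+", raw):
            values[name] = int(raw)
        else:
            values[name] = raw
    return values


def audit_transport(config_text):
    """Report which transport a SquirrelMail config uses and whether the
    Sendmail code path that CVE-2017-5181 concerns is reachable."""
    cfg = parse_php_scalars(config_text)
    use_sendmail = cfg.get("useSendmail", False)  # SquirrelMail's shipped default is false
    if use_sendmail is True:
        return {
            "transport": "sendmail",
            "path": cfg.get("sendmail_path"),
            "sendmail_path_reachable": True,
            "action": "set $useSendmail = false and deliver via SMTP until a fixed release ships",
        }
    return {
        "transport": "smtp",
        "server": cfg.get("smtpServerAddress"),
        "port": cfg.get("smtpPort"),
        "sendmail_path_reachable": False,
        "action": "no change needed for this advisory",
    }


if __name__ == "__main__":
    for label, text in (("before", SENDMAIL_CONFIG), ("after", SMTP_CONFIG)):
        print(label, audit_transport(text))
```

Point it at a real config/config.php by reading the file into `audit_transport`; the parser only handles simple scalar lines, so arrays and computed values come back as raw text.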

El Reg asked the SquirrelMail team to comment on the reported vulnerability: they were not immediately available to respond. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/24/squirrelmail_vuln/

Northrop Grumman can make a stealth bomber – but can’t protect its workers’ W-2 tax forms

Northrop Grumman has admitted its Equifax-powered internal portal was hacked, exposing employees’ sensitive tax records to miscreants.

In a letter [PDF] to workers and the California Attorney General’s office, the aerospace contractor said that between April 18, 2016 and March 29, 2017, crooks infiltrated the website, allowing them to access staffers’ W-2 paperwork for the 2016 tax year.

These W-2 forms can be used by identity thieves to claim tax rebates owed to employees, allowing the crims to pocket victims’ money. The corp sent out its warning letters on April 18, the last day to file 2016 tax returns.

“The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal,” the contractor told its employees.

The Stealth Bomber maker says it will provide all of the exposed workers with three years of free identity-theft monitoring services. Northrop Grumman has also disabled access to the W-2 portal through any method other than its internal single sign-on tool.

We’re told it was not the aerospace giant itself that was directly breached, but rather the outfit it farmed out the paperwork processing to: Equifax Workforce Solutions. “Promptly after confirming the incident, we worked with Equifax to determine the details of the issue,” Northrop told its teams.

“Northrop Grumman and Equifax are coordinating with law enforcement authorities to assist them in their investigation of recent incidents involving unauthorized actors gaining access to individuals’ personal information through the W-2 online portal.”

A spokesperson for Equifax was not available for immediate comment. The credit-rating giant was also ransacked in 2016, an intrusion in which other customers likewise had their employees’ tax information compromised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/24/northrop_grumman_breach_worker_w2s/