STE WILLIAMS

OK, it’s time to talk mass spying again: America’s Section 702 powers are up for renewal

Analysis While the entire US political machinery has been caught up with one Trump-based scandal after another over the past three weeks, larger underlying issues are starting to re-emerge. And top of the list is mass surveillance.

Section 702 of the Foreign Intelligence Surveillance Act (FISA) expires at the end of the year – December 31, 2017. As such, it will need to be actively renewed by Congress. And the drumbeat has begun on getting Congress to have a full, public debate on the measure before it authorizes any extension.

Just this week, the American Civil Liberties Union (ACLU) called on tech companies to start pushing for reform as it fought a critical legal battle in Ireland over the legality of data sharing between Europe and the United States.

On Wednesday, a number of tech industry groups, including the Computer Communications Industry Association (CCIA), Consumer Technology Association (CTA), Information Technology Industry Council (ITI) and Internet Association, sent a letter [PDF] to the heads of four key congressional committees asking for “an open debate around the reauthorization of Section 702.”

And legal commentators have started writing up their thoughts on what needs to change to stop widespread abuse of the law. Or, as the tech groups argued, “includes meaningful safeguards for internet users’ privacy and civil liberties, measures to ensure transparency and accountability, and a commitment to continued Congressional oversight.”

Quick primer

So, what is Section 702 and why is it important?

When Edward Snowden exposed the depth and breadth of mass surveillance being carried out in secret by the US government, much of the subsequent attention revolved around Section 215 of the Patriot Act, which had been interpreted to allow for bulk collection of Americans’ phone records.

The reason for that focus was that while Section 215 was being used to gather Americans’ records, Section 702 of a different act was, according to the US authorities, never used to gather information on Americans.

In fact the first limitation in Section 702 is that it cannot be used to “intentionally target any person known at the time of acquisition to be located in the United States.”

Unfortunately, as Snowden documents and subsequent investigations made clear, the National Security Agency (NSA) had chosen to creatively interpret what seem like crystal clear rules to achieve the exact opposite of their intention. (It still claims [PDF] not to be doing what it is doing.)

The reality is that Section 702 has been used to create a vast database of information on millions of US citizens that is used every day by law enforcement to research even the smallest of crimes.

How did we get from a law specifically written to only target foreigners when they were outside the United States and only when it would result in “foreign intelligence information,” to a reality where an FBI agent can search the private emails of a US citizen who has never left the United States on suspicion of car theft? Here’s how:

  • The term “foreign intelligence information” was first interpreted so broadly as to cover any and all information with any relevance to the United States.
  • The NSA then decided that such information flows into and out of the United States all the time, thanks to servers hosted by US email providers, and so it should have access to all of that information – leading to the infamous PRISM program where email, chats, text messages and videos were pulled from Google, Facebook, Microsoft, Yahoo! and Apple and stored in a giant database.
  • Any information from US citizens captured during this process is termed “incidental” by the NSA, which continues to pretend that the information gathered is no more than an accidental by-product of its legitimate search. It does not, however, delete that information.
  • Other information on US citizens that really is captured by accident is called “inadvertent” collection. It is also retained.
  • Critically, the NSA decided that the law only prevented it from capturing information on people that it actively knew to be US citizens. And as a result, it decided it could presume that everyone it gathered information on was a foreigner based overseas unless it had information to the contrary. So even though it was tapping the servers of US companies based in the United States, it allowed itself to believe that it was capturing the information of foreigners from outside the country.
  • The NSA also decided that it was entitled to keep all this information it gathered in a database and the law would only apply to how it searched that database.
  • Then the NSA decided that so long as it used search terms that gave it “51 per cent confidence” that the results would bring up information on a foreigner, it could access the database however it wished.
  • In 2001 – after the terrorist attacks in New York and Washington – the NSA then persuaded the Foreign Intelligence Surveillance Court that it should be allowed to search using the personal identifiers of US citizens, ie, their telephone numbers or email addresses. This was despite the fact that the law had previously specifically prohibited this sort of “reverse targeting.”
  • Following a recommendation from the 9/11 Commission that “the wall” between security services be removed to allow for greater sharing of intelligence, the FBI was granted access to the vast database.
  • Under its guidelines for accessing the data, the FBI is allowed to search the database to investigate any federal crime and agents are in fact encouraged to do so.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/section_702_mass_surveillance/

Republicans send anti-Signal signal to US EPA

US House Republicans Lamar Smith (R-TX) and Darin LaHood (R-IL) have demanded a probe into staff at the US Environmental Protection Agency who are apparently using private encrypted communications.

Earlier this month, insiders at the EPA, the US Department of Labor, the Foreign Service, and possibly other agencies and departments, have reportedly resorted to strong end-to-end encrypted messengers such as Signal to coordinate their resistance response to the Trump administration.

Their fear is that a discussion along the lines of “what do we do if we’re given an illegal order” on official channels will draw reprisals.

However, American government communications are subject to freedom of information laws, and that’s sparked the Smith-LaHood letter [PDF] to the US EPA’s watchdog – its inspector general.

Suggesting that “approximately a dozen” EPA officials are using Signal to “discuss potential strategies” to preserve Obama Administration priorities, the letter says this avoids federal records requirements and circumvents monitoring. Smith is the chairman of the US House Committee on Space, Science and Technology, and LaHood is chairman of the subcommittee on oversight. They both want a review into the EPA’s internal practices.

“In this instance, the committee is concerned that these encrypted and off-the-record communication practices, if true, run afoul of federal record-keeping requirements, leaving information that could be responsive to future Freedom of Information Act and congressional requests unattainable,” the letter, dated February 14, states.

Yesterday, House Rep Matt Gaetz (R-FL) introduced a one-line bill to terminate the EPA at the end of 2018. He also cosponsored a similar bill to shut down the US Department of Education. Let him know how you feel about that: call (202) 225-4136. Both bills are in their early stages of development.

If the rumors of Signal use are true, other agencies will most likely face similar encrypted comms probes by their overseers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/republicans_signal_us_govt/

As Microsoft touts Windows Insider for biz, let’s take a look at W10’s broken 2FA logins

For months now, the Windows 10 Anniversary Update has broken two-factor logins using certain smart cards – and Microsoft has refused to discuss it.

According to Reg readers writing in, and W10 users on support forums, folks who have Yubikey two-factor authentication gadgets have been hitting frustrating error messages when trying to log in with the latest flavor of Windows 10. Ideally, you plug your key into the USB port and type in your password, and together they authenticate you. For some, that stopped working.

In forum posts dating back all the way to September 2016, fed-up Microsoft customers have complained that when logging in locally to their machines with the smart cards, they get “Error 7” messages. The cards still work on earlier editions of Windows, and users running bleeding-edge Windows Insider builds say their cards now work.

Other users report speaking with Yubikey support staffers on this issue, only to be told the problem was on Microsoft’s end – and that there was no timetable for it to be fixed.

Despite this issue having been reported on for several months now, Redmond is keeping quiet. We asked the operating system giant for comment, and in return we got silence: no explanation, no workaround, no nothing. The lights are on, the barriers are down, but no train is coming.

“There is a bug in the windows 10 Anniversary Update that prevents the use of Yubikey smart cards for local login,” one cheesed-off Reg reader, a director-level tech pro in the UK, told us.

“This showstopper of a bug must be known to Microsoft, as they have fixed it in the Insider preview fast-ring release. They will not publicly acknowledge it, and there is no suggestion that they will patch it either.”

We pinged Yubikey-maker Yubico earlier in the day about this login issue. A couple of hours later, just as we were going to press, a spokesperson for the security hardware biz got in touch to say a hotfix is available to address the problem. This update was quietly crafted at the end of January, and will not automatically install. The spokesperson said:

We have confirmation from Microsoft that a hotfix has been released on the Windows Update Catalog that should solve the Windows 10 smart card login issue with the YubiKey. We do not have a timeframe when this will be available as an automatic Windows Update but it is available for a manual download and installation. We’ve done testing in our lab environment and found this has indeed solved the issue.

You can grab the fix, KB3216755, from here. Let your Yubico-using friends know about this bug fix because Microsoft won’t.

Meanwhile, Redmond has kicked February’s Patch Tuesday into next month: any bug fixes due to be released and installed this week will be rolled into patches released on March 14. Microsoft may be having problems with its build and distribution systems, hence the delayed Windows updates and the embarrassed silence.

Windows Insider previews for enterprises

Speaking of buggy, not-ready-for-business operating systems, Microsoft is going to offer company IT departments the chance to get in on the Windows Insider program. The Insider scheme gives loyalists an early look at forthcoming features, bugs and other beta-grade software in Windows 10. Folks can test drive the code, and send feedback to Redmond’s product managers.

And soon, Microsoft’s Insider for IT Professionals program will let corporate techies test out upcoming versions of Windows 10 within enterprise environments before the new builds are released, (presumably so sysadmins can check in advance for things like whether an update breaks Yubikey authentication).

“The Windows Insider Program recognizes IT Professionals as a critical asset to any organization,” purrs Microsoft in its pitch to the industry.

“From managing complex environments that incorporate Microsoft systems, to managing how they integrate with other applications inside their organization, IT Professionals understand ‘mission critical’ and know how to think through and resolve deployment issues. They are the front-line IT heroes of any organization. But we don’t have to tell you this.

“In the coming months, we’ll be adding additional features to the existing Windows Insider Program to better support you in your job. Incorporating the Windows Insider Program for IT Professionals into your deployment plans enables you to prepare your organization for Windows 10, to deploy new services and tools more quickly, to secure your applications, to increase productivity giving you confidence in the stability of your environment.”

The program will encourage IT pros to share advice among themselves on testing Windows 10 Insider builds on work systems; to vote on which bugs should be prioritized for fixes; to give feedback on how the operating system copes with business workflows; and to open a channel of comms between sysadmins and the Windows team. Let’s hope they fare better than Yubikey owners.

Microsoft has not yet said exactly when the program will go live, although you can register your interest using the above link. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/win10_anniversary_borks_smartcards/

Man sues Uber after privacy flaws ‘led to his divorce’

Ridesharing firm Uber is going to be spending some time in court. A French businessman based on the Côte d’Azur has sued the company for divulging private ridesharing information that led his wife to divorce him.

The plaintiff, living in the south of France, said in his claim that his wife was informed of his Uber trips whenever he took a ride, even though he had logged out of his account after using it on her smartphone. Ongoing notifications from Uber showed her his pickup points and destinations, and when his ride took place. She left him after suspecting that he was having an affair based on his ride data, said reports.

Let’s get the obvious question out of the way first. Does it matter if the Frenchman was cheating on his wife? Did he deserve privacy, or did he get the privacy he deserved?

The answer is that he deserved complete privacy. Privacy can’t be linked to moral judgements, because they change with the times. Yesterday’s crimes are today’s everyday, perfectly acceptable habits. Similarly, you may be doing something considered appropriate today, only for a future government to decide that it is immoral and therefore illegal. Privacy as a concept must stand above such things, otherwise it can’t be guaranteed, and therefore isn’t privacy.

So, what happened to land him in hot water?

The problem reportedly stemmed from a bug in Uber’s iPhone app. Once an account had been signed in on the phone, the digital authorization token used to notify the device about trip details doesn’t seem to have been revoked on logout, meaning that the phone continued to receive notifications even after the account was logged out.

The bug was reportedly fixed after December 16 last year, but that doesn’t help the now-divorced user.
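The failure mode described above, a device’s notification binding outliving the login session it was created under, modelled as an added example (hypothetical names, not Uber’s code). The vulnerable variant keeps the push token after logout; the fixed variant unbinds it, and a small audit helper lists bindings with no live session.

```python
"""Model of a push-notification binding that survives logout, and the fix.

All class and function names here are hypothetical; device tokens are
constructed sample values, not real identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    # Device tokens registered to receive trip notifications.
    push_tokens: set = field(default_factory=set)
    # Device tokens that currently hold an active login session.
    sessions: set = field(default_factory=set)


class TripNotifier:
    """Holds account -> device bindings and fans out trip updates."""

    def __init__(self, revoke_on_logout: bool):
        self.revoke_on_logout = revoke_on_logout
        self.accounts: dict[str, Account] = {}

    def login(self, name: str, device_token: str) -> None:
        acct = self.accounts.setdefault(name, Account(name))
        acct.sessions.add(device_token)
        # Registering the device for notifications happens at login.
        acct.push_tokens.add(device_token)

    def logout(self, name: str, device_token: str) -> None:
        acct = self.accounts[name]
        acct.sessions.discard(device_token)
        if self.revoke_on_logout:
            # Fix: the notification binding is tied to the session, so it goes too.
            acct.push_tokens.discard(device_token)
        # Vulnerable variant: push_tokens still lists the device, so trip
        # updates keep arriving on a phone the user has signed out of.

    def notify_trip(self, name: str, pickup: str, destination: str) -> dict:
        """Return {device_token: message} for every device that would be notified."""
        acct = self.accounts[name]
        msg = f"Trip {pickup} -> {destination}"
        return {tok: msg for tok in acct.push_tokens}

    def stale_bindings(self) -> dict:
        """Audit check: tokens bound for notifications without a live session."""
        stale = {}
        for name, acct in self.accounts.items():
            orphaned = acct.push_tokens - acct.sessions
            if orphaned:
                stale[name] = sorted(orphaned)
        return stale


def run_scenario(revoke_on_logout: bool) -> tuple:
    """Rider signs in on their own phone and on a partner's phone, signs out
    of the partner's phone, then requests a trip. Returns (notified, stale)."""
    svc = TripNotifier(revoke_on_logout)
    svc.login("rider", "rider-phone")
    svc.login("rider", "partner-phone")
    svc.logout("rider", "partner-phone")
    delivered = svc.notify_trip("rider", "Nice", "Cannes")
    return sorted(delivered), svc.stale_bindings()


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))
    print("fixed:     ", run_scenario(True))
```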

A history of privacy problems at Uber

None of this helps Uber’s reputation for poor privacy practices. In December, chief security officer John Flynn sent a letter to staff reminding them of their privacy obligations, and warning staff to follow its rules about access to user data.

The letter referenced a feature article from the Centre For Investigative Reporting, which alleged poor privacy practices at Uber, even though the company had promised in the past to clean up its act. The CFIR report is based heavily on another lawsuit against the company, this time from a former employee, Ward Spangenberg. The former Uber forensic investigator is suing the company for discrimination after it fired him. He had been pushing for data privacy reform within the business for months prior.

In the CFIR report, others joined Spangenberg in alleging weak protections for private data at Uber. Employees could look up rider data with little justification, said former workers. Uber has admitted that it fired employees for improper access.

In the past, journalists have reported that Uber tracked their movements without permission, and added that executives had suggested digging up dirt on the press. This led to an investigation by Uber of its top executive in New York. The Electronic Privacy Information Center complained about the privacy infraction to the New York attorney-general, along with another relating to the breach of 50,000 Uber drivers’ data. This led to a state investigation and a January 2016 settlement that required Uber to improve its data security.

Some of Uber’s past privacy infractions have been jaw-dropping. Consider Rides of Glory, its data analysis of morning rideshares, designed to highlight who was on their way home from a one-night stand. It took down the original blogpost after an outcry, but there’s a copy here.

Normally you could pooh-pooh concerns over such stunts by claiming that the data was anonymized, but we know for certain that Uber employees had access to comprehensive data on each ride sharer on a per-ride basis when this blog post was written. As Uber says at the end of the post: “You people are fascinating.” Feeling creeped out yet?

EPIC also warned in mid 2015 that revised privacy terms and conditions enabled Uber to collect location data even after riders had finished their trips, based on its app’s background operation on their phones. Uber said at the time that it might add such features in the future. EPIC has accused the company of doing just that.

We asked Uber about this, and it confirmed that it had followed through on these plans in fall last year.

Specifically, for people who choose to use location services with the Uber app, we are only collecting their location from the time they request a trip until five minutes after the trip has finished. This helps us improve ETAs, pick-ups, efficiency on Pool, and passenger safety. The collection and use of this data is explicitly communicated to users when they download the latest version of the app as well as in the device-level permissions on your phone, which you can change at any time.

Zero-sum games

These stories highlight a key point about modern mobile and internet-based services: there’s a trade-off between convenience and privacy. Uber, like many apps, puts highly useful services at your fingertips. It’s ridiculously convenient, and the convenience is tied to you leaving services such as location tracking on.

Users who want convenience from such services should be paying close attention to their privacy terms and conditions. That’s harder than it sounds in a world where attention is limited, and where people don’t always understand the legalese in such agreements.

Is there a way to have both convenience and privacy? Privacy by design, the set of seven design principles designed by the Ontario government in the mid 1990s, promises to help solve these problems. Its author, then-provincial privacy commissioner Ann Cavoukian, argues that it doesn’t need to be a trade-off; that privacy and security needn’t be a zero-sum game. If we can design data architectures and applications to be privacy-conscious from the outset, the theory goes, then we can have our cake and eat it. Hint: that probably means not having a God Mode in your system.

Privacy by design is mandated in the forthcoming General Data Protection Legislation (GDPR) which will become law in Europe in May 2018. Based on it, we could make the case for an easily digestible litmus test for privacy – a kind of gold, silver, bronze affair that could be used to rate an organization’s privacy practices.

If independently verified by an external authorized (and ideally federal) agency, it might go some way towards increasing awareness of an organization’s privacy stance among customers who in many cases might not be aware that privacy is an issue at all.

Beyond that, though, there are bigger problems. Such principles are only as good as the measures taken to monitor and enforce them, and rooting out potential privacy issues is a difficult process. Sometimes they only come out by accident, as our French businessman will tell you.

Even if a company does have the best of intentions for your data, there are flawed internal controls, and rogue staff. There are buggy programs that tell people – and governments – your business by accident. What happens to those good intentions then?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6ffnUYMXvR8/

‘World’s eighth-worst spammer sent more than a million emails’

The World’s 10 Worst Spammers, according to spam-tracking organization Spamhaus, are the most threatening, “least repentant, most persistent, and generally the worst of the career spammers causing the most damage on the internet currently”.

Well, the world may become a fraction less spammy, now that the man Spamhaus has dubbed the world’s eighth-worst spammer has been indicted.

Michael Persaud, 36, from Scottsdale, Arizona, was indicted last week on federal fraud charges in Illinois for allegedly sending more than 1m spam emails worldwide over at least nine separate computer networks between 2012 and 2015.

Persaud’s been charged with 10 counts of wire fraud, each of which is punishable by up to 20 years in prison, although maximum sentences are rarely handed down. The indictment is also seeking forfeiture of four computers.

According to a press release from the US attorney-general’s Office of the Northern District of Illinois, Persaud allegedly cooked up fake names to register the domains. He also allegedly created fake “From” address fields to conceal his identity as the true sender of the emails.

The technique Persaud allegedly used is called “snowshoe spamming”. It involves the use of multiple IP addresses and domains to transmit spam.

As Chester Wisniewski has explained in summing up a Virus Bulletin talk from SophosLab’s Brett Cove on this type of spam, the name “snowshoe spam” was chosen because snowshoes are used to distribute your weight across a broad surface to prevent sinking.

You can see the aptness of the analogy: snowshoe spammers distribute their spamming across a large number of IP addresses and domains to distribute their wares widely. The tactic often defeats volume-based detection schemes used by large email hosts like Gmail and Yahoo.
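As an added illustration of why per-source volume thresholds miss this pattern, here is a small detector (not from the article or any named product) that groups messages by a body fingerprint and flags campaigns spread thinly across many sending IPs and domains. The log format and every value in it are constructed for the example.

```python
"""Detect snowshoe-style distribution in mail-gateway logs.

A volume-based rule looks at each sending IP in isolation, so a campaign that
sends a handful of messages from each of many IPs and domains stays under it.
This detector inverts the view: group by campaign fingerprint, then ask how
widely that one campaign is spread across sources.
"""
import re
from collections import defaultdict

# Constructed sample log (not real traffic): one accepted message per line with
# sending IP, envelope-from domain and a hash of the normalised message body.
SAMPLE_LOG = """\
2017-02-15T09:00:01 ip=203.0.113.10 from=deals-a.example body=c0ffee01
2017-02-15T09:00:02 ip=203.0.113.11 from=deals-b.example body=c0ffee01
2017-02-15T09:00:03 ip=203.0.113.12 from=deals-c.example body=c0ffee01
2017-02-15T09:00:04 ip=198.51.100.5 from=best-offer.example body=c0ffee01
2017-02-15T09:00:05 ip=198.51.100.6 from=save-now.example body=c0ffee01
2017-02-15T09:00:06 ip=198.51.100.7 from=top-buy.example body=c0ffee01
2017-02-15T09:00:07 ip=203.0.113.10 from=deals-a.example body=c0ffee01
2017-02-15T09:00:08 ip=198.51.100.6 from=save-now.example body=c0ffee01
2017-02-15T09:01:00 ip=192.0.2.20 from=news.example body=feed1234
2017-02-15T09:01:01 ip=192.0.2.20 from=news.example body=feed1234
2017-02-15T09:01:02 ip=192.0.2.20 from=news.example body=feed1234
2017-02-15T09:01:03 ip=192.0.2.20 from=news.example body=feed1234
2017-02-15T09:01:04 ip=192.0.2.20 from=news.example body=feed1234
2017-02-15T09:01:05 ip=192.0.2.20 from=news.example body=feed1234
2017-02-15T09:02:00 ip=192.0.2.30 from=shop-x.example body=abcd0001
2017-02-15T09:02:01 ip=192.0.2.31 from=shop-y.example body=abcd0001
"""

LINE_RE = re.compile(r"ip=(\S+) from=(\S+) body=(\S+)")


def parse_log(text: str) -> list:
    """Turn log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"ip": m.group(1), "domain": m.group(2), "body": m.group(3)})
    return records


def detect_snowshoe(records: list, min_sources: int = 5, max_share: float = 0.34) -> dict:
    """Return campaigns (by body fingerprint) that look snowshoed.

    A campaign is flagged when it uses at least `min_sources` distinct IPs and
    distinct domains, and no single IP carries more than `max_share` of its
    messages, i.e. the load is spread out rather than concentrated.
    """
    by_body = defaultdict(list)
    for r in records:
        by_body[r["body"]].append(r)

    flagged = {}
    for body, msgs in by_body.items():
        per_ip = defaultdict(int)
        for r in msgs:
            per_ip[r["ip"]] += 1
        ips = len(per_ip)
        domains = len({r["domain"] for r in msgs})
        max_ip_share = max(per_ip.values()) / len(msgs)
        if ips >= min_sources and domains >= min_sources and max_ip_share <= max_share:
            flagged[body] = {
                "messages": len(msgs),
                "ips": ips,
                "domains": domains,
                "max_ip_share": max_ip_share,
            }
    return flagged


if __name__ == "__main__":
    for body, stats in detect_snowshoe(parse_log(SAMPLE_LOG)).items():
        print(body, stats)
```

In the sample, the single-IP newsletter (feed1234) would trip a per-IP volume rule yet is not snowshoed, while c0ffee01 never exceeds two messages per IP and is the one flagged.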

Persaud allegedly changed names to escape his reputation, using aliases including “Michael Prescott”, “Michael Pearson” and “Jeff Martinez”.

The Department of Justice is also accusing Persaud of illegally transferring and selling millions of email addresses for the purpose of sending spam.

Persaud is innocent until proved guilty, but one thing’s for sure: he’s been around quite a while. Besides being listed as #8 on that World’s 10 Worst Spammers list, AOL sued him in 1998.

America Online charged Persaud with committing fraud by using aliases to send millions of work-at-home junk emails to its customers. Persaud didn’t contest the charges and was ordered to pay more than $500,000 in restitution and damages.

As KrebsOnSecurity reports, Persaud doesn’t consider it spamming. Rather, he classifies himself as an e-marketer.

According to a sealed affidavit seen by security journalist Brian Krebs, during an April 2016 search of his home by the FBI, Persaud allegedly told agents that he conducts internet marketing from his home by sending a million emails in under 15 minutes from various domains and internet addresses.

According to the indictment, Persaud allegedly does business under a California company called Impact Media LLC, sending spam on behalf of sellers of various goods and services and earning commissions for any sale generated by the spam.

He’ll next be in court for a status hearing on February 21.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/txRQtQoEpHQ/

Fake news: what can we all do to play our part in combating it?

Last week we reported how Syrian refugee Anas Modamani challenged Facebook on whether the company had the technical capability to put a halt to fake news. It was after his selfie with German chancellor Angela Merkel went viral and began to appear alongside statements claiming he was a “terror suspect”. The story pointed to technology to help social media tackle online abuse.

As fake news – particularly around refugees – continues to shake German politics, can we really just point the finger at Facebook?

Fake news on the rise

Drawing comparisons between the more sedate German election campaign and Trump’s rise to power in the US, the Financial Times reports that there are fears that

the German election debate will be hijacked by news peddlers, conspiracy theorists, racist ideologues, trolls and cyber-bullies

And Deutsche Welle reported recently that “Angela Merkel is being attacked in fake news spread by right-wing extremists”.

But Germany isn’t the only European country where elections are being held this year – ballots are also imminent in France and the Netherlands. French presidential candidate Emmanuel Macron’s party chief has claimed, according to Deutsche Welle (http://www.dw.com/en/french-presidential-candidate-macron-target-of-russian-fake-news-his-party-chief-claims/a-37531519), that the French democratic process is also a target:

Two big media outlets belonging to the Russian state, Russia Today and Sputnik, spread fake news on a daily basis, and then they are picked up, quoted and influence the democratic [process]

Who’s doing what?

With the problem real and threatening to influence democracies around the world, what is being done to combat not only the spread of fake news but also the release of hacked emails?

The Telegraph reports that officials in France, Germany and the Netherlands have agreed to share information in the run-up to their respective elections this year.

It’s a start, but is it enough? Across Europe:

  • The European Commission, according to Media File, is committing more staff resources to its anti-disinformation task force under an initiative known as the East Stratcom Task Force.
  • Germany, Deutsche Welle reports, is looking to set up a centre to fight disinformation – and has urged political parties not to use social bots and fake news during campaigning.
  • In France, 17 newsrooms are teaming up with Facebook and Google on a fact-checking service called the CrossCheck project to tackle the rise of fake news, according to the BBC earlier this month. It’s not live yet, but should be up and running by February 27, The Disinformation Review reports.
  • As far as the Netherlands is concerned, there’s no clear news on any initiatives to combat fake news specifically, but there are reports – this one in The Guardian – that votes are going to be counted manually to counteract any threat from hackers.

What you can do

So, that’s a brief summary of what the powers that be, political parties and the media are doing. But is there anything you can do personally?

Talking to Deutsche Welle, defense analyst and professional fake news hunter Ben Nimmo explains that part of the problem lies in the money that there is to be made from advertising:

… countless fake news stories are going around because money can be earned from advertising on the websites that publish the false stories.

He suggests you only need time and a familiarity with social media outlets and how they work together, rather than an understanding of technology, to hunt them out – and that’s something we all can do.

And the complex ones? While he does acknowledge that experts are needed to solve some cases, he also suggests that citizens must be taught how to uncover fake news. I agree. After all, the more of us that get involved, the better the detection rate and the lower the effect.

If there’s one thing you take away from reading this, it should be his advice to us all. Noting that “The key is emotion”, he urges:

If a story appeals to your feelings, be they anger or rejection, and not your thoughts, then you have to check it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/niVkewimXsE/

Government focuses on young people to tackle cyberskills shortage

The British government has pledged to deliver a “cyber curriculum”, aiming to address the much-talked-about skills shortage, which is causing pay hikes as well as security risks.

Called the Cyber Schools programme, it is aimed at people between 14 and 18 and is funded to the tune of £20m. For that, the scheme aims to have 5,700 teenagers trained by 2021.

Similar initiatives are happening internationally. Graham Hunter, VP Certifications, Europe and Middle East at industry body CompTIA, said his organisation had supported initiatives such as https://www.lifejourney.us and offered professional certifications as a result.

He approved of the UK scheme in principle, saying:

The plan is ambitious, but with the pressure already placed on teachers to deliver a packed curriculum, the idea of getting cross-industry partners to come together in a number of consortia to bid on this will ensure it has fresh, engaging material to inspire a new wave of schoolchildren interested in cybersecurity roles.

He also pointed to the resources available, saying:

CompTIA as well as other sponsors has already contributed to a schools programme as supporters of the Cyber Security Challenge. Adoption is often down to the interest of the teachers and not the student, so by having an extracurricular offering, utilising industry advocates and trainers with real-world experience is a good thing. Scalability will be a challenge, but technology can help.

The apparently low amount of funding might be a good thing, he added.

The government wants to kickstart a sustainable programme. Much like the coding clubs you see inspiring a generation of coders, cyberclubs can play a role in developing the right mindset, skills and awareness of roles available.

£20m is sufficient to get industry to come together and if there is one thing that cybersecurity specialists are good at, it is finding solutions to tricky problems, be it the latest botnet or in this case making scarce resources go far.

It has perhaps taken this injection of cash to corral the industry resources. Organisations such as BT already have schools outreach programmes; it would be to their credit if they and other organisations come together in a non-competitive way to solve the skills gap issue. Only then will the funding be sufficient.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LoINAg2J4dw/

News in brief: Nokia to reboot iconic phone; AI assistants set to do voice calls; Yahoo, Verizon ‘agree price’

Your daily round-up of some of the other stories in the news

Welcome back, Nokia 3310

Nokia, the Finnish mobile phone-maker that used to dominate the market, is set to stage a comeback at Mobile World Congress in Barcelona at the end of the month – with, it’s rumoured, a revamp of its most iconic and beloved device, the Nokia 3310 (pictured above).

Nokia sold its handset division to Microsoft in 2013 for €5.4bn, and Microsoft swiftly dropped the Nokia name when it launched its decent but unloved Windows Phone devices, retaining only the Lumia brand. However, Microsoft sold the Nokia brand name to HMD, formed by former Nokia workers, in May last year, paving the way for new devices with the venerable name.

HMD is due to launch several Nokia-branded devices, including the Android-based Nokia 6, which is already available in China, and, according to rumours, a reboot of the classic 3310. There’s no word yet on whether the 3310 will sport the iconic Nokia ringtone or Snake, one of the earliest mobile-phone games.

Amazon and Google mull voice calls for AI devices

The march of the AI assistants into our homes continues, with both Google and Amazon reported to be considering adding a voice-call functionality to their respective devices, the Google Home and the Amazon Echo and Dot.

Both tech giants are bidding to own this particular product space, as the devices tap into rich seams of data that help each company sell its respective products.

There are technical issues to overcome, not least of which is the infrastructure required for voice calls, and here Google is probably out in front as it already offers VoIP technology with Hangouts and, in the US, Google Voice.

Amazon, coincidentally or otherwise, has this week debuted its Chime service, intended as a competitor to Skype and other conferencing apps. Amazon also has the early-mover advantage, having got its Echo and Dot devices into millions of homes over the past few months, while Google has yet to launch its Google Home devices outside the US.

Of course, there are privacy concerns with this plan: do you really want everyone you share a home with to hear your calls, and do you really want Amazon and Google capturing the audio and metadata of your phone calls on devices that are already listening for a wake word? Still, it might put an end to missing calls because you can't find your phone, if all you have to do is shout to answer one.

Verizon and Yahoo ‘agree reduced price’

Verizon and Yahoo are reported to be close to agreeing a reduced price for the former’s purchase of the latter.

The deal, originally priced at $4.8bn, seemed to have stalled after Yahoo reported its second giant data breach at the end of last year. Bloomberg reported that the agreed price could be reduced by about $250m, with Verizon and what's left of Yahoo after the deal, to be named Altaba, sharing any continuing legal liabilities arising from the breaches.

Yahoo had already said that the sale would be delayed until the second quarter of this year as it continued to assess the fallout from the breaches.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/elEKYGoud6s/

UK credit broker fined £120k for spamming folk with five million texts

A UK credit broker has been fined £120,000 for sending more than five million unlawful text messages.

Digitonomy besieged consumers with unsolicited loan offers, prompting 1,464 complaints from privacy-conscious recipients between April 2015 and February 2016. An investigation by the data privacy watchdog, the Information Commissioner's Office (ICO), prompted by these complaints concluded that Digitonomy sent the messages without obtaining proper consent from recipients.

The Chester-based business used affiliate marketing companies to send out more than five million messages offering cash loans as part of a marketing campaign. Digitonomy provided examples of the consent wording used by the affiliate companies, but the ICO ruled that the consent obtained was not sufficient to keep the aggressive marketing campaign within UK electronic marketing law: the sender that instigates a campaign must itself hold evidence of valid consent, rather than relying on an affiliate's assurance.

Steve Eckersley, ICO head of enforcement, explained: “Businesses that rely on direct marketing must be able to confirm that people have given their permission to receive text messages and to comply with the law they must have the evidence to prove it.

“Depending on the word of another company is simply not acceptable and is not an excuse. Digitonomy is paying a hefty price for not meeting its responsibilities. We say it over again – any business that has instigated a marketing campaign is responsible for the information involved. Businesses need to get it right or we will take action.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/credit_broke_spam_text_fine/

Verizon! surprisingly! OK! with! Yahoo! despite! mega-hack!

Verizon will savagely slash its acquisition offer for hacker-ransacked Yahoo! by, wait a minute, just 5.2 per cent, it is claimed.

We're hearing that the telecom giant has decided to lower its $4.8bn offer for what remains of the Purple Palace by roughly $250m. Bloomberg puts the discount at $250m, while The Wall Street Journal places the adjustment at $300m.

Verizon declined to comment on either report.

Yahoo! admitted in a pair of announcements last year that hackers had broken into the web company's database of more than a billion Yahoo! customers, swiping personal information and hashed passwords.

The intruders also obtained session cookies that let them log into Yahoo! accounts without needing the password, a detail Yahoo! disclosed in a December note and about which it has now begun formally alerting customers.

Both companies say the revised takeover deal will include a provision that Verizon and Yahoo! share the liability for the legal fallout in the case.

The new figure is not a particularly steep discount from a buyout deal that remains worth more than $4.5bn. It could be argued that this reflects just how little Verizon values Yahoo!'s web services, and therefore how little a breach of their user accounts changes the price.

Verizon has long said that it is largely interested in the Purple Palace for its content network (read: desktop and mobile sites), and that it plans to fold those Yahoo! sites in with fellow internet has-been Aol to create a handful of properties it can flog to advertisers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/verizon_meh_on_yahoo_megabreaches/