Missouri governor threatens reporter who discovered state site spilling private info

Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper that found and responsibly disclosed a security vulnerability that left teachers’ and educational staff members’ Social Security numbers exposed and easily accessible.

The St. Louis Post-Dispatch reports that it notified the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages that contained employee SSNs, potentially putting the information of over 100,000 employees at risk. Despite the fact that the outlet waited until the tool was taken down by the state to publish its story, the reporter has been called a “hacker” by Governor Parson, who says he’ll be getting the county prosecutor and investigators involved.

According to the Post-Dispatch, the tool that contained the vulnerability was designed to let the public see teachers’ credentials. However, it reportedly also included the employee’s SSN in the page it returned — while it apparently didn’t appear as visible text on the screen, KrebsOnSecurity reports that accessing it would be as easy as right-clicking on the page and clicking Inspect Element or View Source.

While the reporter followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access teachers’ private information for nefarious purposes.

In a press conference, Governor Parson described the reporter’s actions as “decoding the HTML source code,” which makes it seem suspicious and clandestine. He is, however, literally describing how viewing a website works — it’s the server’s job to send an HTML file to your computer so you can view it, and anything included in that file isn’t secret (even if it’s not physically visible on your screen when viewing that webpage). Governor Parson says that nothing on DESE’s website gave users permission to access the SSN data, but it was being freely provided.

You can view the governor’s full press conference below.

The Verge has reached out to Missouri DESE to clarify whether the tool was publicly accessible or required logging in, and in response, the DESE says its only comment (due to the ongoing investigation) is that the data is now protected. Of course, it being accessible at all is an issue, regardless of whether it was behind a login.

Missouri’s response is, to put it lightly, the exact opposite of standard practice. Many organizations have bug or security bounties worth hundreds of thousands of dollars, which they’ll pay to hackers who find and responsibly disclose flaws like these. The reason these exist is that they make your systems safer — yes, people will look for and find vulnerabilities, but there was likely already somebody doing that anyway. With a bug bounty, they’re telling you so you can fix it rather than selling that info on the dark web or using it for personal gain. Obviously, those kinds of sums aren’t reasonable for school districts, which often have underfunded IT departments due to shrinking budgets, but there are a lot of options between paying out large sums of money and threatening legal action.

Governor Parson says that the incident could cost the state’s taxpayers $50 million. If a malicious hacker had found the treasure trove of SSNs, it likely would’ve been even more expensive: the state still would’ve had to fix the system, and it would have faced teachers with solid claims against it if they needed identity protection services.

Governor Parson (along with a press release by the Office of Administration) clarifies that the SSNs were only accessible one at a time — a list of all employees’ private info wasn’t included in the HTML files. But as anyone who’s watched the opening scene of The Social Network knows, it can be trivial for hackers to download all the pages from an application and strip specific pieces of information out of them. Just because the reporter didn’t do it (it would’ve arguably been irresponsible if he had) doesn’t mean that it wasn’t possible and doesn’t speak to good security practices.

To be clear: prosecuting the reporter, news outlet, and anyone involved will only serve to put people in Missouri at risk because no one will want to report security flaws they’ve found in public systems if the state’s response will be sending law enforcement after them. Security flaws like this are extremely unfortunate, but they will inevitably happen (the Post-Dispatch reports that the DESE was found to have been storing student SSNs by an audit in 2015). With public entities and companies alike, the real test isn’t whether it happens but how you respond to it. Unfortunately, it seems like Governor Parson is failing that test.

Updated October 14th, 5:52PM ET: Updated to reflect comment from the DESE.

Repost: Original Source and Author Link


PS5 VR details leak from private developers conference

It’s arguable that Facebook’s Oculus now takes up the majority of the attention in the virtual reality market, but it is hardly the only major player. HTC is still actively working on Vive, and Microsoft’s Windows Mixed Reality also dips into that field. And then there’s PlayStation VR, the only console-based system among the VR giants. With the new PlayStation 5 console, however, the interest in a VR system to match has also grown. Fortunately, Sony does seem to have big plans for what the PS5 VR will offer, both in hardware and content.

The Next-Gen VR or NGVR, the alleged codename for the PS5 VR, will come with a headset that will boast significant upgrades over its predecessor. Considering the PSVR pictured above hasn’t exactly gotten major upgrades since it launched in 2016, that’s not exactly a surprising revelation.

According to the details reported by PSVR Without Parole, the headset will feature a new HDR OLED screen with a combined 4000×2040 resolution and a 110-degree field of view. Eye-tracking will be used to implement foveated rendering, and a new flexible scaling resolution will supposedly improve performance. The new controllers will also allegedly have capacitive touch sensors for the thumb, index, and middle finger, probably for finger tracking.

An upgraded VR system, however, also needs upgraded VR experiences, and Sony is looking into bringing AAA titles to its VR ecosystem. That might mean requiring new titles to support a hybrid VR version alongside the regular flat screen game. There is no word yet on backward compatibility, though.

This PS5 VR upgrade could take Sony’s VR system to the next level and help it catch up with its peers. Unfortunately, it seems that fans will have to wait until next year for that to happen.



WhatsApp starts a private beta test of multi-device support

Until now, using WhatsApp web on your desktop or any other device has required having a phone that’s powered on and connected, but a new beta test is trying out support for multiple devices without needing a phone in the mix. In a June interview, WhatsApp head Will Cathcart and his boss, Facebook CEO Mark Zuckerberg, commented on the technical challenge of maintaining end-to-end encryption. With a blog post today, Cathcart explains more about what has been done behind the scenes to maintain security.

WhatsApp’s message architecture.
Image: Facebook

As the image comparing the legacy and new systems (above) is meant to show, a user’s phone previously managed the key that determined their identity and their ability to encrypt and decrypt messages. The encrypted synchronization also covers message history, contact names, and other data, with keys maintained on the individual devices.

To start, the beta is going out to a limited group of testers who are already in WhatsApp’s beta program, while the team says it’s working on improving performance and adding more features.


Get Private Internet Access VPN for almost 70% off — and get a $15 credit too

TLDR: Protect your information and all your online activity with a subscription to Private Internet Access, now at nearly 70 percent off.

If you’re worried about being watched while online, it’s because you already are. Internet service providers (ISPs) can log everything you do. Online destinations from retail giants to social media platforms harvest information about you and can sell that data to virtually anyone. And yeah, getting emails or Facebook ads about the book you just did a Google search for is more than a little creepy.

A VPN is your first and best initial line of defense against constant surveillance. As one of the industry leaders, a subscription to Private Internet Access ($39.95 for 1 year, 69 percent off, from TNW Deals) can go a long way to erecting a staunch barrier against becoming an online privacy victim or, even worse, a victim of cybercrime.

With over a decade as a top VPN option, PIA remains one of the most respected names in data security, including a spot among CNET’s Best VPN Services of 2021 and a cumulative 4.6 out of 5 star rating from over 100,000 reviews among Apple App Store and Google Play users.

With one of the biggest service networks in the business, PIA allows users to log into a network of over 34,000 servers in 77 countries worldwide, shielding you and your vital information from online schemes, thieves and prying eyes. With a PIA connection cloaking a user’s location and IP address, they can do all their online business secure in the knowledge their information won’t be stolen or misused. PIA also uses powerful Blowfish CBC encryption technology to protect all your data, even while ensuring unlimited bandwidth so browsing speeds always remain lightning quick.

And as an industry veteran, PIA is constantly adding new features to further safeguard connections and improve service, including free email breach monitoring, an advanced firewall for blocking unwanted connections, and their MACE feature, which knocks out ads, trackers and malware as you surf the web.

Unlike other services that usually only protect 2, 3 or even 5 devices, PIA allows coverage for up to 10 devices simultaneously, all while also bypassing censored and geographically blocked websites, apps and services you could never otherwise access.

Right now, new members can enjoy a year of Private Internet Access protection for almost 70 percent off its regular price at just $39.99; or get two years of coverage for an even more cost effective $69.95. And with both offers, shoppers will also receive a $15 store credit for their next purchase through TNW Deals.

Prices are subject to change.



Some Accounts Had Private Messages Stolen in Twitter Hack

Twitter has shared more details about how dozens of high-profile accounts were accessed and used to promote a cryptocurrency scam this week.

Twitter has already revealed that around 130 accounts were targeted in the hack, including accounts of prominent political figures like Barack Obama and Joe Biden as well as cryptocurrency enthusiast Elon Musk and other celebrities like Kanye West.

The company announced that the attack had been made possible due to “a social engineering scheme” in which cybercriminals targeted Twitter employees using “intentional manipulation of people into performing certain actions and divulging confidential information.”

Describing the scheme in more detail, Twitter said that attackers managed to trick or manipulate employees into handing over their credentials. The attackers then used these credentials to get inside Twitter’s systems, getting past the two-factor authentication protections and using an internal management tool for resetting passwords.

Of the 130 targeted accounts, the attackers were able to reset the passwords and log in to 45 accounts. This resulted in the sending of the cryptocurrency scam tweets. But many are worried that the attackers may have done even more damage, as they had full access to these accounts. A particular worry was whether the attackers would have been able to access private content such as direct messages.

It seems that, for at least some of the targets, that fear was well-founded. Twitter announced that, “For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our ‘Your Twitter Data’ tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity.”

The Your Twitter Data tool gives a complete list of account activity which, according to The Verge, includes an archive of direct messages. This data may even include deleted direct messages, which is an extra worry. The concern is that these personal messages could be used for blackmail or spread around maliciously.

Twitter did confirm that, of the eight accounts that had their data downloaded, none were verified, and that it has reached out to all eight people to let them know. The company has said it will not be announcing the identity of these accounts publicly.

Twitter is conducting an investigation into what happened and how it can improve the security of its systems. The company acknowledges the huge loss of trust the public has in its services, saying, “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”



Hushed offers a second private phone line for talking or texting for under $20

TLDR: You can organize your life on the phone with a second private number from Hushed that’s a whole lot cheaper than getting a second costly phone service plan.

In 2004, more than 90 percent of American adults lived in a household with a landline. By last year, that number had tumbled to just under 37 percent. Increasingly, users are deciding that the smartphone is the one and only device they need, often with one single phone number as that primary point of contact.

If you’re conducting business by phone, you need that number to be available and accessible for promoting and growing that business. But a phone number is also an easy key for hackers and scammers to uncover your personal data or for spammers to unleash a steady barrage of sales calls and texts that you don’t need.

The answer: one number for the world, another one just for you and your nearest and dearest. With a Hushed Private Phone Line second number ($19.99, 86 percent off, from TNW Deals), you can achieve that separation of church and state so your business line can reach far and wide, while your private line stays protected and available only to those you really trust.

Hushed has quickly become one of the most reliable phone safeguards around, amassing a 4.6 out of 5 star rating from more than 5,600 Apple App Store reviewers.

With a Hushed second phone number, you can keep business and personal separate. You can choose from hundreds of possible area codes, so your new number can look just like any other in your area, but without committing to another expensive phone plan.

Send all your business calls, Craigslist offers, and more there, making it easy to maintain distance between work time and free time. Or use it to field personal calls like Tinder or Bumble contacts without exposing your business to the world. You can even manage multiple numbers, all from Hushed’s easy to use and navigate app.

Users can make calls or send texts with up to 1,000 call minutes and 6,000 SMS minutes for texting each year. So long as the Hushed number gets used at least once every six months, it’ll remain active and ready forever.

You can streamline all your communications now with a lifetime subscription to a Hushed Private Phone Line, a $150 value now on sale at almost 90 percent off that price, down to only $19.99.

Prices are subject to change.


Make Amazon dropshipping and private labels your ultimate business launch pad with this training

TLDR: The 2021 Complete Amazon Dropshipping and Private Label Master Class Bundle can help you launch a new side hustle with Amazon that you can grow into thousands a month.

Kate was a journalist and salesperson who’d never considered starting her own business before. But after learning about dropshipping, Kate launched an anime-themed online storefront – and soon was making $32,000 a month. Meanwhile, Zach went from being an ecommerce newbie to making $23,000 in Amazon sales in just 5 months after launching his own stable of private label products.

No road to riches is easy, but understanding how successful entrepreneurs have turned the concepts of dropshipping and private label brands via Amazon into serious moneymakers should be enough to get the attention of anyone with business aspirations.

With the training in The 2021 Complete Amazon Dropshipping and Private Label Master Class Bundle ($34.99, over 90 percent off, from TNW Deals), interested self-starters with the talent and eye for opportunity can follow a path to a quickly self-sustaining business turning reliable profits every month.

This collection covers everything: 11 courses with nearly 100 hours of training in all the steps for launching successful Fulfilled by Amazon (FBA) business operations.

Even if this is your first time starting a business, courses like Amazon FBA Course 2021 and Launch a Successful Amazon FBA Brand paint a realistic picture. Students get schooled in the right processes and procedures for running a digital storefront in the Amazon environment before finding the right products, sourcing suppliers who won’t rip you off or underdeliver, and marketing your new brand into bestseller status.

Meanwhile, further coursework plunges into more detail in several of those key business areas, covering topics like how to find winning products time and time again, how to properly advertise your business online, and how to make sure your account never runs afoul of Amazon’s strict seller code of conduct or intellectual property and copyright laws. There’s even a step-by-step model here for launching your own book reselling business with profits of 100 percent.

While selling other people’s products can certainly make you money, selling your own is even better. That’s why this package also features three courses dedicated to creating your own Amazon private label line, from sourcing and creating products you’d be proud to put your brand name on, to understanding the software to oversee that operation. There are even five reasons your Amazon private label business might fail so you can short circuit any trap doors before they become a problem.

The 2021 Complete Amazon Dropshipping and Private Label Master Class Bundle includes nearly $2,200 worth of intensive training, but right now, you can launch your new Amazon business future for just over $3 per course at $34.99.

Prices are subject to change.


Venmo is finally adding a private friend list feature following Biden report

Venmo, the PayPal-owned financial app that makes it easy to send money to your friends, is rolling out an important update that adds a major new privacy option. Going forward, Venmo users will have the option to hide their friend lists, making it harder for other people to identify their social circle. The change follows the discovery of President Biden’s Venmo account and the people he was linked to through it.

Earlier this month, The New York Times published an article that included a brief mention about Joe Biden’s use of Venmo — and that quickly led to a report from BuzzFeed announcing that it had discovered the president’s account. Though the report didn’t reveal his associates, it did detail the number of people in his social circle the writers were able to find, renewing talk about the financial app and related privacy concerns.

Though Venmo users have had the option of hiding their transactions from public view, the app has never offered a way for users to hide their friend lists. Many have pointed out the potential privacy issues this can cause, including making it possible for someone to stalk an ex, get an idea about a person’s life and routines, and even shed light on whistleblowers.

Only days after the report detailing Biden’s Venmo account, the company has revealed that it will enable users to hide their friend lists — though these lists will be made public by default. Users will also be able to set their list to ‘friends-only,’ Venmo told BuzzFeed News, offering a compromise between privacy and the app’s social network foundation.

This is a win for privacy advocates who have spent years highlighting the issue public friend lists pose to users. The ability to make transactions private only offered a certain degree of protection, particularly if friends on their public list made their own transactions public. Everyone from scammers to stalkers could leverage this information, and that’s a big concern when it comes to public figures like the president.



Venmo now lets you make your friends list private

Venmo has added new privacy controls for friend lists following a jaw-dropping incident where BuzzFeed News was able to track down President Joe Biden’s Venmo account because of the app’s leaky privacy protocols. App researcher Jane Manchun Wong discovered earlier on Friday that Venmo was working on the new controls.

“We’re consistently evolving and strengthening the Venmo platform for all of our customers. As part of these ongoing efforts, we are enhancing our in-app controls providing customers an option to select a public, friends-only, or private setting for their friends list,” a Venmo spokesperson said in a statement to The Verge.

To find the new controls, tap the hamburger icon while on the main feed, then tap “Settings,” “Privacy,” and then “Friends List.” The Friends List menu appeared for me and another Verge staffer while I was writing this article, so if it hasn’t rolled out to you just yet, sit tight.

In the new menu, you can pick whether you want your friends list to be public, visible to friends, or private. You can also toggle whether or not you want to appear in other users’ friends lists.

The new toggles fix a major privacy hole in Venmo that has been known for years: there previously was no way to keep your list of Venmo contacts private, meaning that you could see the contact list of any other user on the platform. The hole was bad enough that following a brief mention of Biden using Venmo in a recent New York Times profile, BuzzFeed News was able to track down the president’s account in less than 10 minutes. The publication also found the accounts for many in his inner circle.

While you’re in your privacy settings, I’d also recommend setting your Venmo feed to private.

Correction: Clarified that Venmo’s previous friend settings included a privacy flaw, not a security flaw.



Niantic Lightship private beta aims to power next Pokemon GO

Niantic announced a new name and a new aim for their augmented reality platform this week. The Niantic Real World Platform is now called Niantic Lightship. This platform will be offered on a broader level with a Niantic Lightship Augmented Reality Developer Kit, AKA “ARDK”. This new kit will be delivered in a Private Beta at first – if you’re a creator of games, now’s the time to act.

Niantic Lightship and the ARDK were made to enable developers to “build their own immersive, imaginative and unique AR applications.” Thanks to the success of games like Ingress and Pokemon GO, Niantic developed this universe to bring about a future in mobile gaming that goes beyond the screen.

Niantic’s ARDK works with Real-time Mapping, Semantic Segmentation, and robust Multiplayer functionality. With what Niantic describes as “advanced Meshing,” smart devices take smart computing (ARDK’s neural network) and expand on what’s seen through a smartphone camera. Environments can be “mapped” in real time, “resulting in a machine-readable representation of the physical world.”

Instead of using LiDAR scanners to do this, Niantic’s decided to work with RGB color sensors that can be found in the vast majority of cameras in smartphones. Niantic notes that their “approach to meshing” incorporates the work of acquisitions including Matrix Mill and

Semantic Segmentation in Lightship allows the quick analysis of a space and application of characteristics to individual elements. Lightship knows that the sky is the sky, the ground is the ground, and that people are people. Virtual objects can “look, feel and move” in a space in as realistic a set of ways as possible.

The Niantic Augmented Reality Developer Kit works with tools that allow developers to bring next-level physics, depth, occlusions and semantic segmentation to their ideas and apps. Niantic wants creators to make multiplayer experiences that use what’s been done with the bones of Pokemon GO to launch into the stratosphere.

To participate, developers will need to head over to Niantic dot dev, where they’ll find the new Niantic Lightship ARDK and a sign-up process. Niantic will also suggest that users join their publishing group, and take a peek at the games they’ve already published, like Ingress, Harry Potter Wizards Unite, Catan World Explorers, and Pokemon GO.
