Google

Google's Password Checkup Feature Coming To Android (zdnet.com) 34

Android users can now take advantage of the Password Checkup feature that Google first introduced in its Chrome web browser in late 2019, the OS maker announced today. From a report: On Android, the Password Checkup feature is now part of the "Autofill with Google" mechanism, which the OS uses to select text from a cache and fill in forms. The idea is that the Password Checkup feature will take passwords stored in the Android OS password manager and check them against a database containing billions of records from public data breaches and see if the password has been previously leaked online. If it has, a warning is shown to the user.

Science

How To Fall 35,000 Feet and Survive (popularmechanics.com) 131

Massachusetts-based amateur historian Jim Hamilton, who developed the Free Fall Research Page -- an online database of nearly every imaginable human plummet -- documents one case of a sky diver who, upon total parachute failure, was saved by bouncing off high-tension wires. Contrary to popular belief, water is an awful choice. Like concrete, liquid doesn't compress. Hitting the ocean is essentially the same as colliding with a sidewalk, Hamilton explains, except that pavement (perhaps unfortunately) won't "open up and swallow your shattered body." Popular Mechanics: With a target in mind, the next consideration is body position. To slow your descent, emulate a sky diver. Spread your arms and legs, present your chest to the ground, and arch your back and head upward. This adds friction and helps you maneuver. But don't relax. This is not your landing pose. The question of how to achieve ground contact remains, regrettably, given your predicament, a subject of debate. A 1942 study in the journal War Medicine noted "distribution and compensation of pressure play large parts in the defeat of injury." Recommendation: wide-body impact. But a 1963 report by the Federal Aviation Agency argued that shifting into the classic sky diver's landing stance -- feet together, heels up, flexed knees and hips -- best increases survivability. The same study noted that training in wrestling and acrobatics would help people survive falls. Martial arts were deemed especially useful for hard-surface impacts: "A 'black belt' expert can reportedly crack solid wood with a single blow," the authors wrote, speculating that such skills might be transferable.

The ultimate learn-by-doing experience might be a lesson from Japanese parachutist Yasuhiro Kubo, who holds the world record in the activity's banzai category. The sky diver tosses his chute from the plane and then jumps out after it, waiting as long as possible to retrieve it, put it on and pull the ripcord. In 2000, Kubo -- starting from 9,842 feet -- fell for 50 seconds before recovering his gear. A safer way to practice your technique would be at one of the wind-tunnel simulators found at about a dozen U.S. theme parks and malls. But neither will help with the toughest part: sticking the landing. For that you might consider -- though it's not exactly advisable -- a leap off the world's highest bridge, France's Millau Viaduct; its platform towers 891 feet over mostly spongy farmland. Water landings -- if you must -- require quick decision-making. Studies of bridge-jump survivors indicate that a feet-first, knife-like entry (aka "the pencil") best optimizes your odds of resurfacing. The famed cliff divers of Acapulco, however, tend to assume a head-down position, with the fingers of each hand locked together, arms outstretched, protecting the head. Whichever you choose, first assume the free-fall position for as long as you can. Then, if a feet-first entry is inevitable, the most important piece of advice, for reasons both unmentionable and easily understood, is to clench your butt.

Open Source

Should You Block Connections to Your Network From Foreign Countries? (linuxsecurity.com) 134

Slashdot reader b-dayyy quotes the Linux Security blog: What if you could block connections to your network in real-time from countries around the world such as Russia, China and Brazil where the majority of cyberattacks originate? What if you could redirect connections to a single network based on their origin? As you can imagine, being able to control these things would reduce the number of attack vectors on your network, improving its security. You may be surprised that this is not only possible, but straightforward and easy, by implementing GeoIP filtering on your nftables firewall with GeoIP for nftables.

GeoIP for nftables is a simple and flexible Bash script released in December of 2020 designed to perform automated real-time filtering using nftables firewalls based on the IP addresses for a particular region. In a recent interview with LinuxSecurity researchers, the project's lead developer Mike Baxter explained the mission of GeoIP for nftables: "I hope this project is beneficial to those who may not have the IT budget or resources to implement a commercial solution. The code runs well on servers, workstations and low-power systems like Raspberry Pi. The script has the built-in ability to flush and refill GeoIP sets after a database update without restarting the firewall, allowing servers to run uninterrupted without dropping established connections."

This article will examine the concept of GeoIP filtering and how it could add a valuable layer of security to your firewall, and will then explore how the GeoIP for nftables project is leveraging Open Source to provide intuitive, customizable GeoIP filtering on Linux.
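As an added illustration of the mechanism the article describes (this is not code from the GeoIP for nftables project or from the Linux Security article), the POSIX shell below separates the one-time ruleset, which declares an nftables interval set per country and a drop rule that consults it, from the refresh step, which flushes and refills that set in a single nft batch so the firewall itself is never reloaded. The table, chain and set names are assumptions of this example, and the CIDR list is constructed sample data drawn from documentation ranges, not a real GeoIP export.

```shell
#!/bin/sh
# Added example, not code from the GeoIP for nftables project: a ruleset that
# is set up once, plus a per-country address set that is flushed and refilled
# in one atomic nft batch after each GeoIP database update, so the firewall
# is never restarted. Table/set/chain names are assumptions; the CIDRs are
# CONSTRUCTED sample data (documentation ranges), not a real GeoIP export.

SAMPLE_RU_RANGES="203.0.113.0/24
198.51.100.0/25
192.0.2.64/26"

# One-time ruleset: an interval set for the country and a drop rule that
# consults it. Established flows are accepted before the GeoIP check, so
# refilling the set later never cuts an existing connection. Apply once with:
#   geoip_setup_ruleset ru | nft -f -
geoip_setup_ruleset() {
    set_name="geoip_$1"
    cat <<EOF
table inet filter {
    set ${set_name} {
        type ipv4_addr
        flags interval
        auto-merge
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ip saddr @${set_name} counter drop
    }
}
EOF
}

# Refresh batch: flush and refill the set in ONE nft transaction. nft -f
# applies the whole file atomically, so there is no window in which the set
# is empty and traffic from the region slips through. An empty range list
# (typically a failed database download) is refused rather than turned into
# an empty set, which would silently disable the filter.
build_geoip_refresh() {
    set_name="geoip_$1"
    elems=$(printf '%s\n' "$2" | grep -v '^$' | paste -sd, -)
    if [ -z "$elems" ]; then
        echo "refusing to flush ${set_name}: empty range list" >&2
        return 1
    fi
    printf 'flush set inet filter %s\n' "$set_name"
    printf 'add element inet filter %s { %s }\n' "$set_name" "$elems"
}

# Apply a refresh to the live kernel ruleset (needs root and nft installed).
apply_geoip_refresh() {
    batch=$(build_geoip_refresh "$1" "$2") || return 1
    printf '%s\n' "$batch" | nft -f -
}
```

In real use the second argument to build_geoip_refresh would be the CIDR list exported from the GeoIP database for the country; the only thing that changes between updates is the contents of the set, which is why the rest of the ruleset, and the connection-tracking state it relies on, is untouched.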

AI

Minneapolis Bans Its Police Department From Using Facial Recognition Software (techcrunch.com) 25

An anonymous reader quotes a report from TechCrunch: Minneapolis voted Friday to ban the use of facial recognition software for its police department, growing the list of major cities that have implemented local restrictions on the controversial technology. After an ordinance on the ban was approved earlier this week, 13 members of the city council voted in favor of the ban, with no opposition. The new ban will block the Minneapolis Police Department from using any facial recognition technology, including software by Clearview AI. That company sells access to a large database of facial images, many scraped from major social networks, to federal law enforcement agencies, private companies and a number of U.S. police departments. The Minneapolis Police Department is known to have a relationship with Clearview AI, as is the Hennepin County Sheriff's Office, which will not be restricted by the new ban.

Security

'No Support Linux Hosting' Shuts Down After Cyberattack (zdnet.com) 25

A web hosting company named No Support Linux Hosting announced today it was shutting down after a hacker breached its internal systems and compromised its entire operation. From a report: According to a message posted on its official site, the company said it was breached on Monday, February 8. The hacker appears to have "compromised" the company's entire operation, including its official website, admin section, and customer database. A No Support Linux Hosting (NSLH) spokesperson did not return a request for comment seeking details about the attack. But while details about the intrusion are unclear, the attack appears to have been destructive in its nature. "We can no longer operate the No Support Linux Hosting business," the company flatly acknowledged today. "All customers should immediately download backups of their websites and databases through cPanel," NSLH said, urging clients to do so before servers go down for good. At the time of writing, the nature of the NSLH attack is unclear, and we don't know if the hacker downloaded & wiped the company's database and backups or if we're talking about a classic ransomware attack where the intruder encrypted files and demanded a ransom for the decryption key.

Security

SolarWinds Patches Vulnerabilities That Could Allow Full System Control (arstechnica.com) 15

An anonymous reader quotes a report from Ars Technica: SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities. Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds' software development system and used it to distribute backdoored updates to Orion customers. It didn't take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There's no evidence any of the vulnerabilities have been exploited in the wild.

The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274, the vulnerability stems from Orion's use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines. [...] The second Orion vulnerability, tracked as CVE-2021-25275, is the result of Orion storing database credentials in an insecure manner. Specifically, Orion keeps the credentials in a file that's readable by unprivileged users. Rakhmanov facetiously called this "Database Credentials for Everyone." While the files cryptographically protect the passwords, the researcher was able to find code that converts the password to plaintext. The result: anyone who can log in to a box locally or through the Remote Desktop Protocol can gain the credentials for the SolarWindsOrionDatabaseUser.

The third vulnerability, tracked as CVE-2021-25276, resides in the Serv-U FTP for Windows. The program stores details for each account in a separate file. Those files can be created by any authenticated Windows user. Rakhmanov wrote: "Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem."

Fixes for Orion and Serv-U FTP are available here and here.

AI

Clearview AI Violated Canadian Privacy Law (www.cbc.ca) 53

sinij shares a report from CBC.ca: American technology firm Clearview AI violated Canadian privacy laws by collecting photos of Canadians without their knowledge or consent, an investigation by four of Canada's privacy commissioners has found. The report found that Clearview's technology created a significant risk to individuals by allowing law enforcement and companies to match photos against its database of more than three billion images, including Canadians and children.

The commissioners called for Clearview to stop offering its technology in Canada, stop collecting images of Canadians and to delete the photos of Canadians it had already collected in its database. If the company refuses to follow the recommendations, the four privacy commissioners will "pursue other actions available under their respective acts to bring Clearview into compliance with Canadian laws," the statement said. However, the four acknowledged that under current laws, and even under proposed changes to federal privacy laws, their ability to penalize the company or force it to comply with Canadian orders is limited.

"What Clearview does is mass surveillance and it is illegal," federal privacy commissioner Daniel Therrien told reporters Wednesday. "It is an affront to individuals' privacy rights and inflicts broad-based harm on all members of society who find themselves continually in a police lineup." "This is completely unacceptable."

United States

Are the US Military's GPS Tests Threatening Airline Safety? (ieee.org) 119

Long-time Slashdot reader cusco quotes a new report from IEEE Spectrum: In August 2018, a passenger aircraft in Idaho, flying in smoky conditions, reportedly suffered GPS interference from military tests and was saved from crashing into a mountain only by the last-minute intervention of an air traffic controller. "Loss of life can happen because air traffic control and a flight crew believe their equipment are working as intended, but are in fact leading them into the side of the mountain," wrote the controller. "Had [we] not noticed, that flight crew and the passengers would be dead...."

There are some 90 reports on NASA's Aviation Safety Reporting System forum detailing GPS interference in the United States over the past eight years, the majority of which were filed in 2019 and 2020. Now IEEE Spectrum has new evidence that GPS disruption to commercial aviation is much more common than even the ASRS database suggests. Previously undisclosed Federal Aviation Administration data for a few months in 2017 and 2018 detail hundreds of aircraft losing GPS reception in the vicinity of military tests. On a single day in March 2018, 21 aircraft reported GPS problems to air traffic controllers near Los Angeles. These included a medevac helicopter, several private planes, and a dozen commercial passenger jets. Some managed to keep flying normally; others required help from air traffic controllers. Five aircraft reported making unexpected turns or navigating off course. In all likelihood, there are many hundreds, possibly thousands, of such incidents each year nationwide, each one a potential accident. The vast majority of this disruption can be traced back to the U.S. military, which now routinely jams GPS signals over wide areas on an almost daily basis somewhere in the country.

The military is jamming GPS signals to develop its own defenses against GPS jamming. Ironically, though, the Pentagon's efforts to safeguard its own troops and systems are putting the lives of civilian pilots, passengers, and crew at risk... Todd E. Humphreys, director of the Radionavigation Laboratory at the University of Texas at Austin, says: "When something works well 99.99 percent of the time, humans don't do well in being vigilant for that 0.01 percent of the time that it doesn't."

Privacy

Hacker Leaks Data of 2.28 Million Dating Site Users 25

An anonymous reader quotes a report from ZDNet: A well-known hacker has leaked the details of more than 2.28 million users registered on MeetMindful.com, a dating website founded in 2014, ZDNet has learned this week from a security researcher. The dating site's data has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases. The leaked data, a 1.2 GB file, appears to be a dump of the site's user database.

The content of this file includes a wealth of information that users provided when they set up profiles on the MeetMindful site and mobile apps. Some of the most sensitive data points included in the file include: Real names; Email addresses; City, state, and ZIP details; Body details; Dating preferences; Marital status; Birth dates; Latitude and longitude; IP addresses; Bcrypt-hashed account passwords; Facebook user IDs; and Facebook authentication tokens. Messages exchanged by users were not included in the leaked file; however, this does not make the entire incident less sensitive.

The data leak, which is still available for download, was released by a threat actor who goes by the name of ShinyHunters. They also were responsible for leaking the details of millions of users registered on Teespring.

Privacy

Intelligence Analysts Use US Smartphone Location Data Without Warrants, Memo Says (nytimes.com) 26

An anonymous reader quotes a report from The New York Times: A military arm of the intelligence community buys commercially available databases containing location data from smartphone apps and searches it for Americans' past movements without a warrant, according to an unclassified memo obtained by The New York Times. Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past two and a half years, agency officials disclosed in a memo they wrote for Senator Ron Wyden, Democrat of Oregon.

The disclosure sheds light on an emerging loophole in privacy law during the digital age: In a landmark 2018 ruling known as the Carpenter decision, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers. But the government can instead buy similar data from a broker -- and does not believe it needs a warrant to do so. "D.I.A. does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes," the agency memo said.

Mr. Wyden has made clear that he intends to propose legislation to add safeguards for Americans' privacy in connection with commercially available location data. In a Senate speech this week, he denounced circumstances "in which the government, instead of getting an order, just goes out and purchases the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law." He called the practice unacceptable and an intrusion on constitutional privacy rights. "The Fourth Amendment is not for sale," he said.

Technology

GDPR: German Laptop Retailer Fined $12.6M For Video-Monitoring Employees (zdnet.com) 100

The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping $12.6 million for keeping its employees under constant video surveillance at all times for the past two years without a legal basis. From a report: The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR) not only in Germany but across Europe as well. The recipient is notebooksbilliger.de AG (doing business as NBB), an online e-commerce portal and retail chain dedicated to selling laptops and other IT supplies. The State Commissioner for Data Protection (LfD) for the state of Lower Saxony said that the company installed two years ago a video monitoring system inside its warehouses, salesrooms, and common workspaces for the purpose of preventing and investigating thefts and tracking product movements. Officials said the video surveillance system was active at all times, and recordings were saved for as much as 60 days in the company's database.

Wine

Wine 6.0 Released (windowscentral.com) 100

Wine 6.0 has been released today and contains over 8,300 changes, according to its full release notes. Windows Central reports: The new release of version 6.0 has thousands of changes, but Wine's website highlights some of the biggest improvements: Core modules in PE format; Vulkan backend for WineD3D; DirectShow and Media Foundation support; and Text console redesign. The full release notes for Wine 6.0 explain that the core DLLs, which include NTDLL, KERNEL32, GDI32, and USER32 are now built in the Portable Executable (PE) format. As a result, people should see improvements for certain copy protection schemes.

The update also includes a new mechanism to associate a Unix library with the PE module. This change makes it so systems can call Unix libraries from PE when trying to perform a function that can't be handled by Win32 APIs. Wine 6.0 also includes an experimental Vulkan renderer that translates Direct3D shaders to SPIR-V shaders. In another change related to Direct3D, the Direct3D graphics card database now recognizes more graphics cards and includes updated driver versions.

Security

OpenWRT Forum User Data Stolen In Weekend Data Breach (bleepingcomputer.com) 16

The OpenWRT forum, a large community of enthusiasts of alternative, open-source operating systems for routers, announced a data breach over the weekend. Bleeping Computer reports: The attack occurred on Saturday, around 04:00 (GMT), when an unauthorized third party gained admin access to and copied a list with details about forum users and related statistical information. The intruder used the account of an OpenWRT administrator. Although the account had "a good password," additional security provided by two-factor authentication (2FA) was not active. Email addresses and handles of the forum users have been stolen, the moderators say. They add that they believe the attacker was not able to download the forum database, meaning that passwords should be safe. However, they reset all the passwords on the forum just to be on the safe side and invalidated all the API keys used for project development processes.

Users have to set the new password manually from the login menu by providing their user name and following the "get a new password" instructions. Those logging in using GitHub credentials are advised to reset or refresh them. The OpenWRT forum credentials are separate from the Wiki. Currently, there is no suspicion that the Wiki credentials have been compromised in any way. OpenWRT forum administrators warn that since this breach exposed email addresses, users may become targets of credible phishing attempts.

Social Networks

Is Letterboxd Becoming a Blockbuster? (nytimes.com) 28

Early last decade, Matthew Buchanan and Karl von Randow, web designers based in Auckland, New Zealand, were seeking a passion project. Their business, a boutique web design studio called Cactuslab, developed apps and websites for various clients, but they wanted a project of their own that their team could plug away at when there wasn't much else to do. From a report: Buchanan had an idea for a social media site about movies. At the time, he reflected, he used Flickr to share photos and Last.fm to share his taste in music. IMDb was a database; it wasn't, in essence, social. That left a gap in the field. The result was an app and social media network called Letterboxd, which its website describes, aptly, as "Goodreads for film." After it was introduced at the web conference Brooklyn Beta in the fall of 2011, Letterboxd steadily developed a modest but passionate following of film fans eager to track their movie-watching habits, create lists of favorites, and write and publish reviews. In 2020, however, the site's growth was explosive. Letterboxd has seen its user base nearly double since the beginning of the pandemic: They now have more than 3 million member accounts, according to the company, up from 1.7 million at this time last year.

The pandemic has ravaged the movie industry, as theaters have remained mostly shuttered and high-profile would-be blockbusters like "Tenet" have drastically underperformed. But for Letterboxd, all that time at home has been a boon. "We love talking about movies," said Gemma Gracewood, Letterboxd's editor in chief. "And we're talking even more about what we love lately because we're all stuck indoors." In the beginning, Letterboxd mainly attracted film obsessives: hard-core cinephiles, stats fanatics and professional critics looking to house their published work under one roof. Mike D'Angelo, a longtime contributor to Entertainment Weekly and Esquire, used Letterboxd to retroactively log every movie he has seen, by date, since January 1992. In addition to uploading his old reviews to the platform, he uses the site as a kind of diary for more off-the-cuff musings.

Biotech

Theranos Destroyed Crucial Subpoenaed SQL Blood Test Database, Can't Unlock Backups (theregister.com) 148

An anonymous reader quotes a report from The Register: Failed blood-testing unicorn Theranos trashed vital incriminating evidence of its fraud, prosecutors said on Monday. The imploded startup's extensive testing data over three years, including its accuracy and failure rate, was "stored on a specially-developed SQL database called the Laboratory Information System (LIS)," according to a filing [PDF] in the fraud case against Theranos's one-time CEO Elizabeth Holmes and COO Sunny Balwani. The database "even flagged blood test results that might require immediate medical attention, and communicated this to the patient's physician," we're told.

Theranos claimed to have perfected technology that would allow industry standard blood tests to be run at great speed and with just a drop of blood, revolutionizing the health industry, and causing the business to be valued at $10bn. The reality, however, was that for one set of tests, the failure rate was 51.3 per cent. What does that mean? Prosecutors explain: "In other words, Theranos's TT3 blood test results were so inaccurate, it was essentially a coin toss whether the patient was getting the right result. The data was devastating."

So devastating that the database was subpoenaed by a grand jury digging into fraud claims against Holmes and Balwani. But when investigators turned to take a copy of the database, guess what? From the filing: "On or about August 31, 2018 -- three months after a federal grand jury issued a subpoena requesting a working copy of this database -- the LIS was destroyed. The government has never been provided with the complete records contained in the LIS, nor been given the tools, which were available within the database, to search for such critical evidence as all Theranos blood tests with validation errors. The data disappeared."

Security

Researchers Test UN's Cybersecurity, Find Personal Data On 100K Employees (securityledger.com) 9

chicksdaddy shares a report from The Security Ledger: Independent security researchers testing the security of the United Nations were able to compromise public-facing servers and a cloud-based GitHub development account used by the U.N. and lift data on more than 100,000 staff and employees, according to a report by The Security Ledger. Researchers affiliated with Sakura Samurai, a newly formed collective of independent security experts, exploited an exposed GitHub repository belonging to the International Labour Organization and the U.N.'s Environment Programme (UNEP) to obtain "multiple sets of database and application credentials" for UNEP applications, according to a blog post by one of the Sakura Samurai researchers, John Jackson, explaining the group's work.

Specifically, the group was able to obtain access to database backups for private UNEP projects that exposed a wealth of information on staff and operations. That includes a document with more than 1,000 U.N. employee names, emails; more than 100,000 employee travel records including destination, length of stay and employee ID numbers; more than 1,000 U.N. employee records and so on. The researchers stopped their search once they were able to obtain personally identifying information. However, they speculated that more data was likely accessible.

Government

Open-Source Developer and Manager David Recordon Named White House Director of Technology (zdnet.com) 51

An anonymous reader quotes a report from ZDNet: President-elect Joe Biden's transition team announced that David Recordon, one of OpenID and OAuth's developers, has been named the White House Director of Technology. Recordon most recently was the VP of infrastructure and security at the non-profit Chan Zuckerberg Initiative Foundation. Before that, Recordon was Facebook's engineering director. There, he had led Facebook's open-source initiatives and projects. Among other programs, this included Phabricator, a suite of code review web apps, which Facebook used for its own development. He also led efforts on Cassandra, the Apache open-source distributed database management system; HipHop, a PHP to C++ source code translator; and Apache Thrift, a software framework for scalable cross-language services development. In short, he's both a programmer and manager who knows open-source from the inside out.

Recordon learned to program at a public elementary school. According to the Biden-Harris transition team, he's spent his almost two-decade career working at the intersection of technology, security, open-source software, public service, and philanthropy. Looking forward to the challenges Recordon faces in his new position, he wrote on LinkedIn: "The pandemic and ongoing cybersecurity attacks present new challenges for the entire Executive Office of the President, but ones I know that these teams can conquer in a safe and secure manner together."

The report notes that Recordon served as the first Director of White House Information Technology during President Barack Obama's term of office, working on IT modernization and cybersecurity issues. He's also served as the Biden-Harris transition team's deputy CTO.

Security

Italian Mobile Operator Offers To Replace SIM Cards After Massive Data Breach (zdnet.com) 14

Ho Mobile, an Italian mobile operator, owned by Vodafone, has confirmed a massive data breach on Monday and is now taking the rare step of offering to replace the SIM cards of all affected customers. From a report: The breach is believed to have impacted roughly 2.5 million customers. It first came to light last month on December 28 when a security analyst spotted the telco's database being offered for sale on a dark web forum. While the company initially played down these initial reports, Ho confirmed the incident on Monday, in a message posted on its official website and via SMS messages sent to all impacted customers. Ho's statement confirms the security researcher's assessment that hackers broke into Ho's servers and stole details on Ho customers, including full names, telephone numbers, social security numbers, email addresses, dates and places of birth, nationality, and home addresses. While the telco said no financial data or call details were stolen in the intrusion, Ho admitted that hackers got their hands on details related to customers' SIM cards.

Security

Malware Uses WiFi BSSID for Victim Identification (zdnet.com) 31

An anonymous reader shares a report: Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location. While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer. However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first. This second technique relies on grabbing the infected user's BSSID. Known as a "Basic Service Set Identifier," the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi. You can see the BSSID on Windows systems by running the following command:

netsh wlan show interfaces | find "BSSID"

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.

Earth

The Problem With Problem Sharks (nytimes.com) 100

A marine biologist's ideas for singling out sharks that attack humans have prompted objections from other shark scientists. From a report: The war on sharks has been waged with shock and awe at times. When a shark bit or killed a swimmer, people within the past century might take out hundreds of the marine predators to quell the panic, like executing everyone in a police lineup in order to ensure justice was dispensed on the guilty party. Eric Clua, a professor of marine biology at the Ecole Pratique des Hautes Etudes in Paris, said the rationale behind shark culls in the past was simple: fewer sharks, fewer attacks. That reasoning also drives methods such as shark nets and baited hooks, which are currently in use at a number of Australian and South African beaches that are frequently visited by sharks. Nature, he notes, pays too great a price. "They are killing sharks that are guilty of nothing," said Dr. Clua, who studies the ocean predators up close in the South Pacific.

Dr. Clua said he has found a way to make precision strikes on sharks that have attacked people through a form of DNA profiling he calls "biteprinting." He believes it's usually just solo "problem sharks" that attack humans repeatedly, analogizing them to terrestrial predators that have been documented behaving the same way. Instead of culling every bear, tiger or lion when only one has serially attacked people, wildlife managers on land usually focus their ire on the culprit. Dr. Clua said that problem sharks could be dispatched the same way. This summer, Dr. Clua and several colleagues published their latest paper on collecting DNA from the biteprints of large numbers of sharks. Once a database is built, DNA could be collected from the wounds of people who were bitten by sharks, and matched to a known shark. The offending fish would then need to be found and killed. Critics have taken issue with every facet of this plan.
