FBI: “The allegation that we paid CMU $1M to hack into Tor is inaccurate”


The FBI is denying that it paid $1 million to Carnegie Mellon University to exploit a vulnerability in Tor.

"The allegation that we paid [Carnegie Mellon University] $1 million to hack into Tor is inaccurate," an FBI spokeswoman told Ars in a Friday morning phone call.

Two days ago, the head of the Tor Project accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.


Apache Commons Collections Java Library Vulnerability

Original release date: November 13, 2015

US-CERT is aware of a deserialization vulnerability in the Apache Commons Collections (ACC) Java library. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.

US-CERT encourages users and administrators to review Vulnerability Note VU#576313 for more information and apply the necessary mitigations.




Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC


Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Cross-device tracking raises important privacy concerns, the Center for Democracy and Technology wrote in recently filed comments to the Federal Trade Commission. The FTC has scheduled a workshop on Monday to discuss the technology. Often, people use as many as five connected devices throughout a given day—a phone, computer, tablet, wearable health device, and an RFID-enabled access fob. Until now, there hasn't been an easy way to track activity on one and tie it to another.
