Huawei Executive Arrest Inspires Advance Fee Scams

UnderAttack writes: Scammers are attempting to trick Chinese victims into sending thousands of dollars in order to secure the release of Chinese Huawei executive Meng, who was arrested in Canada last week. The messages claim to originate from Ms. Meng and suggest that she found a corrupt guard who will let her go for a few thousand dollars. Of course, there will be riches for anybody who is willing to help (and more). The scam is reportedly targeting people via WeChat, which may have a higher success rate than more widely distributed scams. One of the messages reads (translated): "Hello, I am MENG Wanzou. Currently, I have been detained by Canadian customs. I have limited use of my phone. Right now CIA is trying to get me into the hands of the US government. I bribed the guard of my room, and urgently need US$2000 to get out of here. Once I am out, I will reward you 200,000 shares of Huawei. I will be good on my word. If you are single, we can also discuss the important thing in life. The guard's name is David, the account number is 52836153836252, swift 55789034. I will be good on my word."

Read more of this story at Slashdot.

More People Get Their News From Social Media Than Newspapers, Study Finds

The Pew Research Center has found that more adults get their news from social media than newspapers. "In a survey conducted earlier this year, 20 percent of adults said they often get news via social media while just 16 percent said the same about print newspapers," reports Engadget. "Television topped the list, with 49 percent of respondents saying they get news from TV often while 33 percent and 26 percent of respondents said news websites and radio were significant news sources for them." From the report: Though television is still the dominant news source for American adults, it has been on a decline -- 57 percent of surveyed adults reported getting their news from television regularly back in 2016. And Pew points out that when you look at online news sources together, so either news websites or social media, it's creeping up to TV as the top source, pulling 43 percent of adults combined. But there are significant differences between age groups. TV is by far the most popular news source for adults aged 50 and over while just 16 percent of 18- to 29-year-olds and 36 percent of 30- to 49-year-olds say they often get news via television. Among the youngest adults (aged 18 to 29), social media is the most popular platform for news, and for 30- to 49-year-olds, websites are the top news source.

Read more of this story at Slashdot.

Crivella outsources management, and the one who runs Rio is Paulo Messina, a city councilman with 15,000 votes

On the eve of completing two years at the head of Rio's City Hall, Marcelo Crivella has outsourced municipal management in the hope of reversing the negative numbers of his term, the most unpopular of the last 25 years according to DataFolha. Behind the scenes of municipal politics, the little-known councilman Paulo Messina, in charge of the Casa Civil (the mayor's chief of staff office), has come to be treated as prime minister and sees his power grow as the bishop-mayor shrinks as an administrator.

Little interested in the day-to-day grind of municipal administration and regarded as a hesitant manager, Crivella did not take long to assume the role of a merely decorative monarch. It is Messina, not Crivella, who answers publicly whenever City Hall is pressed on a thornier issue, as with the rains that flooded several parts of the city at the end of November. It was the secretary, not the mayor, who spent Monday at the Operations Center downplaying the problems in interviews with the press.

“The mayor has not the slightest vocation for public administration and, for that reason, outsourced his job to the head of the Casa Civil,” says a former political ally and career civil servant, dismissed from a leadership post after falling out with the “prime minister.” “Crivella wants applause, not boos.”

But such a concentration of power in Messina's hands has been generating discontent and disputes among Crivella's old allies. Last Sunday, a report on the split within the municipal administration published in the Jornal do Brasil drove Messina to the verge of a nervous breakdown. Outraged, he went to Facebook and, in a long post, spared no criticism of the “useless people who lurk in their offices, so close to the mayor, doing shady deals in front of everyone, bragging and, now, leaking to the press.” “Unfortunately, or rather, fortunately, this kind of shit inside City Hall hates me,” the prime minister attacked, without naming the officials who would be involved in shady deals so close to Crivella.

A councilman of little standing, re-elected with just over 15,000 votes, Messina identifies himself on his Facebook, Twitter and Instagram profiles as “Mathematician, teacher and Rio city councilman.” With the caveat that the profiles are “strictly personal,” he asks that his space be respected. There is no reference on them to the post of head of the Casa Civil. He began his political career in the PV (Green Party) in the 2012 elections but, during his very first term, jumped to Solidariedade, spent a brief period without a party, then joined the former PMDB. From there he left to be re-elected with PROS, but soon converted to the bishop-mayor's PRB. Ideology does not seem to be the politician's strong suit: in six years he has passed through five parties.

The professorial tone Messina uses in meetings charmed Crivella, who likes to pun on the councilman's name: “Me ensina” (“teach me”), the mayor asks in meetings. While Crivella spent the first year of his term trying in vain to install his son Marcelo in the Casa Civil, a move barred by the Supreme Federal Court (STF) as nepotism, Messina grew.

While Crivella tried, in vain, to install his son Marcelo in the Casa Civil, Messina grew.

Photo: Thiago Ribeiro/AGIF/AP Images

The numbers that don't add up

Former government leader in the City Council, Messina paved his way to the Casa Civil by securing the approval of some forty bills authored by the Executive. Among them was the one that allowed the revision of the values in the calculation base of Rio's IPTU (property tax), which had not been updated in 20 years. Messina went to the blackboard and did the math to show councilmen the need to update the tax rate, but what really persuaded them was old-fashioned horse-trading. Councilmen who voted in favor of the IPTU increase were rewarded with the appointment of allies to positions in City Hall.

When it came to the fine print, the mathematician failed. The IPTU update did not correct old discrepancies and increased the unfairness in how the tax is levied. The neighborhoods of the west zone were hit hardest. In Vila Kennedy, for example, residents who had been exempt received tax bills for more than R$1,000. Many of these taxpayers live in old properties on unpaved, poorly lit streets. With the approval of the progressive tax, the next bill will arrive with even steeper amounts.

The bill was also heavy for the municipality, which is the record-holding capital in granting IPTU exemptions: 40% of the properties registered in the IPTU base still pay no tax, generating an estimated loss to the city's coffers of approximately R$500 million a year. Some of these properties are occupied by churches, exempt from IPTU thanks to a law passed by Crivella while he was a senator.

Paulo Messina also got his sums wrong when he defended the approval of a work schedule of 12 hours on duty followed by 60 hours of rest for the municipal guards. Rio's Municipal Guard (GM) is the only one among the state capitals with that schedule. In the fine print, the loser was urban control: the previous schedule was 12 hours on duty for 36 of rest. The city is overrun by disorder.

During the same flood in which Messina bent over backwards to defend the municipality's failure to act to prevent flooding, there were hardly any municipal guards working to guide residents. Nor does City Hall seem to care about the endless stream of street vendors who take over the streets of downtown and even the tracks of the VLT light rail.

It is Messina, not Crivella, who answers publicly whenever City Hall is pressed on a thornier issue.

Photo: Celso Barbosa/Codigo19/Folhapress

Napoleon of the asylum

Besides securing the approval of controversial bills, Messina also managed the feat of shelving at least three impeachment requests against Crivella. To do so, he even had himself dismissed from his post in order to return to the Council and vote in favor of his boss. A skill he did not display when it came to preventing former Education Secretary César Benjamin from becoming the target of a parliamentary inquiry (CPI) investigating alleged workplace harassment and the emergency contracts signed during his tenure. Perhaps the lack of effort is explained by the fact that Benjamin pinned on him the nickname Napoleon of the Asylum.

The feud between Benjamin and Messina began amid cabinet meetings, complete with heated shouting matches that often spilled over onto social media and ended up, of course, in the press. Crivella's prime minister wanted to expand his sphere of influence and spared no effort until he secured Benjamin's departure. The tug-of-war ended in July with the dismissal of the education secretary. Benjamin, a former MR-8 guerrilla during the military dictatorship, went out firing and in one of his posts publicly repeated on Facebook the nickname Messina goes by in the corridors of City Hall. The moniker stuck.

Benjamin was not the only one to have problems with Crivella's chosen one. Since taking over the Casa Civil, Messina has cut funds from departments, dismissed appointees of the bishop-mayor's old allies and increased his own budget. For 2019, he will have at his disposal a budget of around R$588 million, with an increase of R$42 million.

By contrast, the Health Department will suffer a cut of R$725 million. Behind the scissors, the mathematician now also plans to manage the resources of Feop, the Special Fund for Public Order, created in the first year of the administration with the aim of guaranteeing cash for the Secretariat of Public Order to invest in… urban control actions.

To make the change concrete, Messina has been lobbying in the Council for the approval of a new text that would transfer responsibility for managing the money to the Casa Civil. By October, Feop had already received around R$75 million. Shortly before, the prime minister had already annexed to his estate the Rio Operations Center, the COR, which was also part of the Seop structure, with a budget of R$18 million. The COR is Rio City Hall's main showcase, as it feeds citizens and the press real-time information about the city's routine.

The mathematician, who prefers the mattress to the financial system, nevertheless seems not to have been able to do much more than keep the bishop away from impeachment proceedings. The prime minister's presence in the Casa Civil has not reversed Crivella's image, nor has it helped his allies. Proof of that came from the ballot boxes in the last elections. Crivella Filho got 56,000 votes and was not elected federal deputy for the PRB, remaining an alternate. The mayor's wild card, Rubens Teixeira (PRB), who in one year of the administration passed through two departments (Conservation and Environment, and Transport), got only 20,000 votes for federal deputy, staying out of Congress.

At the end of November, part of Rio was flooded after heavy rain. Once again it was Messina, not Crivella, who bent over backwards to defend City Hall.

Photo: Armando Paiva/AGIF/AP Images

Money outside the bank

The bishop-mayor's guru has already been convicted by the Federal Court. In June 2017, when he was still the leader of the Crivella government in the City Council, then-councilman Paulo Messina was sentenced in absentia to three years of detention by the 1st Federal Court in Tupã, in the interior of São Paulo state. His crime: “clandestinely carrying out telecommunications activities” through the company Global Info, of which he is a partner, a kind of pirate broadcasting service.

Messina appealed the decision, but before the new trial at the second instance of the Federal Court of São Paulo, Anatel changed the rules of the game. In response to The Intercept, the press office of the Federal Public Prosecutor's Office explained that, in 2017, the National Telecommunications Agency stopped considering the practice adopted by Messina's company a crime. As a result, the MPF decided to extinguish the penalty at the second instance, even though the crime had been committed before the new rule.

Paulo Messina holds stakes in four other companies and in the Instituto Paulo Messina, whose stated activity is the provision of social assistance services without lodging. With the exception of Info House Informática, the others operate out of two rooms at the same address in downtown Rio. However, in the two asset declarations the politician sent to the Electoral Court, Messina did not mention the institute that bears his own name or the companies Tp Info Internet Ltda, Info House Informática Ltda and Rede Global Info. Comparing the declarations sent to the TRE in 2012 and 2016, besides the absence of the companies mentioned above, what stands out is that the politician reported holding R$60,000 in cash while listing no bank account or investment.

The Intercept sent e-mails with 16 questions to the press offices of Mayor Marcelo Crivella, of the head of the Casa Civil, Paulo Messina, and to the Municipal Finance Department. The bishop-mayor did not comment. Nor did Paulo Messina, prime minister to his allies and Napoleon of the Asylum to his detractors.

The post Crivella outsources management, and the one who runs Rio is Paulo Messina, a city councilman with 15,000 votes appeared first on The Intercept.

Ubuntu Security Notice USN-3842-1

Ubuntu Security Notice 3842-1 - Jann Horn discovered that CUPS incorrectly handled session cookie randomness. A remote attacker could possibly use this issue to perform cross-site request forgery attacks.

Ubuntu Security Notice USN-3841-2

Ubuntu Security Notice 3841-2 - USN-3841-1 fixed a vulnerability in lxml. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that lxml incorrectly handled certain HTML files. An attacker could possibly use this issue to conduct cross-site scripting attacks. Various other issues were also addressed.

Red Hat Security Advisory 2018-3806-01

Red Hat Security Advisory 2018-3806-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Telco Update Service for Red Hat Enterprise Linux 6.6 will be retired as of December 31, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 6.6 TUS after December 31, 2018.

Red Hat Security Advisory 2018-3805-01

Red Hat Security Advisory 2018-3805-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.7 will be retired as of December 31, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 6.7 EUS after December 31, 2018.

Red Hat Security Advisory 2018-3800-01

Red Hat Security Advisory 2018-3800-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include improper path handling.

Red Hat Security Advisory 2018-3804-01

Red Hat Security Advisory 2018-3804-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 7.3 will be retired as of November 30, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 7.3 EUS after November 30, 2018.

Red Hat Security Advisory 2018-3803-01

Red Hat Security Advisory 2018-3803-01 - Chromium is an open-source web browser, powered by WebKit. This update upgrades Chromium to version 71.0.3578.80. Issues addressed include buffer overflow and out of bounds write vulnerabilities.

Venafi and DigiCert machine identity protection partnership delivers new solution for enterprise PKI

Venafi and DigiCert unveiled a new integration that simplifies and automates complex machine identity programs for the demanding, security-conscious organizations. The combined solution enables organizations to customize and orchestrate public key infrastructure (PKI) and machine identity protection at machine speed and scale. “The rapid adoption of DevOps, microservices, cloud, and IoT requires a new level of technical sophistication and innovation to deliver protection for all machine identities,” said Kevin Bocek, vice president of security strategy … More

The post Venafi and DigiCert machine identity protection partnership delivers new solution for enterprise PKI appeared first on Help Net Security.

Walmart Is Reportedly Testing a Burger-Flipping Robot

Flippy, a burger-flipping robot that's been trialed in a number of restaurants this year, is coming to Walmart's headquarters in Bentonville, Arkansas, to see whether or not it's the right fit for its in-store delis. Yahoo News reports: Flippy is the world's first autonomous robotic kitchen assistant powered by artificial intelligence from Miso Robotics, a two-year-old startup. Flippy got a gig at Dodger Stadium in Los Angeles with vending food service company Levy Restaurants, part of Compass Group, to fry up chicken tenders and tater tots. Through the World Series, Flippy churned out 17,000 pounds worth of the fried foods. It's able to fry up to eight baskets of food simultaneously. "Walmart saw what we were doing and said, 'Could you bring Flippy from Dodgers Stadium to our Culinary Institute?'" Miso Robotics CEO David Zito told Yahoo Finance. In practice, a Walmart associate would place a frozen product on the rack. Using visual recognition technology, Flippy identifies the food in the basket and sets it in the cooking oil. The machine then "agitates" the basket by shaking it to make sure the product cooks evenly. When the food is finished cooking, Flippy moves the basket to the drip rack. An associate then tests the food's internal temperature. A few minutes later, the associate can season the food before it hits the hot display case. The reason Walmart is looking at the robot is so it can do some of the more mundane and repetitive tasks at the deli. The robot is supposed to serve as an "extra set of hands," letting the associate spend less time putting potato wedges and chicken tenders in fryers and more time on other services like taking customer orders and prepping other foods.

Read more of this story at Slashdot.

No, It’s Not Just You. Crypto Funds are Also Seeing Red

While your cryptocurrency holdings may be severely underwater, at least you do not have to publicly disclose it. It is coming to that time of year that all of the cryptocurrency funds have to report the quarterly numbers, and they are not looking pretty. They are all coming to grips with the impact of previous […]

The post No, It’s Not Just You. Crypto Funds are Also Seeing Red appeared first on Hacked: Hacking Finance.

Karamba Security collaborates with Ficosa to secure smart mobility against cyberattacks

Karamba Security revealed that Ficosa is partnering with Karamba Security to harden its Telematics Control Unit (TCU) and keep vehicles protected from cyberattacks when communicating with the internet. Ficosa, through Onboard Ventures, its Open Innovation initiative, has identified Karamba Security’s Carwall solution as hardening software that is integrated into the vehicle’s Electronic Control Units (ECUs) without disrupting the development process or delaying the vehicle’s time to market. Karamba Security’s software prevents in-memory cyberattacks, by … More

The post Karamba Security collaborates with Ficosa to secure smart mobility against cyberattacks appeared first on Help Net Security.

Pharmaceutical Industry – wilsoncgrp

wilsoncgrp.com - Regulatory compliance and information security has become critical in every facet of the pharmaceutical industry. The widespread use of information technology and network applications make pharmaceutica…

Tweeted by @WilsonCGroupLLC https://twitter.com/WilsonCGroupLLC/status/1072291136088272896

At Least One Major Carrier Lied About Its 4G Coverage, FCC Review Finds

An anonymous reader quotes a report from Ars Technica: Four months after receiving a complaint claiming that Verizon "grossly overstated" its 4G LTE coverage in government filings, the Federal Communications Commission says that at least one carrier is apparently guilty of significant rules violations. The FCC did not name any specific carrier in its announcement and did not respond to our question about whether Verizon is among the carriers being investigated. But the investigation was apparently triggered by a complaint about Verizon filed in August by the Rural Wireless Association (RWA). The RWA, which represents rural carriers, made its case to the FCC by submitting speed test data. The speed tests showed the Verizon network wasn't providing 4G LTE service in areas that Verizon claimed to cover, according to the RWA. Inaccurate coverage maps could make it difficult for rural carriers to get money from the Mobility Fund, a government fund intended for unserved areas. "A preliminary review of speed test data submitted through the challenge process suggested significant violations of the Commission's rules," FCC Chairman Ajit Pai said Friday in his announcement of the FCC investigation. The FCC said its investigation focuses on "whether one or more major carriers violated the Mobility Fund Phase II (MF-II) reverse auction's mapping rules and submitted incorrect coverage maps."

Read more of this story at Slashdot.

GoPro To Move US-Bound Camera Production Out of China

In an effort to counter the potential impact from new tariffs, GoPro is moving most of its U.S.-bound camera production out of China by the summer of 2019. The company said international-bound camera production will remain in China. Reuters reports: The company had previously said it was being "very proactive" about the situation regarding tariffs as the U.S. and China ramped up their bitter trade war, in which both nations have imposed tariffs on hundreds of billions of dollars of each other's imports. "It's important to note that we own our own production equipment while our manufacturing partner provides the facilities, so we expect to make this move at a relatively low cost," said Chief Financial Officer Brian McGee. In the company's earnings call in November, GoPro said it had the option to move U.S.-bound production out of China in the first half of 2019, if necessary.

Read more of this story at Slashdot.

Rights Groups Turn Up Pressure on Google Over China Censorship Ahead of Congressional Hearing

Google is facing a renewed wave of criticism from human rights groups over its controversial plan to launch a censored search engine in China.

A coalition of more than 60 leading groups from countries across the world have joined forces to blast the internet giant for failing to address concerns about the secretive China project, known as Dragonfly. They come from countries including China, the United States, the United Kingdom, Argentina, Bolivia, Chile, France, Kazakhstan, Mexico, Norway, Pakistan, Palestine, Romania, Syria, Tibet, and Vietnam.

A prototype for the censored search engine was designed to blacklist broad categories of information about human rights, democracy, and peaceful protest. It would link Chinese users’ searches to their personal cellphone number and store people’s search records inside the data centers of a Chinese company in Beijing or Shanghai, which would be accessible to China’s authoritarian Communist Party government.

If the plan proceeds, “there is a real risk that Google would directly assist the Chinese government in arresting or imprisoning people simply for expressing their views online, making the company complicit in human rights violations,” the human rights groups wrote in a letter that will be sent to Google’s leadership on Tuesday.

The letter highlights mounting anger and frustration within the human rights community that Google has rebuffed concerns about Dragonfly, concerns that have been widely raised both inside and outside the company since The Intercept first revealed the plan in August. The groups say in their 900-word missive that Google’s China strategy is “reckless,” piling pressure on CEO Sundar Pichai, who is due to appear Tuesday before the House Judiciary Committee, where he will likely face questions on Dragonfly.

The groups behind the letter include Amnesty International, the Electronic Frontier Foundation, Access Now, Human Rights Watch, Reporters Without Borders, the Center for Democracy and Technology, Human Rights in China, the International Campaign for Tibet, and the World Uyghur Congress. They have been joined in their campaign by several high-profile individual signatories, such as former National Security Agency contractor Edward Snowden and Google’s former head of free expression in Asia, Lokman Tsui.

In late August, some of the same human rights groups had contacted Google demanding answers about the censored search plan. In October, as the groups revealed on Monday, Google’s policy chief Kent Walker responded to them. In a two-page reply, Walker appeared to make the case for launching the search engine, saying that “providing access to information to people around the world is central to our mission.”

Walker did not address specific human rights questions on Dragonfly and instead claimed that the company is “still not close to launching such a product and whether we would or could do so remains unclear,” contradicting a leaked transcript from Google search chief Ben Gomes, who stated that the company aimed to launch the search engine between January and April 2019 and instructed employees to have it ready to be “brought off the shelf and quickly deployed.”

Walker agreed in his letter that Google would “confer” with human rights groups ahead of launching any search product in China, and said that the company would “carefully consider” feedback received. “While recognizing our obligations under the law in each jurisdiction in which we operate, we also remain committed to promoting access to information as well as protecting the rights to freedom of expression and privacy for our users globally,” Walker wrote.

“The company may knowingly compromise its commitments to human rights and freedom of expression.”

The human rights groups were left unsatisfied with Walker’s comments. They wrote in a new letter of reply, to be sent Tuesday, that he “failed to address the serious concerns” they had raised. “Instead of addressing the substantive issues,” they wrote, Walker’s response “only heightens our fear that the company may knowingly compromise its commitments to human rights and freedom of expression, in exchange for access to the Chinese search market.”

The groups added: “We welcome that Google has confirmed the company ‘takes seriously’ its responsibility to respect human rights. However, the company has so far failed to explain how it reconciles that responsibility with the company’s decision to design a product purpose-built to undermine the rights to freedom of expression and privacy.”

Separately, former Google research scientist Jack Poulson, who quit the company in protest over Dragonfly, has teamed up with Chinese, Tibetan, and Uighur rights groups to launch an anti-Dragonfly campaign. In a press conference on Monday, Poulson said it was “time for Google to uphold its own principles and publicly end this regressive experiment.”

Teng Biao, a Chinese human rights lawyer who said he had been previously detained and tortured by the country’s authorities for his work, recalled how he had celebrated in 2010 when Google decided to pull its search services out of China, with the company citing concerns about the Communist Party’s censorship and targeting of activists. Teng said he had visited Google headquarters in Beijing and laid flowers outside the company’s doors to thank the internet giant for its decision. He was dismayed by the company’s apparent reversal on its anti-censorship stance, he said, and called on “every one of us to stop Google from being an accomplice in China’s digital totalitarianism.”

Lhadon Tethong, director of the Tibet Action Institute, said there is currently a “crisis of repression unfolding across China and territories it controls.” Considering this, “it is shocking to know that Google is planning to return to China and has been building a tool that will help the Chinese authorities engage in censorship and surveillance,” she said. “Google should be using its incredible wealth, talent, and resources to work with us to find solutions to lift people up and help ease their suffering, not assisting the Chinese government to keep people in chains.”

Google did not respond to a request for comment.

The post Rights Groups Turn Up Pressure on Google Over China Censorship Ahead of Congressional Hearing appeared first on The Intercept.

Air Force Reserve

afreserve.com - Overview: The mission statement of the U.S. Air Force is to fly, fight and win...in air, space and cyberspace. The emerging 21st Century battleground is cyberspace; the computer networks and communic…


Tweeted by @AirForceReserve https://twitter.com/AirForceReserve/status/1072279830987751424

Verizon Announces 10,400 Employees Will Voluntarily Leave the Company

Verizon today announced that 10,400 employees -- about 7 percent of its worldwide workforce -- are taking buyouts to leave the company. "This is part of an effort to trim the telecom giant's workforce ahead of its push toward 5G," reports TechCrunch. From the report: Verizon put this offer on the table in September with a goal to save $10 billion in cash by 2021. The offer, which included 60 weeks of salary bonus and benefits depending on length of service, applied to 44,000 employees across Verizon's business. "For those who were accepted, the coming weeks and months will be a transition. For the entire V Team, there will be opportunities to work differently as we prepare for the great things to come at Verizon," CEO Hans Vestberg said in a note to employees, CNBC reports.

Read more of this story at Slashdot.

What is the future of war?

portal.eo.nl - If there is one Dutchman who knows a great deal about waging war, it is Rietdijk. During his career with the Ministry of Defence he took part in several combat missions and was responsible for the weder…


Tweeted by @teunvoeten https://twitter.com/teunvoeten/status/1072268252234039300

Crypto Update: Weekend Bounce Fails to Turn Bearish Tide

The major cryptocurrencies continue to be stuck in declining trends, despite the bounce that followed the latest technical breakdown in the segment. The top coins failed to recover sustainably above the prior bear market lows, and today the market turned lower again, with the weakest currencies already threatening new lows. The long-term picture remains […]

The post Crypto Update: Weekend Bounce Fails to Turn Bearish Tide appeared first on Hacked: Hacking Finance.

House Panel Issues Scathing Report On ‘Entirely Preventable’ Equifax Data Breach

An anonymous reader quotes a report from The Hill: The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation. The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. "In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable." The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers. "A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company's failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data." The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach. 
The report said the company could have detected the attackers' activity but did not have "file integrity monitoring enabled" on the affected system, known as ACIS, at the time of the attack.

Read more of this story at Slashdot.

CVE-2018-20050

Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via the ONVIF GetStreamUri method and GetVideoEncoderConfigurationOptions method.

CVE-2018-20051

Mishandling of '>' on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via certain ONVIF methods such as CreateUsers, SetImagingSettings, GetStreamUri, and so on.

Security Affairs: A new Mac malware combines a backdoor and a crypto-miner

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application that supposedly helps with the piracy of various Adobe programs. In this case, attackers used a fake Adobe Zii application that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil,” reads the analysis published by Malwarebytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was built to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app. That app appears to be a working copy of Adobe Zii, most likely included so that the bundle looks like a harmless application.

The Python script checks for the presence of Little Snitch, a commonly used outbound firewall, and halts the infection process if it is present.

The script then opens a connection to an EmPyre backend that can send arbitrary commands to the compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. For persistence, the malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open by re-running exactly the same obfuscated Python script mentioned above.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 
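The persistence mechanism described above (a user launch agent that re-runs an obfuscated Python one-liner) is something a defender can hunt for directly. The script below is an added example, not Malwarebytes' or Security Affairs' code: it parses launch agent plists, flags the com.proxy.initialize label named in the write-up plus generic signs of an inline, encoded interpreter payload, and runs itself against constructed sample plists in a temporary directory. The heuristic markers, the sample plists and the benign label are assumptions, not indicators from the report.

```python
"""Hunt for suspicious macOS launch agents like the one DarthMiner drops.

Added example; not code from Malwarebytes or Security Affairs. The only
indicator taken from the write-up is the launch agent name
com.proxy.initialize.plist. Heuristics and sample plists are constructed.
"""
import os
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicator named in the write-up (label / plist file name).
KNOWN_BAD_LABELS = {"com.proxy.initialize"}

# Interpreters an inline, obfuscated payload is typically handed to (assumption).
INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "zsh", "osascript"}

# Markers commonly found in encoded / obfuscated one-liners (constructed heuristic).
OBFUSCATION_MARKERS = re.compile(
    r"base64|b64decode|exec\(|eval\(|zlib|decompress|\\x[0-9a-f]{2}", re.I)

# Standard per-user and system launch agent locations on macOS.
LAUNCH_AGENT_DIRS = [Path.home() / "Library" / "LaunchAgents",
                     Path("/Library/LaunchAgents")]


def assess_plist(data: dict, filename: str) -> List[str]:
    """Return a list of findings for one parsed launch agent plist."""
    findings = []
    label = str(data.get("Label", ""))
    stem = Path(filename).stem
    if label in KNOWN_BAD_LABELS or stem in KNOWN_BAD_LABELS:
        findings.append(f"label matches DarthMiner persistence name: {label or stem}")
    args = data.get("ProgramArguments") or []
    if isinstance(args, list) and args:
        prog = os.path.basename(str(args[0]))
        joined = " ".join(str(a) for a in args)
        # An interpreter given -c/-e runs code stored in the plist itself.
        if prog in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
            findings.append(f"{prog} runs an inline command stored in the plist")
        if OBFUSCATION_MARKERS.search(joined):
            findings.append("command line contains encoding/obfuscation markers")
    # Only worth reporting when something else already looked wrong.
    if findings and data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: relaunched automatically (persistence)")
    return findings


def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS) -> Dict[str, List[str]]:
    """Scan *.plist in the given directories; return {path: findings} for hits."""
    results = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for p in sorted(Path(d).glob("*.plist")):
            try:
                with open(p, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception as exc:  # an unparsable plist is itself worth a look
                results[str(p)] = [f"could not parse plist: {exc}"]
                continue
            findings = assess_plist(data, p.name)
            if findings:
                results[str(p)] = findings
    return results


# Constructed samples: one modelled on the behaviour described (obfuscated
# Python one-liner relaunched at every login), one ordinary updater agent.
SAMPLE_BAD = {
    "Label": "com.proxy.initialize",
    "ProgramArguments": ["/usr/bin/python", "-c",
                         "import base64;exec(base64.b64decode('<placeholder>'))"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
SAMPLE_BENIGN = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
}


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("com.proxy.initialize.plist", SAMPLE_BAD),
                           ("com.example.updater.plist", SAMPLE_BENIGN)):
            with open(Path(tmp) / name, "wb") as fh:
                plistlib.dump(data, fh)
        return {Path(k).name: v for k, v in scan_launch_agents([tmp]).items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run it without arguments to exercise the samples; call scan_launch_agents() to check the real launch agent directories on a Mac.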

The analysis of the code revealed another interesting feature: code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted ‘https’ traffic. However, that code was commented out, indicating it was not active,” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis.

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

The post A new Mac malware combines a backdoor and a crypto-miner appeared first on Security Affairs.



Scientists Identify Vast Underground Ecosystem Containing Billions of Micro-organisms

The Earth is far more alive than previously thought, according to "deep life" studies that reveal a rich ecosystem beneath our feet that is almost twice the size of that found in all the world's oceans. From a report: Despite extreme heat, no light, minuscule nutrition and intense pressure, scientists estimate this subterranean biosphere is teeming with between 15bn and 23bn tonnes of micro-organisms, hundreds of times the combined weight of every human on the planet. Researchers at the Deep Carbon Observatory say the diversity of underworld species bears comparison to the Amazon or the Galapagos Islands, but unlike those places the environment is still largely pristine because people have yet to probe most of the subsurface. "It's like finding a whole new reservoir of life on Earth," said Karen Lloyd, an associate professor at the University of Tennessee in Knoxville. "We are discovering new types of life all the time. So much of life is within the Earth rather than on top of it." The team combines 1,200 scientists from 52 countries in disciplines ranging from geology and microbiology to chemistry and physics. A year before the conclusion of their 10-year study, they will present an amalgamation of findings to date before the American Geophysical Union's annual meeting opens this week.

Read more of this story at Slashdot.

U.S. Stocks Bounce Back and Brexit Brakes: Market Wrap

U.S. stocks overcame a volatile morning to finish higher on Monday, though trade-related risks remained in focus following the arrest of a high-ranking Chinese technology executive. The U.K.’s Brexit process stalled on the eve of a critical parliamentary vote after Prime Minister Theresa May’s cabinet warned of a major backlash in the House of Commons. […]

The post U.S. Stocks Bounce Back and Brexit Brakes: Market Wrap appeared first on Hacked: Hacking Finance.

Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks

Security researchers discovered that several new malware strains are targeting known Cloudera Hadoop vulnerabilities.

The malware variants, including XBash and DemonBot, target Hadoop clusters that are connected to the internet and do not use Kerberos authentication, according to Cloudera. Clusters exposed this way are being abused for bitcoin mining and distributed denial-of-service (DDoS) attacks, which can significantly degrade performance within client environments.

These attacks succeed when a Cloudera Hadoop deployment is not properly configured and secured. For example, when Kerberos is not enabled cluster-wide, your Hadoop clusters become yet another possible attack vector.

The good news is that the attack techniques in question are not sophisticated and utilize known exploits, meaning organizations can protect themselves by taking the right precautions.

Protect Yourself With Strong Kerberos Authentication

Countering such attacks requires strong Kerberos authentication, so that every connection is tied to a verified identity and privileged users receive only the access they are entitled to. Without proper Kerberos authentication, any user can connect to Hadoop clusters, access the system and make bad choices.

To follow best practices, implement additional authentication steps to secure your Cloudera Hadoop clusters, including the following:

  • Secure default accounts and passwords.
  • Utilize Lightweight Directory Access Protocol (LDAP) authentication for Cloudera Manager.
  • Enable Sentry service using Kerberos.
  • Use a secure protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  • Secure default ports.

How do you know whether or not your environment is at risk to begin with? That’s where vulnerability scans come into play.

How to Identify if Your Cloudera Hadoop Clusters Are Affected

Vulnerability assessment solutions for Cloudera Hadoop can provide critical insight into your environment to help mitigate potential attacks. Advanced tools offer security checks and hardening rules to help customers secure their Hadoop clusters, provide rules to help identify Hadoop-specific vulnerabilities, and list detailed recommendations to fix and resolve the vulnerabilities.

To use vulnerability assessment tests to check whether a Cloudera authentication parameter is appropriately set to Kerberos — which is strongly recommended by Cloudera — an organization should take the following steps:

  1. Leverage a vulnerability assessment solution to run the following test: “Authentication method set to Kerberos.”
  2. If a cluster is properly configured, it will pass the test. Multiple systems can be connected to check for this test and get visibility into configuration statuses in minutes.
  3. After running the tests, organizations should attend to the clusters that did not pass. Note that such vulnerabilities can only be addressed with proper configuration, not by simply applying the latest security patches.
  4. Once the configurations have been updated and all nodes authenticate using Kerberos, the problem will be resolved.
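The "Authentication method set to Kerberos" test from steps 1 to 3 can be reproduced against the clusters' own configuration files. The script below is an added example rather than Cloudera's or the article's tooling: it parses the standard Hadoop XML property format (as used in core-site.xml), checks hadoop.security.authentication (Hadoop falls back to simple when it is unset), and audits several nodes at once. The two sample configurations and the node names are constructed; the property names are the real Hadoop ones.

```python
"""Reproduce the 'Authentication method set to Kerberos' check over Hadoop
configuration files.

Added example; not Cloudera's or the article's own tooling. Property names are
the real Hadoop ones; sample configs and node names are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

AUTH_KEY = "hadoop.security.authentication"   # "simple" (default) or "kerberos"
AUTHZ_KEY = "hadoop.security.authorization"   # "true" enables service-level ACLs
RPC_KEY = "hadoop.rpc.protection"             # authentication | integrity | privacy


@dataclass
class CheckResult:
    passed: bool                       # the Kerberos test itself
    findings: List[str] = field(default_factory=list)  # everything worth fixing


def parse_hadoop_config(xml_text: str) -> Dict[str, str]:
    """Turn <configuration><property><name/><value/></property>... into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_kerberos(props: Dict[str, str]) -> CheckResult:
    """Pass only when authentication is Kerberos; note related weak settings too."""
    findings = []
    auth = props.get(AUTH_KEY, "simple").lower()   # unset means 'simple'
    if auth != "kerberos":
        findings.append(f"{AUTH_KEY} is '{auth}': any caller can claim any identity")
    if props.get(AUTHZ_KEY, "false").lower() != "true":
        findings.append(f"{AUTHZ_KEY} is not 'true': service-level authorization is off")
    if props.get(RPC_KEY, "authentication").lower() == "authentication":
        findings.append(f"{RPC_KEY} leaves RPC payloads unencrypted (consider 'privacy')")
    return CheckResult(passed=(auth == "kerberos"), findings=findings)


def audit_nodes(node_configs: Dict[str, str]) -> Dict[str, CheckResult]:
    """Run the check for several nodes at once ({hostname: core-site.xml text})."""
    results = {}
    for host, xml_text in node_configs.items():
        try:
            results[host] = check_kerberos(parse_hadoop_config(xml_text))
        except ET.ParseError as exc:
            # A config we cannot read cannot be shown to be secure: report, don't skip.
            results[host] = CheckResult(False, [f"could not parse config: {exc}"])
    return results


# Constructed sample: the setting is simply absent, which is the common failure.
SAMPLE_WEAK = """
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://nn1.example.internal:8020</value>
  </property>
  <!-- hadoop.security.authentication not set, so Hadoop uses 'simple' -->
</configuration>
"""

# Constructed sample of the corrected configuration.
SAMPLE_HARDENED = """
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
</configuration>
"""


def demo() -> Dict[str, CheckResult]:
    """Audit two constructed nodes, one weak and one hardened."""
    return audit_nodes({"worker-01.example.internal": SAMPLE_WEAK,
                        "worker-02.example.internal": SAMPLE_HARDENED})


if __name__ == "__main__":
    for host, result in demo().items():
        print(host, "PASS" if result.passed else "FAIL")
        for f in result.findings:
            print("  -", f)
```

Nodes that report FAIL need their configuration corrected and services restarted; as the article notes, patching alone does not change this result.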

As these recent attacks illustrate, vulnerability assessment is a critical piece of any comprehensive data protection program. Last year alone, more than 2 billion records were exposed due to misconfigurations — a number that could have been drastically reduced if teams had been leveraging vulnerability scanning tools.

Source: Cloudera

The post Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks appeared first on Security Intelligence.

What is the Future of Office Spaces?

An anonymous reader shares a World Economic Forum report: A lot of us spend long stretches in the office, but outdated design could be damaging our wellbeing and mental health. What's more, it's killing our productivity. One study found that office workers spend more time sitting than pensioners, which increases the risk of cardiovascular disease, type II diabetes and even cancer. That's why forward-looking designers are finding ways to build spaces that heal rather than hurt us. Going beyond the already ubiquitous standing desks and social "breakout sofas," the office of the future is healthy, harmonious and happy. Here's how it's beginning to take shape.

Read more of this story at Slashdot.

A GOP Governor Has a Chance to Fix a Blue State’s Draconian Approach to Paroling Juvenile Offenders

In 1993, a 40-year-old man in Maryland who was serving a life sentence for a 1975 murder left prison on the state’s prerelease program. Correctional officers had described Rodney Stokes as a model prisoner who had demonstrated no inclination to reoffend. Stokes had been in the work-release program since 1988 and had worked for the Baltimore Department of Public Works as a laborer since 1989. But one day after leaving, he killed his former girlfriend and then himself.

The murder-suicide came on the heels of three other incidents in Maryland involving the prerelease of prisoners. The Willie Horton ad that derailed Democratic presidential candidate Michael Dukakis’s 1988 presidential campaign was also still fresh in the public’s mind. Horton was a convicted felon serving a life sentence in Massachusetts; while on a weekend furlough, he committed assault, armed robbery, and rape. He was captured and sentenced in Maryland, where he remains to this day.

In reaction to the Stokes incident, Maryland’s Democratic governor at the time, Parris Glendening, removed all lifers from the prerelease program and announced, in 1995, that he would approve no recommendations to parole lifers going forward. “A life sentence means life,” he declared. Maryland, along with California and Oklahoma, is one of just three states in which the governor’s signature is required in order to parole prisoners with life sentences; in the 25 years leading up to Glendening’s decision, three Maryland governors had paroled 181 prisoners with life sentences. The state courts upheld Glendening’s pronouncement in 1999, and it remains effectively in place today — even with respect to juvenile offenders, who in recent years have seen their life sentences revisited around the country.

There are an estimated 2,100 people in prison nationwide who were sentenced to life for crimes they committed when they were 17 or younger. But recently, some states have eliminated life without parole sentences for juveniles altogether. Others have devised alternative sentencing schemes to give juvenile offenders a “meaningful opportunity” for release. The changes were prompted by a bevy of scientific evidence about adolescent brain development and powerful U.S. Supreme Court decisions that have been issued in the past eight years.

Maryland, however, appears to be stuck in the tough-on-crime fervor of the 1990s. Not one juvenile lifer in Maryland has been paroled outright — released on a formal recommendation to the governor based on the prisoner’s good behavior and signs of rehabilitation — since 1995. There are currently more than 200 parole-eligible juveniles toiling away in the state’s prisons. That’s in large part, criminal justice reformers say, because of the governor’s role in the process, which they describe as highly politicized — and which leads to people being locked up forever.

Republican Gov. Larry Hogan was re-elected to a second term last month. He now has an opening to parole more individuals with life sentences, and then ultimately remove himself from the parole approval process altogether.

“Republicans are presumed to be about law and order, and it can be easier for law-and-order politicians to move on criminal justice reform or grant clemency,” said Jane Murphy, a University of Baltimore law professor. “There’s a lot of pressure on him, but it’s also politically easier for him to [grant parole]. We’re sort of hopeful now, because this is his second term and he’s term-limited. … If this is the end of the road for Hogan, he might be more courageous.”

Hogan’s approach to juvenile lifers is rooted in the Maryland Court of Appeals’s 1999 decision upholding Glendening’s decree. The court found that the rights of lifers were not violated by the governor’s blanket refusal to approve any recommendation from the Maryland Parole Commission.

From then on, Maryland’s governors would reject recommendations — typically without explanation — to parole lifers who had demonstrated good behavior. Sometimes recommendations to parole lifers would be left in limbo, sitting on the governor’s desk for years.

In 2011, advocates confronted the Maryland legislature with evidence that parole and commutation requests were pending indefinitely, and the General Assembly responded by modifying the statute, requiring the governor to act on a parole recommendation within six months. The governor at the time, Democrat Martin O’Malley, responded by swiftly rejecting all pending recommendations.

Criminal justice reformers have continued to press the legislature to take the governor out of the process, and to leave parole decisions up to the Parole Commission. Those efforts, however, have been routinely stymied by legislators who are fearful of being blamed for another Rodney Stokes or Willie Horton. “It’s hard for someone to say, ‘I’m going to undo this policy,’” said Sonia Kumar, a juvenile justice-focused attorney with the American Civil Liberties Union of Maryland. “They’ll say, ‘Well, one bad headline and my political career is in the toilet.’”

In 2017, the Maryland House of Delegates approved a bill that would have removed the governor from the decision-making process, leaving it up to the Parole Commission to make a final determination. “It is the Parole Commission that sits in front of these individuals who are serving life sentences, and can aptly gauge the person’s rehabilitation, remorse, and disposition, while conducting a thorough review of the relevant records and documents,” reads testimony in support of the bill from the University of Baltimore law school’s Juvenile Justice Project and the University of Maryland law school’s Gender Violence Clinic.

But Hogan fought the bill in the Senate and wrote on Facebook that he “strongly disagree[s] with giving this important responsibility to a nameless board with no accountability to voters and people of this state.” He described it as a partisan attempt to “radically change our state government” and deny Marylanders the “needed and appropriate oversight” they deserve. The bill ended up floundering in the Senate, due to some proposed amendments that advocates deemed unacceptable.

“I think the pushback came because [Hogan] views it as just a challenge to his authority,” said Walter Lomax, the executive director of the Maryland Restorative Justice Initiative. Lomax was released from prison in 2006, after serving 40 years for a murder he did not commit. “We try not to be adversarial when pushing for this legislation,” Lomax added. “We’ve just tried to present the hard facts as to why this policy should be changed.”

At a press conference on Feb. 1, 2018, organized in part by the American Civil Liberties Union of Maryland and legislators, Maryland Sen. Delores Kelley holds a page showing people still serving life terms, many of whom were juvenile offenders when they committed their crimes.

Photo: Jonathan Newton/The Washington Post via Getty Images

These political battles are especially urgent, criminal justice reform advocates say, because the process for parole and commutation is shrouded in secrecy.

Murphy, who directs the Juvenile Justice Project at the University of Baltimore law school, put it this way: “Our sources of information are occasional leaks from the Parole Commission, or if the ACLU can glean facts through a lawsuit discovery. We don’t know how many people have been commuted, and the only reason we have any information at all is because we push and [file requests under the Freedom of Information Act] and call and write letters and ask for favors, but the vast majority of people in the parole system are unrepresented and there’s no accountability at all.”

There’s “a recognition that secrecy does not tend to breed fair outcomes,” said Kumar of the ACLU. Unlike many other states, Maryland does not recognize a right to counsel in parole hearings, and there are no records of what happens during the proceedings. When the ACLU of Maryland filed a public records request in order to learn how many people had been recommended for clemency, the Parole Commission refused to even disclose that number, saying the information was protected by executive privilege.

The consequence of all this, advocates say, is a loss of hope for people who have spent decades in prison working to rehabilitate themselves, while being told that good behavior could one day lead to parole.

When Hogan ran for governor in 2014, he gave the impression that he would govern differently on this issue, promising to parole lifers who were recommended for release more quickly. And his record on approving parole requests has been slightly better than that of his Democratic predecessor, O’Malley, but that bar is so low that advocates see the situation as still fundamentally broken.

“In office, he’s dealt with it like [Republican Gov. Robert] Ehrlich dealt with it,” said Lomax, “where he’d commute a few sentences and then let people be paroled out that way.”

As of February, according to a letter sent to the state Senate by Hogan’s chief counsel and reviewed by The Intercept, the governor approved two out of nine parole requests during his first three years and granted seven commutations. By contrast, O’Malley, in his eight years in office, granted three commutations and authorized just two medical paroles, a form of release granted to prisoners who are terminally ill and need to move into hospice.

Amelia Chasse, a Hogan spokesperson, told The Intercept that the governor received one recommendation to parole a juvenile lifer, which he denied, but he commuted the sentence of another juvenile lifer, and has granted medical parole to three juvenile lifers. Chasse did not answer questions about whether the bases for the governor’s decisions are available for public review or available to the prisoners themselves.

The nationwide push to eliminate life sentences without parole for juvenile offenders came to a head in 2010, when the U.S. Supreme Court, in Graham v. Florida, struck down such sentences for non-homicide offenses. “The juvenile should not be deprived of the opportunity to achieve maturity of judgment and self-recognition of human worth and potential,” Justice Anthony Kennedy wrote in the majority opinion.

Two years later, in Miller v. Alabama, the Supreme Court held that life sentences without parole for juvenile offenders, even in cases of homicide, violated the Eighth Amendment, which prohibits cruel and unusual punishment. “Mandatory life without parole for a juvenile precludes consideration of his chronological age and its hallmark features — among them, immaturity, impetuosity, and failure to appreciate risks and consequences,” wrote Justice Elena Kagan in the majority opinion. In Miller, the court held that juvenile offenders, unless they were “irreparably corrupt,” were entitled to a “meaningful opportunity” for release from prison. Four years later, in Montgomery v. Louisiana, the Supreme Court held that Miller should be applied to juvenile offenders retroactively — giving juveniles who’d previously been sentenced to life without parole for killing someone a chance to reopen their cases.

In Maryland, attorneys and advocates argue that while juvenile offenders are technically eligible for parole, in reality they’re systematically denied it, given the politicized nature of the governor’s approval process.

“Graham was decided in 2010, and we have people who are still not getting anything close to a meaningful opportunity for release eight years later,” said Kumar of the ACLU of Maryland.

In February, Hogan issued an executive order that stipulated he would consider “the same factors and information assessed by the Maryland Parole Commission” when deciding whether to parole juvenile lifers, as well as “other lawful factors deemed relevant by the Governor.” Hogan said this was codifying what he already did but stressed that the order would not apply retroactively. In other words, he was not opening a chance to review past decisions.

Advocates blasted Hogan’s executive order as a political stunt. “He issued something he can change at any time, and there’s nothing enforceable about the order,” said Kumar. “As a practical matter, the order doesn’t alter the system in any way that shifts it from one of clemency to parole, which is the fundamental failing.”

The state’s highest court, however, disagrees. This past summer, in a 4-3 ruling, Maryland’s Court of Appeals held that state law provides a meaningful opportunity for release for juvenile offenders. The court cited Hogan’s executive order, finding that it “attempts to bridge the gap between unfettered discretion that the legislature has given to the governor with respect to parole of inmates serving life sentences and the requirements of the Eighth Amendment as to juvenile offenders.”

In a dissent, Chief Judge Mary Ellen Barbera said the majority opinion does not apply the U.S. Supreme Court’s rulings to Maryland’s situation in a “realistic manner.” She was unconvinced that Hogan’s executive order “cures the constitutional infirmity of Maryland’s current parole system,” she wrote.

While the August decision was a blow for criminal justice reformers, Kumar described it as a “mixed bag,” since it also brought about some positive new pressure. It was the first time the state’s highest court spoke to any of the questions that had grown out of the U.S. Supreme Court’s cases on youth serving life sentences.

In contrast, other states have taken real steps to respond to the decisions of the Supreme Court, including Pennsylvania, which has more juvenile lifers than any other state in the country. In 2017, in the case of Commonwealth v. Batts, the Pennsylvania Supreme Court set forth a series of protections to effectuate the constitutional decrees of Montgomery and Miller. As a result of these protections, explained Riya Saha Shah, an attorney at the Pennsylvania-based Juvenile Law Center, fewer people have received life without parole at resentencing hearings, and Pennsylvania has also been paroling out people who have served long prison sentences on good behavior. “Overall, the parole process offers a more meaningful opportunity for release than a state like Maryland, which effectively denies it,” she said.

The pressure on Hogan to take criminal justice reform more seriously is coming from a number of directions. A group of about 50 attorneys came together in 2017 to fight for protections for juvenile offenders. The Maryland Juvenile Lifer Parole Representation Project offers pro bono legal services to juvenile offenders languishing in jail. “Our goal is not only to provide individual representation, but to unleash these large firm lawyers on this system,” explained Murphy.

The state is also currently defending itself against a 2016 federal lawsuit, brought by the ACLU, that challenges the constitutionality of Maryland’s parole scheme for juveniles. The case remains pending.

There is also an economic argument for enacting reform. During the gubernatorial campaign, Hogan’s Democratic opponent, Ben Jealous, spent significant time talking about the amount of money wasted on mass incarceration that could be better spent elsewhere. In a 2015 report, the ACLU of Maryland found that the detention of more than 2,000 people with life sentences costs the state more than $70 million per year. By contrast, a recent report from the Justice Policy Institute estimated that it would cost about $6,000 per year to support the successful re-entry of prisoners into society. (The report focused on about 200 former Maryland prisoners who were freed on probation under a landmark 2012 decision and who were provided with substantial philanthropic support upon release. Less than 3 percent of them have reoffended, the Justice Policy Institute found, compared to a recidivism rate of 40 percent for the general prison population. Chasse, Hogan’s spokesperson, did not return a request for comment on the findings.)

While Maryland has taken some recent steps to tackle its prison system — notably, the Justice Reinvestment Act of 2016, which took effect last fall — the bulk of the new reforms have focused on low-level, nonviolent offenders.

“We’re not really going to take on mass incarceration,” said Kumar, “until we help people who made horrible mistakes with tragic outcomes and have turned their lives around.”

The post A GOP Governor Has a Chance to Fix a Blue State’s Draconian Approach to Paroling Juvenile Offenders appeared first on The Intercept.

CVE-2018-15800

Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the Bits Service storage.
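As an added example (not Bits Service code; the service's actual signing scheme is not given in the advisory), the early-exit comparison pattern that produces this kind of timing side channel, instrumented to count inspected characters instead of measuring time, beside a constant-time verifier that closes it. The HMAC-over-path-and-expiry message format, the hex encoding and the demo key are assumptions.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # constructed for the example, not a real key


def sign(key: bytes, path: str, expires: int) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the request path and its expiry."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def leaky_equal(expected: str, provided: str):
    """The flawed pattern: compare character by character and stop at the first
    mismatch. Returns (equal, chars_inspected) so the leak is visible without a
    stopwatch: work, and therefore response time, grows with the length of the
    correct prefix of the caller's guess, which is what a timing attack observes."""
    inspected = 0
    for e, p in zip(expected, provided):
        inspected += 1
        if e != p:
            return False, inspected
    return len(expected) == len(provided), inspected


def verify_leaky(key: bytes, path: str, expires: int, provided_sig: str) -> bool:
    """Vulnerable verifier built on the early-exit comparison."""
    return leaky_equal(sign(key, path, expires), provided_sig)[0]


def verify(key: bytes, path: str, expires: int, provided_sig: str, now: int) -> bool:
    """Hardened verifier: reject expired requests, then compare the full digest in
    constant time. Both sides are encoded to bytes so a non-ASCII submission cannot
    make compare_digest raise; a length mismatch only reveals the (public) length."""
    if now > expires:
        return False
    expected = sign(key, path, expires)
    return hmac.compare_digest(expected.encode(), provided_sig.encode())
```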

CVE-2018-15805

Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption).
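As an added example (not PrizmDoc code), a DTD gate that refuses any document declaring a DOCTYPE before a tree is built, which removes both outcomes the advisory names: external entities (file read) and entity expansion (resource consumption). It uses expat's own encoding detection as a first pass; the byte-regex gate beside it shows why a naive filter is not enough. Sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed samples: the external-entity payload shape (no file is ever read,
# because parsing stops at the DOCTYPE), the same payload re-encoded as UTF-16,
# and a benign document with no DTD.
XXE_SAMPLE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>\n'
              b'<doc>&ext;</doc>')
XXE_SAMPLE_UTF16 = XXE_SAMPLE.decode("utf-8").encode("utf-16")
BENIGN_SAMPLE = b'<?xml version="1.0"?><doc><page n="1">hello</page></doc>'


class DTDRejected(ValueError):
    """Raised when a document carries a DOCTYPE/entity declaration."""


def naive_has_dtd(data: bytes) -> bool:
    """Weak check: a byte regex only sees ASCII-compatible encodings, so a UTF-16
    document (interleaved NUL bytes) slips past it."""
    return re.search(rb"<!(DOCTYPE|ENTITY)\b", data, re.IGNORECASE) is not None


def assert_no_dtd(data: bytes) -> None:
    """Encoding-aware gate: let expat tokenize the prolog (it detects UTF-16 from
    the BOM itself) and abort at the first DOCTYPE, before any entity is defined."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDRejected(f"DTD declared for <{name}>; internal subset={bool(has_internal_subset)}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def safe_parse(data: bytes) -> ET.Element:
    """Parse only after the gate passes; DTD-less documents are built as usual."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def accepts(data: bytes) -> bool:
    """True if safe_parse yields a tree, False if the DTD gate rejected it."""
    try:
        safe_parse(data)
        return True
    except DTDRejected:
        return False
```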

CVE-2018-1279

Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster, can use this cookie to gain full control over the entire cluster.