October 30, 2019

Uber sues LA in bid to protect scooter riders’ geolocation data

By Lisa Vaas

Los Angeles wants to know exactly when you hop on an Uber scooter or bike, when you hop off, and where you go, promising that such location data is “respectful of user privacy” because it’s not asking for personally identifiable information (PII) about users – well, at least not directly.

Uber’s response: Nope. Geolocation data is clearly PII, and LA’s requirements that companies like Uber and Lyft share scooter-sharing data could compromise user privacy, as well as the companies’ own trade secrets.

Uber, better known for its ride-hailing car service, on Monday filed a lawsuit after months of refusing to give the LA Department of Transportation (LADOT) what the city’s after, CNET reports.

The publication quoted an Uber spokesperson:

Independent privacy experts have clearly and repeatedly asserted that a customer’s geolocation is personally identifiable information, and – consistent with a recent legal opinion by the California legislative counsel – we believe that LADOT’s requirements to share sensitive on-trip data compromises our customers’ expectations of data privacy and security.

Therefore, we had no choice but to pursue a legal challenge, and we sincerely hope to arrive at a solution that allows us to provide reasonable data and work constructively with the City of Los Angeles while protecting the privacy of our riders.

Like other cities, LA is wrestling with a newly chaotic traffic situation, with Uber and Lyft drivers whizzing around, picking up, dropping off or waiting for fares, as city buses, bicyclists and scooter riders – some using rent-by-the-hour bikes and scooters – jostle for space.

Those ubiquitous dockless e-scooters and bikes often wind up randomly scattered or piled up in heaps on city sidewalks. Some cities have gone so far as to ban them.

Read more at https://nakedsecurity.sophos.com/2019/10/30/uber-sues-la-in-bid-to-protect-scooter-riders-geolocation-data/

Gradient “celebrity matching” photo app sparks privacy fears

By Paul Ducklin

If you’ve been following trendy news sites over the past week, you’ve probably heard of a new – or at least a newly popular – app called Gradient.

Gradient pitches itself as “the next big thing in the world of mobile photo editing”, heavily promoting a new feature that supposedly lets you:

Find what famous person do [sic] you look like with our brand-new AI feature! Our precise technology powered by artificial intelligence will amaze you with an accurate result. Don’t forget to share it with your friends as a post or a story!

Despite the “photo editor” category being a crowded field on both Google Play and Apple’s App Store, the company that produces the app, Ticket to the Moon, Inc. (TttM), has hit the publicity jackpot in the last few days, splashing out on celebrity advertising on social media sites such as Instagram.

Apparently, three of the Kardashian sisters have recently posted paid endorsements for Gradient’s You Look Like… feature, with Kourtney claiming the app matched her to Audrey Hepburn, Kim looking like Elizabeth Taylor, and Khloe coming up as the doppelgänger of the late Anna Nicole Smith.

Read more at https://nakedsecurity.sophos.com/2019/10/29/gradient-celebrity-matching-photo-app-sparks-privacy-fears/

PHP team fixes nasty site-owning remote execution bug

By Danny Bradbury

The PHP development team has fixed a bug that could allow remote code execution in some setups of the programming language, possibly allowing attackers to remotely take over any site running the code.

PHP is a common programming language used to run dynamic websites. It operates everything from online forums to ecommerce systems. The bug, found in version 7 of PHP, only affects instances running the PHP FastCGI Process Manager (PHP-FPM), which is an alternative implementation of a standard PHP module called FastCGI. It lets an interpreter outside the web server execute scripts. The process manager version includes some extra features to support high-volume websites.

For the bug to work, the website must also be running the Nginx web server, which runs on around one in every three websites, according to W3techs.

When calling a script, the PHP language failed to check that its path was correct. The researcher used this to manipulate a variable within PHP that developers use to configure it. The researcher explained:

Using this technique, I was able to create a fake PHP_VALUE fcgi variable and then use a chain of carefully chosen config values to get code execution.

The team acknowledged the bug and began working on a patch, publishing an untested one on 6 October on its own forum so that its developers could test it. They also collaborated with the researcher to help prepare the patch for testing.

Read more at https://nakedsecurity.sophos.com/2019/10/29/php-team-fixes-nasty-site-owning-remote-execution-bug/
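A defender-side check for the Nginx plus PHP-FPM setup described above, as an added example that is not from the article or the PHP project: it flags `location` blocks that forward a split script path to PHP-FPM with no file-existence check in front of it. The sample config is constructed, and treating `try_files ... =404` or `if (!-f ...)` as the guard is an assumption based on common Nginx PHP configurations, not something the article states.

```python
import re

# Constructed sample (not from the article): three PHP-FPM locations.
SAMPLE_CONF = r"""
server {
    location ~ ^/app/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ ^/site/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ ^/api/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

# Assumed guards: a 404 fallback in try_files, or an explicit "not a file" test.
EXISTENCE_CHECK = re.compile(r"\btry_files\b[^;]*=404|\bif\s*\(\s*!\s*-f\b")

def location_blocks(conf):
    """Yield (header, body) per location block, following nested braces."""
    for m in re.finditer(r"^\s*location\s+([^{]+)\{", conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Return headers of locations that hand a split path to PHP-FPM unchecked."""
    conf = re.sub(r"#.*", "", conf)  # drop comments so disabled guards don't count
    findings = []
    for header, body in location_blocks(conf):
        forwards = "fastcgi_pass" in body
        splits = "fastcgi_split_path_info" in body
        if forwards and splits and not EXISTENCE_CHECK.search(body):
            findings.append(header)
    return findings

if __name__ == "__main__":
    # include'd snippet files are not resolved; audit those files as well
    for header in audit(SAMPLE_CONF):
        print("no file-existence check before PHP-FPM:", header)
```

A clean result from this check does not replace installing the PHP update the article describes.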

