America's census bureau looked at how many people relocated into each state from another state, compared to the total number of people making a move in that state. The state with the lowest "inmigration" ratio? California.

From 2021 through 2022, "California's inmigration rate was 11.1% last year..." reports SFGate. "For comparison, nearby Oregon had a inmigration rate of 21%."

But the census bureau cautions that California — America's most populous state — "also had a relatively large base of movers overall" — over 4 million — which could help explain its low ratio in several statistics. SFGate reports: California's outmigration rate — defined as the "number of people moving out of a state as a share of that state's total number of movers" — was also below the national migration average. Texas had the country's lowest outmigration rate, at 11.7%, according to the Census Bureau's analysis.
California and Texas are America's two most populous states. (The total population of California is 39 million — roughly 11.7% of America's population — while Texas has another 30 million. Oregon's population is just 4,240,137.) Interestingly, most people moving to California arrived from... Texas. (44,279). At the same time, 102,422 people moved from California to Texas, with another 74,157 moving from California to Arizona.

New York state also lost 91,201 people to Florida, and another 75,103 people to New Jersey. The second-highest number of people (31,225) who moved from a different state to California came from New York...

According to the San Francisco Chronicle, California saw a net loss of 340,000 residents between 2021 and 2022, with most of the people who left heading to Florida or Arizona.

"Three out of four of the world's most popular websites are failing to meet minimum requirement standards" for password security, reports Georgia Tech's College of Computing. Which means three out of four of the world's most popular web sites are "allowing tens of millions of users to create weak passwords."

Using a first-of-its-kind automated tool that can assess a website's password creation policies, researchers also discovered that 12% of websites completely lacked password length requirements. Assistant Professor Frank Li and Ph.D. student Suood Al Roomi in Georgia Tech's School of Cybersecurity and Privacy created the automated assessment tool to explore all sites in the Google Chrome User Experience Report (CrUX), a database of one million websites and pages.

Li and Al Roomi's method of inferring password policies succeeded on over 20,000 sites in the database and showed that many sites:

- Permit very short passwords
- Do not block common passwords
- Use outdated requirements like complex characters

The researchers also discovered that only a few sites fully follow standard guidelines, while most stick to outdated guidelines from 2004... More than half of the websites in the study accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. Around 12% of had no length requirements, and 30% did not support spaces or special characters. Only 28% of the websites studied enforced a password block list, which means thousands of sites are vulnerable to cyber criminals who might try to use common passwords to break into a user's account, also known as a password spraying attack.
Georgia Tech describes the new research as "the largest study of its kind." ("The project was 135 times larger than previous works that relied on manual methods and smaller sample sizes.")

"As a security community, we've identified and developed various solutions and best practices for improving internet and web security," said assistant professor Li. "It's crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality."

The Slashdot community has already noticed the problem, judging by a recent post from eggegick. "Every site I visit has its own idea of the minimum and maximum number of characters, the number of digits, the number of upper/lowercase characters, the number of punctuation characters allowed and even what punctuation characters are allowed and which are not." The limit of password size really torques me, as that suggests they are storing the password (they need to limit storage size), rather than its hash value (fixed size), which is a real security blunder. Also, the stupid dots drive me bonkers, especially when there is no "unhide" button. For crying out loud, nobody is looking over my shoulder! Make the "unhide" default.
"The 'dots' are bad security," agrees long-time Slashdot reader Spazmania. "If you're going to obscure the password you should also obscure the length of the password." But in their comment on the original submission, they also point out that there is a standard for passwords, from the National Institute of Standards and Technology: Briefly:

* Minimum 8 characters
* Must allow at least 64 characters.
* No constraints on what printing characters can be used (including high unicode)
* No requirements on what characters must be used or in what order or proportion

This is expected to be paired with a system which does some additional and critical things:

* Maintain a database of known compromised passwords (e.g. from public password dictionaries) and reject any passwords found in the database.
* Pair the password with a second authentication factor such as a security token or cell phone sms. Require both to log in.
* Limit the number of passwords which can be attempted per time period. At one attempt per second, even the smallest password dictionaries would take hundreds of years to try...

Someone attempting to brute force a password from outside on a rate-limited system is limited to the rate, regardless of how computing power advances. If the system enforces a rate limit of 1 try per second, the time to crack an 8-character password containing only lower case letters is still more than 6,000 years.

Long-time Slashdot reader destinyland writes: The Linux Foundation recently funded a new "security developer in residence" position for Python. (It's funded through the Linux Foundation's own "Open Software Security foundation", which has a stated mission of partnering with open source project maintainers "to systematically find new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed to improve global software supply chain security.") The position went to the lead maintainer for the HTTP client library urllib3, the most downloaded package on the Python Package Index with over 10 billion downloads. But he hopes to create a ripple effect by demonstrating the impact of security investments in critical communities — ultimately instigating a wave of improvements to all software supply chains. (And he's also documenting everything for easy replication by other communities...)

So far he's improved the security of Python's release processes with signature audits and security-hardening automation. But he also learned that CVE numbers were being assigned to newly-discovered vulnerabilities by the National Cyber Security Division of the America's Department of Homeland Security — often without talking to anyone at the Python project. So by August he'd gotten the Python Software Foundation authorized as a CVE Numbering Authority, which should lead to more detailed advisories (including remediation information), now reviewed and approved by Python's security response teams.

"The Python Software wants to help other Open Source organizations, and will be sharing lessons learned," he writes in a blog post. And he now says he's already been communicating with the Curl program about his experiences to help them take the same step, and even authored a guide to the process for other open source projects.

FFmpeg 6.1's codename is a tribute to the great 19th century mathematician Oliver Heaviside. This version includes support for multi-threaded hardware-accelerated video decoding of H.264, HEVC, and AV1 video using the cross-platform Vulkan API, the next-gen replacement for OpenGL, which was added to the codebase in May. The Register adds: The pace of development of FFmpeg has been speeding up slightly in recent years, given that it took 13 years to get to version 2.0. We can't help but wonder if that's connected with the departure of the former project lead in 2015. The developers are planning to release version 7.0 in about February next year. Even so, the "Heaviside" release, which has been refactored to support even more formats and introduce new methods for faster performance or reduced processor utilization, is smaller than previous releases.

Chinese health authorities have provided the requested data on an increase in respiratory illnesses and reported clusters of pneumonia in children, and have not detected any unusual or novel pathogens, the World Health Organization (WHO) said. From a report: The WHO had asked China for more information on Wednesday after groups including the Program for Monitoring Emerging Diseases reported clusters of undiagnosed pneumonia in children in north China. As per the rule, China responded to the WHO within 24 hours. The WHO had sought epidemiologic and clinical information as well as laboratory results through the International Health Regulations mechanism.

Epidemiologists have warned that as, China heads into its first winter since the lifting of zero-Covid restrictions, natural levels of immunity to respiratory viruses may be lower than normal, leading to an increase in infections. Several countries, including the US and the UK, experienced large waves of respiratory viral infections in the first winter after Covid restrictions were lifted as people had lower natural levels of immunity. For young children, lockdowns delayed the age at which they were first exposed to common bugs.

Ubisoft is blaming an unspecified "technical error" for a fullscreen pop-up ad that appeared in Assassin's Creed Odyssey this week. From a report: Reddit users say they spotted the pop-up on Xbox and PlayStation versions of the game, with an ad appearing just when you navigate to the map screen. "This is disgusting to experience while playing," remarked one Reddit user, summarizing the general feeling against such pop-ups in the middle of gameplay. "We have been made aware that some players encountered pop-up ads while playing certain Assassin's Creed titles yesterday," says Ubisoft spokesperson Fabien Darrigues, in a statement to The Verge. "This was the result of a technical error that we addressed as soon as we learned of the issue."

Some Pixel 8 Pro owners have noticed circular bumps in several places on the screen that look to be the result of something pressing up against the underside, which is soft and fragile, of the 6.7-inch OLED panel. From a report: A statement from the company today acknowledges how "some users may see impressions from components in the device that look like small bumps" in specific conditions. Google says there is "no functional impact to Pixel 8 performance or durability," which does line up with all current reports.

The British Library has confirmed that personal data stolen in a cyber-attack has appeared online, apparently for sale to the highest bidder. From a report: The attack was carried out in October by a group known for such criminal activity, said the UK's national library, which holds about 14m books and millions of other items. This week, Rhysida, a known ransomware group, claimed it was responsible for the attack. It posted low-resolution images of personal information online, offering stolen data for sale with a starting bid of 20 bitcoins (about $750,000). Rhysida said the data was "exclusive, unique and impressive" and that it would be sold to a single buyer. It set a deadline for bids of 27 November.

The images appear to show employment contracts and passport information. The library said it was "aware that some data has been leaked, which appears to be from files relating to our internal HR information." It did not confirm that Rhysida was responsible for the attack, nor that the data offered for sale was information on personnel. Academics and researchers who use the library have been told that disruption to the institution's services after the serious ransomware attack was likely to continue for months. This week, the library advised its users to change any logins also used on other sites as a precaution.

An anonymous reader quotes a report from Ars Technica: Miscreants are actively exploiting two new zero-day vulnerabilities to wrangle routers and video recorders into a hostile botnet used in distributed denial-of-service attacks, researchers from networking firm Akamai said Thursday. Both of the vulnerabilities, which were previously unknown to their manufacturers and to the security research community at large, allow for the remote execution of malicious code when the affected devices use default administrative credentials, according to an Akamai post. Unknown attackers have been exploiting the zero-days to compromise the devices so they can be infected with Mirai, a potent piece of open source software that makes routers, cameras, and other types of Internet of Things devices part of a botnet that's capable of waging DDoSes of previously unimaginable sizes.

Akamai researchers said one of the zero-days under attack resides in one or more models of network video recorders. The other zero-day resides in an "outlet-based wireless LAN router built for hotels and residential applications." The router is sold by a Japan-based manufacturer, which "produces multiple switches and routers." The router feature being exploited is "a very common one," and the researchers can't rule out the possibility it's being exploited in multiple router models sold by the manufacturer. Akamai said it has reported the vulnerabilities to both manufacturers, and that one of them has provided assurances security patches will be released next month. Akamai said it wasn't identifying the specific devices or the manufacturers until fixes are in place to prevent the zero-days from being more widely exploited.

The Akamai post provides a host of file hashes and IP and domain addresses being used in the attacks. Owners of network video cameras and routers can use this information to see if devices on their networks have been targeted. [...] In an email, Akamai researcher Larry Cashdollar wrote: "The devices don't typically allow code execution through the management interface. This is why getting RCE through command injection is needed. Because the attacker needs to authenticate first they have to know some login credentials that will work. If the devices are using easy guessable logins like admin:password or admin:password1 those could be at risk too if someone expands the list of credentials to try." He said that both manufacturers have been notified, but only one of them has so far committed to releasing a patch, which is expected next month. The status of a fix from the second manufacturer is currently unknown. Cashdollar said an incomplete Internet scan showed there are at least 7,000 vulnerable devices. The actual number of affected devices may be higher.

Australia will give cyber health checks for small businesses, increase cyber law enforcement funding and introduce mandatory reporting of ransomware attacks under a security overhaul announced on Wednesday after a spate of attacks. From a report: The federal government said it will also subject telecommunications firms to tougher cyber reporting rules which apply to critical infrastructure, seek migrants to build up the cyber security workforce and set limits on inter-agency data sharing to encourage people to report incidents. The A$587 million ($382 million) plan shows the centre-left Labor government trying to get on the front foot after a year in which nearly half the country's 26 million population had personal information stolen in just two data breaches at companies, while a cyber attack at its biggest port operator this month brought supply chains to a standstill.

Microsoft's Windows Hello fingerprint authentication has been bypassed on laptops from Dell, Lenovo, and even Microsoft. From a report: Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the top three fingerprint sensors that are embedded into laptops and used widely by businesses to secure laptops with Windows Hello fingerprint authentication. Microsoft's Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft's BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack. Such an attack could provide access to a stolen laptop, or even an "evil maid" attack on an unattended device. A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to fingerprint reader attacks, allowing the researchers to bypass the Windows Hello protection as long as someone was previously using fingerprint authentication on a device. Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.

An anonymous reader quotes a report from Ars Technica: A group of Russian-state hackers known for almost exclusively targeting Ukranian entities has branched out in recent months either accidentally or purposely by allowing USB-based espionage malware to infect a variety of organizations in other countries. The group -- known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm -- has been active since at least 2014 and has been attributed to Russia's Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn't care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.

One of those tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command and control servers. "Gamaredon continues to focus on [a] wide variety [of] Ukrainian targets, but due to the nature of the USB worm, we see indications of possible infection in various countries like USA, Vietnam, Chile, Poland and Germany," Check Point researchers reported recently. "In addition, we've observed evidence of infections in Hong Kong. All this might indicate that much like other USB worms, LitterDrifter [has] spread beyond its intended targets."

The image [here], tracking submissions of LitterDrifter to the Alphabet-owned VirusTotal service, indicates that the Gamaredon malware may be infecting targets well outside the borders of Ukraine. VirusTotal submissions usually come from people or organizations that encounter unfamiliar or suspicious-looking software on their networks and want to know if it's malicious. The data suggests that the number of infections in the US, Vietnam, Chile, Poland, and Germany combined may be roughly half of those hitting organizations inside Ukraine.

Connor Jones reports via The Register: The government of Canada has confirmed its data was accessed after two of its third-party service providers were attacked. The third parties both provided relocation services for public sector workers and the government is currently analyzing a "significant volume of data" which could date back to 1999. No formal conclusions have yet been made about the number of workers impacted due to the large-scale task of analyzing the relevant data. However, the servers impacted by the breach held data related to current and former Canadian government staff, members of the Canadian armed forces, and Royal Canadian Mounted Police workers -- aka Mounties.

"At this time, given the significant volume of data being assessed, we cannot yet identify specific individuals impacted; however, preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies," a government statement read. Those who think they may be affected are advised to update any login details that may be similar to those used to access BGRS or Sirva's systems. Enabling MFA across all accounts that are used for online transactions is also advised, as is the manual monitoring of personal accounts for any potential malicious activity. Work is currently being carried out to identify and address any vulnerabilities that may have led to the incident, according to the statement.

Using fake names, sham LinkedIn profiles, counterfeit work papers and mock interview scripts, North Korean IT workers seeking employment in Western tech companies are deploying sophisticated subterfuge to get hired. From a report: Landing a job outside North Korea to secretly earn hard currency for the isolated country demands highly-developed strategies to convince Western hiring managers, according to documents reviewed by Reuters, an interview with a former North Korean IT worker and cybersecurity researchers. North Korea has dispatched thousands of IT workers overseas, an effort that has accelerated in the last four years, to bring in millions to finance Pyongyang's nuclear missile programme, according to the United States, South Korea, and the United Nations.

"People are free to express ideas and opinions," reads one interview script used by North Korean software developers that offers suggestions for how to describe a "good corporate culture" when asked. Expressing one's thoughts freely could be met with imprisonment in North Korea. The scripts totalling 30 pages, were unearthed by researchers at Palo Alto Networks, a U.S. cybersecurity firm which discovered a cache of internal documents online that detail the workings of North Korea's remote IT workforce. The documents contain dozens of fraudulent resumes, online profiles, interview notes, and forged identities that North Korean workers used to apply for jobs in software development.

Sunbird, the app that brings iMessage to Android, has temporarily shut down the service over "security concerns." From a report: In a notice to users, Sunbird says it has "decided to pause Sunbird usage for now" while it investigates reports that its messages aren't actually end-to-end encrypted. Sunbird launched in 2022 as a messaging app that attempts to put the blue versus green bubble battle to rest. It has only been available to those who sign up for its waitlist, touting numerous privacy features, like end-to-end encryption, no message data collection, and no ads.

Last week, Sunbird partnered with Nothing, the phone brand owned by OnePlus co-founder Carl Pei, on the launch of Nothing Chats. The Sunbird-powered messaging service is supposed to let owners of the Phone 2 send texts via iMessage, but it was pulled from the Google Play Store just one day after its launch. At the time, Nothing said it had to fix "several bugs" within the app. However, its removal from the Play Store came around the same time a post from Texts.blog revealed that messages sent via Sunbird may not be end-to-end encrypted.

An anonymous reader shares a report: Firefox users across the internet say that they are encountering an "artificial" five-second load time when they try to watch YouTube videos that exists on Firefox, but not Chrome. Google, meanwhile, told 404 Media that this is all part of its larger effort against ad blockers, and that it doesn't have anything to do with Firefox at all. [...] Mozilla, which makes Firefox, told 404 Media that it does not believe this is a Firefox-specific issue. Enough people have posted about it, however, that it is clearly happening for some users and not others.

In a statement to 404 Media, Google did not provide specifics but also did not deny implementing an artificial wait time. "To support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube, we've launched an effort to urge viewers with ad blockers enabled to allow ads on YouTube or try YouTube Premium for an ad free experience, the spokesperson said. "Users who have ad blockers installed may experience suboptimal viewing, regardless of the browser they are using."

Last week, Android smartphone manufacturer "Nothing" announced that it's bringing iMessage to its newest phone through a new "Nothing Chats" app powered by the messaging platform Sunbird. After launching Friday, the app was shut down within 24 hours and the Sunbird app, which Nothing Chat is a clone of, was put "on pause." The reason? It's a security nightmare. Ars Technica reports: The initial sales pitch for this app -- that it would log you into iMessage on Android if you handed over your Apple username and password -- was a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as you could possibly be. Here's Nothing's statement: "We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users."

How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages. [...]

Despite being the cause of this huge catastrophe, Sunbird has been bizarrely quiet during this whole mess. The app's X (formerly Twitter) page still doesn't say anything about the shutdown of Nothing Chats or Sunbird. Maybe that's for the best because some of Sunbird's early responses to the security concerns raised on Friday do not seem like they came from a competent developer. [...] Nothing has always seemed like an Android manufacturer that was more hype than substance, but we can now add "negligent" to that list. The company latched on to Sunbird, reskinned its app, created a promo website and YouTube video, and coordinated a media release with popular YouTubers, all without doing the slightest bit of due diligence on Sunbird's apps or its security claims. It's unbelievable that these two companies made it this far -- the launch of Nothing Chats required a systemic security failure across two entire companies.

An anonymous reader quotes a report from Motherboard: Commercial air crews are reporting something "unthinkable" in the skies above the Middle East: novel "spoofing" attacks have caused navigation systems to fail in dozens of incidents since September. In late September, multiple commercial flights near Iran went astray after navigation systems went blind. The planes first received spoofed GPS signals, meaning signals designed to fool planes' systems into thinking they are flying miles away from their real location. One of the aircraft almost flew into Iranian airspace without permission. Since then, air crews discussing the problem online have said it's only gotten worse, and experts are racing to establish who is behind it.

OPSGROUP, an international group of pilots and flight technicians, sounded the alarm about the incidents in September and began to collect data to share with its members and the public. According to OPSGROUP, multiple commercial aircraft in the Middle Eastern region have lost the ability to navigate after receiving spoofed navigation signals for months. And it's not just GPS -- fallback navigation systems are also corrupted, resulting in total failure. According to OPSGROUP, the activity is centered in three regions: Baghdad, Cairo, and Tel Aviv. The group has tracked more than 50 incidents in the last five weeks, the group said in a November update, and identified three new and distinct kinds of navigation spoofing incidents, with two arising since the initial reports in September.

While GPS spoofing is not new, the specific vector of these new attacks was previously "unthinkable," according to OPSGROUP, which described them as exposing a "fundamental flaw in avionics design." The spoofing corrupts the Inertial Reference System, a piece of equipment often described as the "brain" of an aircraft that uses gyroscopes, accelerometers, and other tech to help planes navigate. One expert Motherboard spoke to said this was "highly significant." "This immediately sounds unthinkable," OPSGROUP said in its public post about the incidents. "The IRS (Inertial Reference System) should be a standalone system, unable to be spoofed. The idea that we could lose all on-board nav capability, and have to ask [air traffic control] for our position and request a heading, makes little sense at first glance" especially for state of the art aircraft with the latest avionics. However, multiple reports confirm that this has happened." [...] There is currently no solution to this problem, with its potentially disastrous effects and unclear cause. According to OPSGROUP's November update, "The industry has been slow to come to terms with the issue, leaving flight crews alone to find ways of detecting and mitigating GPS spoofing." If air crews do realize that something is amiss, Humphreys said, their only recourse is to depend on air traffic control.

This week the Microsoft Security Response Center celebrated the 20th anniversary of Patch Tuesday updates.

In a blog post they call the updates "an initiative that has become a cornerstone of the IT world's approach to cybersecurity." Originating from the Trustworthy Computing memo by Bill Gates in 2002, our unwavering commitment to protecting customers continues to this day and is reflected in Microsoft's Secure Future Initiative announced this month. Each month, we deliver security updates on the second Tuesday, underscoring our pledge to cyber defense. As we commemorate this milestone, it's worth exploring the inception of Patch Tuesday and its evolution through the years, demonstrating our adaptability to new technology and emerging cyber threats...

Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner. Senior leaders of the Microsoft Security Response Center (MSRC) at the time spearheaded the idea of a predictable schedule for patch releases, shifting from a "ship when ready" model to a regular weekly, and eventually, monthly cadence...

This led to a shift from a "ship when ready" model to a regular weekly, and eventually, monthly cadence. In addition to consolidating patch releases into a monthly schedule, we also organized the security update release notes into a consolidated location. Prior to this change, customers had to navigate through various Knowledge Base articles, making it difficult to find the information they needed to secure themselves. Recognizing the need for clarity and convenience, we provided a comprehensive overview of monthly releases. This change was pivotal at a time when not all updates were delivered through Windows Update, and customers needed a reliable source to find essential updates for various products.

Patch Tuesday has also influenced other vendors in the software and hardware spaces, leading to a broader industry-wide practice of synchronized security updates. This collaborative approach, especially with hardware vendors such as AMD and Intel, aims to provide a united front against vulnerabilities, enhancing the overall security posture of our ecosystems. While the volume and complexity of updates have increased, so has the collaboration with the security community. Patch Tuesday has fostered better relationships with security researchers, leading to more responsible vulnerability disclosures and quicker responses to emerging threats...

As the landscape of security threats evolves, so does our strategy, but our core mission of safeguarding our customers remains unchanged.

An anonymous reader quotes a report from The Intercept: A joint project of Human Rights Watch and New York University to document human rights abuses in the Democratic Republic of the Congo has been taken offline after exposing the identities of thousands of vulnerable people, including survivors of mass killings and sexual assaults. The Kivu Security Tracker is a "data-centric crisis map" of atrocities in eastern Congo that has been used by policymakers, academics, journalists, and activists to "better understand trends, causes of insecurity and serious violations of international human rights and humanitarian law," according to the deactivated site. This includes massacres, murders, rapes, and violence against activists and medical personnel by state security forces and armed groups, the site said. But the KST's lax security protocols appear to have accidentally doxxed up to 8,000 people, including activists, sexual assault survivors, United Nations staff, Congolese government officials, local journalists, and victims of attacks, an Intercept analysis found. Hundreds of documents -- including 165 spreadsheets -- that were on a public server contained the names, locations, phone numbers, and organizational affiliations of those sources, as well as sensitive information about some 17,000 "security incidents," such as mass killings, torture, and attacks on peaceful protesters.

The data was available via KST's main website, and anyone with an internet connection could access it. The information appears to have been publicly available on the internet for more than four years. [...] The spreadsheets, along with the main KST website, were taken offline on October 28, after investigative journalist Robert Flummerfelt, one of the authors of this story, discovered the leak and informed Human Rights Watch and New York University's Center on International Cooperation. HRW subsequently assembled what one source close to the project described as a "crisis team." Last week, HRW and NYU's Congo Research Group, the entity within the Center on International Cooperation that maintains the KST website, issued a statement that announced the takedown and referred in vague terms to "a security vulnerability in its database," adding, "Our organizations are reviewing the security and privacy of our data and website, including how we gather and store information and our research methodology." The statement made no mention of publicly exposing the identities of sources who provided information on a confidential basis. [...] The Intercept has not found any instances of individuals affected by the security failures, but it's currently unknown if any of the thousands of people involved were harmed. "We deeply regret the security vulnerability in the KST database and share concerns about the wider security implications," Human Rights Watch's chief communications officer, Mei Fong, told The Intercept. Fong said in an email that the organization is "treating the data vulnerability in the KST database, and concerns around research methodology on the KST project, with the utmost seriousness." Fong added, "Human Rights Watch did not set up or manage the KST website. We are working with our partners to support an investigation to establish how many people -- other than the limited number we are so far aware of -- may have accessed the KST data, what risks this may pose to others, and next steps. The security and confidentiality of those affected is our primary concern."