Windows 10 S (for Surface) and Cortana force you to use Edge and Bing, and Windows Mail forces links to open in Edge

Windows 10 S, Microsoft’s new locked-down operating system that comes bundled with the Surface Laptop, won’t allow you to change the default Web browser away from Microsoft’s own Edge. Furthermore, Edge’s default search provider can’t be altered: Bing is all you get.

Curiously you can download other browsers from the Windows Store, such as Opera Mini, but Windows 10 S won’t let you set it as the default browser: if you try to open an HTML file, or click a link in another app, it will always open in Edge, according to Microsoft’s official FAQ on the topic.

The FAQ uses very direct language: “Microsoft Edge is the default web browser on Microsoft 10 S. The default search provider in Microsoft Edge and Internet Explorer cannot be changed.” It isn’t clear if OEMs will be able to override this feature of Windows 10 S.

It’s worth noting at this juncture that Windows 10 S, much like its spiritual predecessor Windows RT, will only run apps that you download from the Windows Store—and currently, neither Firefox or Chrome have been packaged up for the Windows Store. I can’t imagine that Google will be super-keen to bring Chrome to the Windows Store if Windows 10 S users can’t change the default browser.

Source: Windows 10 S forces you to use Edge and Bing | Ars Technica

Edge might be Windows 10’s built-in browser, but it definitely isn’t the most popular browser — NetMarketShare reported just under 4 percent usage share as of February 2018, slipping well below Chrome’s 59 percent. And now, it looks like the company may be trying to boost its share through software policies. The company is testing a Windows 10 preview release in the Skip Ahead ring which opens all Windows Mail web links in Edge, regardless of your app defaults. It provides the “best, most secure and consistent experience,” Microsoft argued.

The move isn’t coming completely out of the blue. Microsoft required Cortana users to rely on Bing search and open any web content in Edge, so this is arguably an extension of that policy.

Even so, the move is likely to irk at least some Windows 10 users. To start, its claims are highly subjective. Edge certainly isn’t immune to security exploits, and relying on it could actually create an inconsistent experience if you aren’t completely invested in Microsoft software. If you use Chrome on an Android phone, wouldn’t you want every link on your PC to open in Chrome so that they’re easier to retrieve when you’re on your handset? We can’t imagine that European antitrust regulators would be happy about Microsoft locking users into its own browser, either. We’ve asked Microsoft if it can comment on the concerns and will let you know if it has something to say.

Microsoft tests forcing Windows Mail users to open links in Edge

Booking Flights: Our Data Flies with Us – the huge dataset described

Every time you book a flight, you generate personal data that is ripe for harvesting: information like the details on an ID card, your address, your passport information and your travel itinerary, as well as your frequent-flyer number, method of payment and travel preferences (dietary restrictions, mobility restrictions, etc.). All that data becomes part of a registry, in the form of a Passenger Name Record (PNR) – a generic name given to records created by aircraft operators or their authorised agents for each journey booked by or on behalf of any passenger.

When we book a flight or travel itinerary, the travel agent or booking website creates our PNR. Most airlines or travel agents choose to host their PNR databases on a specialised computer reservation system (CRS) or a Global Distribution System (GDS), which coordinates the information from all the travel agents and airlines worldwide, to avoid things like duplicated flight reservations. This means that CRSs/GDSs centralise and store vast amounts of data about travellers. Though we are focusing on air travel here, it is important to note that the PNR is not only flight-related. It can also include other services such as car rentals, hotel reservations and train trips.
A PNR isn’t necessarily created all at once. If we use the same agency or airline to book our flight and other services, like a hotel, the agency will use the same PNR. Therefore, information from many different sources will be gradually added to our PNR through different channels over time. That means the dataset is much larger than just the flight info: a PNR can contain data as important as our exact whereabouts at specific points in time.

What are the implications of all this for our privacy? The journalist and travel advocate Edward Hasbrouck has been researching and denouncing the PNR’s effects on privacy in the US for decades. In Europe, organisations like European Digital Rights (EDRi) have also criticised PNRs extensively through their advocacy and awareness campaigns. According to Hasbrouck:

PNR data reveals our associations, our activities, and our tastes and preferences. It shows where we went, when, with whom, for how long, and at whose expense. Through departmental and project billing codes, business travel PNR’s reveal confidential internal corporate and other organisation structures and lines of authority and show which people were involved in work together, even if they travelled separately. PNRs typically contain credit card numbers, telephone numbers, email addresses, and IP addresses, allowing them to be easily merged with financial and communications metadata

Your individual PNR also contains a section for free-text “remarks” that can be entered by the airline, the travel agency, a tour operator, a third-party call centre or the staff of the ground-handling contractor. Such texts might include sensitive and private information, like special meal requests and particular medical needs. This may seem innocuous, but information like special meal requests can indicate our religious or political affiliations, especially when it is cross-referenced with other details included in our PNR. Regardless of whether the profile assigned to us is accurate, the repercussions and implications of that profiling are concerning – especially in the absence of public awareness about them.
In the United States, PNRs are stored in the Automated Targeting System-Passenger (ATS-P), where they become part of an active database for up to five years (after the first six months, they are de-personalised and masked). After five years, the data is transferred to a dormant database for up to ten more years, where it remains available for counter-terrorism purposes for the full duration of its 15-year retention.

According to Edward Hasbrouck, PNRs cannot be deleted: once created, they are archived and retained in the Computer Reservation Data and You and/or Global Distribution Data and You (CRS/GDS), and can still be viewed, even if we never bought a ticket and cancelled our reservations:

“CRS’s retain flown, archived, purged, and deleted PNR’s indefinitely. It doesn’t really matter whether governments store copies of entire PNR’s or only portions of them, whether they filter out certain especially “sensitive” data from their copies of PNR’s, or for how long they retain them. As long as a government agency has the record locator or the airline name, flight number, and date, they can retrieve the complete PNR from the CRS. That’s especially true for the U.S. government, since even PNR’s created by airlines, travel agencies, tour operators, or airline offices in other countries, for flights within and between other countries that don’t touch the USA, are routinely stored in CRS’s based in the USA.
Under EU regulations, governments can retain PNR data for a maximum of five years, to allow law-enforcement officials to access it if necessary. The regulations state that after six months, the data is masked out or anonymised. But according to research by the EDRi, records are not necessarily anonymised or encrypted, and, in fact, the data can be easily re-personalised.
PNR is a relatively old system, pre-dating the internet as we know it today. Airlines have built their own systems on top of this, allowing passengers to make adjustments to their reservations using a six-character booking confirmation number or PNR locator. But although the PNR system was originally designed to facilitate the sharing of information rather than the protection of it, in the current digital environment and with the cyber-threats facing our data online, this system needs to be updated to keep up with the existing risks. PNRs are information-rich files are not only of interest for governments; they are also valuable to third parties – whether corporations or adversaries. Potential uses of the data could include anything from marketing research to hacks aimed at obtaining our personal information for financial scams or even doxxing or inflicting harm on activists.

According to Hasbrouck, the controls over who can access PNR data are insufficient, and there are no limitations on how CRS/GDS users (whether governments or travel agents) can access it. Furthermore, there are no records of when a CRS/GDS user has retrieved a PNR, from where they retrieved the record, or for what purpose. This means that any travel agent or any government can retrieve our PNR and access all the data it contains, no questions asked and without leaving a trace.
Photos of our tickets or luggage tags pose particular risks because of the sensitive information printed on them. In addition to our name and flight information, they also include our PNR locator, though sometimes only inside the barcode. Even if we cannot “see” information in the barcodes or sequences of letters and numbers on our tickets, other people may be able to derive meaning from them.

Source: Booking Flights: Our Data Flies with Us – Our Data Our Selves

Palantir has secretly been using New Orleans to test its predictive policing technology, was given huge access to lots of private data without oversight due to loophole

The program began in 2012 as a partnership between New Orleans Police and Palantir Technologies, a data-mining firm founded with seed money from the CIA’s venture capital firm. According to interviews and documents obtained by The Verge, the initiative was essentially a predictive policing program, similar to the “heat list” in Chicago that purports to predict which people are likely drivers or victims of violence.

The partnership has been extended three times, with the third extension scheduled to expire on February 21st, 2018. The city of New Orleans and Palantir have not responded to questions about the program’s current status.

Predictive policing technology has proven highly controversial wherever it is implemented, but in New Orleans, the program escaped public notice, partly because Palantir established it as a philanthropic relationship with the city through Mayor Mitch Landrieu’s signature NOLA For Life program. Thanks to its philanthropic status, as well as New Orleans’ “strong mayor” model of government, the agreement never passed through a public procurement process.

In fact, key city council members and attorneys contacted by The Verge had no idea that the city had any sort of relationship with Palantir, nor were they aware that Palantir used its program in New Orleans to market its services to another law enforcement agency for a multimillion-dollar contract.

Even within the law enforcement community, there are concerns about the potential civil liberties implications of the sort of individualized prediction Palantir developed in New Orleans, and whether it’s appropriate for the American criminal justice system.

“They’re creating a target list, but we’re not going after Al Qaeda in Syria,” said a former law enforcement official who has observed Palantir’s work first-hand as well as the company’s sales pitches for predictive policing. The former official spoke on condition of anonymity to freely discuss their concerns with data mining and predictive policing. “Palantir is a great example of an absolutely ridiculous amount of money spent on a tech tool that may have some application,” the former official said. “However, it’s not the right tool for local and state law enforcement.”

Six years ago, one of the world’s most secretive and powerful tech firms developed a contentious intelligence product in a city that has served as a neoliberal laboratory for everything from charter schools to radical housing reform since Hurricane Katrina. Because the program was never public, important questions about its basic functioning, risk for bias, and overall propriety were never answered.
Palantir’s prediction model in New Orleans used an intelligence technique called social network analysis (or SNA) to draw connections between people, places, cars, weapons, addresses, social media posts, and other indicia in previously siloed databases. Think of the analysis as a practical version of a Mark Lombardi painting that highlights connections between people, places, and events. After entering a query term — like a partial license plate, nickname, address, phone number, or social media handle or post — NOPD’s analyst would review the information scraped by Palantir’s software and determine which individuals are at the greatest risk of either committing violence or becoming a victim, based on their connection to known victims or assailants.

The data on individuals came from information scraped from social media as well as NOPD criminal databases for ballistics, gangs, probation and parole information, jailhouse phone calls, calls for service, the central case management system (i.e., every case NOPD had on record), and the department’s repository of field interview cards. The latter database represents every documented encounter NOPD has with citizens, even those that don’t result in arrests. In 2010, The Times-Picayune revealed that Chief Serpas had mandated that the collection of field interview cards be used as a measure of officer and district performance, resulting in over 70,000 field interview cards filled out in 2011 and 2012. The practice resembled NYPD’s “stop and frisk” program and was instituted with the express purpose of gathering as much intelligence on New Orleanians as possible, regardless of whether or not they committed a crime.
NOPD then used the list of potential victims and perpetrators of violence generated by Palantir to target individuals for the city’s CeaseFire program. CeaseFire is a form of the decades-old carrot-and-stick strategy developed by David Kennedy, a professor at John Jay College in New York. In the program, law enforcement informs potential offenders with criminal records that they know of their past actions and will prosecute them to the fullest extent if they re-offend. If the subjects choose to cooperate, they are “called in” to a required meeting as part of their conditions of probation and parole and are offered job training, education, potential job placement, and health services. In New Orleans, the CeaseFire program is run under the broader umbrella of NOLA For Life, which is Mayor Landrieu’s pet project that he has funded through millions of dollars from private donors.

According to Serpas, the person who initially ran New Orleans’ social network analysis from 2013 through 2015 was Jeff Asher, a former intelligence agent who joined NOPD from the CIA. If someone had been shot, Serpas explained, Asher would use Palantir’s software to find people associated with them through field interviews or social media data. “This data analysis brings up names and connections between people on FIs [field interview cards], on traffic stops, on victims of reports, reporting victims of crimes together, whatever the case may be. That kind of information is valuable for anybody who’s doing an investigation,” Serpas said.
Of the 308 people who participated in call-ins from October 2012 through March 2017, seven completed vocational training, nine completed “paid work experience,” none finished a high school diploma or GED course, and 32 were employed at one time or another through referrals. Fifty participants were detained following their call-in, and two have since died.

By contrast, law enforcement vigorously pursued its end of the program. From November 2012, when the new Multi-Agency Gang Unit was founded, through March 2014, racketeering indictments escalated: 83 alleged gang members in eight gangs were indicted in the 16-month period, according to an internal Palantir presentation.
Call-ins declined precipitously after the first few years. According to city records, eight group call-ins took place from 2012 to 2014, but only three took place in the following three years. Robert Goodman, a New Orleans native who became a community activist after completing a prison sentence for murder, worked as a “responder” for the city’s CeaseFire program until August 2016, discouraging people from engaging in retaliatory violence. Over time, Goodman noticed more of an emphasis on the “stick” component of the program and more control over the non-punitive aspects of the program by city hall that he believes undermined the intervention work. “It’s supposed to be ran by people like us instead of the city trying to dictate to us how this thing should look,” he said. “As long as they’re not putting resources into the hoods, nothing will change. You’re just putting on Band-Aids.”

After the first two years of Palantir’s involvement with NOPD, the city saw a marked drop in murders and gun violence, but it was short-lived. Even former NOPD Chief Serpas believes that the preventative effect of calling in dozens of at-risk individuals — and indicting dozens of them — began to diminish.

“When we ended up with nearly nine or 10 indictments with close to 100 defendants for federal or state RICO violations of killing people in the community, I think we got a lot of people’s attention in that criminal environment,” Serpas said, referring to the racketeering indictments. “But over time, it must’ve wore off because before I left in August of ‘14, we could see that things were starting to slide”

Nick Corsaro, the University of Cincinnati professor who helped build NOPD’s gang database, also worked on an evaluation of New Orleans’ CeaseFire strategy. He found that New Orleans’ overall decline in homicides coincided with the city’s implementation of CeaseFire program, but the Central City neighborhoods targeted by the program “did not have statistically significant declines that corresponded with November 2012 onset date.”
The secrecy surrounding the NOPD program also raises questions about whether defendants have been given evidence they have a right to view. Sarah St. Vincent, a researcher at Human Rights Watch, recently published an 18-month investigation into parallel construction, or the practice of law enforcement concealing evidence gathered from surveillance activity. In an interview, St. Vincent said that law enforcement withholding intelligence gathering or analysis like New Orleans’ predictive policing work effectively kneecaps the checks and balances of the criminal justice system. At the Cato Institute’s 2017 Surveillance Conference in December, St. Vincent raised concerns about why information garnered from predictive policing systems was not appearing in criminal indictments or complaints.

“It’s the role of the judge to evaluate whether what the government did in this case was legal,” St. Vincent said of the New Orleans program. “I do think defense attorneys would be right to be concerned about the use of programs that might be inaccurate, discriminatory, or drawing from unconstitutional data.”

If Palantir’s partnership with New Orleans had been public, the issues of legality, transparency, and propriety could have been hashed out in a public forum during an informed discussion with legislators, law enforcement, the company, and the public. For six years, that never happened.

Source: Palantir has secretly been using New Orleans to test its predictive policing technology – The Verge

One of the big problems here is that there is no knowledge and hardly any oversight on the program. There is no knowledge if the system is being implemented fairly or cost effectively (costs are huge!) or even if it works. It seemed to have worked for a while but the effects seemed also to drop off after two years in operations, mainly because they used the “stick” method to counter crime but more and more got rid of the “carrot”. The amount of private data given to Palantir without any discussion or consent is worrying to say the least.

The Lottery Hackers

That’s when it hit him. Right there, in the numbers on the page, he noticed a flaw—a strange and surprising pattern, like the cereal-box code, written into the fundamental machinery of the game. A loophole that would eventually make Jerry and Marge millionaires, spark an investigation by a Boston Globe Spotlight reporter, unleash a statewide political scandal and expose more than a few hypocrisies at the heart of America’s favorite form of legalized gambling.
This particular game was called Winfall. A ticket cost $1. You picked six numbers, 1 through 49, and the Michigan Lottery drew six numbers. Six correct guesses won you the jackpot, guaranteed to be at least $2 million and often higher. If you guessed five, four, three, or two of the six numbers, you won lesser amounts. What intrigued Jerry was the game’s unusual gimmick, known as a roll-down: If nobody won the jackpot for a while, and the jackpot climbed above $5 million, there was a roll-down, which meant that on the next drawing, as long as there was no six-number winner, the jackpot cash flowed to the lesser tiers of winners, like water spilling over from the highest basin in a fountain to lower basins. There were lottery games in other states that offered roll-downs, but none structured quite like Winfall’s. A roll-down happened every six weeks or so, and it was a big deal, announced by the Michigan Lottery ahead of time as a marketing hook, a way to bring bettors into the game, and sure enough, players increased their bets on roll-down weeks, hoping to snag a piece of the jackpot.

The brochure listed the odds of various correct guesses. Jerry saw that you had a 1-in-54 chance to pick three out of the six numbers in a drawing, winning $5, and a 1-in-1,500 chance to pick four numbers, winning $100. What he now realized, doing some mental arithmetic, was that a player who waited until the roll-down stood to win more than he lost, on average, as long as no player that week picked all six numbers. With the jackpot spilling over, each winning three-number combination would put $50 in the player’s pocket instead of $5, and the four-number winners would pay out $1,000 in prize money instead of $100, and all of a sudden, the odds were in your favor. If no one won the jackpot, Jerry realized, a $1 lottery ticket was worth more than $1 on a roll-down week—statistically speaking.

“I just multiplied it out,” Jerry recalled, “and then I said, ‘Hell, you got a positive return here.’”
This was an uncomfortable leap for a guy with no experience in gambling, but if he stopped now, he would never know if his theory was correct. During the next roll-down week, he returned to Mesick and made a larger bet, purchasing $3,400 in Winfall tickets. Sorting 3,400 tickets by hand took hours and strained his eyes, but Jerry counted them all right there at the convenience store so that Marge would not discover him. This time he won $6,300—an impressive 46 percent profit margin. Emboldened, he bet even more on the next roll-down, $8,000, and won $15,700, a 49 percent margin.
he lottery is like a bank vault with walls made of math instead of steel; cracking it is a heist for squares. And yet a surprising number of Americans have pulled it off. A 2017 investigation by the Columbia Journalism Review found widespread anomalies in lottery results, difficult to explain by luck alone. According to CJR’s analysis, nearly 1,700 Americans have claimed winning tickets of $600 or more at least 50 times in the last seven years, including the country’s most frequent winner, a 79-year-old man from Massachusetts named Clarance W. Jones, who has redeemed more than 10,000 tickets for prizes exceeding $18 million.
he and Marge were willing to do the grunt work, which, as it turned out, was no small challenge. Lottery terminals in convenience stores could print only 10 slips of paper at a time, with up to 10 lines of numbers on each slip (at $1 per line), which meant that if you wanted to bet $100,000 on Winfall, you had to stand at a machine for hours upon hours, waiting for the machine to print 10,000 tickets. Code in the purchase. Push the “Print” button. Wait at least a full minute for the 10 slips to emerge. Code in the next purchase. Hit “Print.” Wait again. Jerry and Marge knew all the convenience store owners in town, so no one gave them a hard time when they showed up in the morning to print tickets literally all day. If customers wondered why the unassuming couple had suddenly developed an obsession with gambling, they didn’t ask. Sometimes the tickets jammed, or the cartridges ran out of ink. “You just have to set there,” Jerry said.

The Selbees stacked their tickets in piles of $5,000, rubber-banded them into bundles and then, after a drawing, convened in their living room in front of the TV, sorting through tens or even hundreds of thousands of tickets, separating them into piles according to their value (zero correct numbers, two, three, four, five). Once they counted all the tickets, they counted them again, just to make sure they hadn’t missed anything. If Jerry had the remote, they’d watch golf or the History Channel, and if Marge had it, “House Hunters” on HGTV. “It looked extremely tedious and boring, but they didn’t view it that way,” recalled their daughter Dawn. “They trained their minds. Literally, they’d pick one up, look at it, put it down. Pick one up, put it down.” Dawn tried to help but couldn’t keep pace; for each ticket she completed, Jerry or Marge did 10.
That June, Jerry created a corporation to manage the group. He gave it an intentionally boring name, GS Investment Strategies LLC, and started selling shares, at $500 apiece, first to the kids and then to friends and colleagues in Evart. Jerry would eventually expand the roster to 25 members, including a state trooper, a parole officer, a bank vice president, three lawyers and even his personal accountant, a longtime local with a smoker’s scratchy voice named Steve Wood. Jerry would visit Wood’s storefront office downtown, twist the “Open” sign to “Closed,” and seek his advice on how to manage the group.
And business was good. By the spring of 2005, GS Investment Strategies LLC had played Winfall on 12 different roll-down weeks, the size of the bets increasing along with the winnings. First $40,000 in profits. Then $80,000. Then $160,000. Marge squirreled her share away in a savings account. Jerry bought a new truck, a Ford F350, and a camping trailer that hooked onto the back of it. He also started buying coins from the U.S. Mint as a hedge against inflation, hoping to protect his family from any future catastrophe. He eventually filled five safe deposit boxes with coins of silver and gold.
A mathematics major in his final semester, Harvey had been researching lottery games for an independent study project, comparing the popular multistate games Powerball and MegaMillions to see which offered players a better shot at winning. He’d also analyzed different state games, including Cash WinFall, and it hadn’t taken him long to spot its flaw: On a roll-down week, a $2 lottery ticket was worth more than $2, mathematically.

Within days, Harvey had recruited some 50 people to pony up $20 each, for a total of $1,000, enough to buy 500 Cash WinFall tickets for the February 7 roll-down drawing. The Patriots won the Super Bowl on February 6, and the following day, the MIT group took home $3,000, for a $2,000 profit.

Curiously enough, the MIT students weren’t the only ones playing Cash WinFall for high stakes that day. A biomedical researcher at Boston University, Ying Zhang, had also discovered the flaw, after an argument with friends about the nature of the lottery. Believing it to be exploitative, Zhang had researched the Massachusetts State Lottery to bolster his point. Then he found the glitch in Cash WinFall, and as happens so often in America, a skeptic of capitalism became a capitalist. Zhang encouraged friends to play and formed his own betting club, Doctor Zhang Lottery Club Limited Partnership. His group began wagering between $300,000 and $500,000 on individual roll-down weeks, and eventually Zhang quit his job as a biomedical researcher to focus on the lottery full time. He bought tickets in bulk at a convenience store near his home, in the Boston suburb of Quincy, and stored the losing tickets in boxes in his attic until the weight made his ceiling crack.

As energetically as Zhang played the game, however, he couldn’t match the budding lottery moguls at MIT. After the first roll-down, Harvey assembled 40 to 50 regular players—some of them professors with substantial resources—and recruited his classmate, Yuran Lu, to help manage the group. Lu was an electrical engineering, computer science and math major with a mischievous streak: one time, to make a point about security, he’d stolen 620 passwords from students and professors. Now he helped Harvey form a corporation, named Random Strategies LLC, after their dorm. Their standard wager on a roll-down week was $600,000—300,000 tickets. Unlike the Selbees, who allowed the computer to pick numbers for them (“Quic Pics”), the MIT students preferred to choose their own, which avoided duplicates but also meant that the students had to spend weeks filling in hundreds of thousands of tiny ovals on paper betting slips.

Source: The Lottery Hackers – The Huffington Post

A great article on how three groups of people were hacking this lottery and how it all ended.

MIT builds Neural network chip with 95% reduction in power consumption, allowing it to be used in a mobile

Most recent advances in artificial-intelligence systems such as speech- or face-recognition programs have come courtesy of neural networks, densely interconnected meshes of simple information processors that learn to perform tasks by analyzing huge sets of training data.

But neural nets are large, and their computations are energy intensive, so they’re not very practical for handheld devices. Most smartphone apps that rely on neural nets simply upload data to internet servers, which process it and send the results back to the phone.

Now, MIT researchers have developed a special-purpose chip that increases the speed of neural-network computations by three to seven times over its predecessors, while reducing power consumption 94 to 95 percent. That could make it practical to run neural networks locally on smartphones or even to embed them in household appliances.

“The general processor model is that there is a memory in some part of the chip, and there is a processor in another part of the chip, and you move the data back and forth between them when you do these computations,” says Avishek Biswas, an MIT graduate student in electrical engineering and computer science, who led the new chip’s development.

“Since these machine-learning algorithms need so many computations, this transferring back and forth of data is the dominant portion of the energy consumption. But the computation these algorithms do can be simplified to one specific operation, called the dot product. Our approach was, can we implement this dot-product functionality inside the memory so that you don’t need to transfer this data back and forth?”

Source: Neural networks everywhere | MIT News

Hey Microsoft, Stop Installing Apps On My PC Without Asking

I’m getting sick of Windows 10’s auto-installing apps. Apps like Facebook are now showing up out of nowhere, and even displaying notifications begging for me to use them. I didn’t install the Facebook app, I didn’t give it permission to show notifications, and I’ve never even used it. So why is it bugging me?

Windows 10 has always been a little annoying about these apps, but it wasn’t always this bad. Microsoft went from “we pinned a few tiles, but the apps aren’t installed until you click them” to “the apps are now automatically installed on your PC” to “the automatically installed apps are now sending you notifications”. It’s ridiculous.
The “Microsoft Consumer Experience” Is Consumer-Hostile…

This is all thanks to the “Microsoft Consumer Experience” program, which can’t be disabled on normal Windows 10 Home or Professional systems. That’s why every Windows 10 computer you start using has these bonus apps. The exact apps preinstalled can vary, but I’ve never seen a Windows 10 PC without Candy Crush.

The Microsoft Consumer Experience is actually a background task that runs whenever you sign into a Windows 10 PC with a new user account for the first time. It kicks into gear and automatically downloads apps like Candy Crush Soda Saga, FarmVille 2: Country Escape, Facebook, TripAdvisor, and whatever else Microsoft feels like promoting.

You can uninstall the apps from your Start menu, and they shouldn’t come back on your user account the same hardware. However, the apps will also come back whenever you sign into a new PC with the same Microsoft account, forcing you to remove them on each device you use. And, if someone signs into your same PC with their own Microsoft account, Microsoft will “helpfully” download those apps for their account as well. There’s no way to tell Microsoft “stop downloading these apps on my PC” or “I never want these apps on this Microsoft account”.
…and Microsoft Won’t Let Us Disable It

There is, technically, a way to disable this and stop Windows from installing these apps…but it’s only for Windows 10 Enterprise and Education users. Even if you spent $200 for a Windows 10 Professional license because you want to use your PC for business, Microsoft won’t let you stop the “Consumer Experience” on a professional PC.

Source: Hey Microsoft, Stop Installing Apps On My PC Without Asking

Together with Windows 10 sending private data to Redmond without permission this is another reason I have left the world of MS operating systems. I now use Linux Mint.

119,000 Passports and Photo IDs of FedEx Customers Found on Unsecured Amazon Server

Thousands of FedEx customers were exposed after the company left scanned passports, drivers licenses, and other documentation on a publicly accessible Amazon S3 server.

The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes.

The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday.

According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversations, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017.

Source: 119,000 Passports and Photo IDs of FedEx Customers Found on Unsecured Amazon Server

Tesla’s Amazon Cloud Account Hacked to Mine Cryptocurrency

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to “mine” cryptocurrency, security researchers said. The breach also exposed proprietary data for the electric carmaker.

The researchers, who worked for RedLock, a 3-year-old cybersecurity startup, said they discovered the intrusion last month while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account turned out to be Tesla, they said.

“We weren’t the first to get to it,” Varun Badhwar, CEO and cofounder of RedLock, told Fortune on a call. “Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment.”

The incident is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims’ computers to generate virtual currencies like Bitcoin. The schemes have seen a resurgence in popularity as cryptocurrency prices have soared over the past year.

Earlier this month, websites for the U.S. federal court system and the U.K.’s National Health Service roped their visitors into similar virtual money-minting operations.

Source: Tesla’s Amazon Cloud Account Hacked to Mine Cryptocurrency | Fortune

Uzi Nissan Spent 8 Years Fighting The Car Company With His Name. He Nearly Lost Everything To Win. The legal system doesn’t work very well if you have no money.

Nissan the car company never really cared who Uzi Nissan was. Then it decided he had something it wanted very much—the website, which he created for his small retail computer business in 1994—and it sued him for $10 million. When the two Nissans went to war, Uzi Nissan prevailed in the end, but lost almost everything along the way.

If you visit expecting a polished presentation of Nissan’s latest lineup, you’re in for quite a shock. What you land in is Uzi Nissan’s corner of the internet; a shrine to the years of his life spent fighting what is now the largest car company on the planet.

You’re greeted with a straight-out-of-the-’90s web design with 3D-effect link buttons, minimal advertising, crossed-out Nissan Motor badges and a Nissan Computer logo design that seems to resemble a stamped business card.
If you further postpone your quest to get a quote on an Altima or a Rogue Sport and spend time to explore the site, you find pages and pages of articles on the Nissan Motor vs. Nissan Computer lawsuit, taught in business schools and law schools as one of the most notable domain cases from the age of the dotcom bubble.

“The study there is that you should first have your domain before you decide your name of business, and in law school it’s just to show that sometimes even the little guy can win,” he said.
At the time, it didn’t seem like the start of an all-consuming legal battle, a David vs. Goliath fight that took nearly 10 years and cost the small business owner millions of dollars—to say nothing of the incalculable toll on his personal life.

Source: Uzi Nissan Spent 8 Years Fighting The Car Company With His Name. He Nearly Lost Everything To Win

The story is well told and shows you how ridiculous it is that this guy who clearly had prior ownership to the Nissan name and domain name had to pony up near to $3m and 8 years of his life to keep what is rightfully his. There is no punishment for the big guy throwing resources to wast another person’s time and money in the courts.

Cisco NFV elastic services controller accepts empty admin password

Cisco’s Elastic Services Controller’s release 3.0.0 software has a critical vulnerability: it accepts an empty admin password.

The Controller (ESC) is Cisco’s automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling.

Cisco’s advisory about the flaw explains the bug is in ESC’s Web service portal: “An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal.”

Once past the (non)-authentication, the attacker has administrative rights to “execute arbitrary actions” on the target system.

Source: Cisco NFV controller is a bit too elastic: It has an empty password bug • The Register

Crooks opt for Monero, paypal, ebay and gamesfor laundering

“Platforms like Monero are designed to be truly anonymous, and tumbler services like CoinJoin can [further] obscure transaction origins,” said Dr Mike McGuire, senior lecturer in criminology at Surrey University and author of the study.

Many cybercriminals are using virtual currency to convert the illegal proceeds of crime into hard cash and assets. Digital payment systems are used to help hide the money trail.
Methods like “micro laundering”, where thousands of small electronic payments are made through platforms like PayPal, are increasingly common and more difficult to detect. Another common technique is to use online transactions – via sites like eBay – to facilitate laundering.

Crooks are circumventing PayPal and eBay’s anti-fraud controls, even though both are “getting better at picking up laundering techniques”, according to Dr McGuire.
“Keeping transactions low, say $10-12, makes laundering almost impossible to spot, as they look like ordinary transactions. It would be impossible to investigate every transaction of this size. By making repeated small payments, or limited transactions, your profile begins to gain the ‘trust’ of controls systems, which makes it even harder to detect laundering as payments are less likely to be flagged.”

Botnets can be used to make thousands of these transactions and increase your trust rating.

“I have also seen evidence of multi-stage laundering, where criminals will make payments through websites like Airbnb which look completely legitimate. Cybercriminals are also gaining access or control of legitimate PayPal accounts by phishing emails. I also saw it was easy to buy stolen credentials from online forums to gain access to hundreds of PayPal accounts which can then be used to launder payments.”

McGuire said cybercriminals are working with the fraud controls to then manipulate them by applying to go beyond current annual payment limits and then providing false or hacked documentation to support the checks which permit larger payments.
Cybercriminals elsewhere are active in converting stolen income into video game currency or in-game items like gold, which are then converted into Bitcoin or other electronic formats. Games such as Minecraft, FIFA, World of Warcraft, Final Fantasy and GTA 5 are among the most popular options because they allow covert interactions with other players to facilitate the trade of currency and goods.

“Gaming currencies and items that can be easily converted and moved across borders offer an attractive prospect to cybercriminals,” Dr McGuire told The Register. “This trend appears to be particularly prevalent in countries like South Korea and China – with South Korean police arresting a gang transferring $38m laundered in Korean games back to China.

“The advice on how to do this is readily available online and explains how cybercriminals can launder proceeds through both in-game currencies and goods.”

The findings come from a nine-month study into the macro economics of cybercrime, sponsored by infosec vendor Bromium

Source: Crooks opt for Monero as crypto of choice to launder ill-gotten gains • The Register

2017: Dutch Military Intelligence 348 and Internal Intelligence 3205 taps placed. No idea how many the police did, but wow, that’s a lot!

De MIVD tapte vorig jaar in totaal 348 keer. De AIVD plaatste dat jaar 3.205 taps. Vandaag publiceerden beide diensten de tapstatistieken over de periode 2002 tot en met 2017 op hun website.

Source: MIVD tapte vorig jaar 348 keer | Nieuwsbericht |

And of course we have no idea how many of these taps led to arrests or action.

Music Video and Artificial Intelligence – Jean Pierre by Hardcore Anal Hydrogen

This page shows how they used Deep Dream, Neural Style Transfer and OpticalFlow tools to create this music video

Source: Music Video and Artificial Intelligence – Jean Pierre by Hardcore Anal Hydrogen

Microsoft updates its Quantum Development Kit and adds support for Linux and Mac

Today we’re announcing updates to our Quantum Development Kit, including support for macOS and Linux, additional open source libraries, and interoperability with Python. These updates will bring the power of quantum computing to even more developers on more platforms. At Microsoft, we believe quantum computing holds the promise of solving many of today’s unsolvable problems and we want to make it possible for the broadest set of developers to code new quantum applications.When we released the Quantum Development Kit last December, we were excited about the possibilities that might result from opening the world of quantum programming to more people. We delivered a new quantum programming language – Q#, rich integration with Visual Studio, and extensive libraries and samples. Since then, thousands of developers have explored the Quantum Development Kit and experienced the world of quantum computing, including students, professors, researchers, algorithm designers, and people new to quantum development who are using these tools to gain knowledge.

Source: Microsoft updates its Quantum Development Kit and adds support for Linux and Mac – Microsoft Quantum

A video game-playing AI beat Q*bert in a way no one’s ever seen before

paper published this week by a trio of machine learning researchers from the University of Freiburg in Germany. They were exploring a particular method of teaching AI agents to navigate video games (in this case, desktop ports of old Atari titles from the 1980s) when they discovered something odd. The software they were testing discovered a bug in the port of the retro video game Q*bert that allowed it to rack up near infinite points.

As the trio describe in the paper, published on pre-print server arXiv, the agent was learning how to play Q*bert when it discovered an “interesting solution.” Normally, in Q*bert, players jump from cube to cube, with this action changing the platforms’ colors. Change all the colors (and dispatch some enemies), and you’re rewarded with points and sent to the next level. The AI found a better way, though:

First, it completes the first level and then starts to jump from platform to platform in what seems to be a random manner. For a reason unknown to us, the game does not advance to the second round but the platforms start to blink and the agent quickly gains a huge amount of points (close to 1 million for our episode time limit).
It’s important to note, though, that the agent is not approaching this problem in the same way that a human would. It’s not actively looking for exploits in the game with some Matrix-like computer-vision. The paper is actually a test of a broad category of AI research known as “evolutionary algorithms.” This is pretty much what it sounds like, and involves pitting algorithms against one another to see which can complete a given task best, then adding small tweaks (or mutations) to the survivors to see if they then fare better. This way, the algorithms slowly get better and better.

Source: A video game-playing AI beat Q*bert in a way no one’s ever seen before – The Verge

How to Disable Facebook’s Facial Recognition Feature

To turn off facial recognition on your computer, click on the down arrow at the top of any Facebook page and then select Settings. From there, click “Face Recognition” from the left column, and then click “Do you want Facebook to be able to recognize you in photos and videos?” Select Yes or No based on your personal preferences.

On mobile, click on the three dots below your profile pic labeled “More” then select “View Privacy Shortcuts” then “More Settings,” followed by “Facial Recognition.” Click on the “Do you want Facebook to be able to recognize you in photos and videos?” button and select “No” to disable the feature.
The setting isn’t available in all countries, and will only appear as an option in your profile if you’re at least 18 years old and have the feature available to you.

Source: How to Disable Facebook’s Facial Recognition Feature

AI models leak secret data too easily

A paper released on arXiv last week by a team of researchers from the University of California, Berkeley, National University of Singapore, and Google Brain reveals just how vulnerable deep learning is to information leakage.

The researchers labelled the problem “unintended memorization” and explained it happens if miscreants can access to the model’s code and apply a variety of search algorithms. That’s not an unrealistic scenario considering the code for many models are available online. And it means that text messages, location histories, emails or medical data can be leaked.

Nicholas Carlini, first author of the paper and a PhD student at UC Berkeley, told The Register, that the team “don’t really know why neural networks memorize these secrets right now”.

“At least in part, it is a direct response to the fact that we train neural networks by repeatedly showing them the same training inputs over and over and asking them to remember these facts. At the end of training, a model might have seen any given input ten or twenty times, or even a hundred, for some models.

“This allows them to know how to perfectly label the training data – because they’ve seen it so much – but don’t know how to perfectly label other data. What we exploit to reveal these secrets is the fact that models are much more confident on data they’ve seen before,” he explained.
Secrets worth stealing are the easiest to nab

In the paper, the researchers showed how easy it is to steal secrets such as social security and credit card numbers, which can be easily identified from neural network’s training data.

They used the example of an email dataset comprising several hundred thousand emails from different senders containing sensitive information. This was split into different senders who have sent at least one secret piece of data and used to train a two-layer long short-term memory (LSTM) network to generate the next the sequence of characters.
The chances of sensitive data becoming available are also raised when the miscreant knows the general format of the secret. Credit card numbers, phone numbers and social security numbers all follow the same template with a limited number of digits – a property the researchers call “low entropy”.
Luckily, there are ways to get around the problem. The researchers recommend developers use “differential privacy algorithms” to train models. Companies like Apple and Google already employ these methods when dealing with customer data.

Private information is scrambled and randomised so that it is difficult to reproduce it. Dawn Song, co-author of the paper and a professor in the department of electrical engineering and computer sciences at UC Berkeley, told us the following:

Source: Boffins baffled as AI training leaks secrets to canny thieves • The Register

SITA: uses AI to get rid of lost luggage

Ok, to reduce the amount significantly. Using ML they figure out which baggage routes create the most stress in the system and then they can optimise these routes.

Source: SITA: met AI geen zoekgeraakte bagage meer – Emerce

Larry Page’s Flying Taxis, Now Exiting Stealth Mode – The New York Times

Since October, a mysterious flying object has been seen moving through the skies over the South Island of New Zealand. It looks like a cross between a small plane and a drone, with a series of small rotor blades along each wing that allow it to take off like a helicopter and then fly like a plane. To those on the ground, it has always been unclear whether there was a pilot aboard.

Well, it turns out that the airborne vehicle has been part of a series of “stealth” test flights by a company personally financed by Larry Page, the co-founder of Google and now the chief executive of Google’s parent, Alphabet.

The company, known as Kitty Hawk and run by Sebastian Thrun, who helped start Google’s autonomous car unit as the director of Google X, has been testing a new kind of fully electric, self-piloting flying taxi. This is an altogether different project from the one you might have seen last year in a viral video of a single-pilot recreational aircraft that was being tested over water, and it’s much more ambitious.
Now that project is about to go public: On Tuesday, Mr. Page’s company and the prime minister of New Zealand, Jacinda Ardern, will announce they have reached an agreement to test Kitty Hawk’s autonomous planes as part of an official certification process. The hope is that it will lead to a commercial network of flying taxis in New Zealand in as soon as three years.
Mr. Page’s ambitions to create taxis in the sky has a sense of gravity, excuse the pun, not just because of his deep pockets and the technological prowess of his team but also because of Mr. Reid, who is a former chief executive of Virgin America. Before that he was president of Delta Air Lines and president of Lufthansa Airlines, where he was co-architect of the Star Alliance.

In an interview, Mr. Reid said the opportunity to use New Zealand as the first place to commercialize the autonomous taxi service was a step-change in the advancement of the sector. Kitty Hawk is already working on an app that would allow customers to hail one of its air taxis.

The aircraft, known as Cora, has a wingspan of 36 feet with a dozen rotors all powered by batteries. It can fly about 62 miles and carry two passengers. (Its code name had been Zee.Aero — hence all the speculation and confusion.) The plan, at least for now, isn’t for Kitty Hawk to sell the vehicles; it wants to own and operate a network of them itself.

Source: Larry Page’s Flying Taxis, Now Exiting Stealth Mode – The New York Times

Artists Protest Elite Art World With Unauthorized AR Gallery at the MoMA

On Friday, eight artists launched an augmented reality gallery at the Museum of Modern Art in New York, digitally overlaying their artwork over the museum’s. Motherboard reports the guerrilla installation was created and deployed without the museum’s permission. “Hello, we’re from the internet” is an “unauthorized gallery concept aimed at democratizing physical exhibition spaces, museums, and the curation of art within them,” according to MoMAR, which developed the exhibit. “MoMAR is non-profit, non-owned, and exists in the absence of any privatized structures,” the group’s website states.

Source: Artists Protest Elite Art World With Unauthorized AR Gallery at the MoMA

MoMAR inaugural show 'Hello, we're from the internet' from Damjanski on Vimeo.

World’s biggest DDoS attack record broken after just five days using poorly configured memcache servers

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the provider had taken adequate safeguards, but it’s clear that the memcached attack is going to be a feature network managers are going to have to take seriously in the future.

The attacks use shoddily secured memcached database servers to amplify attacks against a target. The assailant spoofs the UDP address of its victim and pings a small data packet at a memcached server that doesn’t have an authenticated traffic requirement in place. The server responds by firing back as much as 50,000 times the data it received.

With multiple data packets sent out a second, the memcached server unwittingly amplifies the deluge of data that can be sent against the target. Without proper filtering and network management, the tsunami of data can be enough to knock some providers offline.

There are some simple mitigation techniques, notably blocking off UDP traffic from Port 11211, which is the default avenue for traffic from memcached servers. In addition, the operators of memcached servers need to lock down their systems to avoid taking part in such denial of service attacks.

Source: World’s biggest DDoS attack record broken after just five days • The Register

Air gapping PCs won’t stop data sharing thanks to sneaky speakers

Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure.

In an academic paper published on Friday through preprint service ArXiv, researchers from Israel’s Ben-Gurion University of the Negev describe a novel data exfiltration technique that allows the transmission and reception of data – in the form of inaudible ultrasonic sound waves – between two computers in the same room without microphones.

The paper, titled, “MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication,” was written by Mordechai Guri, Yosef Solwicz, Andrey Daidakulov and Yuval Elovici, who have developed a number other notable side-channel attack techniques.

These include: ODINI, a way to pass data between Faraday-caged computers using electrical fields; MAGNETO, a technique for passing data between air-gapped computers and smartphones via electrical fields; and FANSMITTER, a way to send acoustic data between air-gapped computers using fans.

Source: Air gapping PCs won’t stop data sharing thanks to sneaky speakers • The Register

Amadeus invests in CrowdVision to help airports manage growing passenger volumes using AI camera tech

CrowdVision is an early stage company that uses computer vision software and artificial intelligence to help airports monitor the flow of passengers in real time to minimise queues and more efficiently manage resources. The software is designed to comply fully with data privacy and security legislation.

CrowdVision data improves plans and can help airports react decisively to keep travellers’ moving and make their experience more enjoyable. CrowdVision’s existing airport customers are benefiting from reduced queues and waiting times, leaving passengers to spend more time and more money in retail areas. Others have optimised allocation of staff, desks, e-gates and security lanes to make the most of their existing infrastructure and postpone major capital expenditure on expansions.

Source: Amadeus invests in CrowdVision to help airports manage growing passenger volumes

It Took Almost 10 Days to 3D-Print This Giant Millennium Falcon Model

Typically, when we see 3D-printed replicas as large as this 2.3-foot long Millennium Falcon, they’re assembled from hundreds of smaller 3D-printed parts. But YouTube’s stonefx83 didn’t want to go to all that trouble, so he simply scaled up Andrew Askedall’s 3D model of the Falcon, and then let his printer run for over nine days and 21 hours straight.

The machine consumed over six-and-a-half pounds of plastic filament in the process, and thankfully didn’t screw up once, which would have required the entire print to be restarted from scratch. Oh, that’s why no one 3D-prints giant models like this in one pass.

Source: It Took Almost 10 Days to 3D-Print This Giant Millennium Falcon Model

Stanford brainiacs say they can predict Reddit raids

A study [PDF] based on observations from 36,000 subreddit communities has found that online dust-ups can be predicted, and the people most likely to cause them can be identified.

“Our analysis revealed a number of important trends related to conflict on Reddit, with general implications for intercommunity conflict on the web.”

Among the takeaways were that a small group of bad actors are indeed stirring up most of the conflict; around 75 per cent of the raids were triggered by 1 per cent of users.

The study also noted that ignoring the trolls doesn’t always work – conflicts grow worse when users stay within ‘echo chambers’ on their own threads, and long-term traffic losses were lessened when the ‘defending’ users directly confronted the forum intruders rather than keep to themselves.

Perhaps the most important takeaway, however, was that forum conflicts could actually be predicted. The Stanford group say they developed an long short-term memory (LSTM) deep-learning formula that, when trained on the set of Reddit posts and user information gathered over the 40 month period, was able to reliably flag when a conflict or raid was likely to flare up on a subreddit.

Now, the Stanford group says it would like to extend the research to other platforms (such as Facebook and Twitter) and look at areas not addressed in the first report, including forums that restrict negative content.

Source: Stanford brainiacs say they can predict Reddit raids • The Register

Skip to toolbar