ByFlow sells 3D Food Printers in NL

Focus 3D Food Printer

10x food-safe and refillable cartridges.

4 nozzles in 2 different sizes.

5 prepared designs so you can start printing right away.

Access to multiple recipes and designs for 3D Food Printing.

Source: Order your 3D food printer | byFlow

EUR3300,-

Internet of Babies – 52000 baby monitors open for public viewing

Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos“. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research.

Baby monitors serve an important purpose in securing and monitoring our loved ones. Unfortunately, the investigated device “Mi-Cam” from miSafes (and potentially further devices) is affected by a number of critical security vulnerabilities which raise serious security and privacy concerns. An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total of over 52,000 user accounts and video baby monitors are affected (implying a 1:1 distribution of user accounts to video baby monitors). Even worse, neither the vendor nor the CNCERT/CC could be reached for the coordination of our responsible disclosure process. Hence the issues are (up until the publication of this article) not patched and our recommendation is to keep the video baby monitors offline until further notice.

Source: Internet of Babies – When baby monitors fail to be smart | SEC Consult

The “Black Mirror” scenarios that are leading some experts to call for more secrecy on AI – MIT Technology Review

a new report by more than 20 researchers from the Universities of Oxford and Cambridge, OpenAI, and the Electronic Frontier Foundation warns that the same technology creates new opportunities for criminals, political operatives, and oppressive governments—so much so that some AI research may need to be kept secret.

Included in the report, The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation, are four dystopian vignettes involving artificial intelligence that seem taken straight out of the Netflix science fiction show Black Mirror.

Source: The “Black Mirror” scenarios that are leading some experts to call for more secrecy on AI – MIT Technology Review

This is completely ridiculous. The knowledge is out there and if not, will be stolen. In that case, if you don’t know about potential attack vectors, you are completely defenseless against them and so are security firms trying to help you.

Besides this, basing security on Movie Plots you can think up (and I’m pretty sure any reader can think up loads more, quite easily!) doesn’t work, because then you are vulnerable to any of the movie plots the other thought up and you didn’t.

Good security is basic and intrinsic. AI / ML is here and we need a solid discussion in our societies as to how we want it to impact us, instead of all this cold war fear mongering.

IBM Finds Fortune 500 Companies will lose $9 billion to phishing scams in 2018 – this is what these attacks look like

IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. These threat groups successfully used business email compromise (BEC) scams to convince accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
[…]
Business email compromise scams involve taking over or impersonating a trusted user’s email account to target companies that conduct international wire transfers with the goal of diverting payments to an attacker-controlled account.

These attacks are almost entirely based on phishing and social engineering, and are thus attractive to cybercriminals due to their relative simplicity. In most cases, BEC scams involve little to no technical knowledge, malware or special tools.

A recent report by Trend Micro predicted that BEC attacks will comprise over $9 billion in losses in 2018, up from $5.3 billion at the end of 2016. According to the FBI, BEC scams have been reported in every U.S. state and across 131 nations, and have resulted in high-profile arrests.
[…]
The following tactics were common to the attacks examined by X-Force IRIS researchers:

Phishing emails were sent either directly from or spoofed to appear to be from known contacts in the target employee’s address book.

Attackers mimicked previous conversations or inserted themselves into current conversations between business email users.

Attackers masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an “updated” bank account number or beneficiary.

Attackers created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user’s inbox.

In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals.

Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise.
[…]
The BEC scams identified by IBM incident responders consist of two separate but connected goals. The first is to harvest mass amounts of business user credentials, and the second is to use these credentials to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control.

To achieve the first goal, the attackers used credential sets they had already compromised to send a mass phishing email to the user’s internal and external contacts. The phish was often sent to several hundred contacts at a time and was engineered to look legitimate to the spammed contacts.
[…]
To accomplish the second goal, the attackers focused on stolen credentials from companies that use single-factor authentication and an email web portal. For example, companies that only require a username and password for employees to access their Microsoft Office 365 accounts were compromised. Using email web portals ensured the attackers’ ability to complete these attacks online and without compromising the victim’s corporate network. The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts.

Before engaging with any employee, the attackers likely undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
[…]
Since the attackers conducted correspondence from a victim user’s email, they created email rules to keep the victim unaware of the compromise. In cases in which the attackers impersonated the user, the attackers auto-deleted all emails delivered from within the user’s company. They likely did this to prevent the user from seeing any fraudulent correspondence or unusual messages in his or her inbox. Additionally, the attacker auto-forwarded email responses to a different email to read the responses without logging in to the compromised account.

Separately, when attackers used stolen credentials to send mass phishing emails, they simultaneously set up an email rule to filter all responses to the phish, undelivered messages, or messages containing words such as “hacked” or “email” to the user’s RSS feeds folder and marked them as read.
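The inbox rules described above (auto-forwarding replies to an outside address, auto-deleting mail from the victim's own company, and filing replies containing words like “hacked” into the RSS Feeds folder as read) are among the few durable artifacts a BEC intrusion leaves behind, and they are cheap to audit. The following is an added example, not code from IBM X-Force or the article: it audits a list of mailbox rules exported into a simple constructed dict shape (the keys `name`, `conditions` and `actions` are an assumption of this example, not any mail platform's real schema) and flags the four patterns the text names. The sample rules and the tenant domain `example.com` are constructed for the demonstration.

```python
"""Audit mailbox rules for the hiding patterns used in BEC campaigns.

Rule records are a constructed shape for this example; a real deployment
would map the output of its mail platform's rule export into it.
"""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"  # placeholder tenant domain (assumption)

# Words a colleague would use when warning the victim that their mailbox sends phish.
SUSPECT_KEYWORDS = {"hacked", "email", "phish", "phishing", "suspicious"}
# Folders nobody looks at; attackers file replies and bounces there.
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk", "archive"}


@dataclass
class Finding:
    rule: str
    reason: str


def _is_external(address: str, internal_domain: str) -> bool:
    """True if a recipient address does not belong to the tenant's own domain."""
    return "@" in address and not address.lower().endswith("@" + internal_domain)


def _is_internal_sender(pattern: str, internal_domain: str) -> bool:
    """True for sender conditions such as '@example.com' or 'ceo@example.com'."""
    p = pattern.lower()
    return p == internal_domain or p.endswith("@" + internal_domain)


def audit_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Return one Finding per suspicious behaviour found in the rule list."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        cond = rule.get("conditions", {})
        act = rule.get("actions", {})
        folder = act.get("move_to", "").lower()

        # 1. Auto-forward: attacker reads replies without logging in again.
        for addr in act.get("forward_to", []):
            if _is_external(addr, internal_domain):
                findings.append(Finding(name, f"forwards mail to external address {addr}"))

        # 2. Deleting everything from the victim's own company hides the fraud.
        if act.get("delete") and any(_is_internal_sender(s, internal_domain) for s in cond.get("from", [])):
            findings.append(Finding(name, "deletes mail sent from inside the company"))

        # 3. Replies parked in an obscure folder and marked read are never seen.
        if folder in SUSPECT_FOLDERS and act.get("mark_read"):
            findings.append(Finding(name, f"moves mail to '{act['move_to']}' and marks it read"))

        # 4. Keyword filters that bury warnings ("hacked", "email") or bounces.
        words = {w.lower() for w in cond.get("body_contains", []) + cond.get("subject_contains", [])}
        hits = words & SUSPECT_KEYWORDS
        if hits and (act.get("delete") or folder in SUSPECT_FOLDERS):
            findings.append(Finding(name, f"hides messages containing {sorted(hits)}"))
    return findings


def flagged_rule_names(rules, internal_domain=INTERNAL_DOMAIN):
    """Convenience view: sorted names of rules that produced at least one finding."""
    return sorted({f.rule for f in audit_rules(rules, internal_domain)})


# Constructed sample: three rules shaped like the ones in the campaign, one benign.
SAMPLE_RULES = [
    {"name": "Forward replies", "conditions": {},
     "actions": {"forward_to": ["reader@mail-example.net"]}},
    {"name": "Tidy internal mail", "conditions": {"from": ["@example.com"]},
     "actions": {"delete": True}},
    {"name": "Cleanup", "conditions": {"body_contains": ["hacked", "email"],
                                       "subject_contains": ["Undeliverable"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
    {"name": "Newsletters", "conditions": {"from": ["news@vendor-example.org"]},
     "actions": {"move_to": "Newsletters"}},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.rule}: {f.reason}")
```

Run against a real export, the interesting rules are usually the ones the user cannot remember creating; pairing each finding with the rule's creation time and the client that created it turns this from a list into an incident timeline.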

Source: IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies

Glitch on Bitcoin Exchange Drops Prices to Zero Dollars, User Tries to Make Off With Trillions

Zaif, A cryptocurrency exchange in Japan reportedly experienced a temporary glitch last week that suddenly offered investors their pick of coins for the low, low price of zero dollars. Several customers took advantage of the opportunity, but one really ran with it.

According to Reuters, it was possible to buy cryptocurrencies for free on the Zaif exchange for about 20 minutes on February 16th. The exchange reportedly revealed the problem to reporters on Tuesday.
[…]
there’s still one customer that’s putting up a fight over their heavily-discounted purchase. How much did they try to pull out? According to Japanese outlet Asahi Shimbun, one customer apparently “purchased” 2,200 trillion yen worth of bitcoin and proceeded to try to cash it out. That’s about $20 trillion. Considering the fact that Bitcoin has a market cap of just over $183 billion, that sell order really must have confused some traders for a bit.

Reuters points out that the glitch couldn’t have come at a worse time for the Japanese cryptocurrency exchange business. Following the recent $400 million heist at the Japanese exchange Coincheck, two separate industry groups have agreed to form a self-regulating body that would strive to protect investors with stronger safeguards. It would also, presumably, demonstrate to authorities that they don’t need to get involved. The Japanese yen is by far the most exchanged national currency in the Bitcoin world, so attracting regulations would have a global impact.

Source: Glitch on Bitcoin Exchange Drops Prices to Zero Dollars, User Tries to Make Off With Trillions

The Car of the Future Will Sell Your Data

Picture this: You’re driving home from work, contemplating what to make for dinner, and as you idle at a red light near your neighborhood pizzeria, an ad offering $5 off a pepperoni pie pops up on your dashboard screen.

Are you annoyed that your car’s trying to sell you something, or pleasantly persuaded? Telenav Inc., a company developing in-car advertising software, is betting you won’t mind much. Car companies—looking to earn some extra money—hope so, too.

Automakers have been installing wireless connections in vehicles and collecting data for decades. But the sheer volume of software and sensors in new vehicles, combined with artificial intelligence that can sift through data at ever-quickening speeds, means new services and revenue streams are quickly emerging. The big question for automakers now is whether they can profit off all the driver data they’re capable of collecting without alienating consumers or risking backlash from Washington.

“Carmakers recognize they’re fighting a war over customer data,” said Roger Lanctot, who works with automakers on data monetization as a consultant for Strategy Analytics. “Your driving behavior, location, has monetary value, not unlike your search activity.”

Carmakers’ ultimate objective, Lanctot said, is to build a database of consumer preferences that could be aggregated and sold to outside vendors for marketing purposes, much like Google and Facebook do today.
[…]
Telenav, the Silicon Valley company looking to bring pop-up ads to your infotainment screen, has been testing a “freemium” model borrowed from streaming music services to entice drivers to share their data.

Say you can’t afford fancy features like embedded navigation or the ability to start your car through a mobile app. The original automaker will install them for free, so long as you’re willing to tolerate the occasional pop-up ad while idling at a red light. Owners of luxury cars won’t have to suffer such indignities, since the higher price tag paid likely would have already included an internet connection.
[…]
The pop-up car ads could generate an average of $30 annually per vehicle, to be split between Telenav and the automaker. He declined to say whether anyone has signed up for the software, which was just unveiled at CES, but added Telenav is in “deep discussions” with several manufacturers. Because of the long production cycles of the industry, it’ll be about three years before the ads will show up in new models.

Source: The Car of the Future Will Sell Your Data – Bloomberg

Of course they bring in the fear factor; they wouldn’t be honest and talk about the profit factor. As soon as people start trying to scare you, you know they are trying to con you.

Auto executives emphasize that data-crunching will allow them to build a better driving experience—enabling cars to predict flat tires, find a parking space or charging station, or alert city managers to dangerous intersections where there are frequent accidents. Data collection could even help shield drivers from crime, Ford Motor Co.’s chief executive officer said last month at the CES technology trade show.

“If a robber got in the car and took off, would you want us to know where that robber went to catch him?” Jim Hackett asked the audience during a keynote in Las Vegas. “Are you willing to trade that?”

You spend huge amounts on a car; I really, really don’t want it sending information back to the maker, much less having the maker sell that data!

Tesla accused of knowingly selling defective vehicles in new lawsuit

A former Tesla employee claims the company knowingly sold defective cars, often referred to as “lemons,” and that he was demoted and eventually fired after reporting the practice to his superiors. He made these allegations in a lawsuit filed in late January in New Jersey Superior Court under the Conscientious Employee Protection Act (CEPA).

The former employee, Adam Williams, worked for Tesla as a regional manager in New Jersey dating back to late 2011. While there, he says he watched the company fail “to disclose to consumers high-dollar, pre-delivery damage repairs” before delivering its vehicles, according to the complaint. Instead, he says the company sold these cars as “used,” or labeled as “demo/loaner” vehicles.
[…]
This is not the first time Tesla has dealt with a lawsuit that involved accusations of lemon law issues. The company settled a lawsuit with a Model X owner in 2016 who complained about problems with the doors and software of his vehicle.

Source: Tesla accused of knowingly selling defective vehicles in new lawsuit – The Verge

Ouch. Sounds like something Musk would do though.

Game industry pushes back against efforts to restore gameplay servers

A group of video game preservationists wants the legal right to replicate “abandoned” servers in order to re-enable defunct online multiplayer gameplay for study. The game industry says those efforts would hurt their business, allow the theft of their copyrighted content, and essentially let researchers “blur the line between preservation and play.”

Both sides are arguing their case to the US Copyright Office right now, submitting lengthy comments on the subject as part of the Copyright Register’s triennial review of exemptions to the Digital Millennium Copyright Act (DMCA). Analyzing the arguments on both sides shows how passionate both industry and academia are about the issue, and how mistrust and misunderstanding seem to have infected the debate.

Source: Game industry pushes back against efforts to restore gameplay servers | Ars Technica

That’s the problem with the Cloud(tm). IMHO you paid for the game and thus should have the right to play it, also after the games company takes down the server hosting it. If the game industry doesn’t like it, they should keep the servers up. Maybe that’s the case they should argue: once you sell a server-centralised game, you are obligated to keep the server up in perpetuity.

uTorrent file-swappers urged to upgrade after PC hijack flaws sort of fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software.

If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site can connect to your uTorrent app and leverage it to potentially rifle through your downloaded files or run malware.

The flaws were found by Googler Tavis Ormandy: he spotted and reported the vulnerabilities in BitTorrent’s uTorrent Classic and uTorrent Web apps in early December. This month, BitTorrent began emitting new versions of these products for people to install by hand or via the built-in update mechanism. These corrected builds were offered first as beta releases, and in the coming days will be issued as official updates, we’re told.

Look out for version 3.5.3.44352 or higher of the desktop flavor, or version 0.12.0.502 and higher of the Spotify-styled Web build.

The latest classic desktop app looks to be secured. However, Ormandy was skeptical the uTorrent Web client had been fully fixed, believing the software to still be vulnerable to attack. On Wednesday this week, he went public with his findings since he had, by this point, given BitTorrent three months to address their coding cockup.

“The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway,” Ormandy wrote in his advisory.

“I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch. We’ve done all we can to give BitTorrent adequate time, information and feedback, and the issue remains unsolved.”

Source: uTorrent file-swappers urged to upgrade after PC hijack flaws fixed • The Register

Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders

When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is legit owner of that account.

Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account Kit’s website. Account Kit verifies the code is correct, and if it is, issues Tinder an authorization token, allowing the login attempt to complete.

It’s a simple, easy, and supposedly secure password-less system: your Tinder account is linked to your phone number, and as long as you can receive texts to that number, you can log into your Tinder account.

However, Appsecure founder Anand Prakash discovered Account Kit didn’t check whether the confirmation code was correct when the toolkit’s software interface – its API – was used in a particular way. Supplying a phone number as a “new_phone_number” parameter in an API call over HTTP skipped the verification code check, and the kit returned a valid “aks” authorization token.

Thus, you could supply anyone’s phone number to Account Kit, and it would return a legit “aks” access token as a cookie in the API’s HTTP response. That’s not great.
Prepare for trouble, and make it double

Now to Tinder. The app’s developers forgot to check the client ID number in the login token from Account Kit, meaning it would accept the aforementioned “aks” cookie as a legit token. Thus it was possible to create an authorization token belonging to a stranger from Account Kit, and then send it to Tinder’s app to log in as that person.

All you’d need is a victim’s phone number, and bam, you’re in their Tinder profile, reading their saucy messages between hookups or discovering how much of an unloved sad sack they were, and setting up dates.

Source: Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders • The Register

Coinbase empties bank accounts without consent

Digital currency exchange Coinbase said it inadvertently charged punters for transactions they never made, effectively draining money from their bank accounts. It has promised to refund the money taken.

For the last few days, netizens have been complaining that funds had vanished from bank accounts linked to Coinbase without reason. Some people report multiple charges being made that drained their accounts and left them with heavy overcharge fees and the inability to pay bills and rent.

“We can confirm that the unexpected charges are originating from our payment processing network, and are related to charges from previous purchases,” a company rep called Olga said on Reddit.

“To the best of our knowledge, these unexpected charges are not permanent and are in the process of being refunded. We apologize for the poor experience.”

Rather bizarrely the post also asks those people affected by the errors to post up details of the transactions, including their location, the bank used, the number of bogus charges and the case number from the bank. From a security situation that’s very poor practice indeed.

Source: Oh sh-itcoin! Crypto-dosh swap-shop Coinbase empties punters’ bank accounts • The Register

Electronics-recycling innovator faces prison for trying to extend computers’ lives

Eric Lundgren is obsessed with recycling electronics.

He built an electric car out of recycled parts that far outdistanced a Tesla in a test. He launched what he thinks is the first “electronic hybrid recycling” facility in the United States, which turns discarded cellphones and other electronics into functional devices, slowing the stream of harmful chemicals and metals into landfills and the environment. His Chatsworth company processes more than 41 million pounds of e-waste each year and counts IBM, Motorola and Sprint among its clients.

But an idea Lundgren had to prolong the life of personal computers could land him in prison.

Prosecutors said the 33-year-old ripped off Microsoft Corp. by manufacturing 28,000 counterfeit discs with the company’s Windows operating system on them. He was convicted of conspiracy and copyright infringement, which brought a 15-month prison sentence and a $50,000 fine.

In a rare move though, a federal appeals court has granted an emergency stay of the sentence, giving Lundgren another chance to make his argument that the whole thing was a misunderstanding. Lundgren does not deny that he made the discs or that he hoped to sell them. But he says this was no profit-making scheme. By his account, he just wanted to make it easier to extend the usefulness of secondhand computers — keeping more of them out of the trash.

The case centers on “restore discs,” which can be used only on computers that already have the licensed Windows software and can be downloaded free from the computer’s manufacturer, in this case Dell. The discs are routinely provided to buyers of new computers to enable them to reinstall their operating systems if the computers’ hardware fails or must be wiped clean. But they often are lost by the time used computers find their way to a refurbisher.

Lundgren said he thought electronics companies wanted the reuse of computers to be difficult so that people would buy new ones. “I started learning what planned obsolescence was,” he said, “and I realized companies make laptops that only lasted as long as the insurance would last. It infuriated me. That’s not what a healthy society should have.”

He thought that producing and selling restore discs to computer refurbishers — saving them the hassle of downloading the software and burning new discs — would encourage more secondhand sales. In his view, the new owners were entitled to the software, and this just made it easier.

The government, and Microsoft, did not see it that way. Federal prosecutors in Florida obtained a 21-count indictment against Lundgren and his business partner, and Microsoft filed a letter seeking $420,000 in restitution for lost sales. Lundgren claims that the assistant U.S. attorney on the case told him, “Microsoft wants your head on a platter and I’m going to give it to them.”
[…]
In 2013, federal authorities intercepted shipments of 28,000 restore discs that Lundgren had manufactured in China and sent to his sales partner in Florida. The discs had labels nearly identical to the discs provided by Dell for its computers and had the Windows and Dell logos. “If I had just written ‘Eric’s Restore Disc’ on there, it would have been fine,” Lundgren said.

As a result of violating the copyright of Windows and Dell, Lundgren pleaded guilty to two of the 21 counts against him. But he believed that because the discs had no retail value and were seized before they were sold, he would not receive any prison time. His sentence was based on the financial loss involved.

Source: Electronics-recycling innovator faces prison for trying to extend computers’ lives

Russians behind bars in US after nicking $300m+ in credit-card hacks

Two Russian criminals have been sent down in America after pleading guilty to helping run the largest credit-card hacking scam in US history.

Muscovites Vladimir Drinkman, 37, and Dmitriy Smilianets, 34, ran a massive criminal ring that spent months hacking companies to get hold of credit and debit card information. They then sold it online to the highest bidders, who then recouped their investment by ripping off companies and citizens around the world.

”Drinkman and Smilianets not only stole over 160 million credit card numbers from credit card processors, banks, retailers, and other corporate victims, they also used their bounty to fuel a robust underground market for hacked information,” said acting assistant attorney general John Cronan on Thursday.
[…]
Rytikov, prosecutors allege, acted as the group’s ISP, supplying internet access that the gang knew would be unlogged and unrecorded. Smilianets handled the sales side, working dark web forums to find buyers for the cards at a cost of $50 per EU card, $10 for American accounts, and $15 for Canadian credit cards.

NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard were among the victims of the gang, the Feds claim. The final cost is difficult to estimate but just three of the companies targeted reported losses of over $300m thanks to the gang.

Source: Russians behind bars in US after nicking $300m+ in credit-card hacks • The Register

Cleaning products as large a source of urban air pollution as cars

Household cleaners, paints and perfumes have become substantial sources of urban air pollution as strict controls on vehicles have reduced road traffic emissions, scientists say.

Researchers in the US looked at levels of synthetic “volatile organic compounds”, or VOCs, in roadside air in Los Angeles and found that as much came from industrial and household products refined from petroleum as from vehicle exhaust pipes.

The compounds are an important contributor to air pollution because when they waft into the atmosphere, they react with other chemicals to produce harmful ozone or fine particulate matter known as PM2.5. Ground level ozone can trigger breathing problems by making the airways constrict, while fine airborne particles drive heart and lung disease.

In Britain and the rest of Europe, air pollution is more affected by emissions from diesel vehicles than in the US, but independent scientists said the latest work still highlighted an important and poorly understood source of pollution that is currently unregulated.

“This is about all those bottles and containers in your kitchen cabinet below the sink and in the bathroom. It’s things like cleaners, personal products, paints and glues,” said Joost de Gouw, an author on the study at the University of Colorado in Boulder.

Source: Cleaning products a big source of urban air pollution, say scientists | Environment | The Guardian

Koinz Trading Bitcoin mining pyramid game enters receivership

At least 60 people fell for Koinz Trading, which claimed to buy and run a BTC miner for you for the price of EUR 6100 + EUR 23 per month. Payments stopped in September. Rumor has it that the founder Barry van Mourik was selling the computers to pay for his debts.

At least sixty victims of Koinz Trading, the Dutch company that had promised customers so-called Miners S9 machines, have almost certainly lost their money. The company was declared bankrupt by the court in Amsterdam on Wednesday. The police have received dozens of complaints.

Source: Bitcoin factory Koinz Trading bankrupt – Emerce

IBM Watson to generate sales solutions

“We’ve trained Watson on our standard solutions and offerings, plus all the prior solutions IBM has designed for large enterprises,” the corporate files state. “This means we can review a client’s RFP [request for proposal] and come up with a new proposed architecture and technical solution design for a state of the art system that can run enterprise businesses at scale.” Proposed solutions will be delivered “in minutes,” it is claimed.
[…]
IBM is not leaving all the work to Watson: a document we’ve seen also details “strong governance processes to ensure high quality solutions are delivered globally.”

Big Blue’s explanation for cognitive, er, solutioning’s role is that it will be “greatly aiding the work of the Technical Solutions Managers” rather than replacing them.

Source: If you don’t like what IBM is pitching, blame Watson: It’s generating sales ‘solutions’ now • The Register

EU Commission wants to spy on and filter your uploads.

The European Commission wants an upload filter against illegal content. This is apparent from the draft Recommendation of the European Commission on the due-diligence obligations of (legal) online platforms, leaked in recent days, from which the BREIN foundation quotes.

Source: European Commission wants upload filter against illegal content – Emerce

Apple Is Rushing to Fix the Telugu Bug as Assholes Use It to ‘Bomb’ People’s iPhones and Macs

While many bugs are relatively benign, often getting patched before the user knows anything is wrong, the latest plague to hit Apple devices is already wreaking havoc on internet.

The issue, which has become known as the Telugu bug, gives people the ability to crash a wide range of iPhone, Mac, and iPad apps just by sending a single character from the third most spoken language in India.

To help address the situation, Apple says it’s already working on a patch that will fix the bug, which should arrive in the form of an intermediary update before iOS 11.3 (which is currently in beta) gets officially released.

However, in the meantime, some more mean-spirited users have taken to using the Telugu symbol to “bomb” other people’s devices. Motherboard has reported that by adding the symbol to a user’s Twitter name, you can crash the iOS Twitter app simply by liking someone’s tweet. And while it’s possible to address the issue by uninstalling and reinstalling the Twitter app, there’s not much stopping the same person from liking another tweet and causing the app to go haywire again.

Others have gotten even more devious, such as a security researcher who added the symbol to his Uber handle, which would crash the app anytime a driver with an iPhone tried to pick them up. And then there’s Darren Martyn, who posted a video on Twitter where he crashes people’s Mac networking app after he added the Telugu symbol to the name of a Wi-Fi network.

Source: Apple Is Rushing to Fix the Telugu Bug as Assholes Use It to ‘Bomb’ People’s iPhones and Macs

A Hacker Has Wiped a Spyware Company’s Servers—Again

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again.

Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners’ and children’s phones in order to spy on them. This software has been called “stalkerware” by some. This spyware allows people to have practically full access to the smartphone or computer of their targets. Whoever controls the software can see the photos the target snaps with their phone, read their text messages, or see what websites they go to, and track their location.

Source: A Hacker Has Wiped a Spyware Company’s Servers—Again – Motherboard

Yay to the hackers!

macOS may lose data on APFS-formatted disk images

This week we reported to Apple a serious flaw in macOS that can lead to data loss when using an APFS-formatted disk image. Until Apple issues a macOS update that resolves this problem, we’re dropping support for APFS-formatted disk images.

Note: What I describe below applies to APFS sparse disk images only — ordinary APFS volumes (e.g. your SSD startup disk) are not affected by this problem. While the underlying problem here is very serious, this is not likely to be a widespread problem, and will be most applicable to a small subset of backups. Disk images are not used for most backup task activity, they are generally only applicable when making backups to network volumes. If you make backups to network volumes, read on to learn more.
[…]
Earlier this week I noticed that an APFS-formatted sparsebundle disk image volume showed ample free space, despite the fact that the underlying disk was completely full. Curious, I copied a video file to the disk image volume to see what would happen. The whole file copied without error! I opened the file, verified that the video played back start to finish, checksummed the file – as far as I could tell, the file was intact and whole on the disk image. When I unmounted and remounted the disk image, however, the video was corrupted.

Source: macOS may lose data on APFS-formatted disk images | Carbon Copy Cloner | Bombich Software

Missing data hinder replication of artificial intelligence studies

Last year, computer scientists at the University of Montreal (U of M) in Canada were eager to show off a new speech recognition algorithm, and they wanted to compare it to a benchmark, an algorithm from a well-known scientist. The only problem: The benchmark’s source code wasn’t published. The researchers had to recreate it from the published description. But they couldn’t get their version to match the benchmark’s claimed performance, says Nan Rosemary Ke, a Ph.D. student in the U of M lab. “We tried for 2 months and we couldn’t get anywhere close.”
[…]
The most basic problem is that researchers often don’t share their source code. At the AAAI meeting, Odd Erik Gundersen, a computer scientist at the Norwegian University of Science and Technology in Trondheim, reported the results of a survey of 400 algorithms presented in papers at two top AI conferences in the past few years. He found that only 6% of the presenters shared the algorithm’s code. Only a third shared the data they tested their algorithms on, and just half shared “pseudocode”—a limited summary of an algorithm. (In many cases, code is also absent from AI papers published in journals, including Science and Nature.)
[…]
Assuming you can get and run the original code, it still might not do what you expect. In the area of AI called machine learning, in which computers derive expertise from experience, the training data for an algorithm can influence its performance. Ke suspects that not knowing the training for the speech-recognition benchmark was what tripped up her group. “There’s randomness from one run to another,” she says. You can get “really, really lucky and have one run with a really good number,” she adds. “That’s usually what people report.”
[…]
Henderson’s experiment was conducted in a test bed for reinforcement learning algorithms called Gym, created by OpenAI, a nonprofit based in San Francisco, California. John Schulman, a computer scientist at OpenAI who helped create Gym, says that it helps standardize experiments. “Before Gym, a lot of people were working on reinforcement learning, but everyone kind of cooked up their own environments for their experiments, and that made it hard to compare results across papers,” he says.

IBM Research presented another tool at the AAAI meeting to aid replication: a system for recreating unpublished source code automatically, saving researchers days or weeks of effort. It’s a neural network—a machine learning algorithm made of layers of small computational units, analogous to neurons—that is designed to recreate other neural networks. It scans an AI research paper looking for a chart or diagram describing a neural net, parses those data into layers and connections, and generates the network in new code. The tool has now reproduced hundreds of published neural networks, and IBM is planning to make them available in an open, online repository.

Source: Missing data hinder replication of artificial intelligence studies | Science | AAAS

A phishing attack scored credentials for more than 50,000 Snapchat users

In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords.

The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website.
[…]
Snap says it uses machine-learning techniques to look for suspicious links being sent within the app, and proactively blocks thousands of suspicious URLs per year. Users who were affected by the July attack were notified that their passwords had been reset via an email from the company.

In the July case, the company noticed that a single device had been logging into a large number of accounts and began flagging it as suspicious. But thousands of accounts had already been compromised.
[…]
It is unclear how long the attack went on, or when the Dominican Republic attack had begun. But by the morning of July 24th, Google had blocked klkviral.org from appearing in search results and flagged it as a malicious site for people trying to visit it. (Snap works with Google and other tech companies to maintain a list of known malicious sites.)

The accounts compromised in July represent a tiny fraction of Snap’s 187 million active users. But the incident illustrates how sites set up to mimic login screens can do an outsized amount of damage — and how companies must increasingly rely on machine-learning techniques to identify them in real time.

Source: A phishing attack scored credentials for more than 50,000 Snapchat users – The Verge
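One way to implement the detection heuristic the article describes (a single device logging into an unusually large number of accounts), as an added Python example that is not part of the Verge article or of Snap's own systems; the log format, device ids, ten-minute window and threshold of more than four distinct accounts are constructed assumptions:

```python
"""Added example: flag a device that authenticates into many distinct
accounts within a short window, the pattern the article says Snap used
to spot the July incident. Log format, device ids, window and threshold
are constructed assumptions, not Snap's real values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: "<ISO timestamp> <device_id> <username> <result>"
SAMPLE_LOG = """\
2017-07-23T22:01:05 dev-a1 alice ok
2017-07-23T22:01:09 dev-a1 bob ok
2017-07-23T22:01:14 dev-a1 carol ok
2017-07-23T22:01:20 dev-a1 dave fail
2017-07-23T22:01:31 dev-a1 erin ok
2017-07-23T22:02:02 dev-a1 frank ok
2017-07-23T22:10:00 dev-b2 alice ok
2017-07-23T23:30:00 dev-c3 grace ok
2017-07-24T01:00:00 dev-c3 heidi ok
"""


def parse_events(text):
    """Parse log lines into (timestamp, device_id, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, user, result = line.split()
        events.append((datetime.fromisoformat(ts), device, user, result))
    return events


def flag_devices(events, window=timedelta(minutes=10), max_accounts=4):
    """Return {device_id: set_of_accounts} for every device that logged in
    successfully to more than max_accounts distinct accounts inside any
    sliding window of the given length. Failed attempts are ignored here;
    a stricter variant could count them too."""
    by_device = defaultdict(list)
    for ts, device, user, result in events:
        if result == "ok":
            by_device[device].append((ts, user))
    flagged = {}
    for device, logins in by_device.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - start <= window}
            if len(users) > max_accounts:
                flagged[device] = users
                break
    return flagged
```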

Pirates Crack Microsoft’s UWP Protection, Five Layers of DRM Defeated

Video games pirates have reason to celebrate today after scene cracking group CODEX defeated Microsoft’s Universal Windows Platform system on Zoo Tycoon Ultimate Animal Collection. While the game it was protecting isn’t exactly a fan favorite, it was reportedly protected by five layers of DRM within the UWP package, including the Denuvo-like Arxan anti-tamper technology.
[…]
After being released on October 31, 2017, the somewhat underwhelming Zoo Tycoon Ultimate Animal Collection became the first victim at the hands of popular scene group, CODEX.
[…]
CODEX did reveal that various layers of protection had to be bypassed to make the game work. They’re listed by the group as MSStore, UWP, EAppX, XBLive, and Arxan, the latter being an anti-tamper system.

“It’s the equivalent of Denuvo (without the DRM License part),” cracker Voksi previously explained. “It still bloats the executable with useless virtual machines that only slow down your game.”

Source: Pirates Crack Microsoft’s UWP Protection, Five Layers of DRM Defeated – TorrentFreak

When will people learn that DRM will always be defeated by annoyed users?

New scanning technique reveals secrets behind great paintings

Researchers in the US have used a new scanning technique to discover a painting underneath one of Pablo Picasso’s great works of art, the Crouching Woman (La Misereuse Accroupie).

Underneath the oil painting is a landscape of Barcelona which, it turns out, Picasso used as the basis of his masterpiece.

The new x-ray fluorescence system is cheaper than alternative art scanning systems – and it is portable, making it available to any gallery that wants it.
[…]
Until now scanning was only for the greatest of great works of art – and for the wealthiest galleries.

This new system can be used by anyone to find the story behind any painting they are interested in.

Source: New scanning technique reveals secrets behind great paintings – BBC News

Facebook admits SMS notifications sent using two-factor number was caused by bug

The issue, which may have persisted for months or perhaps even longer, was flagged by Bay Area software engineer Gabriel Lewi, who tweeted about it earlier this week. Prominent technology critic and sociologist Zeynep Tufekci then used the situation as a springboard to criticize Facebook’s alleged unethical behavior, thinking the 2FA notifications may have been an intentional method for Facebook to boost user engagement.

“I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past,” Stamos writes in the blog post. “We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”

Source: Facebook admits SMS notifications sent using two-factor number was caused by bug – The Verge

A bit worrying when your two-factor security system starts acting up on its own and sending messages randomly.
