Senators to Google: Why didn’t you disclose massive Google+ vulnerability sooner? Oh, and why can’t you Google the breach itself?

3 GOP senators want Google to give answers over data leak that affected 500,000 users.

Source: Senators to Google: Why didn’t you disclose Google+ vulnerability sooner?

It’s only three senators, and chances are you haven’t heard of the massive data breach, affecting millions, that Google suffered and didn’t report. Interestingly, if you try to Google the breach you get loads of hits on Google’s bug reporting program, but almost nothing on the breach. Google has done an astoundingly good job of keeping this under their hats.

The US military wants to teach AI some basic common sense

Wherever artificial intelligence is deployed, you will find it has failed in some amusing way. Take the strange errors made by translation algorithms that confuse having someone for dinner with, well, having someone for dinner.

But as AI is used in ever more critical situations, such as driving autonomous cars, making medical diagnoses, or drawing life-or-death conclusions from intelligence information, these failures will no longer be a laughing matter. That’s why DARPA, the research arm of the US military, is addressing AI’s most basic flaw: it has zero common sense.

“Common sense is the dark matter of artificial intelligence,” says Oren Etzioni, CEO of the Allen Institute for AI, a research nonprofit based in Seattle that is exploring the limits of the technology. “It’s a little bit ineffable, but you see its effects on everything.”

DARPA’s new Machine Common Sense (MCS) program will run a competition that asks AI algorithms to make sense of questions like this one:

A student puts two identical plants in the same type and amount of soil. She gives them the same amount of water. She puts one of these plants near a window and the other in a dark room. The plant near the window will produce more (A) oxygen (B) carbon dioxide (C) water.

A computer program needs some understanding of the way photosynthesis works in order to tackle the question. Simply feeding a machine lots of previous questions won’t solve the problem reliably.

These benchmarks will focus on language because it can so easily trip machines up, and because it makes testing relatively straightforward. Etzioni says the questions offer a way to measure progress toward common-sense understanding, which will be crucial.

Tech companies are busy commercializing machine-learning techniques that are powerful but fundamentally limited. Deep learning, for instance, makes it possible to recognize words in speech or objects in images, often with incredible accuracy. But the approach typically relies on feeding large quantities of labeled data—a raw audio signal or the pixels in an image—into a big neural network. The system can learn to pick out important patterns, but it can easily make mistakes because it has no concept of the broader world.

Source: The US military wants to teach AI some basic common sense – MIT Technology Review

Google’s AI Bots Invent New Legs to Scamper Through Obstacle Courses

Using a technique called reinforcement learning, a researcher at Google Brain has shown that virtual robots can redesign their body parts to help them navigate challenging obstacle courses—even if the solutions they come up with are completely bizarre.

Embodied cognition is the idea that an animal’s cognitive abilities are influenced and constrained by its body plan. This means a squirrel’s thought processes and problem-solving strategies will differ somewhat from the cogitations of octopuses, elephants, and seagulls. Each animal has to navigate its world in its own special way using the body it’s been given, which naturally leads to different ways of thinking and learning.

“Evolution plays a vital role in shaping an organism’s body to adapt to its environment,” David Ha, a computer scientist and AI expert at Google Brain, explained in his new study. “The brain and its ability to learn is only one of many body components that is co-evolved together.”

[…]

Using the OpenAI Gym framework, Ha was able to provide an environment for his walkers. This framework looks a lot like an old-school, 2D video game, but it uses sophisticated virtual physics to simulate natural conditions, and it’s capable of randomly generating terrain and other in-game elements.

As for the walker, it was endowed with a pair of legs, each consisting of an upper and lower section. The bipedal bot had to learn how to navigate through its virtual environment and improve its performance over time. Researchers at DeepMind conducted a similar experiment last year, in which virtual bots had to learn how to walk from scratch and navigate through complex parkour courses. The difference here is that Ha’s walkers had the added benefit of being able to redesign their body plan—or at least parts of it. The bots could alter the lengths and widths of their four leg sections to a maximum of 75 percent of the size of the default leg design. The walkers’ pentagon-shaped head could not be altered, serving as cargo. Each walker used a digital version of LIDAR to assess the terrain immediately in front of it, which is why (in the videos) they appear to shoot a thin laser beam at regular intervals.

Using reinforcement-learning algorithms, the bots were given around a day or two to devise their new body parts and come up with effective locomotion strategies, which together formed a walker’s “policy,” in the parlance of AI researchers. The learning process is similar to trial-and-error, except the bots, via reinforcement learning, are rewarded when they come up with good strategies, which then leads them toward even better solutions. This is why reinforcement learning is so powerful—it speeds up the learning process as the bots experiment with various solutions, many of which are unconventional and unpredictable by human standards.

Left: An unmodified walker joyfully skips through easy terrain. Right: With training, a self-modified walker chose to hop instead.
GIF: David Ha/Google Brain/Gizmodo

For the first test (above), Ha placed a walker in a basic environment with no obstacles and gently rolling terrain. Using its default body plan, the bot adopted a rather cheerful-looking skipping locomotion strategy. After the learning stage, however, it modified its legs such that they were thinner and longer. With these modified limbs, the walker used its legs as springs, quickly hopping across the terrain.

The walker chose a strange body plan and an unorthodox locomotion strategy for traversing challenging terrain.
GIF: David Ha/Google Brain/Gizmodo

The introduction of more challenging terrain (above), such as having to walk over obstacles, travel up and down hills, and jump over pits, introduced some radical new policies, namely the invention of an elongated rear “tail” with a dramatically thickened end. Armed with this configuration, the walkers hopped successfully around the obstacle course.

By this point in the experiment, Ha could see that reinforcement learning was clearly working. Allowing a walker “to learn a better version of its body obviously enables it to achieve better performance,” he wrote in the study.

Not content to stop there, Ha played around with the idea of motivating the walkers to adopt some design decisions that weren’t necessarily beneficial to its performance. The reason for this, he said, is that “we may want our agent to learn a design that utilizes the least amount of materials while still achieving satisfactory performance on the task.”

The tiny walker adopted a very familiar gait when faced with easy terrain.
GIF: David Ha/Google Brain/Gizmodo

So for the next test, Ha rewarded an agent for developing legs that were smaller in area (above). With the bot motivated to move efficiently across the terrain, and using the tiniest legs possible (it no longer had to adhere to the 75 percent rule), the walker adopted a rather conventional bipedal style while navigating the easy terrain (it needed just 8 percent of the leg area used in the original design).

The walker struggled to come up with an effective body plan and locomotion style when it was rewarded for inventing small leg sizes.
GIF: David Ha/Google Brain/Gizmodo

But the walker really struggled to come up with a sensible policy when having to navigate the challenging terrain. In the example shown above, which was the best strategy it could muster, the walker used 27 percent of the area of its original design. Reinforcement learning is good, but it’s no guarantee that a bot will come up with something brilliant. In some cases, a good solution simply doesn’t exist.

Source: Google’s AI Bots Invent Ridiculous New Legs to Scamper Through Obstacle Courses

EU hijacking: self-driving car data will be copyrighted…by the manufacturer – not to be released by drivers / engineers / researchers / mechanics

Today, the EU held a routine vote on regulations for self-driving cars, when something decidedly out of the ordinary happened…

The autonomous vehicle rules contained a clause that affirmed that “data generated by autonomous transport are automatically generated and are by nature not creative, thus making copyright protection or the right on databases inapplicable.”

This is pretty inoffensive stuff. Copyright protects creative work, not factual data, and the telemetry generated by your car — self-driving or not — is not copyrighted.

But just before the vote, members of the European People’s Party (the same bloc that pushed through the catastrophic new Copyright Directive) stopped the proceedings with a rare “roll call” and voted down the clause.

In other words, they’ve snuck in a space for the telemetry generated by autonomous vehicles to become someone’s property. This is data that we will need to evaluate the safety of autonomous vehicles, to fine-tune their performance, to ensure that they are working as the manufacturer claims — data that will not be public domain (as copyright law dictates), but will instead be someone’s exclusive purview, to release or withhold as they see fit.

Who will own this data? It’s unlikely that it will be the owners of the vehicles. Just look at the data generated by farmers who own John Deere tractors. These tractors create a wealth of soil data, thanks to humidity sensors, location sensors and torque sensors — a centimeter-accurate grid of soil conditions in the farmer’s own field.

But all of that data is confiscated by John Deere, locked up behind the company’s notorious DRM and only made available in fragmentary form to the farmer who generated it (it comes bundled with the app that you get if you buy Monsanto seed) — meanwhile, the John Deere company aggregates the data for sale into the crop futures market.

It’s already the case that most auto manufacturers use license agreements and DRM to lock up your car so that you can’t fix it yourself or take it to an independent service center. The aggregated data from millions of self-driving cars across the EU aren’t just useful to public safety analysts, consumer rights advocates, security researchers and reviewers (who would benefit from this data living in the public domain) — it is also a potential gold-mine for car manufacturers who could sell it to insurers, market researchers and other deep-pocketed corporate interests who can profit by hiding that data from the public who generate it and who must share their cities and streets with high-speed killer robots.

Source: EU hijacking: self-driving car data will be copyrighted…by the manufacturer / Boing Boing

Ancestry Sites Could Soon Expose Nearly Anyone’s Identity, Researchers Say

Genetic testing has helped plenty of people gain insight into their ancestry, and some services even help users find their long-lost relatives. But a new study published this week in Science suggests that the information uploaded to these services can be used to figure out your identity, regardless of whether you volunteered your DNA in the first place.

The researchers behind the study were inspired by the recent case of the alleged Golden State Killer.

Earlier this year, Sacramento police arrested 72-year-old Joseph James DeAngelo for a wave of rapes and murders allegedly committed by DeAngelo in the 1970s and 1980s. And they claimed to have identified DeAngelo with the help of genealogy databases.

Traditional forensic investigation relies on matching certain snippets of DNA, called short tandem repeats, to a potential suspect. But these snippets only allow police to identify a person or their close relatives in a heavily regulated database. Thanks to new technology, the investigators in the Golden State Killer case isolated the genetic material that’s now collected by consumer genetic testing companies from the suspected killer’s DNA left behind at a crime scene. Then they searched for DNA matches within these public databases.

This information, coupled with other historical records, such as newspaper obituaries, helped investigators create a family tree of the suspect’s ancestors and other relatives. After zeroing in on potential suspects, including DeAngelo, the investigators collected a fresh DNA sample from DeAngelo—one that matched the crime scene DNA perfectly.

But while the detective work used to uncover DeAngelo’s alleged crimes was certainly clever, some experts in genetic privacy have been worried about the grander implications of this method. That includes Yaniv Erlich, a computer engineer at Columbia University and chief science officer at MyHeritage, an Israel-based ancestry and consumer genetic testing service.

Erlich and his team wanted to see how easy it would be in general to use the method to find someone’s identity by relying on the DNA of distant and possibly unknown family members. So they looked at more than 1.2 million anonymous people who had gotten testing from MyHeritage, and specifically excluded anyone who had immediate family members also in the database. The idea was to figure out whether a stranger’s DNA could indeed be used to crack your identity.

They found that more than half of these people had distant relatives—meaning third cousins or further—who could be spotted in their searches. For people of European descent, who made up 75 percent of the sample, the hit rate was closer to 60 percent. And for about 15 percent of the total sample, the authors were also able to find a second cousin.

Much like the Golden State investigators, the team found they could trace back someone’s identity in the database with relative ease by using these distant relatives and other demographic but not overly specific information, such as the target’s age or possible state residence.

[…]

According to the researchers, it will take only about 2 percent of an adult population having their DNA profiled in a database before it becomes theoretically possible to trace any person’s distant relatives from a sample of unknown DNA—and therefore, to uncover their identity. And we’re getting ever closer to that tipping point.

“Once we reach 2 percent, nearly everyone will have a third cousin match, and a substantial amount will have a second cousin match,” Erlich explained. “My prediction is that for people of European descent, we’ll reach that threshold within two or three years.”

[…]

What this means for you: If you want to protect your genetic privacy, the best thing you can do is lobby for stronger legal protections and regulations. Because whether or not you’ve ever submitted your DNA for testing, someone, somewhere, is likely to be able to pick up your genetic trail.

Source: Ancestry Sites Could Soon Expose Nearly Anyone’s Identity, Researchers Say

Stanford AI bot to negotiate sales for you with Craigslist

Artificially intelligent bots are notoriously bad at communicating with, well, anything. Conversations with the code, whether it’s between themselves or with people, often go awry, and veer off topic. Grammar goes out the window, and sentences become nonsensical.

[…]

Well, a group of researchers at Stanford University in the US have figured out how to, in theory, prevent that chaos and confusion from happening. In an experiment, they trained neural networks to negotiate when buying stuff in hypothetical situations, mimicking the process of scoring and selling stuff on sites like Craigslist or Gumtree.

Here’s the plan: sellers post adverts trying to get rid of their old possessions. Buyers enquire about the condition of the items, and if a deal is reached, both parties arrange a time and place to exchange the item for cash.

Here’s an example of a conversation between a human, acting as a seller, and a Stanford-built bot, as the buyer:


Example of a bot (A) interacting with a human (B) to buy a Fitbit. Image credit: He et al.

The dialogue is a bit stiff, and the grammar is wrong in places, but it does the job even though no deal is reached. The team documented their work in this paper, here [PDF], which came to our attention this week.

The trick is to keep the machines on topic and stop them from generating gibberish. The researchers used supervised learning and reinforcement learning together with hardcoded rules to force the bots to stay on task.

The system is broadly split into three parts: a parser, a manager and a generator. The parser inspects keywords that signify a specific action that is being taken. Next, the manager stage chooses how the bot should respond. These actions, dubbed “coarse dialogue acts”, guide the bot through the negotiation task so it knows when to inquire, barter a price, agree or disagree. Finally, the generator produces the response to keep the dialogue flowing.


Diagram of how the system works. The interaction is split into a series of coarse dialogue acts, the manager chooses what action the bot should take, and a generator spits out words for the dialogue. Image credit: He et al.

In the reinforcement learning method, the bots are encouraged to reach a deal and penalized with a negative reward when they fail to reach an agreement. The researchers train the bot by collecting 6,682 dialogues between humans working on the Amazon Mechanical Turk platform.

They call it the Craigslist Negotiation Dataset since they modeled the scenarios by scraping postings for the items in the six most popular categories on Craigslist. These include items filed under housing, furniture, cars, bikes, phones and electronics.

The conversations are represented as a sequence of actions, or coarse dialogue acts. A long short-term memory network (LSTM) encodes the coarse dialogue act and another LSTM decodes it.

The manager part chooses the appropriate response. For example, it can propose a price, argue to go lower or higher, and accepts or rejects a deal. The generator conveys all these actions in plain English.
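To make the three-stage split concrete, here is a rule-based buyer that follows the same parser, manager and generator shape. It is an added example written for this post, not the Stanford group’s code or their trained models: the act names, the keyword rules, the concession policy (open at 60% of the listing, concede half of the remaining gap each round, never exceed the budget) and the seller’s lines are all constructed. What it shows is the point of coarse dialogue acts: the manager only ever sees and emits a handful of act types, so the generator can only ever say on-topic things.

```python
"""Three-stage negotiation pipeline (parser -> manager -> generator) that
confines a buyer bot to a small set of coarse dialogue acts.  Constructed,
rule-based illustration of the architecture described in the article; it is
not the Stanford group's code or their learned models."""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Act:
    kind: str                     # INQUIRE | INFORM | PROPOSE | COUNTER | ACCEPT | REJECT
    price: Optional[float] = None


@dataclass(frozen=True)
class Turn:
    speaker: str
    act: Act
    text: str


# "$90", "$ 90.50", "90 dollars", "90 bucks"
PRICE_RE = re.compile(r"\$\s?(\d+(?:\.\d+)?)|(\d+(?:\.\d+)?)\s*(?:dollars|bucks)", re.I)
ACCEPT_RE = re.compile(r"\b(deal|sold|agreed|works for me)\b", re.I)
REJECT_RE = re.compile(r"\b(no|can't|cannot|won't|too low|pass)\b", re.I)


def parse_utterance(text: str) -> Act:
    """Parser: map free text to exactly one coarse act.  A price always wins,
    because a quoted price is what the manager has to react to."""
    m = PRICE_RE.search(text)
    if m:
        return Act("PROPOSE", float(m.group(1) or m.group(2)))
    if ACCEPT_RE.search(text):
        return Act("ACCEPT")
    if REJECT_RE.search(text):
        return Act("REJECT")
    if "?" in text:
        return Act("INQUIRE")
    return Act("INFORM")


class BuyerManager:
    """Manager: picks the bot's next act from the seller's act plus state.
    Constructed policy: open at 60% of the listing, concede half of the gap
    to the seller's price each round, never go above the budget."""

    def __init__(self, listing_price: float, budget: float):
        self.listing = listing_price
        self.budget = budget
        self.offer: Optional[float] = None

    def respond(self, seller: Act) -> Act:
        if seller.kind == "PROPOSE" and seller.price is not None:
            if seller.price <= self.budget:
                self.offer = seller.price
                return Act("ACCEPT", seller.price)
            if self.offer is not None and self.offer >= self.budget:
                return Act("REJECT", self.budget)          # nothing left to concede
            if self.offer is None:
                self.offer = round(0.6 * self.listing)
            else:
                self.offer = min(self.budget, round(self.offer + 0.5 * (seller.price - self.offer)))
            return Act("COUNTER", self.offer)
        if seller.kind == "INQUIRE":
            return Act("INFORM")
        if seller.kind == "ACCEPT":
            return Act("ACCEPT", self.offer)
        if seller.kind == "REJECT" and self.offer is not None and self.offer >= self.budget:
            return Act("REJECT", self.budget)
        return Act("INQUIRE")                              # anything else: ask about the item


def generate(act: Act, item: str) -> str:
    """Generator: verbalise the chosen act from a fixed template per act."""
    templates = {
        "INQUIRE": f"Could you tell me more about the condition of the {item}?",
        "INFORM": f"Yes, I'm interested in the {item}. Does it still hold a charge?",
        "COUNTER": "That's a bit more than I can spend. Would you take ${price:.0f}?",
        "ACCEPT": "${price:.0f} works for me, it's a deal. When can I pick it up?",
        "REJECT": "I can't go above ${price:.0f}, so I'll have to pass. Thanks anyway.",
    }
    return templates[act.kind].format(price=act.price or 0)


def run_dialogue(seller_lines: List[str], item: str, listing_price: float, budget: float) -> List[Turn]:
    """Drive the pipeline over scripted seller lines; stop at a deal or a walk-away."""
    manager = BuyerManager(listing_price, budget)
    turns: List[Turn] = []
    for line in seller_lines:
        seller_act = parse_utterance(line)
        turns.append(Turn("seller", seller_act, line))
        bot_act = manager.respond(seller_act)
        turns.append(Turn("bot", bot_act, generate(bot_act, item)))
        if bot_act.kind in ("ACCEPT", "REJECT"):
            break
    return turns


# Constructed seller lines for a $100 Fitbit listing.
SELLER_SCRIPT = [
    "Hi, are you interested in the Fitbit?",
    "It's in great condition, barely used. Asking $100.",
    "I can't go that low, how about $90?",
    "Alright, $75 works.",
]

if __name__ == "__main__":
    for t in run_dialogue(SELLER_SCRIPT, "Fitbit", listing_price=100, budget=75):
        print(f"{t.speaker:>6} [{t.act.kind}] {t.text}")
```

With a budget of 75 the bot counters at 60, then 75, then accepts; with a budget of 60 it walks away when the seller comes back at 90. Nothing here is learned, which is exactly the trade-off the researchers were working around: rules keep the bot coherent, the LSTM encoder/decoder and reinforcement learning are what make it flexible.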

During the testing phase, the bots were pitted against real humans. Participants were then asked how human the interaction seemed. The researchers found that their systems were more successful at bargaining for a deal and were more human-like than other bots.

It doesn’t always work out, however. Here’s an example of a conversation where the bot doesn’t make much sense.


A bot (A) trying to buy a Fitbit off a human seller (B). This time, however, it fails to communicate effectively. Image credit: He et al.

If you like the idea of crafting a bot to help you automatically negotiate for things online then you can have a go at making your own. The researchers have posted the data and code on CodaLab.

Source: Those Stanford whiz kids have done it again. Now a chatty AI bot to negotiate sales for you with Craigslist riffraff • The Register

Slow your roll: VMware urges admins to apply workarounds to DoS-inducing 3D render vuln

The vuln (CVE-2018-6977) allows an attacker with normal local user privileges to trigger an infinite loop in a 3D-rendering shader. According to VMware, a “specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device”.

If that happens, VMware warned, the hypervisor may rely on the host box’s graphics driver to ensure other users of the physical machine are not impacted by the infinite graphical loop.

“However, many graphics drivers may themselves get into a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected,” said VMware in a statement.

Source: Slow your roll: VMware urges admins to apply workarounds to DoS-inducing 3D render vuln • The Register

MindBody-owned FitMetrix exposed millions of user records — thanks to servers without passwords – AWS strikes again

FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password.

The company builds fitness tracking software for gyms and group classes — like CrossFit and SoulCycle — that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing.

Last week, a security researcher found three FitMetrix unprotected servers leaking customer data.

It isn’t known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two of the same ElasticSearch instances and a storage server — all hosted on Amazon Web Services — yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.

Bob Diachenko, Hacken.io’s director of cyber risk research, found the databases containing 113.5 million records — though it’s not known how many users were directly affected. Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.
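The failure described here is a configuration one: Elasticsearch nodes listening on a routable address with no authentication in front of them. The following audit is an added example, not taken from the article or from FitMetrix: it reads an `elasticsearch.yml` and flags that combination. The two configs it checks are constructed; the setting names it looks at (`network.host`, `http.port`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch keys.

```python
"""Audit an elasticsearch.yml for the combination behind the FitMetrix leak:
a node listening on a non-loopback address while authentication is off.
Constructed example written for this post, not FitMetrix's configuration;
the setting names are real Elasticsearch keys."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Addresses and Elasticsearch special names that keep the HTTP port on the box itself.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


@dataclass(frozen=True)
class Finding:
    key: str
    value: Optional[str]
    message: str


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines that make up a typical
    elasticsearch.yml.  Comments and blank lines are dropped and quotes
    stripped; nested mappings are out of scope (no PyYAML dependency)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def binds_beyond_loopback(host_value: str) -> bool:
    """True if any address in network.host is reachable from off the box.
    Understands the special names (_local_, _site_, _global_, _eth0_ ...)
    and list syntax such as ["_local_", "_site_"]."""
    hosts = [h.strip().strip("'\"").lower()
             for h in host_value.strip("[]").split(",") if h.strip()]
    return any(h not in LOOPBACK_HOSTS and not h.startswith("127.") for h in hosts)


def audit(config_text: str) -> List[Finding]:
    """Return the exposure findings for one config; an empty list is a pass."""
    s = parse_flat_yaml(config_text)
    host = s.get("network.host", "_local_")        # Elasticsearch defaults to loopback only
    port = s.get("http.port", "9200")
    exposed = binds_beyond_loopback(host)
    security = s.get("xpack.security.enabled")
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings: List[Finding] = []

    if (security or "false").lower() != "true":
        state = "unset; enabled by default only from Elasticsearch 8.0" if security is None else security
        reach = (f"anyone who can reach port {port} can read and modify every index"
                 if exposed else "only clients on this host can reach it today, but nothing enforces that")
        findings.append(Finding("xpack.security.enabled", security,
                                f"authentication is not enabled ({state}); {reach}"))
    if exposed and not tls_on:
        findings.append(Finding("xpack.security.http.ssl.enabled",
                                s.get("xpack.security.http.ssl.enabled"),
                                f"node listens on {host} and serves HTTP without TLS, so any "
                                "credentials and every document cross the network in clear text"))
    return findings


# Constructed configs: the exposed shape and the corrected one.
WEAK_CONFIG = """\
cluster.name: fitness-metrics
network.host: 0.0.0.0            # listen on every interface
http.port: 9200
xpack.security.enabled: false    # no users, no roles, no passwords
"""

HARDENED_CONFIG = """\
cluster.name: fitness-metrics
network.host: _site_                       # reachable from the VPC ...
http.port: 9200
xpack.security.enabled: true               # ... only with credentials ...
xpack.security.http.ssl.enabled: true      # ... and only over TLS
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {'PASS' if not found else str(len(found)) + ' finding(s)'}")
        for f in found:
            print(f"  {f.key} = {f.value!r}: {f.message}")
```

The config is only half the picture: whether a node bound to `_site_` is reachable from the internet is decided by the AWS security group or network ACL in front of it, which this check cannot see. The Shodan indexing the article mentions is what that other half looked like from the outside.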

Source: MindBody-owned FitMetrix exposed millions of user records — thanks to servers without passwords | TechCrunch

US democracy is turning away so many people at polling stations that they need a “What to Do If You’re Turned Away at the Polls” guide

Several states have instituted stricter voter ID laws since the 2016 presidential election; more, still, are purging voter rolls in the lead up to the election, and the recent Supreme Court decision to uphold Ohio’s aggressive purging law means you can expect many more people to be removed. So, even if you’re registered to vote (and you should really double check) you might find yourself turned away at the polls come November 6.

Source: What to Do If You’re Turned Away at the Polls

One man, one vote? Not so much. Two parties and no voters.

Why are Xiaomi’s fitness tracker and Apple watches detecting a heartbeat from a roll of toilet paper and bananas?

Why is Xiaomi’s fitness tracker detecting a heartbeat from a roll of toilet paper?

Weibo users are confused, but the answer isn’t as wild as it seems

Does a roll of toilet paper have a heart? Obviously not. So why does Xiaomi’s fitness band display a heart rate when it’s wrapped around a roll of toilet paper?

Weibo users have been discussing the phenomenon, with plenty of pictures from mystified users who say the Xiaomi Mi Band 3 fitness tracker is “detecting” a heart rate on toilet paper.

So we decided to get a Mi Band 3 — and of course, a roll of toilet paper — to check it out.

Bizarrely, it’s true.

It didn’t work all the time — only around a quarter of attempts gave us a heartbeat. The numbers were pretty random (ranging from 59bpm to 88bpm), but they were real.

So what about other objects? We tried wrapping the Mi Band 3 around a mug, because we had a mug, and a banana, because the internet likes bananas. Both gave us a heart rate quickly and far more consistently than the toilet paper did.

59bpm? That roll of toilet paper is so chill right now. (Picture: Abacus)

But the Xiaomi band isn’t alone. We also tried the banana and mug with an Apple Watch Series 4 and a Ticwatch, an Android Wear smartwatch. Both also displayed a heartbeat for the two heartless objects, ranging from 33bpm on the banana (Apple Watch) to 130bpm for the mug (Ticwatch).

Source: Why is Xiaomi’s fitness tracker detecting a heartbeat from a roll of toilet paper? | Abacus

Pentagon’s weapons systems are laughably easy to hack

New computerized weapons systems currently under development by the US Department of Defense (DOD) can be easily hacked, according to a new report published today.

The report was put together by the US Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress.

Congress ordered the GAO report in preparation to approve DOD funding of over $1.66 trillion, so the Pentagon could expand its weapons portfolio with new toys in the coming years.

But according to the new report, GAO testers “playing the role of adversary” found a slew of vulnerabilities of all sorts affecting these new weapons systems.

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” GAO officials said.

The report detailed some of the most eye-catching hacks GAO testers performed during their analysis.

In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.

Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.

In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.

Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

One test report indicated that the test team was able to guess an administrator password in nine seconds.

For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system.

Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.

Source: Pentagon’s new next-gen weapons systems are laughably easy to hack | ZDNet

Who would have thought it – after they decided to use Windows (95) for warships

AI lifeline to help devs craft smartmobe apps that suck a whole lot less… battery capacity

Artificial intelligence can help developers design mobile phone apps that drain less battery, according to new research.

The system, dubbed DiffProf, which will be presented this week at the USENIX Symposium on Operating Systems Design and Implementation conference in California, was developed by Charlie Hu and Abhilash Jindal, who have a startup devoted to better battery testing via software.

DiffProf rests on the assumption that apps that carry out the same function perform similar tasks in slightly different ways. For example, messaging apps like Whatsapp, Google Hangouts, or Skype, keep old conversations and bring up a keyboard so replies can be typed and sent. Despite this, Whatsapp is about three times more energy efficient than Skype.

“What if a feature of an app needs to consume 70 percent of the phone’s battery? Is there room for improvement, or should that feature be left the way it is?” said Hu, who is also a professor of electrical and computer engineering at Purdue University.

The research paper describing DiffProf is pretty technical. Essentially, it describes a method that uses “differential energy profiling” to create energy profiles for different apps. First, the researchers carry out a series of automated tests on apps by performing identical tasks on each app to work out energy efficiency.

Next, the profile also considers the app’s “call tree”, also known as a call graph. These describe the different computer programs that are executed in order to perform a broader given task.

Apps that have the same function, like playing music or sending emails, should have similar call trees. Slight variances in the code, however, lead to different energy profiles. DiffProf uses an algorithm to compare the call trees and highlights what programs are causing an app to drain more energy.

Developers running the tool receive a list of Java packages, describing the different software features, that appear in both apps being compared. They can then work out which programs in the less energy-efficient app suck up more juice, and whether they can be altered or deleted altogether. The tool is only useful if the source code for the similar apps has significant overlap.
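The comparison described above, shown as an added example rather than the DiffProf authors’ algorithm or code: two constructed call trees for the same task (sending one message), exclusive energy per method in millijoules, aggregated by Java package and ranked by how much more the less efficient app spends in each shared package. The package names, the tree shapes and the energy figures are made up for the illustration.

```python
"""Differential energy profiling in the spirit of the article: take the call
trees two apps produce while performing the same task, aggregate the energy
each Java package burns, and rank the shared packages by how much more the
less efficient app spends in them.  Constructed example, not the DiffProf
authors' algorithm or code; package names and millijoule figures are made up."""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Call:
    """One call-tree node: a fully qualified method and the energy (mJ) spent
    in its own body, exclusive of callees."""
    method: str
    self_mj: float
    children: List["Call"] = field(default_factory=list)


def inclusive_mj(node: Call) -> float:
    """Energy of a node plus everything it called."""
    return node.self_mj + sum(inclusive_mj(c) for c in node.children)


def package_of(method: str) -> str:
    """'okhttp3.RealCall.execute' -> class 'okhttp3.RealCall' -> package 'okhttp3'."""
    cls = method.rsplit(".", 1)[0]
    return cls.rsplit(".", 1)[0]


def energy_by_package(root: Call) -> Dict[str, float]:
    """Sum exclusive energy over every method in the tree, grouped by package."""
    totals: Dict[str, float] = {}
    stack = [root]
    while stack:
        node = stack.pop()
        pkg = package_of(node.method)
        totals[pkg] = totals.get(pkg, 0.0) + node.self_mj
        stack.extend(node.children)
    return totals


def diff_profiles(efficient: Call, hungry: Call) -> dict:
    """Packages present in both trees, ranked by the extra energy the hungry
    app spends in them.  Packages unique to either side are listed too, so
    the reader can judge how much the two code bases actually overlap."""
    a, b = energy_by_package(efficient), energy_by_package(hungry)
    shared = sorted(set(a) & set(b), key=lambda p: b[p] - a[p], reverse=True)
    return {
        "total_mj": (inclusive_mj(efficient), inclusive_mj(hungry)),
        "shared": [(p, a[p], b[p], b[p] - a[p]) for p in shared],
        "only_in_hungry": sorted(set(b) - set(a)),
        "only_in_efficient": sorted(set(a) - set(b)),
    }


def format_report(report: dict) -> str:
    lines = ["total: efficient %.0f mJ, hungry %.0f mJ" % report["total_mj"]]
    for pkg, a, b, d in report["shared"]:
        lines.append(f"  {pkg:<20} {a:6.0f} -> {b:6.0f} mJ  (+{d:.0f})")
    lines.append("  only in hungry app:    " + ", ".join(report["only_in_hungry"]))
    lines.append("  only in efficient app: " + ", ".join(report["only_in_efficient"]))
    return "\n".join(lines)


# Constructed profiles for the task "send one chat message".
def _http_round_trip() -> Call:
    return Call("okhttp3.RealCall.execute", 12, [Call("okhttp3.Http2Connection.writeData", 6)])


EFFICIENT_APP = Call("com.appa.ui.ChatActivity.send", 5, [
    Call("com.appa.msg.Outbox.enqueue", 2, [_http_round_trip()]),        # one push
    Call("android.graphics.Canvas.drawText", 8),
])

HUNGRY_APP = Call("com.appb.ui.ConversationView.send", 5, [
    Call("com.appb.sync.Poller.poll", 3, [_http_round_trip() for _ in range(6)]),   # polls six times
    Call("android.location.LocationManager.requestLocationUpdates", 40),            # unrelated to messaging
    Call("android.graphics.Canvas.drawText", 8),
    Call("android.graphics.Bitmap.createBitmap", 30),                               # redraws a full bitmap
])

if __name__ == "__main__":
    print(format_report(diff_profiles(EFFICIENT_APP, HUNGRY_APP)))
```

The `only_in_*` lists are where the article’s caveat shows up: if the two apps share little code, the ranked list of shared packages is short and says little about why one of them drains the battery faster.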

Source: AI lifeline to help devs craft smartmobe apps that suck a whole lot less… battery capacity • The Register

DoNotPay App Lets You ‘Sue Anyone By Pressing a Button’. Success rate: 50%

A new, free app promises to let you “sue anyone by pressing a button” and have an AI-powered lawyer fight your case.

Do Not Pay, a free service that launched in the iOS App store today, uses IBM Watson-powered artificial intelligence to help people win up to $25,000 in small claims court. It’s the latest project from 21-year-old Stanford senior Joshua Browder, whose service previously allowed people to fight parking tickets or sue Equifax; now, the app has streamlined the process. It’s the “first ever service to sue anyone (in all 3,000 counties in 50 states) by pressing a button.”

The crazy part: the robot lawyer actually wins in court. In its beta testing phase, which included releases in the UK and in select numbers across all 50 US states, Do Not Pay has helped its users get back $16 million in disputed parking tickets. In a phone call with Motherboard, Browder said that the success rate of Do Not Pay is about 50 percent, with average winnings of about $7,000.

[…]

The app works by having a bot ask the user a few basic questions about their legal issue. The bot then uses the answers to classify the case into one of 15 different legal areas, such as breach of contract or negligence. After that, Do Not Pay draws up documents specific to that legal area, and fills in the specific details. Just print it out, mail it to the courthouse, and voilà—you’re a plaintiff. And if you have to show up to court in person, Do Not Pay even creates a script for the plaintiff to read out loud in court.

[…]

Browder told Motherboard that data protection is a central part of his service, which is free (users keep 100 percent of what they win in court, Browder says.) Per Do Not Pay’s privacy policy, all user data is protected with 256-bit encryption, and no third parties get access to personal user information such as home address, email address, or information pertaining to a particular case.

[…]

Of all of Do Not Pay’s legal disputes, Browder told Motherboard that he’s most proud of an instance where a woman took Equifax to court and won, twice. After her data was compromised by Equifax last year, she took the $3 billion company to small claims court and won. When Equifax appealed the verdict and sent a company lawyer to fight for an appeal, the woman won again.

Source: DoNotPay App Lets You ‘Sue Anyone By Pressing a Button’

World’s largest CCTV maker Xiongmai leaves at least 9 million cameras open to public viewing

Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

This time, it’s Chinese surveillance camera maker Xiongmai who was named and shamed by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

As a result, SEC Consult warns, the cameras could be compromised to do everything from spying on their owners to carrying out botnet instructions, and even to serving as an entry point for larger network intrusions.

“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.

“The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

Source: World’s largest CCTV maker leaves at least 9 million cameras open to public viewing • The Register
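The unsigned-firmware problem above is worth making concrete from the defender's side: a device that installs whatever image it is handed has no way to tell a vendor release from a modified one. The following is an added example, not SEC Consult's or Xiongmai's code, showing a minimal signed-image format (a 4-byte length, the payload, then an Ed25519 signature over the payload; this layout is an assumption for the example) with the vendor-side signing step, the device-side verification step that rejects a tampered image, and, for contrast, an install path that accepts anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not a real vendor format):
//   4-byte big-endian payload length | payload | 64-byte Ed25519 signature over payload
const sigLen = ed25519.SignatureSize

var (
	errBadImage = errors.New("firmware: malformed image")
	errBadSig   = errors.New("firmware: signature verification failed")
)

// buildImage is the vendor-side step: frame the payload and append a signature
// made with the release private key.
func buildImage(priv ed25519.PrivateKey, payload []byte) []byte {
	img := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(img, uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, payload)...)
}

// verifyImage is the device-side step: only the release public key baked into the
// device is trusted, and the payload is returned only if the signature checks out.
// Length checks come first so a short or inconsistent image never reaches Verify.
func verifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 4+sigLen {
		return nil, errBadImage
	}
	n := int(binary.BigEndian.Uint32(img))
	if n != len(img)-4-sigLen {
		return nil, errBadImage
	}
	payload, sig := img[4:4+n], img[4+n:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errBadSig
	}
	return payload, nil
}

// installUnsigned mirrors the weakness described in the article: the framing is
// parsed, but nothing ties the payload to the vendor, so any image is accepted.
func installUnsigned(img []byte) ([]byte, error) {
	if len(img) < 4 {
		return nil, errBadImage
	}
	n := int(binary.BigEndian.Uint32(img))
	if n > len(img)-4 {
		return nil, errBadImage
	}
	return img[4 : 4+n], nil
}

// demo signs a constructed payload, flips one payload byte, and reports:
// genuine image accepted by verifyImage, tampered image rejected by verifyImage,
// tampered image accepted by installUnsigned.
func demo() (genuineOK, tamperedRejected, tamperedAcceptedUnsigned bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor release key
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload v1.2.3") // constructed sample
	img := buildImage(priv, payload)

	_, err = verifyImage(pub, img)
	genuineOK = err == nil

	tampered := append([]byte(nil), img...)
	tampered[4] ^= 0xFF // corrupt the first payload byte
	_, err = verifyImage(pub, tampered)
	tamperedRejected = errors.Is(err, errBadSig)

	_, err = installUnsigned(tampered)
	tamperedAcceptedUnsigned = err == nil
	return
}

func main() {
	ok, rej, acc := demo()
	fmt.Printf("genuine verified: %v, tampered rejected: %v, tampered accepted by unsigned path: %v\n", ok, rej, acc)
}
```

The point of the contrast is that `installUnsigned` cannot distinguish the two images at all; only a verification step keyed to a public key the attacker does not control can, which is why an update channel that delivers unsigned images turns into a code-execution path the moment that channel is reachable.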

Google shutting down Google+ after exposing data of up to 500,000 users and not disclosing breach

A vulnerability in the Google+ social network exposed the personal data of up to 500,000 people using the site between 2015 and March 2018, the search giant said Monday.

Google said it found no evidence of data misuse. Still, as part of the response to the incident, Google plans to shut down the social network permanently.

The company didn’t disclose the vulnerability when it fixed it in March because the company didn’t want to invite regulatory scrutiny from lawmakers, according to a report Monday by The Wall Street Journal. Google CEO Sundar Pichai was briefed on the decision to not disclose the finding, after an internal committee had already decided the plan, the Journal said.

Google said it found the bug as part of an internal review called Project Strobe, an audit started earlier this year that examines access to user data from Google accounts by third-party software developers. The bug gave apps access to information on a person’s Google+ profile that can be marked as private. That includes details like email addresses, gender, age, images, relationship statuses, places lived and occupations. Up to 438 applications on Google Plus had access to this API, though Google said it has no evidence any developers were aware of the vulnerability.

Source: Google shutting down Google+ after exposing data of up to 500,000 users – CNET

The real story here is that they didn’t disclose.
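The defect class described above is a missing authorization check at the API boundary: fields the owner marked private were returned to third-party apps anyway. The example below is added here and is not Google's code or API; it models a profile with per-field visibility (an assumed model), shows a leaky view that returns every field next to a filtered view that honours the owner's choice, and includes the audit check an internal review would run to prove no private field reaches an app caller.

```go
package main

import (
	"fmt"
	"sort"
)

// Visibility is the owner's choice for a field. Assumed model for this example.
type Visibility int

const (
	Public Visibility = iota
	Private
)

// Field is one profile attribute with the owner's visibility setting.
type Field struct {
	Value      string
	Visibility Visibility
}

// Profile maps field names to fields.
type Profile map[string]Field

// Caller is who is asking: the owner, or a third-party app identified by AppID.
type Caller struct {
	AppID   string
	IsOwner bool
}

// leakyView returns every field regardless of visibility: the defect class in the
// article, where an API served fields the owner had marked private.
func leakyView(p Profile, c Caller) map[string]string {
	out := make(map[string]string, len(p))
	for name, f := range p {
		out[name] = f.Value
	}
	return out
}

// filteredView enforces visibility at the boundary: a third-party app only
// receives fields the owner made public; the owner sees everything.
func filteredView(p Profile, c Caller) map[string]string {
	out := make(map[string]string)
	for name, f := range p {
		if c.IsOwner || f.Visibility == Public {
			out[name] = f.Value
		}
	}
	return out
}

// exposedPrivateFields lists the private fields present in a response. An audit
// like the review described in the article would assert this is empty for app callers.
func exposedPrivateFields(p Profile, resp map[string]string) []string {
	var leaked []string
	for name, f := range p {
		if _, ok := resp[name]; ok && f.Visibility == Private {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked
}

// sampleProfile is a constructed profile mixing public and private fields.
func sampleProfile() Profile {
	return Profile{
		"display_name": {"A. Example", Public},
		"email":        {"a.example@example.invalid", Private},
		"age":          {"34", Private},
		"occupation":   {"engineer", Public},
	}
}

func main() {
	p := sampleProfile()
	app := Caller{AppID: "third-party-app"}
	fmt.Println("leaky view exposes:", exposedPrivateFields(p, leakyView(p, app)))       // [age email]
	fmt.Println("filtered view exposes:", exposedPrivateFields(p, filteredView(p, app))) // []
}
```

Putting the check in the view function rather than in each endpoint matters: every code path that serialises a profile for an app then goes through the same filter, and the audit helper gives a single property to test for each field added later.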

Nanoscale pillars as a building block for future information technology

Researchers from Linköping University and the Royal Institute of Technology in Sweden have proposed a new device concept that can efficiently transfer the information carried by electron spin to light at room temperature—a stepping stone toward future information technology. They present their approach in an article in Nature Communications.

Light and electron charge are the main media for information processing and transfer. In the search for information technology that is even faster, smaller and more energy-efficient, scientists around the globe are exploring another property of electrons—their spin. Electronics that exploit both the spin and the charge of the electron are called “spintronics.”

[…]

“The main problem is that electrons easily lose their spin orientations when the temperature rises. A key element for future spin-light applications is efficient quantum information transfer at room temperature, but at room temperature, the electron spin orientation is nearly randomized.
[…]

Now, researchers from Linköping University and the Royal Institute of Technology have devised an efficient spin-light interface.

“This interface can not only maintain and even enhance the electron spin signals at room temperature. It can also convert these spin signals to corresponding chiral light signals travelling in a desired direction,” says Weimin Chen.

The key element of the device is extremely small disks of gallium nitrogen arsenide, GaNAs. The disks are only a couple of nanometres high and stacked on top of each other with a thin layer of gallium arsenide (GaAs) between to form chimney-shaped nanopillars. For comparison, the diameter of a human hair is about a thousand times larger than the diameter of the nanopillars.

The unique ability of the proposed device to enhance spin signals is due to minimal defects introduced into the material by the researchers. Fewer than one out of a million gallium atoms are displaced from their designated lattice sites in the material. The resulting defects in the material act as efficient spin filters that can drain electrons with an unwanted spin orientation and preserve those with the desired spin orientation.

“An important advantage of the nanopillar design is that light can be guided easily and more efficiently coupled in and out,” says Shula Chen, first author of the article.

Read more at: https://phys.org/news/2018-10-nanoscale-pillars-block-future-technology.html#jCp

Source: Nanoscale pillars as a building block for future information technology

Inside Hurricane Maria in 360°

Two days before Hurricane Maria devastated Puerto Rico, the NASA-Japan Global Precipitation Measurement Core Observatory satellite captured a 3-D view of the storm. At the time Maria was a Category 1 hurricane. The 3-D view reveals the processes inside the hurricane that would fuel the storm’s intensification to a category 5 within 24 hours. For the first time in 360-degrees, this data visualization takes you inside the hurricane. The precipitation satellite has an advanced radar that measures both liquid and frozen water. The brightly colored dots show areas of rainfall, where green and yellow show low rates and red and purple show high rates. At the top of the hurricane, where temperatures are colder, blue and purple dots show light and heavy frozen precipitation. The colored areas below the dots show how much rain is falling at the surface.

California bans default passwords on any internet-connected device

In less than two years, anything that can connect to the internet will come with a unique password — that is, if it’s produced or sold in California. The “Information Privacy: Connected Devices” bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate.

The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

The law is clearly aimed at stopping the spread of botnets made up of compromised network devices, such as routers, smart switches or even security cameras and other IoT equipment. Malicious software could often take control of them by trying easy-to-guess or publicly disclosed default login credentials. It’s not entirely clear yet as to how the new regulation will affect legacy industry hardware from the 1980s and 1990s where passwords are either hard-coded or next to impossible to change.

Source: California bans default passwords on any internet-connected device

A simple and very effective start to legislation on IoT

iPhone Shortcut Automatically Records Police, turns off face and fingerprint ID

According to Mic, Reddit user Robert Peterson created a trick using the virtual assistant, Siri, that lowers the phone’s brightness, turns on Do Not Disturb, texts the iPhone owner’s location to an emergency contact and lets them know you have been pulled over by police. The shortcut will also automatically start recording video and, when finished, the phone will send the video to the contact or save it to a cloud service.

The shortcut is available here, while another user created a workflow that automatically reboots the phone, rendering the fingerprint or face ID feature useless until a person enters a passcode. The Washington Post reports that police can’t legally compel a suspect to give up the passcode, although they can force a phone owner to use fingerprint ID or a face scan.

“I noticed in news articles and reports on TV that in many cases, police say one thing happened and the citizen pulled over says something else,” Peterson told Mic. “Sometimes police have body cameras, sometimes not. When they do, the video is not always released in a timely manner. I wanted a way for the person being pulled over to have a record for themselves.”

Source: iPhone Shortcut Automatically Records Police

Sans Forgetica font May Help You Remember What You Read

We’re all used to skimming past the boring parts of a reading assignment or a web article. But when researchers from RMIT University in Australia printed information in a weird, hard-to-read font, they found that people were more likely to remember what they read.

There’s a sweet spot, their experiments suggest: if the font is too chaotic, it becomes too hard to read. So they settled on small tweaks: gaps in the lines of the letters, and a slight backwards tilt (the opposite direction from the slant in more familiar italic type).

The resulting font is called Sans Forgetica and you can download it here. The researchers also created a Chrome extension that will render any web page in Sans Forgetica, the better to study with. But don’t use it everywhere: they suspect that if we get too used to reading in Sans Forgetica, its memory-boosting effect will fade.

Source: Sans Forgetica May Help You Remember What You Read

Researchers Created ‘Quantum Artificial Life’ For the First Time

For the first time, an international team of researchers has used a quantum computer to create artificial life—a simulation of living organisms that scientists can use to understand life at the level of whole populations all the way down to cellular interactions.

With the quantum computer, individual living organisms represented at a microscopic level with superconducting qubits were made to “mate,” interact with their environment, and “die” to model some of the major factors that influence evolution.

The new research, published in Scientific Reports on Thursday, is a breakthrough that may eventually help answer the question of whether the origin of life can be explained by quantum mechanics, a theory of physics that describes the universe in terms of the interactions between subatomic particles.

Modeling quantum artificial life is a new approach to one of the most vexing questions in science: How does life emerge from inert matter, such as the “primordial soup” of organic molecules that once existed on Earth?

[…]

Individuals were represented in the model using two qubits. One qubit represented the individual’s genotype, the genetic code behind a certain trait, and the other its phenotype, or the physical expression of that trait.

To model self-replication, the algorithm copied the expectation value (the average of the probabilities of all possible measurements) of the genotype to a new qubit through entanglement, a process that links qubits so that information is instantaneously exchanged between them. To account for mutations, the researchers encoded random qubit rotations into the algorithm that were applied to the genotype qubits.

The algorithm then modeled the interaction between the individual and its environment, which represented aging and eventually death. This was done by taking the new genotype from the self-replicating action in the previous step and transferring it to another qubit via entanglement. The new qubit represented the individual’s phenotype. The lifetime of the individual—that is, how long it takes the information to degrade or dissipate through interaction with the environment—depends on the information coded in this phenotype.

Finally, these individuals interacted with one another. This required four qubits (two genotypes and two phenotypes), but the phenotypes only interacted and exchanged information if they met certain criteria as coded in their genotype qubits.

Source: Researchers Created ‘Quantum Artificial Life’ For the First Time – Motherboard

Japan’s silent submarines extend range with li-ion batteries

The Oryu is the eleventh submarine based on the Soryu’s design. Soryu-class vessels, which started being built in 2005, are among the largest diesel-electric submarines in the world.

But the Oryu is a vastly updated version of the Soryu, the biggest change being the replacement of lead-acid batteries with lithium-ion ones. Mitsubishi Heavy tapped GS Yuasa to supply the high-performance batteries, which store about double the power.

Submarine batteries are recharged by the energy generated by Oryu’s diesel engines. The vessel switches to batteries during operations and actual combat in order to silence the engines and become harder to detect. The lithium-ion batteries radically extend the sub’s range and time it can spend underwater.

Source: Japan’s silent submarines extend range with new batteries – Nikkei Asian Review

Instagram explores sharing your precise location history with Facebook even when not using the app

Instagram is currently testing a feature that would allow it to share your location data with Facebook, even when you’re not using the app, reports app researcher Jane Manchun Wong (via TechCrunch). The option, which Wong notes is being tested as a setting you have to opt in to, allows Facebook products to “build and use a history of precise locations” which the company says “helps you explore what’s around you, get more relevant ads and helps improve Facebook.” When activated, the service will report your location “even if you leave the app.”

The discovery of the feature comes just weeks after Instagram’s co-founders resigned from the company, reportedly as a result of Facebook CEO Mark Zuckerberg’s meddling in the service. Examples of this meddling include removing Instagram’s attribution from posts re-shared to Facebook, and badged notifications inside Instagram that encouraged people to open the Facebook app. With the two men who were deeply involved in the day-to-day running of Instagram now gone, such intrusions are expected to increase.

Instagram is not the only service whose data Facebook has sought to share with its main platform. Back in 2016 the company announced that it would be sharing user data between WhatsApp and Facebook in order to offer better friend suggestions. The practice was later halted in the European Union thanks to its GDPR legislation, although WhatsApp’s CEO and co-founder later left over data privacy concerns.

Source: Instagram explores sharing your precise location history with Facebook – The Verge

Wait – Instagram continually monitors your location too?!

Lawyers for Vizio data grabbing Smart TV owners propose final deal, around $20 per person. Lawyers themselves get $5.6 million.

Lawyers representing Vizio TV owners have asked a federal judge in Orange County, California to sign off on a proposed class-action settlement with the company for $17 million, for an affected class of 16 million people, who must opt-in to get any money. Vizio also agrees to delete all data that it collected.

Notice of the lawsuit will be shown directly on the Vizio Smart TVs, three separate times, as well as through paper mailings.

When it’s all said and done, new court filings submitted on Thursday say each of those 16 million people will get a payout of somewhere between $13 and $31. By contrast, their lawyers will collectively earn a maximum payout of $5.6 million in fees.

Source: Lawyers for Vizio Smart TV owners propose final deal, around $20 per person | Ars Technica

‘Real’ fake research hoodwinks US journals, shows bias against white men gets published regardless of content

Three US researchers have pulled off a sophisticated hoax by publishing fake research with ridiculous conclusions in sociology journals to expose what they see as ideological bias and a lack of rigorous vetting at these publications.

Seven of the 20 fake articles written by the trio were accepted by journals after being approved by peer-review committees tasked with checking the authors’ research.

A faux study claiming that “Dog parks are Petri dishes for canine ‘rape culture’” by one “Helen Wilson” was published in May in the journal Gender, Place and Culture.

The article suggests that training men like dogs could reduce cases of sexual abuse.

Faux research articles are not new: one of the most notable examples is physicist Alan Sokal, who in a 1996 article for a cultural studies journal wrote about cultural and philosophical issues concerning aspects of physics and math.

This time the fake research aims at mocking weak vetting of articles on hot-button social issues such as gender, race and sexuality.

The authors, writing under pseudonyms, intended to prove that academics in these fields are ready to embrace any thesis, no matter how outrageous, so long as it contributes to denouncing domination by white men.

“Making absurd and horrible ideas sufficiently politically fashionable can get them validated at the highest level of academic grievance studies,” said one of the authors, James Lindsay, in a video revealing the project.

Lindsay—that is his real name—obtained a doctorate in mathematics in 2010 from the University of Tennessee and has been fully dedicated to this project for a year and a half.

One of the published journal articles analyzes why a man masturbating while thinking of a woman without her consent commits a sexual assault.

Another is a feminist rewrite of a chapter of “Mein Kampf.”

Some articles—such as a study of the impact of the use of an anal dildo by heterosexual men on their transphobia—even claimed to rely on data such as interviews, which could have been verified by the journal gatekeepers.

For that “study” the authors claimed to have interviewed 13 men. In the dog article, the authors claimed to have examined the genitals of nearly 10,000 canines.

“If our project shows anything, it shows that what’s coming out of these disciplines cannot currently be trusted,” Lindsay told AFP.

Read more at: https://phys.org/news/2018-10-real-fake-hoodwinks-journals.html#jCp

Source: ‘Real’ fake research hoodwinks US journals

 