20,000 Worldclass University Lectures Made Illegal, So We Irrevocably Mirrored Them – LBRY

Today, the University of California at Berkeley has deleted 20,000 college lectures from its YouTube channel. Berkeley removed the videos because of a lawsuit brought by two students from another university under the Americans with Disabilities Act.

We copied all 20,000 and are making them permanently available for free via LBRY.

This makes the videos freely available and discoverable by all, without reliance on any one entity to provide them (even us!).

Source: 20,000 Worldclass University Lectures Made Illegal, So We Irrevocably Mirrored Them – LBRY

Web security products introduce man in the middle insecurities

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned.

The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on.

However, the very method by which these devices skirt the encryption on network traffic through protocols like SSL, and more recently TLS, is opening up the network to man-in-the-middle attacks.

In the paper [PDF], titled The Security Impact of HTTPS Interception, the researchers tested out a range of the most common TLS interception middleboxes and client-side interception software and found that the vast majority of them introduced security vulnerabilities.
[…]
the user can only be sure that their connection to the interception product is legit, but has no idea whether the rest of the communication – to the web server, over the internet – is secure or has been compromised.

And, it turns out, many of those middleboxes and interception software suites do a poor job of security themselves. Many do not properly verify the certificate chain of the server before re-encrypting and forwarding client data. Some do a poor job forwarding certificate-chain verification errors, keeping users in the dark over a possible attack.

In other words: the effort to check that a security system is working undermines the very security it is supposed to be checking.

Source: Are you undermining your web security by checking on it with the wrong tools? • The Register
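The upstream-validation failure described above, as an added example (not from The Register article, the paper or any product): Python's standard `ssl` module stands in for an interception proxy's proxy-to-server leg, with the non-validating setting beside the corrected one. All function names are hypothetical.

```python
import socket
import ssl

def weak_upstream_context():
    """Proxy-to-server context showing the failure described: no validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from anyone, is accepted
    return ctx

def strict_upstream_context():
    """Corrected setting: chain and hostname are verified against the system CAs."""
    return ssl.create_default_context()

def audit_upstream_context(ctx):
    """Return the validation gaps in a context used for the upstream leg."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain not verified")
    if not ctx.check_hostname:
        gaps.append("hostname not matched against certificate")
    return gaps

def connect_upstream(host, port, ctx, timeout=5.0):
    """Open the upstream leg; return (tls_socket, None) or (None, reason).

    On a verification failure nothing is forwarded: the caller gets the reason
    and is expected to show it to the client instead of re-encrypting.
    """
    gaps = audit_upstream_context(ctx)
    if gaps:
        return None, "refusing to connect: " + "; ".join(gaps)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host), None
    except ssl.SSLCertVerificationError as err:
        raw.close()
        return None, f"upstream certificate rejected: {err.verify_message}"
```

The client only ever sees the certificate the interception product mints for it, so the `reason` string is the only route by which an upstream verification error can reach the user.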

Towards a lip-reading computer

The system, which has been trained on thousands of hours of BBC News programmes, has been developed in collaboration with Google’s DeepMind AI division.

“Watch, Attend and Spell”, as the system has been called, can now watch silent speech and get about 50% of the words correct. That may not sound too impressive – but when the researchers supplied the same clips to professional lip-readers, they got only 12% of words right.

Joon Son Chung, a doctoral student at Oxford University’s Department of Engineering, explained to me just how challenging a task this is. “Words like mat, bat and pat all have similar mouth shapes.” It’s context that helps his system – or indeed a professional lip reader – to understand what word is being spoken.

“What the system does,” explains Joon, “is to learn things that come together, in this case the mouth shapes and the characters and what the likely upcoming characters are.”

The BBC supplied the Oxford researchers with clips from Breakfast, Newsnight, Question Time and other BBC news programmes, with subtitles aligned with the lip movements of the speakers. Then a neural network combining state-of-the-art image and speech recognition set to work to learn how to lip-read.

After examining 118,000 sentences in the clips, the system now has 17,500 words stored in its vocabulary. Because it has been trained on the language of news, it is now quite good at understanding that “Prime” will often be followed by “Minister” and “European” by “Union”, but much less adept at recognising words not spoken by newsreaders.

Source: Towards a lip-reading computer – BBC News

WikiLeaks will disclose CIA vulns to companies that sign standard responsible disclosures – or maybe not so standard?

“WikiLeaks has made initial contact with us via secure@microsoft.com,” a Microsoft spokesperson told Motherboard — but then things apparently stalled. An anonymous reader quotes Fortune:
Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security “zero days” and other surveillance methods in the possession of the Central Intelligence Agency… Wikileaks’ demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard’s sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.

Julian Assange announced Friday that Mozilla had already received information after agreeing to their “industry standard responsible disclosure plan,” then added that “most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies… such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA.” Assange suggested users “may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves.”

Source: WikiLeaks Won’t Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met – Slashdot

Seeing as we don’t know what the documents are that WikiLeaks is asking the affected companies to sign, I have no idea whether this is a good or bad thing tbh.