The Linkielist

Linking ideas with the world

Cisco NFV elastic services controller accepts empty admin password

Cisco’s Elastic Services Controller’s release 3.0.0 software has a critical vulnerability: it accepts an empty admin password.

The Controller (ESC) is Cisco’s automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling.

Cisco’s advisory about the flaw explains the bug is in ESC’s Web service portal: “An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal.”

Once past the (non)-authentication, the attacker has administrative rights to “execute arbitrary actions” on the target system.

Source: Cisco NFV controller is a bit too elastic: It has an empty password bug • The Register

Crooks opt for Monero, PayPal, eBay and games for laundering

“Platforms like Monero are designed to be truly anonymous, and tumbler services like CoinJoin can [further] obscure transaction origins,” said Dr Mike McGuire, senior lecturer in criminology at Surrey University and author of the study.

Many cybercriminals are using virtual currency to convert the illegal proceeds of crime into hard cash and assets. Digital payment systems are used to help hide the money trail.
[…]
Methods like “micro laundering”, where thousands of small electronic payments are made through platforms like PayPal, are increasingly common and more difficult to detect. Another common technique is to use online transactions – via sites like eBay – to facilitate laundering.

Crooks are circumventing PayPal and eBay’s anti-fraud controls, even though both are “getting better at picking up laundering techniques”, according to Dr McGuire.
[…]
“Keeping transactions low, say $10-12, makes laundering almost impossible to spot, as they look like ordinary transactions. It would be impossible to investigate every transaction of this size. By making repeated small payments, or limited transactions, your profile begins to gain the ‘trust’ of controls systems, which makes it even harder to detect laundering as payments are less likely to be flagged.”

Botnets can be used to make thousands of these transactions and increase your trust rating.

“I have also seen evidence of multi-stage laundering, where criminals will make payments through websites like Airbnb which look completely legitimate. Cybercriminals are also gaining access or control of legitimate PayPal accounts by phishing emails. I also saw it was easy to buy stolen credentials from online forums to gain access to hundreds of PayPal accounts which can then be used to launder payments.”

McGuire said cybercriminals are working with the fraud controls to then manipulate them by applying to go beyond current annual payment limits and then providing false or hacked documentation to support the checks which permit larger payments.
[…]
Cybercriminals elsewhere are active in converting stolen income into video game currency or in-game items like gold, which are then converted into Bitcoin or other electronic formats. Games such as Minecraft, FIFA, World of Warcraft, Final Fantasy and GTA 5 are among the most popular options because they allow covert interactions with other players to facilitate the trade of currency and goods.

“Gaming currencies and items that can be easily converted and moved across borders offer an attractive prospect to cybercriminals,” Dr McGuire told The Register. “This trend appears to be particularly prevalent in countries like South Korea and China – with South Korean police arresting a gang transferring $38m laundered in Korean games back to China.

“The advice on how to do this is readily available online and explains how cybercriminals can launder proceeds through both in-game currencies and goods.”

The findings come from a nine-month study into the macro economics of cybercrime, sponsored by infosec vendor Bromium

Source: Crooks opt for Monero as crypto of choice to launder ill-gotten gains • The Register

2017: Dutch Military Intelligence 348 and Internal Intelligence 3205 taps placed. No idea how many the police did, but wow, that’s a lot!

The MIVD carried out a total of 348 taps last year. The AIVD placed 3,205 taps that year. Today both services published their tap statistics for the period 2002 through 2017 on their websites.

Source: MIVD tapte vorig jaar 348 keer | Nieuwsbericht | Defensie.nl


And of course we have no idea how many of these taps led to arrests or action.

Microsoft updates its Quantum Development Kit and adds support for Linux and Mac

Today we’re announcing updates to our Quantum Development Kit, including support for macOS and Linux, additional open source libraries, and interoperability with Python. These updates will bring the power of quantum computing to even more developers on more platforms. At Microsoft, we believe quantum computing holds the promise of solving many of today’s unsolvable problems and we want to make it possible for the broadest set of developers to code new quantum applications.

When we released the Quantum Development Kit last December, we were excited about the possibilities that might result from opening the world of quantum programming to more people. We delivered a new quantum programming language – Q#, rich integration with Visual Studio, and extensive libraries and samples. Since then, thousands of developers have explored the Quantum Development Kit and experienced the world of quantum computing, including students, professors, researchers, algorithm designers, and people new to quantum development who are using these tools to gain knowledge.

Source: Microsoft updates its Quantum Development Kit and adds support for Linux and Mac – Microsoft Quantum

A video game-playing AI beat Q*bert in a way no one’s ever seen before

paper published this week by a trio of machine learning researchers from the University of Freiburg in Germany. They were exploring a particular method of teaching AI agents to navigate video games (in this case, desktop ports of old Atari titles from the 1980s) when they discovered something odd. The software they were testing discovered a bug in the port of the retro video game Q*bert that allowed it to rack up near infinite points.

As the trio describe in the paper, published on pre-print server arXiv, the agent was learning how to play Q*bert when it discovered an “interesting solution.” Normally, in Q*bert, players jump from cube to cube, with this action changing the platforms’ colors. Change all the colors (and dispatch some enemies), and you’re rewarded with points and sent to the next level. The AI found a better way, though:

First, it completes the first level and then starts to jump from platform to platform in what seems to be a random manner. For a reason unknown to us, the game does not advance to the second round but the platforms start to blink and the agent quickly gains a huge amount of points (close to 1 million for our episode time limit).
[…]
It’s important to note, though, that the agent is not approaching this problem in the same way that a human would. It’s not actively looking for exploits in the game with some Matrix-like computer-vision. The paper is actually a test of a broad category of AI research known as “evolutionary algorithms.” This is pretty much what it sounds like, and involves pitting algorithms against one another to see which can complete a given task best, then adding small tweaks (or mutations) to the survivors to see if they then fare better. This way, the algorithms slowly get better and better.

Source: A video game-playing AI beat Q*bert in a way no one’s ever seen before – The Verge

How to Disable Facebook’s Facial Recognition Feature

To turn off facial recognition on your computer, click on the down arrow at the top of any Facebook page and then select Settings. From there, click “Face Recognition” from the left column, and then click “Do you want Facebook to be able to recognize you in photos and videos?” Select Yes or No based on your personal preferences.

On mobile, click on the three dots below your profile pic labeled “More” then select “View Privacy Shortcuts” then “More Settings,” followed by “Facial Recognition.” Click on the “Do you want Facebook to be able to recognize you in photos and videos?” button and select “No” to disable the feature.
[…]
The setting isn’t available in all countries, and will only appear as an option in your profile if you’re at least 18 years old and have the feature available to you.

Source: How to Disable Facebook’s Facial Recognition Feature

AI models leak secret data too easily

A paper released on arXiv last week by a team of researchers from the University of California, Berkeley, National University of Singapore, and Google Brain reveals just how vulnerable deep learning is to information leakage.

The researchers labelled the problem “unintended memorization” and explained it happens if miscreants can access the model’s code and apply a variety of search algorithms. That’s not an unrealistic scenario considering the code for many models is available online. And it means that text messages, location histories, emails or medical data can be leaked.

Nicholas Carlini, first author of the paper and a PhD student at UC Berkeley, told The Register, that the team “don’t really know why neural networks memorize these secrets right now”.

“At least in part, it is a direct response to the fact that we train neural networks by repeatedly showing them the same training inputs over and over and asking them to remember these facts. At the end of training, a model might have seen any given input ten or twenty times, or even a hundred, for some models.

“This allows them to know how to perfectly label the training data – because they’ve seen it so much – but don’t know how to perfectly label other data. What we exploit to reveal these secrets is the fact that models are much more confident on data they’ve seen before,” he explained.

Secrets worth stealing are the easiest to nab

In the paper, the researchers showed how easy it is to steal secrets such as social security and credit card numbers, which can be easily identified from neural network’s training data.

They used the example of an email dataset comprising several hundred thousand emails from different senders containing sensitive information. This was split into different senders who have sent at least one secret piece of data and used to train a two-layer long short-term memory (LSTM) network to generate the next sequence of characters.
[…]
The chances of sensitive data becoming available are also raised when the miscreant knows the general format of the secret. Credit card numbers, phone numbers and social security numbers all follow the same template with a limited number of digits – a property the researchers call “low entropy”.
[…]
Luckily, there are ways to get around the problem. The researchers recommend developers use “differential privacy algorithms” to train models. Companies like Apple and Google already employ these methods when dealing with customer data.

Private information is scrambled and randomised so that it is difficult to reproduce it. Dawn Song, co-author of the paper and a professor in the department of electrical engineering and computer sciences at UC Berkeley, told us the following:

Source: Boffins baffled as AI training leaks secrets to canny thieves • The Register
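
The point Carlini makes above, that a model is more confident on data it has seen, can be measured on your own model by planting a known canary and ranking it against every other value of the same format. This is an added example, not code from the paper or The Register: a toy character n-gram model stands in for the LSTM, and the corpus, the canary 7351 and the exposure formula (log2 of the candidate count minus log2 of the canary's rank) are assumptions of the example.

```python
import math
from collections import defaultdict
from itertools import product

ORDER = 4        # characters of context the toy model conditions on
ALPHA = 0.01     # add-alpha smoothing so unseen characters keep non-zero probability
VOCAB = 40       # assumed alphabet size, used only in the smoothing denominator

# Constructed training text: ordinary sentences, plus (optionally) one secret
# that follows a fixed, low-entropy format.
BENIGN = [
    "please send the report before the meeting.",
    "the door is on the left side of the hall.",
    "meet in room 20 at noon.",
    "the code review is scheduled for friday.",
]
PREFIX = "the door code is "   # template the tester knows
SECRET = "7351"                # constructed canary, four digits


def train(lines):
    """Count next-character frequencies for every ORDER-character context."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        padded = "^" * ORDER + line
        for i in range(ORDER, len(padded)):
            counts[padded[i - ORDER:i]][padded[i]] += 1
    return counts


def loss(counts, prefix, digits):
    """Negative log2-likelihood of `digits` after `prefix` (lower = more confident)."""
    text = "^" * ORDER + prefix + digits
    total_bits = 0.0
    for i in range(len(text) - len(digits), len(text)):
        ctx = counts.get(text[i - ORDER:i], {})
        seen = sum(ctx.values())
        p = (ctx.get(text[i], 0) + ALPHA) / (seen + ALPHA * VOCAB)
        total_bits -= math.log2(p)
    return total_bits


def exposure(counts, prefix, secret):
    """Rank the secret among all same-format candidates; ties count against it."""
    target = loss(counts, prefix, secret)
    candidates = ("".join(d) for d in product("0123456789", repeat=len(secret)))
    rank = sum(1 for c in candidates if loss(counts, prefix, c) <= target)
    space = 10 ** len(secret)
    return rank, math.log2(space) - math.log2(rank)


def measure(repetitions):
    """Train with the canary inserted `repetitions` times; return (rank, exposure bits)."""
    corpus = BENIGN + [PREFIX + SECRET + "."] * repetitions
    return exposure(train(corpus), PREFIX, SECRET)


if __name__ == "__main__":
    for n in (0, 1, 10):
        rank, bits = measure(n)
        print(f"canary seen {n:2d}x: rank {rank:5d} of 10000, exposure {bits:.2f} bits")
```

An exposure near zero means the canary is indistinguishable from any other four-digit value; an exposure near log2 of the candidate count means the model singles it out.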

Larry Page’s Flying Taxis, Now Exiting Stealth Mode – The New York Times

Since October, a mysterious flying object has been seen moving through the skies over the South Island of New Zealand. It looks like a cross between a small plane and a drone, with a series of small rotor blades along each wing that allow it to take off like a helicopter and then fly like a plane. To those on the ground, it has always been unclear whether there was a pilot aboard.

Well, it turns out that the airborne vehicle has been part of a series of “stealth” test flights by a company personally financed by Larry Page, the co-founder of Google and now the chief executive of Google’s parent, Alphabet.

The company, known as Kitty Hawk and run by Sebastian Thrun, who helped start Google’s autonomous car unit as the director of Google X, has been testing a new kind of fully electric, self-piloting flying taxi. This is an altogether different project from the one you might have seen last year in a viral video of a single-pilot recreational aircraft that was being tested over water, and it’s much more ambitious.
[…]
Now that project is about to go public: On Tuesday, Mr. Page’s company and the prime minister of New Zealand, Jacinda Ardern, will announce they have reached an agreement to test Kitty Hawk’s autonomous planes as part of an official certification process. The hope is that it will lead to a commercial network of flying taxis in New Zealand in as soon as three years.
[…]
Mr. Page’s ambitions to create taxis in the sky has a sense of gravity, excuse the pun, not just because of his deep pockets and the technological prowess of his team but also because of Mr. Reid, who is a former chief executive of Virgin America. Before that he was president of Delta Air Lines and president of Lufthansa Airlines, where he was co-architect of the Star Alliance.

In an interview, Mr. Reid said the opportunity to use New Zealand as the first place to commercialize the autonomous taxi service was a step-change in the advancement of the sector. Kitty Hawk is already working on an app that would allow customers to hail one of its air taxis.

The aircraft, known as Cora, has a wingspan of 36 feet with a dozen rotors all powered by batteries. It can fly about 62 miles and carry two passengers. (Its code name had been Zee.Aero — hence all the speculation and confusion.) The plan, at least for now, isn’t for Kitty Hawk to sell the vehicles; it wants to own and operate a network of them itself.

Source: Larry Page’s Flying Taxis, Now Exiting Stealth Mode – The New York Times

Artists Protest Elite Art World With Unauthorized AR Gallery at the MoMA

On Friday, eight artists launched an augmented reality gallery at the Museum of Modern Art in New York, digitally overlaying their artwork over the museum’s. Motherboard reports the guerrilla installation was created and deployed without the museum’s permission. “Hello, we’re from the internet” is an “unauthorized gallery concept aimed at democratizing physical exhibition spaces, museums, and the curation of art within them,” according to MoMAR, which developed the exhibit. “MoMAR is non-profit, non-owned, and exists in the absence of any privatized structures,” the group’s website states.

Source: Artists Protest Elite Art World With Unauthorized AR Gallery at the MoMA

World’s biggest DDoS attack record broken after just five days using poorly configured memcache servers

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the provider had taken adequate safeguards, but it’s clear that the memcached attack is going to be a feature network managers are going to have to take seriously in the future.

The attacks use shoddily secured memcached database servers to amplify attacks against a target. The assailant spoofs the UDP address of its victim and pings a small data packet at a memcached server that doesn’t have an authenticated traffic requirement in place. The server responds by firing back as much as 50,000 times the data it received.

With multiple data packets sent out a second, the memcached server unwittingly amplifies the deluge of data that can be sent against the target. Without proper filtering and network management, the tsunami of data can be enough to knock some providers offline.

There are some simple mitigation techniques, notably blocking off UDP traffic from Port 11211, which is the default avenue for traffic from memcached servers. In addition, the operators of memcached servers need to lock down their systems to avoid taking part in such denial of service attacks.

Source: World’s biggest DDoS attack record broken after just five days • The Register
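
The lock-down advice above, as a check an operator can run over a memcached options file. This is an added example, not code from The Register or the memcached project: it assumes a Debian-style memcached.conf (command-line options, one or more per line) and the -U / --udp-port and -l / --listen options; the sample configurations and the finding codes are constructed.

```python
import ipaddress
import shlex


def parse_options(conf_text):
    """Return (udp_port or None, [listen addresses]) from memcached.conf-style text."""
    udp_port, listen = None, []
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)   # drops '#' comments
        i = 0
        while i < len(tokens):
            tok, name, value = tokens[i], None, None
            if tok in ("-U", "-l") and i + 1 < len(tokens):
                name, value = tok, tokens[i + 1]
                i += 1
            elif tok[:2] in ("-U", "-l") and len(tok) > 2:      # attached form, e.g. -U0
                name, value = tok[:2], tok[2:]
            elif tok.startswith("--udp-port="):
                name, value = "-U", tok.split("=", 1)[1]
            elif tok.startswith("--listen="):
                name, value = "-l", tok.split("=", 1)[1]
            if name == "-U":
                udp_port = int(value)
            elif name == "-l":
                listen.extend(a.strip() for a in value.split(",") if a.strip())
            i += 1
    return udp_port, listen


def is_loopback(addr):
    """True when a listen address is only reachable from the local host."""
    host = addr
    if host.startswith("["):               # [v6]:port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:             # v4-or-name:port
        host = host.split(":", 1)[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                       # unknown name: treat as reachable off-host


def audit(conf_text):
    """Return a list of (code, message) findings; an empty list means locked down."""
    udp_port, listen = parse_options(conf_text)
    findings = []
    if udp_port is None:
        # Older releases enable UDP when -U is absent, so do not rely on the default.
        findings.append(("udp-default", "no -U option; set -U 0 explicitly"))
    elif udp_port != 0:
        findings.append(("udp-enabled", f"UDP listener on port {udp_port}"))
    if not listen:
        findings.append(("listen-any", "no -l option; listening on all interfaces"))
    else:
        off_host = [a for a in listen if not is_loopback(a)]
        if off_host:
            findings.append(("listen-off-host", "reachable on " + ", ".join(off_host)))
    return findings


def amplifier_risk(conf_text):
    """UDP not switched off AND reachable from other hosts: usable as a reflector."""
    codes = {code for code, _ in audit(conf_text)}
    return bool(codes & {"udp-default", "udp-enabled"}) and \
        bool(codes & {"listen-any", "listen-off-host"})


# Constructed sample configurations.
EXPOSED = "-m 64\n-p 11211\n-u memcache\n# -l 127.0.0.1\n"
HARDENED = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"
MIXED = "--listen=127.0.0.1,10.0.0.5 --udp-port=11211\n"

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED), ("hardened", HARDENED), ("mixed", MIXED)):
        print(label, amplifier_risk(conf), audit(conf))
```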

Air gapping PCs won’t stop data sharing thanks to sneaky speakers

Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure.

In an academic paper published on Friday through preprint service ArXiv, researchers from Israel’s Ben-Gurion University of the Negev describe a novel data exfiltration technique that allows the transmission and reception of data – in the form of inaudible ultrasonic sound waves – between two computers in the same room without microphones.

The paper, titled, “MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication,” was written by Mordechai Guri, Yosef Solwicz, Andrey Daidakulov and Yuval Elovici, who have developed a number of other notable side-channel attack techniques.

These include: ODINI, a way to pass data between Faraday-caged computers using electrical fields; MAGNETO, a technique for passing data between air-gapped computers and smartphones via electrical fields; and FANSMITTER, a way to send acoustic data between air-gapped computers using fans.

Source: Air gapping PCs won’t stop data sharing thanks to sneaky speakers • The Register

Amadeus invests in CrowdVision to help airports manage growing passenger volumes using AI camera tech

CrowdVision is an early stage company that uses computer vision software and artificial intelligence to help airports monitor the flow of passengers in real time to minimise queues and more efficiently manage resources. The software is designed to comply fully with data privacy and security legislation.

CrowdVision data improves plans and can help airports react decisively to keep travellers moving and make their experience more enjoyable. CrowdVision’s existing airport customers are benefiting from reduced queues and waiting times, leaving passengers to spend more time and more money in retail areas. Others have optimised allocation of staff, desks, e-gates and security lanes to make the most of their existing infrastructure and postpone major capital expenditure on expansions.

Source: Amadeus invests in CrowdVision to help airports manage growing passenger volumes

It Took Almost 10 Days to 3D-Print This Giant Millennium Falcon Model

Typically, when we see 3D-printed replicas as large as this 2.3-foot long Millennium Falcon, they’re assembled from hundreds of smaller 3D-printed parts. But YouTube’s stonefx83 didn’t want to go to all that trouble, so he simply scaled up Andrew Askedall’s 3D model of the Falcon, and then let his printer run for over nine days and 21 hours straight.

The machine consumed over six-and-a-half pounds of plastic filament in the process, and thankfully didn’t screw up once, which would have required the entire print to be restarted from scratch. Oh, that’s why no one 3D-prints giant models like this in one pass.

Source: It Took Almost 10 Days to 3D-Print This Giant Millennium Falcon Model

Stanford brainiacs say they can predict Reddit raids

A study [PDF] based on observations from 36,000 subreddit communities has found that online dust-ups can be predicted, and the people most likely to cause them can be identified.

“Our analysis revealed a number of important trends related to conflict on Reddit, with general implications for intercommunity conflict on the web.”

Among the takeaways were that a small group of bad actors are indeed stirring up most of the conflict; around 75 per cent of the raids were triggered by 1 per cent of users.

The study also noted that ignoring the trolls doesn’t always work – conflicts grow worse when users stay within ‘echo chambers’ on their own threads, and long-term traffic losses were lessened when the ‘defending’ users directly confronted the forum intruders rather than keep to themselves.

Perhaps the most important takeaway, however, was that forum conflicts could actually be predicted. The Stanford group say they developed a long short-term memory (LSTM) deep-learning formula that, when trained on the set of Reddit posts and user information gathered over the 40 month period, was able to reliably flag when a conflict or raid was likely to flare up on a subreddit.

Now, the Stanford group says it would like to extend the research to other platforms (such as Facebook and Twitter) and look at areas not addressed in the first report, including forums that restrict negative content.

Source: Stanford brainiacs say they can predict Reddit raids • The Register

Google opens Maps to bring the real world into games

Pokémon Go and other games that use real-world maps are all the rage, but there’s a catch: they typically depend on semi-closed map frameworks that weren’t intended for gaming, forcing developers to jump through hoops to use that mapping info. Google doesn’t want that to be an issue going forward. The search firm is both opening its Maps platform’s real-time data and offering new software toolkits that will help developers build games based on that data.

The software includes both a kit to translate map info to the Unity game engine as well as another to help make games using that location data. The combination turns buildings and other landmarks into customizable 3D objects, and lets you manipulate those objects to fit your game world. It can replace every real hotel with an adventurer’s inn, for instance, or add arbitrary points of interest for the sake of checkpoints.

Source: Google opens Maps to bring the real world into games

Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users

Researchers from German security firm Kromtech Security allege that until recently, MBM Company was improperly handling customer details. On February 6, they identified an unsecured Amazon S3 storage bucket, containing a MSSQL database backup file.

According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. He also claims the database contained plaintext passwords — which is a big security ‘no-no.’

In a press release, Diachenko said: “Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.”

The backup file was named ‘MBMWEB_backup_2018_01_13_003008_2864410.bak,’ which suggests the file was created on January 13, 2018. It’s believed to contain current information about the company’s customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year.

Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company.

Source: Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users

Who still stores user credentials in plain text?!

Illusory movement perception improves motor control for prosthetic hands

The ability to sense the spatial position and movements of one’s own body (kinesthetic sense) is critical for limb use. Because prostheses do not provide physical feedback during movement, amputees may not feel that they are in control of their bodily movements (sense of agency) when manipulating a prosthesis. Marasco et al. developed an automated neural-machine interface that vibrates the muscles used for control of prosthetic hands. This system instilled kinesthetic sense in amputees, allowing them to control prosthetic hand movements in the absence of visual feedback and increasing their sense of agency. This approach might be an effective strategy for improving motor performance and quality of life in amputees.

To effortlessly complete an intentional movement, the brain needs feedback from the body regarding the movement’s progress. This largely nonconscious kinesthetic sense helps the brain to learn relationships between motor commands and outcomes to correct movement errors. Prosthetic systems for restoring function have predominantly focused on controlling motorized joint movement. Without the kinesthetic sense, however, these devices do not become intuitively controllable. We report a method for endowing human amputees with a kinesthetic perception of dexterous robotic hands. Vibrating the muscles used for prosthetic control via a neural-machine interface produced the illusory perception of complex grip movements. Within minutes, three amputees integrated this kinesthetic feedback and improved movement control. Combining intent, kinesthesia, and vision instilled participants with a sense of agency over the robotic movements. This feedback approach for closed-loop control opens a pathway to seamless integration of minds and machines.

Source: Illusory movement perception improves motor control for prosthetic hands | Science Translational Medicine

Can AMD Vulnerabilities Be Used to Game the Stock Market?

On Tuesday, a little known security company claimed to have found vulnerabilities and backdoors in some AMD processors. Within some parts of the security community, the story behind the researchers’ discovery quickly became more interesting than the discovery itself.

The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an “obituary” for AMD.

“We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries,” Viceroy wrote in its report.

CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock.

“We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD’s share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock?

Security researcher Arrigo Triulzi speculated that Viceroy and CTS Labs were profit sharing for shorting, while Facebook’s chief security officer Alex Stamos warned against a future where security research is driven by short selling.

Yaron Luk, co-founder of CTS Labs, told Motherboard that “Viceroy is not a client of CTS, and CTS did not send its research to Viceroy.” When asked about the company’s financial motivations, Luk said that “we are a for-profit company that gets paid for its research by a variety of research clients.”

“We do not discuss our research clients,” he wrote in an email sent after publication of this article. “In addition, we are driven by the desire to make products more secure, and to protect users, as we hold companies responsible for their security practices.”

Viceroy’s founder, Fraser Perring, was adamant about his company’s intentions.

“We haven’t hidden the fact that we short the stock,” Perring said in a phone call with Motherboard. “Where does a company with these serious issues go? For us you can’t invest in it.”

Source: Can AMD Vulnerabilities Be Used to Game the Stock Market? – Motherboard

The 600+ Companies PayPal Shares Your Data With – Schneier on Security

One of the effects of GDPR — the new EU General Data Protection Regulation — is that we’re all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here’s a good visualization of that data.

Is 600 companies unusual? Is it more than average? Less? We’ll soon know.

Source: The 600+ Companies PayPal Shares Your Data With – Schneier on Security

Google: 60.3% of potentially harmful Android apps in 2017 were detected via machine learning

When Google shared earlier this year that more than 700,000 apps were removed from Google Play in 2017 for violating the app store’s policies (a 70 percent year-over-year increase), the company credited its implementation of machine learning models and techniques to detect abusive app content and behaviors such as impersonation, inappropriate content, or malware.

But the company did not share any details. Now we’re learning that 6 out of every 10 detections were thanks to machine learning. Oh, and the team says “we expect this to increase in the future.”

Every day, Play Protect automatically reviews more than 50 billion apps — these automatic reviews led to the removal of nearly 39 million PHAs last year, Google shared.

Source: Google: 60.3% of potentially harmful Android apps in 2017 were detected via machine learning | VentureBeat

Major Survey of IT Pros Reveals Why Everything Gets Hacked All the Damn Time, paying for ransomware is like flipping a coin

More than 1,000 security employees in as many as 17 countries participated in the survey. Most said the biggest hurdle to mounting an adequate defense against cyber threats today is the lack of skilled personnel. (Poor security awareness and an inability to sift through enormous piles of data tied for second place.)

The survey, which included 1,200 respondents working in 19 industries, was compiled by CyberEdge Group, a research and marketing firm serving high-tech vendors and service providers.

More interesting is the feedback collected from respondents who said their organizations were infected with ransomware in the last year. (Ransomware tied with phishing attacks for the second most crucial security concern; the first, as per usual, is malware.)

Slightly more than half of the respondents’ organizations that actually paid a ransom to recover stolen or encrypted data—either in Bitcoin or some other anonymous currency—were unable to recover their data. In total, the report says, a little under 39 percent of the organizations resolved to pay.

“Flip a coin once to determine whether your organization will be affected by ransomware,” CyberEdge suggests. “If it will be, flip it again to determine whether paying the ransom will actually get your data back.”

Source: Major Survey of IT Pros Reveals Why Everything Gets Hacked All the Damn Time

Samba allows anyone to change everyone’s password

On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).

The LDAP server incorrectly validates certain LDAP password modifications against the "Change Password" privilege, but then performs a password reset operation.

Source: Samba – Security Announcement Archive
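
The mismatch the announcement describes, a check made against one privilege while a different operation is carried out, shown as a toy model with the flawed handler beside one that derives the required right from the operation actually performed. This is an added example, not Samba's code and not an LDAP implementation: the account names, the rule that a request without an old password is treated as a reset, and the assumption that every authenticated user holds the change right are all constructed for illustration.

```python
import hmac
from enum import Enum


class Right(Enum):
    CHANGE_PASSWORD = "change"  # caller must also prove knowledge of the old password
    RESET_PASSWORD = "reset"    # caller may set a new password without the old one


class AccessDenied(Exception):
    pass


class Directory:
    """Toy account store. Passwords are plain strings only to keep the model short."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.passwords = {}

    def rights_of(self, caller, target):
        # Modelling assumption: every authenticated user holds CHANGE_PASSWORD on
        # every account, while RESET_PASSWORD is held by administrators only.
        rights = {Right.CHANGE_PASSWORD}
        if caller in self.admins:
            rights.add(Right.RESET_PASSWORD)
        return rights


def _apply(directory, target, new, old):
    """Carry out the operation the request implies: change if `old` is given, else reset."""
    current = directory.passwords[target]
    if old is not None and not hmac.compare_digest(old.encode(), current.encode()):
        raise AccessDenied("old password does not match")
    directory.passwords[target] = new


def modify_password_flawed(directory, caller, target, new, old=None):
    # Check and action disagree: authorisation is always evaluated against
    # CHANGE_PASSWORD, yet a request without `old` is carried out as a reset.
    if Right.CHANGE_PASSWORD not in directory.rights_of(caller, target):
        raise AccessDenied("missing CHANGE_PASSWORD")
    _apply(directory, target, new, old)


def modify_password_checked(directory, caller, target, new, old=None):
    # Derive the required right from the operation that will actually run.
    required = Right.RESET_PASSWORD if old is None else Right.CHANGE_PASSWORD
    if required not in directory.rights_of(caller, target):
        raise AccessDenied(f"missing {required.name}")
    _apply(directory, target, new, old)


def attempt(handler, caller, target, new, old=None):
    """Run one request against a fresh constructed directory.

    Returns (allowed, password stored for `target` afterwards)."""
    d = Directory(admins={"administrator"})
    d.passwords = {"administrator": "admin-old", "alice": "alice-old"}
    try:
        handler(d, caller, target, new, old)
        return True, d.passwords[target]
    except AccessDenied:
        return False, d.passwords[target]


if __name__ == "__main__":
    for handler in (modify_password_flawed, modify_password_checked):
        print(handler.__name__,
              "user resets admin:", attempt(handler, "alice", "administrator", "x"),
              "| user changes own:", attempt(handler, "alice", "alice", "n", "alice-old"))
```

A regression test for this bug class exercises each request shape with a principal that holds only the weaker right and asserts that the stored password is unchanged.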

Madison Square Garden Has Used Face-Scanning Technology on Customers

Madison Square Garden has quietly used facial-recognition technology to bolster security and identify those entering the building, according to multiple people familiar with the arena’s security procedures.

The technology uses cameras to capture images of people, and then an algorithm compares the images to a database of photographs to help identify the person and, when used for security purposes, to determine if the person is considered a problem. The technology, which is sometimes used for marketing and promotions, has raised concerns over personal privacy and the security of any data that is stored by the system.

Source: Madison Square Garden Has Used Face-Scanning Technology on Customers