The Amazon Alexa Eavesdropping Nightmare Came True: Creepy Recordings sent to random stranger

An Amazon user in Germany recently requested data about his personal activities and inadvertently gained access to 1,700 audio recordings of someone he didn’t know.

Germany’s c’t magazine reports that in August the Amazon user—exercising his rights under the EU’s General Data Protection Regulation—requested his own data that Amazon has stored. Two months later, Amazon sent him a downloadable 100Mb zip file.

Some of the files reportedly related to his Amazon searches. But according to the report there were also hundreds of WAV files and a PDF cataloging transcripts of Alexa’s interpretations of voice commands. According to c’t magazine, this was peculiar to this user because he doesn’t own any Alexa devices and had never used the service. He also didn’t recognize the voices in the files.

The user reported the matter to Amazon and asked for information. He reportedly didn’t receive a response, but soon found that the link to the data was dead. However, he had already saved the files, and he shared his experience with c’t magazine out of concern that the person whose privacy had been compromised was not told about the mistake.

C’t magazine listened to many of the files and was able “to piece together a detailed picture of the customer concerned and his personal habits.” It found that he used Alexa in various places, has an Echo at home, and has a Fire device on his TV. They noticed that a woman was around at times. They listened to him in the shower.

We were able to navigate around a complete stranger’s private life without his knowledge, and the immoral, almost voyeuristic nature of what we were doing got our hair standing on end. The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.

Using the information they gathered from the recordings, the magazine contacted the victim of the data leak. He “was audibly shocked,” and confirmed it was him in the recordings and that the outlet had figured out the identity of his girlfriend. He said Amazon did not contact him.

Days later, both the victim and the receiver of the files were called by Amazon to discuss the incident. Both were reportedly called three days after c’t magazine contacted Amazon about the matter. An Amazon representative reportedly told them that one of their staff members had made a one-time error.

When asked for comment on the matter, Amazon sent Gizmodo the same statement it had shared with Reuters. “This was an unfortunate case of human error and an isolated incident. We have resolved the issue with the two customers involved and have taken steps to further improve our processes. We were also in touch on a precautionary basis with the relevant regulatory authorities.”

Amazon did not answer Gizmodo’s questions about how a human error led to this privacy infringement, or whether the company had initially contacted the victim to inform them their sensitive information was shared with a stranger.

Source: The Amazon Alexa Eavesdropping Nightmare Came True

Breakthrough ultrasound treatment to reverse dementia moves to human trials

An extraordinarily promising new technique using ultrasound to clear the toxic protein clumps thought to cause dementia and Alzheimer’s disease is moving to the first phase of human trials next year. The innovative treatment has proven successful across several animal tests and presents an exciting, drug-free way to potentially battle dementia.

The ultrasound treatment was first developed back in 2015 at the University of Queensland. The initial research was working to find a way to use ultrasound to temporarily open the blood-brain barrier with the goal of helping dementia-battling antibodies better reach their target in the brain. However, early experiments with mice surprisingly revealed the targeted ultrasound waves worked to clear toxic amyloid protein plaques from the brain without any additional therapeutic drugs.

“The ultrasound waves oscillate tremendously quickly, activating microglial cells that digest and remove the amyloid plaques that destroy brain synapses,” explained Jürgen Götz, one of the researchers on the project back in 2015. “The word ‘breakthrough’ is often mis-used, but in this case I think this really does fundamentally change our understanding of how to treat this disease, and I foresee a great future for this approach.”

Source: Breakthrough ultrasound treatment to reverse dementia moves to human trials

At Blind, a whistleblower site, a security lapse revealed private complaints from Silicon Valley employees. Turns out it’s not very safe to blow your whistle there after all.

Thousands of people trusted Blind, an app-based “anonymous social network,” as a safe way to reveal malfeasance, wrongdoing and improper conduct at their companies. But Blind left one of its database servers exposed without a password, making it possible (for anyone who knew where to look) to access each user’s account information and identify would-be whistleblowers.

[…]

The exposed server was found by a security researcher, who goes by the name Mossab H, who informed the company of the security lapse. The security researcher found one of the company’s Kibana dashboards for its backend Elasticsearch database, which contained several tables, including private messaging data and web-based content, for both its U.S. and Korean sites. Blind said the exposure only affects users who signed up or logged in between November 1 and December 19, and that the exposure relates to “a single server, one among many servers on our platform,” according to Blind executive Kyum Kim in an email.

Blind only pulled the database after TechCrunch followed up by email a week later. The company began emailing its users on Thursday after we asked for comment.

“While developing an internal tool to improve our service for our users, we became aware of an error that exposed user data,” the email to affected users said.

Kim said there is “no evidence” that the database was misappropriated or misused, but did not say how it came to that conclusion. When asked, the company would not say if it will notify U.S. state regulators of the breach.

[…]

At its core, the app and anonymous social network allows users to sign up using their corporate email address, which is said to be linked only to Blind’s member ID. Email addresses are “only used for verification” to allow users to talk to other anonymous people in their company, and the company claims that email addresses aren’t stored on its servers.

But after reviewing a portion of the exposed data, some of the company’s claims do not stand up.

We found that the database provided a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts. The database also revealed the unencrypted private messages between members but not their associated email addresses. (Given the high sensitivity of the data and the privacy of the affected users, we’re not posting data, screenshots or specifics of user content.)

Blind claims on its website that its email verification “is safe, as our patented infrastructure is set up so that all user account and activity information is completely disconnected from the email verification process.” It adds: “This effectively means there is no way to trace back your activity on Blind to an email address, because even we can’t do it.” Blind claims that the database “does not show any mapping of email addresses to nicknames,” but we found streams of email addresses associated with members who had not yet posted. In our brief review, we didn’t find any content, such as comments or messages, linked to email addresses, just a unique member ID, which could identify a user who posts in the future.

Many records did, however, contain plain text email addresses. When other records didn’t store an email address, the record contained the user’s email as an unrecognized encrypted hash — which may be decipherable to Blind employees, but not to anyone else.

The database also contained passwords, which were stored as an MD5 hash, a long-outdated algorithm that is nowadays easy to crack. Many of the passwords were quickly unscrambled using readily available tools when we tried. Kim denied this. “We don’t use MD5 for our passwords to store them,” he said. “The MD5 keys were a log and it does not represent how we are managing data. We use more advanced methods like salted hash and SHA2 on securing users’ data in our database.” (Logging in with an email address and unscrambled password would be unlawful, therefore we cannot verify this claim.) That may pose a risk to employees who use the same password on the app as they do to log in to their corporate accounts.

Despite the company’s apparent efforts to disassociate email addresses from its platform, login records in the database also stored user account access tokens — the same kind of tokens that recently put Microsoft and Facebook accounts at risk. If a malicious actor took and used a token, they could log in as that user — effectively removing any anonymity they might have had from the database in the first place.

As well-intentioned as the app may be, the database exposure puts users — who trusted the app to keep their information safe and their identities anonymous — at risk.

These aren’t just users, but also employees of some of the largest companies in Silicon Valley, who post about sexual harassment in the workplace and discuss job offers and workplace culture. Many of those who signed up in the past month include senior executives at major tech companies but don’t realize that their email address — which identifies them — could be sitting in plain text in an exposed database. Some users sent anonymous, private messages, in some cases making serious allegations against their colleagues or their managers, while others expressed concern that their employers were monitoring their emails for Blind sign-up emails.

Yet, it likely escaped many that the app they were using — often for relief, for empathy or as a way to disclose wrongdoing — was almost entirely unencrypted and could be accessed, not only by the app’s employees but also, for a time, by anyone on the internet.

Source: At Blind, a security lapse revealed private complaints from Silicon Valley employees | TechCrunch

New Photo Wake-Up System Turns Still Images Into 3D animations

The system, called Photo Wake-Up, creates a 3D animation from a single photo. In the paper, the researchers compare it to the moving portraits at Hogwarts, a fictitious part of the Harry Potter world that a number of tech companies have tried to recreate. Previous attempts have been mildly successful, but this system is impressive in its ability to isolate and create a pretty realistic 3D animation from a single image.

The researchers tested the system on 70 different photos they downloaded online, which included pictures of Stephen Curry, the anime character Goku, a Banksy artwork, and a Picasso painting. The team used a program called SMPL and deep learning, starting with a 2D cutout of the subject and then superimposing a 3D skeleton onto it. “Our key technical contribution, then, is a method for constructing an animatable 3D model that matches the silhouette in a single photo,” the team told MIT Technology Review.

The team reportedly used a warping algorithm to ensure the cutout and the skeleton were aligned. The team’s algorithm is also reportedly able to detect the direction a subject is looking and the way their head is angled. What’s more, in order to make sure the final animation is realistic and precise, the team used a proprietary user interface to correct for any errors and help with the animation’s texturing. An algorithm then isolates the subject from the 2D image, fills in the remaining space, and animates the subject.

Source: New Photo Wake-Up System Turns Still Images Into 3D animations

An Amoeba-Based Computer Calculated Approximate Solutions to an 8 city Travelling Salesman Problem

A team of Japanese researchers from Keio University in Tokyo have demonstrated that an amoeba is capable of generating approximate solutions to a remarkably difficult math problem known as the “traveling salesman problem.”

The traveling salesman problem goes like this: Given an arbitrary number of cities and the distances between them, what is the shortest route a salesman can take that visits each city and returns to the salesman’s city of origin? It is a classic problem in computer science and is used as a benchmark test for optimization algorithms.

The traveling salesman problem is considered “NP hard,” which means that the complexity of calculating a correct solution increases exponentially the more cities are added to the problem. For example, there are only three possible solutions if there are four cities, but there are 360 possible solutions if there are six cities. It continues to increase exponentially from there.

Despite the exponential increase in computational difficulty with each city added to the salesman’s itinerary, computer scientists have been able to calculate the optimal solution to this problem for thousands of cities since the early 90s and recent efforts have been able to calculate nearly optimal solutions for millions of cities.

Amoebas are single-celled organisms without anything remotely resembling a central nervous system, which makes them seem like less than suitable candidates for solving such a complex puzzle. Yet as these Japanese researchers demonstrated, a certain type of amoeba can be used to calculate nearly optimal solutions to the traveling salesman problem for up to eight cities. Even more remarkably, the amount of time it takes the amoeba to reach these nearly optimal solutions grows linearly, even though the number of possible solutions increases exponentially.

As detailed in a paper published this week in Royal Society Open Science, the amoeba used by the researchers is called Physarum polycephalum, which has been used as a biological computer in several other experiments. The reason this amoeba is considered especially useful in biological computing is because it can extend various regions of its body to find the most efficient way to a food source and hates light.

To turn this natural feeding mechanism into a computer, the Japanese researchers placed the amoeba on a special plate that had 64 channels that it could extend its body into. This plate is then placed on top of a nutrient-rich medium. The amoeba tries to extend its body to cover as much of the plate as possible and soak up the nutrients. Yet each channel in the plate can be illuminated, which causes the light-averse amoeba to retract from that channel.

To model the traveling salesman problem, each of the 64 channels on the plate was assigned a city code between A and H, in addition to a number from 1 to 8 that indicates the order of the cities. So, for example, if the amoeba extended its body into the channels A3, B2, C4, and D1, the correct solution to the traveling salesman problem would be D, B, A, C, D. The reason for this is that D1 indicates that D should be the first city in the salesman’s itinerary, B2 indicates B should be the second city, A3 that A should be the third city and so on.

To guide the amoeba toward a solution to the traveling salesman problem, the researchers used a neural network that would incorporate data about the amoeba’s current position and distance between the cities to light up certain channels. The neural network was designed such that cities with greater distances between them are more likely to be illuminated than channels that are not.

When the algorithm manipulates the chip that the amoeba is on, it is basically coaxing it into taking forms that represent approximate solutions to the traveling salesman problem. As the researchers told Phys.org, they expect that it would be possible to manufacture chips that contain tens of thousands of channels so that the amoeba is able to solve traveling salesman problems that involve hundreds of cities.

For now, however, the Japanese researchers’ experiment remains in the lab, but it provides the foundation for low-energy biological computers that harness the natural mechanisms of amoebas and other microorganisms to compute.

Source: An Amoeba-Based Computer Calculated Approximate Solutions to a Very Hard Math Problem – Motherboard

FCC fines Swarm $900,000 for unauthorized satellite launch

Swarm Technologies Inc will pay a $900,000 fine for launching and operating four small experimental communications satellites that risked “satellite collisions” and threatened “critical commercial and government satellite operations,” the Federal Communications Commission said on Thursday.

The California-based start-up founded by former Google and Apple engineers in 2016 also agreed to enhanced FCC oversight and a requirement of pre-launch notices to the FCC for three years.

Swarm launched the satellites in India last January after the FCC rejected its application to deploy and operate them, citing concerns about the company’s tracking ability.

It said Swarm had unlawfully transmitted signals between earth stations in the state of Georgia and the satellites for over a week. The investigation also found that Swarm performed unauthorized weather balloon-to-ground station tests and other unauthorized equipment tests prior to the satellites’ launch.

Swarm aims to provide low-cost space-based internet service and plans eventually to use a constellation of 100 satellites.

Swarm won permission in August from the FCC to reactivate the satellites and said then it is “fully committed to complying with all regulations and has been working closely with the FCC,” noting that its satellites are “100 percent trackable.”

Source: FCC fines Swarm $900,000 for unauthorized satellite launch | Reuters