Project Alias is a DIY project that deafens your home voice assistant until you want it to listen to you

Alias is a teachable “parasite” designed to give users more control over their smart assistants, both in terms of customisation and privacy. Through a simple app the user can train Alias to react to a custom wake-word or sound; once trained, Alias takes control of the home assistant by activating it for you.

When you aren’t using it, Alias keeps the assistant paralysed and unable to listen by jamming its microphones.

Follow the build guide on Instructables
or get the source code on GitHub


Alias acts as a middle-man device designed to appropriate any voice-activated device. Equipped with speakers and a microphone, Alias can communicate with and manipulate the home assistant when placed on top of it. Alias’s speakers jam the assistant with a constant low noise that feeds directly into the assistant’s microphones. When Alias recognises the user-created wake-word, it stops the noise and quietly activates the assistant with a recording of the original wake-word. From there the assistant can be used as normal.

The wake word detection is made with a small neural network that runs locally on Alias, which can be trained and modified through live examples. The app acts as a controller to reset, train and turn on/off Alias.

The way Alias manipulates the home assistant makes it possible to create custom functionality and commands that the products were never intended for. Alias can be programmed to play any speech command through its own speakers into the assistant, which opens up a lot of new possibilities.

Source: Bjørn Karmann › project_alias

International stock trading scheme hacked into SEC database EDGAR – again

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission’s EDGAR corporate filing system.

The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were “test filings,” which corporations upload to the SEC’s website.

The charges were announced Tuesday by Craig Carpenito, U.S. Attorney for the District of New Jersey, alongside the SEC, the Federal Bureau of Investigation and the U.S. Secret Service, which investigates financial crimes.


The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services.

Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. “After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public,” he said.

Those documents included quarterly earnings, merger and acquisition plans and other sensitive news, and the criminals were able to view them before they were released as public filings and moved the individual companies’ stock prices. The alleged hackers traded on the reports and also sold them to other illicit traders. One trader made $270,000 in a single day, according to Carpenito.

Risk factor

The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said. The EDGAR service operates in New Jersey, which is why the Justice Department office in Newark was involved in the case.

Stephanie Avakian, co-head of the SEC’s Division of Enforcement, said the same criminals also stole advance press releases sent to three newswire services, though she didn’t name the newswires. The hackers used multiple broker accounts to collect the illicit gains, she said.

Two Ukrainians were charged by the Justice Department with hacking the database — Oleksandr Ieremenko and Artem Radchenko. Further individuals and entities were also named in a civil suit by the SEC for trading on the illicit information: Sungjin Cho, David Kwon, Igor Sabodakha, Victoria Vorochek, Ivan Olefir, Andrey Sarafanov, Capyield Systems, Ltd. (owned by Olefir) and Spirit Trade Ltd.

Consolidated Audit Trail fears

Also at the time, the incident sparked fears over the SEC’s Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order — either stock or option — made in the U.S., with the goal of providing enough data to analyze for detecting market manipulations and other malicious behavior.

Full implementation of the CAT has been plagued by delays, with equities reporting now scheduled to begin in November. The New York Stock Exchange has asked the SEC to consider limiting the amount of data collected by the CAT, which would include data on around 58 billion daily trades, as well as the personal details of individuals making the trades, including their Social Security numbers and dates of birth.

In September 2017, SEC chairman Jay Clayton announced the EDGAR database had been hacked in a lengthy statement. The commission said the database was penetrated in 2016 but the incident wasn’t detected until August 2017.

“Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic,” Clayton said at the time. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

Source: International stock trading scheme hacked into SEC database

North Korean Hackers Gain Access to Chilean ATMs Through Skype

The one thing no one expects on a job interview is North Korean hackers picking up on the other line. But that’s apparently exactly what happened to a hapless employee at Redbanc, the company that handles Chile’s ATM network.

The bizarre story was reported in trendTIC, a Chilean tech site. A Redbanc employee found a job opening on LinkedIn for a developer position. After setting up a Skype interview, the employee was then asked to install a program called ApplicationPDF.exe on their computer, trendTIC reports. The program was reportedly explained to be part of the recruitment process and generated a standard application form. But it was not an application form, it was malware.

Because the malware was then installed on a company computer, the hackers reportedly received important info about the employee’s work computer, including username, hardware and OS, and proxy settings. With all that info, the hackers would then be able to later deliver a second-stage payload to the infected computer.
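The sequence described above, a document-lookalike executable launched out of a chat session and then enumerating the host, is cheap to hunt for in endpoint telemetry. The Python below is an added example of that triage logic, not code from the article, from Flashpoint or from any of the investigators. It runs over constructed process-creation events in a Sysmon-like shape (the hosts, users, PIDs, paths and command lines are invented), flags executables in user-writable directories whose names pose as documents, and attributes any reconnaissance commands run by their descendants back to the dropper.

```python
"""Hunt the Redbanc pattern in endpoint telemetry: a document-lookalike executable
run from a user-writable folder (here dropped during a Skype session), whose child
processes then enumerate the user, host/OS and proxy settings for a second stage."""
import re
from collections import defaultdict

# Constructed Sysmon-like process-creation events; hosts, users, PIDs and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2018-12-19T15:02:11", "host": "WS-0142", "user": "CORP\\jperez", "pid": 4120, "ppid": 3988,
     "parent": "C:\\Program Files\\Skype\\Skype.exe",
     "image": "C:\\Users\\jperez\\Downloads\\ApplicationPDF.exe", "cmdline": "ApplicationPDF.exe"},
    {"ts": "2018-12-19T15:02:13", "host": "WS-0142", "user": "CORP\\jperez", "pid": 4131, "ppid": 4120,
     "parent": "C:\\Users\\jperez\\Downloads\\ApplicationPDF.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2018-12-19T15:02:14", "host": "WS-0142", "user": "CORP\\jperez", "pid": 4137, "ppid": 4120,
     "parent": "C:\\Users\\jperez\\Downloads\\ApplicationPDF.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2018-12-19T15:02:15", "host": "WS-0142", "user": "CORP\\jperez", "pid": 4142, "ppid": 4120,
     "parent": "C:\\Users\\jperez\\Downloads\\ApplicationPDF.exe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer'},
    # Benign noise: a real PDF reader opening a CV, and an admin running whoami on another host.
    {"ts": "2018-12-19T15:03:00", "host": "WS-0142", "user": "CORP\\jperez", "pid": 5200, "ppid": 1200,
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe",
     "cmdline": "AcroRd32.exe C:\\Users\\jperez\\Downloads\\CV.pdf"},
    {"ts": "2018-12-19T15:05:40", "host": "WS-0200", "user": "CORP\\admin", "pid": 812, "ppid": 790,
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /groups"},
]

# Names that pose as documents; gated by the user-writable-path check so that system or
# vendor binaries such as cvtres.exe or a PDF reader's own executable are not flagged.
DOC_TOKENS = re.compile(r"pdf|docx?|xlsx?|pptx?|resume|form|invoice|cv", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|js|vbs|hta)$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\|\\Temp\\", re.I)
CHAT_OR_BROWSER_PARENTS = {"skype.exe", "teams.exe", "slack.exe", "chrome.exe",
                           "firefox.exe", "msedge.exe", "iexplore.exe", "outlook.exe"}
# What the first stage in the article collected: user, hardware/OS and proxy configuration.
RECON = {
    "user": re.compile(r"\bwhoami\b|\bnet user\b", re.I),
    "host/os": re.compile(r"\bsysteminfo\b|\bhostname\b|\bwmic\s+(os|computersystem|cpu)\b|Get-ComputerInfo", re.I),
    "network": re.compile(r"ipconfig\s+/all|\bnetstat\b|\barp\s+-a\b", re.I),
    "proxy": re.compile(r"netsh\s+winhttp\s+show\s+proxy|Internet Settings|ProxyServer|ProxyEnable|AutoConfigURL", re.I),
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_document_lookalike(image):
    """An executable in a user-writable folder whose file name pretends to be a document."""
    name = basename(image)
    if not EXEC_EXT.search(name) or not USER_WRITABLE.search(image):
        return False
    stem = name.rsplit(".", 1)[0]          # "ApplicationPDF" or "resume.docx"
    return bool(DOC_TOKENS.search(stem))


def classify_recon(cmdline):
    """Which reconnaissance categories a command line touches (empty list if none)."""
    return [cat for cat, rx in RECON.items() if rx.search(cmdline)]


def triage(events):
    """Return one finding per document-lookalike dropper, with the recon its descendants ran."""
    by_host = defaultdict(dict)             # host -> pid -> event (pid reuse ignored for brevity)
    for e in events:
        by_host[e["host"]][e["pid"]] = e
    findings = []
    for host, procs in by_host.items():
        droppers = {pid for pid, e in procs.items() if is_document_lookalike(e["image"])}
        if not droppers:
            continue
        recon = defaultdict(list)
        for e in procs.values():
            cats = classify_recon(e["cmdline"])
            if not cats:
                continue
            pid, seen = e["ppid"], set()    # walk up the process tree until a dropper or the root
            while pid in procs and pid not in seen:
                if pid in droppers:
                    recon[pid].append((e["ts"], e["cmdline"], cats))
                    break
                seen.add(pid)
                pid = procs[pid]["ppid"]
        for pid in sorted(droppers):
            d = procs[pid]
            hits = sorted(recon[pid])
            cats = sorted({c for _, _, cs in hits for c in cs})
            from_chat = basename(d["parent"]).lower() in CHAT_OR_BROWSER_PARENTS
            severity = "high" if (cats and from_chat) else "medium" if cats else "low"
            findings.append({"host": host, "user": d["user"], "dropper": d["image"], "parent": d["parent"],
                             "first_seen": d["ts"], "recon_categories": cats,
                             "recon_commands": [cmd for _, cmd, _ in hits], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['dropper']} (parent {basename(f['parent'])})")
        for cmd in f["recon_commands"]:
            print("    ->", cmd)
```

The path gate matters more than the name list: almost every false positive of a name-based rule lives under Program Files or System32, while almost every real dropper of this kind lives under Downloads, AppData or Temp. Severity climbs only when the descendants actually enumerate the host, which is the step that tells you a second stage is coming.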

As for the link to North Korea, an analysis by security firm Flashpoint indicates the malware utilized PowerRatankba, a malicious toolkit associated with Lazarus Group, a hacking organization with ties to Pyongyang. If you haven’t heard of these guys, you’ve definitely heard of the stuff they’ve been up to. Also known as Hidden Cobra, the Lazarus Group is linked with the Sony hack in 2014 and the WannaCry ransomware outbreak, which infected 230,000 computers in 150 countries in 2017. They’re also known for targeting major banking and financial institutions and have reportedly absconded with $571 million in cryptocurrency since January 2017.

The hack reportedly took place at the end of December, but it was only made public after Chilean Senator Felipe Harboe took to Twitter last week to blast Redbanc for keeping the breach secret. Redbanc later acknowledged the breach occurred in a statement, but the company failed to mention any details.

That said, there were some serious security 101 no-no’s committed by the Redbanc employee that we can all learn from. Mainly, it doesn’t matter how much you hate your current gig, you should be suspicious if a prospective employer asks you to download any program that asks for personal information. Also, for multiple common-sense reasons, maybe don’t do job interviews on your dedicated work computer. And while it’s hard these days not to take work home, for security reasons, you should definitely be more discerning about the programs you download onto a work-issued device. Sounds simple enough, but then again, it happened to this poor fellow.

[ZDNet]

Source: North Korean Hackers Gain Access to Chilean ATMs Through Skype

Do you feel ‘lucky’, well, do you, punk? Google faces down magic button patent claim

Google has won a patent dispute over its famous “I’m feeling lucky” button that immediately connects a user to its top-ranking search link with a single click.

The search engine giant was sued in 2016 by Israeli company Spring Ventures (previously Buy2 Networks) for allegedly infringing on its patent, US 8,661,094, that covers displaying a web page without extra user input.

The patent was originally filed in 1999, and the company won a continuation of it in 2014. Soon after it started sending letters to Google insisting that its button infringed at least 14 separate aspects of the patent because it allowed users to reach a webpage without providing a specific URL.

Google, funnily enough, ignored the upstart’s licensing demands, and so Spring Ventures sued in the United States. In response, Google went to the Patent Trial and Appeal Board (PTAB) and asked it to review the patent’s validity.

And the three-judge panel came back this week with its answer: the patent was not valid because of its “obviousness.”

That may sound like a harsh putdown but in the rarefied world of patent law, the term “obvious” has a tediously precise meaning. You can read the full decision to find out precisely what it means but we don’t recommend it: patent lawyers have a habit of turning written English into a gaspingly turgid explanation of a concept.

And so here is the plain English version: Spring Ventures patented a system for finding web pages that were not written in English (presumably there is a Yiddish aspect in there). The internet and the world wide web to this day remain a painfully ASCII medium thanks to all their early inventors only speaking English and so only writing that in their code.

This created a lot of problems for people used to non-ASCII symbols and letters in their everyday written language and so Spring Ventures patented a way for people to type in something very close to a non-ASCII name in ASCII and have it automatically figure out what they were looking for. Useful stuff.

For example.com

At some point however it decided that this meant it had control over any system that automatically took a user to a website without them typing in the full website address e.g. example.com.

Google took issue with this argument and pointed out that this wasn’t exactly the first time that people had thought about how to make the vast landscape of web pages more manageable.

And so it dug back into the annals of internet browsing history and specifically Joe Belfiore’s patent for “Intelligent automatic searching” which he developed while working for Microsoft back in the Internet Explorer days (Belfiore is still at Microsoft btw). He filed it back in 1997.

There is another earlier patent too – Bernardo Sotomayor’s one for “Qualified searching of electronically stored documents” – which was explained in an article in Infoworld back in 1997 written by Serge Koren and talking about a product called EchoSearch.

Basically, Belfiore came up with a system for passing a search request in a browser bar that wasn’t a full URL through to a search engine and giving the user a results page – rather than just saying “this webpage doesn’t exist.” And EchoSearch was Java-run software that displayed results from several search engines pulled into a single page in response to a specific search.

Obvious, mate

Google argued that, considering these two systems were already in place and in use before Spring Ventures made its patent application, its whole concept was not some new imaginative leap that needed protecting but instead a pretty obvious thing that people were already doing.

And the patent board agreed [PDF].

The lawsuit that Spring Ventures initiated against Google has been on hold until the PTAB made a determination and will now die unless the Israeli firm appeals and successfully persuades the board to reverse its decision – something that is possible given that the USPTO just changed its guidelines to make it easier to patent software applications. But it seems unlikely.

Which is lucky for Google. We can only imagine the payout if its one-click button had been found to be infringing a patent.

Source: Do you feel ‘lucky’, well, do you, punk? Google faces down magic button patent claim • The Register

Incredible, the amount of money that must have been spent on lawyers to come to this obvious conclusion.

South Korea says mystery hackers cracked advanced weapons servers

The South Korean Ministry of National Defense says 10 of its internal PCs have been compromised by unknown hackers.

Korea’s Dong-A Ilbo reports that the targeted machines belonged to the ministry’s Defense Acquisition Program Administration, the office in charge of military procurement.

The report notes that the breached machines would have held information on purchases for things such as “next-generation fighter jets,” though the Administration noted that no confidential information was accessed by the yet-to-be-identified infiltrators.

The mystery hackers got into the machines on October 4 of last year. Initially trying to break into 30 machines, the intruders only managed to compromise 10 of their targets.

After traversing the networks for more than three weeks the intrusion was spotted on October 26 by the National Intelligence Service, who noticed unusual activity on the procurement agency’s intellectual property servers.

An investigation eventually unearthed the breach, and concluded that the mystery hackers did get into a number of machines but didn’t steal anything that would be of use to a hostile government.

The incident was disclosed earlier this week in a report from a South Korean politician.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Dong-A Ilbo quotes the politician as saying.

“Further investigation to find out if the source of attacks is North Korea or any other party.”

The report notes that the attack on the Defense Acquisition Program Administration appears to be part of a larger effort by an unknown group to infiltrate networks throughout the South Korean government in order to steal data.

The government says it is working on “extra countermeasures” to prevent future attacks by mystery foreign groups.

Source: South Korea says mystery hackers cracked advanced weapons servers • The Register

Converting Cancer Cells to Fat Cells to Stop Cancer’s Spread

A method for turning breast cancer cells into fat cells has been discovered by researchers from the University of Basel. The team were able to transform EMT-derived breast cancer cells into fat cells in a mouse model of the disease, preventing the formation of metastases. The proof-of-concept study was published in the journal Cancer Cell.

Malignant cells can rapidly respond and adapt to changing microenvironmental conditions, by reactivating a cellular process called epithelial-mesenchymal transition (EMT), enabling them to alter their molecular properties and transdifferentiate into a different type of cell (cellular plasticity).

Senior author of the study Gerhard Christofori, professor of biochemistry at the University of Basel, commented in a recent press release: “The breast cancer cells that underwent an EMT not only differentiated into fat cells, but also completely stopped proliferating.”

“As far as we can tell from long-term culture experiments, the cancer cells-turned-fat cells remain fat cells and do not revert back to breast cancer cells,” he explained.

Source: Converting Cancer Cells to Fat Cells to Stop Cancer’s Spread | Technology Networks

Forget Finding Nemo: This AI can identify a single zebrafish out of a 100-strong shoal

AI systems excel in pattern recognition, so much so that they can stalk individual zebrafish and fruit flies even when the animals are in groups of up to a hundred.

To demonstrate this, a group of researchers from the Champalimaud Foundation, a private biomedical research lab in Portugal, trained two convolutional neural networks to identify and track individual animals within a group. The aim is not so much to match or exceed humans’ ability to spot and follow stuff, but rather to automate the process of studying the behavior of animals in their communities.

“The ultimate goal of our team is understanding group behavior,” said Gonzalo de Polavieja. “We want to understand how animals in a group decide together and learn together.”

The resulting machine-learning software, known as idtracker.ai, is described as “a species-agnostic system.” It’s “able to track all individuals in both small and large collectives (up to 100 individuals) with high identification accuracy—often greater than 99.9 per cent,” according to a paper published in Nature Methods on Monday.

The idtracker.ai software is split into a crossing-detector network and an identification network. First, it is fed video footage of the animals interacting in their enclosures. In the zebrafish experiment, for example, the system pre-processes the fish into coloured blobs and learns to tell which blobs are single animals and which are animals touching or crossing past one another. The identification network is then used to identify the individual animals during each crossing event.

Surprisingly, it reached an accuracy rate of up to 99.96 per cent for groups of 60 zebrafish and increased to 99.99 per cent for 100 zebrafish. Recognizing fruit flies is harder. Idtracker.ai was accurate to 99.99 per cent for 38 fruit flies, but decreased slightly to 99.95 per cent for 72 fruit flies.

Source: Forget Finding Nemo: This AI can identify a single zebrafish out of a 100-strong shoal • The Register

Cottoning on: Chinese seed sprouts on moon

A small green shoot is growing on the moon in an out-of-this-world first after a cotton seed germinated on board a Chinese lunar lander, scientists said Tuesday.

The sprout has emerged from a lattice-like structure inside a canister since the Chang’e-4 lander set down earlier this month, according to a series of photos released by the Advanced Technology Research Institute at Chongqing University.

“This is the first time humans have done biological growth experiments on the ,” said Xie Gengxin, who led the design of the experiment.

The Chang’e-4 probe—named after a Chinese moon goddess—made the world’s first soft landing on the moon’s “dark side” on January 3, a major step in China’s ambitions to become a space superpower.

Scientists from Chongqing University —who designed the “mini lunar biosphere” experiment—sent an 18-centimetre (seven-inch) bucket-like container holding air, water and soil.

Inside are cotton, potato, and arabidopsis seeds—a plant of the mustard family—as well as fruit fly eggs and yeast.

Images sent back by the probe show a cotton sprout has grown well, but so far none of the other plants has taken, the university said.

Read more at: https://phys.org/news/2019-01-cottoning-chinese-seed-moon.html#jCp

Source: Cottoning on: Chinese seed sprouts on moon

Relying on karma: Research explains why outrage doesn’t usually result in revolution

If you’re angry about the political feud that drove the federal government to partially shut down, or about a golden parachute for a CEO who ran a business into the ground, you aren’t alone—but you probably won’t do much about it, according to new research by Carnegie Mellon University’s Tepper School of Business.

The research, coauthored by Rosalind Chow, Associate Professor of Organizational Behavior and Theory, and Jeffrey Galak, Associate Professor of Marketing, outlines how people respond to two types of injustices: when bad things happen to good people, and when good things happen to bad people.

In the first instance—a bad thing happening to a good person, such as a hurricane devastating a town—human beings are reliably motivated to help, but only in a nominal way, according to the research.

“Everybody wants to help. They just do it to a small degree,” Galak explains. “When a hurricane happens, we want to help, but we give them 10 bucks. We don’t try to build them a new house.”

This response illustrates that even a small amount can help us feel that justice is restored, Chow explains: “You checked the box of doing something good, and the world seems right again.”

But the converse is not necessarily true: When the universe rewards bad people despite their rotten behavior, people are usually reluctant to do anything about it, even when they’re angry at the unfairness of the situation.

That’s because people often feel that the forces at play in creating the unfair situation are beyond their control, or would at least be too personally costly to make the effort worthwhile, Galak says. So, we stay angry, but often we settle for the hope that karma will eventually catch up.

On the rare occasions when people do decide to take action against a bad person, the research says they go for broke, spending all their resources and energy—not just a token amount—in an effort to deprive that person of everything they shouldn’t have gotten. The desire to completely wipe out a bad person’s ill-gotten gains is driven by a sense that justice will not be served until the bad person is effectively deterred from future bad behavior, which is unlikely to be the case if the punishment is a slap on the wrist. For example, for individuals who believe that President Trump was unjustly awarded the presidency, indictment may be seen as insufficient to deter future bad behavior on his part. Only by completely removing his fortune—impeachment from the presidency, dissolution of his businesses—does justice seem to be adequately served. But given that those outcomes are unlikely, many Americans stew in anger and hope for the best.

So when ordinary people see bad things happening to good people, pitching in a few dollars feels good enough. Pitching in a few dollars to punish a bad person who has been unjustly rewarded, however, doesn’t cut it; only when people feel that their actions are guaranteed to send an effective signal to the bad person will they feel compelled to act. Since that sort of guarantee is hard to come by, most people will just stand by and wait for karma to catch up.

Read more at: https://phys.org/news/2019-01-karma-outrage-doesnt-result-revolution.html#jCp

Source: Relying on karma: Research explains why outrage doesn’t usually result in revolution

However, it doesn’t answer the question: what then does result in revolution?

202 Million private Chinese resumes exposed

On December 28th, Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, analyzed the data stream of the BinaryEdge search engine and identified an open and unprotected MongoDB instance.

The same IP also appeared in Shodan search results.

Upon closer inspection, an 854 GB sized MongoDB database was left unattended, with no password/login authentication needed to view and access the details of what appeared to be more than 200 million very detailed resumes of Chinese job seekers.

Each of the 202,730,434 records contained the details not only on the candidates’ skills and work experience but also on their personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.

See more details in the PDF factsheet

The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository (the page is no longer available but is still saved in Google’s cache) which contained web app source code with the same structural patterns as those used in the exposed resumes.

The tool named “data-import” (created 3 years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like bj.58.com and others.

It is unknown, whether it was an official application or illegal one used to collect all the applicants’ details, even those labeled as ‘private’.

Upon additional request, the security team of BJ.58.com did not confirm that the data originated from their source:

We have searched all over our database and investigated all the other storage, and it turned out that the sample data is not leaked from us.

It seems that the data is leaked from a third party who scrapes data from many CV websites.

Shortly after my notification on Twitter, the database had been secured. It’s worth noting that MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline.
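The log observation above is the forensic question an exposed database leaves behind: who connected, with which client, and how much did they read before it was locked down. The Python below is an added example of that triage, not the author’s or HackenProof’s tooling. It parses constructed lines in the MongoDB 3.x/4.0 text log format (the addresses, connection numbers, namespaces and timings are invented, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external addresses), groups the activity by remote IP, and lists the external clients that ran read operations.

```python
"""Triage a mongod log after an exposure: who connected, from where, with which
client, what they ran and how much data came back to them."""
import ipaddress
import re
from collections import Counter

# Constructed lines in the MongoDB 3.x/4.0 text log format; IPs, connection numbers and
# namespaces are invented. 203.0.113.0/24 and 198.51.100.0/24 stand in for external addresses.
SAMPLE_LOG = """\
2018-12-28T09:14:02.113+0000 I NETWORK  [listener] connection accepted from 203.0.113.5:49812 #42 (3 connections now open)
2018-12-28T09:14:02.140+0000 I NETWORK  [conn42] received client metadata from 203.0.113.5:49812 conn42: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.0.4" }, os: { type: "Linux" } }
2018-12-28T09:14:05.902+0000 I COMMAND  [conn42] command resumes.cv command: find { find: "cv", filter: {}, limit: 1000 } planSummary: COLLSCAN keysExamined:0 docsExamined:1000 numYields:7 nreturned:1000 reslen:1048576 locks:{} protocol:op_msg 3761ms
2018-12-28T09:15:44.001+0000 I NETWORK  [conn42] end connection 203.0.113.5:49812 (2 connections now open)
2018-12-28T11:40:17.330+0000 I NETWORK  [listener] connection accepted from 198.51.100.77:37710 #57 (3 connections now open)
2018-12-28T11:40:17.351+0000 I NETWORK  [conn57] received client metadata from 198.51.100.77:37710 conn57: { driver: { name: "PyMongo", version: "3.7.2" }, os: { type: "Linux" }, platform: "CPython 3.6.7" }
2018-12-28T11:40:18.207+0000 I COMMAND  [conn57] command admin.$cmd command: listDatabases { listDatabases: 1 } numYields:0 reslen:512 locks:{} protocol:op_msg 140ms
2018-12-28T11:41:02.519+0000 I COMMAND  [conn57] command resumes.cv command: getMore { getMore: 7123486552, collection: "cv", batchSize: 5000 } cursorid:7123486552 numYields:3 nreturned:5000 reslen:5242880 locks:{} protocol:op_msg 210ms
2018-12-28T12:02:11.004+0000 I NETWORK  [listener] connection accepted from 10.0.3.12:51200 #58 (4 connections now open)
2018-12-28T12:02:11.009+0000 I NETWORK  [conn58] received client metadata from 10.0.3.12:51200 conn58: { driver: { name: "nodejs", version: "3.1.10" }, os: { type: "Linux" } }
2018-12-28T12:02:11.400+0000 I COMMAND  [conn58] command resumes.cv command: insert { insert: "cv", ordered: true } ninserted:250 numYields:0 reslen:45 locks:{} protocol:op_msg 88ms
"""

READ_OPS = {"find", "getMore", "aggregate", "count", "distinct", "listDatabases", "listCollections", "listIndexes"}
# Explicit RFC 1918 / loopback / link-local ranges: ipaddress.is_private also treats the
# documentation ranges used above as private, which would hide the external readers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                  "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

ACCEPT_RE = re.compile(r"^(?P<ts>\S+) I NETWORK\s+\[listener\] connection accepted from "
                       r"(?P<ip>\[[^\]]+\]|[^\s:]+):(?P<port>\d+) #(?P<conn>\d+)")
META_RE = re.compile(r"^(?P<ts>\S+) I NETWORK\s+\[conn(?P<conn>\d+)\] received client metadata from \S+ conn\d+: (?P<meta>.+)$")
CMD_RE = re.compile(r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] command (?P<ns>\S+) command: (?P<op>\w+) (?P<rest>.*)$")
END_RE = re.compile(r"^(?P<ts>\S+) I NETWORK\s+\[conn(?P<conn>\d+)\] end connection")
NRET_RE, RESLEN_RE, MS_RE = re.compile(r"\bnreturned:(\d+)"), re.compile(r"\breslen:(\d+)"), re.compile(r"(\d+)ms$")
APP_RE = re.compile(r'application: \{ name: "([^"]+)"')
DRIVER_RE = re.compile(r'driver: \{ name: "([^"]+)", version: "([^"]+)"')


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_mongod_log(text):
    """Connection number -> {ip, port, opened, closed, client, ops[]} from the text log."""
    conns = {}
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            conns[m["conn"]] = {"ip": m["ip"].strip("[]"), "port": int(m["port"]), "opened": m["ts"],
                                "closed": None, "client": "unknown", "ops": []}
            continue
        m = META_RE.match(line)
        if m and m["conn"] in conns:
            app, drv = APP_RE.search(m["meta"]), DRIVER_RE.search(m["meta"])
            parts = ([app.group(1)] if app else []) + ([f"{drv.group(1)} {drv.group(2)}"] if drv else [])
            conns[m["conn"]]["client"] = " / ".join(parts) or "unknown"
            continue
        m = CMD_RE.match(line)
        if m and m["conn"] in conns:
            rest = m["rest"]
            nret, reslen, ms = NRET_RE.search(rest), RESLEN_RE.search(rest), MS_RE.search(rest)
            conns[m["conn"]]["ops"].append({"ts": m["ts"], "ns": m["ns"], "op": m["op"],
                                            "nreturned": int(nret.group(1)) if nret else 0,
                                            "reslen": int(reslen.group(1)) if reslen else 0,
                                            "ms": int(ms.group(1)) if ms else 0})
            continue
        m = END_RE.match(line)
        if m and m["conn"] in conns:
            conns[m["conn"]]["closed"] = m["ts"]
    return conns


def summarize_by_ip(conns):
    """Per remote IP: connection count, clients, namespaces, op counts, documents and bytes returned."""
    out = {}
    for c in conns.values():
        s = out.setdefault(c["ip"], {"external": not is_internal(c["ip"]), "connections": 0, "clients": set(),
                                     "namespaces": set(), "ops": Counter(), "docs_returned": 0, "bytes_returned": 0,
                                     "first_seen": c["opened"], "last_seen": c["closed"] or c["opened"]})
        s["connections"] += 1
        s["clients"].add(c["client"])
        s["first_seen"] = min(s["first_seen"], c["opened"])
        s["last_seen"] = max(s["last_seen"], c["closed"] or c["opened"])
        for op in c["ops"]:
            s["namespaces"].add(op["ns"])
            s["ops"][op["op"]] += 1
            s["docs_returned"] += op["nreturned"]
            s["bytes_returned"] += op["reslen"]
    return out


def external_readers(summary):
    """IPs outside the internal ranges that ran at least one read-type command."""
    return sorted(ip for ip, s in summary.items() if s["external"] and any(op in READ_OPS for op in s["ops"]))


if __name__ == "__main__":
    summary = summarize_by_ip(parse_mongod_log(SAMPLE_LOG))
    for ip in external_readers(summary):
        s = summary[ip]
        print(f"{ip}: {s['connections']} conn(s), {', '.join(sorted(s['clients']))}, "
              f"{dict(s['ops'])}, {s['docs_returned']} docs / {s['bytes_returned']} bytes, "
              f"{s['first_seen']} .. {s['last_seen']}")
```

Two caveats a practitioner should keep in mind. At default verbosity mongod only logs commands slower than `slowms` (100 ms), so a connection with no command lines is not proof that nothing was read; enable the profiler or raise the COMMAND log verbosity if you need a complete record. And the fix for the exposure itself lives in mongod.conf, not in the log: `security.authorization: enabled` and a `net.bindIp` that does not include the public interface.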

Source: No more privacy: 202 Million private resumes exposed – HackenProof Blog

A neural network can learn to organize the world it sees into concepts and MIT has found a way to show how it’s doing it

As good as they are at causing mischief, researchers from the MIT-IBM Watson AI Lab realized GANs are also a powerful tool: because they paint what they’re “thinking,” they could give humans insight into how neural networks learn and reason. This has been something the broader research community has sought for a long time—and it’s become more important with our increasing reliance on algorithms.

“There’s a chance for us to learn what a network knows from trying to re-create the visual world,” says David Bau, an MIT PhD student who worked on the project.

So the researchers began probing a GAN’s learning mechanics by feeding it various photos of scenery—trees, grass, buildings, and sky. They wanted to see whether it would learn to organize the pixels into sensible groups without being explicitly told how.

Stunningly, over time, it did. By turning “on” and “off” various “neurons” and asking the GAN to paint what it thought, the researchers found distinct neuron clusters that had learned to represent a tree, for example. Other clusters represented grass, while still others represented walls or doors. In other words, it had managed to group tree pixels with tree pixels and door pixels with door pixels regardless of how these objects changed color from photo to photo in the training set.

The GAN knows not to paint any doors in the sky.

MIT Computer Science & Artificial Intelligence Laboratory

“These GANs are learning concepts very closely reminiscent of concepts that humans have given words to,” says Bau.

Not only that, but the GAN seemed to know what kind of door to paint depending on the type of wall pictured in an image. It would paint a Georgian-style door on a brick building with Georgian architecture, or a stone door on a Gothic building. It also refused to paint any doors on a piece of sky. Without being told, the GAN had somehow grasped certain unspoken truths about the world.

This was a big revelation for the research team. “There are certain aspects of common sense that are emerging,” says Bau. “It’s been unclear before now whether there was any way of learning this kind of thing [through deep learning].” That it is possible suggests that deep learning can get us closer to how our brains work than we previously thought—though that’s still nowhere near any form of human-level intelligence.

Other research groups have begun to find similar learning behaviors in networks handling other types of data, according to Bau. In language research, for example, people have found neuron clusters for plural words and gender pronouns.

Being able to identify which clusters correspond to which concepts makes it possible to control the neural network’s output. Bau’s group can turn on just the tree neurons, for example, to make the GAN paint trees, or turn on just the door neurons to make it paint doors. Language networks, similarly, can be manipulated to change their output—say, to swap the gender of the pronouns while translating from one language to another. “We’re starting to enable the ability for a person to do interventions to cause different outputs,” Bau says.

The team has now released an app called GANpaint that turns this newfound ability into an artistic tool. It allows you to turn on specific neuron clusters to paint scenes of buildings in grassy fields with lots of doors. Beyond its silliness as a playful outlet, it also speaks to the greater potential of this research.

“The problem with AI is that in asking it to do a task for you, you’re giving it an enormous amount of trust,” says Bau. “You give it your input, it does its ‘genius’ thinking, and it gives you some output. Even if you had a human expert who is super smart, that’s not how you’d want to work with them either.”

With GANpaint, you begin to peel back the lid on the black box and establish some kind of relationship. “You can figure out what happens if you do this, or what happens if you do that,” says Hendrik Strobelt, the creator of the app. “As soon as you can play with this stuff, you gain more trust in its capabilities and also its boundaries.”

Source: A neural network can learn to organize the world it sees into concepts—just like we do – MIT Technology Review

GPU Accelerated Realtime Skin Smoothing Algorithms Make Actors Look Perfect

A recent Guardian article about the need for actors and celebrities — male and female — to look their best in a high-definition media world ended on the note that several low-profile Los Angeles VFX outfits specialize in “beautifying actors” in movies, TV shows and video ads. They reportedly use a software named “Beauty Box,” resulting in films and other motion content that are — for lack of a better term — “motion Photoshopped.” After some investigating, it turns out that “Beauty Box” is a sophisticated CUDA and OpenGL accelerated skin-smoothing plugin for many popular video production software that not only smooths even terribly rough or wrinkly looking skin effectively, but also suppresses skin spots, blemishes, scars, acne or freckles in realtime, or near realtime, using the video processing capabilities of modern GPUs.

The product’s short demo reel is here with a few examples. Everybody knows about photoshopped celebrities in an Instagram world, and in the print magazine world that came long before it, but far fewer people seem to realize that the near-perfect actor, celebrity, or model skin you see in high-budget productions is often the result of “digital makeup” — if you were to stand next to the person being filmed in real life, you’d see far more ordinary or aged skin from the near-perfection that is visible on the big screen or little screen. The fact that the algorithms are realtime capable also means that they may already be being used for live television broadcasts without anyone noticing, particularly in HD and 4K resolution broadcasts. The question, as was the case with photoshopped magazine fashion models 25 years ago, is whether the technology creates an unrealistic expectation of having to have “perfectly smooth looking” skin to look attractive, particularly in people who are past their teenage years.

Source: GPU Accelerated Realtime Skin Smoothing Algorithms Make Actors Look Perfect – Slashdot

If by perfect you mean it looks like it was shot in a soft-porn, out-of-focus kind of way – but it’s pretty creepy

Amazon’s Ring Security Cameras Allow Anyone to Watch Easily – And They Do!

But for some who’ve welcomed in Amazon’s Ring security cameras, there have been more than just algorithms watching through the lens, according to sources alarmed by Ring’s dismal privacy practices.

Ring has a history of lax, sloppy oversight when it comes to deciding who has access to some of the most precious, intimate data belonging to any person: a live, high-definition feed from around — and perhaps inside — their house. The company has marketed its line of miniature cameras, designed to be mounted as doorbells, in garages, and on bookshelves, not only as a means of keeping tabs on your home while you’re away, but of creating a sort of privatized neighborhood watch, a constellation of overlapping camera feeds that will help police detect and apprehend burglars (and worse) as they approach. “Our mission to reduce crime in neighborhoods has been at the core of everything we do at Ring,” founder and CEO Jamie Siminoff wrote last spring to commemorate the company’s reported $1 billion acquisition payday from Amazon, a company with its own recent history of troubling facial recognition practices. The marketing is working; Ring is a consumer hit and a press darling.

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click. The Information, which has aggressively covered Ring’s security lapses, reported on these practices last month.

At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s “sense that encryption would make the company less valuable,” owing to the expense of implementing encryption and lost revenue opportunities due to restricted access. The Ukraine team was also provided with a corresponding database that linked each specific video file to corresponding specific Ring customers.

“If [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.”

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home.

Source: For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching

Netflix password sharing may soon be impossible due to new AI tracking

A video software firm has come up with a way to prevent people from sharing their account details for Netflix and other streaming services with friends and family members.

UK-based Synamedia unveiled the artificial intelligence software at the CES 2019 technology trade show in Las Vegas, claiming it could save the streaming industry billions of dollars over the next few years.

Casual password sharing is practised by more than a quarter of millennials, according to figures from market research company Magid.

Separate figures from research firm Parks Associates predict that by $9.9 billion (£7.7bn) of pay-TV revenues and $1.2 billion of revenue from subscription-based streaming services will be lost to credential sharing each year.

The AI system developed by Synamedia uses machine learning to analyse account activity and recognise unusual patterns, such as account details being used in two locations within similar time periods.

The idea is to spot instances of customers sharing their account credentials illegally and offer them a premium shared account service that will authorise a limited level of password sharing.

“Casual credentials sharing is becoming too expensive to ignore. Our new solution gives operators the ability to take action,” said Jean Marc Racine, Synamedia’s chief product officer.

“Many casual users will be happy to pay an additional fee for a premium, shared service with a greater number of concurrent users. It’s a great way to keep honest people honest while benefiting from an incremental revenue stream.”

Source: Netflix password sharing may soon be impossible due to new AI tracking | The Independent

I like the “keeping honest people honest” bit instead of “money grubbing firms richer”
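The one concrete signal the article gives is “account details being used in two locations within similar time periods”. The usual way to turn that into a detection rule is an “impossible travel” check: sort each account’s sessions by time, compute the great-circle distance between consecutive sessions, and flag pairs that would require travelling faster than a commercial flight. The block below is an added example of that rule, not Synamedia’s code (their model is not described on the page); the session data, the 900 km/h ceiling and the 50 km noise floor are constructed for illustration.

```python
"""Flag account sessions that imply implausible travel between locations.

Added example for the 'same account, two locations, similar time' signal the
article describes; it is not Synamedia's code and uses constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Session:
    account: str
    start: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    account: str
    previous: Session
    current: Session
    distance_km: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(sessions, max_speed_kmh=900.0, min_distance_km=50.0):
    """Return one Alert per pair of consecutive sessions on the same account
    that would require travelling faster than max_speed_kmh.

    Pairs closer than min_distance_km are ignored: IP geolocation jitter,
    carrier-grade NAT and a household's own devices all land inside that
    radius and are not evidence of sharing. A zero time gap with a large
    distance (two concurrent sessions) counts as infinite speed and is flagged.
    """
    by_account = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    alerts = []
    for account, items in by_account.items():
        items.sort(key=lambda s: s.start)
        for prev, cur in zip(items, items[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            hours = (cur.start - prev.start).total_seconds() / 3600.0
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append(Alert(account, prev, cur, dist, speed))
    return alerts


# Constructed sample: one evening of streaming sessions (account, start, lat, lon)
T0 = datetime(2019, 1, 8, 20, 0)
SAMPLE_SESSIONS = [
    Session("alice", T0, 51.5074, -0.1278),                          # London
    Session("alice", T0 + timedelta(minutes=30), 51.5100, -0.1200),  # London, second device
    Session("alice", T0 + timedelta(hours=1), -33.8688, 151.2093),   # Sydney one hour later
    Session("bob", T0, 52.5200, 13.4050),                            # Berlin
    Session("bob", T0 + timedelta(hours=3), 48.1351, 11.5820),       # Munich, plausible by train
    Session("carol", T0, 40.7128, -74.0060),                         # New York
    Session("carol", T0, 34.0522, -118.2437),                        # Los Angeles, same minute
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SESSIONS):
        gap = a.current.start - a.previous.start
        print(f"{a.account}: {a.distance_km:.0f} km in {gap} -> {a.speed_kmh:.0f} km/h")
```

Run as a script it reports alice (London to Sydney in an hour) and carol (two concurrent sessions on opposite coasts) and stays quiet about bob, whose Berlin-to-Munich gap is consistent with a train ride. The two thresholds are where the false-positive trade-off lives: the article's “premium shared account” upsell only makes sense if the rule is tuned to catch households across cities rather than one family's phones and TV.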

Modlishka allows for very easy phishing / MITM

You basically just put it on a local domain, point people there and it forwards the traffic up and down to the target website – so no templates, no warnings. It will also push through two-factor authentication requests and answers.

Modlishka is a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).

Enjoy 🙂

Features

Some of the most important ‘Modlishka’ features:

  • Support for majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain – in most cases, it will be handled automatically).
  • Full control of “cross” origin TLS traffic flow from your victims’ browsers.
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern based JavaScript payload injection.
  • Stripping website from all encryption and security headers (back to ’90s MITM style).
  • User credential harvesting (with context based on URL parameter passed identifiers).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users – ex. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta).
  • Written in Go.

https://github.com/drk1wi/Modlishka

In an email to ZDNet, Duszyński described Modlishka as a point-and-click and easy-to-automate system that requires minimal maintenance, unlike previous phishing toolkits used by other penetration testers.

“At the time when I started this project (which was in early 2018), my main goal was to write an easy to use tool, that would eliminate the need of preparing static webpage templates for every phishing campaign that I was carrying out,” the researcher told us.

“The approach of creating a universal and easy to automate reverse proxy, as a MITM actor, appeared to be the most natural direction. Despite some technical challenges, that emerged on this path, the overall result appeared to be really rewarding,” he added.

“The tool that I wrote is sort of a game changer, since it can be used as a ‘point and click’ proxy, that allows easy phishing campaign automation with full support of the 2FA (an exception to this is a U2F protocol based tokens – which is currently the only resilient second factor).

Source: ZDNet https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
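Duszyński’s remark that U2F tokens are “the only resilient second factor” comes down to origin binding, and it is worth seeing where that check actually sits. A reverse proxy can relay a one-time code because the code carries no information about which site the user typed it into; a U2F/WebAuthn assertion does. The browser, not the page, writes the page origin into the signed clientData, refuses to use a credential whose rpId does not match the page’s domain, and the relying party rejects any assertion whose origin or rpIdHash is not its own. The block below is an added example modelling those checks with a toy authenticator and relying party; it is not Modlishka’s code and not a real WebAuthn library. The authenticator’s ECDSA signature is replaced by an HMAC over the same bytes with a secret shared at registration, and the domains `bank.example` and `bank-example.test` are constructed.

```python
"""Origin binding in U2F/WebAuthn, shown with a toy relying party and authenticator.

Added example, not Modlishka's code and not a WebAuthn library. The ECDSA
signature is replaced by an HMAC with a per-rpId secret shared with the relying
party, which is enough to show where each check lives. Domains are constructed.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                      # constructed relying-party id
RP_ORIGIN = "https://bank.example"          # the only origin the RP accepts
PROXY_ORIGIN = "https://bank-example.test"  # hypothetical look-alike proxy origin


def origin_host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Holds one credential secret per rpId, created at registration."""

    def __init__(self):
        self._credentials = {}

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # real WebAuthn hands the RP a public key instead

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        if rp_id not in self._credentials:
            raise LookupError("no credential registered for rpId %r" % rp_id)
        # authenticatorData = sha256(rpId) || flags (0x01 = user present)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self._credentials[rp_id], signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data_json,
                "authenticatorData": auth_data, "signature": sig}


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str) -> dict:
    """What the browser does for navigator.credentials.get(): it fills in the
    page origin itself (script cannot override it) and refuses an rpId that is
    not a registrable suffix of the page's domain (modelled as a suffix test)."""
    host = origin_host(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId %r not valid for origin %r" % (rp_id, page_origin))
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return auth.get_assertion(rp_id, json.dumps(client_data, sort_keys=True).encode())


def rp_verify(secret: bytes, expected_challenge: str, assertion: dict) -> tuple:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %s" % cd.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(auth, secret):
    challenge = secrets.token_urlsafe(16)
    return rp_verify(secret, challenge, browser_get(auth, RP_ORIGIN, RP_ID, challenge))


def proxied_login(auth, secret):
    """User is on the proxy origin; the proxy relays the RP's genuine challenge."""
    challenge = secrets.token_urlsafe(16)
    try:
        assertion = browser_get(auth, PROXY_ORIGIN, RP_ID, challenge)
    except PermissionError as e:
        return False, "browser refused: %s" % e
    return rp_verify(secret, challenge, assertion)


def proxied_login_without_browser_check(auth, secret):
    """Defence in depth: even if the browser-side rpId rule were skipped, the
    origin the browser wrote into clientData still fails RP verification."""
    challenge = secrets.token_urlsafe(16)
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": PROXY_ORIGIN}
    assertion = auth.get_assertion(RP_ID, json.dumps(client_data, sort_keys=True).encode())
    return rp_verify(secret, challenge, assertion)


def demo():
    auth = Authenticator()
    secret = auth.register(RP_ID)
    return {"legitimate": legitimate_login(auth, secret),
            "proxied": proxied_login(auth, secret),
            "proxied_no_browser_check": proxied_login_without_browser_check(auth, secret)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The relayed challenge is genuine and the token really signs it, so the defence is not secrecy of the challenge but the fact that the signed bytes name an origin the relying party never issued. This is also why the proxy cannot simply rewrite the rpId in the page’s JavaScript: the authenticator has no credential for the look-alike domain, and if it did, the rpIdHash would not match the real site’s.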

Y’know how you might look at someone and can’t help but wonder if they have a genetic disorder? We’ve taught AI to do the same

Artificial intelligence can potentially identify someone’s genetic disorders by inspecting a picture of their face, according to a paper published in Nature Medicine this week.

The tech relies on the fact some genetic conditions impact not just a person’s health, mental function, and behaviour, but sometimes are accompanied with distinct facial characteristics. For example, people with Down Syndrome are more likely to have angled eyes, a flatter nose and head, or abnormally shaped teeth. Other disorders like Noonan Syndrome are distinguished by having a wide forehead, a large gap between the eyes, or a small jaw. You get the idea.

An international group of researchers, led by US-based FDNA, turned to machine-learning software to study genetic mutations, and believe that machines can help doctors diagnose patients with genetic disorders using their headshots.

The team used 17,106 faces to train a convolutional neural network (CNN), commonly used in computer vision tasks, to screen for 216 genetic syndromes. The images were obtained from two sources: publicly available medical reference libraries, and snaps submitted by users of a smartphone app called Face2Gene, developed by FDNA.

Given an image, the system, dubbed DeepGestalt, studies a person’s face to make a note of the size and shape of their eyes, nose, and mouth. Next, the face is split into regions, and each piece is fed into the CNN. The pixels in each region of the face are represented as vectors and mapped to a set of features that are commonly associated with the genetic disorders learned by the neural network during its training process.

DeepGestalt then assigns a score per syndrome for each region, and collects these results to compile a list of its top 10 genetic disorder guesses from that submitted face.


An example of how DeepGestalt works. First, the input image is analysed using landmarks and sectioned into different regions before the system spits out its top 10 predictions. Image credit: Nature and Gurovich et al.

The first answer is the genetic disorder DeepGestalt believes the patient is most likely affected by, all the way down to its tenth answer, which is the tenth most likely disorder.

When it was tested on two independent datasets, the system accurately guessed the correct genetic disorder among its top 10 suggestions around 90 per cent of the time. At first glance, the results seem promising. The paper also mentions DeepGestalt “outperformed clinicians in three initial experiments, two with the goal of distinguishing subjects with a target syndrome from other syndromes, and one of separating different genetic subtypes in Noonan Syndrome.”

There’s always a but

A closer look, though, reveals that the lofty claims involve training and testing the system on limited datasets – in other words, if you stray outside the software’s comfort zone, and show it unfamiliar faces, it probably won’t perform that well. The authors admit previous similar studies “have used small-scale data for training, typically up to 200 images, which are small for deep-learning models.” Although they use a total of more than 17,000 training images, when spread across 216 genetic syndromes, the training dataset for each one ends up being pretty small.

For example, the model that examined Noonan Syndrome was only trained on 278 images. The datasets DeepGestalt was tested against were similarly small. One only contained 502 patient images, and the other 392.

Source: Y’know how you might look at someone and can’t help but wonder if they have a genetic disorder? We’ve taught AI to do the same • The Register

Professor exposing unethical academic publishing is being sued by university in childish discrediting counterclaims of being unethical for showing unethical behaviour

The three authors, who describe themselves as leftists, spent 10 months writing 20 hoax papers they submitted to reputable journals in gender, race, sexuality, and related fields. Seven were accepted, four were published online, and three were in the process of being published when questions raised in October by a skeptical Wall Street Journal editorial writer forced them to halt their project.

One of their papers, about canine rape culture in dog parks in Portland, Ore., was initially recognized for excellence by the journal Gender, Place, and Culture, the authors reported.

The hoax was dubbed “Sokal Squared,” after a similar stunt pulled in 1996 by Alan Sokal, then a physicist at New York University.

After their ruse was revealed, the three authors described their project in an October article in the webzine Areo, which Pluckrose edits. Their goal, they wrote, was “to study, understand, and expose the reality of grievance studies, which is corrupting academic research.” They contend that scholarship that tends to social grievances now dominates some fields, where students and others are bullied into adhering to scholars’ worldviews, while lax publishing standards allow the publication of clearly ludicrous articles if the topic is politically fashionable.

[…]

In November the investigating committee reported that the dog-park article contained knowingly fabricated data and thus constituted research misconduct. The review board also determined that the hoax project met the definition for human-subjects research because it involved interacting with journal editors and reviewers. Any research involving human subjects (even duped journal editors, apparently) needs IRB approval first, according to university policy.

“Your efforts to conduct human-subjects research at PSU without a submitted nor approved protocol is a clear violation of the policies of your employer,” McLellan wrote in an email to Boghossian.

The decision to move ahead with disciplinary action came after a group of faculty members published a letter in the student newspaper decrying the hoax as “lies peddled to journals, masquerading as articles.” These “lies” are designed “not to critique, educate, or inspire change in flawed systems,” they wrote, “but rather to humiliate entire fields while the authors gin up publicity for themselves without having made any scholarly contributions whatsoever.” Such behavior, they wrote, hurts the reputations of the university as well as honest scholars who work there. “Worse yet, it jeopardizes the students’ reputations, as their degrees in the process may become devalued.”

[…]

Meanwhile, within the first 24 hours of news leaking about the proceedings against him, more than 100 scholars had written letters defending Boghossian, according to his media site, which posted some of them.

Steven Pinker, a professor of psychology at Harvard University, was among the high-profile scholars who defended him. “Criticism and open debate are the lifeblood of academia; they are what differentiate universities from organs of dogma and propaganda,” Pinker wrote. “If scholars feel they have been subject to unfair criticism, they should explain why they think the critic is wrong. It should be beneath them to try to punish and silence him.”

Richard Dawkins, an evolutionary biologist, author, and professor emeritus at the University of Oxford, had this to say: “If the members of your committee of inquiry object to the very idea of satire as a form of creative expression, they should come out honestly and say so. But to pretend that this is a matter of publishing false data is so obviously ridiculous that one cannot help suspecting an ulterior motive.”

Sokal, who is now at University College London, wrote that Boghossian’s hoax had served the public interest and that the university would become a “laughingstock” in academe as well as the public sphere if it insisted that duping editors constituted research on human subjects.

One of Boghossian’s co-authors, Lindsay, urged him in the video they posted to emphasize that the project amounted to an audit of certain sectors of academic research. “People inside the system aren’t allowed to question the system? What kind of Orwellian stuff is that?” Lindsay asked.

Source: Proceedings Start Against ‘Sokal Squared’ Hoax Professor – The Chronicle of Higher Education

Pots and kettles? I think it’s just the American way of getting back at someone who has made you blush – destroy at all costs!

T-Mobile, Sprint, and AT&T Are Selling Customers’ Real-Time Location Data, And It’s Falling Into the Wrong Hands

Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States.

The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres.

Queens, New York. More specifically, the screenshot showed a location in a particular neighborhood—just a couple of blocks from where the target was. The hunter had found the phone (the target gave their consent to Motherboard to be tracked via their T-Mobile phone.)

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

Whereas it’s common knowledge that law enforcement agencies can track phones with a warrant to service providers, IMSI catchers, or until recently via other companies that sell location data such as one called Securus, at least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard. Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt’s knowledge.

Source: T-Mobile, Sprint, and AT&T Are Selling Customers’ Real-Time Location Data, And It’s Falling Into the Wrong Hands

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

Among the 49 bug fixes were patches for remote code execution flaws in DHCP (CVE-2019-0547) and an Exchange memory corruption flaw (CVE-2019-0586) that Trend Micro ZDI researcher Dustin Childs warns is particularly dangerous as it can be exploited simply by sending an email to a vulnerable server.

“That’s a bit of a problem, as receiving emails is a big part of what Exchange is meant to do,” Childs explained.

“Microsoft lists this as Important in severity, but taking over an Exchange server by simply sending it an email puts this in the Critical category to me. If you use Exchange, definitely put this high on your test and deploy list.”

Source: Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing) • The Register

Millions of Americans Are Wrong About Having a Food Allergy: about 1/2 who think they have don’t, but have never seen a doc about it

Millions of Americans might be mistaken about their self-professed food allergy, suggests a new survey. It found that while nearly 20 percent of people said they had a food allergy, only half as many people reported the sort of symptoms you’d expect from eating something you’re allergic to.

Researchers surveyed more than 40,000 adults via the phone and internet between October 2015 and September 2016. The volunteers were asked if they had any food allergies and about what symptoms they typically had. They were also asked if they had ever been formally tested and diagnosed with a food allergy by a doctor.

All told, 19 percent of the nationally representative group reported having a food allergy. But only 10.8 percent said they had symptoms consistent with an allergic reaction to food, such as hives, swelling of the lips or throat, and chest pain. The main culprits behind these allergies were shellfish, milk, and tree nuts. Those who didn’t have a convincing food allergy instead reported symptoms like stomach cramps, a stuffy nose, or nausea.

The findings, published Friday in JAMA Network Open, roughly match up to estimates from other studies, including those that confirmed a person’s food allergy with testing or medical records. In terms of the U.S. population, the study estimates, there are about 26 million adult Americans with a food allergy—and there are likely nearly as many Americans who wrongly say they have one. But that doesn’t mean huge swaths of people are pretending to have food allergies; it’s just that we could be a little confused about the terminology.

True allergies, as they’re known, happen when the immune system overreacts very quickly and in a specific way to a foreign substance harmless to us, whether it’s food or a piece of clothing. The antibodies usually responsible for an allergic reaction are called immunoglobulin E, or IgE. When doctors test for allergies, it’s IgE antibodies they’re looking for. But people can react badly to food for other reasons outside of this process.

Lactose intolerance is probably the best known example of this, and it happens because many adults are less able to break down lactose, the sugar commonly found in dairy products, into simpler sugars. Another genetic condition, celiac disease, makes people unable to digest gluten. Some people also seem to have delayed immune reactions to food without IgE in the picture, though we’re less sure about how commonly this happens and how to accurately diagnose it. Many doctors, for instance, criticize tests that promise to find these so-called food sensitivities with ease.

It’s likely then, the researchers say, that people might be mixing up a food intolerance or sensitivity with a food allergy.

What’s also concerning is that many people with likely food allergies in their survey have seemingly never talked to a doctor about it. Only half of the group said they had an official diagnosis from a physician. And while many of us develop food allergies early on in childhood, just about half reported finding out about their allergy as adults.

Source: Millions of Americans Are Wrong About Having a Food Allergy, Study Suggests

Sony appears to be blocking Kodi on its recent Android TVs

For the unfamiliar, Kodi is an open source, cross-platform streaming and media player solution that allows you to access and play local, network, and remote content. The UI has been extensively optimized over the last 15 years since the XBMC days to provide one of the best big-screen experiences out there, and it’s been one of the most popular HTPC media playback applications for years.

The official Kodi project Twitter account pointed out Sony’s deficiency a couple of days ago, but reports on the Kodi forums of issues installing and running the app from the Play Store go even further back to last year. A handful of affected enthusiasts believe they have discovered the cause of the problem: Sony seems to be blocking the package ID for the app from being installed/run. Supporting this theory is the fact that recompiling the app from scratch with a different ID allows it to work.

Humorously enough, Samsung’s official US Twitter account has jumped on Sony’s snafu to encourage users to switch brands — unfortunately overlooking the fact that Samsung’s TVs don’t run Android TV, and can’t use the Android Kodi app without an external device. Even so, anything that increases the pressure against Sony for this consumer-unfriendly move is a good thing.

Source: Sony appears to be blocking Kodi on its recent Android TVs

Snips – a private, offline voice assistant

Snips is the first Voice Platform where you can build a Voice Assistant that is Private by Design.

Source: Snips — Using Voice to Make Technology Disappear

Which means, unlike Alexa or Google Home, your voice data doesn’t get listened to by the cloud, doesn’t get saved by strangers targeting advertising at you and works when the Cloud ™ goes down.

The homepage

If you don’t want to put together all the bits and bobs (Raspberry Pi, mic, speaker, etc) you can get the Seeed Voice Interaction Development Kit for $115 and satellites (which relay commands to your base kit) for $85,-

The Snips makers page is the starting point to join and see projects

They have an app store with loads of intents pre-programmed for you to install

This is a pretty good github page of awesome snips

An example including how to install from base on how to do a multiplication table game

Another example on how to integrate Sonos

The forum

And a telegram page

the Facebook page

It also integrates with home assistant

From Edgar BV Wiki

NSA to release a free reverse engineering tool GHIDRA

The US National Security Agency will release a free reverse engineering tool at the upcoming RSA security conference that will be held at the start of March, in San Francisco.

The software’s name is GHIDRA and in technical terms, is a disassembler, a piece of software that breaks down executable files into assembly code that can then be analyzed by humans.

The NSA developed GHIDRA at the start of the 2000s, and for the past few years, it’s been sharing it with other US government agencies that have cyber teams who need to look at the inner workings of malware strains or suspicious software.

GHIDRA’s existence was never a state secret, but the rest of the world learned about it in March 2017 when WikiLeaks published Vault7, a collection of internal documentation files that were allegedly stolen from the CIA’s internal network. Those documents showed that the CIA was one of the agencies that had access to the tool.

According to these documents, GHIDRA is coded in Java, has a graphical user interface (GUI), and works on Windows, Mac, and Linux.

GHIDRA can also analyze binaries for all major operating systems, such as Windows, Mac, Linux, Android, and iOS, and a modular architecture allows users to add packages in case they need extra features.

According to GHIDRA’s description in the RSA conference session intro, the tool “includes all the features expected in high-end commercial tools, with new and expanded functionality NSA uniquely developed.”

US government workers to whom ZDNet has spoken today said the tool is well-known and liked, and generally used by operators in defensive roles, who normally analyze malware found on government networks.

Some people who know and have used the tool and have shared opinions on social media, such as HackerNews, Reddit, and Twitter, have compared GHIDRA with IDA, a well-known reverse engineering tool, but also a very expensive one, with licenses priced in the range of thousands of dollars.

Most users say that GHIDRA is slower and buggier than IDA, but by open-sourcing it, the NSA will benefit from free maintenance from the open source community, allowing GHIDRA to quickly catch up and maybe surpass IDA.

The news of the NSA open-sourcing one of its internal tools should not surprise you. The NSA has open-sourced all sorts of tools over the past few years, with the most successful of them being Apache NiFi, a project for automating large data transfers between web apps, and which has become a favorite on the cloud computing scene.

In total, the NSA has open-sourced 32 projects as part of its Technology Transfer Program (TTP) so far and has most recently even opened an official GitHub account.

GHIDRA will be demoed at the RSA conference on March 5 and is expected to be released soon after on the agency’s Code page and GitHub account.

Source: NSA to release a free reverse engineering tool | ZDNet

A mathematical approach for understanding intra-plant communication

A team of researchers at the Gran Sasso Science Institute (GSSI) and Istituto Italiano di Tecnologia (IIT) have devised a mathematical approach for understanding intra-plant communication. In their paper, pre-published on bioRxiv, they propose a fully coupled system of non-linear, non-autonomous discontinuous and ordinary differential equations that can accurately describe the adapting behavior and growth of a single plant, by analyzing the main stimuli affecting plant behavior.

Recent studies have found that rather than being passive organisms, plants can actually exhibit complex behaviors in response to environmental stimuli, for instance, adapting their resource allocation, foraging strategies, and growth rates according to their surrounding environment. How plants process and manage this network of stimuli, however, is a complex biological question that remains unanswered.

Researchers have proposed several mathematical models to achieve a better understanding of plant behavior. Nonetheless, none of these models can effectively and clearly portray the complexity of the stimulus-signal-behavior chain in the context of a plant’s internal communication network.

Read more at: https://phys.org/news/2019-01-mathematical-approach-intra-plant.html#jCp

Source: A mathematical approach for understanding intra-plant communication

Can’t unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass

A newly disclosed vulnerability in Skype for Android could be exploited by miscreants to bypass an Android phone’s passcode screen to view photos, contacts, and even launch browser windows.

Bug-hunter Florian Kunushevci today told The Register the security flaw, which has been reported to Microsoft, allows the person in possession of someone’s phone to receive a Skype call, answer it without unlocking the handset, and then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone. This is handy for thieves, pranksters, prying partners, and so on. Here’s a video demonstrating the bypass…

Kunushevci, a 19-year-old bug researcher from Kosovo, said he was an everyday user of the Skype for Android app when he noticed that something appeared to be amiss with the way the VoIP app accessed files on the handset. Curious, he decided to put his white hat on, and take a closer look.

Source: Can’t unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass • The Register