Fresh efforts at Google to understand why an AI system says yes or no: Explainable AI product launches

Google has announced a new Explainable AI feature for its cloud platform, which provides more information about the features that cause an AI prediction to come up with its results.

Artificial neural networks, which are used by many of today’s machine learning and AI systems, are modelled to some extent on biological brains. One of the challenges with these systems is that as they have become larger and more complex, it has also become harder to see the exact reasons for specific predictions. Google’s white paper on the subject refers to “loss of debuggability and transparency”.

The uncertainty this introduces has serious consequences. It can disguise spurious correlations, where the system picks on an irrelevant or unintended feature in the training data. It also makes it hard to fix AI bias, where predictions are made based on features that are ethically unacceptable.

AI Explainability has not been invented by Google but is widely researched. The challenge is how to present the workings of an AI system in a form which is easily intelligible.

Google has come up with a set of three tools under this heading of “AI Explainability” that may help. The first and perhaps most important is AI Explanations, which lists features detected by the AI along with an attribution score showing how much each feature affected the prediction. In an example from the docs, a neural network predicts the duration of a bike ride based on weather data and previous ride information. The tool shows factors like temperature, day of week and start time, scored to show their influence on the prediction.

Scored attributions shown by the AI Explainability tool

In the case of images, an overlay shows which parts of the picture were the main factors in the classification of the image content.

There is also a What-If tool that lets you test model performance if you manipulate individual attributes, and a continuous evaluation tool that feeds sample results to human reviewers on a schedule to assist monitoring of results.

AI Explainability is useful for evaluating almost any model and near-essential for detecting bias, which Google considers part of its approach to responsible AI.

Source: Explain yourself, mister: Fresh efforts at Google to understand why an AI system says yes or no • The Register

Internet Society CEO: Most people don’t care about the .org sell-off. Grabbing money at the expense of non-profits is fine by everyone we didn’t consult or listen to their opinion.

El Reg has quizzed Andrew Sullivan, the president and CEO of the Internet Society (ISOC), about his organisation’s decision to sell the non-profit .org registry to private equity outfit Ethos Capital.

We have previously covered the controversy over the proposed sale, the continued failure of ISOC and DNS overseer ICANN to answer detailed questions, and efforts by both to push the deal forward even while opposition to it grows.

Your correspondent asked Sullivan whether he expected the amount of criticism from the internet community that has erupted in recent days.

“I did expect some people to be unhappy with the decision, I expected some pushback,” he told The Register, adding: “But the level of pushback has been very strong.”

He was aware, he says, that people would not like two key aspects of the decision: the move from a non-profit model to a for-profit one; and the lack of consultation. He had explanations ready for both: “The registry business is still a business, and this represented a really big opportunity, and one that is good for PIR [Public Interest Registry].”

As for the lack of consultation: “We didn’t go looking for this. If we had done that [consulted publicly about the sale of .org], the opportunity would have been lost. If we had done it in public, it would have created a lot of uncertainty without any benefit.”

Overblown

But when we pressed him on the fact that the concerns seem much deeper and broader than that – one ISOC Chapter has accused the organization of “severely harming” its reputation “by even contemplating this transaction” – he rejected the idea.

“I think claims that there has been an outpouring of support against the sale are overblown. If you look there is a relatively small number of people complaining. We may be overstating the feeling; most people haven’t noticed. Most people don’t care one way or another.”

It’s hard to simultaneously argue that there was no need for consultation and then claim that the lack of responses indicates implicit approval, we note. More importantly, though, what about the 10 million registrants of .org, the vast majority of which are unlikely to hear about the sale at all and who likely bought their .org domain precisely because it represented a non-profit ethos?

Source: Internet Society CEO: Most people don’t care about the .org sell-off – and nothing short of a court order will stop it • The Register

MarioNETte: with only a few pictures a human behind a webcam can “drive” the picture to copy facial expressions realistically

When there is a mismatch between the target identity and the driver identity, face reenactment suffers severe degradation in the quality of the result, especially in a few-shot setting. The identity preservation problem, where the model loses the detailed information of the target leading to a defective output, is the most common failure mode. The problem has several potential sources such as the identity of the driver leaking due to the identity mismatch, or dealing with unseen large poses. To overcome such problems, we introduce components that address the mentioned problem: image attention block, target feature alignment, and landmark transformer. Through attending and warping the relevant features, the proposed architecture, called MarioNETte, produces high-quality reenactments of unseen identities in a few-shot setting. In addition, the landmark transformer dramatically alleviates the identity preservation problem by isolating the expression geometry through landmark disentanglement. Comprehensive experiments are performed to verify that the proposed framework can generate highly realistic faces, outperforming all other baselines, even under a significant mismatch of facial characteristics between the target and the driver.

Source: MarioNETte: Few-shot Face Reenactment Preserving Identity of Unseen Targets

arXiv paper: MarioNETte: Few-shot Face Reenactment Preserving Identity of Unseen Targets

Bose customers beg for firmware ceasefire after headphones fall victim to another crap update which kills noise cancelling

Owners of Bose QuietComfort 35 headphones are still trying to get the company to either fix or roll back a firmware update that removed noise-cancelling functions from their over-ear gear.

The problems date back to July and some owners seem to have managed to get Bose to exchange their cans for the company’s shiny new 700 headphones.

We were contacted by a reader who was first given a set of version II headphones when his V1 set were borked. When the updated firmware borked them as well, he declined the offer of a replacement set and was given a pair of 700s. Firmware version 4.5.2 was fingered as the main culprit.

Like all Bose gear, the cans don’t come cheap – they’ll set you back £259.95 to be precise, or £349.95 for a pair of limited edition white 700s.

Pissed-off punters have filled a deafening 182 pages of Bose’s support forums with complaints.

One has even set up a Change.org petition to beg for a pause on firmware updates until a fix is found.

The main complaint is that Bose seems to be deaf to the problem and the easiest solution – to roll everyone back to the previous firmware and restore noise cancelling.

As of Thursday, Bose was claiming that new firmware is coming soon to solve the problem, a long five-month wait for angry customers.

We’ve contacted Bose’s UK PR again but don’t expect to hear back. The company kept very quiet when firmware updates stopped their TV soundbars making any sound.

We asked if the replacement policy was open to all customers worldwide – our contact is in Europe.

One poor punter on the forum is from Brazil and pointed out it was a long trip to his nearest Bose service centre – in Mexico.

Source: Bose customers beg for firmware ceasefire after headphones fall victim to another crap update • The Register

Princesses make terrible passwords – quite possibly the Disney+ hacks are related to this being your password.

If you used the same password for an account that was previously breached as you did for your Disney+ password, a bad actor could gain access. Furthermore, hackers with stolen datasets at their fingertips could easily filter on key terms to find the Disney fans. Just look how many times the 12 Disney princesses showed up in breached datasets, according to haveibeenpwned.com:

Then there are these terms that a dedicated Disney fan might choose in a moment of weakness:

Friends, it’s a whole new world out there. Data breaches happen, with data files swapped and sold in the dark corners of the web. No one knows how far it goes. That’s why good password habits are more important than ever, and you can’t let it go. Picking unique passwords for each account is one of the bare necessities of online life. It’s OK to admit that you need help, because when it comes to remembering passwords, who among us can snap our fingers and say “remember me.”

Source: Princesses make terrible passwords | The Firefox Frontier

Job loss predictions over rising minimum wages haven’t come true – Axios

Eighteen states rang in 2019 with minimum wage increases — some that will ultimately rise as high as $15 an hour — and so far, opponents’ dire predictions of job losses have not come true.

What it means: The data paint a clear picture: Higher minimum wage requirements haven’t reduced hiring in low-wage industries or overall.

State of play: Opponents have long argued that raising the minimum wage will cause workers to lose their jobs and prompt fast food chains (and other stores) to raise prices.

But job losses and price hikes haven’t been pronounced in the aftermath of a recent wave of city and state wage-boost laws.

  • And more economists are arguing that the link between minimum wage hikes and job losses was more hype than science.

What we’re hearing: “The minimum wage increase is not showing the detrimental effects people once would’ve predicted,” Diane Swonk, chief economist at international accounting firm Grant Thornton, tells Axios.

  • “A lot of what we’re seeing in politics is old economic ideology, not what economics is telling us today.”

[…]

Axios used Bureau of Labor Statistics data to compare job growth rates in four states with low minimum wages vs. eight states with high minimum wages:

  • Since 2016, when California became the first state to pass the $15 minimum wage law, all 12 states have seen growth in restaurant, bar and hotel jobs.
  • Three of the four states with job growth higher than the U.S. median have passed laws that will raise the state minimum wage to at least $13.50.
  • Three of the five states with the slowest job growth rates did not have a state minimum wage above the federal minimum of $7.25 an hour.
  • An outlier was Massachusetts, which had the slowest job growth in the sector and currently has the highest state minimum wage: $12 an hour.

The big picture: A number of peer-reviewed academic studies have found little to no impact on hiring as states and municipalities have raised the minimum wage.

  • Rather, such increases are likely to have increased hiring in the strong U.S. economy, Bill Spriggs, chief economist at labor union AFL-CIO, tells Axios.

Source: Job loss predictions over rising minimum wages haven’t come true – Axios

We are absolutely, definitively, completely and utterly out of IPv4 addresses, warns RIPE

It happened four years ago. And again two years ago. And last year. But this time, on November 25, 2019, we have finally, finally, finally run out of IPv4 addresses.

That’s according to RIPE, Europe’s regional internet registry, which announced on Monday “we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses.”

That’s not to be confused with the time in April 2018 when RIPE announced it had allocated its last /8 block. Or six years earlier than that when RIPE said it had run out of IPv4 addresses. Because this time, it really has run out. No more IPv4 addresses ever.

Well, except for those that it “will continue to recover… from organizations that have gone out of business or are closed, or from networks that return addresses they no longer need.” There is a waiting list for that however.

What the hell is going on? Do we have IPv4 addresses or not?

Well, yes and no. We are all using them as we speak. And engineers will continue to figure out ways of making what we have work for them. And blocks continue to crop up when old businesses die and sell them off. And then there’s the growing grey market in IPv4 sales.

Source: We are absolutely, definitively, completely and utterly out of IPv4 addresses, warns RIPE • The Register

Elon Musk Explains Why Tesla’s Cybertruck Windows Smashed During Presentation

When Elon Musk unveiled the Tesla Cybertruck last week, things didn’t go according to plan when lead designer Franz von Holzhausen tested the durability of the Cybertruck’s “armor glass.” He managed to smash two of the vehicle’s windows onstage with a metal ball, soon after smacking the door with a sledgehammer (unlike the glass, it was fine). We have now learned that, according to Musk, it was this sledgehammer impact that damaged the glass, which is why the windows subsequently smashed when hit by the ball. The Verge reports: This seems plausible, especially as Musk also shared a slow motion video of von Holzhausen performing the same exact test before the event, with the ball bouncing harmlessly off the window. The combined impacts likely weakened the glass, setting the stage for the eventual smash. (Though why the back window broke as well isn’t clear: the passenger door didn’t get whomped by the sledgehammer.) At any rate, the smashed glass was just one moment in an event which gave viewers plenty to talk about without the on-stage mishaps. The divisive design and impressive specs of the Cybertruck have caught the world’s attention, and since the unveiling Musk has been drip-feeding bits of information on Twitter to keep people engaged.

Source: Elon Musk Explains Why Tesla’s Cybertruck Windows Smashed During Presentation – Slashdot

.org being sold off to the richest people in the world and an ex-CEO in a massive money grab, harming non-profits in the process.

This past weekend, the board of the organization that is selling the rights to .org, and which will likely make $1bn or more from the sale, the Internet Society, met. On both the Saturday and Sunday, the proposed sale was a key topic of conversation. It has yet to provide any details on what was discussed or decided.

The same cannot be said for those opposed to the deal.

One of the earliest indicators that the deal was going to meet a very different response from the internet community than the Internet Society (ISOC) expected came in the form of an article written by one person who has set up and run their own registry.

Co-founder of the .eco top-level domain Jacob Malthouse wrote an impassioned plea online that began, “I woke up this morning feeling a profound sense of loss.” An environmental campaigner as well as a former staffer of ICANN, Malthouse compared the sale of the .org registry to the paving over of forests.

The proudly non-profit .org registry, that had for years sold its domains for just $1 to non-profits in developing countries, is “our Yosemite,” Malthouse opined, referring to America’s world-famous national park. In selling it to a for-profit private equity firm, he argued, “we’ve lost more than a digital Yosemite. We’ve lost our principles. We can do better. The millions of nonprofits who rely on .org deserve better.”

That sentiment was quickly echoed in the broader internet industry community, which, even in the era of Twitter, Facebook and Instagram, continues to rely on mailing lists as its main form of communication.

Both ICANN and ISOC are member-based organizations and, theoretically at least, give as equal a voice to ordinary netizens as to the corporations that make billions a year from the sale and resale of internet addresses.

[…]

As we reported last week, the situation is especially fraught due to two additional factors. The first is that the offer to sell the rights to .org only came about because ICANN had approved the lifting of longstanding price caps on .org domains just months earlier.

The price of .org domains has been limited to an increase of 10 per cent per year since it was first handed over to the non-profit PIR in 2003. The request to remove those price caps entirely received an extraordinary response – more than 3,200 comments in a process that rarely elicits more than 50 – and a stark 98 per cent of those comments were opposed to the idea.

Approved

And yet ICANN approved the change, along with a 10-year contract extension, in an unannounced staff decision that some called a “sham” and others claimed was a sign that the organization was subject to regulatory capture.

Then came the news that ISOC had decided to sell the registry to Ethos Capital, an unknown private equity firm that had been established only months earlier.

That is where the second factor comes in. It quickly became apparent that Ethos Capital was likely the brainchild of a former CEO of ICANN, Fadi Chehade, who had been largely responsible for pushing free-market economics into the internet registry market and now appeared to be using that knowledge to profit from one of its oldest institutions.

[…]

who is funding the purchase of .org? – has been a key one. And in response to repeat questions from his community, the CEO of ISOC Andrew Sullivan provided an answer on a closed ISOC members mailing list.

The response shocked as many people as the initial sale announcement: the bulk of the money would come from the investment vehicles of renowned US Republican billionaires: Perot Holdings, tied to former presidential candidate Ross Perot; FMR LLC, closely associated with the Johnson family, one of the Republican Party’s biggest backers; and Solamere Capital, tied to Republican senator Mitt Romney.

Everything must go

To some, the fact that the .org registry was being sold to the richest men in the United States who would then profit from non-profit organizations was doubly insulting.

After its board meeting ended on Sunday, ISOC published an information website about the sale on a separate website: Key Points About.org.

The site contains two pieces of information that had not previously been shared with The Register and the community: the connection between former ICANN CEO Chehade and Ethos Capital, and a support quote from ISOC president, former ICANN chair and revered internet figure Vint Cerf.

[…]

Asked on the ISOC members list about the risks of .org domain holders facing domain prices of as much as $60 a year, Cerf surprised many when he responded: “Hard to imagine that $60/year would be a deal breaker for even small non-profits.”

Trust and wealth

That comment prompted Malthouse to point out that $60 is the equivalent of two weeks’ wages in sub-Saharan Africa, where a large number of non-profits rely on their internet presence for awareness of their efforts.

[…]

A coalition of 27 high-profile non-profits, including the Electronic Frontier Foundation (EFF), National Council of Nonprofits, YMCA, Free Software Foundation (FSF), Girl Scouts of the USA, Internet Archive, and Wikimedia Foundation, have signed a letter to ICANN urging it to stop the sale and launched a petition site that, at the time of writing, has over 7,000 supporters.

The letter warns that the sale could “do significant harm to the global NGO sector,” and that Ethos Capital “has not earned the trust of the NGO community.”

While the idea of “trust” may seem unusual in the context of internet addresses, it also underscores the growing anger being directed at those on the boards of both ICANN and ISOC that the internet community feels are supposed to protect ordinary users from the profit-making imperatives of large corporations and corporate raiders.

Source: As pressure builds over .org sell-off, internet governance orgs fall back into familiar pattern: Silence • The Register

NextCry Ransomware Targets NextCloud Linux Servers and Remains Undetected

The ransom note that NextCry victims receive reads “READ_FOR_DECRYPT”, and demands 0.025 BTC for a victim’s files to be unlocked.

One NextCloud user, xact64, shared his experience with the malware on a Bleeping Computer forum in an effort to find a way to decrypt personal files which had been instantaneously locked in a NextCry attack: “I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted).” He added, “I have my own Linux server (an old thin client I gave a second life) with NGINX reverse-proxy.”

This statement provides insight into how hackers may have been able to access his system. On October 24, NextCloud disclosed a remote code execution vulnerability (CVE-2019-11043) which has been exploited to compromise servers with the default Nextcloud NGINX configuration.

NextCloud recommends that administrators upgrade their PHP packages and NGINX configuration file to the latest version to protect against NextCry attacks.

Source: NextCry Ransomware Targets NextCloud Linux Servers and Remains Undetected

Bad news: ‘Unblockable’ web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much

Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today’s blocking techniques.

A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.

The tracker relies on DNS queries to get past browser defenses, so some form of domain-name look-up filtering could thwart this snooping. As far as netizens armed with just their browser and a regular old content-blocker plugin are concerned, this tracker can sneak by unnoticed. It can be potentially used by advertising and analytics networks to fingerprint netizens as they browse through the web, and silently build up profiles of their interests and keep count of pages they visit.

And, interestingly enough, it’s seemingly a result of an arms race between browser makers and ad-tech outfits as they battle over first and third-party cookies.

[…]

Many marketers, keen on maintaining their tracking and data collection capabilities, have turned to a technique called DNS delegation or DNS aliasing. It involves having a website publisher delegate a subdomain that the third-party analytics provider can use and aliasing it to an external server using a CNAME DNS record. The website and its external trackers thus seem to the browser to be coming from the same domain and are allowed to operate.

As Eulerian explains on its website, “The collection taking place under the name of the advertiser, and not under a third party, neither the ad blockers nor the browsers, interrupt the calls of tags.”

But wait, there’s more

Another marketing analytics biz, Wizaly, also advocates this technique to bypass Apple’s ITP 2.2 privacy protections.

As does Adobe, which explains on its website that one of the advantages of CNAME records for data collection is they “[allow] you to track visitors between a main landing domain and other domains in browsers that do not accept third-party cookies.”

In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive. Aeris added that DNS delegation clearly violates Europe’s GDPR, which “clearly states that ‘user-centric tracking’ requires consent, especially in the case of a third-party service usage.”

A recent statement from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany notes that Google Analytics and similar services can only be used with consent.

“This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox,” said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.

“This is an exploit, not an ‘oopsies,’ because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the ‘badtech industrial complex’ protecting its river of gold.”

[…]

Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.

“uBO is now equipped to deal with third-party disguised as first-party as far as Firefox’s browser.dns allows it,” Hill wrote, adding that he assumes this can’t be fixed in Chrome at the moment because Chrome doesn’t have an equivalent DNS resolution API.

Aeris said, “For Chrome, there is no DNS API available, and so no easy way to detect this,” adding that Chrome under Manifest v3, a pending revision of Google’s extension platform, will break uBO. Hill, uBO’s creator, recently confirmed to The Register that’s still the case.
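The DNS delegation described above, and the resolver-based unmasking uBO performs where a DNS API exists, as an added example that is not uBlock Origin’s or any vendor’s code: it follows a constructed CNAME table and flags a request whose hostname looks first-party but whose alias chain ends at another site. All hostnames and records are constructed, and the registrable-domain logic is a simplification of what the Public Suffix List provides.

```python
"""
Detect CNAME-cloaked trackers: a first-party-looking subdomain whose CNAME
chain ends at a domain the page operator does not control.

Added illustration; not code from uBlock Origin or any vendor. The DNS
records and hostnames below are constructed for the example, and the
registrable-domain logic is a simplification (a real implementation would
consult the Public Suffix List instead of "last two labels").
"""
from typing import Dict, List, Tuple

# Constructed zone data standing in for live DNS answers (name -> CNAME target).
CONSTRUCTED_CNAMES: Dict[str, str] = {
    # Publisher delegates a subdomain to an analytics vendor (the scenario above).
    "metrics.news.example.": "tag.collect.vendor-analytics.example.",
    "tag.collect.vendor-analytics.example.": "edge7.vendor-cdn.example.",
    # Ordinary CDN-style alias that stays inside the publisher's own domain.
    "static.news.example.": "cdn-origin.news.example.",
    # Deliberately broken: a CNAME loop, to show the chain walker terminates.
    "loop-a.news.example.": "loop-b.news.example.",
    "loop-b.news.example.": "loop-a.news.example.",
}

MAX_CHAIN = 8  # sanity bound on alias chasing


def canonical(name: str) -> str:
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def follow_cname_chain(name: str, cnames: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final canonical name, hops visited). Empty final name on loop/overrun."""
    seen: List[str] = []
    current = canonical(name)
    while current in cnames:
        if current in seen or len(seen) >= MAX_CHAIN:
            return "", seen + [current]
        seen.append(current)
        current = canonical(cnames[current])
    return current, seen + [current]


def registrable_domain(name: str) -> str:
    """Simplified eTLD+1: last two labels (a real tool uses the Public Suffix List)."""
    labels = canonical(name).rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_request(page_host: str, request_host: str,
                     cnames: Dict[str, str] = CONSTRUCTED_CNAMES) -> str:
    """
    Classify a sub-request relative to the page that issued it.

    'first-party'    same site, and any alias stays within that site
    'third-party'    visibly a different site (blockable by hostname alone)
    'cname-cloaked'  looks first-party by hostname but resolves to another site
    'unresolved'     CNAME loop or over-long chain; treat conservatively
    """
    page_site = registrable_domain(page_host)
    final, _chain = follow_cname_chain(request_host, cnames)
    if not final:
        return "unresolved"
    looks_first_party = registrable_domain(request_host) == page_site
    resolves_first_party = registrable_domain(final) == page_site
    if looks_first_party and resolves_first_party:
        return "first-party"
    if looks_first_party and not resolves_first_party:
        return "cname-cloaked"
    return "third-party"


if __name__ == "__main__":
    for host in ("metrics.news.example", "static.news.example",
                 "pixel.vendor-analytics.example", "loop-a.news.example"):
        verdict = classify_request("www.news.example", host)
        _, chain = follow_cname_chain(host, CONSTRUCTED_CNAMES)
        print(f"{host:32} -> {verdict:14} via {' -> '.join(chain)}")
```

A blocker without access to the resolver (the Chrome situation described above) only ever sees the left-hand hostname, which is why the first case is invisible to hostname-based filtering.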

Even if Chrome were to implement a DNS resolution API, Google has made it clear it wants to maintain the ability to track people on the web and place cookies, for the sake of its ad business.

Apple’s answer to marketer angst over being denied analytic data by Safari has been to propose a privacy-preserving ad click attribution scheme that allows 64 different ad campaign identifiers – so marketers can see which worked.

Google’s alternative proposal, part of its “Privacy Sandbox” initiative, calls for an identifier field capable of storing 64 bits of data – considerably more than the 64 identifiers Apple proposes.

As the Electronic Frontier Foundation has pointed out, this enables a range of numbers up to 18 quintillion, allowing advertisers to create unique IDs for every ad impression they serve, information that could then be associated with individual users.

Source: Bad news: ‘Unblockable’ web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much • The Register

Extraterrestrial ribose and other sugars found in primitive meteorites

Ribose is an essential sugar for present life as a building block of RNA, which could have both stored information and catalyzed reactions in primitive life on Earth. Meteorites contain a number of organic compounds including components of proteins and nucleic acids. Among the constituent molecular classes of proteins and nucleic acids (i.e., amino acids, nucleobases, phosphate, and ribose/deoxyribose), the presence of ribose and deoxyribose in space remains unclear. Here we provide evidence of extraterrestrial ribose and other bioessential sugars in primitive meteorites. Meteorites were carriers of prebiotic organic molecules to the early Earth; thus, the detection of extraterrestrial sugars in meteorites implies the possibility that extraterrestrial sugars may have contributed to forming functional biopolymers like RNA.

Source: Extraterrestrial ribose and other sugars in primitive meteorites | PNAS

1.2 Billion Records Found Exposed Online in a Single Server, contain social media profiles

In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information—about 1.2 billion records in all.

While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.

“It’s bad that someone had this whole thing wide open,” Troia says. “This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That’s a lot of information in one place to get you started.”

Source: 1.2 Billion Records Found Exposed Online in a Single Server  | WIRED

Sacha Baron Cohen gave the greatest speech on why social networks need to be kept in check, biggest propaganda machines in history

Cohen gave the speech yesterday, at an awards gala for the Anti-Defamation League (ADL), where he was the recipient of ADL’s International Leadership Award.

While accepting his award, Cohen touched on the role companies like Facebook, Google, and Twitter have played in spreading lies and hate speech online, calling the sites “the greatest propaganda machine in history.”

Cohen’s speech, in video format, is embedded above. Below is a short summary of his main talking points. A full transcript, courtesy of the ADL, is embedded below the summary:

  • Cohen called Facebook, YouTube, Google, Twitter and others the biggest propaganda machine in history.
  • He coined the term “Silicon Six” to describe the six US billionaires that control this machine — naming Zuckerberg at Facebook, Sundar Pichai at Google, Larry Page and Sergey Brin at Alphabet, Susan Wojcicki at YouTube, and Jack Dorsey at Twitter.
  • The actor ripped Zuckerberg for defending holocaust deniers.
  • He ripped Zuckerberg for his platform facilitating Russia’s interference in US elections.
  • He ripped Zuckerberg for facilitating the Myanmar genocide.
  • Said if another genocide takes place, Zuckerberg needs to go to jail.
  • Cohen ripped Facebook for allowing political ads. Said if Facebook existed in the 1930s they would have allowed Hitler to “post 30-second ads on his ‘solution’ to the ‘Jewish problem’.”
  • Cohen likened the Christchurch massacre video to “a snuff film broadcast by social media.”
  • He said social media sites are today’s largest publishers, and should have to abide by the same standards as newspapers, radio, and TV stations.
  • He agreed that social media should function based on government-mandated rules, and not by internal policies set by billionaires more focused on protecting share prices than human life. He called “for regulation and legislation to curb the greed of these high-tech robber barons.”

Source: Sacha Baron Cohen gave the greatest speech on why social networks need to be kept in check | ZDNet

Monero Wallet downloads compromised for 35 minutes

Security Warning: CLI binaries available on getmonero.org may have been compromised at some point during the last 24h.
Posted by u/binaryFate in r/Monero

Some users noticed the hash of the binaries they downloaded did not match the expected one: https://github.com/monero-project/monero/issues/6151
It appears the box has been indeed compromised and different CLI binaries served for 35 minutes. Downloads are now served from a safe fallback source.

Always check the integrity of the binaries you download!

If you downloaded binaries in the last 24h, and did not check the integrity of the files, do it immediately. If the hashes do not match, do NOT run what you downloaded. If you have already run them, transfer the funds out of all wallets that you opened with the (probably malicious) executables immediately, using a safe version of the Monero wallet (the one online as we speak is safe — but check the hashes).

More information will be posted as several people are currently investigating to get to the bottom of this.

Correct hashes are available here (check the signature): https://web.getmonero.org/downloads/hashes.txt
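The check the post asks for, as an added example that is not part of the post or of the Monero project's own tooling: stream each downloaded file through SHA-256 and compare it against a manifest of `<sha256>  <filename>` lines (an assumed layout; the manifest and files below are constructed). Verifying the manifest's PGP signature is a separate step this block does not perform.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed manifest layout: lines of "<64 hex chars>  <filename>"; anything else
# (headings, PGP armor lines) is ignored.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+(\S+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Map filename -> expected lowercase SHA-256 hex digest."""
    expected = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large archives are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, manifest_text: str) -> tuple[bool, str]:
    """Return (ok, reason). A file absent from the manifest fails rather than
    passes: a swapped binary may come with a different name, too."""
    expected = parse_manifest(manifest_text)
    if path.name not in expected:
        return False, f"{path.name}: not listed in manifest"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected[path.name]):
        return False, f"{path.name}: digest mismatch, do not run"
    return True, f"{path.name}: OK"


def demo() -> dict[str, bool]:
    """Constructed scenario: one genuine archive, one swapped archive carrying a
    listed name, and one file the manifest never mentioned."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        good = tmp / "monero-cli-good.tar.bz2"   # placeholder names, not real releases
        bad = tmp / "monero-cli-bad.tar.bz2"
        unlisted = tmp / "unlisted.tar.bz2"
        good.write_bytes(b"pretend this is the genuine release archive\n")
        bad.write_bytes(b"pretend this is the swapped archive\n")
        unlisted.write_bytes(b"something else entirely\n")
        # Constructed manifest: only the genuine digest is published, under both
        # listed names, so the swapped file must fail the comparison.
        manifest = (
            "# constructed hashes manifest (not the real hashes.txt)\n"
            f"{sha256_file(good)}  {good.name}\n"
            f"{sha256_file(good)}  {bad.name}\n"
        )
        return {p.name: verify_download(p, manifest)[0] for p in (good, bad, unlisted)}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```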

Police can keep Amazon Ring camera video forever, and share with whomever they’d like, company tells senator

More than 600 police forces across the country have entered into partnerships with the camera giant allowing them to quickly request and download video captured by Ring’s motion-detecting, internet-connected cameras inside and around Americans’ homes.

The company says the videos can be a critical tool in helping law enforcement investigate crimes such as trespassing, burglary and package theft. But some lawmakers and privacy advocates say the systems could also empower more widespread police surveillance, fuel racial profiling and spark new neighborhood fears.

In September, following a report about Ring’s police partnerships in The Washington Post, Sen. Edward Markey, D-Mass., wrote to Amazon asking for details about how it protected the privacy and civil liberties of people caught on camera. Since that report, the number of law enforcement agencies working with Ring has increased nearly 50%.

In two responses from Amazon’s vice president of public policy, Brian Huseman, the company said it placed few restrictions on how police used or shared the videos offered up by homeowners. (Amazon CEO Jeff Bezos also owns The Washington Post.)

Police in those communities can use Ring software to request up to 12 hours of video from anyone within half a square mile of a suspected crime scene, covering a 45-day time span, Huseman said. Police are required to include a case number for the crime they are investigating, but not any other details or evidence related to the crime or their request.

Markey said in a statement that Ring’s policies showed the company had failed to enact basic safeguards to protect Americans’ privacy.

“Connected doorbells are well on their way to becoming a mainstay of American households, and the lack of privacy and civil rights protections for innocent residents is nothing short of chilling,” he said.

“If you’re an adult walking your dog or a child playing on the sidewalk, you shouldn’t have to worry that Ring’s products are amassing footage of you and that law enforcement may hold that footage indefinitely or share that footage with any third parties.”

Ring, which Amazon bought last year for more than $800 million, did not immediately respond to requests for comment.

Source: Police can keep Ring camera video forever, and share with whomever they’d like, company tells senator – Stripes

Why tech companies need to hire philosophers

I have spent the better half of the last two years trying to convince companies like Google, Facebook, Microsoft, DeepMind, and OpenAI that they need to hire philosophers.

My colleagues and I—a small collective of academics that make up a program called Transformations of the Human at the Los Angeles-based think tank called the Berggruen Institute—think that the research carried out by these companies has been disrupting the very concept of the human that we—in the West particularly—have taken for granted for almost half a millennium.

It’s not only that, though. These companies have helped create realities that we can no longer navigate with the old understanding of what it means to be human.

We need new ones—for ourselves, so that we are able to navigate and regulate the new worlds we live in, but also for the engineers who create tech products, tools, and platforms, so that they can live up to the philosophical stakes of their work.

To make that possible, we need philosophers and artists working alongside computer and software engineers.

[…]

I realized that fields like AI and microbiome research or synthetic biology not only undermine the historic way we think of the human—they also allow for new possibilities for understanding the world.

It suddenly dawned on me that I could look at each one of these fields, not just AI and the microbiome, but also synthetic biology, biogeochemistry, and others, as if they were a kind of philosophical laboratory for re-articulating our reality.

[…]

We are living in an era of a major, most far-reaching philosophical event: A radical re-articulation of what it is to be human and of the relation between humans, nature, and technology.

Yet at present, no one really formally talks about this philosophical quality of tech. Hence, no one attends to it, with the inevitable consequence that the sweeping re-articulation of the human unfolds around us in a haphazard, entirely unconscientious way.

Shouldn’t we try to change this?

When I shared my enthusiasm with my colleagues in academia, I found that what was exciting to me was an unbearable provocation for many others.

My suggestion that the question concerning the human has migrated into the fields of the natural sciences and engineering—that is, into fields not concerned with the traditional study of the human and humanity at all—was received as a threat by academics in the arts. If humans are no longer more than nature or machines, then what are the arts even good for?

[…]

Today, we have philosophy and art teams at Element AI, Facebook, and Google, and also at AI labs at MIT, Berkeley, and Stanford. Our researchers are in regular conversation with DeepMind, OpenAI, and Microsoft.

[…]

What we need now is a completely new model for an educational institution, one that can produce a new kind of practitioner.

We need a workforce that thinks differently, and that can understand engineering, from AI to microbiome research to synthetic biology to geoengineering and many other fields—as philosophical and artistic practices that ceaselessly re-invent the human.

Almost every month, you’ll likely read about another billion-dollar endowment for a new tech school. On the one hand, there’s nothing wrong with this—I agree we always need better, smarter tech.

On the other hand, these tech schools tend to reproduce the old division of labor between the faculty of arts and the faculties of science and engineering. That is, they tend to understand tech as just tech and not as the philosophical and artistic field that it is.

What we need are not so much tech schools, as institutions that combine philosophy, art, and technology into one integrated curriculum.

Source: Why tech companies need to hire philosophers — Quartz

I completely agree with Mr Tobias Rees

This article is absolutely worth reading in full.

Android Users: Check Now to See If a Rogue App Can Control Your Phone’s Camera

According to an investigation by Checkmarx security researchers, some Android devices may have an unpatched security flaw that an app could use to record you without your knowledge using your device’s camera and mic.

No attacks that exploit the bug have been reported so far, thankfully. Still, the Checkmarx researchers were able to successfully create and execute commands that could remotely record phone calls; capture photos, video, and audio; access GPS metadata from photos; and even check whether the phone was facing down—meaning hackers may one day create their own clever attacks for devices running an unpatched version of a device’s default camera apps.

Google and Samsung released patches for impacted smartphones earlier this year, but Checkmarx’s report suggests that many other Android smartphones may still be affected. Fortunately, there are ways you can check if your device has been patched.

Check for the bug on Pixel phones

Pay attention to the “Last Updated” date (Screenshot: Brendan Hesse)

Pixel users can check for the patch easily: simply open your device’s settings then go to Apps & Notifications > See All Apps > Camera > Advanced > App details to open the app’s Google Play Store page. If the app has been updated since July 2019, you’re in the clear.

Check for the bug on other Android devices (manually)

If you’re not sure whether your smartphone’s manufacturer has issued an update for your phone’s camera app that fixes this bug, one way to find out is to try exploiting the bug yourself (a method courtesy of Ars Technica).

You’ll need:

  • A PC (this will work on Windows, Mac, and Linux).
  • Your Android device.
  • A USB cable to connect them.

Once you have those materials, here’s what you need to do:

  1. First, you’ll need to install and configure ADB tools on your PC. All the necessary files and instructions for installing ADB for your PC’s OS can be found on the XDA Developer Forums.
  2. After ADB is installed and configured, plug your Android phone into your PC with the USB cable. Next, we’re going to try to use codes to force the phone to take videos and photos without accessing the phone’s camera app.
  3. Open your PC’s command terminal. On Windows: Press “Windows Key+R,” then type “cmd” and hit “run.” On Mac: Press “Command+Space” to open the Finder, then type “Terminal” and double click the Terminal icon to run.
  4. In the command prompt window, run the following commands one at a time:

adb shell am start-activity -n com.google.android.GoogleCamera/com.android.camera.CameraActivity --ez extra_turn_screen_on true -a android.media.action.VIDEO_CAMERA --ez android.intent.extra.USE_FRONT_CAMERA true

Then:

adb shell am start-activity -n com.google.android.GoogleCamera/com.android.camera.CameraActivity --ez extra_turn_screen_on true -a android.media.action.STILL_IMAGE_CAMERA --ez android.intent.extra.USE_FRONT_CAMERA true --ei android.intent.extra.TIMER_DURATION_SECONDS 3

Open your phone’s camera app and go to your photo/video library to check if the commands worked. If you find a new photo or video, then the bug is present on your device.

If you haven’t updated your device’s camera app in a while, try checking for updates via the Google Play Store. Once you’ve installed anything that’s available for your phone’s default camera app, try the above ADB commands again. If they still work, you should report the issue to your device’s manufacturer as soon as possible. In addition, stay away from unknown camera, video, or audio recording apps, since this is the most likely method for hackers to slip malicious code onto your device and take a few photos.

Source: Android Users: Check Now to See If a Rogue App Can Control Your Phone’s Camera

Shopped online at Macy’s last month? Might want to toss, or at least check, that card

A notice (PDF) posted by the long-operating department store chain said that, between October 7 and October 15 of this year, a Magecart script was running on the checkout page of its retail website.

The script was able to capture payment card details in two different ways: as it was being entered through the checkout page when placing an order, or if it was stored in the “wallet” page on the Macy’s website and then used to place an order.

“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website,” the retailer told exposed punters.

“Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com.”

Unfortunately for Macy’s customers, the script got pretty much everything needed for card fraud: card number, security code, and expiration date. Additionally, the malware was able to collect customer names as well as email and mailing addresses and phone numbers.

Macy’s notes that only the webpage was compromised: users who made purchases with the mobile app were not exposed. Experts say that the attack appears to be a rather bog-standard Magecart operation, albeit an extremely successful one.

Source: Shopped online at Macy’s last month? Might want to toss, or at least check, that card
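The indicator Macy’s describes, a checkout page talking to another website, is something a site owner can audit for before customers do. An added example, not code from Macy’s or from the source article: walk the `<script>` tags of a payment page and flag external scripts whose origin is not on an allow-list, allow-listed third-party scripts that lack Subresource Integrity, and inline scripts. The page HTML and hostnames below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Record every <script> on a page: external ones by origin and whether
    they carry an integrity attribute, inline ones by body length."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[tuple[str, bool]] = []
        self.inline: list[int] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            # An empty netloc means a relative URL, i.e. a first-party script.
            self.external.append((urlsplit(a["src"]).netloc.lower(), "integrity" in a))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append(len("".join(self._buf).strip()))


def audit_checkout_page(html: str, allowed_origins: set[str]) -> list[str]:
    """Findings for a payment page: scripts from origins not on the allow-list,
    allow-listed third-party scripts without SRI (a swapped file would load
    unnoticed), and inline scripts, which need manual review on such a page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for origin, has_sri in p.external:
        if origin == "":
            continue
        if origin not in allowed_origins:
            findings.append(f"unexpected script origin: {origin}")
        elif not has_sri:
            findings.append(f"allowed origin without SRI: {origin}")
    findings += [f"inline script ({n} chars)" for n in p.inline if n]
    return findings


# Constructed checkout page; every hostname is a placeholder, not a real site.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.payments-provider.invalid/sdk.js"
        integrity="sha384-PLACEHOLDER"></script>
<script src="https://tags.analytics-vendor.invalid/tag.js"></script>
<script src="https://static.not-on-allowlist.invalid/metrics.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
</head><body></body></html>
"""
ALLOWED_ORIGINS = {"cdn.payments-provider.invalid", "tags.analytics-vendor.invalid"}

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_ORIGINS):
        print("FINDING:", finding)
```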

Half of Oracle E-Business customers open to months-old bank fraud flaw

Security company Onapsis estimates that roughly half of all companies using the Oracle EBS software have not yet patched CVE-2019-2648 and CVE-2019-2633, despite Big Red having pushed out fixes for both bugs back in April.

The two vulnerabilities are found in the Thin Client Framework API and are described as reflected SQL injections. An attacker who could remotely access the EBS server via HTTPS would be able to exploit the bug and send arbitrary commands to the vulnerable machine.

While this flaw is dangerous to EBS as a whole, it is particularly bad for servers that use the Payments module included with the suite. The Payments tool allows companies to set up and schedule direct deposits and automatic money transfers to suppliers or partners as well as handle invoices and orders. The bank routing and account numbers for transfer orders are kept on the server as text files and automatically loaded when needed.

You can guess where this is going.

An attacker who exploited either of the SQL injection flaws would be able to remotely modify those transfer order files to include instructions to move cash to an account of their choosing. Instant bank fraud.

Source: Half of Oracle E-Business customers open to months-old bank fraud flaw • The Register

Elon Musk’s Starlink Satellites Are Already Causing a Headache for Astronomers

Astronomers at a Chilean observatory were rudely interrupted earlier this week when a SpaceX satellite train consisting of 60 Starlink satellites drifted overhead, in what scientists are apparently going to have to accept as the new normal.

Launched into orbit on November 11, the Starlink smallsat train took five minutes to pass over the Cerro Tololo Inter-American Observatory in Chile, according to a tweet from astronomer Clara Martínez-Vázquez.

“Wow!! I am in shock!!,” tweeted Martínez-Vázquez. “The huge amount of Starlink satellites crossed our skies tonight at [Cerro Tololo]. Our DECam [Dark Energy Camera] exposure was heavily affected by 19 of them!,” to which she added: “Rather depressing… This is not cool!”

Responding to this tweet, astronomer Cliff Johnson, a team member and a CIERA Postdoc Fellow in Astronomy at Northwestern, tweeted out a view of the disrupted data, showing an array of satellite trails strewn across an image of space.

The astronomers were collecting data using the DECam instrument, a high-performance, wide-field imager on the CTIO Blanco 4-meter telescope, as part of the DELVE survey, which is currently mapping the outer fringes of the Large and Small Magellanic Clouds as well as a significant fraction of the southern sky at optical wavelengths. Key goals of the project are to study the stellar halo around the Magellanic Clouds and detect new dwarf galaxies in orbit around the Clouds or the nearby Milky Way.

The Starlink-tarnished DECam frame, showing satellite trails across the field of view. (Image: Clara Martínez-Vázquez, Cliff Johnson, CTIO/AURA/NSF)

But this research was punctuated as the Starlink train passed overhead during the early morning of Monday, November 18.

Source: Elon Musk’s Starlink Satellites Are Already Causing a Headache for Astronomers

SpaceX Starship Mk1 explodes during cryogenic loading test

SpaceX’s first full-scale Starship prototype – Mk1 – has experienced a failure at its Boca Chica test site in southern Texas. The failure occurred late in the afternoon on Wednesday, midway through a test of the vehicle’s propellant tanks.

As of a few weeks ago, the Mk1 Starship – which was shown off to the world in September as part of SpaceX’s and Elon Musk’s presentation of the design changes to the Starship system – was to fly the first 20 km test flight of the program in the coming weeks.

The main event of today, the Mk1 Starship’s first cryogenic loading test, involved filling the methane and oxygen tanks with a cryogenic liquid.

During the test, the top bulkhead of the vehicle ruptured and was ejected away from the site, followed by a large cloud of vapors and cryogenic liquid from the tank.

The cryogenic liquid – likely liquid oxygen or liquid nitrogen – was carried by the wind and dispersed over the launch complex.

The top bulkhead was seen landing nearby, but its precise location is unknown.

The bottom tank bulkhead appeared to fail as well. A second cloud of vapor appeared out of the base of the vehicle at the same time that the top ruptured – signaling that the entire internal tank structure may have failed.

Source: SpaceX Starship Mk1 fails during cryogenic loading test – NASASpaceFlight.com

Elon Musk is fine with it though. I’m glad I’m not sitting in it!

Windows will go DNS over HTTPS – Take over your DNS queries, grab more of your browsing behaviour

we are making plans to adopt DNS over HTTPS (or DoH) in the Windows DNS client. As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future. For now, we’re prioritizing DoH support as the most likely to provide immediate value to everyone. For example, DoH allows us to reuse our existing HTTPS infrastructure.

For our first milestone, we’ll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server.

Source: Windows will improve user privacy with DNS over HTTPS – Microsoft Tech Community – 1014229

There is a lot of discussion about this – MS is putting it over as being a user privacy tool, but really it’s a datagrab going on by the tech giants.
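What “reuse our existing HTTPS infrastructure” means in practice is that the DNS message itself does not change; only its transport does. An added example, not Microsoft’s code: build the wire-format query, show both RFC 8484 request forms (GET with unpadded base64url, POST with the `application/dns-message` body), and parse a constructed reply. The resolver URL is a placeholder and the reply is constructed, not from a real server.

```python
import base64
import struct


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """One-question recursive query. RFC 8484 suggests txid 0 for DoH so that
    identical queries yield identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: the message travels in ?dns= as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return f"{resolver_url}?dns={b64}"


def doh_post_request(query: bytes) -> tuple[dict, bytes]:
    """POST form: the raw message is the body, typed application/dns-message."""
    headers = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message",
               "Content-Length": str(len(query))}
    return headers, query


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_a_answers(msg: bytes) -> list[str]:
    """IPv4 addresses from the answer section; empty on a non-zero RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs


def constructed_response(query: bytes, addr: str = "192.0.2.1") -> bytes:
    """Constructed reply (not from a real resolver): echoes the question and
    answers it with one A record via a compression pointer to offset 12."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + query[12:] + answer + bytes(int(o) for o in addr.split("."))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://doh.resolver.invalid/dns-query", q))  # placeholder resolver
    print(parse_a_answers(constructed_response(q)))
```

The GET URL for `www.example.com` reproduces the example in RFC 8484 section 4.1.1, which is a handy check that the encoding is right.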

House Antitrust Investigators Now Scrutinizing Google’s Plans to Add DNS Encryption to Chrome


Cayman Bank Targeted By Phineas Fisher Confirms it Was Hacked – 2 TB of data can be searched through now, find the money launderers

On Sunday, Motherboard reported that the hacker or hackers known as Phineas Fisher targeted a bank, stole money and documents, and is offering other hackers $100,000 to carry out politically motivated hacks. Now, the bank Phineas Fisher targeted, Cayman National Bank from the Isle of Man, confirmed it has suffered a data breach.

“It is known that Cayman National Bank (Isle of Man) Limited was amongst a number of banks targeted and subject to the same hacking activity,” Cayman National told Motherboard in a statement issued Monday.

Source: Offshore Bank Targeted By Phineas Fisher Confirms it Was Hacked – VICE

RELEASE: Sherwood – Copies of the servers of Cayman National Bank and Trust (CNBT), which has allegedly been used for money laundering by Russian oligarchs and others. Includes a HackBack readme explaining Phineas Fisher’s hack and exfiltration of funds.

Source: Twitter

‘Royalty-Free’ Music Supplied By YouTube Audio Library Results in Mass Copyright claims to all YouTube income by Sony – for using a sample from a 1956(!!!!) song

A YouTuber who used a royalty-free track supplied by YouTube itself has had all of his videos copyright claimed by companies including SonyATV and Warner Chappell. According to the music outfits, Matt Lowne’s use of the track ‘Dreams’ by Joakim Karud means that they are now entitled to all of his revenue.

[…]

In common with many YouTubers, Matt didn’t want any copyright issues on his channel. So, to play things safely, he obtained the track ‘Dreams’ by Joakim Karud from YouTube’s very own audio library for use in his intro. Unfortunately, this strategy of obtaining supposedly risk-free music from a legitimate source still managed to backfire. (See update below, YouTube statement)

Very early last Friday, Matt says he received a “massive barrage” of emails from YouTube, targeting “pretty much all” of his KSP videos. The emails said that Matt’s videos “may have content owned or licensed by SonyATV, PeerMusic, Warner Chappell, Audiam and LatinAutor.”

[…]

A clearly exasperated Matt took to YouTube, noting that any ads that now show up on his videos “split up the revenue between all the companies listed” in the emails, with Matt himself “allowed to keep what’s left of that.” He doesn’t know what that amount might be, because he says there’s just no way of knowing.

After highlighting the vague use of the word “may” in YouTube’s emails to him, Matt then went on to describe the real “kick in the gut”, which revolves around the track itself.

‘Dreams’ composer Joakim Karud allows anyone to use his music on YouTube, even commercially, for free. And the fact that Matt downloaded the track from YouTube’s own library was the icing on this particularly bitter cake.

Matt said he had to take time out to manually protest the automated claims against his account, but he says his overtures were immediately rejected, “almost like it’s an automated bot or something.” But things get worse from there.

After contesting each claim and having all of those rejected, Matt says the only option left is to appeal every single one. However, if an appeal is lost, the video in question will be removed completely and a strike will be placed against his account.

It’s three strikes and you’re out on YouTube, so this is not an attractive option for Matt if the music companies somehow win the fight. So, instead, Matt is appealing against just one of the complaints in the hope that he can make some progress without putting his entire account at risk.

[…]

“SonyATV & Warner Chappell have claimed 24 of my videos because the royalty free song Dreams by Joakim Karud (from the OFFICIAL YOUTUBE AUDIO LIBRARY BTW) uses a sample from Kenny Burrell Quartet’s ‘Weaver of Dream’,” a Twitter user wrote on Saturday.

Sure enough, if one turns to the WhoSampled archive, Dreams is listed as having sampled Weaver of Dreams, a track from 1956 to which Sony/ATV Music Publishing LLC and Warner/Chappell Music, Inc. own the copyrights.

[…]

YouTube have been in touch to state that the music in question was not part of its official audio library. In a tweet directed at Matt Lowne, YouTube further added that it may have been made available by an unofficial channel that confusingly calls itself the YouTube Audio Library.

Source: ‘Royalty-Free’ Music Supplied By YouTube Results in Mass Video Demonetization (Updated) – TorrentFreak

There we go, copyright is completely insane.