Google’s medical AI was super accurate in a lab. Real life was a different story, so they need to tweak

The covid-19 pandemic is stretching hospital resources to the breaking point in many countries in the world. It is no surprise that many people hope AI could speed up patient screening and ease the strain on clinical staff. But a study from Google Health—the first to look at the impact of a deep-learning tool in real clinical settings—reveals that even the most accurate AIs can actually make things worse if not tailored to the clinical environments in which they will work.

Existing rules for deploying AI in clinical settings, such as the standards for FDA clearance in the US or a CE mark in Europe, focus primarily on accuracy. There are no explicit requirements that an AI must improve the outcome for patients, largely because such trials have not yet run. But that needs to change, says Emma Beede, a UX researcher at Google Health: “We have to understand how AI tools are going to work for people in context—especially in health care—before they’re widely deployed.”

[…]

Google’s first opportunity to test the tool in a real setting came from Thailand. The country’s ministry of health has set an annual goal to screen 60% of people with diabetes for diabetic retinopathy, which can cause blindness if not caught early. But with around 4.5 million patients to only 200 retinal specialists—roughly double the ratio in the US—clinics are struggling to meet the target. Google has CE mark clearance, which covers Thailand, but it is still waiting for FDA approval. So to see if AI could help, Beede and her colleagues outfitted 11 clinics across the country with a deep-learning system trained to spot signs of eye disease in patients with diabetes.

In the system Thailand had been using, nurses take photos of patients’ eyes during check-ups and send them off to be looked at by a specialist elsewhere—a process that can take up to 10 weeks. The AI developed by Google Health can identify signs of diabetic retinopathy from an eye scan with more than 90% accuracy—which the team calls “human specialist level”—and, in principle, give a result in less than 10 minutes. The system analyzes images for telltale indicators of the condition, such as blocked or leaking blood vessels.

Sounds impressive. But an accuracy assessment from a lab goes only so far. It says nothing of how the AI will perform in the chaos of a real-world environment, and this is what the Google Health team wanted to find out. Over several months they observed nurses conducting eye scans and interviewed them about their experiences using the new system. The feedback wasn’t entirely positive.

When it worked well, the AI did speed things up. But it sometimes failed to give a result at all. Like most image recognition systems, the deep-learning model had been trained on high-quality scans; to ensure accuracy, it was designed to reject images that fell below a certain threshold of quality. With nurses scanning dozens of patients an hour and often taking the photos in poor lighting conditions, more than a fifth of the images were rejected.

Patients whose images were kicked out of the system were told they would have to visit a specialist at another clinic on another day. If they found it hard to take time off work or did not have a car, this was obviously inconvenient. Nurses felt frustrated, especially when they believed the rejected scans showed no signs of disease and the follow-up appointments were unnecessary. They sometimes wasted time trying to retake or edit an image that the AI had rejected.

Because the system had to upload images to the cloud for processing, poor internet connections in several clinics also caused delays. “Patients like the instant results, but the internet is slow and patients then complain,” said one nurse. “They’ve been waiting here since 6 a.m., and for the first two hours we could only screen 10 patients.”

The Google Health team is now working with local medical staff to design new workflows. For example, nurses could be trained to use their own judgment in borderline cases. The model itself could also be tweaked to handle imperfect images better.

[…]

Source: Google’s medical AI was super accurate in a lab. Real life was a different story. | MIT Technology Review

Of course the anti-ML people are using this in some sort of “AI will never work” kind of way, but as far as I can see these kinds of tests are necessary and seem to have been performed with oversight, meaning there was no real risk to patients involved. Lessons were learned and will be implemented, as with all new technologies. And going public with the lessons is incredibly useful for everyone in the field.

NSO Employee Abused Phone Hacking Tech to Target a Love Interest

An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned.

The previously unreported news is a serious abuse of NSO’s products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO’s can ultimately be abused by the humans who have access to it.

“There’s not [a] real way to protect against it. The technical people will always have access,” a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source’s account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company’s system. Motherboard granted multiple sources in this story anonymity to speak about sensitive NSO deliberations and to protect them from retaliation from the company.

NSO sells a hacking product called Pegasus to government clients. With Pegasus, users can remotely break into fully up-to-date iPhone or Android devices with either an attack that requires the target to click on a malicious link once, or sometimes not even click on anything at all. Pegasus takes advantage of multiple so-called zero day exploits, which use vulnerabilities that manufacturers such as Apple are unaware of.

[…]

Researchers have previously tracked installations of Pegasus to Saudi Arabia, the United Arab Emirates, Mexico, and dozens of other countries. NSO says its tool should exclusively be used to fight terrorism or serious crime, but researchers, journalists, and tech companies have found multiple instances of NSO customers using the tool to spy on dissidents and political opponents. David Kaye, the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has noted that there is a “legacy of harm” caused by Pegasus.

This latest case of abuse is different though. Rather than a law enforcement body, intelligence agency, or government using the tool, an NSO employee abused it for their own personal ends.

[…]

“It’s nice to see evidence that NSO Group is committed to preventing unauthorized use of their surveillance products where ‘unauthorized’ means ‘unpaid for.’ I wish we had evidence that they cared anywhere near as much when their products are used to enable human rights violations.”

“You have to ask, who else may have been targeted by NSO using customer equipment?” John Scott Railton, a senior researcher from University of Toronto’s Citizen Lab, which has extensively researched NSO’s proliferation, told Motherboard. “It also suggests that NSO, like any organisation, struggles with unprofessional employees. It is terrifying that such people can wield NSA-style hacking tools,” he said.

Source: NSO Employee Abused Phone Hacking Tech to Target a Love Interest – VICE

Mac Image Capture App Eats up your space

If you’ve been wondering why the free space on your Mac keeps getting smaller, and smaller, and smaller—even if you haven’t been using your Mac all that much—there’s a quirky bug with Apple’s Image Capture app that could be to blame.

According to a recent blog post from NeoFinder, you should resist the urge to use the Image Capture app to transfer photos from connected devices to your desktop or laptop. If you do, and you happen to uncheck the “keep originals” button because you want the app to convert your .HEIC images to friendlier .JPEGs, the bug kicks in:

Apple’s Image Capture will then happily convert the HEIF files to JPG format for you, when they are copied to your Mac. But what it also does is to add 1.5 MB of totally empty data to every single photo file it creates! We found that massive bug by pure chance when working on further improving the metadata editing capabilities in NeoFinder, using a so-called Hex-Editor “Hex Fiend”.

They continue:

Of course, this is a colossal waste of space, especially considering that Apple is seriously still selling new Macs with a ridiculously tiny 128 GB internal SSD. Such a small disk is quickly filled with totally wasted empty data.

With just 1000 photos, for example, this bug eats 1.5 GB off your precious and very expensive SSD disk space.

We have notified Apple of this new bug that was already present in macOS 10.14.6, and maybe they will fix it this time without adding yet additional new bugs in the process.

So, what are your options? First off, you don’t have to use the Image Capture app. Unless you’re transferring a huge batch of photos over, you could just sync your iPhone or iPad’s photo library to iCloud, and do the same on your Mac, to view anything you’ve shot. If that’s not an option, you could always just AirDrop your photos over to your Mac, too, or simply use Photos instead of Image Capture (if possible).
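An added check (not NeoFinder’s or Apple’s code) that a practitioner could run over a photo folder to confirm whether converted JPEGs carry a zero-filled tail of the kind described above. It assumes, as the hex-editor finding suggests but the post does not state, that the empty data sits after the JPEG End-Of-Image marker, and it walks the marker structure so that an embedded EXIF thumbnail’s own EOI is not mistaken for the file’s; the sample file it builds is constructed, not a real photo.

```python
"""Added example, not code from NeoFinder or Apple.

Flags JPEG files whose bytes after the End-Of-Image (EOI, FF D9) marker are
all zero, and totals the space such tails waste across a directory.
Assumption: the "empty data" the post describes is appended after EOI.
"""
import os
import sys

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def find_eoi_offset(data: bytes) -> int:
    """Return the offset just past the file's EOI marker, or -1 if the data
    is not a well-formed JPEG. The marker segments are walked by length
    rather than searching for FF D9, because an APP1 (EXIF) segment often
    embeds a thumbnail JPEG that carries its own FF D9 before the real one."""
    if not data.startswith(SOI):
        return -1
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image ends here
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM: no length
            pos += 2
            continue
        if pos + 4 > n:
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # Skip scan data: FF 00 is byte stuffing, FF D0..D7 are restart markers.
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1


def analyze(data: bytes) -> dict:
    """Describe what follows EOI: how many bytes, and whether they are all zero."""
    end = find_eoi_offset(data)
    if end < 0:
        return {"valid": False, "tail_bytes": 0, "empty_tail": False}
    tail = data[end:]
    return {"valid": True, "tail_bytes": len(tail),
            "empty_tail": len(tail) > 0 and tail.strip(b"\x00") == b""}


def scan_directory(root: str) -> dict:
    """Walk root, analyze every .jpg/.jpeg and total the zero-filled tails."""
    totals = {"files": 0, "padded": 0, "wasted_bytes": 0, "unparsed": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".jpg", ".jpeg")):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                info = analyze(fh.read())
            totals["files"] += 1
            if not info["valid"]:
                totals["unparsed"] += 1
            elif info["empty_tail"]:
                totals["padded"] += 1
                totals["wasted_bytes"] += info["tail_bytes"]
    return totals


def make_sample(padding: int) -> bytes:
    """Constructed sample: a JPEG marker skeleton (not a decodable picture)
    with an APP1 segment that embeds a thumbnail's own SOI/EOI, an SOS segment,
    fake scan data containing FF 00 stuffing and an RST0 marker, the real EOI,
    and then `padding` zero bytes, mimicking the reported empty tail."""
    payload = b"Exif\x00\x00" + SOI + EOI
    body = SOI + b"\xff\xe1" + (2 + len(payload)).to_bytes(2, "big") + payload
    sos = b"\x01\x01\x00\x00\x3f\x00"
    body += b"\xff\xda" + (2 + len(sos)).to_bytes(2, "big") + sos
    body += b"\x12\x34\xff\x00\x56\xff\xd0\x78" + EOI
    return body + b"\x00" * padding


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_directory(sys.argv[1]))
    else:
        # 1.5 MB of zeros per file, the figure the post reports
        print(analyze(make_sample(1_500_000)))
```

Run it with a folder path to get totals for real files; the figure the post gives (1.5 MB per converted photo) would show up as `wasted_bytes` of roughly 1.5 GB per 1000 affected files.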

Source: How to Keep the Image Capture App From Eating Up Space on Your Mac

How Spies Snuck Malware Into the Google Play Store—Again and Again: by upgrading a vetted app

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say, PhantomLance’s hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app, and the victim will trust it because it’s Google Play.”

Kaspersky says it has tied the PhantomLance campaign to the hacker group OceanLotus, also known as APT32, widely believed to be working on behalf of the Vietnamese government. That suggests the PhantomLance campaign likely mixed spying on Vietnam’s Southeast Asian neighbors with domestic surveillance of Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus to previous operations that targeted Vietnamese dissidents and bloggers. FireEye also recently spotted the group targeting China’s Ministry of Emergency Management as well as the government of the Chinese province of Wuhan, apparently searching for information related to Covid-19.

The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps were fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks. In total, Firsh says, Kaspersky’s antivirus software detected the malicious apps attempting to infect around 300 of its customers’ phones.

In most instances, those earlier apps hid their intent better than the two that had lingered in Google Play. They were designed to be “clean” at the time of installation and only later add all their malicious features in an update. “We think this is the main strategy for these guys,” says Firsh. In some cases, those malicious payloads also appeared to exploit “root” privileges that allowed them to override Android’s permission system, which requires apps to ask for a user’s consent before accessing data like contacts and text messages. Kaspersky says it wasn’t able to find the actual code that the apps would use to hack Android’s operating system and gain those privileges.

Source: How Spies Snuck Malware Into the Google Play Store—Again and Again | WIRED

Space Launch Market for Heavy Lift Vehicles: Charts and Data Set of Addressable Launches 2007–2018

In 2019, the U.S. Air Force (USAF) asked the RAND Corporation to independently analyze the heavy lift space launch market to assess how potential USAF decisions in the near term could affect domestic launch providers and the market in general. RAND’s analysis was published as Assessing the Impact of U.S. Air Force National Security Space Launch Acquisition Decisions: An Independent Analysis of the Global Heavy Lift Launch Market. As part of their analysis, RAND researchers gathered open-source launch data that describes “addressable launches” of heavy lift vehicles — the commercial portion of the launch market over which launch firms compete. This tool charts the size of the total heavy lift launch market, as well as the addressable launch market for heavy lift vehicles, and offers filters to examine launches by comparisons of interest (such as vehicle, geographic region, and others).


Source: Space Launch Market for Heavy Lift Vehicles: Charts and Data Set of Addressable Launches 2007–2018 | RAND

We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit

A vulnerability existed in Microsoft’s Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.

The pwn-with-GIF vuln was possible, said Cyberark, thanks to two compromisable Microsoft subdomains along with a carefully crafted animated image file.

Although it was a responsibly disclosed theoretical vuln, and was not abused in the wild as far as is known, it illustrates that not all online collaboration platforms are as secure as one might hope.

“Even if an attacker doesn’t gather much information from a Teams’ account, they could use the account to traverse throughout an organization (just like a worm),” mused Cyberark researcher Omer Tsarfati.

The Israeli infosec outfit said it had alerted Redmond to the two subdomains, resulting in their DNS entries being tweaked. The rest of the Teams vuln was patched last Monday, 20 April.

Source: We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit • The Register

Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

Britain’s Surveillance Camera Commissioner Tony Porter described the security lapse as “both astonishing and worrying,” and demanded a full probe into the snafu.

Source: Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard • The Register

Journalist Allegedly Spied on Zoom Meetings of Rivals in Hilariously Dumb Ways

Financial Times reporter Mark Di Stefano allegedly spied on Zoom meetings at rival newspapers the Independent and the Evening Standard to get scoops on staff cuts and furloughs due to the coronavirus pandemic, according to a report from the UK’s Independent. And Di Stefano did a comedically bad job of covering his tracks.

Di Stefano reportedly logged in to a Zoom meeting being held by the Independent last week using his Financial Times email address, causing his name to appear for everyone else on the call, though his own video camera was disabled. Di Stefano logged out after “16 seconds,” according to the Independent, but a few minutes later, another login was recorded that was connected to Di Stefano’s phone number. That user stayed on the call until the end of the meeting, according to journalists in the Zoom meeting.

How do we know it was probably Di Stefano? It’s not like he made his knowledge of the call’s contents secret. After the call, he tweeted about the changes at the two news outlets on April 23, including the fact that ad revenue is down between 30 and 50 percent. The FT reporter also tweeted that the Independent’s website had just experienced its biggest traffic month ever.

Di Stefano’s tweets were apparently going out before some people at the two news outlets even knew what was going on at their own workplaces, according to the Independent.

[…]

Di Stefano caught plenty of flak from Twitter users over the past two days, making fun of his less-than-perfect deception on Zoom, with plenty of Simpsons references—like the time that Mr. Burns put on a bad mustache to appear as “Mr. Snrub.”

Source: Journalist Allegedly Spied on Zoom Meetings of Rivals in Hilariously Dumb Ways

Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks. That’s OK says maker, you download worse stuff as games.

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file.

Penned by independent security researcher Chris Culnane, University of Melbourne tutor, cryptography researcher and masters student Eleanor McMurtry, developer Robert Merkel and Australian National University associate professor and Thinking Security CEO Vanessa Teague and posted to GitHub, the analysis notes three concerning design choices.

The first-addressed is the decision to change UniqueIDs – the identifier the app shares with other users – once every two hours and for devices to only accept a new UniqueID if the app is running. The four researchers say this will make it possible for the government to understand if users are running the app.

“This means that a person who chooses to download the app, but prefers to turn it off at certain times of the day, is informing the Data Store of this choice,” they write.

The authors also suggest that persisting with a UniqueID for two hours “greatly increases the opportunities for third-party tracking.”

“The difference between 15 minutes’ and two hours’ worth of tracking opportunities is substantial. Suppose for example that the person has a home tracking device such as a Google home mini or Amazon Alexa, or even a cheap Bluetooth-enabled IoT device, which records the person’s UniqueID at home before they leave. Then consider that if the person goes to a shopping mall or other public space, every device that cooperates with their home device can share the information about where they went.”

The analysis also notes that “It is not true that all the data shared and stored by COVIDSafe is encrypted. It shares the phone’s exact model in plaintext with other users, who store it alongside the corresponding Unique ID.”

That’s worrisome as:

“The exact phone model of a person’s contacts could be extremely revealing information. Suppose for example that a person wishes to understand whether another person whose phone they have access to has visited some particular mutual acquaintance. The controlling person could read the (plaintext) logs of COVIDSafe and detect whether the phone models matched their hypothesis. This becomes even easier if there are multiple people at the same meeting. This sort of group re-identification could be possible in any situation in which one person had control over another’s phone. Although not very useful for suggesting a particular identity, it would be very valuable in confirming or refuting a theory of having met with a particular person.”

The authors also worry that the app shares all UniqueIDs when users choose to report a positive COVID-19 test.

“COVIDSafe does not give them the option of deleting or omitting some IDs before upload,” they write. “This means that users consent to an all-or-nothing communication to the authorities about their contacts. We do not see why this was necessary. If they wish to help defeat COVID-19 by notifying strangers in a train or supermarket that they may be at risk, then they also need to share with government a detailed picture of their day’s close contacts with family and friends, unless they have remembered to stop the app at those times.”

The analysis also calls out some instances of UniqueIDs persisting for up to eight hours, for unknown reasons.

The authors conclude the app is not an immediate danger to users. But they do say it presents “serious privacy problems if we consider the central authority to be an adversary.”

None of which seems to be bothering Australians, who have downloaded it more than two million times in 48 hours and blown away adoption expectations.

Atlassian co-founder Mike Cannon-Brookes may well have helped things along, by suggesting it’s time to “turn the … angry mob mode off.” He also offered the following advice:

When asked by non-technical people “Should I install this app? Is my data / privacy safe? Is it true it doesn’t track my location?” – say “Yes” and help them understand. Fight the misinformation. Remind them how little time they think before they download dozens of free, adware crap games that are likely far worse for their data & privacy than this ever would be!

Source: Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks • The Register

UNESCO Suggests COVID-19 Is A Reason To Create… Eternal Copyright

Yes, we’ve seen lots of folks using COVID-19 to push their specific agendas forward, but this one is just bizarre. UNESCO (the United Nations Educational, Scientific and Cultural Organization) is an organization that is supposed to be focused on developing education and culture around the globe. From any objective standpoint, you’d think it would be in favor of things like more open licensing and sharing of culture, but, in practice, the organization has long been hijacked by copyright maximalist interests. Almost exactly a decade ago, we were perplexed at the organization’s decision to launch an anti-piracy organization. After all, “piracy” (or sharing of culture) is actually how culture and ideas frequently spread in the developing countries where UNESCO focuses.

So, I guess it isn’t so surprising a decade later that UNESCO is using COVID-19 to float the idea of an eternal copyright. I only wish I was kidding:

They phrase this as “just started the conversation,” but that’s a trollish setup for a terrible, terrible idea. In case you can’t see the video, it’s electronic music creator Jean-Michel Jarre suggesting eternal copyright as a way to support future artists:

Why not going to the other way around, and to create the concept of eternal copyright. And I mean by this that after a certain period of time, the rights of movies, of music, of everything, would go to a global fund to help artists, and especially artists in emerging countries.

First, we can all agree that helping to enable and support artists in emerging countries is a good general idea. I’ve seen a former RIAA executive screaming about how everyone criticizing this idea is showing their true colors in how they don’t want to support artists. But that’s just silly. The criticism of this idea is that it doesn’t “support” artists at all, and will almost certainly make creativity and supporting artists more difficult. And that’s because art and creativity has always relied on building upon the works of those who came before — and locking up everything for eternity would make that cost prohibitive for all but the wealthiest of creators. Indeed, the idea that we need copyright and copyright alone to support artists shows (yet again) just how uncreative the people who claim to support copyright can be.

[…]

Source: UNESCO Suggests COVID-19 Is A Reason To Create… Eternal Copyright | Techdirt

Can you imagine – every time someone read your email, you asked them for $0.10 because that email is your copyright? What a complete scam.

PSA: New Character Bug in Messages Causing iOS Devices to Crash [Updated]

There appears to be a new character-linked bug in Messages, Mail, and other apps that can cause the iPhone, iPad, Mac, and Apple Watch to crash when receiving a specific string of characters.


In this particular case, the character string involves the Italian flag emoji along with characters in the Sindhi language, and it appears the system crash happens when an incoming notification is received with the problem-causing characters.

Based on information shared on Reddit, the character string began circulating on Telegram, but has also been found on Twitter.

These kinds of device-crashing character bugs surface every so often and sometimes become widespread, leading to a significant number of people ending up with a malfunctioning iPhone, iPad, or Mac. In 2018, for example, a character string in the Telugu language circulated around the internet, crashing thousands of devices before Apple addressed the problem in an iOS update.

There is often no way to prevent these characters from causing crashes and freezes when received from a malicious person, and crashes caused through notifications often cause operating system re-springs and in some cases, a need to restore a device in DFU mode.

MacRumors readers should be aware that such a bug is circulating, and for those who are particularly concerned, as this bug appears to impact notifications, turning off notifications may mitigate the effects. Apple typically fixes these character bugs within a few days to a week.

Update: According to MacRumors reader Adam, who tested the bug on a device running iOS 13.4.5, the issue is fixed in the second beta of that update.

Source: PSA: New Character Bug in Messages Causing iOS Devices to Crash [Updated] – MacRumors

Windows 10 Update: Would You Like Deleted Files And Blue Screens With That?

As users complain of blue screens of death, deleted files and reboot loops, here’s what you need to know about this Windows 10 update.

There’s a lot of truth in the notion that you can’t please all the people all of the time, as Microsoft knows only too well. With Windows 10 now installed on more than one billion devices, there will always be a wide variation in terms of user satisfaction. One area where this variation can be seen perhaps most clearly is that of updates.

[…]

The problems those users are reporting to the Microsoft support forums and on social media have included the installation failing and looping back to restart again, the dreaded Blue Screen of Death (BSOD) following a “successful” update and computers that simply refuse to boot again afterward. Among the more common issues, in terms of complaints after a Windows 10 update, were Bluetooth and Wi-Fi connectivity related ones. But there have also been users complaining that after a restart, all files from the C drive had been deleted.

[…]

Microsoft asks that any users experiencing problems use the Windows + F keyboard shortcut, or select Feedback Hub from the Start menu, to provide feedback so it can investigate.

More practically speaking, if you are experiencing any Windows Update issues, I would always suggest you head for the Windows Update Troubleshooter. This, more often than not, fixes any error code problems. Be warned, though, I have known it take more than one running of the troubleshooter before updates are all successfully installed, so do persevere.

Source: Windows 10 Update: Would You Like Deleted Files And Blue Screens With That?

US Navy wants to reinstate fired captain of coronavirus-hit aircraft carrier as another destroyer has a breakout of covid-19

In an extraordinary reversal, the U.S. Navy has recommended reinstating the fired captain of the coronavirus-hit aircraft carrier Theodore Roosevelt, whose crew hailed him as their hero for risking his job to safeguard their lives, officials said on Friday.

The Navy’s leadership made the recommendation to reinstate Captain Brett Crozier to Defense Secretary Mark Esper on Friday, just three weeks after Crozier was relieved of command after the leak of a letter he wrote calling on the Navy for stronger measures to protect the crew, the officials said, speaking on condition of anonymity.

[…]

Esper’s deliberations raised questions about whether political or other considerations might override the Navy’s recommendations in a case that has seen Democrats vocally critical of the Trump administration’s handling of the matter.

Sources say Crozier is one of the 856 sailors from the Roosevelt’s 4,800-member crew who have tested positive for the coronavirus, effectively taking one of the Navy’s most powerful ships out of operation.

Crozier was fired by the Navy’s top civilian, then-acting Navy Secretary Thomas Modly, against the recommendations of uniformed leaders, who suggested he wait for an investigation into the letter’s leak.

Modly’s decision backfired badly, as members of the crew hailed their captain as a hero in an emotional sendoff captured on video that went viral on social media.

Embarrassed, Modly then compounded his problems by flying out to the carrier to ridicule Crozier over the leak and question his character in a speech to the Roosevelt’s crew, which also leaked to the media. Modly then resigned.

News of the Navy’s recommendations could boost morale among sailors on the Roosevelt, who were caught between the Navy’s desire to keep the ship operational and its duty to shield them from unnecessary risk in peacetime.

[…]

The disclosure of the Navy’s recommendation, which was first reported by the New York Times, came just hours after the Pentagon announced that at least 18 sailors aboard a U.S. Navy destroyer – the Kidd – had tested positive for the new coronavirus.

It was another blow to the military as it faces fallout over its handling of the Roosevelt, raising additional questions about whether the revamped safeguards in place to protect U.S. troops are sufficient.

The crisis being triggered by the coronavirus is the biggest facing Navy leadership since two crashes in the Asia Pacific region in 2017 that killed 17 sailors.

Those incidents raised questions about Navy training and the pace of operations, prompting a congressional hearing and the removal of a number of officers.

Source: Navy wants to reinstate fired captain of coronavirus-hit aircraft carrier – Reuters

‘Zombie’ Satellite Shut Down in 1972 Found Alive By Amateur Radio Operator On COVID-19 Lockdown

There are more than 2,000 active satellites orbiting Earth. At the end of their useful lives, many will simply burn up as they reenter the atmosphere. But some will continue circling as “zombie” satellites — neither alive nor quite dead.

“Most zombie satellites are satellites that are no longer under human control, or have failed to some degree,” says Scott Tilley.

Tilley, an amateur radio operator living in Canada, has a passion for hunting them down.

In 2018, he found a signal from a NASA probe called IMAGE that the space agency had lost track of in 2005. With Tilley’s help, NASA was able to reestablish contact.

But he has tracked down zombies even older than IMAGE.

“The oldest one I’ve seen is Transit 5B-5. And it launched in 1965,” he says, referring to a nuclear-powered U.S. Navy navigation satellite that still circles the Earth in a polar orbit, long forgotten by all but a few amateurs interested in hearing it “sing” as it passes overhead.

Recently, Tilley got interested in a communications satellite he thought might still be alive — or at least among the living dead. LES-5, built by the Massachusetts Institute of Technology’s Lincoln Laboratory, was launched in 1967.

By scouring the Internet, he found a paper describing the radio frequency that LES-5, an experimental military UHF communications satellite, should be operating on — if it was still alive. So he decided to have a look.

“This required the building of an antenna, erecting a new structure to support it. Pre-amps, filters, stuff that takes time to gather and put all together,” he says.

“When you have a family and a busy business, you don’t really have a lot of time for that,” he says.

But then came the COVID-19 pandemic.

British Columbia, where Tilley lives, was on lockdown. Like many of us, suddenly Tilley had time on his hands. He used it to look for LES-5, and on March 24, he hit the ham radio equivalent of pay dirt.

He’s been making additional measurements ever since.

“The reason this one is kind of intriguing is its telemetry beacon is still operating,” Tilley says.

In other words, says Tilley, even though the satellite was supposed to shut down in 1972, it’s still going. As long as the solar panels are in the sun, the satellite’s radio continues to operate. Tilley thinks it may even be possible to send commands to the satellite.

The MIT lab that built LES-5 still does a lot of work on classified projects for the military. NPR contacted its news office to ask if someone could say more about LES-5 and whether it really could still receive commands.

But after repeated requests, Lincoln Laboratory finally answered with a “no comment.”

It seems that even a 50-year-old zombie satellite might still have secrets.

Source: ‘Zombie’ Satellite Found By Amateur Radio Operator On COVID-19 Lockdown : NPR

Facebook Accuses NSO Group of Using U.S. Servers for Spying, infecting phones via WhatsApp

In a filing released on Thursday in federal court in Oakland, California, lawyers representing the social media giant alleged that NSO Group had used a network of remote servers in California to hack into phones and devices that were used by attorneys, journalists, human rights activists, government officials and others.

NSO Group has argued that Facebook’s case against it should be thrown out on the grounds that the court has no jurisdiction over its operations. In a 13 May legal document, lawyers representing NSO Group said that the company had no offices or employees in California and “do no business of any kind there.”

NSO has also argued that it has no role in operating the spyware and is limited to “providing advice and technical support to assist customers in setting up” the technology.

John Scott-Railton, a senior researcher at the Citizen Lab at the University Of Toronto’s Munk School, said evidence presented by Facebook on Thursday indicated NSO Group was in a position to “look over its customer’s shoulders” and monitor who its government clients were targeting.

“This is a gut punch to years of NSO’s claims that it can’t see what its customers are doing,” said Scott-Railton. He said it also shows that the Israeli company “probably knows a lot more about what its customers do than it would like to admit.”

NSO’s spyware, known as Pegasus, can gather information about a mobile phone’s location, access its camera, microphone and internal hard drive, and covertly record emails, phone calls and text messages. Researchers have accused the company of supplying its technology to countries that have used it to spy on dissidents, journalists and other critics.

A representative for NSO Group said its products are “used to stop terrorism, curb violent crime, and save lives.”

“NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States,” the representative said, adding that a response to Facebook’s legal filing was forthcoming.

In its filing, Facebook alleged that NSO had rented a Los Angeles-based server from a U.S. company, QuadraNet, that it used to launch 720 hacks on people’s smartphones or other devices. It’s unclear whether NSO Group’s software was used to target people within the U.S. The company has previously stated that its technology “cannot be used on U.S. phone numbers.”

Facebook accused NSO Group of reverse-engineering WhatsApp, using an unauthorized program to access WhatsApp’s servers and deploying its spyware against approximately 1,400 targets. NSO Group was then able to “covertly transmit malicious code through WhatsApp servers and inject” spyware onto people’s devices without their knowledge, according to Facebook’s legal filings.

“Defendants had no authority to access WhatsApp’s servers with an imposter program, manipulate network settings, and commandeer the servers to attack WhatsApp users,” Facebook alleged in the Thursday filing. “That invasion of WhatsApp’s servers and users’ devices constitutes unlawful computer hacking” under the Computer Fraud and Abuse Act.

Source: Facebook Accuses NSO Group of Using U.S. Servers for Spying – Bloomberg

Why should the UK pensions watchdog be able to spy on your internet activities? Same reason as the Environment Agency and more than 50 more

It has been called the “most extreme surveillance in the history of Western democracy.” It has not once but twice been found to be illegal. It sparked the largest ever protest of senior lawyers who called it “not fit for purpose.”

And now the UK’s Investigatory Powers Act of 2016 – better known as the Snooper’s Charter – is set to expand to allow government agencies you may never have heard of to trawl through your web histories, emails, or mobile phone records.

In a memorandum [PDF] first spotted by The Guardian, the British government is asking that five more public authorities be added to the list of bodies that can access data scooped up under the nation’s mass-surveillance laws: the Civil Nuclear Constabulary, the Environment Agency, the Insolvency Service, the UK National Authority for Counter Eavesdropping (UKNACE), and the Pensions Regulator.

The memo explains why each should be given the extraordinary powers, in general and specifically. In general, the five agencies “are increasingly unable to rely on local police forces to investigate crimes on their behalf,” and so should be given direct access to the data pipe itself.

Five Whys

The Civil Nuclear Constabulary (CNC) is a special armed police force that does security at the UK’s nuclear sites and when nuclear materials are being moved. It should be given access even though “the current threat to nuclear sites in the UK is assessed as low” because “it can also be difficult to accurately assess risk without the full information needed.”

The Environment Agency investigates “over 40,000 suspected offences each year,” the memo stated. Which is why it should also be able to ask ISPs to hand over people’s most sensitive communications information, in order “to tackle serious and organised waste crime.”

The Insolvency Service investigates breaches of company director disqualification orders. Some of those it investigates get put in jail, so it is essential that the service be allowed “to attribute subscribers to telephone numbers and analyse itemised billings” as well as be able to see what IP addresses are accessing specific email accounts.

UKNACE, a little known agency that we have taken a look at in the past, is home of the real-life Qs, and one of its jobs is to detect attempts to eavesdrop on UK government offices. It needs access to the nation’s communications data “in order to identify and locate an attacker or an illegal transmitting device”, the memo claimed.

And lastly, the Pensions Regulator, which checks that companies have added their employees to their pension schemes, needs to be able to delve into anyone’s emails so it can “secure compliance and punish wrongdoing.”

Taken together, the requests reflect exactly what critics of the Investigatory Powers Act feared would happen: that a once-shocking power that was granted on the back of terrorism fears is being slowly extended to even the most obscure government agency for no reason other than that it will make bureaucrats’ lives easier.

None of the agencies would be required to apply for warrants to access people’s internet connection data, and they would be added to another 50-plus agencies that already have access, including the Food Standards Agency, Gambling Commission, and NHS Business Services Authority.

Safeguards

One of the biggest concerns remains that there are insufficient safeguards in place to prevent the system being abused; concerns that only grow as the number of people that have access to the country’s electronic communications grows.

It is also still not known precisely how all these agencies access the data that is accumulated, or what restrictions are in place beyond a broad-brush “double lock” authorization process that requires a former judge (a judicial commissioner, or JC) to approve a minister’s approval.

Source: Why should the UK pensions watchdog be able to spy on your internet activities? Same reason as the Environment Agency and many more • The Register

Incredible New Map of Moon Shows Its Every Nook and Cranny

The colors divide the map into geologic units; scientists divide the Moon’s geologic history into different eras, so a color represents the kind of rock and its era. For example, yellow on the map represents Copernican craters—the rim, wall, and floor of bright material from the Moon’s Copernican period, which lasted from a billion years ago to today. Shading represents topographical information.

Lunar maps have various uses to scientists. Skinner explained that they can show hazards as well as resources and where we might be able to develop the Moon, though mapping an extraterrestrial body to that level of detail is far off. Given this map’s scale, its main purpose is to serve as a summary of what scientists know about the Moon today. The map is available in a GIS (geographical information system) format that allows researchers to overlay their own scientific results on top of it in order to better put discoveries into context.

This isn’t the final version of the map, Skinner told Gizmodo. As scientists learn more about the Moon, we’ll start to see more tweaks. But ultimately, this map is a high-level overview, and higher-resolution maps will be needed to elucidate smaller sections of the Moon.

The team hopes their map will reach the broadest audience possible, and to be honest, I think it looks good enough to be framed on a wall. You can download the full map here.

Source: Incredible New Map of Moon Shows Its Every Nook and Cranny

Stripe Payment Provider is Silently Recording Your Movements On its Customers’ Websites

Among startups and tech companies, Stripe seems to be the near-universal favorite for payment processing. When I needed paid subscription functionality for my new web app, Stripe felt like the natural choice. After integration, however, I discovered that Stripe’s official JavaScript library records all browsing activity on my site and reports it back to Stripe. This data includes:

  1. Every URL the user visits on my site, including pages that never display Stripe payment forms
  2. Telemetry about how the user moves their mouse cursor while browsing my site
  3. Unique identifiers that allow Stripe to correlate visitors to my site against other sites that accept payment via Stripe

This post shares what I found, who else it affects, and how you can limit Stripe’s data collection in your web applications.

Source: Stripe is Silently Recording Your Movements On its Customers’ Websites · mtlynch.io

IBM No-auth remote root exec exploit in Data Risk Manager (an enterprise security program!) drops after Big Blue snubs bug report

IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.

The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.

Prior to going public, Ribeiro had tried to get CERT/CC to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” said Ribeiro in his disclosure.

The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there’s now a Metasploit module to do so. Vulnerabilities one and four allow an unauthenticated attacker to download arbitrary files from the system. There’s also a Metasploit module for that attack chain.

The flaws don’t yet have CVE designations, and as far as we can tell, no patches or updates to address the holes are available right now. The first three have been confirmed to affect IBM Data Risk Manager 2.0.1 to 2.0.3. Ribeiro believes versions 2.0.4 to 2.0.6, the latest release, are also vulnerable but that has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 to 2.0.6. The Register asked IBM whether 2.0.6 is affected but IBM’s spokesperson did not respond.

IBM however did say that it had fumbled the report. “A process error resulted in an improper response to the researcher who reported this situation to IBM,” a company spokesperson told The Register. “We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

Ribeiro dismissed IBM’s response in an email to The Register. “Well, what can I say,” he said. “It’s a joke right? I think it’s pretty sad that I have to disclose a zero-day and shame them publicly to get them to patch critical vulnerabilities in a security product, while they sell themselves as an elite company providing security services.”

Source: IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report • The Register

Zoom sex party moderation: app uses machine-learning to patrol nudity – will it record them to put up on the web?

As Rolling Stone reported, the app is now playing host to virtual sex parties, “play parties,” and group check-ins which have become, as one host said, “the mutual appreciation jerk-off society.”

According to Zoom’s “acceptable use” policy, users may not use the technology to “engage in any activity that is harmful, obscene, or indecent, particularly as such would be understood in the context of business usage.” The policy specifies that this includes “displays of nudity, violence, pornography, sexually explicit material, or criminal activity.”

Zoom says that the platform uses ‘machine learning’ to identify accounts in violation of its policies — though it has remained vague about its methods for identifying offending users and content.

“We encourage users to report suspected violations of our policies, and we use a mix of tools, including machine learning, to proactively identify accounts that may be in violation,” a spokesperson for Zoom told Rolling Stone.

While Zoom executives did not respond to the outlet’s questions about the specifics of the machine-learning tools or how the platform might be alerted to nudity and pornographic content, a spokesperson did add that the company will take a “number of actions” against people found to be in violation of the specified acceptable use.

When reached for comment, a spokesperson for Zoom referred Insider to the “acceptable use” policy as well as the platform’s privacy policy which states that Zoom “does not monitor your meetings or its contents.”

The spokesperson also pointed to Yuan’s message in which he addressed how the company has “fallen short” of users’ “privacy and security expectations,” referencing instances of harassment and Zoom-bombing, and laid out the platform’s action plan going forward.

Source: Zoom sex party moderation: app uses machine-learning to patrol nudity – Insider

It’s not unthinkable that they will record the videos and then just leave them on the web for anyone to download. After all, they’ve left thousands of video calls just lying about before.

TalkTalk customers unable to opt out of ISP’s ad-jacking DNS – just like six years ago

TalkTalk broadband users are complaining they can’t opt out of its Error Replacement Service, which swaps NXDomain DNS results with an IP address. And if that sounds familiar, it should. Users of the budget ISP complained about the very same issue back in 2014.

The Error Replacement Service redirects links to DNS addresses that don’t exist, like those created by fat-fingered address bar typos, to a TalkTalk-run webpage. El Reg reader Louis described it thusly:

“If I type a non-existing domain in the browser, instead of getting the proper ‘Hmm. We’re having trouble finding that site’ message, I get a list of ‘search results’ vaguely linked to the non-existing domain. This is mildly annoying, as I’d rather not send my typos to some random advertiser,” he said.

His woes don’t stop there – the “service” also prevents him from logging into his work VPN. “During connection, instead of seeing the login window, I see a TalkTalk-branded page with ‘search results’ and I can’t complete the login process,” he complained.

This isn’t an isolated problem. The TalkTalk support forum is flooded with similar complaints, no doubt partially thanks to the rise in home working caused by the COVID-19 epidemic.

TalkTalk offers a way to opt out of the service, requiring users to visit a specific web page and then restart their router. But this appears to be somewhat ineffective, with both Twitter and the TalkTalk forum filled with complaints.
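A check for this kind of NXDOMAIN replacement, written as an added example (not code from The Register or TalkTalk): it queries the configured resolver for several random, almost certainly unregistered names and flags the resolver if every one of them “resolves” to the same address. The sample answer sets and the 198.51.100.7 landing address are constructed for illustration; the real landing IP of any ISP is not assumed.

```python
import random
import socket
import string
from collections import Counter


def random_nonexistent_name(tld: str = "com", length: int = 16) -> str:
    """Build a random label that is vanishingly unlikely to be registered."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}-nxtest.{tld}"


def resolve_a(name: str) -> list:
    """Ask the system resolver for IPv4 answers; [] means NXDOMAIN (or no answer)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def analyse_answers(answers: dict) -> dict:
    """Decide whether a resolver is swapping NXDOMAIN for a landing page.

    `answers` maps each probed (non-existent) name to the list of IPv4
    addresses the resolver returned for it. An honest resolver returns no
    address for any probe. A resolver running an error-replacement service
    answers every probe, and every probe points at the same landing IP(s).
    """
    total = len(answers)
    resolved = {name: ips for name, ips in answers.items() if ips}
    # Count in how many probes each address appeared.
    hits = Counter(ip for ips in resolved.values() for ip in ips)
    landing = sorted(ip for ip, n in hits.items() if n > 0 and n == len(resolved))
    hijacked = total > 0 and len(resolved) == total and bool(landing)
    return {
        "hijacked": hijacked,
        "landing_ips": landing,
        "resolved": len(resolved),  # >0 but not hijacked: look closer by hand
        "total": total,
    }


def check_resolver(samples: int = 5, resolver=resolve_a) -> dict:
    """Probe the resolver with `samples` random names and analyse the answers."""
    names = [random_nonexistent_name() for _ in range(samples)]
    return analyse_answers({name: resolver(name) for name in names})


# Constructed sample answer sets (not real ISP data) showing both behaviours.
HONEST_ANSWERS = {"a-nxtest.com": [], "b-nxtest.com": [], "c-nxtest.com": []}
HIJACKED_ANSWERS = {
    "a-nxtest.com": ["198.51.100.7"],  # 198.51.100.0/24 is a documentation range
    "b-nxtest.com": ["198.51.100.7"],
    "c-nxtest.com": ["198.51.100.7"],
}

if __name__ == "__main__":
    print(analyse_answers(HONEST_ANSWERS))
    print(analyse_answers(HIJACKED_ANSWERS))
    print(check_resolver())  # live check against whatever resolver this host uses
```

The live check assumes the replacement service answers with one fixed landing address; a service that rotates addresses per query shows up as every probe resolving (`resolved == total`) with an empty `landing_ips`, which is still worth a manual look.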

Source: Baby, I swear it’s déjà vu: TalkTalk customers unable to opt out of ISP’s ad-jacking DNS – just like six years ago • The Register

Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox – in 2018!

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom’s videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated. Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.

[…] The former Dropbox engineers, however, say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.

Source: Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox – Slashdot

Bad news: Cognizant hit by ransomware Maze, which leaks customers’ data online after non-payment

New Jersey IT services provider Cognizant has confirmed it is the latest victim of the Maze ransomware.

The infection was disclosed to the public this weekend. Cognizant said the malware outbreak will likely disrupt service for some of its customers, and possibly put them in danger as well.

Maze is unusual among ransomware strains in that it not only encrypts the data on infected Windows machines, it siphons off copies of the originals as well. This gives the malware’s masterminds extra leverage – don’t pay the ransom and confidential corporate data can be leaked or sold online. It is feared Maze may have infected Cognizant’s customers, via the US service provider, and if that did happen, those clients’ documents may have been stolen as well as scrambled.

“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” the announcement read.

“Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”

An update on Sunday included a rather ominous warning for customers: “We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature,” Cognizant said.

Cognizant provides on-premises and cloud-hosted IT services for companies as well as consultancy gigs. The biz has high-value customers in areas such as banking, health care, and manufacturing, and it is ranked in the Fortune 500, so any large-scale attack on its systems is potentially serious.

Source: Bad news: Cognizant hit by ransomware gang. Worse: It’s Maze, which leaks victims’ data online after non-payment • The Register

Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal

Bitdefender researchers have recently found spearphishing campaigns, either impersonating a well-known Egyptian engineering contractor or a shipment company, dropping the Agent Tesla spyware Trojan. The impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others, based on Bitdefender telemetry. The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines.

Oil & gas has been under tremendous stress in recent weeks, as the global COVID-19 pandemic lowered oil demand. Oil prices per barrel have dropped by more than half to the lowest since 2002. However, a disruptive dispute over oil production between Russia and Saudi Arabia ended with an agreement at the recent meeting between the OPEC+ alliance and the Group of 20 nations, aiming to slash oil production output and balance prices.

While the malware payload itself is not as sophisticated as those used in more advanced and targeted attacks, the fact that they’ve been orchestrated and executed during this time, and before the “historic OPEC+ deal”, suggests motivation and interest in knowing how specific countries plan to address the issue.

Cybercriminals are often opportunistic and leverage popular media topics in spearphishing campaigns that usually target large numbers of victims. However, we recently found a campaign that seems to specifically target the oil & gas sector, based on a telemetry spike on March 31st. Interestingly, the payload is a spyware Trojan that packs keylogging capabilities, and has not been associated with oil & gas spearphishing campaigns in the past.

The second campaign that impersonated a shipping company seems to have started on April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days.

Carefully Crafted Spearphishing

The spearphishing email mimics Egyptian state oil company Engineering for Petroleum and Process Industries (Enppi) and claims to invite the recipient to submit a bid for equipment and materials, as part of a project (Rosetta Sharing Facilities Project) on behalf of a well-known gas company (Burullus).

[…]

The Agent Tesla spyware Trojan has reportedly been around since 2014, but has undergone constant improvements and updates. It reportedly operates under a malware-as-a-service offering, with its developers offering various pricing tiers based on different licensing models. Agent Tesla operators seem to have stayed in business for quite some time.

Some of its best-known capabilities involve stealth, persistence and security evasion techniques that ultimately enable it to extract credentials, copy clipboard data, perform screen captures, form grabbing and keylogging, and even collect credentials for a variety of installed applications.

Security researchers have already documented the full extent of Agent Tesla’s capabilities in various pieces of research. What’s interesting is that, until now, it has not been associated with campaigns targeting the oil & gas vertical.

Source: Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal – Bitdefender Labs

US Judge rules Twitter can’t be transparent about amount of surveillance requests processed per year due to “national security” of the 4th Reich

Six years ago, Twitter sued the US government in an attempt to detail surveillance requests the company had received, but a federal judge on Friday ruled in favor of the government’s case that detailing the requests would jeopardize the country’s safety.

If Twitter revealed the number of surveillance requests it received each calendar quarter, it “would be likely to lead to grave or imminent harm to the national security,” US District Judge Yvonne Gonzalez Rogers concluded after reviewing classified information from the government. See below for the full ruling.

“While we are disappointed with the court’s decision, we will continue to fight for transparency,” Twitter said in a statement Saturday.

The ruling shows the difficulties of balancing privacy and security on the internet. Public posts and private communications have opened up a treasure trove of information that law enforcement and intelligence services can investigate, and people may not suspect the government is listening in. On the other hand, encryption technology also has opened up communication conduits that are fundamentally impenetrable to government and law enforcement.

In Twitter’s transparency report, now updated for six-month periods, the company publishes numbers on law enforcement information requests, copyright infringement allegations, attempts to spread disinformation, reports of abuse, and other goings-on. The company argued in its 2014 lawsuit it shouldn’t be barred from revealing detailed tallies of national security-related information requests.

“We think the government’s restriction on our speech not only unfairly impacts our users’ privacy, but also violates our First Amendment right to free expression and open discussion of government affairs,” Twitter argued at the time.

Six years later, Twitter says transparency is still important to show how it interacts with governments.

Source: Judge rules against Twitter transparency effort, citing national security – CNET

Edit: You can find some government requests here: https://comparite.ch/tech-giant-censorship