Amazon says it fired a guy for breaking pandemic rules. Same guy who organized a staff protest over a lack of coronavirus protection

On Monday, Amazon fired Chris Smalls, a worker at its Staten Island, New York, warehouse, who had organized a protest demanding more protection for workers amid the coronavirus outbreak.

Smalls, in a statement, said, “Amazon would rather fire workers than face up to its total failure to do what it should to keep us, our families, and our communities safe. I am outraged and disappointed but I am not shocked. As usual, Amazon would rather sweep a problem under the rug than act to keep workers and working communities safe.”

Amazon spokesperson Kristen Kish denied the firing had anything to do with protected labor activity. “We did not terminate Mr Smalls’ employment for organizing a 15-person protest,” she said in an emailed statement. “We terminated his employment for putting the health and safety of others at risk and violations of his terms of his employment.”

Strike organizers have disputed Amazon’s attendance figures, claiming about 50 people walked out.

Kish said Smalls had received multiple warnings for violating social distancing guidelines and had been asked to remain home with pay for two weeks because he had been in the proximity of another worker confirmed to have COVID-19. By ignoring that instruction and coming on-site, she said, he was putting colleagues at risk.

Concern about health safety has spread across Amazon’s workforce. Workers at Amazon’s Whole Foods grocery chain on Tuesday staged a sick-out, demanding 2x hazard pay for working in stores where they may be exposed to coronavirus.

The company last month boosted pay for Amazon and Whole Foods hourly employees in the US and Canada by $2 an hour and £2 per hour for employees in the UK during the month of April. And it said it would double its hourly base rate – ranging from $17.50 to $23/hour at JFK8, its Staten Island warehouse – for overtime from March 16, 2020 through May 3, 2020. The company has also offered two weeks of pay for workers quarantined for coronavirus.

Source: Amazon says it fired a guy for breaking pandemic rules. Same guy who organized a staff protest over a lack of coronavirus protection • The Register

A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles

But what many people may not know is that, until Thursday, a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them.

The undisclosed data mining adds to growing concerns about Zoom’s business practices at a moment when public schools, health providers, employers, fitness trainers, prime ministers and queer dance parties are embracing the platform.

An analysis by The New York Times found that when people signed in to a meeting, Zoom’s software automatically sent their names and email addresses to a company system it used to match them with their LinkedIn profiles.

The data-mining feature was available to Zoom users who subscribed to a LinkedIn service for sales prospecting, called LinkedIn Sales Navigator. Once a Zoom user enabled the feature, that person could quickly and covertly view LinkedIn profile data — like locations, employer names and job titles — for people in the Zoom meeting by clicking on a LinkedIn icon next to their names.

The system did not simply automate the manual process of one user looking up the name of another participant on LinkedIn during a Zoom meeting. In tests conducted last week, The Times found that even when a reporter signed in to a Zoom meeting under pseudonyms — “Anonymous” and “I am not here” — the data-mining tool was able to instantly match him to his LinkedIn profile. In doing so, Zoom disclosed the reporter’s real name to another user, overriding his efforts to keep it private.

Reporters also found that Zoom automatically sent participants’ personal information to its data-mining tool even when no one in a meeting had activated it. This week, for instance, as high school students in Colorado signed in to a mandatory video meeting for a class, Zoom readied the full names and email addresses of at least six students — and their teacher — for possible use by its LinkedIn profile-matching tool, according to a Times analysis of the data traffic that Zoom sent to a student’s account.

The discoveries about Zoom’s data-mining feature echo what users have learned about the surveillance practices of other popular tech platforms over the last few years. The video-meeting platform that has offered a welcome window on American resiliency during the coronavirus — providing a virtual peek into colleagues’ living rooms, classmates’ kitchens and friends’ birthday celebrations — can reveal more about its users than they may realize.

“People don’t know this is happening, and that’s just completely unfair and deceptive,” Josh Golin, the executive director of the Campaign for a Commercial-Free Childhood, a nonprofit group in Boston, said of the data-mining feature. He added that storing the personal details of schoolchildren for nonschool purposes, without alerting them or obtaining a parent’s permission, was particularly troubling.

Source: A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles – The New York Times

A hacker has wiped, defaced more than 15,000 Elasticsearch servers

For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.

According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24.

The attacks appear to be carried out with the help of an automated script that scans the internet for Elasticsearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com.

The attacking script doesn’t appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.

However, on many Elasticsearch servers, the wiping behavior is obvious, as log entries simply cut off around recent dates, such as March 24, 25, 26, and so on. Due to the highly volatile nature of data stored inside Elasticsearch servers, it is hard to quantify the exact number of systems where data was deleted.
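One way a defender can check an exposed cluster for the footprint described above, as an added example that is not code from the ZDNet article or from Elasticsearch: it audits the JSON returned by `GET /_cat/indices?format=json` against a baseline of index names the operator expects, flagging the marker index the article names, expected indices that have vanished, and expected indices that survive but are now empty. The sample listing and the baseline are constructed for the example.

```python
"""Audit an Elasticsearch index listing for the wiper campaign's footprint.

Added example (not the article's or Elasticsearch's own code). The listing
format matches what /_cat/indices?format=json returns: a JSON array of rows
with "index" and "docs.count" fields (docs.count is a string, and may be
null for closed indices).
"""
import json

# Marker index the wiping script leaves behind, per the article.
MARKER_INDEX = "nightlionsecurity.com"

# Constructed sample: a listing as it might look on a cluster that was hit.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "nightlionsecurity.com",
     "docs.count": "0", "store.size": "230b"},
    {"health": "yellow", "status": "open", "index": "app-logs-2020.03.20",
     "docs.count": "184233", "store.size": "96.1mb"},
    {"health": "yellow", "status": "open", "index": "customers",
     "docs.count": "0", "store.size": "283b"},
])

# Constructed baseline: index names the operator knows should exist.
EXPECTED_INDICES = {
    "app-logs-2020.03.20", "app-logs-2020.03.24", "customers", "orders",
}


def audit_indices(cat_json, expected):
    """Compare a _cat/indices JSON listing against a baseline of index names.

    Returns a dict of findings:
      marker_present  - the nightlionsecurity.com index exists
      missing         - expected indices that are no longer listed
      emptied         - expected indices still listed but with zero documents
      unexpected      - listed indices that are neither expected nor the marker
      suspect_wipe    - marker present together with missing or emptied data
    """
    listing = json.loads(cat_json)
    present = {row["index"]: int(row.get("docs.count") or 0) for row in listing}
    expected = set(expected)

    missing = sorted(expected - present.keys())
    emptied = sorted(name for name in expected & present.keys()
                     if present[name] == 0)
    unexpected = sorted(present.keys() - expected - {MARKER_INDEX})
    marker_present = MARKER_INDEX in present

    return {
        "marker_present": marker_present,
        "missing": missing,
        "emptied": emptied,
        "unexpected": unexpected,
        # The article notes the marker also appears where nothing was wiped,
        # so the marker alone is a weaker signal than marker plus lost data.
        "suspect_wipe": marker_present and bool(missing or emptied),
    }


if __name__ == "__main__":
    for key, value in audit_indices(SAMPLE_CAT_INDICES, EXPECTED_INDICES).items():
        print(f"{key}: {value}")
```

The root cause the article describes is a cluster reachable without authentication, so the audit is a response check, not a substitute for putting the cluster behind credentials and off the public internet.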

Night Lion Security denies any involvement

In a Signal conversation with this reporter yesterday, Vinny Troia, the founder of Night Lion Security, denied that his company had anything to do with the ongoing attacks.

In an interview he gave DataBreaches.net on March 26, Troia said he believes the attack is being carried out by a hacker he has been tracking for years, and who is also the subject of a recently released book.

Source: A hacker has wiped, defaced more than 15,000 Elasticsearch servers | ZDNet

Zoom’s Flawed Encryption Linked to China

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Source: Zoom’s Flawed Encryption Linked to China

Thousands of recorded Zoom Video Calls Left Exposed on Open Web

Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing. From a report: Many of the videos appear to have been recorded through Zoom’s software and saved onto separate online storage space without a password. But because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos that anyone can download and watch. Zoom videos are not recorded by default, though call hosts can choose to save them to Zoom servers or their own computers. There’s no indication that live-streamed videos or videos saved onto Zoom’s servers are publicly visible. But many participants in Zoom calls may be surprised to find their faces, voices and personal information exposed because a call host can record a large group call without participants’ consent.

Source: Thousands of Zoom Video Calls Left Exposed on Open Web – Slashdot

Zoom Bombings Started Off as Pranks. Now Someone Could End Up Dead

For those unaware, Zoom officially has a porn problem. The multibillion-dollar video messaging mainstay among employees at Johnson & Johnson and the Department of Homeland Security—not to mention a household name among currently house-bound citizens across the country—has been rocked by story after story of pranksters popping into video meetings with clips of graphic porn or Nazi memorabilia. None of Zoom’s clients, seemingly, are safe: These Zoom bombs have hit city council members and churches alike. They’ve hit Chipotle.

The idea of having our work-from-home happy hours disrupted by someone splicing in something porn-y or Hitler-y is disturbing, and that’s where it usually ends: annoyance, disgust, shock—which is ultimately the response that these posters are trying to incite. But a Gizmodo investigation into multiple Discord chatrooms dedicated to coordinating these attacks revealed that the practice has a far darker side that can leave victims scarred for life—or far worse.

Zoom-based “bombs” and “raids” are typically the forte of high and middle school students whose classes are now almost exclusively taking place on the platform. From last month onward, Zoom’s rolled out a series of changes specifically catering to the educators it has onboard, from lifting the 40-minute limit on free meetings internationally to partnering with Logitech to offer free cameras and headsets to teachers who might need them. This gesture of goodwill promptly blew up in the company’s face when these students quickly realized that the codes and passwords needed to access a given Zoom meeting could be freely shared, leading a select few to coordinate with other students nationwide to spearhead a wave of raids in classrooms across the country.


Teens, in general, have a thing for Discord, a popular chat platform, and Discord is where these raids are coordinated. The platform’s long track record of raids on every platform led it to wedge a statement into its community guidelines explicitly disavowing raids as a “form of harassment.” Now that those raids have hit Zoom, Discord’s been actively booting off some users that are particularly active in a given raid channel, while unceremoniously shutting those channels down left and right.

This crackdown, along with the shuttering of raid-based communities on Reddit like the creatively named r/zoomraids, means that a lot of these channels are hard to find, and that finding them isn’t a guarantee that they’ll exist the next day. Over the course of this story, Gizmodo joined about 15 raid channels—some racking up more than 800 members a pop. By the time you’re reading this, there are at most six left standing—and for the most part, they are hidden behind server names that don’t mention Zoom at all. Discord told Gizmodo in an email that it had removed more than 350 servers for Zoom bombing just this morning.

“This behavior violates Discord’s terms of service, and we strongly condemn it,” a spokesperson told Gizmodo in a statement. “Once we identify those servers engaging in this sort of activity, we quickly investigate and take action, including removing content, banning users and shutting down those servers.”

The bulk of these servers, overall, are made up of teens not only swapping Zoom links back and forth but overall just… being typical edgelord teens—joking about the Holocaust (ironically), using racial slurs (ironically), and sharing a ton of porn (ironically?). Less ironic, but just as dark, are the materials shared back and forth to make these campaigns a reality. Multiple channels that Gizmodo joined had created a roster of Google documents listing the Zoom codes of hundreds of support groups in the U.S., along with the days and times each one would meet. Similar documents were created to target meetings for other at-risk groups, like LGBTQ and trans teens.

[Screenshot (Gizmodo/Discord): The Wednesday meetings from the manifesto detailing nearly 200 meetings happening weekly nationwide. Zoom codes are censored.]

Depending on who you ask, raids on recovery groups are either lame, funny, fucked, or some combination of the three. Each of the Discord channels had a list of rules seemingly tailored to throw admins off the scent of the channel’s true purpose. One server’s rulebook stated that its one goal was to “support our fellow students and adults through their hard day of work by surprising them in their online meetings.” Another server for raid planning included the rule, “DO NOT RAID I DO NOT CONDONE IT.”

In many of the channels, all Zoom calls are fair game, whether it’s a Narcotics Anonymous meeting or a kindergarten classroom. Rules aside, the only limit to what’s being shared is in the hands of the poster: Some think playing footage of the 2019 Christchurch Mosque shooting in the middle of an NA meeting is a bridge too far, while others don’t. Some think exposing 9- and 10-year-olds to hardcore porn is too shitty, while others think the line should be drawn at middle schoolers and above.

As one user put it, “this discord freakin showed porn to kindergardners but wont raid an narcotics [anonymous]? y’all soft.”


While Zoom’s yet to respond to our request for comment, the company is undoubtedly aware of its raiding problem. Late last month, it put out an official blog post about “keeping uninvited guests” out of Zoom meetings, which reminds users, “When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.”

Some of the channels Gizmodo joined did, indeed, set up scrapers and dedicated bots specifically to monitor a Zoom link shared on a given platform. But just as many used a much easier tool: Google search. As confirmed by Gizmodo, public-facing Zoom links share a specific string of characters that, when plugged into Google search (or “dorked,” in internet parlance), will turn up dozens of upcoming Zoom meetings. Trying the search term ourselves, we were able to pull links for Zooms dedicated to hot yoga, wine tasting, and legal advice—all in less than a minute—not to mention more than a few Zooms dedicated to parents and their kids.

Putting young children at risk of exposure to horrifying imagery comes up more frequently than you might think, since Zoom’s teacher-friendly packages apply to preschool teachers as much as they do to college professors. And just like Zoom bombings aimed at high school classes, the reactions of these young children can be passed around in videos recorded by the bombers. In the barely 24 hours we spent joining more than a dozen channels, one video—which showed the confused reactions of second graders being exposed to graphic hardcore pornography in the middle of their class—was frequently shared.

For what should be obvious reasons, we didn’t join any of the many, many raids linked at any given time, so we can’t specify what other young children might be seeing. If we’re assuming the worst, then that means some kids on these video calls are being exposed to footage of decapitation or shootings from sites like Bestgore and LiveLeak, along with any porn scenario you can imagine. Assuming the best-case scenario, the porn’s still there, but the murders aren’t. In either case, kids are at risk: Psychologists have been telling us for years that exposing children to hardcore pornography bumps up the chance that they’ll either become the victim of sexual assault or end up assaulting someone themselves. The types of horrific violence you’d find on any gore site can haunt children who see them for the rest of their lives, leading to PTSD or drug abuse.


And when it comes to meetings involving drug abuse, the harm done by these kinds of bombings cannot be overstated. As one Business Insider employee—and Alcoholics Anonymous member—recently explained, the isolation that comes with coronavirus-mandated quarantines is incredibly dangerous for those struggling with addiction:

We are all in our separate homes. And that can be dangerous, because alcoholics are notorious for isolating, for withdrawing from social situations — sometimes with a bottle.

If you drink normally, you may be wondering, ‘Why not just drink — even if you have a problem? Right now, while locked down, who could that hurt?’ I can answer that. I drank myself into the emergency room years ago. I know many people who did. Do you think hospitals need that right now? Do you think healthcare workers need to deal with millions of people whose immune systems are severely compromised by binge drinking?


The risk of relapse doesn’t just come for alcoholics, but anyone with any addiction. As one recent Rolling Stone report detailed, these sorts of weekly meetings can turn into not only a place to discuss their road to recovery but also a place that feels safe to talk about their inarguably valid fears surrounding the current pandemic. When that support line is intercepted—by an edgy teen or otherwise—a recovering addict can lose that tenuous feeling of safety and withdraw from meetings with the support group keeping them clean.

Without that network, some folks fare well and others don’t, with relapse being a bigger risk to those earlier on in recovery, as the Business Insider report explains. For some addictions, like opioids, a relapse can turn deadly shockingly fast. As pointed out by the Centers for Disease Control in 2018, some 70 percent of the tens of thousands of annual drug overdoses in the U.S. happen because of opiate addiction.

Of course, people being dangerously shitty to each other is nothing new. Nor are online pranks. What makes Zoom bombing so wretched is that it’s happening at a time when millions of us are stuck inside with nowhere to go except, perhaps, into a video call with our friends and family, teachers, and support communities—our last tethers to the lives we used to have.

Source: Zoom Bombings Started Off as Pranks. Now Someone Could End Up Dead

NSO Group: Facebook tried to license our spyware to snoop on its own addicts – the same spyware it’s suing us over

NSO Group – sued by Facebook for developing Pegasus spyware that targeted WhatsApp users – this week claimed Facebook tried to license the very same surveillance software to snoop on its own social-media addicts.

The Israeli spyware maker’s CEO Shalev Hulio alleged in a statement [PDF] to a US federal district court that in 2017 he was approached by Facebook reps who wanted to use NSO’s Pegasus technology in Facebook’s controversial Onavo Protect app to track mobile users.

Pegasus is designed to, once installed on a device, harvest its text messages, gather information about its apps, eavesdrop on calls, track its location, and harvest passwords, among other things.

Onavo Protect, acquired by Facebook in 2013, was available for Android and iOS. It used VPN tunneling to wrap users’ internet connections in encryption, shielding their information as it traveled over untrusted and insecure Wi-Fi networks and the like. The iOS version also blocked harmful websites. However, the software blabbed telemetry about its users to Facebook as well as routed connections through Onavo servers, which could monitor people’s online activities. The application was forced out of the Apple iOS store in 2018 for siphoning information about other programs installed on devices, and discontinued in May 2019.

According to the NSO chief exec, Onavo Protect needed more surveillance powers on iOS handhelds, and so Facebook turned to the spyware maker for its technology.

“The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices,” Hulio alleged.

“The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users.”

Because NSO only sells to governments and not private companies, Hulio claimed, he turned down the Facebook licensing offer.

Facebook, in a statement to The Register, characterized the allegations as a distraction from its legal battle against NSO, which kicked off in October 2019. The web giant claims NSO, working on behalf of its customers, illegally hacked targets via security vulnerabilities in Facebook-owned WhatsApp’s code to install Pegasus on devices.

“NSO is trying to distract from the facts Facebook and WhatsApp filed in court nearly six months ago. Their attempt to avoid responsibility includes inaccurate representations about both their spyware and a discussion with people who work at Facebook,” a Facebook spokesperson said.

“Our lawsuit describes how NSO is responsible for attacking over 100 human rights activists and journalists around the world. NSO CEO Shalev Hulio has admitted his company can attack devices without a user knowing and he can see who has been targeted with Pegasus. We look forward to proving our case against NSO in court and seeking accountability for their actions.”

The case has been unusual from the start, with Facebook filing suit after first deleting NSO workers’ personal Facebook accounts. The spyware maker then missed its scheduled court appearance because, it was alleged, Facebook did not properly serve its paperwork.

NSO reckons Facebook’s accusations are baseless because it only sells its software to government departments and agencies, and does not operate the tools itself. Thus, we’re told, it didn’t hack anyone itself, and it cannot be held accountable for the actions of its customers. NSO also noted it only deals with governments allowed under Israeli export laws.

Further, NSO contended the court, in Oakland, California, does not have jurisdiction to hear this case due to America’s Foreign Sovereign Immunity Act, and it argued that the actions described in the lawsuit wouldn’t even run afoul of its spyware’s terms of service.

Source: NSO Group: Facebook tried to license our spyware to snoop on its own addicts – the same spyware it’s suing us over • The Register

SpaceX loses its third Starship prototype during a cryogenic test

This week, SpaceX workers in South Texas loaded the third full-scale Starship prototype—SN3—onto a test stand at the company’s Boca Chica launch site. On Wednesday night, they pressure-tested the vehicle at ambient temperature with nitrogen, and SN3 performed fine.

On Thursday night SpaceX began cryo-testing the vehicle, which means it was loaded again with nitrogen, but this time it was chilled to flight-like temperatures and put under flight-like pressures. Unfortunately, a little after 2am local time, SN3 failed and began to collapse on top of itself. It appeared as if the vehicle may have lost pressurization and become top-heavy.

Shortly after the failure, SpaceX’s founder and chief engineer, Elon Musk, said on Twitter, “We will see what data review says in the morning, but this may have been a test configuration mistake.” A testing issue would be good in the sense that it means the vehicle itself performed well, and the problem can be more easily addressed.

This is the third time a Starship has failed during these proof tests that precede engine tests and, potentially, flight tests. Multiple sources indicated that had these preliminary tests succeeded, SN3 would have attempted a 150-meter flight test as early as next Tuesday.

Here’s a recap of SpaceX’s efforts to test full-size Starships to date:

  • Starship Mk1: Construction began in December, 2018. Failed during pressure test in November, 2019.
  • Starship SN1: Construction began in October, 2019. Failed during a pressure test on Feb. 28.
  • Starship SN2: Construction began in Feb., 2020. After SN1 failure, was converted into a test bed for thrust puck at base of rocket. Passed test on March 8, and was retired.
  • Starship SN3: Construction began in March, 2020. Cryogenic test failure on April 3.
  • Starship SN4: Construction began in March, 2020. Testing begins later this month?

This failure has to be a disappointment in that the prototype rocket failed for a third time before getting to Raptor engine tests. And after the SN1 failure, Musk said he told his engineers, “In the future, you treat that rocket like it’s your baby, and you do not send it to the test site unless you think your baby’s going to be OK.”

This baby was not OK.

Source: SpaceX loses its third Starship prototype during a cryogenic test | Ars Technica

A Hacker Found a Way to Take Over Any Apple Webcam

Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

“Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into ‘Skype’. And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share.”

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari’s list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com, and fake://example.com. By “wiggling around,” as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari.

“I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” he says. “And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago. They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today.”

A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target’s webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple’s microphone and webcam protections themselves, or even in Safari’s defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.
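The origin mix-up Pickren describes, as an added example that is not code from the WIRED article or from Safari/WebKit: a hypothetical permission store keyed on a loosely normalised host (scheme and port ignored, leading “www.” stripped) lets a grant for https://www.example.com satisfy lookups for http://example.com and fake://example.com, while a store keyed on the full (scheme, host, port) origin does not. The store class and the loose key function are constructed for the illustration.

```python
"""Why a site-permission store must be keyed on the full origin.

Added example (not Safari's code). Two lookups are contrasted:
  loose_site_key  - hypothetical over-broad key resembling the grouping the
                    article describes (scheme and port dropped, 'www.' trimmed)
  origin          - the (scheme, host, port) tuple browsers use as an origin
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL.

    Unknown schemes (e.g. fake://) get port None, so they never collide
    with an http or https grant.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def loose_site_key(url):
    """Hypothetical over-broad key: host only, with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


class PermissionStore:
    """Remembers which permissions a user granted, keyed by key_fn(url)."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._grants = {}

    def grant(self, url, permission):
        self._grants.setdefault(self._key_fn(url), set()).add(permission)

    def is_allowed(self, url, permission):
        return permission in self._grants.get(self._key_fn(url), set())


# URL variants quoted in the article as being treated as one site.
TRUSTED = "https://www.example.com"
LOOKALIKES = ["http://example.com", "fake://example.com"]


def compare_stores(permission="camera"):
    """Grant one permission to TRUSTED in both stores and probe the lookalikes.

    Returns {url: (allowed_by_loose_store, allowed_by_origin_store)}.
    """
    loose = PermissionStore(loose_site_key)
    strict = PermissionStore(origin)
    loose.grant(TRUSTED, permission)
    strict.grant(TRUSTED, permission)
    return {
        url: (loose.is_allowed(url, permission), strict.is_allowed(url, permission))
        for url in [TRUSTED] + LOOKALIKES
    }


if __name__ == "__main__":
    for url, (loose_ok, strict_ok) in compare_stores().items():
        print(f"{url:28} loose={loose_ok!s:5} origin={strict_ok}")
```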

Pickren submitted seven vulnerabilities to Apple’s bug bounty program in mid-December and says he got a response that the company had validated the bugs the next day. While an attacker would only exploit three of the bugs to take over webcams in the chain Pickren envisioned, he found other, related flaws along the way that he submitted as well. Pickren says that part of the reason he encountered so many extra bugs was that he was looking for an attack chain that would work on both iOS and macOS—and Safari is designed slightly differently for each.

Source: A Hacker Found a Way to Take Over Any Apple Webcam | WIRED

Pandemic Shutdowns Will Help the Economy, Too

A study by economists Sergio Correia, Stephan Luck and Emil Verner suggests that the best way to save your economy is to save your people. The authors looked at the economic impact of the Spanish influenza pandemic of 1918 on different U.S. cities. They concluded that the earlier, more forcefully and longer cities responded, the better their economic recovery.

A faculty affiliate from the Harvard Department of Economics writes in Bloomberg: [C]ities that implemented aggressive social distancing and shutdowns to contain the virus came out looking better. Implementing these policies eight days earlier, or maintaining them for 46 days longer were associated with 4% and 6% higher post-pandemic manufacturing employment, respectively. The gains for output were similar. Likewise, faster and longer-lasting distancing measures were associated with higher post-pandemic banking activity…

[T]his is at least consistent with the arguments my Bloomberg Opinion colleagues Noah Smith and Michael Strain have already put forward for why easing distancing measures too early would be potentially devastating for the economy… [I]t looks like the things we should be doing to save lives are also what we should be doing to save the economy.

Source: Pandemic Shutdowns Will Help the Economy, Too – Slashdot