GitHub blasts code-scanning tool into all open-source projects

GitHub has made its automated code-scanning tools available to all open-source projects free of charge.

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects.

The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

GitHub senior product manager Justin Hutchings told The Register that a key component of the Semmle (and now GitHub) scanning was CodeQL, the query language that graphs and then checks code for mistakes.

“It turns out that capability is extremely useful in security,” said Hutchings. “Most security problems are bad data flow or bad data usage in one way or another.”

While the feature itself will be new to GitHub, the underlying Semmle tools have been in use for years, which is why GitHub believes they’ll hit the ground running when they launch for free with open-source projects and as an add-on for the paid (enterprise), closed-source part of GitHub.

Although the code-scanning feature could be seen as most beneficial to smaller projects without enough work hours to thoroughly check for bugs, Hutchings noted that by making the feature cloud-based, bigger developers are also getting something on their wishlist.

“A lot of our commercial customers are excited about being able to run this at scale on our cloud,” he told us.

“Security analysis is compute intensive, you are dealing with millions of lines of code. You want to do this rapidly and we are finally bringing this capability into a hosted cloud environment, so they can scale up more quickly than they could previously.”

In addition to scanning for security bugs, GitHub is also adding the option for commercial developers to scan offline repositories and to scan for exposed secrets (keys, credentials, etc) that could lead to network breaches and data leaks if let out onto the public internet. Previously limited to public repositories, the secret-scanning feature (which looks for credentials such as AWS or Google Cloud keys) will now be able to run on private GitHub repositories.

This addition, Hutchings said, is not just a security feature but also a stability feature, as it helps developers keep up with security policies that require changing keys at regular intervals by tracking and logging the changes. In this way, developers can avert outages and downtime that might otherwise occur when key changes don’t get properly reported and handled.
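To make the secret-scanning idea concrete, here is a small scanner of the kind the article describes. It is an added example, not GitHub's or Semmle's own implementation, and the source lines it scans are constructed (the AWS key ID is the one from AWS's public documentation, not a live credential). It combines two publicly documented provider formats (AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics; Google API keys start with "AIza" followed by 35 characters) with a Shannon-entropy check on values assigned to secret-looking variable names, which is how such scanners catch tokens with no fixed prefix while ignoring placeholders and plain prose.

```python
import math
import re

# Provider-specific formats that are public knowledge and cheap to match exactly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic case: a long quoted value assigned to a variable whose name suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|passwd|api_key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random tokens score high; prose and 'xxxx' placeholders score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_line(line: str, entropy_threshold: float = 4.0):
    """Return (kind, matched_text) pairs for one source line."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            findings.append((name, m.group(0)))
    for m in ASSIGNMENT.finditer(line):
        token = m.group(1)
        # Entropy gate: drops low-entropy placeholders and passphrases made of words.
        if shannon_entropy(token) >= entropy_threshold:
            findings.append(("high_entropy_assignment", token))
    return findings


def scan_source(text: str):
    """Return (line_number, kind, matched_text) triples for every hit in a file body."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, matched in scan_line(line):
            hits.append((lineno, kind, matched))
    return hits


# Constructed sample input: no real credentials (the AKIA value is AWS's documented example).
SAMPLE_SOURCE = """\
# constructed sample, no real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "correct horse battery staple"
api_key = "Xk9p2Qm7vL4nR8tB3wZ6yH1cF5jD0sA2"
token = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""


def run_sample():
    """Scan the constructed sample; expected: the AWS key on line 2 and the api_key on line 4."""
    return scan_source(SAMPLE_SOURCE)


if __name__ == "__main__":
    for lineno, kind, matched in run_sample():
        print(f"line {lineno}: {kind}: {matched}")
```

The entropy threshold is the tuning knob: the word-based passphrase on line 3 scores just under 3.5 bits per character and the placeholder on line 5 scores zero, so neither is reported, while the 32-character random token clears 4.9. In practice a scanner like this runs on every push (as GitHub's does) so that a credential is flagged before it spreads through clones and forks.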

Source: GitHub blasts code-scanning tool into all open-source projects • The Register

Very cloudy indeed!

Nervous, Adobe? It took 16 years, but open-source vector graphics editor Inkscape v1.0 now works properly on macOS

Open-source, cross-platform vector drawing package Inkscape has reached its version 1.0 milestone after many years of development.

Inkscape can be seen as an alternative to commercial products such as Adobe Illustrator or Serif Affinity Designer – though unlike Inkscape, neither of those run on Linux. The native format of Inkscape is SVG (Scalable Vector Graphics), the web standard.

[…]

Inkscape 1.0 is most significant for Mac users. Previous releases for macOS required a compatibility component called XQuartz, which enables applications designed for the X windowing system to run on macOS Quartz, part of Apple’s Core Graphics framework. This is no longer required and Inkscape 1.0 is now a native macOS application – though it is not all good news. The announcement noted: “This latest version is labelled as ‘preview’, which means that additional improvements are scheduled for the next versions.”

[…]

Inkscape 1.0 seems polished and professional. Adobe, which sells Illustrator on a subscription basis starting at £19 (if you inhale the rest of the Creative Cloud), will likely not be worried, but apart from the cost saving there are advantages in simpler applications that are relatively lightweight and easy to learn, as well as running well on Linux.

Source: Nervous, Adobe? It took 16 years, but open-source vector graphics editor Inkscape now works properly on macOS • The Register

Hackers hide web skimmer behind a website’s favicon

A hacker group created a fake icons hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.

The operation is what security researchers refer to these days as a web skimming, e-skimming, or a Magecart attack.

Hackers breach websites and then hide malicious code on its pages, code that records and steals payment card details as they’re entered in checkout forms.

[…]

Hackers created a fake icons hosting portal

In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.

The security firm says it discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon — the logo image shown in browser tabs.

The new favicon was a legitimate image file hosted on MyIcons.net, with no malicious code hidden inside it. However, while the change looked innocent, Malwarebytes said that web skimming code was still loaded on hacked sites, and there was clearly something strange with the new favicon.

[…]

The trick, according to Malwarebytes, was that the MyIcons.net website served a legitimate favicon file for all of a website’s pages, except on pages that contained checkout forms.

On these pages, the MyIcons.net website would secretly switch the favicon with a malicious JavaScript file that created a fake checkout form and stole user card details.

Malwarebytes said that site owners investigating the incident and accessing the MyIcons.net website would find a fully-working icon hosting portal, and would be misled to believe it’s a legitimate site.

However, the security firm says MyIcons.net was actually a clone of the legitimate IconArchive.com portal, and that its primary role was to be a decoy.

Furthermore, the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.
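The defensive check that follows from the mechanism above is simple: a favicon URL should return an image no matter which page embeds it, so the same URL returning JavaScript when the Referer points at a checkout page is the tell. The following is an added example, not code from the ZDNet article or from Malwarebytes, and every "response" in it is a constructed sample rather than a real capture. It classifies a body by its actual bytes (PNG/ICO/GIF magic numbers versus script-like text) instead of trusting the Content-Type header, and then flags both script payloads and inconsistency across pages.

```python
import re
from dataclasses import dataclass

# Magic bytes for the image types a favicon legitimately uses.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\x00\x00\x01\x00": "image/x-icon",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Text that marks a body as script rather than an image (checked on the first bytes only).
SCRIPT_HINTS = re.compile(rb"^\s*(?:<script|\(function|var |let |const |document\.)", re.I)


@dataclass
class Response:
    referer: str       # page that embedded the favicon (constructed)
    content_type: str  # what the server claimed
    body: bytes        # leading bytes of the body


def classify_body(body: bytes) -> str:
    """Decide what the payload really is from its content, not from headers."""
    for sig, mime in IMAGE_SIGNATURES.items():
        if body.startswith(sig):
            return mime
    if SCRIPT_HINTS.search(body[:256]):
        return "script"
    return "unknown"


def audit_favicon(responses):
    """
    Given the responses one icon URL returned for different Referers,
    return a list of findings. An empty list means nothing suspicious.
    """
    findings = []
    for r in responses:
        actual = classify_body(r.body)
        claimed = r.content_type.split(";")[0].strip().lower()
        if actual == "script":
            findings.append(f"{r.referer}: favicon URL delivered script (header claimed {claimed})")
        elif actual != "unknown" and claimed != actual:
            findings.append(f"{r.referer}: body is {actual} but header says {claimed}")
    # Second signal: the same URL should not change payload type from page to page.
    kinds = {classify_body(r.body) for r in responses}
    if len(kinds) > 1:
        findings.append(f"inconsistent payload types across pages: {sorted(kinds)}")
    return findings


# Constructed sample: the icon host behaves only on the checkout page.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE = [
    Response("https://shop.example/", "image/png", PNG_STUB),
    Response("https://shop.example/product/42", "image/png", PNG_STUB),
    Response("https://shop.example/checkout", "application/javascript",
             b"(function(){var f=document.createElement('form');"),
]


def run_sample():
    """Expected: one finding for the checkout page plus one for the inconsistency."""
    return audit_favicon(SAMPLE)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Because the server decides what to serve from the Referer, a site owner who opens the icon URL directly sees a valid image, which is exactly the misdirection the article describes; the audit therefore has to request the resource as each page would, and the content-based classification catches the case where the header lies about an image as well as the case where it openly declares script.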

Source: Hackers hide web skimmer behind a website’s favicon | ZDNet

Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned.

The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

ZDNet has obtained copies of both data sets. We received the entire 44 million records released online today, but we also received a sample of 55 million user records that were part of the 115 million data dump. Based on the data sets, we can conclude that the two are the same.

According to our analysis of the leaked files, the data contained both personally-identifiable and telephony-related information. This includes the likes of:

  • Customer full names
  • Home addresses (city, region, street name)
  • National identification (CNIC) numbers
  • Mobile phone numbers
  • Landline numbers
  • Dates of subscription

The data included details for both Pakistani home users and local companies alike.

Details for companies matched public records and public phone numbers listed on companies’ websites. In addition, ZDNet also verified the validity of the leaked data with multiple Pakistani users.

Source: Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache | ZDNet

Jet propulsion by microwave air plasma in the atmosphere: AIP Advances: Vol 10, No 5

We propose a prototype design of a propulsion thruster that utilizes air plasma induced by microwave ionization. Such a jet engine simply uses only air and electricity to produce high temperature and pressurized plasma for jet propulsion. We used a home-made device to measure the lifting force and jet pressure at various settings of microwave power and the air flow rate. We demonstrated that, given the same power consumption, its propulsion pressure is comparable to that of conventional airplane jet engines using fossil fuels. Therefore, such a carbon-emission free thruster could potentially be used as a jet thruster in the atmosphere.

[…]

In this report, we consider a microwave air plasma jet thruster using high-temperature and high-pressure plasma generated by a 2.45 GHz microwave ionization chamber for injected pressurized air. We propose a simple prototype plasma jet thruster that can generate approximately 10 N of thrust at 400 W using 0.5 l/s for the airflow, corresponding to the lifting force of 28 N/kW and a jet pressure of 2.4 × 10⁴ N/m². At a higher microwave power or greater airflow, propulsion forces and jet pressures comparable to those of commercial airplane jet engines can be achieved.

[…]

When high-power microwave is generated using microwave sources arranged in parallel, higher heat is also generated. At this point, the method of measuring the propulsive force with a steel ball is no longer applicable. How to deal with the impact of high temperature on equipment and how to evaluate the driving force are challenges that require further research.

Source: Jet propulsion by microwave air plasma in the atmosphere: AIP Advances: Vol 10, No 5

No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body

You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.

That’s the unambiguous message from the European Data Protection Board (EDPB), which has published updated guidelines on the rules around online consent to process people’s data.

Under pan-EU law, consent is one of six lawful bases that data controllers can use when processing people’s personal data.

But in order for consent to be legally valid under Europe’s General Data Protection Regulation (GDPR) there are specific standards to meet: It must be clear and informed, specific and freely given.

Hence cookie walls that demand ‘consent’ as the price for getting inside the club are not only an oxymoron but run into a legal brick wall.

No consent behind a cookie wall

The regional cookie wall has been crumbling for some time, as we reported last year — when the Dutch DPA clarified its guidance to ban cookie walls.

The updated guidelines from the EDPB look intended to hammer the point home. The steering body’s role is to provide guidance to national data protection agencies to encourage a more consistent application of data protection rules.

The EDPB’s intervention should — should! — remove any inconsistencies of interpretation on the updated points by national agencies of the bloc’s 27 Member States. (Though compliance with EU data protection law tends to be a process; aka it’s a marathon not a sprint, though on the cookie wall issues the ‘runners’ have been going around the tracks for a considerable time now.)

As we noted in our report on the Dutch clarification last year, the Internet Advertising Bureau Europe was operating a full cookie wall — instructing visitors to ‘agree’ to its data processing terms if they wished to view the content.

The problem that we pointed out is that this wasn’t a free choice. Yet EU law requires a free choice for consent to be legally valid. So it’s interesting to note the IAB Europe has, at some point since, updated its cookie consent implementation — removing the cookie wall and offering a fairly clear (if nudged) choice to visitors to either accept or deny cookies for “aggregated statistics”…

As we said at the time, the writing was on the wall for consent cookie walls.

The EDPB document includes the below example to illustrate the salient point that consent cookie walls do not “constitute valid consent, as the provision of the service relies on the data subject clicking the ‘Accept cookies’ button. It is not presented with a genuine choice.”

It’s hard to get clearer than that, really.

Scrolling never means ‘take my data’

A second area to get attention in the updated guidance, as a result of the EDPB deciding there was a need for additional clarification, is the issue of scrolling and consent.

Simply put: Scrolling on a website or digital service can not — in any way — be interpreted as consent.

Or, as the EDPB puts it, “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action” [emphasis ours].

Source: No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body | TechCrunch

Google Lens can now copy and paste handwritten notes to your computer

Google has added a very useful feature to Google Lens, its multipurpose object recognition tool. You can now copy and paste handwritten notes from your phone to your computer with Lens, though it only works if your handwriting is neat enough.

In order to use the new feature, you need to have the latest version of Google Chrome as well as the standalone Google Lens app on Android or the Google app on iOS (where Lens can be accessed through a button next to the search bar). You’ll also need to be logged in to the same Google account on both devices.

That done, simply point your camera at any handwritten text, highlight it on-screen, and select copy. You can then go to any document in Google Docs, hit Edit, and then Paste to paste the text. And voila — or, viola, depending on your handwriting.

[Gif: Copy and pasting with Google Lens. Credit: Google]

In our tests, the feature was pretty hit or miss. If you don’t write neatly, you’ll definitely get some typos. But it’s still a cool feature that’s especially useful at a time when a lot of people are now working from home and relying on endless to-do lists to bring some sense of order to their day.

Source: Google Lens can now copy and paste handwritten notes to your computer – The Verge

Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

There’s a hacker/security researcher with the Twitter handle GreenTheOnly that has been doing some interesting work with used Tesla parts. This time specifically, he’s acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a Model X MCU unit. These were purchased off eBay, and despite having been reset, Green found that plenty of private owner information and passwords were still easily recoverable from the units.

[…]

There are a number of reasons why Tesla owners may need to replace these units: adding Autopilot to an existing car, for example; data-logging issues on some early models that caused failure after a few years; and various other wear-and-tear and failure issues.

Once he had the units, Green found that there was a surprising amount of data still on them, from what appear to be debugging screenshots taken every time a Model 3 starts up:

…to far more compromising data, which he described to InsideEVs:

“…owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”

That’s a security hole big enough to drive a Model X through, even with the Falcon Doors stuck open. And, speaking of the Model X, the unit he got from that model was physically crushed, but data was still recoverable.

Green gave more details on his Twitter feed, clarifying that the Spotify passwords are stored as plain text, and that the Netflix and Gmail passwords are stored in cookie format:

The ability to get calendar events and the owner’s phone book and call history are also huge security breaches.

When owners decide to upgrade their cars’ computer, Tesla will only let them keep their original hardware for, according to a Tesla owners’ forum, a $1,000 fee. Yes, it’s strange to have to pay the company to take hardware that you should have owned when you bought your car, but Tesla has a history with non-traditional ideas of just what you think you’ve bought with your car.

Source: Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

Amazon Sued for Acting Like Users Own “Purchased” Movies (Spoiler Alert: You Don’t)

The question of whether you own your digital purchases, or whether you’re simply licensing that content from whatever tech giant du jour hosts it, has always been a bit of a black box for consumers. Recently, this lack of transparency has prompted one California user to file a lawsuit against Amazon for saying customers can “purchase” movies on Prime Video when, in actuality, the company can cut off access to that content at its discretion.

Yeah, in case you didn’t know, you don’t really own what you buy on Prime Video. Even though the service bills this content as “Your Video Purchases”, Prime Video’s terms of service outline how all purchases are really just long-term rentals that can disappear from your library at any time:

“Purchased Digital Content will generally continue to be available to you for download or streaming from the Service, as applicable, but may become unavailable due to potential content provider licensing restrictions or for other reasons, and Amazon will not be liable to you if Purchased Digital Content becomes unavailable for further download or streaming.”

None of this is made apparent unless you go digging into Prime Video’s ToS pages, though, which lawyers for the suit’s plaintiff, Amanda Caudel, argue is Amazon’s attempt to “deceive, mislead and defraud consumers.” Per the class action complaint, as first spotted by TechDirt:

“Reasonable consumers will expect that the use of a “Buy” button and the representation that their Video Content is a “Purchase” means that the consumer has paid for full access to the Video Content and, like any bought product, that access cannot be revoked.

Unfortunately for consumers who chose the “Buy” option, this is deceptive and untrue. Rather, the ugly truth is that Defendant secretly reserves the right to terminate the consumers’ access and use of the Video Content at any time, and has done so on numerous occasions, leaving the consumer without the ability to enjoy their already-bought Video Content.”

Defendant’s representations are misleading because they give the impression that the Video Content is purchased – i.e. the person owns it – when in fact that is not true because Defendant or others may revoke access to the Video Content at any time and for any reason.

And since renting a movie for 30 days also costs significantly less than purchasing it on Prime Video, usually around $5 compared to $14.99-19.99, the lawsuit argues that Amazon uses this deceptive distinction to earn profit at the expense of consumers, particularly since there’s no user agreement that pops up upon purchase to explain to customers that they won’t actually own the video content after hitting “Buy”. There’s no such disclaimer on the movie’s purchase page either.

Source: Amazon Sued for Acting Like Users Own “Purchased” Movies (Spoiler Alert: You Don’t)

IAB Europe Guide to the Post Third-Party Cookie Era

This Guide has been developed by experts from IAB Europe’s Programmatic Trading Committee (PTC) to prepare brands, agencies, publishers and tech intermediaries for the much-anticipated post third-party cookie advertising ecosystem.

It provides background to the current use of cookies in digital advertising today and an overview of the alternative solutions being developed. As solutions evolve, the PTC will be updating this Guide on a regular basis to provide the latest information and guidance on market alternatives to third-party cookies.

The Guide, available below as an e-book or PDF, helps to answer to the following questions:

  • What factors have contributed to the depletion of the third-party cookie?
  • How will the depletion of third-party cookies impact stakeholders and the wider industry including proprietary platforms?
  • How will the absence of third-party cookies affect the execution of digital advertising campaigns?
  • What solutions currently exist to replace the usage of third-party cookies?
  • What industry solutions are currently being developed and by whom?
  • How can I get involved in contributing to the different solutions?

Source: IAB Europe Guide to the Post Third-Party Cookie Era – IAB Europe

Yup, advertisers won’t be able to track you over the internet using 3rd party cookies anymore soon

Air Force Announces it Can Save $7 Million by Adjusting One Plane’s Windshield Wipers

The Air Force recently proved through a series of tests that its KC-135 Stratotanker aircraft can fly more efficiently just by mounting the cockpit window’s wiper blades vertically instead of horizontally. The potential fuel cost savings: about $7 million per year.

Researchers with the Advanced Power and Technology Office, part of the Air Force Research Laboratory, and the Southwest Research Institute, assessed the KC-135 after similar tests were conducted on a commercial McDonnell Douglas MD-11 cargo airliner. The commercial tests showed the new blade direction reduced its flight drag by 1.2%.

“Across the KC-135 fleet, blades are positioned horizontally on the windshield as part of the aircraft’s original 1950s design,” officials said in a news release. “However, as the understanding of aviation aerodynamics advanced, research indicated placing the wipers vertically when not in use could improve aerodynamic efficiency and optimize fuel use.”

[…]

The data collected revealed drag was reduced 0.8% just by moving the blade vertically, and 0.2% for a slimmer wiper design on the cockpit’s window.

[Image] Computational fluid dynamics analysis, conducted by Air Force Research Laboratory and Southwest Research Institute, shows the nose of a KC-135 Stratotanker, as the wiper blades are positioned horizontally, left, and vertically, right. The red indicates an area of high aerodynamic drag. (U.S. Air Force courtesy photo)

“While 1% efficiency may not seem like a lot, it equates to millions of dollars in fuel savings each year, which can then be re-invested into other programs,” Daniel Pike, acquisition manager and chief of future operations for Air Force Operational Energy, said in a statement.

For example, the KC-135 fleet used more than 260 million gallons in fiscal 2019, the service said, citing the Air Force Total Ownership Cost database. That accounts for roughly 14% of the Air Force’s total fuel use across its aircraft fleets.

Source: Air Force Announces it Can Save $7 Million by Adjusting One Plane’s Windshield Wipers | Military.com