Dutch Justice minister wants to put webhosters that won’t do what he wants on a shaming list, unburdened by proof and using kiddie porn as an excuse

The stance seems to be: If minister Grapperhaus tells a webhost to remove content, they should do it without the court system intervening.

As soon as they invoke kiddie porn you know that something totalitarian is being justified. Because once that is allowed, they expand the powers to all content. And nobody can be seen to be against fighting kiddie porn, right?

Source: Foute en lakse webhosters gaan per september op een zwarte lijst – Emerce

Space Force Losing Trademark Battle With Netflix’s Space Force

The real Space Force may be going down in flames against the fictional Space Force: According to the Hollywood Reporter, the newly founded military branch appears to be losing a trademark battle with the Netflix comedy show of the same name.

Netflix “has outmaneuvered the U.S. government to secure trademark rights to ‘Space Force’ in Europe, Australia, Mexico and elsewhere,” according to the Reporter, while the Air Force—under which the Space Force is organized—simply has a pending application stateside. This mostly has ramifications for merch. Consumers won’t have trouble discerning between the military branch and Space Force when it comes to which one stars Steve Carell, but they might not be able to tell who is selling a line of Space Force shirts.

The U.S. Patent and Trademark Office relies on a “first-to-use” system when assigning rights, and Netflix has been submitting trademark applications for the Space Force across the globe since the start of 2019. On the other hand, the Air Force filed a trademark application on the basis of intent to use in March 2019, per Law & Crime, and the Space Force didn’t become an actual organization until December 2019. If it comes down to a legal battle, that means Netflix may be able to easily demonstrate it was actually using the Space Force branding first. (Even if Netflix lost the case, it would have a First Amendment right to continue selling Space Force merch on the grounds of satire and parody.)

Source: Space Force Losing Trademark Battle With Netflix’s Space Force

OK, so not only is this silly but the fact that you can apparently actually trademark two words in a row seems absolutely bonkers to me.

deepart.io turns your picture into versions of existing art pictures

Artificial intelligence turning your photos into art

It uses the stylistic elements of one image to draw the content of another. Get your own artwork in just three steps.

  1. Upload photo

    The first picture defines the scene you would like to have painted.

  2. Choose style

    Choose among predefined styles or upload your own style image.

  3. Submit

    Our servers paint the image for you. You get an email when it’s done.

Source: deepart.io – become a digital artist

Bug bounty platforms buy researcher silence, violate labor laws, critics say

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne’s former chief policy officer, Katie Moussouris, call a “perversion.”

Bug bounty vs. VDP

A vulnerability disclosure program (VDP) is a welcome mat for concerned citizens to report security vulnerabilities. Every organization should have a VDP. In fact, the US Federal Trade Commission (FTC) considers a VDP a best practice, and has fined companies for poor security practices, including failing to deploy a VDP as part of their security due diligence. The US Department of Homeland Security (DHS) issued a draft order in 2019 mandating all federal civilian agencies deploy a VDP.

Regulators often view deploying a VDP as minimal due diligence, but running a VDP is a pain. A VDP looks like this: Good-faith security researchers tell you your stuff is broken, give you 90 days max to fix it, and when the time is up they call their favorite journalist and publish the complete details on Twitter, plus a talk at Black Hat or DEF CON if it’s a really juicy bug.

[…]

“Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security,” Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. “This is part of the problem with the bug bounty platforms as they are right now. They aren’t holding companies to a 90-day disclosure deadline,” he says. “A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence.”

The bug bounty platforms’ NDAs prohibit even mentioning the existence of a private bug bounty. Tweeting something like “Company X has a private bounty program over at Bugcrowd” would be enough to get a hacker kicked off their platform.

The carrot for researcher silence is the money — bounties can range from a few hundred to tens of thousands of dollars — but the stick to enforce silence is “safe harbor,” an organization’s public promise not to sue or criminally prosecute a security researcher attempting to report a bug in good faith.

The US Department of Justice (DOJ) published guidelines in 2017 on how to make a promise of safe harbor. Severe penalties for illegal hacking should not apply to a concerned citizen trying to do the right thing, they reasoned.

Want safe harbor? Sign this NDA

Sign this NDA to report a security issue or we reserve the right to prosecute you under the Computer Fraud and Abuse Act (CFAA) and put you in jail for a decade or more. That’s the message some organizations are sending with their private bug bounty programs.

[…]

The PayPal terms, published and facilitated by HackerOne, turn the idea of a VDP with safe harbor on its head. The company “commits that, if we conclude, in our sole discretion, [emphasis ours] that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry.”

The only way to meet their “sole discretion” decision of safe harbor is if you agree to their NDA. “By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without PayPal’s prior written approval.”

HackerOne underscores that safe harbor can be contingent on agreeing to program terms, including signing an NDA, in their disclosure guidelines. Bug finders who don’t wish to sign an NDA to report a security flaw may contact the affected organization directly, but without safe harbor protections.

“Submit directly to the Security Team outside of the Program,” they write. “In this situation, Finders are advised to exercise good judgement as any safe harbor afforded by the Program Policy may not be available.”

[…]

Security researchers concerned about safe harbor protection should not rest easy with most safe harbor language, Electronic Frontier Foundation (EFF) Senior Staff Attorney Andrew Crocker tells CSO. “The terms of many bug bounty programs are often written to give the company leeway to determine ‘in its sole discretion’ whether a researcher has met the criteria for a safe harbor,” Crocker says. “That obviously limits how much comfort researchers can take from the offer of a safe harbor.”

“EFF strongly believes that security researchers have a First Amendment right to report their research and that disclosure of vulnerabilities is highly beneficial,” Crocker adds. In fact, many top security researchers refuse to participate on bug bounty platforms because of required NDAs.

[…]

Health insurance in the US is typically provided by employers to employees, and not to independent contractors. However, legal experts tell CSO that the bug bounty platforms violate both California and US federal labor law.

California AB 5, the Golden State’s new law to protect “gig economy” workers that came into effect in January 2020, clearly applies to bug bounty hunters working for HackerOne, Bugcrowd and Synack, Leanna Katz, an LLM candidate at Harvard Law School researching legal tests that distinguish between independent contractors and employees, tells CSO.

[…]

“My legal analysis suggests those workers [on bug bounty platforms] should at least be getting minimum wage, overtime compensation, and unemployment insurance,” Dubal tells CSO. “That is so exploitative and illegal,” she adds, saying that “under federal law it is conceivable that not just HackerOne but the client is a joint employer [of bug finders]. There might be liability for companies that use [bug bounty platform] services.”

“Finders are not employees,” Rice says, a sentiment echoed by Bugcrowd founder Ellis and Synack founder Jay Kaplan. Synack’s response is representative of all three platforms: “Like many companies in California, we’re closely monitoring how the state will apply AB 5, but we have a limited number of security researchers based in California and they represent only a fractional percentage of overall testing time,” a Synack representative tells CSO.

Using gig economy platform workers to discover and report security flaws may also have serious GDPR consequences when a security researcher discovers a data breach.

Bug bounty platforms may violate GDPR

When is a data breach not a data breach?

When a penetration testing consultancy with vetted employees discovers the exposed data.

A standard penetration testing engagement contract includes language that protects the penetration testers — in short, it’s not a crime if someone asks you to break into their building or corporate network on purpose, and signs a contract indemnifying you.

This includes data breaches discovered by penetration testers. Since the pen testers are brought under the umbrella of the client, say “Company X,” any publicly exposed Company X data discovered is not considered publicly exposed, since that would legally be the same as a Company X employee discovering a data breach, and GDPR’s data breach notification rules don’t come into play.

What about unvetted bug bounty hunters who discover a data breach as part of a bug bounty program? According to Joan Antokol, a GDPR expert, the EU’s data breach notification regulation applies to bug bounty platforms. Antokol is partner at Park Legal LLC and a longstanding member of the International Working Group on Data Protection in Technology (IWGDPT), which is chaired by the Berlin Data Protection Commissioner. She works closely with GDPR regulators.

“If a free agent hacker who signed up for a project via bug bounty companies to try to find vulnerabilities in the electronic systems of a bug bounty client (often a multinational company), was, in fact, able to access company personal data of the multinational via successful hacking into their systems,” she tells CSO, “the multinational (data controller) would have a breach notification obligation under the GDPR and similar laws of other countries.”

[…]

ISO 29147 standardizes how to receive security bug reports from an outside reporter for the first time and how to disseminate security advisories to the public.

ISO 30111 documents internal digestion of bug reports and remediation within an affected software maker. ISO provided CSO with a review copy of both standards, and the language is unambiguous.

These standards make clear that private bug bounty NDAs are not ISO compliant. “When non-disclosure is a required term or condition of reporting bugs via a bug bounty platform, that fundamentally breaks the process of vulnerability disclosure as outlined in ISO 29147,” Moussouris says. “The purpose of the standard is to allow for incoming vulnerability reports and [her emphasis] release of guidance to affected parties.”

ISO 29147 lists four major goals, including “providing users with sufficient information to evaluate risk due to vulnerabilities,” and lists eight different reasons why publishing security advisories is a standardized requirement, including “informing public policy decisions” and “transparency and accountability.” Further, 29147 says that public disclosure makes us all more secure in the long term. “The theory supporting vulnerability disclosure holds that the short-term risk caused by public disclosure is outweighed by longer-term benefits from fixed vulnerabilities, better informed defenders, and systemic defensive improvements.”

Source: Bug bounty platforms buy researcher silence, violate labor laws, critics say | CSO Online

Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen

A report from consumer advocates Which? highlights the shockingly short lifespan of “smart” appliances, with some losing software support after just a few years, despite costing vastly more than “dumb” alternatives.

That lifespan varies between manufacturers: Most vendors were vague, with Beko offering “up to 10 years” and LG saying patches would be issued as required. Samsung said it would offer software support for a maximum of two years, according to the report.

Only one manufacturer, Miele, promised to issue software updates for a full decade after the release of a device, but then Miele tends to make premium priced products.

[…]

For consumers, that ambiguous (if not outright short) lifespan raises the possibility they could be forced to replace their expensive white goods before they otherwise would. According to the consumer watchdog, fridge-freezers typically last 11 years.

If a manufacturer decides to withdraw software support, or switch off central servers, users could find themselves with a big, frosty brick in their kitchen. In the wider IoT world, there’s precedent for this.

In 2016, owners of the Revolv smart home hub were infuriated after the Google-owned Nest deactivated the servers required for it to work. More recently, Belkin flicked the kill switch on its WeMo NetCam IP cameras, offering refunds only to those users whose devices were still in warranty and had the foresight to keep their receipts.

There’s another cause for concern. Given that smart appliances are essentially computers with a persistent connection to the internet, there’s a risk hackers could co-opt unpatched fridges and dishwashers, turning them into drones in vast botnets.

Again, there’s precedent. The Mirai botnet, for example, was effectively composed of hacked routers and IP cameras.

Source: Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen • The Register

Secure the software development lifecycle with machine learning

At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories. To better label and prioritize bugs at that scale, we couldn’t just apply more people to the problem. However, large volumes of semi-curated data are perfect for machine learning. Since 2001 Microsoft has collected 13 million work items and bugs. We used that data to develop a process and machine learning model that correctly distinguishes between security and non-security bugs 99 percent of the time and accurately identifies the critical, high priority security bugs, 97 percent of the time. This is an overview of how we did it.

Source: Secure the software development lifecycle with machine learning – Microsoft Security

Belgian launches scheduled private jet service to Ibiza

Fly to Ibiza in a private jet for 495 euros, with 25 kilograms of luggage, luxury snacks and a glass of champagne. That is what Limburg aviation entrepreneur Philippe Bodson wants to bring to market from 4 July under the name Flying Executive. On a weekly basis from Brussels.

A scheduled service with private jets is not a first in Europe. But the timing is striking. With this concept Bodson, the head of ASL Group, is by his own account going against the current. ‘It runs counter to every trend in the aviation sector, which is driven by low cost. But it fits perfectly with the new needs of post-corona travel.’

Bodson, who earned his pilot’s licence at 34 and then turned his hobby into his profession by founding his own aviation company, is putting two Embraer aircraft into service for the new formula. These are aircraft with a limited number of seats (30 and 42 respectively) and more legroom (12 centimetres extra) than on an ordinary scheduled flight.

According to him, the cabin layout of those aircraft – with one seat on the left and two seats on the right – also offers a much better flight experience. ‘The advantage is that travellers can always sit alone or next to someone they know,’ he says. ‘In times of Covid-19 that gives a more comfortable feeling.’

Source: Belg opent lijnvlucht met private jets naar Ibiza | De Tijd

Guides for Visualizing Reality – and checking on the charts

We like to complain about how data is messy, not in the right format, and how parts don’t make sense. Reality is complicated though. Data comes from the realities. Here are several guides to help with visualizing these realities, which seem especially important these days.

Visualizing Incomplete and Missing Data

We love complete and nicely formatted data. That’s not what we get a lot of the time.

Visualizing Outliers

Step 1: Figure out why the outlier exists in the first place. Step 2: Choose from these visualization options to show the outlier.

Visualizing Differences

Focus on finding or displaying contrasting points, and some visual methods are more helpful than others.

Visualizing Patterns on Repeat

Things have a way of repeating themselves, and it can be useful to highlight these patterns in data.

Source: Guides for Visualizing Reality | FlowingData

Astronomers have found a planet like Earth orbiting a star like the sun

Three thousand light-years from Earth sits Kepler 160, a sun-like star that’s already thought to have three planets in its system. Now researchers think they’ve found a fourth. Planet KOI-456.04, as it’s called, appears similar to Earth in size and orbit, raising new hopes we’ve found perhaps the best candidate yet for a habitable exoplanet that resembles our home world. The new findings bolster the case for devoting more time to looking for planets orbiting stars like Kepler-160 and our sun, where there’s a better chance a planet can receive the kind of illumination that’s amenable to life.

Most exoplanet discoveries so far have been made around red dwarf stars. This isn’t totally unexpected; red dwarfs are the most common type of star out there. And our main method for finding exoplanets involves looking for stellar transits—periodic dips in a star’s brightness as an orbiting object passes in front of it. This is much easier to do for dimmer stars like red dwarfs, which are smaller than our sun and emit more of their energy as infrared radiation.

[…]

Data on the new exoplanet orbiting Kepler-160, published in Astronomy and Astrophysics on Thursday, points to a different situation entirely. From what researchers can tell, KOI-456.04 looks to be less than twice the size of Earth and is apparently orbiting Kepler-160 at about the same distance as Earth is from the sun (one complete orbit is 378 days). Perhaps most important, it receives about 93% as much light as Earth gets from the sun.

This is critical, because one of the biggest obstacles to habitability around red dwarf stars is they can emit a lot of high-energy flares and radiation that could fry a planet and any life on it. By contrast, stars like the sun—and Kepler-160, in theory—are more stable and suitable for the evolution of life.

[…]

Right now the researchers say it’s 85% probable KOI-456.04 is an actual planet. But it could still be an artifact of Kepler’s instruments or the new analysis—an object needs to pass a threshold of 99% to be a certified exoplanet. Getting that level of certainty will require direct observations. The instruments on NASA’s upcoming James Webb Space Telescope are expected to be up to the task, as are those on ESA’s PLATO space telescope, due to launch in 2026.

Source: Astronomers have found a planet like Earth orbiting a star like the sun | MIT Technology Review

Brave Browser Mistake Adds Its Referrer Code For Cryptocurrency Sites – quite a big oops also for privacy

The following report appeared on Yahoo! Finance: Privacy-focused browser Brave was found to autocomplete several websites and keywords in its address bar with an affiliate code. Shortly after a user published his findings, Brave CEO and co-founder Brendan Eich addressed the incident and called it “a mistake we’re correcting.” Eich said that while Brave is a Binance affiliate [a cryptocurrency exchange], the browser’s autocompleting feature should not have added any new affiliate codes.

“The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions,” Eich wrote in the thread. “Sorry for this mistake — we are clearly not perfect, but we correct course quickly,” he added.

Android Police reports the mistake occurred more than 10 weeks ago — and that referrer codes were also included for other cryptocurrency-related sites: The browser’s GitHub repository reveals the functionality was first added on March 25th, and the current list of sites includes Binance, Coinbase, Ledger, and Trezor. Brave Software receives a kickback for purchases/accounts made with those services — for example, Coinbase says that when you refer a new customer to the service, you can earn 50% of their fees for the first three months.

The nature of these affiliate programs also allows the referrer — in this case, Brave Software — to view some amount of data about the customers who sign up with the code. Coinbase’s program provides “direct access to your campaign’s performance data,” while Trezor offers a “detailed overview of purchases.”

Brave CEO and co-founder Brendan Eich (who also created the JavaScript programming language) tweeted, “For what it’s worth there’s a setting to disable the autocomplete defaults that add affiliate codes, in brave://settings first page. Current plan is to flip default to off as shown here. You can disable ahead of our release schedule if you want to.

“Good to hear from supporters who’ll enable it.”
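To make the privacy point above concrete from the user’s side, here is an added example that is not Brave’s code and is not taken from the Slashdot or Android Police reports: it compares the address a user typed against the URL the browser actually resolved and reports any query parameters that were added along the way, which is exactly the kind of silent addition Eich says a typed-in URL should never receive. The sample URLs, the `ref`/`aff` parameter names and the `EXAMPLE-CODE` values are constructed placeholders; the real affiliate codes do not appear on this page.

```javascript
// Added example (not Brave's code): audit what an address-bar autocomplete did
// to a typed-in address by diffing query parameters. All sample data is constructed.

// Turn what the user typed into a parsable URL. Bare hostnames are assumed to
// resolve over https; this is an assumption for the demo, not a browser rule.
function normalizeTyped(typed) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(typed);
  return new URL(hasScheme ? typed : `https://${typed}`);
}

// Compare the typed address with the URL the browser would navigate to.
// Returns whether the host still matches (ignoring a leading "www.") and the
// list of query parameters present in the resolved URL that were never typed.
function findAddedParams(typed, resolved) {
  const t = normalizeTyped(typed);
  const r = new URL(resolved);
  const stripWww = h => h.replace(/^www\./, '');
  const addedParams = [];
  for (const [key, value] of r.searchParams) {
    if (!t.searchParams.has(key)) addedParams.push({ key, value });
  }
  return { sameHost: stripWww(t.hostname) === stripWww(r.hostname), addedParams };
}

// Constructed samples: [what the user typed, where autocomplete would send them].
const SAMPLES = [
  ['binance.us', 'https://www.binance.us/?ref=EXAMPLE-CODE'],            // one code appended
  ['coinbase.com', 'https://www.coinbase.com/'],                         // nothing added
  ['trezor.io', 'https://trezor.io/?ref=EXAMPLE-CODE&aff=EXAMPLE-ID'],   // two params appended
];

// Run the comparison over every sample and summarise the findings.
function audit(samples) {
  return samples.map(([typed, resolved]) => {
    const { sameHost, addedParams } = findAddedParams(typed, resolved);
    return { typed, resolved, sameHost, added: addedParams.map(p => p.key) };
  });
}

// Print a one-line verdict per sample when run directly with node.
for (const row of audit(SAMPLES)) {
  const verdict = row.added.length ? `ADDED ${row.added.join(', ')}` : 'clean';
  console.log(`${row.typed.padEnd(14)} -> ${row.resolved.padEnd(52)} ${verdict}`);
}
```

The check deliberately keys on parameter names rather than on any specific affiliate value, so it flags any unrequested query string, not just the ones named in the reports above; a user who wants to verify the brave://settings toggle mentioned in the tweet can type a bare domain, copy the address bar contents after navigation and feed the pair to `findAddedParams`.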

Source: Brave Browser Mistake Adds Its Referrer Code For Cryptocurrency Sites – Slashdot

Boffins step into the Li-ion’s den with sodium-ion battery that’s potentially as good as a lithium cousin

Scientists in America and China have created a sodium-ion-based battery that can potentially perform at close to the levels of Li-ion, paving the way for a cheaper, commercially viable alternative to lithium.

The key challenge in creating this battery is that sodium-ion cells tend to break down faster than their lithium-ion cousins. Sodium crystals collect on the cathode, made of O3-layered metal oxide, preventing sodium ions from flowing, and thus knackering the operation of the battery.

A solution for this is what the Washington State University-based team – led by Jianming Zheng (Pacific Northwest National Laboratory), Yuehe Lin (WSU), Pengfei Yan (Beijing University of Technology), and Xiaolin Li (Pacific Northwest National Laboratory) – sought to figure out.

They eventually came up with a liquid electrolyte with a high concentration of sodium ions, which prevented the build-up of inactive crystals, thus preserving 80 per cent of the cell’s charge capacity after 1,000 cycles.

Not only were the new cells observed as having a higher capacity and better lifespan than older sodium-ion cell designs, but they were able to hit levels closer to those of lithium-ion.

“Our study showed that sodium-ion can be as good as some lithium-ion chemistries and thus make them more competitive and versatile,” The Register was told by Junhua Song, a contributing author to the paper based out of Lawrence Berkeley Labs.

“We are hopeful that a deployable high energy and long cycle life sodium-ion battery can be realised in five years with enough funding resources.”

Song explained that while there could be other advantages to using sodium over lithium other than availability of materials and extraction costs, it is too soon to say that the sodium power cells would be, for example, safer or more environmentally friendly.

“Environmental friendliness relies on many factors because the battery is essentially a complicated system involving more than just electrode materials,” he explained.

“Sodium does provide better environmental benignity due to its resource abundance and accessibility, which might do less harm to the environment during extraction, compared to the geologically constrained lithium counterpart. Similar to environmental friendliness, safety depends on many components (materials, electrolyte, cell architecture, etc), more systematic studies are on the way to tackle the safety aspect of sodium-ion batteries.”

To that end, Song noted that the next steps in development of sodium-ion batteries will involve investigating the cathode and anode materials, and the actual reaction process within the electrolyte.

The team’s paper, “Controlling Surface Phase Transition and Chemical Reactivity of O3-Layered Metal Oxide Cathodes for High-Performance Na-Ion Batteries”, was published in the journal ACS Energy Letters.

Source: Boffins step into the Li-ion’s den with sodium-ion battery that’s potentially as good as a lithium cousin • The Register

Lenovo certifies all desktop and mobile workstations for Linux – and will even upstream driver updates

Lenovo has decided to certify all of its workstations for Linux.

“Our entire portfolio of ThinkStation and ThinkPad P Series workstations will now be certified via both Red Hat Enterprise Linux and Ubuntu LTS – a long-term, enterprise-stability variant of the popular Ubuntu Linux distribution,” said a Tuesday statement from GM and executive director of the company’s workstation and client AI group Rob Herman.

Lenovo is serious about this: the company says its workstations will “offer full end-to-end support – from security patches and updates to better secure and verify hardware drivers, firmware and bios optimizations.” Lenovo will also upstream device drivers into the Linux kernel.

The company’s rationale for the move is that Linux workstations are favourites of a sizable population of power users, especially developers and data scientists. Lenovo wants to relieve their employers of the chore of installing and maintaining Linux on the mildly-exotic hardware such users require. But it’s also tipped a hat to Linux enthusiasts with “a pilot program with a preloaded Fedora image on our ThinkPad P53 and P1 Gen 2 systems; providing the latest pure open source platform for this community-based distribution.” Note, however, that the new arrangements are only for Lenovo workstations. ThinkPads, Yogas and other models will still almost certainly run Linux, but don’t get extra love from Lenovo.

Lenovo’s offering isn’t unique: Dell offers supported RHEL and Ubuntu on its XPS13 and Precision mobile workstations, plus the Precision tower workstations. HP Inc also supports Linux on its Z-series mobile and desktop workstations and claims it was first to do so. Lenovo seems to think it might have them outflanked by supporting all possible configurations of its P-series laptops (The Register counts nine machines in that range) and the seven P-series workstations.

Source: Lenovo certifies all desktop and mobile workstations for Linux – and will even upstream driver updates • The Register

Zoom won’t encrypt free calls because it wants to comply with law enforcement

If you’re a free Zoom user, and waiting for the company to roll out end-to-end encryption for better protection of your calls, you’re out of luck. Free calls won’t be encrypted, and law enforcement will be able to access your information in case of ‘misuse’ of the platform.

Zoom CEO Eric Yuan today said that the video conferencing app’s upcoming end-to-end encryption feature will be available to only paid users. After announcing the company’s financial results for Q1 2020, Yuan said the firm wants to keep this feature away from free users to work with law enforcement in case of the app’s misuse:

Free users, for sure, we don’t want to give that [end-to-end encryption]. Because we also want to work it together with FBI and local law enforcement, in case some people use Zoom for bad purpose.

In the past, platforms with end-to-end encryption, such as WhatsApp, have faced heavy scrutiny in many countries because they were unable to trace the origins of problematic and misleading messages. Zoom likely wants to avoid being in such a position, and wants to comply with local laws to keep operating across the globe.

Alex Stamos, working as a security consultant with Zoom, said it wants to catch repeat offenders for hate speech or child exploitative content by not offering end-to-end encryption to free users.

In March, The Intercept published a report stating that the company doesn’t use end-to-end encryption, despite claiming that on its website and security white paper. Later, Zoom apologized and issued a clarification to specify it didn’t provide the feature at that time.

Last month, the company acquired Keybase.io, an encryption-based identity service, to build its end-to-end encryption offering. Yuan said today that the company got a lot of feedback from users on encryption, and it’s working on executing it. However, he didn’t specify a release date for the feature.

According to the Q1 2020 results, the company grew 169% year-on-year in terms of revenue. Zoom has more than 300 million daily participants attending meetings through the platform.

Source: Zoom won’t encrypt free calls because it wants to comply with law enforcement

GSMA suggests mobile carriers bake contact-tracing into their own apps – if governments ask for it

The GSM Association, the body that represents mobile carriers and influences the development of standards, has suggested its members bake virus contact-tracing functionality into their own bundled software.

The body today popped out a paper [PDF] on contact-tracing apps. After some unremarkable observations about the need for and operations of such apps, plus an explanation of the centralised vs. decentralised data storage debate, the paper offers members a section titled: “How the mobile industry can help.”

That section suggests carriers could help to improve the reach of and disseminate such apps with the following three tactics:

  • Integrate software into own apps (e.g. customer self-care app), if this is part of the national strategy
  • Pre-install on devices
  • Communicate to / educate subscribers

The first item may prove unworkable given Google and Apple have indicated they’ll only register coronavirus-related apps if they’re developed by governments and their health agencies. The two tech giants have also said they’ll only allow one app per jurisdiction to use their pro-privacy COVID-19 contact-tracing interface. The second suggestion also has potential pitfalls as contact-tracing apps are generally opt-in affairs. Carriers would need to be sensitive about how they are installed and the user experience offered if the apps ask for registration.

Source: GSMA suggests mobile carriers bake contact-tracing into their own apps – if governments ask for it • The Register

Marketers Bring Antitrust Suit Against Google

Three online advertisers are suing Google for allegedly violating antitrust laws by monopolizing “digital advertising markets.”

“Google leveraged its stranglehold on online search and search advertising to gain an illegal monopoly in brokering display advertising on other companies’ websites,” the marketers allege in a class-action complaint filed last week in U.S. District Court for the Northern District of California. The case was filed on behalf of Washington, D.C. tour company Grand Atlas Tours, Delray Beach, Florida-based Prana Pets (which sells herbs for dogs and cats) and the San Francisco law firm Hanson Law.

They claim Google “achieved this market dominance in part by acquiring rivals in the online advertising space, conditioning access to its search-results data and YouTube video advertising platform upon the purchase of its separate display advertising services, and ensuring those systems were not compatible with those of its competitors in online advertising.”

The complaint comes as the U.S. Department of Justice and a coalition of state attorneys general are reportedly preparing separate antitrust lawsuits against Google.

Grand Atlas Tours and the others allege that Google’s “pervasive monopoly conduct” has resulted in higher prices for advertisers and consumers, lower payments to online publishers and diminished competition in the online ad marketplace.

The complaint alleges both that Google commands a dominant position in search advertising, and that the company has leveraged its market power in search “to drive out competition in the separate market for display advertising services.”

Among other allegations, the marketers claim Google’s decision to eventually block third-party cookies in Chrome will make it “much harder for advertisers and competitors to efficiently bid on ads.”

Google said in January it plans to phase out Chrome’s support for third-party cookies within two years — a move often seen as privacy friendly, because it can prevent companies that have no relationship with consumers from tracking them. Mozilla’s Firefox, as well as Apple’s Safari, already automatically prevent ad-tech companies from using cookies to track people around the web in order to serve them targeted ads.

Source: Marketers Bring Antitrust Suit Against Google 06/02/2020

I’ve been talking about this happening since May 2019 and it’s becoming more and more common

Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system

A hapless IT bod found the Have I Been Pwned service (HIBP) answering its own question in a way he really didn’t want – after a breach report including a SQL string KO’d his company’s helpdesk ticket system.

A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a breach notification email from HIBP was ingested into his firm’s helpdesk ticket system and was automatically assigned a ticket ID.

The company used version 9.4.5 of the GLPi open source helpdesk system, a rather old product but quite functional. As Matt put it: “All was well until we received an email from haveibeenpwned to our helpdesk support address, which automatically got logged as a support ticket.”

When one of your email addresses is included in a breach picked up by HIBP, you can generate a report that tells you where your details were found. Included in the email with the link to the report is the HIBP header logo graphic, partly formed from ASCII text which reads:

';--have I been pwned?

Problems arose when Matt received that email. While he looked at it and took the relevant actions, GLPi had encountered an issue. “I and the other techs quickly noticed that every single ticket description had been deleted and replaced with partial header data from the HIBP email,” wrote Matt.

This caused some headaches, requiring a restore from the previous day’s backups. Not ideal and quite disruptive.

That evening Matt started fault-finding, eventually narrowing down the ticket-wiping problem to one of either assigning the HIBP email to yourself in GLPi or adding yourself as a “watcher” of it. In both cases, Matt suspected, some kind of SQL injection was happening.

“I managed to shrink the exploit down to six characters (';-- " – the space and double-quote at the end appear to be required though this could do with more testing) to achieve the same kind of malicious behaviour, in this case deleting all content of the descriptions for every ticket in the database,” he wrote.

Eventually he figured it out. GLPi 9.4.5 is vulnerable to a SQL injection flaw which just happened to be triggered by the formatting of HIBP’s breach report email. As Matt put it, “GLPI supports HTML emails, which get rendered (almost) normally within the interface. Simply hiding the text in an attribute or the <head> or something will keep it invisible to the tech. You’ve just gotta wait for them to assign it to themselves.”
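To make that failure mode concrete, here is an added example that reconstructs the pattern Matt describes. It is not GLPi’s code, not Matt’s, and not the HIBP email: the ticket table, the sample rows and the assign_vulnerable/assign_safe functions are hypothetical and constructed for the demo, and sqlite3 is used only because it ships with Python. The vulnerable path re-saves a ticket on assignment with SQL built by string formatting; the hardened path runs the same update with bound parameters. Both are fed the ';-- text from the logo.

```python
import sqlite3

# Constructed sample rows standing in for a helpdesk ticket table (hypothetical).
SAMPLE_TICKETS = [
    (1, "Printer on floor 2 keeps jamming", "alice"),
    (2, "VPN drops every hour", "bob"),
    (3, "Laptop battery is swollen", "carol"),
]

# The text the article says sits in the HIBP logo. The leading quote closes a
# string literal, the semicolon ends the statement, and "--" comments out the
# rest of whatever SQL the application appended after the user-controlled text.
HIBP_LOGO_TEXT = "';--have I been pwned?"


def make_db():
    """Build an in-memory ticket table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, description TEXT, assignee TEXT)"
    )
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_TICKETS)
    conn.commit()
    return conn


def descriptions(conn):
    """Return {ticket_id: description} so the effect of each update is visible."""
    return dict(conn.execute("SELECT id, description FROM tickets ORDER BY id"))


def assign_vulnerable(conn, ticket_id, description, tech):
    """Hypothetical vulnerable pattern: on assignment the app re-saves the
    ticket text and assignee with SQL built by string formatting."""
    sql = (
        "UPDATE tickets SET description = '%s', assignee = '%s' WHERE id = %d"
        % (description, tech, ticket_id)
    )
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the caller can see what was actually run


def assign_safe(conn, ticket_id, description, tech):
    """Hardened form: the same update with values passed as bound parameters,
    so the logo text is stored as data and never parsed as SQL."""
    conn.execute(
        "UPDATE tickets SET description = ?, assignee = ? WHERE id = ?",
        (description, tech, ticket_id),
    )
    conn.commit()


def run_demo():
    """Push the logo text through both code paths and report the outcome."""
    vuln = make_db()
    assign_vulnerable(vuln, 1, "Printer on floor 2 fixed", "matt")  # benign text works
    ran = assign_vulnerable(vuln, 2, HIBP_LOGO_TEXT, "matt")
    wiped = sum(1 for d in descriptions(vuln).values() if d == "")

    safe = make_db()
    assign_safe(safe, 2, HIBP_LOGO_TEXT, "matt")
    stored = descriptions(safe)[2]
    return {"sql_executed": ran, "tickets_wiped": wiped, "safe_stored": stored}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the statement that actually reached the database: it ends at the semicolon supplied by the logo text, so the WHERE clause (and the assignee update after it) is swallowed by the comment and every ticket’s description is blanked, which is the symptom Matt saw. Python’s sqlite3 refuses a second stacked statement but accepts a trailing comment, which is why the short prefix is enough. The parameterised version stores the full string, quote and all, and touches only ticket 2.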

Buoyed by his success, Matt zoomed off to GLPi’s GitHub page to find contact details for its maintainers to warn them of the flaw. There he made an equally important discovery: GLPi had since been updated to version 9.4.6. Not only that, but the latest version fixed the SQLi vuln.

“If you’re running GLPI, make sure you’re on the latest release. Or look for alternative software,” he concluded, apparently rather crestfallen from all those excellent but ultimately needless efforts.

Source: Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system • The Register

Trump’s Make Space Great Again video pulled after former ‘naut says: Nope

A funny thing happened overnight in the world of space and politics as a campaigning video featuring SpaceX’s commercial crew launch and promoting US President Donald Trump was abruptly pulled from YouTube.

“Make Space Great Again” was uploaded to YouTube following the successful launch, attended by Trump, and featured a mix of footage including some from the Demo-2 commercial crew mission.

It also set off a firestorm of protests, including one from retired astronaut Karen Nyberg, who is married to NASA ‘naut Doug Hurley. Hurley is one of the two lucky crew-members of that Demo-2 mission.

Nyberg, understandably, was somewhat aggrieved that imagery of her and her son was being used in what she described as “political propaganda” without consent.

Others highlighted the unfortunate appearance of a European Space Agency (ESA) logo in the presidential campaign video.

As is so often the case these days, a petition soon popped up, urging the master of the caps-lock key to stop politicising space. After all, while the implication of the video is that if it wasn’t for the efforts of the current US President the mission might not have happened, NASA’s Commercial Crew Program was actually kicked off by President Barack Obama years previously, and has its roots in the George W Bush administration.

Sadly, the politicisation of space is difficult to avoid. President Richard Nixon, for example, was less than keen to lavish credit on John F Kennedy during the moon landings of 50 years ago, while the space race itself was arguably driven more by political gesturing than by pure science.

Lawmakers, after all, hold the purse strings and, as the saying goes, “No bucks, no Buck Rogers.”

As well as perhaps allowing someone to take a little more credit than is due and managing to annoy a former astronaut, the video also stomped over NASA’s media usage guidelines, which aren’t keen on the agency’s logos being used to “imply endorsement” and state that permission to show identifiable people needs to come from those individuals.

We suspect that ESA might also be a bit grumpy about its logo popping up.

Trump has infamously found himself on the receiving end of a long overdue prodding by social media anger trumpet, Twitter, but this particular bit of video self-aggrandisement was swiftly yanked by the uploader, presumably Trump’s campaign itself.

The good news for Trump fans is that while a like on the Make Space Great Again video is no longer possible, support can still be shown with the purchase of a hat from Trump’s online store. Right up until Disney notices a distinct similarity to its own, Epcot-based Mission Space logo.

The motion simulator ride in Florida’s Epcot theme park itself can leave some of its users a tad nauseous. Not unlike sitting through “Make Space Great Again”. ®

Source: Trump’s Make Space Great Again video pulled after former ‘naut says: Nope • The Register

Did Instagram Just Say It’s Rewriting Online Copyright? Use their embedded API at your peril

In one fell swoop, Facebook may have changed its mind about how the online news media will operate from here on out. Undermining a now age-old assumption, Facebook told Ars Technica on Thursday that embedding an Instagram post may not shield news organizations from copyright claims when they freely cross-post it on their sites. A spokesperson said:

While our terms allow us to grant a sub-license, we do not grant one for our embeds API. Our platform policies require third parties to have the necessary rights from applicable rights holders.

The dry statement could mean upheaval for online publishing, implying that a news organization (or anyone running a for-profit site) would have to obtain a license for an Instagram post directly from the poster before they can embed it. Some will worry that it bodes a future in which publications retroactively strike every Instagram embed from their archives in order to avoid lawsuits.

On one hand, it’s good news for professional photographers and artists who would otherwise go unpaid for the use of their work when it is embedded on someone else’s website. Photographers like the ones who separately sued Mashable and Newsweek for embedding their Instagram posts, both after they explicitly declined to license the images to the respective publications. On the other hand, this might be the last gasp for Instagram commentary, the bread of the news, the spice of the tea blogs.

Source: Did Instagram Just Say It’s Rewriting Online Copyright?

Publishers bizarrely File Suit Against Internet Archive for Systematic Mass Scanning and Distribution of Literary Works

Today, member companies [Note only four members – ed] of the Association of American Publishers (AAP) filed a copyright infringement lawsuit against Internet Archive (“IA”) in the United States District Court for the Southern District of New York. The suit asks the Court to enjoin IA’s mass scanning, public display, and distribution of entire literary works, which it offers to the public at large through global-facing businesses coined “Open Library” and “National Emergency Library,” accessible at both openlibrary.org and archive.org. IA has brazenly reproduced some 1.3 million bootleg scans of print books, including recent works, commercial fiction and non-fiction, thrillers, and children’s books.

The plaintiffs—Hachette Book Group, HarperCollins Publishers, John Wiley & Sons and Penguin Random House—publish many of the world’s preeminent authors, including winners of the Pulitzer Prize, National Book Award, Newbery Medal, Man Booker Prize, Caldecott Medal and Nobel Prize.

Despite the self-serving library branding of its operations, IA’s conduct bears little resemblance to the trusted role that thousands of American libraries play within their communities and as participants in the lawful copyright marketplace. IA scans books from cover to cover, posts complete digital files to its website, and solicits users to access them for free by signing up for Internet Archive Accounts. The sheer scale of IA’s infringement described in the complaint—and its stated objective to enlarge its illegal trove with abandon—appear to make it one of the largest known book pirate sites in the world. IA publicly reports millions of dollars in revenue each year, including financial schemes that support its infringement design.

Source: Publishers File Suit Against Internet Archive for Systematic Mass Scanning and Distribution of Literary Works – AAP

This is book publishers filing against a library. Copyright has gone nuts.

The lawsuit was filed in Federal court in New York City by Penguin Random House, Hachette Book Group, John Wiley & Sons, and HarperCollins Publishers.

The complaint notes that these four publishers are all members of the Association of American Publishers (AAP). AAP was one of 40 signatories, including the NWU, of a joint Appeal from the Victims of Controlled Digital Lending issued in 2019. Two of the four publishers bringing the lawsuit are US subsidiaries of European parent companies (Hachette Livre, which is part of the Lagardère Publishing group, and Bertelsmann) that are affiliated with the Federation of European Publishers (FEP), which also co-signed the Appeal.

The court complaint, however, was brought only by the four named publishers, and not as a class action. At least as originally filed, neither AAP, FEP, nor any authors or organizations of authors are parties to the lawsuit. The NWU had no advance knowledge whatsoever regarding this lawsuit.

Source: Publishers Sue the Internet Archive for Scanning Books (National Writers Union)

Obviously though a large group of self-serving copyright vampires is congratulating the serving monkeys for killing off culture in favor of money in their collective pockets.