Daily Archives: September 6, 2020

‘Linusgate’: Namby pamby doesn’t like Linus calling FSF names at debconf, feels cancel cultury about it.

Posted on by

253 emails have been leaked from private (high-level) mailing lists of Debian, in which its representatives vocally complain about the talk Linus Torvalds gave at the most recent DebConf conference. Some people insist that he should be permanently banned from future conferences because the language he uses is inappropriate and infringes on the project’s Code of Conduct. This could set a very bad precedent for the open source community, which has recently seen an influx of various CoC policies applied to a number of high-profile projects mostly after very vocal concerns from the people who barely participate in the open source community. Some observers believe that it’s a plot by Microsoft to destroy the open source movement from the inside.

Source: ‘Linusgate’: Debian Project Leaders Want To Ban Linus Torvalds For His Manners – Slashdot

TCL Announces E Ink Color Display That Can Handle Video

Posted on by

Known for its tablets, TVs, and phones, TCL has this week announced a new technology, NXTPAPER, that could totally change how you think about e ink. E ink displays are known for being great to stare at for hours and perfect for reading books (and sometimes even comics), but the latest color displays from E Ink have low resolution and slow refresh rates, making them unusable for video. TCL claims its new NXTPAPER tech could be a solution.

TCL’s press release is a little confusing, as it appears to compare NXTPAPER both to E Ink’s displays and to traditional LCD displays that you find in most tablets and phones today. But by all accounts, the technology used in NXTPAPER sounds like e ink technology. The press release claims it will be 36% thinner than LCD displays and 65% more power-efficient—which lines up with the gains you get from e ink.

Last week, E Ink told the blog Good Ereader that it had plans to improve its own color E Ink technology. While we adore the first color E Ink devices, they’ve not been without their flaws, including a paltry 100-PPI resolution and slower refresh rates. E Ink promised to at least double the resolution to 200 PPI by 2021, with a goal of hitting 300 PPI—the resolution of high-end LCD and monochrome E Ink displays—at a later date.

We don’t know the exact planned resolution for TCL’s competing NXTPAPER technology, but the company claims it will be full HD, and that the text incorporated will allow it to have 25% higher contrast than traditional e ink devices

TCL also says it will offer a “paper-like visual experience in full color with no flicker and no harmful blue light” and that it will rely on natural light—which, again, sounds like e ink.

Source: TCL Announces E Ink Color Display That Can Handle Video

7 years later, US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anyway

Posted on by

The United States Court of Appeals for the Ninth Circuit has ruled [PDF] that the National Security Agency’s phone-call slurping was indeed naughty, seven years after former contractor Edward Snowden blew the whistle on the tawdry affair.

It’s been a long time coming, and while some might view the decision as a slap for officials that defended the practice, the three-judge panel said the part played by the NSA programme wasn’t sufficient to undermine the convictions of four individuals for conspiring to send funds to Somalia in support of a terrorist group.

Snowden made public the existence of the NSA data collection programmes in June 2013, and by June 2015 US Congress had passed the USA FREEDOM Act, “which effectively ended the NSA’s bulk telephony metadata collection program,” according to the panel.

The panel took a long, hard look at the metadata collection programme, which slurped the telephony of millions of Americans (as well as at least one of the defendants) and concluded that not only had the Fourth Amendment of the constitution likely been violated, it certainly flouted section 1861 of the Foreign Intelligence Surveillance Act (FISA), which deals with access to business records in foreign intelligence and international terrorism investigations.

“On the merits,” the ruling said, “the panel held that the metadata collection exceeded the scope of Congress’s authorization in 50 U.S.C. § 1861, which required the government to make a showing of relevance to a particular authorized investigation before collecting the records, and that the program therefore violated that section of FISA.”

So, both illegal and quite possibly unconstitutional.

It isn’t a good look for the intelligence services. The panel was able to study the classified records and noted that “the metadata did not and was not necessary to support the requisite probable cause showing for the FISA Subchapter I warrant application in this case.”

The panel went on to administer a light slapping to those insisting that the metadata programme was an essential element in the case. The evidence, such as it was, “did not taint the evidence introduced by the government at trial,” the panel observed before going on to say: “To the extent the public statements of government officials created a contrary impression, that impression is inconsistent with the contents of the classified record.”

Thus not only illegal, possibly unconstitutional but also not particularly helpful in this instance, no matter what officials might have insisted.

While the American Civil Liberties Union (ACLU) declared the ruling “a victory for our privacy rights”, the process could have a while to run yet, including a trip to America’s Supreme Court

Source: US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anyway • The Register

European ISPs report mysterious wave of DDoS attacks

Posted on by

More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure.

The list of ISPs that suffered attacks over the past week includes Belgium’s EDP, France’s Bouygues TélécomFDNK-netSFR, and the Netherlands’ CaiwayDeltaFreedomNetOnline.nl, Signet, and Tweak.nl.

Attacks lasted no longer than a day and were all eventually mitigated, but ISP services were down while the DDoS was active.

NBIP, a non-profit founded by Dutch ISPs to collectively fight DDoS attacks and government wiretapping attempts, provided ZDNet with additional insights into the past week’s incidents.

“Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs,” a spokesperson said. “Most of [the attacks] were DNS amplification and LDAP-type of attacks.”

“Some of the attacks took longer than 4 hours and hit close to 300Gbit/s in volume,” NBIB said.

[…]

Source: European ISPs report mysterious wave of DDoS attacks | ZDNet

These students figured out their tests were graded by AI — and the easy way to cheat – The Verge

Posted on by

Simmons, who is a history professor herself. Then, Lazare clarified that he’d received his grade less than a second after submitting his answers. A teacher couldn’t have read his response in that time, Simmons knew — her son was being graded by an algorithm.

Simmons watched Lazare complete more assignments. She looked at the correct answers, which Edgenuity revealed at the end. She surmised that Edgenuity’s AI was scanning for specific keywords that it expected to see in students’ answers. And she decided to game it.

[…]

Now, for every short-answer question, Lazare writes two long sentences followed by a disjointed list of keywords — anything that seems relevant to the question. “The questions are things like… ‘What was the advantage of Constantinople’s location for the power of the Byzantine empire,’” Simmons says. “So you go through, okay, what are the possible keywords that are associated with this? Wealth, caravan, ship, India, China, Middle East, he just threw all of those words in.”

“I wanted to game it because I felt like it was an easy way to get a good grade,” Lazare told The Verge. He usually digs the keywords out of the article or video the question is based on.

Apparently, that “word salad” is enough to get a perfect grade on any short-answer question in an Edgenuity test.

Edgenuity didn’t respond to repeated requests for comment, but the company’s online help center suggests this may be by design. According to the website, answers to certain questions receive 0% if they include no keywords, and 100% if they include at least one. Other questions earn a certain percentage based on the number of keywords included.

[…]

One student, who told me he wouldn’t have passed his Algebra 2 class without the exploit, said he’s been able to find lists of the exact keywords or sample answers that his short-answer questions are looking for — he says you can find them online “nine times out of ten.” Rather than listing out the terms he finds, though, he tried to work three into each of his answers. (“Any good cheater doesn’t aim for a perfect score,” he explained.)

Source: These students figured out their tests were graded by AI — and the easy way to cheat – The Verge

Bill Barr to destroy antitrust case vs Google by forcing DoJ complaint filed before case is ready but before Trump re-election voting

Posted on by

Several interested parties in the U.S. government have been looking to put Google’s head on a spike, and while undoubtedly there’s been some degree of jockeying between them for which will ultimately get the credit, they’ve been proceeding with care and caution in the interest of building an ironclad case against a particularly canny opponent. Leave it to Bill Barr—who in a better world would instead star in a live-action remake of Droopy Dog— to take all that hard work and piss it away.

Per reporting in the New York Times, “Justice Department officials told lawyers involved in the antitrust inquiry into Alphabet […] to wrap up their work by the end of September.” These lawyers apparently viewed the new, abrupt deadline—against an enormously powerful company with nearly unlimited resources to throw at a comprehensive legal defense—as “arbitrary.”

In all likeliness it’s anything but arbitrary. As we near the general election in November, the Trump camp is looking for a win to hang its hat on. We’ve already seen the president decide—seemingly mid-interview with Axios’s Jonathan Swan—to cut the number of troops deployed in Afghanistan by half, and likewise claim during his keynote speech at the RNC that he will release a covid-19 vaccine. Not coincidentally, both of these miraculous claims are projected (by Trump and seemingly only Trump) to come to fruition around November. Breaking up Google, which is increasingly a source of ire for Republicans and Democrats (albeit for wildly different reasons) appears to be a gambit by Barr to find that win—or at least the appearance of one.

We’ve reached out to Google and the Department of Justice for comment and will update if we hear back.

As mentioned, the DOJ isn’t the only game in town where fining, regulating, or otherwise frustrating Google’s market dominance is concerned. A coalition of 50 state attorneys general is also probing the company, while the FTC, the House’s Antitrust Subcommittee, and the Senate Antitrust Subcommittee have ongoing investigations more broadly into the practices of big tech. All have been gathering evidence for a year or more, which is what makes Barr’s hastiness particularly egregious. Per the Times:

Some lawyers in the department worry that Mr. Barr’s determination to bring a complaint this month could weaken their case and ultimately strengthen Google’s hand, according to interviews with 15 lawyers who worked on the case or were briefed on the department’s strategy […] Many career staff members in the antitrust division, including more than a dozen who were hired during the Trump administration, considered the evidence solid that Google’s search and advertising businesses violated antitrust law. But some told associates that Mr. Barr was forcing them to come up with “half-baked” cases so he could unveil a complaint by Sept. 30.

As is the case with most would-be totalitarians, the appearance of strength for Trump is often pursued at the expense of actually wielding power effectively. If true, Barr’s reported plan to jump the gun on a Google antitrust case is a prime example. By looking the part and going after Google now, he would be likely to undermine the other existing cases against the company. If, say, Google manages to dodge claims by the DOJ of a monopoly on web search advertising (of which it controls more than 90% of the market), that becomes precedent the FTC or House needs to overcome to prove said monopoly exists.

Regulating big tech—and regulating it in a smart and comprehensive way—would be a steep uphill climb in the best of political climates. Leave it to Trump and his lackeys to carve that hill into a sheer cliff face and slather it in grease. Maybe someone else will clean it up.

Source: Report: DOJ Puts to File Google Antitrust Case in September

After Facebook Balks, Apple Delays “Privacy” (ie only Apple spies on you) Feature

Posted on by

In June, Apple unveiled plans for an iOS 14 privacy update that forces developers to gather users’ consent before tracking their activities across third-party apps and websites. Needless to say, giving users more control over how their information is gathered and trafficked is expected to bruise advertisers—especially Facebook, which uses that information to narrow its targeting functions.

As the initial autumn deadline closed in, Facebook protested last week that the change could render Facebook’s Audience Network—its ad service offered to third-party apps—“so ineffective on iOS 14 that it may not make sense to offer it on iOS 14 in the future.” The company claimed that blocking personalization is expected to cut Audience Network revenue by half or more, and that the move would hurt the over 19,000 developers who work with Facebook, many of which are “small businesses that depend on ads to support their livelihood.”

Apple’s messaging to users, as illustrated in the latest promo images for iOS 14, doesn’t give surveillance a nice ring. It will tell you bluntly that such-and-such app “would like permission to track you across apps and websites owned by other companies.” Apple pointed out to Gizmodo that it still embraces in-app advertising and does not prohibit tracking. In fact, Facebook can still gather that data (using Apple’s advertiser ID), if it’s willing to ask iOS users to agree to be tracked (using that scary messaging.) But both Apple and Facebook know that the data collection business operates more smoothly when begging for forgiveness later rather than asking permission now. If not, companies wouldn’t have mastered the art of doublespeak and constructed labyrinthine settings menus.

Apple, on the other hand, will still be able to benefit from gathering your information in various ways without asking permission because Apple doesn’t necessarily need to share or gather your information with data brokers and outside companies—your data is already growing organically within Apple’s walled garden. For example, Apple might show you an ad for a weight loss app in the App Store based on the fact that you read an article from a lifestyle publication in the Apple News app—a function which is automatically enabled, and can be toggled off, under “Apple Advertising.” Similarly, Apple says that developers can use data gained from activity within their own apps through Apple’s vendor-specific identifier. (Apple says that the “tracking” prompt would still show up if Apple-created apps intend to share information beyond Apple.)

But it’s hard to imagine a competing vendor that would have access to such a sprawling network of native data, aside from Google, which has its own devices and browser and advertiser ID. And sticking the notification on Facebook polishes Apple’s self-fashioned reputation a big tech company which values privacy. (It is not.)

[…]

Apple says that now apps won’t need to ask users permission to be tracked until 2021, “to give developers time to make necessary changes.” Apple will also require developers to submit details on the data their apps collect—including “sensitive information” such as race, sexual orientation, disability, and political affiliation—which will be published in the App Store later this year.

Source: After Facebook Balks, Apple Delays Privacy Feature

Facebook finally joins responsible disclosure for bugs they find

Posted on by

Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that’s the right thing to do.

“Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software,” the company writes. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”

The Social Network™ has made itself the arbiter of what needs to be disclosed and when it needs to be disclosed. The company’s policy is to contact “the appropriate responsible party” and give them 21 days to respond.

“Facebook will evaluate based on our interpretation of the risk to people.”

“If we don’t hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability,” the policy says, adding: “If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability.”

But the company has also outlined exceptions to those rules, with acceleration of disclosure if a bug is already being exploited and slowing down news “If a project’s release cycle dictates a longer window.”

The third reason is:

“If a fix is ready and has been validated, but the project owner unnecessarily delays rolling out the fix, we might initiate the disclosure prior to the 90-day deadline when the delay might adversely impact the public.”

Facebook “will evaluate each issue on a case-by-case basis based on our interpretation of the risk to people.”

The policy isn’t wildly difficult from that used by Google’s Project Zero, which also discloses bugs after 90 days and also offers extensions under some circumstances.

Source: Facebook to blab bugs it finds if it thinks code owners aren’t fixing fast enough • The Register

The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy

Posted on by

In July 2017, Tesla CEO Elon Musk got on stage at the National Governors Association in Rhode Island and confirmed that a “fleet-wide hack” is one of Tesla’s biggest concerns as the automaker moves to autonomous vehicles.

He even presented a strange scenario that could happen in an autonomous future:

“In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say ‘send them all to Rhode Island’ [laugh] – across the United States… and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.”

What Musk knew that the public didn’t was that Tesla got a taste of that actually happening just a few months prior to his talk.

The Big Tesla Hack

Back in 2017, Jason Hughes was already well known in the Tesla community under his WK057 alias on the forums.

He was an early member of the Tesla “root access” community, a group of Tesla owners who would hack their own cars to get more control over them and even unlock unreleased features.

[…]

After Tesla started to give customers access to more data about Supercharger stations, mainly the ability to see how many chargers were currently available at a specific charging station through its navigation app, Hughes decided to poke around and see if he could expose the data.

He told Electrek:

“I found a hole in the server-side of that mechanism that allowed me to basically get data for every Supercharger worldwide about once every few minutes.”

The hacker shared the data on the Tesla Motors Club forum, and the automaker seemingly wasn’t happy about it.

Someone who appeared to be working at Tesla posted anonymously about how they didn’t want the data out there.

Hughes responded that he would be happy to discuss it with them.

20 minutes later, he was on a conference call with the head of the Supercharger network and the head of software security at Tesla.

They kindly explained to him that they would prefer for him not to share the data, which was technically accessible through the vehicles. Hughes then agreed to stop scraping and sharing the Supercharger data.

After reporting his server exploit through Tesla’s bug reporting service, he received a $5,000 reward for exposing the vulnerability.

With now having more experience with Tesla’s servers and knowing that their network wasn’t the most secure, to say the least, he decided to go hunting for more bug bounties.

After some poking around, he managed to find a bunch of small vulnerabilities.

The hacker told Electrek:

“I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was ‘Mothership’.”

Mothership is the name of Tesla’s home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through “Mothership.”

After downloading and dissecting the data found in the repository, Hughes started using his car’s VPN connection to poke at Mothership. He eventually landed on a developer network connection.

That’s when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla’s fleet.

All he needed was a vehicle’s VIN number, and he had access to all of those through Tesla’s “tesladex” database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.

At the time, I gave Hughes the VIN number of my own Tesla Model S, and he was able to give me its exact location and any other information about my own vehicle.

[…]

Hughes couldn’t really send Tesla cars driving around everywhere like Tesla’s CEO described in a strange scenario few months later, but he could “Summon” them.

In 2016, Tesla released its Summon feature, which enables Tesla owners to remotely move their cars forward or backward a few dozen feet without anyone in them.

[…]

the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit:

Source: The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy – Electrek