Cars, planes, trains: where do CO2 emissions from transport come from?

In the chart here we see global transport emissions in 2018. This data is sourced from the International Energy Agency (IEA).

Road travel accounts for three-quarters of transport emissions. Most of this comes from passenger vehicles – cars and buses – which contribute 45.1%. The other 29.4% comes from trucks carrying freight.

Since the entire transport sector accounts for 21% of total emissions, and road transport accounts for three-quarters of transport emissions, road transport accounts for 15% of total CO2 emissions.

Aviation – while it often gets the most attention in discussions on action against climate change – accounts for only 11.6% of transport emissions. It emits just under one billion tonnes of CO2 each year – around 2.5% of total global emissions [we look at the role that air travel plays in climate change in more detail in an upcoming article]. International shipping contributes a similar amount, at 10.6%.

Rail travel and freight emits very little – only 1% of transport emissions. Other transport – which is mainly the movement of materials such as water, oil, and gas via pipelines – is responsible for 2.2%.

Source: Cars, planes, trains: where do CO2 emissions from transport come from? – Our World in Data

Listening in on your XR11 remote from 20m away

Guardicore discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room. Prior to its remediation by Comcast, the attack, dubbed WarezTheRemote, was a very real security threat: with more than 18 million units deployed across homes in the USA, the XR11 is one of the most widespread remote controls in existence.

WarezTheRemote used a man-in-the-middle attack to exploit the remote’s RF communication with the set-top box and over-the-air firmware upgrades – by pushing a malicious firmware image back to the remote, attackers could have used the remote to continuously record audio without user interaction.

The attack did not require physical contact with the targeted remote or any interaction from the victim – any hacker with a cheap RF transceiver could have used it to take over an XR11 remote. Using a 16dBi antenna, we were able to listen to conversations happening in a house from about 65 feet away. We believe this could have been amplified easily using better equipment.

We worked with Comcast’s security team after finding the vulnerability and they have released fixes that remediate the issues that made the attack possible.

You can download our full research paper for the technical details of the WarezTheRemote project. You’ll find much more information on the reverse-engineering process inside, as well as a more bits-and-bytes perspective on the vulnerability and the exploit.

Source: A New Attack Vector Discovered in Comcast’s Remote | Guardicore

Nvidia unveils $59 Nvidia Jetson Nano 2GB mini AI board

New Jetson Nano mini AI computer

The Jetson Nano 2GB Developer Kit, announced this week, is a single-board computer – like the Raspberry Pi – though geared towards machine learning rather than general computing. If you like the idea of simple AI projects running on a dedicated board, such as building your own mini self-driving car or an object-recognition system for your home, this one might be for you.

It runs Nvidia CUDA code and provides a Linux-based environment. At only $59 a pop, it’s pretty cheap and a nifty bit of hardware if you’re just dipping your toes in deep learning. As its name suggests, it has 2GB of RAM, plus four Arm Cortex-A57 CPU cores clocked at 1.43GHz and a 128-core Nvidia Maxwell GPU. There are other bits and pieces like gigabit Ethernet, HDMI output, a microSD slot for storage, USB interfaces, GPIO and UART pins, Wi-Fi depending on your region, and more.

“While today’s students and engineers are programming computers, in the near future they’ll be interacting with, and imparting AI to, robots,” said Deepu Talla, vice president and general manager of Edge Computing at Nvidia. “The new Jetson Nano is the ultimate starter AI computer that allows hands-on learning and experimentation at an incredibly affordable price.”

Source: Nvidia unveils $59 Nvidia Jetson Nano 2GB mini AI board, machine learning that slashes vid-chat data by 90%, and new super for Britain • The Register

Europe’s top court confirms no mass surveillance without limits

Europe’s top court has delivered another slap-down to indiscriminate government mass surveillance regimes.

In a ruling today the CJEU has made it clear that national security concerns do not exclude EU Member States from the need to comply with general principles of EU law such as proportionality and respect for fundamental rights to privacy, data protection and freedom of expression.

However the court has also allowed for derogations, saying that a pressing national security threat can justify limited and temporary bulk data collection and retention — capped to ‘what is strictly necessary’.

While threats to public security or the need to combat serious crime may also allow for targeted retention of data provided it’s accompanied by ‘effective safeguards’ and reviewed by a court or independent authority.

 

The reference to the CJEU joined a number of cases, including legal challenges brought by rights advocacy group Privacy International to bulk collection powers baked into the UK’s Investigatory Powers Act; a La Quadrature du Net (and others’) challenge to a 2015 French decree related to specialized intelligence services; and a challenge to Belgium’s 2016 law on collection and retention of comms data.

Civil rights campaigners had been eagerly awaiting today’s judgements from the Grand Chamber, following an opinion by an advisor to the court in January which implied certain EU Member States’ surveillance regimes were breaching the law.

At the time of writing key complainants had yet to issue a response.

Of course a government agency’s definition of how much data collection is ‘strictly necessary’ in a national security context (or, indeed, what constitutes an ‘effective safeguard’) may be rather different to the benchmark of civil rights advocacy groups — so it seems unlikely this ruling will be the last time the CJEU is asked to clarify where the legal limits of mass surveillance lie.

 

Additionally, the judgement raises interesting questions over the UK’s chances of gaining a data protection adequacy agreement from the European Commission — as it leaves the EU in 2021 at the end of the Brexit transition process this year — something it needs for digital data flows from the EU to continue uninterrupted as now.

The problem is the UK’s Investigatory Powers Act (IPA) gives government agencies broad powers to intercept and retain digital communications — but here the CJEU is making it clear that such bulk powers must be the exception, not the statutory rule.

So, again, a battle over definitions could be looming…

[…]

Another interesting component of today’s CJEU judgement suggests that in EU states with indiscriminate mass surveillance regimes there could be grounds for overturning individual criminal convictions which are based on evidence obtained via such illegal surveillance.

On this, the court writes in a press release: “As EU law currently stands, it is for national law alone to determine the rules relating to the admissibility and assessment, in criminal proceedings against persons suspected of having committed serious criminal offences, of information and evidence obtained by the retention of data in breach of EU law. However, the Court specifies that the directive on privacy and electronic communications, interpreted in the light of the principle of effectiveness, requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law, in the context of such criminal proceedings, where those persons suspected of having committed criminal offences are not in a position to comment effectively on that information and evidence.”

Update: Privacy International has now responded to the CJEU judgements, saying the UK, French and Belgian surveillance regimes must be amended to be brought within EU law.

In a statement, legal director Caroline Wilson Palow said: “Today’s judgment reinforces the rule of law in the EU. In these turbulent times, it serves as a reminder that no government should be above the law. Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies.

“While the Police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power. They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights.”

Source: Europe’s top court confirms no mass surveillance without limits | TechCrunch

Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are

  • Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app/API
  • Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves
  • Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas
  • Precise user location data also leaked by API, including personal information and private chats
  • Vendor initially responsive, then missed three remediation deadlines they set themselves over a 6 month period
  • Then finally refused to interact any further, even though majority of issues were resolved in migration to v2 API, yet API v1 inexcusably left available
  • This post is published in coordination with Internet of Dongs.

Smart adult toys and us

We haven’t written about smart adult toys in a long time, but the Qiui Cellmate chastity cage was simply too interesting to pass by. We were tipped off about the adult chastity device, designed to lock-up the wearer’s appendage.

There are other male chastity devices available but this is a Bluetooth (BLE) enabled lock and clamp type mechanism with a companion mobile app. The idea is that the wearer can give control of the lock to someone else.

We are not in the business of kink shaming. People should be able to use these devices safely and securely without the risk of sensitive personal data being leaked.

The security of the teledildonics field is interesting in its own right. It’s worth noting that sales of smart adult toys have risen significantly during the recent lockdown.

What is the risk to users?

We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock. The tube is locked onto a ring worn around the base of the genitals, making things inaccessible. An angle grinder or other suitable heavy tool would be required to cut the wearer free.

Location, plaintext password and other personal data was also leaked, without need for authentication, by the API.

We had particular problems during the disclosure process, as we would usually ask the vendor to take down a leaky API whilst remediation was being implemented. However, anyone currently using the device when the API was taken offline would also be permanently locked in!

As you will see in the disclosure timeline at the bottom of this post, some issues were remediated but others were not, and the vendor simply stopped replying to us, journalists, and retailers. Given the trivial nature of finding some of these issues, and that the company is working on another device that poses even greater potential physical harm (an “internal” chastity device), we have felt compelled to publish these findings at this point.

Source: Smart male chastity lock cock-up | Pen Test Partners

The IRS Is Being Investigated for Using Bought Location Data Without a Warrant – Wait there’s a company called Venntel that sells this and that’s OK?

The body tasked with oversight of the IRS announced in a letter that it will investigate the agency’s use of location data harvested from ordinary apps installed on peoples’ phones, according to a copy of the letter obtained by Motherboard.

The move comes after Senators Ron Wyden and Elizabeth Warren demanded a formal investigation into how the IRS used the location data to track Americans without a warrant.

“We are going to conduct a review of this matter, and we are in the process of contacting the CI [Criminal Investigation] division about this review,” the letter, signed by J. Russell George, the Inspector General, and addressed to the Senators, reads. CI has a broad mandate to investigate abusive tax schemes, bankruptcy fraud, identity theft, and many more similar crimes. Wyden’s office provided Motherboard with a copy of the letter on Tuesday.

In June, officials from the IRS Criminal Investigation unit told Wyden’s office that it had purchased location data from a contractor called Venntel, and that the IRS had tried to use it to identify individual criminal suspects. Venntel obtains location data from innocuous looking apps such as games, weather, or e-commerce apps, and then sells access to the data to government clients.

A Wyden aide previously told Motherboard that the IRS wanted to find phones, track where they were at night, use that as a proxy as to where the individual lived, and then use other data sources to try and identify the person. A person who used to work for Venntel previously told Motherboard that Venntel customers can use the tool to see which devices are in a particular house, for instance.

The IRS’ attempts were not successful though, as the people the IRS was looking for weren’t included in the particular Venntel data set, the aide added.

But the IRS still obtained this data without a warrant, and the legal justification for doing so remains unclear. The aide said that the IRS received verbal approval to use the data, but stopped responding to their office’s inquiries.

[…]

Source: The IRS Is Being Investigated for Using Location Data Without a Warrant

Facebook revenue chief says ad-supported model is ‘under assault’ – boo hoo, turns out people like their privacy

Facebook Chief Revenue Officer David Fischer said Tuesday that the economic models that rely on personalized advertising are “under assault” as Apple readies a change that would limit the ability of Facebook and other companies to target ads and estimate how well they work.

The change to Apple’s identifier for advertisers, or IDFA, will give iPhone users the option to block tracking when opening an app. It was originally planned for iOS 14, the version of the iPhone operating system that was released last month. But Apple said last month it was delaying the rollout until 2021 “to give developers time to make necessary changes.”

Fischer, speaking at a virtual Advertising Week session Tuesday, spoke about the changes after being asked about Facebook’s vulnerability to the companies that control mobile platforms, such as Apple and Google, which runs Android.

Fischer argued that though there’s “angst and concern” about the risks of technology, personalized and targeted advertising has been essential to help the internet grow.

“The economic model that not just we at Facebook but so many businesses rely on, this model is worth preserving, one that makes content freely available, and the business that makes it run and hum, is via advertising,” he said.

“And right now, frankly, some of that is under assault, that the very tools that entrepreneurs, that businesses are relying on right now are being threatened. To me, the changes that Apple has proposed, pretty sweeping changes, are going to hurt developers and businesses the most.”

Apple frames the change as preserving users’ privacy, rather than as an attack on the advertising industry, and has been promoting its privacy features as a core reason to get an iPhone. It comes as consumers are increasingly wary about their online privacy following scandals with various companies, including Facebook.

[…]

Source: Facebook revenue chief says ad-supported model is ‘under assault’

Apple, Facebook, Google, Amazon Are Monopolies: Antitrust Committee

Just as you suspected, Big Tech is dominated by monopolies, a House Judiciary antitrust subcommittee found.

After more than a year of investigating Apple, Facebook, Google, and Amazon’s behavior, lawmakers released a 449-page report with their findings on Tuesday, complete with recommendations that the four companies be broken up to make the market more competitive.

The committee found that each company dominated its respective markets—Facebook in social networking, Google in general online search and search advertising, Amazon in online retail, and Apple in mobile operating systems—to such an extent as to be anticompetitive. The companies “abuse their power by charging exorbitant fees, imposing oppressive contract terms, and extracting valuable data from the people who rely on them,” the Democratic-led committee’s report outlined.

The report goes on to eviscerate the four companies: “To put it simply, companies that once were scrappy, underdog startups that challenged the status quo have become the kinds of monopolies we last saw in the era of oil barons and railroad tycoons. Although these firms have delivered clear benefits to society, the dominance of Amazon, Apple, Facebook, and Google has come at a price. These firms typically run the marketplace while also competing in it — a position that enables them to write one set of rules for others, while they play by another, or to engage in a form of their own private quasi regulation that is unaccountable to anyone but themselves.”

Not only do those companies acquire smaller ones, either to hire their talent or to kill or incorporate their products, but their mere existence chills potential investment to start-ups that may be considered competitive, the committee found.

The committee also noted that Big Tech’s acquisitions haven’t been closely vetted by regulators. For example, Facebook has snatched up nearly 100 smaller companies over the years, and just one, its deal to acquire Instagram in 2012, received scrutiny from the Federal Trade Commission.

That lack of oversight, according to the findings, has degraded the user experience in many cases because tech companies don’t have any competition to do better—particularly when it comes to privacy.

“In the absence of adequate privacy guardrails in the United States, the persistent collection and misuse of consumer data is an indicator of market power online,” the committee noted. “Online platforms rarely charge consumers a monetary price—products appear to be ‘free’ but are monetized through people’s attention or with their data. In the absence of genuine competitive threats, dominant firms offer fewer privacy protections than they otherwise would, and the quality of these services has deteriorated over time. As a result, consumers are forced to either use a service with poor privacy safeguards or forego the service altogether.”

In addition to recommending that the companies effectively be broken up, the committee recommended that antitrust laws and federal antitrust agencies be restored “to full strength.” Specifically, the committee advised that strengthening Section 7 of the Clayton Act and Section 2 of the Sherman Act would go a long way toward giving antitrust legislation more teeth.

Of course, the Big Four aren’t going to take this lying down. Amazon released a lengthy statement in which it argued that being a big company doesn’t necessarily make it an anticompetitive one, and that it comprises just 4% of the U.S. retail market. (Frankly, I am not at all sure how it arrived at that number—the antitrust committee pegged Amazon as controlling more than 40% of all online U.S. retail sales.) The company also argued that it helps consumers find low prices and small businesses find new markets. The committee noted that 37% of all third-party sellers on Amazon rely on the platform exclusively for income.

Source: Apple, Facebook, Google, Amazon Are Monopolies: Antitrust Committee

I have been talking about exactly this since the beginning of 2019 – it’s good to see others agree with me!

They are effectively accountable to no one and as a result “wield their dominance in ways that erode entrepreneurship, degrade Americans’ privacy online, and undermine the vibrancy of the free and diverse press. The result is less innovation, fewer choices for consumers, and a weakened democracy.”

[…]

It uses Facebook’s internal documents to argue that its “monopoly power is firmly entrenched and unlikely to be eroded by competitive pressure from new entrants or existing firms.” And it attacks the social network, arguing that “in the absence of competition, Facebook’s quality has deteriorated over time, resulting in worse privacy protections for its users and a dramatic rise in misinformation on its platform.”

Google, it says upfront, “has a monopoly in the markets for general online search and search advertising.” And, it finds, it has “maintained its monopoly over general search through a series of anti-competitive tactics,” including undermining other search providers, stealing content “to boost Google’s own inferior vertical offerings,” and penalizing competitors.

By growing into ever more services and connecting them together, Google “increasingly functions as an ecosystem of interlocking monopolies,” the report states.

Amazon has “engaged in extensive anti-competitive conduct in its treatment of third-party sellers” and has abused its role as both seller and marketplace controller, the report states. Both its Alexa digital assistant and Amazon Web Services (AWS) are identified as potential targets of antitrust activity and possible diversification.

And Apple “exerts monopoly power in the mobile app store market, controlling access to more than 100 million iPhones and iPads in the US.”

The report notes: “In the absence of competition, Apple’s monopoly power over software distribution to iOS devices has resulted in harms to competitors and competition, reducing quality and innovation among app developers, and increasing prices and reducing choices for consumers.”

The report is also heavy on the impact of these monopolies: it accuses Facebook and Google of being a significant factor in “the decline of trustworthy sources of news, which is essential to our democracy.”

It argues that collectively the tech giants have “materially weakened innovation and entrepreneurship in the US economy.” And that they have undermined Americans’ basic right to privacy by developing and driving business models that work by selling personal data rather than accepting payment directly.

Give me liberty or give me… the FTC

And, in a final punch to the face, the report accuses them of “undermining both political and economic liberties” by instilling fear through the use of their “unaccountable and arbitrary power,” and using their massive resources to direct and influence policy-making “further shaping how they are governed and regulated.”

In order to counteract all these negative impacts, the report makes a long series of recommendations, including, most significantly, “structural separations and prohibitions of certain dominant platforms from operating in adjacent lines of business.” In other words, breaking up companies.

[…]

And it wants the Big Four to feel the force of the US legal system by “strengthening private enforcement, through eliminating obstacles such as forced arbitration clauses, limits on class action formation, judicially created standards constraining what constitutes an antitrust injury, and unduly high pleading standards.”

What now?

In short, the report is everything that Apple, Amazon, Facebook and Google feared it would be; the only surprise however is that what had become obvious during the committee’s investigations was watered down significantly in the final report.

Of course, there is still a long way to go before any of the report’s recommendations become a reality. Even within the committee, there is not unanimity, with some Republican members expressing concerns over breaking up companies in particular. Republicans will also be more ideologically opposed to adding regulations or removing companies’ ability to arbitrate disputes themselves, rather than through the courts.

And then of course there is the enormous collective power of Apple, Amazon, Facebook and Google – some of the world’s largest and richest corporations – who will be willing and able to do anything to protect their markets and profits.

Source: Big Tech to face its Ma Bell moment? US House Dems demand break-up of ‘monopolists’ Apple, Amazon, Facebook, Google

SmartShooter ‘Automatically’ Shoots Drones Out of the Sky using Colt personal gun

The Air Force was already familiar with the possibilities of the ‘SmartShooter’ smart aiming system. The only thing that was unknown was whether it is also effective in combination with the Colt C7 5.56mm long-range automatic rifle.

Operation

The system uses video analysis. A shooter aims his weapon at the target with the SmartShooter. So far, it is the same as with a normal aiming system. With the SmartShooter, the shooter selects the target by pulling the trigger, and holds the pulled trigger while continuing to aim at the target.

As soon as the system ‘sees’ that the target will be hit, the SmartShooter automatically will fire the weapon. So, it does not work autonomously, and the shooter selects the target, aims and pulls the trigger.

Effective

When the Dutch Army organized a shooting day to experiment with the SmartShooter system, the Air Force joined in to test its effectiveness against drones. A section of the top ten UAS detected by the Air Force in the Netherlands was fired at.

The Colt rifle in combination with the SmartShooter system proved to be very effective: all targets were eliminated with a few rounds.

Source: SmartShooter ‘Automatically’ Shoots Drones Out of the Sky