The Linkielist

Linking ideas with the world

The Linkielist

Monthly Archives: January 2021

ODoH: Cloudflare and Apple design a new privacy-friendly internet protocol for DNS

Posted on by

Engineers at Cloudflare and Apple say they’ve developed a new internet protocol that will shore up one of the biggest holes in internet privacy that many don’t know even exists. Dubbed Oblivious DNS-over-HTTPS, or ODoH for short, the new protocol makes it far more difficult for internet providers to know which websites you visit.

But first, a little bit about how the internet works.

Every time you go to visit a website, your browser uses a DNS resolver to convert web addresses to machine-readable IP addresses to locate where a web page is located on the internet. But this process is not encrypted, meaning that every time you load a website the DNS query is sent in the clear. That means the DNS resolver — which might be your internet provider unless you’ve changed it — knows which websites you visit. That’s not great for your privacy, especially since your internet provider can also sell your browsing history to advertisers.

Recent developments like DNS-over-HTTPS (or DoH) have added encryption to DNS queries, making it harder for attackers to hijack DNS queries and point victims to malicious websites instead of the real website you wanted to visit. But that still doesn’t stop the DNS resolvers from seeing which website you’re trying to visit.

Enter ODoH, which builds on previous work by Princeton academics. In simple terms, ODoH decouples DNS queries from the internet user, preventing the DNS resolver from knowing which sites you visit.

Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.

“What ODoH is meant to do is separate the information about who is making the query and what the query is,” said Nick Sullivan, Cloudflare’s head of research.

In other words, ODoH ensures that only the proxy knows the identity of the internet user and that the DNS resolver only knows the website being requested. Sullivan said that page loading times on ODoH are “practically indistinguishable” from DoH and shouldn’t cause any significant changes to browsing speed.

A key component of ODoH working properly is ensuring that the proxy and the DNS resolver never “collude,” in that the two are never controlled by the same entity, otherwise the “separation of knowledge is broken,” Sullivan said. That means having to rely on companies offering to run proxies.

Sullivan said a few partner organizations are already running proxies, allowing for early adopters to begin using the technology through Cloudflare’s existing 1.1.1.1 DNS resolver. But most will have to wait until ODoH is baked into browsers and operating systems before it can be used. That could take months or years, depending on how long it takes for ODoH to be certified as a standard by the Internet Engineering Task Force.

Source: Cloudflare and Apple design a new privacy-friendly internet protocol | TechCrunch

Light Commands: Hacking Voice Assistants with Lasers / Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable

Posted on by

Our laser-based injection attack Light Commands shows how microphones can respond to light as if it was sound. By simply modulating the amplitude of laser light, we can inject fully inaudible and invisible commands into microphones of smart speakers, phones, and tablets, across large distances and through glass windows.

In this talk, we will show:

  1. How Light Commands works by exploiting a physical vulnerability of MEMS microphones,
  2. How it’s possible to remotely inject and execute unauthorized commands on Alexa, Portal, Google, and Siri voice assistants
  3. How the ecosystem of devices connected to these voice assistants, such as smart-locks, home switches, and even cars, fail under common security vulnerabilities (e.g. PIN bruteforcing) that make the attack more dangerous

Source: Light Commands: Hacking Voice Assistants with Lasers – Black Hat Europe 2020 | Briefings Schedule

Turn a Touch Interface Touchless with Intel RealSense TCS

Posted on by

Today, Intel announced Intel® RealSense™ Touchless Control Software (TCS), a simple solution for converting a touch-based kiosk or digital sign into a safer, touchless one while maintaining a familiar and intuitive user experience. With the pandemic affecting people worldwide, pay and check-in stations, automated teller machines and ordering kiosks could use the Intel RealSense software and camera to offer safer, touch-free options.

Source: Turn a Touch Interface Touchless with Intel RealSense TCS | Intel Newsroom

Content Moderation Case Study: SoundCloud Combats Piracy By Giving Universal Music The Power To Remove Uploads (2014)

Posted on by

n most cases, allegedly infringing content is removed at the request of rights holders following the normal DMCA takedown process. A DMCA notice is issued and the site responds by removing the content and — in some cases — allowing the uploader to challenge the takedown.

SoundCloud has positioned itself as a host of user-created audio content, relying on content creators to upload original works. But, like any content hosting site, it often found itself hosting infringing content not created by the uploader.

Realizing the potential for SoundCloud to be overrun with infringing content, the platform became far more proactive as it gained users and funding.

Rather than allow the normal DMCA process to work, SoundCloud allowed one major label to set the terms of engagement. This partnership resulted in Universal being able to unilaterally remove content it believed was infringing without any input from SoundCloud or use of the normal DMCA process.

One user reported his account was closed due to alleged infringement contained in his uploaded radio shows. When he attempted to dispute the removals and the threatened shuttering of his account, he was informed by the platform it was completely out of SoundCloud’s hands.

Your uploads were removed directly by Universal. This means that SoundCloud had no control over it, and they don’t tell us which part of your upload was infringing.

The control of removing content is completely with Universal. This means I can’t tell you why they removed your uploads and not others, and you would really need to ask them that question.

Unfortunately, there was no clear appeal process for disputing the takedown, leaving the user without his account or his uploads.

[…]

SoundCloud continues to allow labels like Universal to perform content removals without utilizing the DMCA process or engaging with the platform directly. Users are still on their own when it comes to content declared infringing by labels. This appears to flow directly from SoundCloud’s long-running efforts to secure licensing agreements with major labels. And that appears to flow directly from multiple threats of copyright litigation from some of the same labels SoundCloud is now partnered with

Source: Content Moderation Case Study: SoundCloud Combats Piracy By Giving Universal Music The Power To Remove Uploads (2014) | Techdirt

And having said that, DMCA is a process that is very very far from perfect and is used to bully smaller players in the market by the big boys with big lawyer pockets.

Whatsapp locks you in – you can’t export all your chats. And now it will share everything with Facebook

Posted on by

Yes, you can back up your database and if you’re rooted, you can find a key to it, but that will give you the chat in database form. You won’t get your pictures and videos etc. You can download them seperately though.

Yes, you can export a single chat / chatgroup, but doing that for the thousands of chats you probably have is not practically possible.

So you’re stuck. Either you share all your data with Facebook or you get rid of your chat history.

Lock down the permissions WhatsApp has – it has way too many!

WhatsApp Has Shared Your Data With Facebook since 2016, actually.

Posted on by

Since Facebook acquired WhatsApp in 2014, users have wondered and worried about how much data would flow between the two platforms. Many of them experienced a rude awakening this week, as a new in-app notification raises awareness about a step WhatsApp actually took to share more with Facebook back in 2016.

On Monday, WhatsApp updated its terms of use and privacy policy, primarily to expand on its practices around how WhatsApp business users can store their communications. A pop-up has been notifying users that as of February 8, the app’s privacy policy will change and they must accept the terms to keep using the app. As part of that privacy policy refresh, WhatsApp also removed a passage about opting out of sharing certain data with Facebook: “If you are an existing user, you can choose not to have your WhatsApp account information shared with Facebook to improve your Facebook ads and products experiences.”

Some media outlets and confused WhatsApp users understandably assumed that this meant WhatsApp had finally crossed a line, requiring data-sharing with no alternative. But in fact the company says that the privacy policy deletion simply reflects how WhatsApp has shared data with Facebook since 2016 for the vast majority of its now 2 billion-plus users.

When WhatsApp launched a major update to its privacy policy in August 2016, it started sharing user information and metadata with Facebook. At that time, the messaging service offered its billion existing users 30 days to opt out of at least some of the sharing. If you chose to opt out at the time, WhatsApp will continue to honor that choice. The feature is long gone from the app settings, but you can check whether you’re opted out through the “Request account info” function in Settings.

Meanwhile, the billion-plus users WhatsApp has added since 2016, along with anyone who missed that opt-out window, have had their data shared with Facebook all this time. WhatsApp emphasized to WIRED that this week’s privacy policy changes do not actually impact WhatsApp’s existing practices or behavior around sharing data with Facebook.

[…]

None of this has at any point impacted WhatsApp’s marquee feature: end-to-end encryption. Messages, photos, and other content you send and receive on WhatsApp can only be viewed on your smartphone and the devices of the people you choose to message with. WhatsApp and Facebook itself can’t access your communications.

[…]

In practice, this means that WhatsApp shares a lot of intel with Facebook, including  account information like your phone number, logs of how long and how often you use WhatsApp, information about how you interact with other users, device identifiers, and other device details like IP address, operating system, browser details, battery health information, app version, mobile network, language and time zone. Transaction and payment data, cookies, and location information are also all fair game to share with Facebook depending on the permissions you grant WhatsApp in the first place.

[…]

Source: WhatsApp Has Shared Your Data With Facebook for Years, Actually | WIRED

Boeing Reaches $2.5 Billion Settlement of U.S. Probe Into 737 MAX Crashes, has to admit a lot of wrongdoing

Posted on by

Boeing Co. will pay $2.5 billion to resolve a Justice Department criminal investigation and admit employees deceived aviation regulators about safety issues that led to two deadly crashes of the 737 MAX, authorities said.

The settlement, which was filed Thursday in Dallas federal court, would lift a legal cloud that has hung over the aerospace company for about two years since the fatal crashes. Federal prosecutors had been investigating the role of two Boeing employees who interacted with the Federal Aviation Administration about the design of the 737 MAX and how much pilot training would be required for the new model.

The settlement includes a nearly $244 million fine as well as almost $2.3 billion in compensation to airline customers and families of the 346 people who perished in two MAX crashes.

The plane maker was charged with one count of conspiracy to defraud the U.S. But it will avoid prosecution on that charge—allowing it to stay eligible for federal contracts—as long as it avoids legal trouble for a period of three years. The deal also calls for Boeing to comply with any ongoing investigations, including probes by foreign law-enforcement and regulatory authorities, and to beef up compliance programs, according to its settlement agreement.

[…]

Source: Boeing Reaches $2.5 Billion Settlement of U.S. Probe Into 737 MAX Crashes – WSJ

DARPA Announces Subterranean Challenge Finals: mapping out underground tunnels, caves, evil lairs by robot

Posted on by

After three years of development, DARPA Subterranean (SubT) Challenge teams will get the chance to compete in the Final Event being held at the Louisville Mega Cavern in Louisville, Kentucky on September 21-23, 2021.

The DARPA SubT Challenge aims to develop innovative technologies that can rapidly map, navigate, and search complex underground environments such as human-made tunnel systems, urban undergrounds, and natural cave networks. Teams compete by demonstrating how their autonomy, networking, perception, and mobility capabilities perform on either physical courses in the Systems Competition or simulated environments in the Virtual Competition. The best performing team in the Systems Competition will be awarded a $2 million prize while the best performing team in the Virtual Competition will be awarded a $750,000 prize.

Over the last two years, teams faced a series of preliminary circuit events – the Tunnel Circuit, Urban Circuit, and Cave Circuit – to demonstrate how their solutions address the unique challenges of each subdomain. Teams will now tackle competition courses that include challenge elements from all three subdomains at the same time.

“Whether it’s the systems courses that we are building inside the Mega Cavern, or the wildly varying virtual environments we’re designing in the SubT Virtual Testbed, I’m excited to see how all of the SubT Challenge competitors build on the knowledge they gained during the Circuit Events to be successful in the Final Event.” said Dr. Timothy Chung, program manager for the Subterranean Challenge in DARPA’s Tactical Technology Office.

While many competitors are already preparing for the Final Event, new teams still have an opportunity to qualify for the Systems and Virtual Competitions. In order to participate, teams must deploy autonomous robotic systems – either real or virtual – into the competition courses to map, navigate, and search for artifacts of interest. The locations of each artifact must be reported with an accuracy of at least five meters to score a point. The competition courses are intentionally designed to emulate the dangers of rescue efforts in collapsed mines, post-earthquake search and rescue in urban underground settings, and cave rescue operations for injured or lost spelunkers.

For additional information on the DARPA Subterranean Challenge, including how to compete in this September’s event, please visit www.subtchallenge.com

Source: DARPA Announces Subterranean (SubT) Challenge Final Event Site and Date

‘DALL-E’ AI generates an image out of anything you describe

Posted on by
with DALL-E (a portmanteau of “Wall-E” and “Dali”), an AI app that can create an image out of nearly any description. For example, if you ask for “a cat made of sushi” or a “high quality illustration of a giraffe turtle chimera,” it will deliver those things, often with startlingly good quality (and sometimes not).DALL-E can create images based on a description of its attributes, like “a pentagonal green clock,” or “a collection of glasses is sitting on a table.” In the latter example, it places both drinking and eye glasses on a table with varying degrees of success.

It can also draw and combine multiple objects and provide different points of view, including cutaways and object interiors. Unlike past text-to-image programs, it even infers details that aren’t mentioned in the description but would be required for a realistic image. For instance, with the description “a painting of a fox sitting in a field during winter,” the agent was able to determine that a shadow was needed.

“Unlike a 3D rendering engine, whose inputs must be specified unambiguously and in complete detail, DALL·E is often able to ‘fill in the blanks’ when the caption implies that the image must contain a certain detail that is not explicitly stated,” according to the OpenAI team.

'DALL-E' AI generates an image out of anything you describe

OpenAI also exploits a capability called “zero-shot reasoning.” This allows an agent to generate an answer from a description and cue without any additional training, and has been used for translation and other chores. This time, the researchers applied it to the visual domain to perform both image-to-image and text-to-image translation. In one example, it was able to generate an image of a cat from a sketch, with the cue “the exact same cat on the top as the sketch on the bottom.”

The system has numerous other talents, like understanding how telephones and other objects change over time, grasping geographic facts and landmarks and creating images in photographic, illustration and even clip-art styles.

For now, DALL-E is pretty limited. Sometimes, it delivers what you expect from the description and other times you just get some weird or crappy images. As with other AI systems, even the researchers themselves don’t understand exactly how it produces certain images due to the black box nature of the system.

Still, if developed further, DALL-E has vast potential to disrupt fields like stock photography and illustration, with all the good and bad that entails. “In the future, we plan to analyze how models like DALL·E relate to societal issues like economic impact on certain work processes and professions, the potential for bias in the model outputs, and the longer term ethical challenges implied by this technology,” the team wrote. To play with DALL-E yourself, check out OpenAI’s blog.

Source: ‘DALL-E’ AI generates an image out of anything you describe | Engadget

The Earth has been spinning faster lately

Posted on by

Scientists around the world have noted that the Earth has been spinning on its axis faster lately—the fastest ever recorded. Several scientists have spoken to the press about the unusual phenomenon, with some pointing out that this past year saw some of the shortest days ever recorded.

For most of the history of mankind, time has been marked by the 24-hour day/night cycle (with some alterations made for convenience as the seasons change). The cycle is governed by the speed at which the planet spins on its axis. Because of that, the length of a day has become the standard by which time is marked—each day lasts approximately 86,400 seconds. The day/night cycle is remarkably consistent despite the fact that it actually varies slightly on a regular basis.

Several decades ago, the development of atomic clocks began allowing scientists to record the passage of time in incredibly small increments, in turn, allowing for measuring the length of a given day down to the millisecond. And that has led to the discovery that the spin of the planet is actually far more variable than once thought. Since such measurements began, scientists have also found that the Earth was slowing its spin very gradually (compensated by the insertion of a leap second now and then)—until this past year, when it began spinning faster—so much so that some in the field have begun to wonder if a negative leap negative second might be needed this year, an unprecedented suggestion. Scientists also noted that this past summer, on July 19, the shortest day ever was recorded—it was 1.4602 milliseconds shorter than the standard.

Planetary scientists are not concerned about the new finding; they have learned that there are many factors that have an impact on planetary spin—including the moon’s pull, snowfall levels and mountain erosion. They also have begun wondering if might push the Earth to spin faster as the snow caps and high-altitude snows begin disappearing. Computer scientists, on the other hand, are somewhat concerned about the shifting spin speed—so much of is based on what they describe as “true time.” Adding a negative leap second could lead to problems, so some have suggested shifting the world’s clocks from solar time to atomic .

Source: The Earth has been spinning faster lately

If you’re a WhatsApp user, you’ll have to share your personal data with Facebook from next month – and no, you can’t opt out this time

Posted on by

WhatsApp users must agree to share their personal information with Facebook if they want to continue using the messaging service from next month, according to new terms and conditions.

“As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the other Facebook Companies,” its privacy policy, updated this week, stated.

“We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings, including the Facebook Company Products.”

Yes, said information includes your personal information. Thus, in other words, WhatsApp users must allow their personal info to be shared with Facebook and its subsidiaries as and when decided by the tech giant. Presumably, this is to serve personalized advertising.

If you’re a user today, you have two choices: accept this new arrangement, or stop using the end-to-end encrypted chat app (and use something else, like Signal.) The changes are expected to take effect on February 8.

When WhatsApp was acquired by Facebook in 2014, it promised netizens that its instant-messaging app would not collect names, addresses, internet searches, or location data. CEO Jan Koum wrote in a blog post: “Above all else, I want to make sure you understand how deeply I value the principle of private communication. For me, this is very personal. I was born in Ukraine, and grew up in the USSR during the 1980s.

“One of my strongest memories from that time is a phrase I’d frequently hear when my mother was talking on the phone: ‘This is not a phone conversation; I’ll tell you in person.’ The fact that we couldn’t speak freely without the fear that our communications would be monitored by KGB is in part why we moved to the United States when I was a teenager.”

Two years later, however, that vow was eroded by, well, capitalism, and WhatsApp decided it would share its users’ information with Facebook though only if they consented. That ability to opt-out, however, will no longer be an option from next month. Koum left in 2018.

That means users who wish to keep using WhatsApp must be prepared to give up personal info such as their names, profile pictures, status updates, phone numbers, contacts lists, and IP addresses, as well as data about their mobile devices, such as model numbers, operating system versions, and network carrier details, to the mothership. If users engage with businesses via the app, order details such as shipping addresses and the amount of money spent can be passed to Facebook, too.

Source: If you’re a WhatsApp user, you’ll have to share your personal data with Facebook from next month – and no, you can’t opt out this time • The Register

These Repair Bulletins for Tesla’s Quality Problems Are Downright Embarrassing—and Serious

Posted on by

t’s no secret that Tesla tends to ship cars to customers with questionable fit and finish. Sometimes components don’t fit the way they should, so fake wood from Home Depot is used to ensure they do. Other times, glass roofs simply detach while driving down the highway. This time, however, it’s not a random Facebook rant or one-off tweet telling us Tesla is selling vehicles of questionable quality, it’s the National Highway Traffic Safety Administration (NHTSA), via recalls and service bulletins.

Thanks to Bozi Tatarevic on Twitter, we know about errors numerous enough to warrant a response from the NHTSA, and some of them are pretty bad. They include low-grade rust repair, fixes to bodywork using a dead-blow hammer, and missing fasteners. We’re not talking about a couple of loose lug nuts, either. We’re talking parts missing from the car’s power system that may affect battery charge and discharge, and even nuts missing in the front suspension.

NHTSA

The service bulletins are sort of humorous in their official language of very basic fixes to really obvious issues with these cars. If the “DC link busbar” bolts are missing in the Model 3, replace them! If the charging door isn’t sitting flush—this defect is present on the 3 and Y—hit the non-flush panel with a hammer until it sits right. But if you start roleplaying as the village blacksmith and take it just a tad too far, replace the entire panel. Also, if you mess up the paint when you do this, make sure you touch it up. It looks like there’s a little bit of rust forming in that area anyway, so it’s probably a good idea to do that in any case.

The most alarming one of these issues is the self-locking nylon nut that’s straight-up missing from the front suspension. Apparently, this issue is widespread enough on the Model Y to warrant a service bulletin. If this bolt fell out during driving—which it would if there was no nut holding it on—one side of the front suspension would just collapse. Obviously, that’s something you don’t want to happen while you’re driving, and could lead to a serious accident and bodily injury. Possibly even worse.

Reading through other complaints on the NHTSA’s page for the Model 3, it seems like suspension issues are very common. Problems with ball joints snapping seem to be by far the most common issue. It’s safe to read clearly inflammatory messages with a little bit of skepticism, but looking through wrecked Model 3s on Copart, it seems like that is at least a somewhat common issue.

Unfortunately, this just sort of seems like business as usual for Tesla. Its vehicles are known to have these sorts of issues, and they aren’t doing a ton to attempt to shed this image. There is certainly something to be said for the strides the company has made with battery technology and drivetrain design, but quality control has to catch up with those innovations. Making advanced cars is one thing, making safe and reliable cars is entirely another.

Source: These Repair Bulletins for Tesla’s Quality Problems Are Downright Embarrassing—and Serious

Compromised Amazon Ring Devices Combined With Swatting

Posted on by

Late last year, it was discovered that yet another set of IoT devices were being turned against their owners by malicious people. It would be a stretch to call these losers “hackers,” considering all they did was utilize credentials harvested from multiple security breaches to take control of poorly secured cameras made by Ring.

Password reuse is common and these trolls made the most of it. Streaming their exploits to paying users, the perpetrators shouted racist abuse at homeowners, talked to/taunted their children, and interrupted their sleep by blaring loud noises through the cameras’ mics.

This string of events landed Ring in court. Ring claims this isn’t the company’s fault since the credentials weren’t obtained from Ring itself. But Ring’s lax security standards allowed users to bypass two-factor authentication and, until recently, didn’t warn users of unrecognized login attempts or lock their accounts after a certain number of login failures.

There’s another insidious twist to this new form of online/offline abuse. And it’s caught the attention of the feds. The FBI says these cameras are now being combined with swatting to inflict additional misery on camera owners.

Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks. To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.

They then call emergency services to report a crime at the victims’ residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.

Combining two things people hate into one dangerous blend is someone’s idea of a good time. Two recent incidents involving hacked devices and swatting fortunately ended without anyone being killed by law enforcement.

One Florida woman was called by a “hacker” and told to go outside and see if the local SWAT team was there. She was met by police shortly afterwards who told her they’d received a call she’d been murdered by her husband. No raid happened but officers were showered with insults and obscenities by “hackers” via the compromised Ring doorbell/camera for failing to provide the entertainment the online assholes were seeking.

A similar incident happened in Virginia, with the “hacker” taunting both the family and officers as they investigated a fake suicide call.

Through the family’s four Ring cameras, a hacker screamed, “Help me!” as officers checked inside the home to make sure everyone was safe.

Back outside, the officers realized the intermittent screaming was coming from the home’s Ring cameras.

A man started talking to the officers through the cameras, saying he hacked the homeowner’s accounts and faked the 911 call.

[…]

Officer: “What is it that you need from us?”

Hacker: “Oh nothing, we were just [messing] around, after this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff].”

Chesapeake Police officers covered up the cameras and asked who was screaming. The hacker told officers it was him yelling for help, claiming he livestreamed the Ring cameras when officers arrived and charged people five dollars each to watch online.

So, that’s where we’re at, hellscape-wise. A nation full of devices that can be taken over by anyone with the right credentials and turned into entertainment for sociopaths. Of course, being better about locking down IoT devices won’t stop these same sociopaths from weaponizing local law enforcement agencies. Choosing a strong, unique password isn’t going to keep assholes from swatting people. It’s only going to deprive them of their ability to witness the potentially deadly results of their actions.

Source: FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That’s The Hell We Now Live In | Techdirt

Singapore police can access now data from the country’s contract tracing app

Posted on by

With a nearly 80 percent uptake among the country’s population, Singapore’s TraceTogether app is one of the best examples of what a successful centralized contact tracing effort can look like as countries across the world struggle to contain the coronavirus pandemic. To date, more than 4.2 million people in Singapore have download the app or obtained the wearable the government has offered to people.

In contrast to Apple’s and Google’s Exposure Notifications System — which powers the majority of COVID-19 apps out there, including ones put out by states and countries like California and Germany — Singapore’s TraceTogether app and wearable uses the country’s own internally developed BlueTrace protocol. The protocol relies on a centralized reporting structure wherein a user’s entire contact log is uploaded to a server administered by a government health authority. Outside of Singapore, only Australia has so far adopted the protocol.

In an update the government made to the platform’s privacy policy on Monday, it added a paragraph about how police can use data collected through the platform. “TraceTogether data may be used in circumstances where citizen safety and security is or has been affected,” the new paragraph states. “Authorized Police officers may invoke Criminal Procedure Code (CPC) powers to request users to upload their TraceTogether data for criminal investigations.”

Previous versions of the privacy policy made no mention of the fact police could access any data collected by the app; in fact, the website used to say, “data will only be used for COVID-19 contact tracing.” The government added the paragraph after Singapore’s opposition party asked the Minister of State for Home Affairs if police could use the data for criminal investigations. “We do not preclude the use of TraceTogether data in circumstances where citizens’ safety and security is or has been affected, and this applies to all other data as well,” said Minister Desmond Tan.

What’s happening in Singapore is an example of the exact type of potential privacy nightmare that experts warned might happen with centralized digital contact tracing efforts. Worse, a loss of trust in the privacy of data could push people further away from contact tracing efforts altogether, putting everyone at more risk.

Source: Singapore police can access data from the country’s contract tracing app | Engadget

Uber wasted $100 million on useless digital ad campaigns

Posted on by

[…]

the estimated $100 million Uber apparently straight-up squandered on incredibly obvious, third-party digital advertising scams… something that is garnering mainstream coverage in the first days of 2021, despite coming to light back in February of last damn year.

Uber defraud tweet
Twitter / @nandoodles

You Google Played yourself — Former Sleeping Giants alum and co-founder of Check My Ads, Nandini Jammi, caught most of us up on the whole situation yesterday in a lengthy Twitter thread detailing just how Uber, the poster child of startup capitalism’s unethical robber baron mentality, managed to recently waste a mind-boggling $100 million in pointless digital advertising campaigns through a host of blatantly shady ad networks.

One such instance involved launching “‘battery saver’ style apps in Google Play, giving them root access to your phone.” Upon typing “Uber” into Google Play, the service “auto-fires a click to make it look like you clicked on an Uber ad and attribute the install to themselves.”

[…]

Source: Uber wasted $100 million on useless digital ad campaigns

A lot more moralising in the article on how Uber is evil and how this writer would spend someone else’s money but we’re seeing more and more about how the huge digital “targetted” ad spends are actually not delivering on their promises

Scientists turn CO2 into jet fuel

Posted on by

Researchers may have found a way to reduce the environmental impact of air travel in situations when electric aircraft and alternative fuels aren’t practical. Wired reports that Oxford University scientists have successfully turned CO2 into jet fuel, raising the possibility of conventionally-powered aircraft with net zero emissions.

The technique effectively reverses the process of burning fuel by relying on the organic combustion method. The team heated a mix of citric acid, hydrogen and an iron-manganese-potassium catalyst to turn CO2 into a liquid fuel capable of powering jet aircraft.

The approach is inexpensive, uncomplicated and uses commonplace materials. It’s cheaper than processes used to turn hydrogen and water into fuel.

There are numerous challenges to bringing this to aircraft. The lab method only produced a few grams of fuel — you’d clearly need much more to support even a single flight, let alone an entire fleet. You’d need much more widespread use of carbon capture. And if you want effectively zero emissions, the capture and conversion systems would have to run on clean energy.

The researches are talking with industrial partners, though, and don’t see any major scientific hurdles. It might also be one of the most viable options for fleets. Many of them would have to replace their aircraft to go electric or switch fuel types. This conversion process would let airlines keep their existing aircraft and go carbon neutral until they’re truly ready for eco-friendly propulsion.

Source: Scientists turn CO2 into jet fuel | Engadget

Zyxel products have a hardcoded root user you can access from internet

Posted on by

TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. You can find the full list of affected devices here and the Zyxel advisory here.

Zyxel is a popular brand for firewalls that are marketed towards small and medium businesses. Their Unified Security Gateway (USG) product line is often used as a firewall or VPN gateway. As a lot of us are working from home, VPN-capable devices have been quite selling well lately.

When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.

$ ssh zyfwp@192.168.1.252
Password: Pr*******Xp
Router> show users current
No: 1
  Name: zyfwp
  Type: admin
(...)
Router>

The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.

As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet. Using publicly available data from Project Sonar, I was able to identify about 3.000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, more than 100.000 devices have exposed their web interface to the internet.

Source: Undocumented user account in Zyxel products (CVE-2020-29583) – EYE

Julian Assange will NOT be extradited to the US over WikiLeaks hacking and spy charges, rules British judge

Posted on by

Accused hacker and WikiLeaks founder Julian Assange should not be extradited to the US to stand trial, Westminster Magistrates’ Court has ruled.

District Judge Vanessa Baraitser told Assange this morning that there was no legal obstacle to his being sent to the US, where he faces multiple criminal charges under America’s Espionage Act and Computer Fraud and Abuse Act over his WikiLeaks website.

Assange is a suicide risk and the judge decided not to order his extradition to the US, despite giving a ruling in which she demolished all of his legal team’s other arguments against extradition.

“I am satisfied that the risk that Mr Assange will commit suicide is a substantial one,” said the judge, sitting at the Old Bailey, in this morning’s ruling. Adopting the conclusions of medical expert Professor Michael Kopelman, an emeritus professor of neuropsychiatry at King’s College London, Judge Baraitser continued:

Taking account of all of the information available to him, he considered Mr Assange’s risk of suicide to be very high should extradition become imminent. This was a well-informed opinion carefully supported by evidence and explained over two detailed reports.

[…]

All other legal arguments against extradition rejected

Judge Baraitser heard from Assange’s lawyers during this case that he was set to be extradited because he had politically embarrassed the US, rather than committed any genuine criminal offence.

Nonetheless, US lawyers successfully argued that Assange’s actions were outside journalistic norms, with the judge approvingly quoting news articles from The Guardian and New York Times that condemned him for dumping about 250,000 stolen US diplomatic cables online in clear text.

“Free speech does not comprise a ‘trump card’ even where matters of serious public concern are disclosed,” said the judge in a passage that will be alien to American readers, whose country’s First Amendment reverses that position.

[…]

The judge also found that the one-time WikiLeaker-in-chief had directly commissioned a range of people to hack into various Western countries’ governments, banks and commercial businesses, including the Gnosis hacking crew that was active in the early 2010s.

Judge Baraitser also dismissed Assange’s legal arguments that publishing stolen US government documents on WikiLeaks was not a crime in the UK, ruling that had he been charged in the UK, he would have been guilty of offences under the Official Secrets Acts 1911-1989. Had his conduct not been a crime in the UK, that would have been a powerful blow against extradition.

[…]

Summing up the thoughts of most if not all people following Assange’s case when the verdict was given, NSA whistleblower Edward Snowden took to Twitter:

Having had all of his substantive legal arguments dismissed, there isn’t much for Assange and his supporters to cheer about today. It is certain that the US will throw as much legal muscle at the appeal as it possibly can. With some British prisoners successfully avoiding extradition by expressing suicidal thoughts, it is likely American prosecutors will want to set a UK precedent that overturns the suicide barrier.

Source: Julian Assange will NOT be extradited to the US over WikiLeaks hacking and spy charges, rules British judge • The Register

Microsoft says SolarWinds hackers viewed source code

Posted on by

The hackers who carried out a sophisticated cyberattack on US government agencies and on private companies were able to access Microsoft’s source code, the company said Thursday.

A Microsoft investigation turned up “unusual activity with a small number of internal accounts” and also revealed that “one account had been used to view source code in a number of source code repositories,” the company said in a blog post. Microsoft said that the account didn’t have the ability to modify code and that no company services or customer data was put at risk.

[…]

Source: Microsoft says SolarWinds hackers viewed source code – CNET

T-Mobile data breach exposed phone numbers, call records for 200k customers

Posted on by

T-Mobile has announced a data breach exposing customers’ proprietary network information (CPNI), including phone numbers and call records.

Starting yesterday, T-Mobile began texting customers that a “security incident” exposed their account’s information.

According to T-Mobile, its security team recently discovered “malicious, unauthorized access” to their systems. After bringing in a cybersecurity firm to perform an investigation, T-Mobile found that threat actors gained access to the telecommunications information generated by customers, known as CPNI.

The information exposed in this breach includes phone numbers, call records, and the number of lines on an account.

“Customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC) rules was accessed. The CPNI accessed may have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service,” T-Mobile stated in a data breach notification.

T-Mobile states that the data breach did not expose account holders’ names, physical addresses, email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

In a statement to BleepingComputer, T-Mobile stated that this breach affected a “small number of customers (less than 0.2%).”  T-Mobile has approximately 100 million customers, which equates to around 200,000 people affected by this breach.

[…]

Source: T-Mobile data breach exposed phone numbers, call records

Access To Big Data Turns Farm Machine Makers Into Tech Firms

Posted on by

The combine harvester, a staple of farmers’ fields since the late 1800s, does much more these days than just vacuum up corn, soybeans and other crops. It also beams back reams of data to its manufacturer.

GPS records the combine’s precise path through the field. Sensors tally the number of crops gathered per acre and the spacing between them. On a sister machine called a planter, algorithms adjust the distribution of seeds based on which parts of the soil have in past years performed best. Another machine, a sprayer, uses algorithms to scan for weeds and zap them with pesticides. All the while sensors record the wear and tear on the machines, so that when the farmer who operates them heads to the local distributor to look for a replacement part, it has already been ordered and is waiting for them.

Farming may be an earthy industry, but much of it now takes place in the cloud. Leading farm machine makers like Chicago-based John Deere & Co. DE +1.1% or Duluth’s AGCO AGCO +0.9% collect data from all around the world thanks to the ability of their bulky machines to extract a huge variety of metrics from farmers’ fields and store them online. The farmers who sit in the driver’s seats of these machines have access to the data that they themselves accumulate, but legal murk obfuscates the question of whether they actually own that data and only the machine manufacturer can see all the data from all the machines leased or sold.

[…]

Still, farmers have yet to be fully won over. Many worry that by allowing the transfer of their data to manufacturers, it will inadvertently wind up in the hands of neighboring farmers with whom they compete for scarce land, who could then mine their closely guarded information about the number of acres they plow or the types of fertilizers and pesticides they use, thus gaining a competitive edge. Others fear that information about the type of seeds or fertilizer they use will wind up in the hands of the chemicals companies they buy from, allowing those companies to anticipate their product needs and charge them more, said Jonathan Coppess, a professor at the University of Illinois.

Sensitive to the suggestion that they are infringing on privacy, the largest equipment makers say they don’t share farmers’ data with third parties unless farmers give permission. (Farmers frequently agree to share data with, for example, their local distributors and dealers.)

It’s common to hear that farmers are, by nature, highly protective of their land and business, and that this predisposes them to worry about sharing data even when there are more potential benefits than drawbacks. Still, the concerns are at least partly the result of a lack of legal and regulatory standards around the collection of data from smart farming technologies, observers say. Contracts to buy or rent big machines are many pages long and the language unclear, especially since some of the underlying legal concepts regarding the sharing and collecting of agricultural data are still evolving.

As one 2019 paper puts it, “the lack of transparency and clarity around issues such as data ownership, portability, privacy, trust and liability in the commercial relationships governing smart farming are contributing to farmers’ reluctance to engage in the widespread sharing of their farm data that smart farming facilitates. At the heart of the concerns is the lack of trust between the farmers as data contributors, and those third parties who collect, aggregate and share their data.”

[…]

Some farmers may still find themselves surprised to discover the amount of access Deere and others have to their data. Jacob Maurer is an agronomist with RDO Equipment Co., a Deere dealer, who helps farmers understand how to use their data to work their fields more efficiently. He explained that some farmers would be shocked to learn how much information about their fields he can access by simply tapping into Deere’s vast online stores of data and pulling up their details.

[…]

Based on the mountains of data flowing in to their databases, equipment makers with sufficient sales of machines around the country may in theory actually be able to predict, at least to some small but meaningful extent, the prices of various crops by analyzing the data its machines are sending in — such as “yields” of crops per acre, the amount of fertilizer used, or the average number of seeds of a given crop planted in various regions, all of which would help to anticipate the supply of crops come harvest season.

Were the company then to sell that data to a commodities trader, say, it could likely reap a windfall. Normally, the markets must wait for highly-anticipated government surveys to run their course before having an indication of the future supply of crops. The agronomic data that machine makers collect could offer similar insights but far sooner.

Machine makers don’t deny the obvious value of the data they collect. As AGCO’s Crawford put it: “Anybody that trades grains would love to have their hands on this data.”

Experts occasionally wonder about what companies could do with the data. Mary Kay Thatcher, a former official with the American Farm Bureau, raised just such a concern in an interview with National Public Radio in 2014, when questions about data ownership were swirling after Monsanto began deploying a new “precision planting” tool that required it to have gobs of data.

“They could actually manipulate the market with it. You know, they only have to know the information about what’s actually happening with harvest minutes before somebody else knows it,” Thatcher said in the interview.

“Not saying they will. Just a concern.”

Source: Access To Big Data Turns Farm Machine Makers Into Tech Firms

Apple Told This Developer That His App ‘Promoted’ Drugs – after 6 years in the store

Posted on by

In Apple’s world, an app can be inappropriate one day, but acceptable the next. That’s what the developer of Amphetamine—an app designed to keep Macs from going to sleep, which is useful in situations such as when a file is downloading or when a specific app is running—learned recently when Apple got in touch with him and told him that his app violated the company’s App Store guidelines.

Amphetamine developer William Gustafson published an account of the incident and his experience with Apple’s App Store review team on GitHub on Friday. In the post, Gustafson explained that Apple contacted him on Dec. 29 and told him that Amphetamine, which has been on the Mac App Store for six years, had suddenly begun violating one of the company’s App Store guidelines. Specifically, Gustafson said that Apple claimed that Amphetamine appeared to promote the inappropriate use of controlled substances given its very name—amphetamines are used to treat ADHD—and because its icon includes a pill.

[…]

“As we discussed, we found that your app includes content that some users may find upsetting, offensive, or otherwise objectionable,” an Apple representative told Gustafson on Dec. 29 according to a screenshot shared with Gizmodo. “Specifically, your app name and icon include references to controlled substances, pills.”

The representative then brought up App Store Guideline 1.4.3, which pertains to safety and physical harm. The guideline reads as follows:

“Apps that encourage consumption of tobacco and vape products, illegal drugs, or excessive amounts of alcohol are not permitted on the App Store. Apps that encourage minors to consume any of these substances will be rejected. Facilitating the sale of marijuana, tobacco, or controlled substances (except for licensed pharmacies) isn’t allowed.”

To resolve the issue, the Apple representative said that Gustafson had to remove all content that encourages inappropriate consumption of drugs or alcohol. Gustafson explained in his Github post that Apple had threatened to remove Amphetamine from the Mac App Store on Jan. 12 if he did not oblige with its request for changes.

If this is all sounding a bit wild to you, that’s because it is. Although Amphetamine uses its name and branding to lightheartedly convey the fact that the app will prevent your Mac from going to sleep, it does not do anything that violates Guideline 1.4.3.

Source: Apple Told This Developer That His App ‘Promoted’ Drugs

Pentagon Puts F-35 Full-Rate Production Decision On Hold

Posted on by

In a setback for the Lockheed Martin F-35 stealth fighter program, the U.S. Department of Defense has formally decreed that a decision on full-rate production of the jet is on indefinite hold. The Milestone C decision on whether or not to ramp up the manufacture of Joint Strike Fighters had been due in or before March 2021, but has now been on hold pending completion of the final phase of operational testing of the F-35.

Bloomberg was first to report news of the verdict, which was made by Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment in the Trump administration. There had been previous suggestions that a delay was at least likely, before today’s official confirmation.

U.S. Marine Corps/Lance Cpl. Dalton J. Payne

U.S. Marine Corps F-35Bs assigned to VMFA-121 await refueling at Marine Corps Air Station Futenma, Okinawa, Japan, December 17, 2020.

While more than 600 F-35s have been manufactured so far by the Joint Strike Fighter enterprise, including 123 examples delivered in 2020, wrapping up the Initial Operational Test & Evaluation (IOT&E) is a formal requirement before the formal launch of full-rate production. Once that happens, it will signal that the Pentagon officially has confidence in the program’s maturity and that the jet is able to perform as required in all operational conditions. Ultimately, the manufacturing run of the F-35 could reach 3,200 aircraft, depending on different nations’ requirements and emerging new customers. The U.S. Air Force alone has a program of record to eventually buy 1,763 conventional takeoff and landing F-35As, 241 of which had been delivered as of last summer.

Furthermore, the production-related milestone is supposed to confirm that the F-35 meets maintenance requirements, which have fallen short in the past, and that the manufacturing effort is running efficiently. This year, the effects of the COVID-19 pandemic mean that fewer F-35s have been delivered than was originally planned.

The latest hiccup in the F-35 program is a result of delays to operational testing in the Joint Simulation Environment. The F-35 needs to prove itself in these trials in order to complete the IOT&E phase and kickstart the full-rate production review.

This a critical, roughly month-long testing phase was originally supposed to begin in 2017. That schedule subsequently slipped and there had been a hope that those trials would begin this month. Now, the F-35 is not likely to enter the Joint Simulation Environment until mid-to-late 2021.

[…]

Source: It’s Official: Pentagon Puts F-35 Full-Rate Production Decision On Hold

Japanese Researchers Are Working to Create Wooden Satellites

Posted on by

You might think metal satellites burn up on re-entry, but as it turns out, it’s not that simple. “We are very concerned with the fact that all the satellites which re-enter the Earth’s atmosphere burn and create tiny alumina particles which will float in the upper atmosphere for many years,” Takao Doi, an astronaut and Kyoto University professor, told the BBC when speaking about the project. “Eventually it will affect the environment of the Earth.”

Wood, however, would entirely burn up upon re-entry without leaving harmful substances in the atmosphere—or perhaps scattering dangerous debris. According to Nikkei Asia, another reason the researchers are experimenting with wood is that it doesn’t block electromagnetic waves or the Earth’s own magnetic field. That means wooden satellites could have simpler builds, as components like antennas could be placed inside the satellite itself.

[…]

According to the World Economic Forum, there are roughly 6,000 satellites currently in orbit, of which 60% are actually defunct. Meanwhile, 990 satellites are estimated to be launched every year for the next decade. The WEF also notes that there are more than half a million pieces of space trash larger than a marble currently floating around the Earth and 20,000 pieces of debris that are larger than a softball. These pieces of trash aren’t static. They are actually moving at speeds up to 17,500 miles per hour, the speed necessary to remain in orbit and not fall back to the Earth itself. According to NASA, more space junk presents an increasing danger of collision to all types of spacecraft, including the International Space Station, shuttles, and any other type of vessel that may carry humans.

[…]

The problem of space clutter is only getting worse, as both Elon Musk’s SpaceX and Amazon’s Project Kuiper race to launch thousands of satellites into orbit to provide low-cost internet. Meanwhile, astronomers have also expressed concern that these satellite constellations could potentially disrupt their ability to observe the cosmos. It’s unclear how much wooden satellites would alleviate the problem, but hey, it’s gotta be better than sticking more metal junk up there.

Source: Japanese Researchers Are Working to Create Wooden Satellites

Ticketmaster To Pay $10 million After Illegally Hacking Rival’s System

Posted on by

Ticketmaster and its parent company, Live Nation, have agreed to pay out $10 million dollars to a competitor after admitting to hiring a former employee to hack into the rival company’s computer network.

According to a statement issued by the Justice Department on Wednesday, the five criminal counts facing Ticketmaster stemmed from a plot to infiltrate the computer system of ticket-seller rival CrowdSurge in a self-described attempt to “cut [the company] off at the knees.”

“Ticketmaster employees repeatedly — and illegally — accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” acting US attorney Seth DuCharme said in the statement. “Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers.”

The hacking plot was first reported in 2017, shortly after CrowdSurge filed an antitrust lawsuit against Live Nation. At some point prior to that filing, Live Nation had apparently recruited an employee named Stephen Mead, whom the company had poached from CrowdSurge in 2013, to turn on his former employer, offering data analytics and insider secrets to top executives in an attempt to hobble the competitor.

Mead’s knowledge of his former employer’s passwords was so extensive that it enabled him to log in to the company’s backend during a 2014 Live Nation summit, where he reportedly offered executives a “product review” of CrowdSurge’s operations and led a demonstration of the smaller company’s internal systems.

In a statement to The Verge, a Ticketmaster spokesperson said that the company was satisfied with the terms of the settlement, and stressed that both Mead and Zeeshan Zaidi — Ticketmaster’s former general manager of artist services — had both been terminated as a result of an investigation into the wrongdoing.

Source: Ticketmaster To Pay $10 million After Illegally Hacking Rival’s System