India’s New Cyber Law Goes Live: Subtracts Safe Harbor Protections, Adds Compelled Assistance Demands For Intermediaries, Massive surveillance infrastructure

New rules for social media companies and other hosts of third-party content have just gone into effect in India. The proposed changes to India’s 2018 Intermediary Guidelines are now live, allowing the government to insert itself into content moderation efforts and make demands of tech companies some simply won’t be able to comply with.

Now, under the threat of fines and jail time, platforms like Twitter (itself a recent combatant of the Indian government over its attempts to silence people protesting yet another bad law) can be held directly responsible for any “illegal” content it hosts, even as the government attempts to pay lip service to honoring long-standing intermediary protections that immunized them from the actions of their users.

[…]

turns a whole lot of online discourse into potentially illegal content.

[…]

The new mandates demand platforms operating in India proactively scan all uploaded content to ensure it complies with India’s laws.

The Intermediary shall deploy technology based automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.

This obligation is not only impossible to comply with (and is prohibitively expensive for smaller platforms and sites/online forums that don’t have access to AI tools), it opens up platforms to prosecution simply for being unable to do the impossible. And complying with this directive to implement this demand undercuts the Safe Harbour protections granted to intermediaries by the Indian government.

If you’re moderating all content prior to it going “live,” it’s no longer possible to claim you’re not acting as an editor or curator. The Indian government grants Safe Harbour to “passive” conduits of information. The new law pretty much abolishes those because complying with the law turns intermediaries from “passive” to “active.”

Broader and broader it gets, with the Indian government rewriting its “national security only” demands to cover “investigation or detection or prosecution or prevention of offence(s).” In other words, the Indian government can force platforms and services to provide information and assistance within 72 hours of notification to almost any government agency for almost any reason.

This assistance includes “tracing the origin” of illegal content — something that may be impossible to comply with since some platforms don’t collect enough personal information to make identification possible. Any information dug up by intermediaries in support of government action must be retained for 180 days whether or not the government makes use of it.

More burdens: any intermediary with more than 5 million users must establish permanent residence in India and provide on-call service 24/7. Takedown compliance has been accelerated from 36 hours of notification to 24 hours.

Very few companies will be able to comply with most of these directives. No company will be able to comply with them completely. And with the government insisting on adding more “eye of the beholder” content to the illegal list, the law encourages pre-censorship of any questionable content and invites regulators and other government agencies to get into the moderation business.

[…]

Source: India’s New Cyber Law Goes Live: Subtracts Safe Harbor Protections, Adds Compelled Assistance Demands For Intermediaries | Techdirt

Sub-diffraction optical writing enables data storage at the nanoscale – on disk

The demand to store ever-increasing volumes of information has resulted in the widespread implementation of data centers for Big Data. These centers consume massive amounts of energy (about 3% of global electricity supply) and rely on magnetization-based hard disk drives with limited storage capacity (up to 2 TB per disk) and lifespan (three to five years). Laser-enabled optical data storage is a promising and cost-effective alternative for meeting this unprecedented demand. However, the diffractive nature of light has limited the size to which bits can be scaled, and as a result, the storage capacity of optical disks.

Researchers at USST, RMIT and NUS have now overcome this limitation by using earth-rich lanthanide-doped upconversion nanoparticles and graphene oxide flakes. This unique material platform enables low-power optical writing of nanoscale information bits.

A much-improved data density can be achieved for an estimated storage capacity of 700 TB on a 12-cm optical disk, comparable to a storage capacity of 28,000 Blu-ray disks. Furthermore, the technology uses inexpensive continuous-wave lasers, reducing operating costs compared to traditional optical writing techniques using expensive and bulky pulsed lasers.

This technology also offers the potential for optical lithography of nanostructures in carbon-based chips under development for next-generation nanophotonic devices.

Source: Sub-diffraction optical writing enables data storage at the nanoscale

Using deep-sea fiber optic cables to detect earthquakes

Seismologists at Caltech working with optics experts at Google have developed a method to use existing underwater telecommunication cables to detect earthquakes. The technique could lead to improved earthquake and tsunami warning systems around the world.

[…]

Previous efforts to use optical fibers to study seismicity have relied on the addition of sophisticated scientific instruments and/or the use of so-called “dark fibers,” fiber optic cables that are not actively being used.

Now Zhongwen Zhan (Ph.D. ’13), assistant professor of geophysics at Caltech, and his colleagues have come up with a way to analyze the light traveling through “lit” fibers—in other words, existing and functioning submarine cables—to detect earthquakes and ocean waves without the need for any additional equipment. They describe the new method in the February 26 issue of the journal Science.

[…]

The cable networks work through the use of lasers that send pulses of information through glass fibers bundled within the cables to deliver data at rates faster than 200,000 kilometers per second to receivers at the other end. To make optimal use of the cables—that is, to transfer as much information as possible across them—one of the things operators monitor is the polarization of the light that travels within the fibers. Like other light that passes through a polarizing filter, laser light is polarized—meaning, its electric field oscillates in just one direction rather than any which way. Controlling the direction of the electric field can allow multiple signals to travel through the same fiber simultaneously. At the receiving end, devices check the state of polarization of each signal to see how it has changed along the path of the cable to make sure that the signals are not getting mixed.

[…]

On land, all sorts of disturbances, such as changes in temperature and even lightning strikes, can change the polarization of light traveling through fiber optic cables. Because the temperature in the deep ocean remains nearly constant and because there are so few disturbances there, the change in polarization from one end of the Curie Cable to the other remains quite stable over time, Zhan and his colleagues found.

However, during earthquakes and when storms produce large ocean waves, the polarization changes suddenly and dramatically, allowing the researchers to easily identify such events in the data.

Currently, when earthquakes occur miles offshore, it can take minutes for the seismic waves to reach land-based seismometers and even longer for any tsunami waves to be verified. Using the new technique, the entire length of a submarine cable acts as a single sensor in a hard-to-monitor location. Polarization can be measured as often as 20 times per second. That means that if an earthquake strikes close to a particular area, a warning could be delivered to the potentially affected areas within a matter of seconds.

During the nine months of testing reported in the new study (between December 2019 and September 2020), the researchers detected about 20 moderate-to-large earthquakes along the Curie Cable, including the magnitude-7.7 that took place off of Jamaica on January 28, 2020.

Although no tsunamis were detected during the study, the researchers were able to detect changes in polarization produced by ocean swells that originated in the Southern Ocean. They believe the changes in polarization observed during those events were caused by pressure changes along the seafloor as powerful waves traveled past the cable. “This means we can detect ocean waves, so it is plausible that one day we will be able to detect tsunami waves,” says Zhan.

Zhan and his colleagues at Caltech are now developing a machine learning algorithm that would be able to determine whether detected changes in polarization are produced by earthquakes or by some other change to the system, such as a ship or crab moving the cable. They expect that the entire detection and notification process could be automated to provide critical information in addition to the data already collected by the network of land-based seismometers and the buoys in the Deep-ocean Assessment and Reporting of Tsunamis (DART) system, operated by the National Oceanic and Atmospheric Administration’s National Data Buoy Center.

[…]

Source: Using deep-sea fiber optic cables to detect earthquakes

Extension shows the monopoly big tech has on your browsing – you always route your traffic through them

A new extension for Google Chrome has made explicit how most popular sites on the internet load resources from one or more of Google, Facebook, Microsoft and Amazon.

The extension, Big Tech Detective, shows the extent to which websites exchange data with these four companies by reporting on them. It also optionally blocks sites that request such data. Any such request is also effectively a tracker, since the provider sees the IP number and other request data for the user’s web browser.

The extension was built by investigative data reporter Dhruv Mehrotra in association with the Anti-Monopoly Fund at the Economic Security Project, a non-profit research group financed by the US-based Hopewell Fund in Washington DC.

Cara Rose Defabio, editor at the Economic Security Project, said: “Big Tech Detective is a tool that pulls the curtain back on exactly how much control these corporations have over the internet. Our browser extension lets you ‘lock out’ Google, Amazon, Facebook and Microsoft, alerting you when a website you’re using pings any one of these companies… you can’t do much online without your data being routed through one of these giants.”

[…]

That, perhaps, is an exaggeration. Big Tech Detective will spot sites that use Google Analytics to report on web traffic, or host Google ads, or use a service hosted on Amazon Web Services such as Chartbeat analytics – which embeds a script that pings its service every 15 seconds according to this post – but that is not the same as routing your data through the services.

In terms of actual data collection and analysis, we would guess that Google and Facebook are ahead of AWS and Microsoft, and munging together infrastructure services with analytics and tracking is perhaps unhelpful.

Another point to note is that a third-party service hosted on a public cloud server at AWS, Microsoft or Google is distinct from services run directly by those companies. Public cloud is an infrastructure choice and the infrastructure provider does not get that data other than being able to see that there is traffic.

[Note: This is untrue. They also get to see where the traffic is from, where it goes to, how it is routed, how many connections there are, and the size of the traffic being sent. This metadata is often more valuable than the actual data being sent]

Dependencies

Defabio made the point, though, that the companies behind public cloud have huge power, referencing Amazon’s decision to “refuse hosting service to the right wing social app Parler, effectively shutting it down.” While there was substantial popular approval of the action, it was Amazon’s decision, rather than one based on law and regulation.

She argued that these giant corporations should be broken up, so that Amazon the retailer is separate from AWS, for example. The release of the new extension is timed to coincide with US government hearings on digital competition, drawing on research from last year.

[…]

Source: Ever felt that a few big tech companies are following you around the internet? That’s because … they are • The Register

Apple, forced to rate product repair potential in France, gives itself modest marks – still lying, they should be worse

Apple, on its French website, is now publishing repairability scores for its notoriously difficult to repair products, in accordance with a Gallic environmental law enacted a year ago.

Cook & Co score themselves on repairability however, and Cupertino kit sometimes fares better under internal interpretation of the criteria [PDF] than it does under ratings awarded by independent organizations.

For example, Apple gave its 2019 model year 16-inch MacBook Pro (A2141) a repairability score of 6.3 out of 10. According to iFixit, a repair community website, that MacBook Pro model deserves a score of 1 out of 10.

Apple’s evaluation of its products aligns more closely with independent assessment when it comes to phones. Apple gives its iPhone 12 Pro a repairability score of six, which matches the middling score bestowed by iFixit.

“It’s self-reporting right now,” said Gay Gordon-Byrne, executive director of The Repair Association, a repair advocacy group, in an email to The Register. “No audit, no validation, yet. I think there is another year before there are any penalties for lying.”

[…]

Source: Apple, forced to rate product repair potential in France, gives itself modest marks • The Register

1Password has none, KeePass has none… So why are there seven embedded trackers in the LastPass Android app?

A security researcher has recommended against using the LastPass password manager Android app after noting seven embedded trackers. The software’s maker says users can opt out if they want.

[…]

The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as well as others from AppsFlyer, MixPanel, and Segment. Segment, for instance, gathers data for marketing teams, and claims to offer a “single view of the customer”, profiling users and connecting their activity across different platforms, presumably for tailored adverts.

LastPass has many free users – is it a problem if its owner seeks to monetise them in some way? Kuketz said it is. Typically, the way trackers like this work is that the developer compiles code from the tracking provider into their application. The gathered information can be used to build up a profile of the user’s interests from their activities, and target them with ads.

Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz, and the integration of proprietary code could introduce security risks and unexpected behaviour, as well as being a privacy risk. These things do not belong in password managers, which are security-critical, he said.

Kuketz also investigated what data is transmitted by inspecting the network traffic. He found that this included details about the device being used, the mobile operator, the type of LastPass account, the Google Advertising ID (which can connect data about the user across different apps). During use, the data also shows when new passwords are created and what type they are. Kuketz did not suggest that actual passwords or usernames are transmitted, but did note the absence of any opt-out dialogs, or information for the user about the data being sent to third parties. In his view, the presence of the trackers demonstrates a suboptimal attitude to security. Kuketz recommended changing to a different password manager, such as the open-source KeePass.

Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting. Dashlane has four. LastPass does appear to have more than its rivals. And yes, lots of smartphone apps have trackers: today, we’re talking about LastPass.

[…]

“All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy.”

Source: 1Password has none, KeePass has none… So why are there seven embedded trackers in the LastPass Android app? • The Register

This option was definitely not easy to find.

I just bought a year’s subscription as I thought the $2.11 / month price point was OK. They added on a few cents and then told me this price was excl. VAT. Not doing very well on the trustworthiness scale here.

Half a million stolen French medical records, lab results, feeble excuses

[…]

Here in France, we’ve just experienced the country’s biggest ever data breach of customer records, involving some half a million medical patients. Worse, the data wasn’t even sold or held to ransom by dark web criminals: it was just given away so that anyone could download it.

Up to 60 fields of personal data per patient are now blowing around in the internet winds. Full name, address, email, mobile phone number, date of birth, social security number, blood group, prescribing doctor, reason for consultation (such as “pregnancy”, “brain tumour”, “deaf”, “HIV positive”) and so on – it’s all there, detailed across 491,840 lines of plain text.

Data journalism couldn’t be easier, and indeed the newspaper hacks have been on the beat, contacting the doctors listed in the file and phoning up some of the patients on their mobile numbers to ask how they feel about the data breach. The doctors knew nothing about it, and of course the patients whose personal info had been stolen – including Hervé Morin, ex-Minister of Defence, as it turns out – hadn’t the faintest idea.

According to an investigation by daily newspaper Libération, warning signs that something was afoot were first reported on 12 February in a blog by Damien Bancal at security outfit Zataz. Some dark web spivs began discussing in Turkish-language channels on Telegram about how to sell some medical records stolen from a French hospital. Some of them then tried independently to put the data on the market and got into an argument that spilled over into Russian-language channels.

One of them, it seems, got pissed off and decided to take revenge by posting an extract of the data publicly. This was rapidly spread around Telegram’s other lesser spivlet channels and soon afterwards ended up being shared on conventional social media.

A closer look at the file reveals that it didn’t come from a hospital after all. It turns out the various dates on the patient records refer not to doctors’ appointments but to when patients had to submit a test specimen: in other words, the data is likely to have been stolen from French bio-medical laboratories conducting the specimen analysis.

Further probing by Libé revealed that the hack may relate to data stored using a system called Mega-Bus from Medasys, a company since absorbed into Dedalus France. Dating back to 2009, Mega-Bus hasn’t been updated and laboratories have been abandoning it for other solutions over the last couple of years. No patient records entered into these newer systems can be found in the stolen file, only pre-upgrade stuff entered into Mega-Bus, apparently.

[…]

Source: Half a million stolen French medical records, drowned in feeble excuses • The Register

GameStop short-sellers have lost $1.9 billion in just 2 days amid the stock’s latest spike

Short sellers lost $664 million on Wednesday as GameStop shares spiked 104% in the final 30 minutes of trading, S3 Partners said. The stock’s 84% intraday gain on Thursday fueled another $1.19 billion in mark-to-market losses.

Source: GameStop short-sellers have lost $1.9 billion in just 2 days amid the stock’s latest spike | Markets Insider

Use AdNauseum to Block Ads and Confuse Google’s Advertising

In an online world in which countless systems are trying to figure out what exactly you enjoy so they can serve you up advertising about it, it really fucks up their profiling mechanisms when they think you like everything. And to help you out with this approach, I recommend checking out the Chrome/Firefox extension AdNauseum. You won’t find it on the Chrome Web Store, however, as Google frowns at extensions that screw up Google’s efforts to show you advertising for some totally inexplicable reason. You’ll have to install it manually, but it’s worth it.

[…]

AdNauseum works on a different principle. As Lee McGuigan writes over at the MIT Technology Review:

“AdNauseam is like conventional ad-blocking software, but with an extra layer. Instead of just removing ads when the user browses a website, it also automatically clicks on them. By making it appear as if the user is interested in everything, AdNauseam makes it hard for observers to construct a profile of that person. It’s like jamming radar by flooding it with false signals. And it’s adjustable. Users can choose to trust privacy-respecting advertisers while jamming others. They can also choose whether to automatically click on all the ads on a given website or only some percentage of them.”

McGuigan goes on to describe the various experiments he worked on with AdNauseum founder Helen Nissenbaum, allegedly proving that the extension can make it past Google’s various checks for fraudulent or otherwise illegitimate clicks on advertising. Google, as you might expect, denies the experiments actually prove anything, and maintains that a “vast majority” of these kinds of clicks are detected and ignored.

[…]

Once you’ve installed AdNauseum, you’ll be presented with three simple options:

[Image: screenshot of AdNauseum’s three setup options. Screenshot: David Murphy]

Feel free to enable all three, but heed AdNauseum’s warning: You probably don’t want to use the extension alongside another adblocker, as the two will conflict and you probably won’t see any added benefit.

As with most adblockers, there are plenty of options you can play with if you dig deeper into AdNauseum’s settings.

[…]

Note that AdNauseum still (theoretically) generates revenue for the sites tracking you. That in itself might cause you to adopt a nuclear approach vs. an obfuscation-by-noise approach. Your call.

Source: Use AdNauseum to Block Ads and Confuse Google’s Advertising

Porsche says synthetic fuel can be as clean as EVs

In a recent interview with Evo magazine, Porsche VP of Motorsport and GT cars, Dr. Frank Walliser, says that synthetic fuels, also called eFuels, can reduce the carbon dioxide emissions of existing ICE cars by as much as 85 percent. And, he says, when you account for the wheel-to-well impact of manufacturing the EV, it’s a wash.

Synthetic fuels are made by extracting hydrogen via renewable energy and capturing it in liquid form with carbon dioxide. Compared to pump fuel, eFuels emit fewer particulates and nitrogen oxides as well. That’s because, as Walliser explains, they are composed of eight to 10 ingredients while the dead plants we mine contain 30 to 40, many of which are simply burned and emitted as pollution in the process.

While Porsche is continuing to develop EVs like the Taycan, it says that ICEs will continue to exist in the market for many years to come. Synthetic fuels, along with electrified cars, would be part of a multi-pronged approach to reducing emissions as quickly as possible. Mazda gave a similar statement a couple weeks earlier when it became the first car company to join Europe’s eFuel Alliance.

[…]


Source: Porsche says synthetic fuel can be as clean as EVs | Autoblog

How “ugly” labels on imperfect food can increase purchase of unattractive produce

[…]

According to a recent report by the National Academies of Science, Engineering and Medicine (2020), each year in the U.S. farmers throw away up to 30% of their crops, equal to 66.5 million tons of edible produce, due to cosmetic imperfections.

[…]

They discover that consumers expect unattractive produce to be less tasty and, to a smaller extent, less healthy than attractive produce, which leads to its rejection. They also find that emphasizing aesthetic flaws via ‘ugly’ labeling (e.g., “Ugly Cucumbers”) can increase the purchase of unattractive produce. This is because ‘ugly’ labeling points out the aesthetic flaw in the produce, making it clear to consumers that there are no other deficiencies in the produce other than attractiveness. Consumers may also reevaluate their reliance on visual appearance as a basis for judging the tastiness and healthiness of produce; ‘ugly’ labeling makes them aware of the limited nature of their spontaneous objection to unattractive produce.

[…]

“We sold both unattractive and attractive produce at a farmer’s market and find that consumers were more likely to purchase unattractive produce over attractive produce when the unattractive produce was labeled ‘ugly’ compared to when unattractive produce was not labeled in any specific way. ‘Ugly’ labeling also generated greater profit margins relative to when unattractive produce was not labeled in any specific way—a great solution for sellers to make a profit while reducing food waste.” In the second study, participants were told that they could win a lottery worth $30, and could keep all the cash or allocate some of the lottery earnings to purchase either a box of attractive produce or unattractive produce. ‘Ugly’ labeling increased the likelihood that consumers would use their lottery earnings to purchase a box of unattractive rather than attractive produce.

In Studies 3 and 4, ‘ugly’ labeling positively impacts taste and health expectations, which led to higher choice likelihood of unattractive produce over attractive produce. Study 5 considers how ‘ugly’ labeling might alter the effectiveness of price discounts. Typically, when retailers sell unattractive produce, they offer a discount of 20%-50%. Cornil says that “We show that ‘ugly’ labeling works best for moderate price discounts (i.e., 20%) rather than steep price discounts (i.e., 60%) because a large discount signals low quality, which nullifies the positive effect of the ‘ugly’ label.” This suggests that by simply adding the ‘ugly’ label, retailers selling unattractive produce can reduce those discounts and increase profitability.

The last two studies demonstrate that ‘ugly’ labeling is more effective than another popular label, ‘imperfect.’

[…]

Importantly, these findings largely contrast with managers’ beliefs. “While grocery store managers believed in either not labeling unattractive produce in any specific way or using ‘imperfect’ labeling, we show that ‘ugly’ labeling is far more effective,” says Hoegg.

[…]

Source: How “ugly” labels can increase purchase of unattractive produce

CNAME DNS-based tracking defies your browser privacy defenses

Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security.

In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven-affiliated researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem delve into the increasing adoption of CNAME-based tracking, which abuses DNS records to erase the distinction between first-party and third-party contexts.

“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site,” the paper explains. “As such, defenses that block third-party cookies are rendered ineffective.”

[…]

A technique known as DNS delegation or DNS aliasing has been known since at least 2007 and showed up in privacy-focused research papers in 2010 [PDF] and 2014 [PDF]. Based on the use of CNAME DNS records, the counter anti-tracking mechanism drew attention two years ago when open source developer Raymond Hill implemented a defense in the Firefox version of his uBlock Origin content blocking extension.

CNAME cloaking involves having a web publisher put a subdomain – e.g. trackyou.example.com – under the control of a third-party through the use of a CNAME DNS record. This makes a third-party tracker associated with the subdomain look like it belongs to the first-party domain, example.com.

The boffins from Belgium studied the CNAME-based tracking ecosystem and found 13 different companies using the technique. They claim that the usage of such trackers is growing, up 21 per cent over the past 22 months, and that CNAME trackers can be found on almost 10 per cent of the top 10,000 websites.

What’s more, sites with CNAME trackers have an average of about 28 other tracking scripts. They also leak data due to the way web architecture works. The researchers found cookie data leaks on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking. Most of these were the result of third-party analytics scripts setting cookies on the first-party domain.

Not all of these leaks exposed sensitive data but some did. Out of 103 websites with login functionality tested, the researchers found 13 that leaked sensitive info, including the user’s full name, location, email address, and authentication cookie.

“This suggests that this scheme is actively dangerous,” wrote Dr Lukasz Olejnik, one of the paper’s co-authors, an independent privacy researcher, and consultant, in a blog post. “It is harmful to web security and privacy.”

[…]

In addition, the researchers report that ad tech biz Criteo switches specifically to CNAME tracking – putting its cookies into a first-party context – when its trackers encounter users of Safari, which has strong third-party cookie defenses.

According to Olejnik, CNAME tracking can defeat most anti-tracking techniques and there are few defenses against it.

Firefox running the add-on uBlock Origin 1.25+ can see through CNAME deception. So too can Brave, which recently had to repair its CNAME defenses due to problems it created with Tor.

Chrome falls short because it does not have a suitable DNS-resolving API for uBlock Origin to hook into. Safari will limit the lifespan of cookies set via CNAME cloaking but doesn’t provide a way to undo the domain disguise to determine whether the subdomain should be blocked outright.
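The cloaking scheme described above, and the uBlock Origin-style defense of resolving a request’s CNAME chain before deciding whether it is really first-party, can be checked with a small script. The following is an added example, not code from the paper, from uBlock Origin or from any browser: it works over a constructed table of CNAME records (no live DNS lookups), uses a deliberately tiny stand-in for the Public Suffix List, and flags subdomains whose CNAME chain ends in a different registrable domain than the page they appear to belong to. The record set, the `tracker-example.net` and `vendor-example.com` names, and the suffix list are all assumptions made up for the demonstration.

```python
"""Detect CNAME cloaking from DNS CNAME records (constructed data, offline)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed CNAME records (owner -> target). These are made-up names, not
# real DNS data: `trackyou.example.com` and `shop.example.co.uk` are the
# "cloaked" cases, `static.example.com` is a legitimate in-domain alias, and
# the two `loop-*` names form a CNAME loop that a resolver must not follow forever.
CNAME_RECORDS: Dict[str, str] = {
    "trackyou.example.com.": "client123.tracker-example.net.",
    "client123.tracker-example.net.": "edge.tracker-example.net.",
    "static.example.com.": "cdn.example.com.",
    "www.example.co.uk.": "example.co.uk.",
    "shop.example.co.uk.": "shops.vendor-example.com.",
    "loop-a.example.com.": "loop-b.example.com.",
    "loop-b.example.com.": "loop-a.example.com.",
}

# Minimal stand-in for the Public Suffix List (assumption for this example;
# production code should load the real list, e.g. via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(name: str) -> str:
    """Return the registrable domain (eTLD+1), e.g. www.example.co.uk -> example.co.uk."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # One label to the left of the longest matching public suffix.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


@dataclass
class CnameFinding:
    owner: str
    chain: List[str]   # owner followed by each CNAME hop
    cloaked: bool      # final target lives in a different registrable domain
    looped: bool       # a CNAME loop was detected while following the chain


def analyse(owner: str, records: Dict[str, str] = CNAME_RECORDS,
            max_hops: int = 10) -> CnameFinding:
    """Follow the CNAME chain for `owner` and decide whether it is cloaked."""
    chain = [owner]
    looped = False
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]]
        if nxt in chain:          # loop: stop rather than spin forever
            looped = True
            break
        chain.append(nxt)
    cloaked = registrable_domain(chain[-1]) != registrable_domain(owner)
    return CnameFinding(owner, chain, cloaked, looped)


def find_cloaked(records: Dict[str, str] = CNAME_RECORDS) -> List[str]:
    """All owners whose CNAME chain leaves their own registrable domain."""
    return sorted(o for o in records if analyse(o, records).cloaked)


def classify_request(page_host: str, request_host: str,
                     records: Dict[str, str] = CNAME_RECORDS) -> str:
    """Browser-side view: is a request first-party once the CNAME is uncloaked?"""
    page_site = registrable_domain(page_host)
    looks_first_party = registrable_domain(request_host) == page_site
    resolved_site = registrable_domain(analyse(request_host, records).chain[-1])
    if looks_first_party and resolved_site == page_site:
        return "first-party"
    if looks_first_party:
        return "third-party (CNAME-cloaked)"
    return "third-party"


if __name__ == "__main__":
    for owner in CNAME_RECORDS:
        f = analyse(owner)
        print(f"{owner:35} -> {' -> '.join(f.chain[1:])}"
              f"  cloaked={f.cloaked} looped={f.looped}")
    print("cloaked subdomains:", find_cloaked())
    print(classify_request("www.example.com.", "trackyou.example.com."))
```

The key design point is that the same-site test is applied to the end of the resolved chain, not to the hostname in the request URL; that is what lets a content blocker see `trackyou.example.com` for what it is, and it is exactly the step a browser without a DNS-resolution API for extensions cannot perform.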

[…]

Source: What’s CNAME of your game? This DNS-based tracking defies your browser privacy defenses • The Register

WhatsApp: Users Who Don’t Accept Privacy Terms Can’t Read or Send Texts

After causing a huge virtual meltdown with the announcement of its new privacy policy, and then postponing the implementation of said policy due to online fury, WhatsApp has spent the last few weeks trying not to stir up trouble. However, it has just revealed what will happen to users who do not accept its new privacy policy by the May 15 deadline.

WhatsApp has apparently been emailing some of its merchant partners to inform them that it will “slowly ask” users to accept the new privacy policy “in order to have full functionality” of the app, according to TechCrunch, which saw an email and confirmed its veracity with WhatsApp. The email also pointed to a public WhatsApp FAQ page titled, “What happens on the effective date?”

The FAQ page states that WhatsApp will not delete the accounts of users who do not accept the new terms, but that they won’t be able to use it like they normally do.

“If you haven’t accepted by then, WhatsApp will not delete your account. However, you won’t have full functionality of WhatsApp until you accept. For a short time, you’ll be able to receive calls and notifications, but won’t be able to read or send messages from the app,” WhatsApp wrote.

If the “for a short time” part has you scratching your head, WhatsApp did elaborate, sort of. Users who do not accept the new privacy policy by May 15 will be considered inactive users and subject to WhatsApp’s existing policy on that front, as detailed below.

“To maintain security, limit data retention, and protect the privacy of our users, WhatsApp accounts are generally deleted after 120 days of inactivity,” WhatsApp states. “Content stored locally on a user’s device prior to account deletion will remain until WhatsApp is deleted from the device. When a user reregisters for WhatsApp on the same device, their locally stored content will reappear.”

Source: WhatsApp: Users Who Don’t Accept Privacy Terms Can’t Read Texts

Dynamic DIY Macro Keyboard Controls All The Things

[Sebastian] needed a good set of shortcuts for OBS and decided to make a macro keyboard to help out. By the time he was finished, [Sebastian] had macro’d all the things and built a beautiful and smart peripheral that anyone with a pulse would likely love to have gracing their desk.

The design started with OBS, but this slick little keyboard turned into a system-wide assistant. It assigns the eight keys dynamically based on the program that has focus, and even updates the icon to show changes like the microphone status.

This is done with a Python script on the PC that monitors the running programs and updates the macro keeb accordingly using a serial protocol that [Sebastian] wrote. Thanks to the flexibility of this design, [Sebastian] can even use it to control the office light over MQTT and make the CO2 monitor send a color-coded warning to the jog wheel when there’s trouble in the air.

This project is wide open with fabulous documentation, and [Sebastian] is eager to see what improvements and alternative enclosure materials people come up with. Be sure to check out the walk-through/build video after the break.

Inspired to make your own, but want to start smaller? There are plenty to admire around here.

Source: Dynamic Macro Keyboard Controls All The Things | Hackaday

Why You Should Switch From LastPass to Bitwarden’s Password Manager

Whether you’re looking to make a change in your password management just because, or you’re a LastPass user annoyed with the service’s recent changes to its free tier, switching to the much-loved (and free) Bitwarden service is a good choice. Bitwarden is now the best free password manager for most people—since it works across all of your devices to add convenience and security to your logins—and setting it up is quick and easy.

To get started, head to Bitwarden’s site and create an account. It’s free to do, and all you need to worry about is giving yourself a solid master password. Make it a good one, and one that you don’t use anywhere else, because it’ll be one of the gatekeepers for all of your other passwords that you’ll store on the service. Once you’ve created your account and logged in, make sure you verify your email address using the option in the upper-right corner.

[…]

Source: Why You Should Switch From LastPass to Bitwarden’s Password Manager

Aussie shakedown: Facebook ‘Endangered Public Safety’ by Blocking News During Pandemic According to Australia, after forcing FB to pay for news on the site

Facebook has endangered public safety by blocking news on the platform in Australia during the covid-19 pandemic, according to Australia’s Treasurer Josh Frydenberg, a high-ranking official in the country’s ruling Liberal Party.

Frydenberg appeared on the local TV program “Today,” on Friday morning, Australia time, and insisted the government was not going to tolerate Facebook’s “unnecessary” and “wrong” attempts to bully Australia into submission.

“He endangered public safety,” Frydenberg said of Facebook CEO Mark Zuckerberg. “In the middle of a pandemic, people weren’t able to get access to information about the vaccines.”

Facebook started blocking all news content for Australian users on Thursday in retaliation for the government’s plan to implement a new law that would force large tech companies to pay news publishers for linking to their content. Google previously threatened to block all searches in Australia over the law but has since signed agreements with several large Australian publishers.

[…]

Source: Facebook ‘Endangered Public Safety’ by Blocking News During Pandemic According to Australia

Australia facepalms as Facebook blocks bookstores, sport, health services instead of just news

Facebook is being flayed in Australia after its ban on sharing of links to news publications caught plenty of websites that have nothing to do with news.

The Social Network™ announced its ban with a blog post and the sudden erasure of all posts on certain Facebook pages.

Links to news outlets big and small (including The Register) are currently impossible to post to Facebook from within Australia. Australian Facebook users don’t see news links posted from outside the nation.

Which is as Facebook intended to show its displeasure with Australia’s News Media Bargaining Code, a newly legislated scheme that forces Facebook to negotiate payments with local news publishers for the privilege of linking to their content.

But when Facebook implemented its ban, an online bookstore, charities, and even a domestic violence support service saw their Facebook presences erased. Australia’s national Basketball and Rugby bodies also saw their pages sent to the sin bin.

Facebook said that the breadth of its blocks is regrettable, but as Australia’s law “does not provide clear guidance on the definition of news content, we have taken a broad definition in order to respect the law as drafted.”

This leaves Facebook in the interesting position of telling advertisers it offers superior micro-targeting services, while telling the world it is unable to tell the difference between a newspaper and a bookshop.

Australia’s Prime Minister Scott Morrison used Facebook to say “Facebook’s actions to unfriend Australia today, cutting off essential information services on health and emergency services, were as arrogant as they were disappointing.”

While Australia facepalms at Facebook’s clumsiness, publishers and politicians around the world have expressed dismay that Facebook has banned news and, by doing so, again demonstrated its ability to shape public discourse.

That Facebook’s contribution to public conversations has so often been to infuse them with misinformation, then promise to do better by ensuring that higher-quality content such as public interest journalism becomes more prominent, has not gone unnoticed.

[…]

Source: Australia facepalms as Facebook blocks bookstores, sport, health services instead of just news • The Register

So a country tells FB to pay for news or not show it and is then surprised that stuff starts disappearing from FB?

And to complete the shakedown by the Aussie government, read: Facebook ‘Endangered Public Safety’ by Blocking News During Pandemic According to Australia

Uber Drivers Entitled to Paid Vacation and Minimum Wage According to UK Supreme Court

Uber drivers in the UK should be classified as workers and entitled to both paid vacation time and the minimum wage, according to a ruling Friday by Britain’s Supreme Court. But Uber’s London office is already disputing the scope and relevance of the ruling for its British drivers, insisting that its own rules have changed dramatically since the case was first brought by 25 drivers in 2016.

The UK Supreme Court ruling notes five reasons that Uber drivers should be classified as workers rather than independent entrepreneurs. First, the court pointed out that Uber drivers have no say in the amount charged for each ride—a number set by Uber. If Uber sets the price, how are they not the driver’s real employer?

Second, Uber sets the contract terms between riders and drivers through their app. Third, Uber constrains all drivers in their ability to accept and decline rides at will. Drivers are penalized if they decline too many rides, another point of fact that would make it pretty obvious Uber is an employer who’s holding all the cards in the employment relationship.

Fourth, Uber penalizes or bans drivers who don’t maintain a sufficiently high rating, another act more consistent with an employer-employee relationship. And lastly, Uber restricts the amount of communication between drivers and riders, something that wouldn’t be normalized if Uber drivers were really just working for themselves.

From the UK Supreme Court’s press release on Friday’s ruling:

Taking these factors together, the transportation service performed by drivers and offered to passengers through the Uber app is very tightly defined and controlled by Uber. Drivers are in a position of subordination and dependency in relation to Uber such that they have little or no ability to improve their economic position through professional or entrepreneurial skill. In practice the only way in which they can increase their earnings is by working longer hours while constantly meeting Uber’s measures of performance. The Supreme Court considers that comparisons made by Uber with digital platforms which act as booking agents for hotels and other accommodation and with minicab drivers do not advance its case. The drivers were rightly found to be “workers.”

[…]

Source: Uber Drivers Entitled to Paid Vacation and Minimum Wage According to UK Supreme Court

The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin

Kia seems to be in quite a predicament. As we reported earlier today, the automaker’s online services appear to have been severed from the outside world, with customers unable to start their cars remotely via Kia’s apps or even log into the company’s financing website to pay their bills. All signs pointed to a potential cyberattack against Kia—ransomware most likely—and that’s exactly what a new report is claiming it is.

A report by information security news site Bleeping Computer seems to solidify that theory, as the publication shared a screenshot of an alleged ransom note asking Kia for the hefty sum of $20,000,000 to decrypt its files.

The infection is believed to be the work of a group dubbed DoppelPaymer by CrowdStrike researchers in 2019. Such threat actors routinely hunt big game for large payouts, according to a security bulletin released by the FBI late last year. The note left behind mentions that the malware not only encrypted live data, but also the company’s backups, which more sophisticated attacks of this nature often do to prevent an easy restoration.

To make matters worse, it also claims to have exfiltrated a large amount of data along with the hack, which it says it will release within three weeks. It’s not clear what kind of data was exfiltrated by the attackers; however, the note claims that it was a “huge amount” of it, and the number of Kia’s online services that were affected does allude to the possibility of a broad net being cast into Kia’s network. In simpler terms, these alleged attackers stole a bunch of stuff out of Kia’s house and then locked the doors to some of the bedrooms inside.

After reaching out to Kia multiple times, The Drive finally received an answer on the matter. A Kia spokesperson confirmed that Kia is “experiencing an extended systems outage,” though it does not mention the nature of the outage. It also downplays the ransomware attack allegations shared by Bleeping Computer.

“Kia Motors America, Inc. is currently experiencing an extended systems outage,” a Kia spokesperson told The Drive via email. “Affected systems include the Kia Owners Portal, UVO Mobile Apps, and the Consumer Affairs Web portal. We apologize for any inconvenience to affected customers and are working to resolve the issue as quickly as possible with minimal interruption to our business.”

The spokesperson added: “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”

Having said that, the report on Bleeping Computer indicates detailed notes from these purported attackers. The attackers apparently used a Protonmail email address to communicate and display a web page on Tor, an encrypted peer-to-peer network that promotes anonymity, complete with an online chat function in case they need support to pay the ransom. At the time of this writing, the hackers were requesting 404.5412 Bitcoin, which equates to roughly $20.9 million. But the message also warns that as they take longer to pay, the fee goes up, ending in 600 Bitcoin ($31 million) should the automaker not pay up within nine days.

Screenshots of the actual notes have been published by Bleeping Computer and can be viewed here. It’s also worth noting that DoppelPaymer is the same malware that was responsible for exfiltrating and encrypting data from Visser, a defense contractor and parts manufacturer for both Tesla and SpaceX, just last year.

Source: The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin

Citibank accidentally wired $500m back to lenders in user-interface super-gaffe – and judge says it can’t be undone

A judge has ruled that Citibank can’t claw back more than $500m (£360m) it mistakenly paid out after outsourced staff and a senior manager made a nearly billion-dollar (£700m) user-interface blunder.

The error occurred on August 11 last year, when Citibank was supposed to wire $7.8m (£5.6m) in interest payments to lenders who are propping up troubled cosmetics giant Revlon. But a worker at outsourcing mega-org Wipro accidentally checked the wrong combination of on-screen boxes, leading to the repayment of not only the interest but also the $894m (£640m) principal from the bank’s funds.

Citibank has a “six-eyes” policy on massive money transfers of this type. In the Revlon fiasco, a Wipro worker in India configured the transfer using software called Flexcube, his local manager approved it, and Vincent Fratta – a Citibank senior manager based in Delaware, USA – gave the final OK for the transfer of funds, all believing the settings were correct.

Below is a screenshot of the transfer set up by the first Wipro worker. He should have ticked not just the principal field but also the front and fund fields, and set their values to the necessary clearing account number. By leaving those two boxes unchecked and values empty – and wrongly assuming putting the account number in the principal field was a correct move – the entire principal of the loan, which was set to mature in 2023, was handed back to 315 creditors.

Incomplete … The Flexcube interface for the infamous transfer. Source: US courts system

It wasn’t until the next day that staff noticed the error, and sent out emails asking for the funds to be returned – and hundreds of millions of dollars were. However, a group of 10 creditors refused to hand back their share of the cash, amounting to more than $500m, leading Citibank to sue them in New York to recover the dosh.

This week, the US federal district court judge presiding over that lawsuit sided with the lenders, saying [PDF] they had reasonable grounds to think that the transfer was legitimate and that they had legal grounds to keep their money.

“The non-returning lenders believed, and were justified in believing, that the payments were intentional,” Judge Jesse Furman ruled. “Indeed, to believe otherwise — to believe that Citibank, one of the most sophisticated financial institutions in the world, had made a mistake that had never happened before, to the tune of nearly $1bn — would have been borderline irrational.”

Since the amount sent back repaid the loaned amounts to the cent and no more, the judge ruled Citibank had no right to reclaim the money.

“We are extremely pleased with Judge Furman’s thoughtful, thorough and detailed decision,” Benjamin Finestone, representing two lenders, Brigade and HPS Investment Partners, told CNN.

That said, the saga isn’t over yet. The disputed funds are going nowhere, and are held under a temporary restraining order, to give Citibank a chance to challenge the ruling. “We strongly disagree with this decision and intend to appeal,” the mega bank said in a statement. “We believe we are entitled to the funds and will continue to pursue a complete recovery of them.”

Source: Citibank accidentally wired $500m back to lenders in user-interface super-gaffe – and judge says it can’t be undone • The Register

‘Spy pixels in emails have become endemic’

The use of “invisible” tracking tech in emails is now “endemic”, according to a messaging service that analysed its traffic at the BBC’s request.

Hey’s review indicated that two-thirds of emails sent to its users’ personal accounts contained a “spy pixel”, even after excluding spam.

Its makers said that many of the largest brands used email pixels, with the exception of the “big tech” firms.

Defenders of the trackers say they are a commonplace marketing tactic. And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies.

Email pixels can be used to log:

- if and when an email is opened
- how many times it is opened
- what device or devices are involved
- the user’s rough physical location, deduced from their internet protocol (IP) address – in some cases making it possible to see the street the recipient is on

This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles.

Hey’s co-founder David Heinemeier Hansson says they amount to a “grotesque invasion of privacy”.
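Mail clients that surface or block tracking pixels, as Hey does, have to find them in the HTML first. The following added example (not code from Hey, the BBC or any vendor) shows the three signals such a classifier typically combines: a remote image that is one pixel or smaller, one hidden by inline CSS, or one whose URL carries a long opaque token that ties the fetch to a single recipient. The sample email, hostnames and tokens are all constructed; the heuristics are deliberately simple and would need tuning for real mail streams.

```python
"""Flag likely tracking pixels in an HTML email body.

Added example with constructed input; the brand, hostnames and tokens
are hypothetical. Only images fetched over http(s) matter, because an
inline (cid:) or data: image never contacts a remote server.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# 16+ URL-safe characters containing both letters and digits: a typical
# per-recipient identifier rather than a readable file name.
TOKEN_RE = re.compile(r"(?=[A-Za-z0-9_-]*\d)(?=[A-Za-z0-9_-]*[A-Za-z])[A-Za-z0-9_-]{16,}")

# Constructed sample: a real logo, a classic 1x1 pixel with identifiers,
# a CSS-hidden pixel, and an inline image that is not a tracker.
SAMPLE_EMAIL = """<html><body>
<img src="https://mail.example-brand.test/static/logo.png" width="200" height="50" alt="Brand">
<p>Thanks for subscribing!</p>
<img src="https://track.example-brand.test/o/7f3a9c2e1b8d4f60a1c2d3e4.gif?u=9d8f7e6c5b4a39281716" width="1" height="1" alt="">
<img src="https://track.example-brand.test/open.gif" style="display:none;width:0;height:0" alt="">
<img src="cid:inline-logo@example" width="1" height="1">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value: Optional[str]) -> Optional[int]:
    """Parse '1', '1px' or '1 ' to 1; None when absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def classify_pixel(attrs: Dict[str, str]) -> List[str]:
    """Return the list of reasons an <img> looks like a tracking pixel (empty if none)."""
    reasons: List[str] = []
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme not in ("http", "https"):
        return reasons
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        reasons.append("1x1 or smaller")
    style = attrs.get("style", "").replace(" ", "").lower()
    if ("display:none" in style or "visibility:hidden" in style
            or re.search(r"(width|height):0(px)?(;|$)", style)):
        reasons.append("hidden by CSS")
    query_values = [v for vals in parse_qs(parsed.query).values() for v in vals]
    if any(TOKEN_RE.fullmatch(v) for v in query_values) or TOKEN_RE.search(parsed.path):
        reasons.append("unique identifier in URL")
    return reasons


def find_tracking_pixels(html: str) -> List[Dict[str, object]]:
    """Parse an HTML email and return the remote images that trip at least one heuristic."""
    collector = _ImgCollector()
    collector.feed(html)
    return [{"src": a.get("src", ""), "reasons": r}
            for a in collector.images if (r := classify_pixel(a))]


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Detection is only half of the defense: because the information the article lists (open time, count, device, IP-derived location) is leaked by the HTTP fetch itself, a client protects the user by not loading remote images automatically, or by fetching them through a proxy that strips the recipient's address and timing, and it can use a classifier like this one to tell the user which sender embedded a pixel.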

Source: ‘Spy pixels in emails have become endemic’ – BBC News

‘Roaring Kitty’ GameStop investor hit with lawsuit by American idiot

Keith Gill, known as ‘Roaring Kitty’ on YouTube, allegedly duped retail investors into buying inflated stocks while hiding his sophisticated financial background.

Mr Gill has downplayed his impact and rebutted claims he violated any laws. Separately, he will testify on Thursday to Congress about the “Reddit rally”.

“The idea that I used social media to promote GameStop stock to unwitting investors is preposterous,” Mr Gill said in the prepared testimony. “I was abundantly clear that my channel was for educational purposes only, and that my aggressive style of investing was unlikely to be suitable for most folks checking out the channel.”

Mr Gill allegedly bought GameStop shares for $5 (£3.60) and then used social media to drive shares from around $20 in early January to more than $400 in just two weeks.

This violated securities laws against manipulating the market, according to the lawsuit filed by Christian Iovin, a Washington state resident who purchased GameStop stock options.

Mr Gill said he used publicly available information to determine GameStop was undervalued, and shared this view with a “tiny” following on social media ahead of January’s huge price surge.

The lawsuit also names as defendants Massachusetts Mutual Life Insurance Co and its subsidiary MML Investors Services, which employed Mr Gill until 28 January. The company told Massachusetts regulators it was unaware of Mr Gill’s outside activities.

Grilling from lawmakers

A number of people involved in the so-called “Reddit rally” are due to appear before Congress on Thursday, including Mr Gill. Others called to testify include Wall Street hedge fund Melvin Capital, along with the chief executive of Reddit.

The chief executive of Robinhood, the trading platform that restricted the purchases of GameStop shares to investors during the trading frenzy, is also expected to testify.

The GameStop saga was hailed as a victory of the little guys against big Wall Street hedge funds that were betting against video games retailer GameStop and other struggling businesses. But it is unclear what role hedge funds had in the rally, as some are reported to have made millions from the GameStop share rally that was inspired by Reddit users.

Source: ‘Roaring Kitty’ GameStop investor hit with lawsuit – BBC News

France has been suffering A Very ‘Solar Winds’-Like Cyberattack since 2017

As the U.S. continues to chart the damage from the sweeping “SolarWinds” hack, France has announced that it too has suffered a large supply chain cyberattack. The news comes via a recently released technical report published by the Agence Nationale de la sécurité des systèmes d’information—or simply ANSSI—the French government’s chief cybersecurity agency. Like the U.S., French authorities have implied that Russia is probably involved.

According to ANSSI, a sophisticated hacker group has successfully penetrated products of Centreon Systems, a French IT firm specializing in network and system monitoring whose software is used by many French government agencies, as well as some of the nation’s biggest companies (Air France, among others). Centreon’s client page shows that it partners with the French Department of Justice, Ecole Polytechnique, and regional public agencies, as well as some of the nation’s largest agri-food production firms.

While ANSSI did not officially attribute the hack to any organization, the agency says the techniques used bear similarities to those of the Russian military hacker group “Sandworm” (also known as Unit 74455). The intrusion campaign, which dates back at least to 2017, allowed the hackers to breach the systems of a number of French organizations, though ANSSI has declined to name the victims or say how many were affected.

Source: France Just Suffered A Very ‘Solar Winds’-Like Cyberattack

Malware specific to Apple’s new M1 chip has arrived

Now that Apple has officially begun the transition to Apple Silicon, so has malware.

Security researcher Patrick Wardle published a blog detailing that he’d found a malicious program dubbed GoSearch22, a Safari browser extension that’s been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on Macs.) Meanwhile, a new report from Wired also quotes other security researchers as finding other instances of native M1 malware, distinct from Wardle’s findings.

The GoSearch22 malware was signed with an Apple developer ID on Nov. 23, 2020—not long after the first M1 laptops were unveiled. Having a developer ID means a user downloading the malware wouldn’t trigger Gatekeeper on macOS, which notifies users when an application they’re about to download may not be safe. Developers can take the extra step of submitting apps to Apple to be notarized for extra confirmation. However, Wardle notes in his writeup that it’s unclear whether Apple ever notarized the code, as the certificate for GoSearch22 has since been revoked. Unfortunately, he also writes that since this malware was detected in the wild, regardless of whether Apple notarized it, “macOS users were infected.”
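What makes a sample “native M1 malware” rather than an old x86_64 binary running under Rosetta is the presence of an arm64 slice in the Mach-O image, which is what Wardle was looking for. The following is an added example, not code from Wardle’s writeup or from Apple, that reports the architectures in a thin or universal (“fat”) Mach-O so a triage script can flag samples that run natively on Apple Silicon. The two sample binaries are constructed headers only, packed back to back; real universal binaries align each slice to a page boundary, which the parser tolerates because it reads the offsets from the fat_arch table.

```python
"""Report the CPU architectures in a Mach-O image (thin or universal).

Added example with constructed sample headers; not production code.
Header layouts follow <mach-o/fat.h> and <mach-o/loader.h>: the fat
header and fat_arch table are big-endian, a 64-bit thin header is
written in the target's (little-endian) byte order.
"""
import struct
from typing import List

FAT_MAGIC = 0xCAFEBABE          # universal binary, big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
MACH_HEADER_64_SIZE = 32
FAT_HEADER_SIZE = 8
FAT_ARCH_SIZE = 20

CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def macho_architectures(data: bytes) -> List[str]:
    """Return the architectures contained in data; raise ValueError if it is not Mach-O."""
    if len(data) < FAT_HEADER_SIZE:
        raise ValueError("too short to be Mach-O")
    (magic_be,) = struct.unpack_from(">I", data, 0)
    if magic_be == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        archs = []
        for i in range(nfat):
            off = FAT_HEADER_SIZE + FAT_ARCH_SIZE * i
            if off + FAT_ARCH_SIZE > len(data):
                raise ValueError("truncated fat_arch table")
            cputype, _cpusubtype, sl_off, sl_size, _align = struct.unpack_from(">iiIII", data, off)
            # Each slice must lie inside the file and itself start with a Mach-O magic.
            if sl_size < MACH_HEADER_64_SIZE or sl_off + sl_size > len(data):
                raise ValueError(f"slice {i} lies outside the file")
            if struct.unpack_from("<I", data, sl_off)[0] != MH_MAGIC_64:
                raise ValueError(f"slice {i} is not a 64-bit Mach-O")
            archs.append(CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})"))
        return archs
    (magic_le,) = struct.unpack_from("<I", data, 0)
    if magic_le == MH_MAGIC_64 and len(data) >= MACH_HEADER_64_SIZE:
        (cputype,) = struct.unpack_from("<i", data, 4)
        return [CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})")]
    raise ValueError("not a Mach-O file")


def is_macho(data: bytes) -> bool:
    try:
        macho_architectures(data)
        return True
    except ValueError:
        return False


def runs_natively_on_m1(data: bytes) -> bool:
    """True when the image carries an arm64 slice, i.e. it needs no Rosetta translation."""
    return "arm64" in macho_architectures(data)


def _thin_header(cputype: int) -> bytes:
    """Constructed 32-byte mach_header_64 with no load commands (sample data only)."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 0, 0, 0, 0)


# Constructed samples: an x86_64-only binary and a universal x86_64 + arm64 binary.
SAMPLE_THIN_X86 = _thin_header(CPU_TYPE_X86_64)
_SLICE0_OFF = FAT_HEADER_SIZE + 2 * FAT_ARCH_SIZE
_SLICE1_OFF = _SLICE0_OFF + MACH_HEADER_64_SIZE
SAMPLE_FAT = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">iiIII", CPU_TYPE_X86_64, 3, _SLICE0_OFF, MACH_HEADER_64_SIZE, 0)
    + struct.pack(">iiIII", CPU_TYPE_ARM64, 0, _SLICE1_OFF, MACH_HEADER_64_SIZE, 0)
    + _thin_header(CPU_TYPE_X86_64)
    + _thin_header(CPU_TYPE_ARM64)
)

if __name__ == "__main__":
    for name, blob in (("thin", SAMPLE_THIN_X86), ("fat", SAMPLE_FAT)):
        print(name, macho_architectures(blob), "native on M1:", runs_natively_on_m1(blob))
```

Architecture is only the first question in triage; the signing and notarization state the article turns on is read on a Mac with `codesign -dv --verbose=4 <path>` and `spctl --assess --verbose <path>`, and a revoked certificate, as in the GoSearch22 case, is what makes Gatekeeper refuse the binary after the fact even though users who ran it earlier were already affected.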

[…]

Source: The M1 Malware Has Arrived