Hackers Looted Passenger Data From Some of the Biggest Airlines through Supplier SITA

SITA, a data firm that works with some of the world’s largest airlines, announced Thursday that it had been the victim of a “highly sophisticated cyberattack” that compromised information on hundreds of thousands of airline passengers all over the world.

The attack, which occurred in February, targeted data stored on SITA’s Passenger Service System servers, which are responsible for storing information related to transactions between carriers and customers. One of the things SITA does is act as a mechanism for data exchange between different airlines—helping to ensure that passenger “benefits can be used across different carriers” in a systematized fashion.

Exactly which data the hackers accessed is still unclear, though some of it appears to be frequent flyer information shared with SITA by members of the Star Alliance, the world’s largest airline alliance.

An airline alliance is basically an industry consortium, and Star’s membership comprises some of the world’s most prominent airlines, including United Airlines, Lufthansa, Air Canada, and 23 others. Several of those members have already announced breaches connected to the attack, and SITA itself appears to have acknowledged that the affected parties are connected through alliance memberships.

[…]

So far, the breach appears to be wider than it is deep: a lot of people were affected, but in most cases the data being shared with SITA was not extensive. In the case of Singapore Airlines, for instance, upwards of 500,000 people had their data compromised, though the data did not include member itineraries, passwords, or credit card information. The airline has stated:

Around 580,000 KrisFlyer and PPS members have been affected by the breach of the SITA PSS servers. The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer.

[…]

Source: Hackers Looted Passenger Data From Some of the Biggest Airlines

Facebook uses one billion Instagram photos to build massive object-recognition AI that partly trained itself

Known as SEER, short for SElf-supERvised, this massive convolutional neural network contains over a billion parameters. If you show it images of things, it will describe in words what it recognizes: a bicycle, a banana, a red-and-blue striped golfing umbrella, and so on. While its capabilities aren’t all that novel, the way it was trained differs from the techniques used to teach other types of computer vision models. Essentially, SEER partly taught itself using an approach called self-supervision.

First, it learned how to group the Instagram pictures by their similarity without any supervision, using an algorithm nicknamed SwAV. The team then fine-tuned the model by teaching it to associate a million photos taken from the ImageNet dataset with their corresponding human-written labels. This stage was a traditional supervised method: humans curated the photos and labels, and this is passed on to the neural network that was pretrained by itself.

[…]

“SwAV uses online clustering to rapidly group images with similar visual concepts and leverage their similarities. With SwAV, we were able to improve over the previous state of the art in self-supervised learning — and did so with 6x less training time.”

SEER thus learned to associate an image of, say, a red apple with the description “red apple.” Once trained, the model’s object-recognition skills were tested using 50,000 pictures from ImageNet it had not seen before: in each test it had to produce a set of predictions of what was pictured, ranked in confidence from high to low. Its top prediction in each test was accurate 84.2 per cent of the time, we’re told.

The model doesn’t score as highly as its peers in ImageNet benchmarking: the downside of models like SEER is that they’re less accurate than their fully supervised cousins. Yet there are advantages to self-supervised pretraining, Priya Goyal, first author of the project’s paper on SEER, told The Register.

“Using self-supervision pretraining, we can learn on a more diverse set of images as we don’t require labels, data curation or any other metadata,” she said. “This means that the model can learn about more visual concepts in the world in contrast to the supervised training where we can only train on limited or small datasets that are highly curated and don’t allow us to capture visual diversity of the world.”

[…]

SEER was trained over eight days using 512 GPUs. The code for the model isn’t publicly available, although VISSL, the PyTorch library that was used to build SEER, is now up on GitHub.

[…]

Source: Facebook uses one billion Instagram photos to build massive object-recognition AI that partly trained itself • The Register

Results of US ‘Universal Basic Income’ Program? Employment Increased

After getting $500 per month for two years without rules on how to spend it, 125 people in California paid off debt, got full-time jobs and reported lower rates of anxiety and depression, according to a study released Wednesday. The program in the Northern California city of Stockton was the highest-profile experiment in the U.S. of a universal basic income, where everyone gets a guaranteed amount per month for free…

Stockton was an ideal place, given its proximity to Silicon Valley and the eagerness of the state’s tech titans to fund the experiment as they grapple with how to prepare for job losses that could come with automation and artificial intelligence. The Stockton Economic Empowerment Demonstration launched in February 2019, selecting a group of 125 people who lived in census tracts at or below the city’s median household income of $46,033. The program did not use tax dollars, but was financed by private donations, including a nonprofit led by Facebook co-founder Chris Hughes.

A pair of independent researchers at the University of Tennessee and the University of Pennsylvania reviewed data from the first year of the study, which did not overlap with the pandemic. A second study looking at year two is scheduled to be released next year. When the program started in February 2019, 28% of the people slated to get the free money had full-time jobs. One year later, 40% of those people had full-time jobs. A control group of people who did not get the money saw a 5 percentage point increase in full-time employment over that same time period.

“These numbers were incredible. I hardly believed them myself,” said Stacia West, an assistant professor at the University of Tennessee who analyzed the data along with Amy Castro Baker, an assistant professor at the University of Pennsylvania.
The Stockton mayor who’d started the program told reporters to “tell your friends, tell your cousins, that guaranteed income did not make people stop working.”

Source: Results of ‘Universal Basic Income’ Program? Employment Increased – Slashdot

Furious AI Researcher Creates Site Shaming Non-Reproducible Machine Learning Papers

The Next Web tells the story of an AI researcher who discovered that the results of a machine learning research paper couldn’t be reproduced. They then heard similar stories from Reddit’s Machine Learning forum: “Easier to compile a list of reproducible ones…,” one user responded.

“Probably 50%-75% of all papers are unreproducible. It’s sad, but it’s true,” another user wrote. “Think about it, most papers are ‘optimized’ to get into a conference. More often than not the authors know that a paper they’re trying to get into a conference isn’t very good! So they don’t have to worry about reproducibility because nobody will try to reproduce them.” A few other users posted links to machine learning papers they had failed to implement and voiced their frustration with code implementation not being a requirement in ML conferences.

The next day, ContributionSecure14 created “Papers Without Code,” a website that aims to create a centralized list of machine learning papers that are not implementable…

Papers Without Code includes a submission page, where researchers can submit unreproducible machine learning papers along with the details of their efforts, such as how much time they spent trying to reproduce the results… If the authors do not reply in a timely fashion, the paper will be added to the list of unreproducible machine learning papers.

Source: Furious AI Researcher Creates Site Shaming Non-Reproducible Machine Learning Papers – Slashdot

Waymo simulated (not very many) real-world (if the world was limited to 100 sq miles) crashes to prove its self-driving cars can prevent deaths

In a bid to prove that its robot drivers are safer than humans, Waymo simulated dozens of real-world fatal crashes that took place in Arizona over nearly a decade. The Google spinoff found that replacing either vehicle in a two-car crash with its robot-guided minivans would eliminate nearly all deaths, according to data it publicized today.

The results are meant to bolster Waymo’s case that autonomous vehicles operate more safely than human-driven ones. With over a million people dying in auto crashes globally every year, AV operators are increasingly leaning on this safety case to spur regulators to pass legislation allowing more fully autonomous vehicles on the road.

But that case has been difficult to prove out, thanks to the very limited number of autonomous vehicles operating on public roads today. To provide more statistical support for its argument, Waymo has turned to counterfactuals, or “what if?” scenarios, meant to showcase how its robot vehicles would react in real-world situations.

Last year, the company published data from 6.1 million miles of driving in 2019 and 2020, including 18 crashes and 29 near-miss collisions. For the incidents in which its safety operators took control of the vehicle to avoid a crash, Waymo’s engineers generated a counterfactual by simulating what would have happened had the driver not disengaged the self-driving system. The company has also made some of its data available to academic researchers.

That work in counterfactuals continues in this most recent data release. Through a third party, Waymo collected information on every fatal crash that took place in Chandler, Arizona, a suburban community outside Phoenix, between 2008 and 2017. Focusing just on the crashes that took place within its operational design domain, or the approximately 100-square-mile area in which the company permits its cars to drive, Waymo identified 72 crashes to reconstruct in simulation in order to determine how its autonomous system would respond in similar situations.

[…]

The results show that Waymo’s autonomous vehicles would have “avoided or mitigated” 88 out of 91 total simulations, said Trent Victor, director of safety research and best practices at Waymo. Moreover, for the crashes that were mitigated, Waymo’s vehicles would have reduced the likelihood of serious injury by a factor of 1.3 to 15 times, Victor said.

[…]

Source: Waymo simulated real-world crashes to prove its self-driving cars can prevent deaths – The Verge

OK, it’s a good idea, but surely they could have modelled Waymo response on hundreds of thousands of crash scenarios instead of this very tightly controlled tiny subset?

The “Crazy Huge Hack” of Microsoft, Explained – it dwarfs SolarWinds

Last week, Microsoft announced that the on-premises version of its widely used email and calendaring product Exchange had several previously undisclosed security flaws. These flaws, the company said, were being used by foreign threat actors to hack into the networks of U.S. businesses and governments, primarily to steal large troves of email data. Since then, the big question on everybody’s mind has been: Just how bad is this?

The short answer is: it’s pretty bad.

So far, hack descriptors such as “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of Exchange vulnerabilities, it is likely that tens of thousands of U.S.-based entities have had malicious backdoors implanted in their systems. Anonymous sources close to the Microsoft investigation have repeatedly told press outlets that somewhere around 30,000 American organizations have been compromised as a result of the security flaws (if correct, these numbers officially dwarf SolarWinds, which led to the compromise of about 18,000 entities domestically and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much larger. A source recently told Bloomberg that there are “at least 60,000 known victims globally.”

Even more problematically, some researchers have said that, since the public disclosure of the Exchange vulnerabilities, it would appear that attacks on the product have only accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an uptick in activity over the past week.

[…]

Microsoft Exchange Server comes in two formats, which has led to some confusion about what systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said to be unaffected by the security flaws. As previously stated, it is the on-premises products that are being exploited. Other Microsoft email products are not thought to be vulnerable. As CISA has said, “neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments.”

There are four vulnerabilities in on-premises Exchange Servers that are actively being exploited (see: here, here, here, and here). Three other security-related vulnerabilities exist, but authorities say these have not yet been actively exploited (see: here, here, and here). Patches can be found on Microsoft’s website, though, as we’ll go over in more detail later, there have been some issues with proper deployment.

So far, Microsoft has primarily blamed a threat actor dubbed “HAFNIUM” for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group

[…]

Security researchers say it is almost certain that other threat actors are also involved in the exploitation of the vulnerabilities.

[…]

“Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities,” said Red Canary researcher Katie Nickels on Saturday.

Who Is Getting Hit

Due to the widespread use of Exchange, many different types of entities are at risk. Some large organizations, including the European Banking Authority, have already announced breaches.

[…]

As noted above, Microsoft has issued patches for the vulnerabilities—but these patches have had some problems. On Thursday, a Microsoft spokesperson noted that, in certain cases, the patches would appear to work but wouldn’t actually fix the vulnerability. A full break-down of that issue can be found on Microsoft’s website.

Organizations have been warned that they should not only be patching vulnerabilities but should also be investigating whether they have already been compromised. Microsoft has announced resources to help with that. It issued an update to its Safety Scanner (MSERT) tool which can help identify whether web shells have been deployed against Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.
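The article says to look for web shells rather than trust the patch alone. The following is an added example of a triage scan for that, written for this page and not code from the article, from Microsoft or from the MSERT tool. It walks the directories an Exchange front end serves .aspx content from and flags files that pass request input to a dangerous sink, or that sit in a directory that should hold only static assets. The install paths, indicator strings and the two sample files are assumptions constructed for illustration; MSERT and a full forensic review remain the authoritative checks.

```python
"""Heuristic triage for ASP.NET web shells on an on-premises Exchange host.

Added example for this page; not Microsoft's tooling. The paths, indicator
patterns and sample files are assumptions made for illustration.
"""
import re
import tempfile
from pathlib import Path

# Directories an Exchange front end serves from. Assumed default paths; adjust.
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]
# Directories that hold only client-side assets; any .aspx there is suspect.
NO_ASPX_DIRS = {"aspnet_client", "system_web"}

# Attacker-controlled input sources and the sinks a one-file shell feeds them to.
INPUT_PATTERNS = [r"Request\s*\[", r"Request\.Item", r"Request\.Form",
                  r"Request\.QueryString", r"Request\.Headers"]
SINK_PATTERNS = [r"\beval\s*\(", r"Process\.Start", r"ProcessStartInfo",
                 r"File\.WriteAll", r"Assembly\.Load", r"cmd\.exe", r"powershell"]


def score_file(path: Path, newer_than: float = 0.0) -> dict:
    """Return the indicators that make one .aspx file look like a web shell."""
    text = path.read_text(errors="replace")
    reasons = []
    takes_input = any(re.search(p, text) for p in INPUT_PATTERNS)
    sinks = [p for p in SINK_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if takes_input and sinks:
        reasons.append("request input reaches " + ", ".join(sinks))
    if path.parent.name.lower() in NO_ASPX_DIRS:
        reasons.append(f".aspx under {path.parent.name}, which serves only static assets")
    if newer_than and path.stat().st_mtime > newer_than:
        reasons.append("modified after the cutoff timestamp")
    return {"path": str(path), "size": len(text), "reasons": reasons}


def scan(roots, newer_than: float = 0.0, only_hits: bool = True) -> list:
    """Walk each root for .aspx files; return flagged files (or all, for review)."""
    results = []
    for root in roots:
        for p in sorted(Path(root).rglob("*.aspx")):
            result = score_file(p, newer_than)
            if result["reasons"] or not only_hits:
                results.append(result)
    return results


# Constructed sample tree standing in for a real server so the scan runs offline.
# SHELL is a one-line JScript page that evaluates whatever the "cmd" parameter
# carries; LOGON is a harmless page that reads a query parameter but runs nothing.
SHELL = '<%@ Page Language="JScript"%><%eval(Request.Item["cmd"],"unsafe");%>'
LOGON = ('<%@ Page Language="C#" %>\n<html><body>\n'
         '<% string target = Request.QueryString["url"]; %>\n'
         '<form method="post"><input type="submit" value="sign in"/></form>\n'
         '</body></html>\n')


def build_sample_tree() -> str:
    root = Path(tempfile.mkdtemp(prefix="exchange_triage_"))
    (root / "aspnet_client").mkdir()
    (root / "aspnet_client" / "shell.aspx").write_text(SHELL)
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "owa" / "auth" / "logon.aspx").write_text(LOGON)
    return str(root)


def demo() -> list:
    """Score every .aspx in the constructed tree; only shell.aspx gets reasons."""
    return scan([build_sample_tree()], only_hits=False)


if __name__ == "__main__":
    for r in demo():
        print(r["path"], r["size"], "->", "; ".join(r["reasons"]) or "clean")
```

On a real host, call `scan(DEFAULT_ROOTS, newer_than=<epoch of last known-good backup>)` with the roots adjusted to the actual install, and treat every hit as something to preserve and examine, not delete: the file's timestamps, the IIS request logs for it and the account that wrote it are the evidence that answers "how long have they been in".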

[…]


Source: The “Crazy Huge Hack” of Microsoft, Explained

How to build your own digital telescope

The sky is a fascinating place, but the real interesting stuff resides far beyond the thin atmosphere. The Universe, the Milky Way and our Solar System is where it’s at. To be able to peer far out through the sky and observe the galaxy and beyond, one needs a telescope.

This Instructable follows my journey as I develop a miniature GOTO telescope. We’ll look through some of the research I perform, glimpse at my design process, observe the assembly & wiring processes, view instructions for the software configuration and then finally step outside to scope out the cosmos.

The Micro Scope Features.

  • Raspberry Pi 4B & HQ Camera.
  • 300mm Mirror Lens.
  • Canon EOS Lens compatible.
  • NEMA 8 Geared Stepper Motors.
  • Fully GOTO with tracking.
  • GPS.
  • WiFi Enabled.
  • GT2 Belt Drive.
  • Hand Controller.
  • 3D Printed Parts.
  • Tripod.
  • OnStep Telescope Mount GOTO Controller.
  • INDI Server.
  • KStars/Ekos.

Bill Of Materials & 3D Printable Parts.

The BOM & STLs are available from Thingiverse (4708262). However, I recommend downloading The Micro Scope Build Pack as it contains extras not available from Thingiverse!

[…]

Source: The Micro Scope | a Miniture GOTO Telescope. : 41 Steps (with Pictures) – Instructables

Hackers Target Surveillance Firm, Exposing Thousands of Live Camera Feeds at Tesla, Cloudflare, Hospitals, Jails, Police, etc etc etc in anti-surveillance ideology

A hacker group claims to have broken into the networks of cloud-based surveillance startup Verkada, gaining unfiltered access to thousands and thousands of live security camera feeds in the process.

The hack first gained public attention Tuesday afternoon, when a Twitter user who goes by the name “Tillie” began leaking purported images of the hack onto the internet: “ever wondered what a @Tesla warehouse looks like?” the hacker quipped, dangling a picture of what appears to be an industrial facility.

Tillie, who goes by the full name Tillie Kottmann and uses they/them pronouns, is allegedly part of an international hacker collective responsible for having breached Verkada, according to a report from Bloomberg. Once inside, the hackers were able to use the firm’s security feeds to peer into the internal workings of droves of organizations, including medical facilities, psychiatric hospitals, jails, schools and police departments, and even large companies like Tesla, Equinox and Cloudflare. The scope of the hack appears massive.

Among other things, Kottmann implied Tuesday that they could have used their access to Verkada to hack into the laptop of Cloudflare CEO Matthew Prince.

The hacker group has very noticeably courted public attention, calling the intrusion campaign “Operation Panopticon” and claiming they want to “end surveillance capitalism” by bringing attention to the ways in which ubiquitous surveillance dominates people’s lives.

[…]

According to Bloomberg, “Arson Cats” gained entry to the company via a pretty massive security blunder: The hackers discovered a password and username for a Verkada administrative account publicly exposed to the internet. In a Twitter message, Tillie reiterated this to Gizmodo, claiming that once they had compromised the administrator account (called a “super administrator”), they were able to hook into any of the 150,000 video feeds in Verkada’s library.

“The access we had allowed us to impersonate any user of the system and access their view of the platform,” said the hacker, further explaining that the “superadmin rights are also what granted us access to the root shell at the click of a button.”

[…]

Source: Hackers Target Surveillance Firm, Exposing Live Camera Feeds

Russian Cracker / Cybercrime Forums Hacked

In the latest in a string of “hits” on Russian dark web forums, the prominent crime site Maza appears to have been hacked by someone earlier this week.

This is kind of big news since Maza (previously called “Mazafaka”) has long been a destination for all manner of criminal activity, including malware distribution, money laundering, carding (i.e., the selling of stolen credit card information), and lots of other bad behavior. The forum is considered “elite” and hard to join, and in the past, it has been a cesspool for some of the world’s most prolific cybercriminals.

Whoever hacked Maza netted thousands of data points about the site’s users, including usernames, email addresses, and hashed passwords, a new report from intelligence firm Flashpoint shows. Two warning messages were then scrawled across the forum’s home page: “Your data has been leaked” and “This forum has been hacked.”

KrebsOnSecurity reports that the intruder subsequently dumped the stolen data on the dark web, spurring fears among criminals that their identities might be exposed (oh, the irony). The validity of the data has been verified by threat intelligence firm Intel 471.

This hack comes shortly after similar attacks on two other Russian cybercrime forums, Verified and Exploit, that occurred earlier this year. It’s been noted that the successive targeting of such high-level forums is somewhat unusual.

[…]

Source: Hacker Forum Maza Hacked

GPS jamming around Cyprus gives our air traffic controllers a headache, says Eurocontrol

[…]

Jamming of the essential navigational satellite signal has caused enough headaches for the EU air traffic control organisation to prompt an investigation, complete with an instrumented aircraft designed to detect signs of GPS jamming.

Airliners rely on GPS to a great extent, and air traffic management (the science of making sure airliners don’t come dangerously close to each other) is almost solely focused nowadays on building approach paths and airways that are defined by GPS waypoints.

[…]

Eurocontrol “started collecting GNSS outage reports by pilots in 2014, following up significant numbers of outage reports in a given area to determine cause and impact, and to support the [air traffic control company] and operators in question,” said the organisation in its report [PDF], adding that between 2017 and 2018 reported outages rose more than 28-fold, from 154 in 2017 to a whopping 4,364 the following year.

Most of this jamming is focused on the Eastern Mediterranean and specifically affects Cyprus, Eurocontrol said. During a three-hour period in February 2020, a fifth of all flights passing through Cypriot airspace were affected, said the air traffic control org, extrapolating from a research flight it operated with an instrumented Airbus A320 that flew south of Cyprus itself.

The eastern Med, especially around Syria and Lebanon, has long been a conflict zone – and air forces from West and East alike have long been jamming GPS as part of their military operations there.

“Larnaca could become an absolute shitshow when the Americans jammed it,” an airline pilot told The Register. Describing one incident, where a radar* contact that was “going at least 50 per cent faster than us” passed below his aircraft, the pilot said it seemed to be on course for Sicily shortly before his own aircraft had a GPS failure.

“Luckily at that point, because at high altitude, it’s irritating, but not a major issue. Because for short term, you’ve got your eyes and your internal navigation system,” said the pilot.

It has deeper effects, however. “The main issue is when it happens in Larnaca (eastern Cyprus), because you’re right next to mountains and [you’re following a] GNSS approach. And if you get jammed, it causes the map to shift and the plane then decides that it’s currently inside a mountain. Sets off all of your terrain warnings.”

[…]

Triggering a terrain warning means immediately having to perform a prescribed escape manoeuvre that can mean breaking off an otherwise safe approach to land, said the pilot, who spoke on condition of anonymity because he is not an official spokesman for his airline. This causes delays and potentially extra costs to the airline and its passengers.
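The pilot’s account describes two distinct failure modes: outright loss of the fix, and a fix that is still produced but has shifted, which is the one that drives the map into a mountain. The following added example (written for this page; it is not from Eurocontrol, the pilot or any avionics vendor) shows the cross-check he alludes to, comparing each GPS fix against the aircraft’s own dead-reckoned position and refusing to let an implausible fix move the estimate. The approach position, track, speed, satellite counts and the 500 m threshold are constructed for illustration; certified receivers do this with RAIM over satellite geometry, not a flat-earth check.

```python
"""Plausibility monitor for GPS fixes against a dead-reckoned (inertial) estimate.

Added example for this page. All positions, speeds, thresholds and satellite
counts are constructed; this is not how any certified avionics box does it.
"""
import math

M_PER_DEG_LAT = 111_320.0  # metres per degree of latitude (flat-earth approximation)


def dead_reckon(lat, lon, track_deg, speed_mps, dt_s):
    """Propagate a position along a constant track and speed for dt_s seconds."""
    dist = speed_mps * dt_s
    north = dist * math.cos(math.radians(track_deg))
    east = dist * math.sin(math.radians(track_deg))
    return (lat + north / M_PER_DEG_LAT,
            lon + east / (M_PER_DEG_LAT * math.cos(math.radians(lat))))


def separation_m(a, b):
    """Distance in metres between two (lat, lon) points, flat-earth approximation."""
    mid_lat = math.radians((a[0] + b[0]) / 2)
    north = (b[0] - a[0]) * M_PER_DEG_LAT
    east = (b[1] - a[1]) * M_PER_DEG_LAT * math.cos(mid_lat)
    return math.hypot(north, east)


def monitor(fixes, track_deg, speed_mps, max_sep_m=500.0, min_sats=4):
    """Classify each fix as OK, REJECT (inconsistent with dead reckoning) or LOSS.

    fixes: list of (t_s, lat, lon, n_sats). The inertial estimate is seeded from
    the first fix, propagated between fixes, and corrected only by fixes that
    pass the check, so a shifted fix never drags the estimate with it.
    """
    verdicts = []
    est = (fixes[0][1], fixes[0][2])
    t_prev = fixes[0][0]
    for t, lat, lon, n_sats in fixes:
        est = dead_reckon(est[0], est[1], track_deg, speed_mps, t - t_prev)
        t_prev = t
        if n_sats < min_sats:
            verdicts.append((t, "LOSS"))      # receiver jammed: no usable fix at all
            continue
        if separation_m(est, (lat, lon)) > max_sep_m:
            verdicts.append((t, "REJECT"))    # map shift: keep the inertial estimate
            continue
        verdicts.append((t, "OK"))
        est = (lat, lon)                      # good fix: trim inertial drift
    return verdicts


# Constructed approach: 70 m/s on track 220 deg, one fix every 10 s.
TRACK, SPEED, START = 220.0, 70.0, (34.875, 33.620)


def make_fixes():
    """True track for 60 s, with a ~2.2 km shifted fix at t=40 and a 2-satellite outage at t=50."""
    fixes, pos = [], START
    for t in range(0, 70, 10):
        if t > 0:
            pos = dead_reckon(pos[0], pos[1], TRACK, SPEED, 10)
        lat, lon, n_sats = pos[0], pos[1], 9
        if t == 40:
            lat += 0.02            # spoofed/shifted fix, about 2.2 km north of truth
        if t == 50:
            n_sats = 2             # jammed: receiver cannot form a fix
        fixes.append((t, lat, lon, n_sats))
    return fixes


def demo():
    return monitor(make_fixes(), TRACK, SPEED)


if __name__ == "__main__":
    for t, verdict in demo():
        print(f"t={t:3d}s {verdict}")
```

The point of the design is the order of operations: the estimate is propagated first, the fix is judged against it, and only an accepted fix feeds back. A monitor that updates the estimate before checking would accept the shifted fix at t=40 and then reject the genuine one at t=60, which is exactly the map-shift behaviour the pilot describes.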

[…]

As for Eurocontrol, the body plaintively concluded: “At national level, local RFI [radio frequency interference] mitigation measures need to be taken, ideally including the ability to conduct in-flight RFI measurements.

“While the majority of RFI hotspots appear to originate in conflict zones, they affect commercial aviation at large distances from these zones, reflecting a disproportionate use of jamming that appears to go well beyond simple military mission effectiveness.”

So far the problem’s been formally identified: but, other than flying around jamming zones, what else can pilots do?

Source: GPS jamming around Cyprus gives our air traffic controllers a headache, says Eurocontrol • The Register