Italy’s competition watchdog has ordered Google to pay over €100 million ($123 million) for abuse of its dominant position. The regulator said Google had shut out an electric vehicle recharging app from its Android Auto infotainment platform for cars for over two years.
The company at the core of the action is Enel X — a subsidiary of Italian energy provider Enel — which through its JuicePass app gives EV drivers access to about 95,000 public charging points in Europe. The watchdog said by blocking the app for over two years Google was essentially favoring Google Maps, which also lets users search for nearby EV charging points. Along with the fine, the regulator told Google to make the JuicePass app available on Android Auto.
Echoing concerns raised by its EU and UK counterparts, the Italian authority pointed to Google’s gatekeeper status over the digital economy. The regulator said Android OS and the Google Play store had given the company a “dominant position” that allowed it to “control the access of app developers to end users.” In the case of Enel X, the watchdog said that by excluding the JuicePass app Google had put its rival’s business in jeopardy and potentially hobbled the advancement of electric mobility.
The new technique uses a computer to convert attempted handwriting movements from brain activity into on-screen text. As part of their tests, the team worked with a 65-year-old participant (named T5 in the study) who was paralyzed from the neck down due to a spinal cord injury sustained in 2007.
The researchers started by placing two brain chip implants into T5’s motor cortex — the part of the brain that controls movement. They told the participant to imagine he was writing normally with a pen on a piece of ruled paper. The brain chips then sent his neural signal through wires to a computer where an AI algorithm essentially transcribed his “mindwriting” by decoding hand and finger motion.
The end result saw T5 reach a writing speed of about 18 words per minute with 94.1 percent accuracy. Comparatively, an able-bodied adult of a similar age can type about 23 words per minute on a smartphone.
Senator Wyden’s office asked the Department of Defense (DoD), which includes various military and intelligence agencies such as the National Security Agency (NSA) and the Defense Intelligence Agency (DIA), for detailed information about its data purchasing practices after Motherboard revealed special forces were buying location data. The responses also touched on military or intelligence use of internet browsing and other types of data, and prompted Wyden to demand more answers specifically about warrantless spying on American citizens.
Some of the answers the DoD provided were given in a form that means Wyden’s office cannot legally publish specifics on the surveillance; one answer in particular was classified. In the letter Wyden is pushing the DoD to release the information to the public.
[…]
“Are any DoD components buying and using without a court order internet metadata, including ‘netflow’ and Domain Name System (DNS) records,” the question read, and asked whether those records were about “domestic internet communications (where the sender and recipient are both U.S. IP addresses)” and “internet communications where one side of the communication is a U.S. IP address and the other side is located abroad.”
Netflow data creates a picture of traffic flow and volume across a network. DNS records relate to when a user looks up a particular domain, and a system then converts that text into the specific IP address for a computer to understand; essentially a form of internet browsing history.
Wyden’s new letter to Austin urging the DoD to release that answer and others says “Information should only be classified if its unauthorized disclosure would cause damage to national security. The information provided by DoD in response to my questions does not meet that bar.”
[…]
“Other than DIA, are any DoD components buying and using without a court order location data collected from phones located in the United States?” one of Wyden’s questions reads. The answer to that is one that Wyden is urging the DoD to release.
The DIA memo said the agency believes it does not require a warrant to obtain such information. Following this, Wyden also asked the DoD which other DoD components have adopted a similar interpretation of the law. One response said that each component is itself responsible for making sure it follows the law.
Wyden is currently proposing a new piece of legislation called The Fourth Amendment Is Not For Sale Act which would force some agencies to obtain a warrant for location and other data.
A day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline cyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of the funds it made from ransom payments.
“A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers,” said Darksupp, the operator of the Darkside ransomware, in a post spotted by Recorded Future threat intelligence analyst Dmitry Smilyanets.
“Now these servers are unavailable via SSH, and the hosting panels are blocked,” said the Darkside operator while also complaining that the web hosting provider refused to cooperate.
In addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang’s payment server, which was hosting ransom payments made by victims.
The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.
Takedown?
This sudden development comes after US authorities announced their intention to go after the gang.
[…]
Or exit scam?
But Smilyanets warns that the group’s announcement could also be a ruse, as no announcement has yet been made by US officials.
The group could be taking advantage of President Biden’s statements as cover to shut down its infrastructure and run away with its affiliates’ money without paying their cuts—a tactic known as an “exit scam” on the cybercriminal underground.
[…]
The news that Darkside lost control of its servers and that a major cybercrime forum was banning ransomware ads, all happening within a span of hours of each other, also had an effect on REvil, arguably considered today’s biggest ransomware operation.
In a post quoting Darkside’s (now-deleted) statement, REvil spokesperson Unknown made an announcement of their own and said they also plan to stop advertising their Ransomware-as-a-Service platform and “go private”—a term used by cybercrime gangs to describe their intention to work with a small group of known and trusted collaborators only.
Additionally, the REvil group also said that it plans to stop attacking sensitive social sectors like healthcare, educational institutes, and the government networks of any country, which it believes could draw unwanted attention to its operation, such as the attention Darkside is getting right now.
In the case of any such attacks carried out by any of its collaborators, REvil said they plan to provide a free decryption key to victims and stop working with the misbehaving affiliate.
Image: Recorded Future
Furthermore, hours after REvil’s announcement, the operators of the Avaddon ransomware also announced similar updates to their program, with the same clause barring ransomware groups from attacking government entities, healthcare orgs, and educational institutes.
While we may never know who or what is driving these changes among ransomware gangs, it is pretty clear that the Colonial Pipeline attack and its aftermath appear to have been the straw that broke the camel’s back, and US authorities have started applying some sort of pressure on these groups.
The Tianwen-1 mission, China’s first interplanetary endeavor, reached the surface of the Red Planet Friday (May 14) at approximately 7:11 p.m. EDT (2311 GMT), though Chinese space officials have not yet confirmed the exact time and location of touchdown. Tianwen-1 (which translates to “Heavenly Questions”) arrived in Mars’ orbit in February after launching to the Red Planet on a Long March 5 rocket in July 2020.
After circling the Red Planet for more than three months, the Tianwen-1 lander, with the rover attached, separated from the orbiter to begin its plunge toward the planet’s surface. Once the lander and rover entered Mars’ atmosphere, the spacecraft endured a similar procedure to the “seven minutes of terror” that NASA’s Mars rovers have experienced when attempting soft landings on Mars.
An artist’s concept of China’s first Mars rover mission, Tianwen-1, at the Red Planet. (Image credit: CCTV/CNSA)
A heat shield protected the spacecraft during the fiery descent, after which the mission safely parachuted down to the Utopia Planitia region, a plain inside of an enormous impact basin in the planet’s northern hemisphere. Much like during NASA’s Perseverance rover landing, Tianwen-1’s landing platform fired some small, downward-facing rocket engines to slow down during the last few seconds of its descent.
The China National Space Administration (CNSA) has not yet officially confirmed the successful landing, but it has been announced on social media by the state-run China Global Television Network (CGTN) and by researchers at Macau University of Science and Technology in China.
Successful landing of #Tianwen1, on #Mars! Landing point: 109.7 E, 25.1 N, less than 40 km from target location in Utopia Planitia. More details expected later! pic.twitter.com/bMSvziscji (May 15, 2021)
China’s Mars rover, called Zhurong after an ancient fire god in Chinese mythology, will part ways with the lander by driving down a foldable ramp. Once it has deployed, the rover is expected to spend at least 90 Mars days (or about 93 Earth days; a day on Mars lasts about 40 minutes longer than a day on Earth) roving around on Mars to study the planet’s composition and look for signs of water ice. Utopia Planitia is believed to contain vast amounts of water ice beneath the surface. It’s also where NASA’s Viking 2 mission touched down in 1976.
An image of Utopia Planitia taken by the Tianwen-1 orbiter at an altitude of about 220 miles (350 kilometers). (Image credit: CNSA)
The six-wheeled rover, which is about the size of NASA’s twin Mars rovers Spirit and Opportunity, carries six scientific instruments on board, including two panoramic cameras, a ground-penetrating radar and a magnetic field detector. It also has a laser that it can use to zap rocks and study their composition, as well as a meteorological instrument to study the climate and weather on Mars.
Zhurong will work in tandem with the Tianwen-1 orbiter to study the Red Planet, and the orbiter will serve as a data relay station for communications between Zhurong and mission controllers on Earth. The orbiter is designed to last for at least one Mars year, or about 687 Earth days.
In a 28-second video, which was posted to Twitter this week by a spokesman for Prime Minister Benjamin Netanyahu of Israel, Palestinian militants in the Gaza Strip appeared to launch rocket attacks at Israelis from densely populated civilian areas.
Instead, the video that he shared, which can be found on many YouTube channels and other video-hosting sites, was from 2018. And according to captions on older versions of the video, it showed militants firing rockets not from Gaza but from Syria or Libya.
The video was just one piece of misinformation that has circulated on Twitter, TikTok, Facebook, WhatsApp and other social media this week about the rising violence between Israelis and Palestinians, as Israeli military ground forces attacked Gaza early on Friday. The false information has included videos, photos and clips of text purported to be from government officials in the region, with posts baselessly claiming early this week that Israeli soldiers had invaded Gaza, or that Palestinian mobs were about to rampage through sleepy Israeli suburbs.
They may be tiny weapons, but BYU’s holography research group has figured out how to create lightsabers — green for Yoda and red for Darth Vader, naturally — with actual luminous beams rising from them.
Inspired by the displays of science fiction, the researchers have also engineered battles between equally small versions of the Starship Enterprise and a Klingon Battle Cruiser that incorporate photon torpedoes launching and striking the enemy vessel that you can see with the naked eye.
“What you’re seeing in the scenes we create is real; there is nothing computer generated about them,” said lead researcher Dan Smalley, a professor of electrical engineering at BYU. “This is not like the movies, where the lightsabers or the photon torpedoes never really existed in physical space. These are real, and if you look at them from any angle, you will see them existing in that space.”
[…]
Smalley and Rogers detail these and other recent breakthroughs in a new paper published in Nature Scientific Reports this month. The work overcomes a limiting factor of optical trap displays: although the technology cannot show virtual images directly, Smalley and Rogers show it is possible to simulate virtual images by employing a time-varying perspective projection backdrop.
“We can play some fancy tricks with motion parallax and we can make the display look a lot bigger than it physically is,” Rogers said. “This methodology would allow us to create the illusion of a much deeper display up to theoretically an infinite size display.”
To see more of the holography work professor Dan Smalley is doing with his students, check out his lab website here: https://www.smalleyholography.org/
Facebook Inc. was ordered to stop collecting German users’ data from its WhatsApp unit, after a regulator in the nation said the company’s attempt to make users agree to the practice in its updated terms isn’t legal.
Johannes Caspar, who heads Hamburg’s privacy authority, issued a three-month emergency ban, prohibiting Facebook from continuing with the data collection. He also asked a panel of European Union data regulators to take action and issue a ruling across the 27-nation bloc. The new WhatsApp terms enabling the data scoop are invalid because they are not transparent, inconsistent and overly broad, he said.
“The order aims to secure the rights and freedoms of millions of users which are agreeing to the terms Germany-wide,” Caspar said in a statement on Tuesday. “We need to prevent damage and disadvantages linked to such a black-box-procedure.”
The order strikes at the heart of Facebook’s business model and advertising strategy. It echoes a similar and contested step by Germany’s antitrust office attacking the network’s habit of collecting data about what users do online and merging the information with their Facebook profiles. That trove of information allows ads to be tailored to individual users — creating a cash cow for Facebook.
Facebook’s WhatsApp unit called Caspar’s claims “wrong” and said the order won’t stop the roll-out of the new terms. The regulator’s action is “based on a fundamental misunderstanding” of the update’s purpose and effect, the company said in an emailed statement.
The U.S. tech giant has faced global criticism over the new terms that WhatsApp users are required to accept by May 15. Caspar said Facebook may already be wrongfully handling data and said it’s important to prevent misuse of the information to influence the German national election in September.
OSIRIS-REx, a NASA spacecraft tasked with collecting rocks and dust from a nearby asteroid named Bennu, is coming back home after almost five years away. The spacecraft, officially named Origins, Spectral Interpretation, Resource Identification, Security, Regolith Explorer, fired its engines to begin its Earthward journey on May 10. Its return trip will take two and a half years.
Bennu, the asteroid the spacecraft accosted, is a 1,600-foot-wide (500-meter) hunk of rock and ice located 200 million miles (321 million kilometers) from Earth. OSIRIS-REx snagged a handful of dust last October after a fairly dramatic encounter with the desolate little world. NASA was concerned that OSIRIS-REx wouldn’t be able to bring back a full sample due to leaks in the collection system. Thankfully, the samples now are headed to Earth, where they will be carefully examined by researchers.
A Windows Defender bug creates thousands of small files that waste gigabytes of storage space on Windows 10 hard drives.
The bug started with Windows Defender antivirus engine 1.1.18100.5 and will cause the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store folder to be filled up with thousands of files with names that appear to be MD5 hashes.
Windows Defender folder filled with small files
From a system seen by BleepingComputer, the created files range in size from 600 bytes to a little over 1KB.
File properties of one of these files
While the system we looked at only had approximately 1MB of files, other Windows 10 users report that their systems have been filled up with hundreds of thousands of files, which in one case, used up 30GB of storage space.
On smaller SSD system drives (C:), this can be a considerable amount of storage space to waste on unnecessary files.
According to Deskmodder, who first reported on this issue, the bug has now been fixed in the latest Windows Defender engine, version 1.1.18100.6.
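An added check for administrators who want to see whether a machine is affected, written for this article and not taken from the BleepingComputer report, Deskmodder or Microsoft. It assumes only the store path and the engine version numbers quoted above, uses the Defender module’s `Get-MpComputerStatus` cmdlet (its `AMEngineVersion` property reports the antimalware engine build), and treats a 32-hex-character file name as “looks like an MD5 hash” (an assumption based on the report’s description). It only reports; it deletes nothing.

```powershell
# Added example: inventory the Defender scan-history store described in the
# report and compare the installed engine build against the fixed build.
# Path and version numbers come from the article; nothing here is Microsoft's.
$storePath   = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store'
$firstBuggy  = [version]'1.1.18100.5'   # engine build the report says introduced the bug
$fixedEngine = [version]'1.1.18100.6'   # engine build the report says fixed it

# Engine build as reported by Defender itself.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion
$inBuggyRange = ($engine -ge $firstBuggy) -and ($engine -lt $fixedEngine)

# Enumerate the store. The Windows Defender ProgramData tree is access-controlled,
# so run this from an elevated prompt or the listing may come back empty.
$files = Get-ChildItem -LiteralPath $storePath -File -Force -ErrorAction SilentlyContinue

# Assumption: the "MD5-looking" names are exactly 32 hex characters, no extension.
$hashLike = @($files | Where-Object { $_.Name -match '^[0-9a-fA-F]{32}$' })

$totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
if (-not $totalBytes) { $totalBytes = 0 }

[pscustomobject]@{
    EngineVersion      = $engine
    EngineInBuggyRange = $inBuggyRange      # $true means the fix is not yet installed
    StoreFileCount     = @($files).Count
    HashLikeFileCount  = $hashLike.Count
    StoreSizeMB        = [math]::Round($totalBytes / 1MB, 2)
}
```

A large `HashLikeFileCount` together with `EngineInBuggyRange = $true` matches the symptom described in the report; after the engine updates to 1.1.18100.6 the count should stop growing.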
An NHS Digital-run vaccine-booking website exposed just how many vaccines individual people had received – and did so with no authentication, according to the Guardian.
The booking page, aimed at English NHS patients wanting to book first and second coronavirus jabs, would tell anyone at all whether a named person had had zero, one or two vaccination doses, the newspaper reported on Thursday.
All you need, it says, are the date of birth and postcode of the person whose vaccination status you wanted to check up on.
[…]
Vaccination status is set to become a political hot potato as the UK restarts its economy following the 2020 COVID-19 shutdown. Government policy is to enforce vaccine passports, initially as a means of deterring overseas travel but rumours persist that they will be required for domestic activities. To that end, the ruling Conservatives’ insincere promise in December that vaccine passports wouldn’t become reality at all has prompted a 350,000 strong Parliamentary petition against them.
Carelessness around health data in general has been a feature of the current government’s tech-driven approach to tackling COVID-19. Such repeated incidents have a habit of lodging themselves in the public’s consciousness, making it harder to gain consent for genuine health-boosting measures based on handing data over to public sector bodies.
a company called Flawless has created an AI-powered solution that will replace an actor’s facial performance to match the words in a film dubbed for foreign audiences.
[…]
What Flawless is promising to do with its TrueSync software is use the same tools responsible for deepfake videos to manipulate and adjust an actor’s face in a film so that the movements of their mouths, and in turn the muscles in their faces, more closely match how they’d move were the original performance given in the language a foreign audience is hearing. So even though an actor shot a film in English, to a moviegoer in Berlin watching the film dubbed in German, it would appear as if all of the actors were actually speaking German.
[…]
Is it necessary? That’s certainly up for debate. The recent Academy Award-winning film Parasite resurfaced the debate over dubbing a foreign film versus simply watching it with subtitles. One side feels that an endless string of text over a film is distracting and takes the focus away from everything else happening on screen, while the other side feels that a dub performed by even a talented and seasoned voice artist simply can’t match or recreate the emotions behind the original actor’s performance, and hearing it, even if the words aren’t understood, is important to enjoying their performance as a whole.
[…]
The company has shared a few examples of what the TrueSync tool is capable of on its website, and sure enough, Tom Hanks appears to be speaking flawless Japanese in Forrest Gump.
After ten years of toiling, the team has demonstrated in a paper published on Thursday in the journal Optica the development of a laser with record-breaking intensity over 10²³ watts per square centimeter. Nam told Motherboard in an email that you can compare the intensity of this laser beam to the combined power of all of the sunlight across the entire planet, but pressed together into roughly the size of a speck of dust or a single red blood cell. This whole burst of power happens in just fractions of a second.
“The laser intensity of 10²³ W/cm² is comparable to the light intensity obtainable by focusing all the sunlight reaching Earth to a spot of 10 microns,” explained Nam.
To achieve this effect, Nam and colleagues at the Center for Relativistic Laser Science (CoReLS) lab constructed a kind of obstacle course for the laser beam to pass through to amplify, reflect, and control the motion of the photons comprising it. Because light behaves as both a particle (e.g. individual photons) as well as a wave, controlling the wavefront of this laser (similar to the front of an ocean wave) was crucial to make sure the team could actually focus its power.
Nam explains that the technology to make this kind of precise control possible has been years in the making.
“We have developed ultrahigh power femtosecond lasers for more than a decade, reaching the output power of 4 PW (10¹⁵ W) in 2017,” says Nam. “We then developed the laser technology to focus the beam size of 28 cm to 1 micron, for which we have to make the laser wavefront superb using a deformable mirror.”
[…]
Beyond being a scientific breakthrough, Nam said that this high-intensity laser will open doors to explore some of the universe’s most fundamental questions that had previously only been explored by theoreticians.
“With such ultrahigh laser intensity we can tackle such phenomena as electron-positron pair production from light-light interactions… This kind of phenomena is supposed to happen in the early universe, plasma jets from supernova explosions and from black holes,” said Nam.
Thanks to these lasers, and even more powerful ones yet to come, Nam says that it will now be possible to explore these cosmic rays in the lab instead of just through simulations and theories. Using laser pulses, the researchers will be able to make and collide high energy electrons with photons, recreating the Compton scattering effect that scientists believe creates such high-energy cosmic rays.
Nam also said that these lasers have a more terrestrial purpose as well in the form of cancer treatment technology.
Proton therapy is a newer cancer treatment that directs positively charged proton beams to patients’ tumors using an accelerator. While this technique has shown promise, the use of an accelerator also requires a large, and expensive, radiation shield.
Nam proposes that using laser beams to direct these protons instead could be a more cost-efficient solution and may get this treatment into the hands of even more patients.
Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets’ networks as a legitimate pentesting exercise.
Now, the UK’s National Cyber Security Centre (NCSC) and the US warn, the SVR is busy exploiting a dozen critical-rated vulns (including RCEs) in equipment ranging from Cisco routers through to VMware virtualization kit – and the well-known Pulse Secure VPN flaw, among others.
“In one example identified by the NCSC, the actor had searched for authentication credentials in mailboxes, including passwords and PKI keys,” warned the GCHQ offshoot today.
Roughly equivalent to MI6 mixed with GCHQ, the SVR is Russia’s foreign intelligence service and is known to infosec pros as APT29. A couple of weeks ago, Britain and the US joined forces to out the SVR’s Tactics, Techniques and Procedures (TTPs), giving the world’s infosec defenders a chance to look out for the state-backed hackers’ fingerprints on their networked infrastructure.
On top of all that the SVR is also posing as legitimate red-team pentesters: looking for easy camouflage, the spies hopped onto GitHub and downloaded the free open-source Sliver red-teaming platform, in what the NCSC described as “an attempt to maintain their accesses.”
There are more vulns being abused by the Russians and the full NCSC advisory on what these are can be read on the NCSC website. The advisory includes YARA and Snort rules.
The Department of Justice quietly seized phone records and tried to obtain email records for three Washington Post reporters, ostensibly over their coverage of then-U.S. Attorney General Jeff Sessions and Russia’s role in the 2016 presidential election, according to officials and government letters reviewed by the Post.
Justice Department regulations typically mandate that news organizations be notified when it subpoenas such records. However, though the Trump administration OK’d the decision, officials apparently left the notification part for the Biden administration to deal with. I guess they just never got around to it. Probably too busy inspiring an insurrection and trying to overthrow the presidential election.
In three separate letters dated May 3 addressed to reporters Ellen Nakashima, Greg Miller, and former reporter Adam Entous, the Justice Department wrote they were “hereby notified that pursuant to legal process the United States Department of Justice received toll records associated with the following telephone numbers for the period from April 15, 2017 to July 31, 2017,” according to the Post. Listed were Miller’s work and cellphone numbers, Entous’ cellphone number, and Nakashima’s work, cellphone, and home phone numbers. These records included all calls to and from the phones as well as how long each call lasted but did not reveal what was said.
According to the letters, the Post reports that prosecutors also secured a court order to seize “non content communications records” for the reporters’ email accounts, which would disclose who emailed whom and when the emails were sent but not their contents. However, officials ultimately did not obtain these records, the outlet said.
[…]
“We are deeply troubled by this use of government power to seek access to the communications of journalists,” said the Post’s acting executive editor Cameron Barr. “The Department of Justice should immediately make clear its reasons for this intrusion into the activities of reporters doing their jobs, an activity protected under the First Amendment.”
Frustratingly, the letters apparently don’t go into why the Department of Justice seized this data. A department spokesperson told the outlet that the decision to do so was made in 2020 during the Trump administration. (It’s worth noting that former President Donald Trump has made it crystal clear that he despises news media and the government leakers that provide them their scoops.)
Based on the time period cited in the letters and what the reporters covered during those months, the Post speculates that their investigations into Sessions and Russian interference could be why the department wanted to get its hands on their phone data.
You probably haven’t seen PimEyes, a mysterious facial-recognition search engine, but it may have spotted you.
If you upload a picture of your face to PimEyes’ website, it will immediately show you any pictures of yourself that the company has found around the internet. You might recognize all of them, or be surprised (or, perhaps, even horrified) by some; these images may include anything from wedding or vacation snapshots to pornographic images.
PimEyes is open to anyone with internet access.
[…]
Imagine a potential employer digging into your past, an abusive ex tracking you, or a random stranger snapping a photo of you in public and then finding you online. This is all possible through PimEyes.
[…]
PimEyes lets users see a limited number of small, somewhat pixelated search results at no cost, or you can pay a monthly fee, which starts at $29.99, for more extensive search results and features (such as to click through to see full-size images on the websites where PimEyes found them and to set up alerts for when PimEyes finds new pictures of faces online that its software believes match an uploaded face).
The company offers a paid plan for businesses, too: $299.99 per month lets companies conduct unlimited searches and set up 500 alerts.
[…]
while Clearview AI built its massive stockpile of faces in part by scraping images from major social networks (it was subsequently served with cease-and-desist notices by Facebook, Google, and Twitter, sued by several civil rights groups, and declared illegal in Canada), PimEyes said it does not scrape images from social media.
[…]
I wanted to learn more about how PimEyes works, and why it’s open to anyone, as well as who’s behind it. This was much trickier than uploading my own face to the website. The website currently lists no information about who owns or runs the search engine, or how to reach them, and users must submit a form to get answers to questions or help with accounts.
Poring over archived images of the website via the Internet Archive’s Wayback Machine, as well as other online sources, yielded some details about the company’s past and how it has changed over time.
The Pimeyes.com website was initially registered in March 2017, according to a domain name registration lookup conducted through ICANN (Internet Corporation for Assigned Names and Numbers). An “about” page on the Pimeyes website, as well as some news stories, shows it began as a Polish startup.
An archived image of the website’s privacy policy indicated that it was registered as a business in Wroclaw, Poland, as of August 2020. This changed soon after: The website’s privacy policy currently states that PimEyes’ administrator, known as Face Recognition Solutions Ltd., is registered at an address in the Seychelles. An online search of the address — House of Francis, Room 303, Ile Du Port, Mahe, Seychelles — indicated a number of businesses appear to use the same exact address.
CNN says it’s a contrast with Clearview AI because they supposedly limit their database to law enforcement. The problem with Clearview was partially that they didn’t limit access at all, giving out free accounts to anyone and everyone.
One of the USA’s largest oil pipelines has been shut by ransomware, leading the nation’s Federal Motor Carrier Safety Administration to issue a regional emergency declaration permitting the transport of fuel by road.
The Colonial Pipeline says it carries 100 million gallons a day of refined fuels between Houston, Texas, and New York Harbor, or 45 percent of all fuel needed on the USA’s East Coast. The pipeline carries fuel for cars and trucks, jet fuel, and heating oil.
It’s been offline since May 7, according to a company statement, due to what the outfit described as “… a cybersecurity attack [that] involves ransomware.”
It added: “In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
[…]
In a statement on May 10 fingering the culprits of the attack, the FBI said “the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”
Meanwhile, on its Tor-hidden website, the Darkside crew seems to regret the attention it has drawn from Uncle Sam. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” it wrote.
After facing international backlash over impending updates to its privacy policy, WhatsApp has ever-so-slightly backtracked on the harsh consequences it initially planned for users who don’t accept them—but not entirely.
In an update to the company’s FAQ page, WhatsApp clarifies that no users will have their accounts deleted or instantly lose app functionality if they don’t accept the new policies. It’s a step back from what WhatsApp had been telling users up until this point. When this page was first posted back in February, it specifically told users that those who don’t accept the platform’s new policies “won’t have full functionality” until they do. The threat of losing functionality is still there, but it won’t be automatic.
“For a short time, you’ll be able to receive calls and notifications, but won’t be able to read or send messages from the app,” WhatsApp wrote at the time. While the deadline to accept was initially early February, the blowback the company got from, well, just about everyone, caused the deadline to be postponed until May 15—this coming Saturday.
After that, folks that gave the okay to the new policy won’t notice any difference to their daily WhatsApp experience, and neither will the people that didn’t—at least at first. “After a period of several weeks, the reminder [to accept] people receive will eventually become persistent,” WhatsApp wrote, adding that users getting these “persistent” reminders will see their app stymied pretty significantly: For a “few weeks,” users won’t be able to access their chat lists, but will be able to answer incoming phone and video calls made over WhatsApp. After that grace period, WhatsApp will stop sending messages and calls to your phone entirely (until you accept).
[…]
It’s worth mentioning here that if you keep the app installed but still refuse to accept the policy for whatever reason, WhatsApp won’t outright delete your account because of that. That said, WhatsApp will probably delete your account due to “inactivity” if you don’t connect for 120 days, as is WhatsApp policy.
[…]
While the company has done the bare minimum in explaining what this privacy policy update actually means, the company hasn’t done much to assuage the concerns of lawyers, lawmakers, or really anyone else. And it doesn’t look like these new “reminders” will put them at ease, either.
Earlier this year fans reverse-engineered the source code to Grand Theft Auto III and Grand Theft Auto: Vice City. They released it to the web, but Grand Theft Auto copyright holder Take-Two pulled it offline via a DMCA claim. But one fan stood up to the publisher and has now succeeded in getting the reverse-engineered source code back online.
Deriving the source code through reverse-engineering was a huge milestone for the GTA hacking scene. Players would still need the original game assets to run either classic GTA title, but with accessible source code, modders and devs could begin porting the game to new platforms or adding new features. That’s exactly what’s happened this past year with Super Mario 64.
However, as TorrentFreak reports, a New Zealand-based developer named Theo, who maintained a fork of the removed code, didn’t agree with Take-Two’s claims and pushed back, filing their own counter-notice with GitHub last month. This counter-claim seems to have succeeded, as GitHub’s made the fan-derived source code available to download once more.
Theo explained in their counter-claim that the code didn’t, in fact, contain any original work created or owned by Take-Two Interactive, so it should not have been removed. They filed their claim last month after Take-Two removed over 200 forks of the reversed source, all built off of the original reverse-engineered code. That original repository and all the rest remain unavailable, as only Theo’s fork was restored by the DMCA counter-claim.
[Image: Grand Theft Auto III. Screenshot: Rockstar Games]
In an interview with TorrentFreak, the dev explained that he believes Take-Two’s DMCA claim is “wholly incorrect” and that the publisher has “no claim to the code” because while it functions like the original source code that went into GTA III and Vice City, it is not identical.
While it might seem like GitHub has taken a side and decided that Take-Two was wrong, this isn’t accurate. DMCA rules state that content that is disputed must be restored within 14 days of a counter-notice being received. At this point, if Take-Two wants the source code removed again, it would become a legal battle. Theo says he understands the legal risk he faces, but doesn’t expect the publisher to pursue this to court any time soon.
While it’s possible Take-Two could challenge Theo’s counter-claim in court at a later date, this is still a nice win for the Grand Theft Auto III and Vice City modding scene. It’s also another reminder that modders, pirates, and fan developers are often the only ones doing the work to keep old games around in an easily playable form.
Commodity.com has a huge and useful page on how to get started trading in environmental commodities. Unfortunately it won’t let me paste it into here easily so below is a list of the subjects they cover. They are also very transparent about how they make their money (through links on their site), which I thought was honest of them. Anyway, enjoy!
Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.
As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.)
But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics and, if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.
Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window of time that security researchers give to companies to fix bugs before details are made public.
But that deadline came and went, the bug wasn’t fixed and Masters hadn’t heard back from the company, aside from an initial email acknowledging receipt of the bug report. Instead, Peloton only restricted access to its API to its members. But that just meant anyone could sign up with a monthly membership and get access to the API again.
TechCrunch contacted Peloton after the deadline lapsed to ask why the vulnerability report had been ignored, and Peloton confirmed yesterday that it had fixed the vulnerability. (TechCrunch held this story until the bug was fixed in order to prevent misuse.)
[…]
Masters has since put up a blog post explaining the vulnerabilities in more detail.
Munro, who founded Pen Test Partners, told TechCrunch: “Peloton had a bit of a fail in responding to the vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.”
But questions remain for Peloton. When asked repeatedly, the company declined to say why it had not responded to Masters’ vulnerability report. It’s also not known if anyone maliciously exploited the vulnerabilities, such as mass-scraping account data.
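The two failure modes described above, an API that checks nothing and an interim fix that only checks for a paid membership, as an added example that is not Peloton’s code or API. The handlers, user records and member list are constructed in memory, and the hardened version shows the object-level check that a privacy flag actually requires.

```python
# Added example (not Peloton's code): three versions of a hypothetical
# profile-lookup handler, modelled on the disclosure described above.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    private: bool                      # "profile page set to private"
    profile: dict = field(default_factory=dict)


# Constructed sample data: one public profile, one private profile.
USERS = {
    "u1": User("u1", private=False, profile={"age": 34, "city": "Austin", "weight": 80}),
    "u2": User("u2", private=True, profile={"age": 41, "city": "Leeds", "weight": 71}),
}
MEMBERS = {"u1", "u2", "u3"}           # accounts with an active subscription


class Forbidden(Exception):
    """Raised when a request must be refused."""


def get_profile_v1(target_id, requester=None):
    """Original bug: no authentication and no authorization check at all."""
    return USERS[target_id].profile


def get_profile_v2(target_id, requester=None):
    """Interim 'fix': a member session is required, but any member can still
    read any profile, including private ones (object-level check missing)."""
    if requester not in MEMBERS:
        raise Forbidden("login required")
    return USERS[target_id].profile


def get_profile_v3(target_id, requester=None):
    """Hardened: authenticate, then honour the target's privacy flag so that
    only the owner can read a private profile."""
    if requester not in MEMBERS:
        raise Forbidden("login required")
    user = USERS[target_id]
    if user.private and requester != target_id:
        raise Forbidden("profile is private")
    return user.profile


def can_read(handler, target_id, requester=None):
    """Regression probe: True if `requester` can read `target_id`'s profile."""
    try:
        handler(target_id, requester)
        return True
    except Forbidden:
        return False
```

The probe makes the bug class explicit in a test suite: an unrelated member (`u3`) reading a private profile (`u2`) must be refused, which only the third version does.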
Amazon CEO Jeff Bezos told U.S. lawmakers last year that the company has a policy prohibiting employees from using data on specific sellers to help boost its own sales.
“I can’t guarantee you that that policy has never been violated,” he added.
Now it’s clear why he chose his words so carefully.
An internal audit seen by POLITICO warned Amazon’s senior leadership in 2015 that 4,700 of its workforce working on its own sales had unauthorized access to sensitive third-party seller data on the platform — even identifying one case in which an employee used the access to improve sales.
A U.K. company behind digital addressing system What3Words has sent a legal threat to a security researcher for offering to share an open-source software project with other researchers, which What3Words claims violates its copyright.
Aaron Toponce, a systems administrator at XMission, received a letter on Thursday from London-based law firm JA Kemp representing What3Words, requesting that he delete tweets related to the open-source alternative, WhatFreeWords. The letter also demands that he disclose to the law firm the identity of the person or people with whom he had shared a copy of the software, agree that he would not make any further copies of the software, and delete any copies of the software he had in his possession.
The letter gave him until May 7 to agree, after which What3Words would “waive any entitlement it may have to pursue related claims against you,” a thinly-veiled threat of legal action.
“This is not a battle worth fighting,” he said in a tweet. Toponce told TechCrunch that he has complied with the demands, fearing legal repercussions if he didn’t. He has also asked the law firm twice for links to the tweets they want deleting but has not heard back. “Depending on the tweet, I may or may not comply. Depends on its content,” he said.
U.K.-based What3Words divides the entire world into three-meter squares and labels each with a unique three-word phrase. The idea is that three words are easier to share over the phone in an emergency than precise geographic coordinates, which would have to be found and read out.
But security researcher Andrew Tierney recently discovered that What3Words would sometimes have two similarly-named squares less than a mile apart, potentially causing confusion about a person’s true whereabouts. In a later write-up, Tierney said What3Words was not adequate for use in safety-critical cases.
It’s not the only downside. Critics have long argued that What3Words’ proprietary geocoding technology, which it bills as “life-saving,” makes it harder to examine it for problems or security vulnerabilities.
Concerns about its lack of openness in part led to the creation of WhatFreeWords. A copy of the project’s website, which does not contain the code itself, said the open-source alternative was developed by reverse-engineering What3Words. “Once we found out how it worked, we coded implementations for it for JavaScript and Go,” the website said. “To ensure that we did not violate the What3Words company’s copyright, we did not include any of their code, and we only included the bare minimum data required for interoperability.”
But the project’s website was nevertheless subjected to a copyright takedown request filed by What3Words’ counsel. Even tweets that pointed to cached or backup copies of the code were removed by Twitter at the lawyers’ requests.
Toponce — a security researcher on the side — contributed to the research of Tierney, who was tweeting out his findings as he went. Toponce said that he offered to share a copy of the WhatFreeWords code with other researchers to help Tierney with his ongoing research into What3Words. Toponce told TechCrunch that receiving the legal threat may have been a combination of offering to share the code and also finding problems with What3Words.
In its letter to Toponce, What3Words argues that WhatFreeWords contains its intellectual property and that the company “cannot permit the dissemination” of the software.
Regardless, several websites still retain copies of the code and are easily searchable through Google, and TechCrunch has seen several tweets linking to the WhatFreeWords code since Toponce went public with the legal threat. Tierney, who did not use WhatFreeWords as part of his research, said in a tweet that What3Words’ reaction was “totally unreasonable given the ease with which you can find versions online.”
The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. An attacker can exploit these flaws to take full control of the infotainment system of a Tesla without any user interaction.
A hacker who exploits the vulnerabilities can perform any task that a regular user could from the infotainment system. That includes opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. However, the researchers explained, “This attack does not yield drive control of the car though.”
They showed how an attacker could use a drone to launch an attack via Wi-Fi to hack a parked car and open its doors from a distance of up to 100 meters (roughly 300 feet). They claimed the exploit worked against Tesla S, 3, X and Y models.
“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann said.
Tesla patched the vulnerabilities with an update pushed out in October 2020, and it has reportedly stopped using ConnMan. Intel was also informed since the company was the original developer of ConnMan, but the researchers said the chipmaker believed it was not its responsibility.
Fresh questions have been raised over Amazon’s tax planning after its latest corporate filings in Luxembourg revealed that the company collected record sales income of €44bn (£38bn) in Europe last year but did not have to pay any corporation tax to the Grand Duchy.
Accounts for Amazon EU Sarl, through which it sells products to hundreds of millions of households in the UK and across Europe, show that despite collecting record income, the Luxembourg unit made a €1.2bn loss and therefore paid no tax.
In fact the unit was granted €56m in tax credits it can use to offset any future tax bills should it turn a profit. The company has €2.7bn worth of carried forward losses stored up, which can be used against any tax payable on future profits.
The Luxembourg unit – which handles sales for the UK, France, Germany, Italy, the Netherlands, Poland, Spain and Sweden – employs just 5,262 staff, meaning that the income per employee amounts to €8.4m.
The article goes on to blame Amazon, but tbh I don’t blame them much. It’s the EU and the tax haven system inside it that allows its member states to allow and even encourage this kind of tax avoidance that is to blame.